Mitigating GRC risks for SAP systems
Authorizations in SAP systems: what admins should look out for
You can use the system trace function (transaction ST01) to record the authorization checks in all modes, if the trace and the transaction to be traced run on the same application server. All object fields and their values are recorded during the authorization object check.
Unlike the EWA, the SOS is able to list users that require extensive permissions. So you can maintain a whitelist. We recommend that you deal with the results of the SOS as follows: Verify that all identified users require critical permission. Complete the users who need this permission in the whitelist. Remove this permission from other users.
Change management
Many companies are currently converting their current SAP systems from an ERP state to an SAP S/4HANA system. Through this conversion, many technical and also organizational components come upon the respective companies. The time factor for determining, organizing and implementing the necessary components should not be underestimated. The area of security is often neglected in thought, but can lead to major problems and possibly image-related damage - and resulting financial losses - in retrospect. For this reason, the implementation of a comprehensive authorization concept should be considered as early as possible in the project phase, as several components are intertwined here.
Do you need to integrate the S_TABU_NAM authorization object into your existing permission concept? In this tip, we show you the steps that are necessary to do this - from maintaining the suggestion values to an overview of the eligible tables. You have added the S_TABU_NAM authorization object to your permission concept, so that users can access the tables not only through the S_TABU_DIS authorization object, but also through S_TABU_NAM. This directly regulates access to the tables via table permission groups or, if access is not allowed through table permission groups, via the table permission (see Tip 73, "Use table editing authorization objects"). Do you want to identify the tables or created parameter transactions that allow access to only specific tables to maintain SU24 for these suggested values in the transaction? This makes it easier to maintain PFCG roles. Furthermore, a tool would be useful to give you an overview of the tables for which a user is entitled.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
The authorization concept in your organization states that access (processing) to Records Management objects should be allowed for an employee only within his/her own organizational unit.
The indirect role assignment uses the evaluation paths PROFLO and PROFLINT for assigning the PFCG roles to the corresponding users.