Search for user and password locks
Redesign of SAP® Authorizations
The evaluation of the licence data via the ZBV with the report RSUSR_SYSINFO_LICENSE provides a result list with the following contents: Contractual User Type - This column contains the actual local user types from the ZBV subsidiary systems. Value in Central - This column contains the central user type from the ZBV that is stored for the respective subsidiary system to the user.
The first line defines that access to all files is forbidden unless other settings have been made for them in the other lines. The asterisk (*) is in the first place here and in this case for all files and paths. If the asterisk is in a different position, it is interpreted as part of the file name, which is not allowed in Microsoft Windows, for example. In our example table, setting the switches FS_NOREAD = X and FS_NOWRITE = X for all paths prohibits reading and writing. This makes the table a white list. This is preferable to a black list for security reasons. SPTH, on the other hand, becomes a Black List if you remove the first line with PATH = * in our example or if you do not set any of the switches FS_NOREAD, FS_NOWRITE or FS_BRGRU. The second line with PATH = /tmp allows read and write access for all files starting with /tmp, similar to a permission value /tmp*, as an exception to the access ban defined in the first line for all files and paths. This setting is not limited to subdirectories, but includes, for example, all files whose name starts with /tmp-xy. The third line with PATH = /tmp/myfiles defines a permission group with FS_BRGRU = FILE, triggering the subsequent permission check on the S_PATH object. The SAVEFLAG = X switch defines that these files will be included in a backup procedure; however, this is not relevant for the permission award.
Preventing sprawl with the workload monitor
Role credentials saved by the last edit are displayed. This option is not recommended if transactions have been changed in the Role menu.
If such information is available from the past, it should be checked whether all topics have been implemented in accordance with the comments. If one or the other recommendation has not been implemented, this circumstance should in any case be documented in a comprehensible manner, or it should be possible to provide a comprehensible justification. However, it is not sufficient to focus only on the improvement potentials that have been presented, because it must be ensured that all those points that have not been criticized in the past will continue to fit. Preparation is made much more difficult if there are no helpful comments or reports from the previous fiscal year, or if it is a first-time audit or a change of auditor. What all does the IT auditor look at during the annual audit? There are topics that every auditor looks at because there are standards for doing so, however it is common for the auditor to perform additional audit procedures in the IT audit depending on the strategy of the overall audit. In this newsletter we want to focus on the most important standard audit topics on the process level and the IT controls defined therein in the context of the SAP® system.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Alternatively, you can also use the Use only users without locks option and additionally, in the Selecting after the user is valid between user today and user today, select not valid.
You can do this by using the P_ABAP authorization object to override the usual permission checks.