SAP Authorizations Use system recommendations to introduce security

Authorizations in SAP BW, HANA and BW/4HANA
The relevant authorization objects are then displayed in an ALV list and the documentation for the authorization object can be called up via the I in the Docu column. This documentation then displays much more detailed information about the respective authorization object as well as the defined fields.

The authorization concept in SAP ERP does not normally allow permissions to be restricted to individual fiscal years. However, this is particularly relevant for tax audits. As of 1 January 2002, the electronic tax audit has been enshrined in law in § 147 (6) of the German Tax Code. The position of the tax administration is set out in the BMF letter of 16.07.2001 (BStBl. 2001 I), "Principles on data access and the verifiability of digital documents" (GDPdU). In Germany, the electronic tax audit can be performed using three types of access: 1) Immediate access: the tax authority has the right to inspect the stored data (read-only access) and to use the taxpayer's hardware and software to verify the data, including master data and links. 2) Indirect access: the tax authority may require the taxpayer to process the data read-only according to its specifications. 3) Data carrier transfer: alternatively, the tax administration may require the taxpayer to make the stored documents available to it for evaluation on a machine-readable medium.
Analyzing the quality of the authorization concept - Part 1
For any form of automated role derivation, you should first define an organizational matrix that maps the organizational requirements. To do this, you must provide the data for each organizational unit in a structured form.

RFC connections are interfaces for many local and global system processes, but for many companies they are also a security-relevant source of errors. RFC interfaces and the associated system users often have excessive authorizations and can quickly be misused by unauthorized persons to view sensitive company data. It is therefore important to keep these system connections in the focus of global monitoring and to check which RFC destinations lead where and what they do. The program RSRFCCHK exists for this purpose and allows you to perform specific checks on your RFC system landscape. On the one hand it checks the content of the RFCDES table, and on the other hand it displays the corresponding user properties of the system users as an overview. As a result, important parameters such as the target machine, the client, the background user and the password property can be checked at a glance.
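The kind of review RSRFCCHK supports, written out as an added example that is not SAP's program and does not use the real RFCDES layout: the records, the field names and the host list are constructed assumptions, and the rules flag the properties the paragraph names (target machine, client, user and password property).

```python
# Added example: review constructed RFC destination records the way an auditor
# would after running RSRFCCHK.  Field names are simplified assumptions, not
# the RFCDES table schema.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class RfcDest:
    """One RFC destination in the assumed, simplified record format."""
    name: str
    target_host: str
    client: str
    user: str             # "" = no user stored, logon data supplied at runtime
    user_type: str        # assumed values: "DIALOG", "SYSTEM", "COMMUNICATION", ""
    password_stored: bool
    trusted: bool         # trust relationship used instead of a password

PRODUCTIVE_HOSTS = {"prdapp01"}   # constructed landscape data

def findings_for(d: RfcDest) -> List[str]:
    """Review findings for one destination; an empty list means nothing to report."""
    findings = []
    if d.password_stored and d.user_type == "DIALOG":
        findings.append("stored password for a DIALOG user; use a SYSTEM user instead")
    if d.trusted and d.target_host in PRODUCTIVE_HOSTS:
        findings.append("trusted connection into a productive system; verify the "
                        "trusting side restricts it")
    return findings

def review(dests) -> Dict[str, List[str]]:
    """Map destination name -> findings, keeping only destinations with findings."""
    return {d.name: f for d in dests if (f := findings_for(d))}

def inventory(dests) -> Dict[Tuple[str, str], List[str]]:
    """Group destination names by (target host, client): which destinations lead where."""
    by_target = defaultdict(list)
    for d in dests:
        by_target[(d.target_host, d.client)].append(d.name)
    return dict(by_target)

SAMPLE = [  # constructed records, not taken from any real system
    RfcDest("ERP_TO_BW", "prdapp01", "100", "RFC_BW", "SYSTEM", True, False),
    RfcDest("DEV_TO_PRD", "prdapp01", "100", "ADMIN_J", "DIALOG", True, False),
    RfcDest("QAS_TRUST", "prdapp01", "100", "", "", False, True),
    RfcDest("LOCAL_TEST", "devapp01", "200", "RFC_TEST", "COMMUNICATION", True, False),
]

if __name__ == "__main__":
    for (host, client), names in inventory(SAMPLE).items():
        print(f"{host} client {client}: {', '.join(names)}")
    for name, findings in review(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```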

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

Based on the authorization concept, the administrator assigns authorizations to users that determine which actions a user is allowed to perform in the SAP system after logging on to the system and being authenticated.

In total, there are the following three traces to authorization checks: 1) Authorization trace (transaction STUSOBTRACE) 2) System trace (transaction ST01 or STAUTHTRACE) 3) User trace (transaction STUSERTRACE).
SAP Corner