View system modifiability settings
Permissions and User Root Sets Evaluations
In addition to SAP standard software, do you also use custom ABAP programmes? Learn how the SAP Code Vulnerability Analyser can scan your customer code for potential security vulnerabilities and resolve them if necessary. Permission concepts, firewalls, anti-virus and encryption programmes alone are not enough to protect your IT infrastructure and IT systems against internal and external attacks and misuse. Some of the risks are identified by potential security vulnerabilities in the ABAP code, most of which cannot be addressed by downstream measures and therefore need to be addressed in the code itself. It should also be noted that the permission concepts used can be circumvented by ABAP code, which underlines the weight of security vulnerabilities in the ABAP code. While SAP is responsible for providing security information to help close security vulnerabilities in standard code, it is up to you to address security vulnerabilities in custom ABAP programmes. Companies are subject to a whole range of legal requirements on data protection and data integrity, and you can fulfil them as far as possible with the help of a new tool. The SAP Code Vulnerability Analyser is integrated into the ABAP Test Cockpit (ATC) and thus available in all ABAP editors such as SE80, SE38, SE24, etc. Developers can use it to scan their code for vulnerabilities during programming and before releasing their tasks. This reduces testing costs and costs.
You will find all the user favourites of a system in the SMEN_BUFFC table; additionally there is the table SMEN_BUFFI, in which the links from the favourite lists are stored. You can simply export this table to Microsoft Excel and then evaluate it. At this point, however, we would like to point out that you may not evaluate the favourites without prior consultation with the users, because the stored favourites are user-related and therefore personal data. The SMEN_BUFFC table contains various fields that determine the structure of the placed favourites. For example, you can create folders in your favourites to sort them. This folder structure can also be found in the SMEN_BUFFC table. However, the entries themselves that you will find in the REPORT field are important for the re-creation of a permission concept. The REPORTTYPE field tells you whether the entry in question is, for example, a transaction or a Web-Dynpro application. In the TEXT field, if required, you will find the description of the favourite entry. In addition, you should also pay attention to the TARGET_SYS field, since favourites can also be entered for other systems, in this case an RFC target system is entered under TARGET_SYS.
Maintain permission values using trace evaluations
Do you want to keep track of what changes have been made to the Central User Management configuration or the distribution parameters for the User Master's Care? You can manage the change documents centrally. The Central User Administration (ZBV) is used to create users, assign roles and distribute them to the respective subsidiary systems. For this, the ZBV has to be configured initially. These include defining the ZBV landscape, i.e. defining the central system and subsidiary systems, adjusting the distribution parameters and transferring users from the subsidiary systems to the central system. You can also configure the ZBV afterwards. For example, you can add subsidiary systems or release them from the ZBV. In the transaction, you can modify SCUM to change the field allocation properties so that fields that were originally globally distributed across the ZBVs are also locally maintainable. All this information about the changes to the ZBV configuration has not been centrally logged.
If an authorization system grows too much over the years and there is no structured approach, the result is uncontrolled growth. If companies wait too long with the cleanup, a complete rebuild of the authorization structure or a new concept may make sense. This must be clarified quickly in the event of a cleanup.
Authorizations can also be assigned via "Shortcut for SAP systems".
This also applies to structural permissions.
Changes in customizing and various security-relevant changes, such as the maintenance of RFC interfaces, can be viewed via table change logs.