SAP Basis Every SAP Basis consultant must know these 10 technology trends - SAP Corner

Every SAP Basis consultant must know these 10 technology trends
STRUST Trust Manager
Customers with such a case regularly contact us. Creating a Permission Concept from the ground up is often a time-consuming task. Furthermore, the know-how is often lacking: which aspects an authorisation concept should cover, and how the corresponding processes can be both practical and audit-proof.

Our solution: tool-based generation of an individual, written authorisation concept

In this situation, we have recommended to our customers the tool-based generation of a written authorisation concept directly from the SAP system. We use the XAMS Security Architect tool, with which we have had good experiences. This includes a template for a revision-proof and comprehensible, written authorisation concept. It includes established best practices for role and entitlement management. The template covers all relevant areas in a permission concept. The included text of the authorisation concept is completely customisable, so that the concept can be tailored to your situation without creating a permission concept from scratch.

Dynamically update the written authorisation concept

One of the biggest challenges after the development of an authorisation concept is to keep it up to date in the long term and to measure the sustainable implementation in the system. This is achieved by integrating live data such as configuration settings and defined rules directly from the connected system. For example, lists of existing roles or user groups and tables are read from the system each time the document is generated and updated in the permission concept. The following screenshot shows an example of what the appearance in the concept document might look like.

Automatically check and monitor compliance with the concept

To check compliance with the concept, the XAMS Security Architect includes extensive inspection tools. These cover the rules formulated in the concept and are suitable for measuring the extent to which the reality in the system meets the requirements formulated in the concept.

If you have already defined a queue, but the queue does not meet your requirements or has encountered errors, you can delete it again. Note that your system is inconsistent when you delete the queue after objects have been imported (for example, after an error in the DDIC_IMPORT step and following). The deletion in these SPAM steps should only be used for troubleshooting and you should repeat the import of the support packages as soon as possible. Note that starting with SPAM/SAINT version 11, you cannot delete the queue after the DDIC_IMPORT step and following.

Procedure

Select View/Define SPAM in the initial screen of the transaction. You will get a dialogue box that displays the current queue. In this dialogue box, select Delete Queue.

Result

The queue has been deleted. You can define a new queue.
Time buffers for job chains lead to long runtimes
If you need to reinstall a Support Package because of errors or because a SPAM update is required, reset its status. Resetting does not mean that the system is at an old state. Note that your system is inconsistent when you reset the status after items have already been imported (for example, after the DDIC_IMPORT step and following). Resetting the status should only be used to troubleshoot the issue and you should repeat the import as soon as possible.

Procedure

To reset the status of a Support Package or queue, select Add Status Reset.

Result

After updating the status, the corresponding entries in the cofile and in the log file are deleted. The support package must then be fully reloaded. The transaction SPAM starts the import with the step CHECK_REQUIREMENTS.

Access Control Lists (ACLs) are a good way to secure your gateway and to exclude unwanted external access to the database of the application server. The ACL files reginfo and secinfo implement an access control in which both allowed and forbidden communication partners can be defined. The reginfo file controls the registration of external programs on the gateway: its rules allow or prohibit individual programs. The secinfo file defines which users are allowed to start an external program. To use these files, you must set the parameters gw/reg_info and gw/sec_info (transaction RZ11). For more information, refer to SAP Note 1408081.
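The following added example (not part of the original page or of any SAP tool) reviews reginfo and secinfo content for permit rules that accept any host. It assumes the `#VERSION=2` rule syntax with `P`/`D` actions and the options `TP`, `USER`, `HOST`, `USER-HOST`, `ACCESS` and `CANCEL`; the sample rules and function names are constructed for illustration.

```python
# Constructed sample ACL files; program names and rules are illustrative only.
SAMPLE_REGINFO = """\
#VERSION=2
P TP=IGS.PRD HOST=local ACCESS=internal CANCEL=local
P TP=* HOST=* ACCESS=* CANCEL=*
D TP=* HOST=*
"""
SAMPLE_SECINFO = """\
#VERSION=2
P TP=sapxpg USER=* USER-HOST=internal HOST=internal
P TP=* USER=* USER-HOST=* HOST=*
"""

# Options that name which hosts a rule applies to; "*" matches any host.
HOST_KEYS = ("HOST", "USER-HOST", "ACCESS", "CANCEL")


def parse_acl(text):
    """Parse rule lines into (line_no, action, options) tuples."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank, comment or #VERSION header
            continue
        action, *fields = line.split()
        if action.upper() not in ("P", "D"):
            raise ValueError(f"line {line_no}: unknown action {action!r}")
        options = {}
        for field in fields:
            key, sep, value = field.partition("=")
            if not sep:
                raise ValueError(f"line {line_no}: malformed option {field!r}")
            options[key.upper()] = value
        rules.append((line_no, action.upper(), options))
    return rules


def open_permits(text):
    """Return (line_no, keys) for permit rules that accept any host."""
    findings = []
    for line_no, action, options in parse_acl(text):
        if action != "P":
            continue
        wild = [k for k in HOST_KEYS if "*" in options.get(k, "").split(",")]
        if wild:
            findings.append((line_no, wild))
    return findings


if __name__ == "__main__":
    for name, text in (("reginfo", SAMPLE_REGINFO), ("secinfo", SAMPLE_SECINFO)):
        for line_no, keys in open_permits(text):
            print(f"{name} line {line_no}: permit open to any host via {', '.join(keys)}")
```

Rules restricted to `local` or `internal` pass the check; only the catch-all permit lines in the constructed samples are reported.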

Tools such as "Shortcut for SAP Systems" complement missing functions in the SAP basis area.

XMX = In the user name none of these special characters may occur at the BEGINNING and at the END.

Some useful tips about SAP basis can be found on www.sap-corner.de.

