SAP Authorizations Installing and executing ABAP source code via RFC - SAP Corner

Installing and executing ABAP source code via RFC
Excursus Special feature for authorizations for FIORI Apps under S/4HANA
By adding certain SAP standard reports and the user information system ("SUIM"), you can quickly identify security-relevant issues and correct any errors. This improves basic management of your existing security concept and protects you against external and internal intrusions. If you need help with your system analysis, please feel free to contact us. Xiting offers you a wide range of services related to SAP Security. Above all, our proprietary security tool, the Xiting Authorizations Management Suite, or XAMS for short, allows you to build a new role concept based on your usage data and even generate a revision-compliant security concept at the push of a button. Why not see for yourself and join one of our many different webinars?

In transaction SU01, enter a non-existent user ID and click the Create button (F8). The BAdI BADI_IDENTITY_SU01_CREATE is called with the new user ID, and the implementation in the BAdI is executed. Here you can, for example, read additional attributes for the new user from an external data source. The data collected within the BAdI is written into the fields of transaction SU01, so the new user master record is displayed with the pre-filled fields. You can then edit the user master record, for example by assigning roles or changing the pre-populated fields.
Detect critical base permissions that should not be in application roles
In practice, the main problem is the definition of content: The BMF letter remains very vague here with the wording "tax relevant data". In addition, there is the challenge of limiting access to the audited financial years.

In general, you should note that not all relevant change documents for user and authorisation management are present in a single system. As a rule, authorisation administration takes place in the development system; therefore, the relevant change documents for authorisation management are produced in the development systems. By contrast, you will find the relevant user administration change documents in the production systems. You should also note that when roles and profiles are imported into the production systems, no change documents are written. Only transport logs are generated, which indicate that changes have been made to the objects. For this reason, the change documents of the development systems' authorisation management are relevant for auditing and should be secured accordingly.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

This switch only affects new mappings; you should manually clean up any existing mappings of other user types.

You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.


Since there may of course be different security requirements for the systems in your landscape (e.g. development and production systems), you can define different target systems with the appropriate settings.