SAP Authorizations Lock Inactive Users - SAP Corner

Direkt zum Seiteninhalt
Lock Inactive Users
Displaying sensitive data
Locking and validity of the user account is done through the user administrator and is also valid for other authentication procedures. This means that a login via SSO is not possible for an invalid user or a user with administrator lock. We therefore always recommend that you prevent access to the system by setting the validity of users. Setting validity on assigned roles also prevents the user from performing actions in the system, but does not generally prevent them from logging in.

In the foreground, important SAP reports on the subject of role and authorization administration were presented. Since these and the entire SAP system are known to be based on ABAP coding, the analysis of the source code is just as important, especially when using in-house developments. These in-house developments often present serious security vulnerabilities because they have insufficient authorization checks in the coding. To search for explicit strings and to categorize the in-house developments accordingly, the report RS_ABAP_SOURCE_SCAN can be used. This allows existing programs in the backend to be explicitly checked for specific check patterns by the authorization administrator and any errors to be corrected by the relevant developers. Authorization-relevant check patterns for such a scan are, for example, "AUTHORITY-CHECK" or SQL statements such as SELECT, UPDATE or DELETE. The former checks whether authorization checks are present in the source code at all. The check for Open SQL patterns analyzes the code structure for direct SELECT, MODIFY or INSERT statements that must be avoided or protected on the authorization side. The best practice measure in this case is to use SAP BAPIs. The preventive best practice would be to involve developers and authorization administrators equally during the conceptual design of the custom development.
Use SAP_NEW correctly
Due to the changed suggestion values in the SU24 transaction, you must now perform step 2c (roles to verify) to update all roles affected by the changed proposal values. Role changes are only customised! You will get a list that shows all the roles you need to edit. If you have more than one client to maintain roles, you must also do this in the other client.

You can do this by using the P_ABAP authorization object to override the usual permission checks. This applies to all reports that access the logical database PNPCE (or PNP). In case of a P_ABAP permission, the usual checks for authorization objects, such as P_ORGIN or P_ORGINCON, will no longer take place or will be simplified. This also applies to structural permissions. Whether the permission checks are simplified or completely switched off is controlled by the COARS field of the object. To disable all checks, set the value COARS = 2. This value does not limit the data displayed in the legitimate report. If you want to allow advanced permissions for reporting, but you do not want them to be unrestricted, you must select COARS = 1. In this case, you will also designate the P_ORGIN (or P_ORGINCON, P_ORGXX and P_ORGXXCON) authorization object. However, you must be careful not to mark all fields of the objects, otherwise direct access is also possible. Therefore, always write two versions of the P_ORGIN authorization object, one with the functional permissions (permission levels, info types, and subtypes), and one with the organisational boundaries (personnel area, employee group, employee group, and organisation keys). In addition, you will of course need a P_ABAP for the relevant reports with the value COARS = 1.

With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.

Information about existing records of the same role by other administrators does not take place.

If you want to know more about SAP authorizations, visit the website

In the background, the system creates a programme that builds the join.
SAP Corner
Zurück zum Seiteninhalt