Permissions with status
Background processing
If you want to cancel, share, or reset other users' jobs to scheduled status, you must have permission for the S_BTCH_ADM object with a value of Y. Alternatively, you can also grant the JOBACTION = MODI and JOBGROUP = permission for the S_BTCH_JOB object. The MODI promotion was introduced with SAP NetWeaver AS ABAP 7.00 or can be recorded via SAP Note 1623250. The following illustration shows an example of how the JOBACTION = MODI privilege is expressed for the jobs of the users listed under JOBGROUP.
The filter setting in transaction SM19 determines which events should be logged. In addition, you must activate the Security Audit Log via the profile parameters in the transaction RZ11 and make technical settings. For an overview of the profile parameters for the Security Audit Log, see the following table. The values specified in the table are a suggestion, but not the default values. The Security Audit Log is not fully configured until both the profile parameters and an active filter profile have been maintained. Note that the Security Audit Log has two configuration options: static and dynamic configuration. Static configuration stores filter settings persistent in the database; they are only applied on a system boot. The filter settings are used as the current configuration for each subsequent startup and should therefore always be maintained. The dynamic configuration allows you to change the settings in the running mode. The dynamic configuration is used when settings need to be adjusted temporarily. Here you can change all filter settings, but not the number of existing filters. Dynamic configuration will remain active until the next boot.
SAP FICO Authorizations
First, consider the transport of your proposed permissions from various development systems to a consolidation system. When you save permission proposal values in transport orders, you will notice that generic entries are used instead of detailed BOMs. These generic entries mark all applications, for example, with TR*..
The audit result lists the vulnerabilities by priority, with a high priority combined with a high hit safety of a finding and a low priority combined with low hit safety. In addition, more information is available within the ABAP editor at each location. This priority indicator helps you to identify whether a false positive or an actual security problem is present. Priorities 1 and 2 are very likely to be a genuine reference. The tool provides recommendations on how to modify the source code to correct the vulnerabilities. In addition to the individual checks for individual developers, the tool also offers mass checks, for example to check an entire application for vulnerabilities in one step.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
Re-load the role in the PFCG transaction if the application has already been rolled.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
By adding certain SAP standard reports and the user information system ("SUIM"), you can quickly identify security-relevant issues and correct any errors.