Security in development systems
Equal permissions
You can also remove customer-specific organisational levels and convert them to a simple permission field. The report PFCG_ORGFIELD_DELETE serves for this purpose. It removes the permission field from the USORG table and changes the permission proposal values to that field. Finally, it goes through all the rolls that contain a shape to the field. However, it does not restore the old location of the field, because summarised values will no longer be separated when the field is elevated to the organisational level. Instead, the aggregated values are entered separately in each field. The PFCG_ORGFIELD_DELETE report also provides a value aid that shows only the customer's organisational levels. You can also use this value aid to determine all customer-specific organisational levels.
Other project settings should be defined on the Scope, Project Views, Project Employees, Status Values, Keywords, Document Types, Transport Orders, and Cross Reference tabs. After all entries have been made, you must secure the project. Do not forget to generate the project. The SPRO transaction allows you to edit the newly created customising project. The first call does not display the newly created project. To view it, click the Record button in the Work Inventory ( ), select your project, and then confirm your selection. After you have successfully created, generated, or edited the project, you will perform the PFCG transaction to create a customising role for the project. Select a name for the role, and then click Create Single Role. Now open the Menu tab and follow the path: Tools > Customising Permissions > Add > Insert Customising Activities. Then choose between IMG Project and View of an IMG Project. All transaction codes are added from the IMG project to the Role menu. Note that this can be a very large number of transactions and can therefore take longer. You can then use the Permissions tab to express the authorization objects as usual. Back up and generate the role.
Authorization concepts - advantages and architecture
In the course of a comprehensive protection of your system from the inside as well as from the outside it is indispensable to have a closer look especially at the SAP standard users. They have far-reaching authorizations that can cause great damage to your system if misused. It should be noted that they are very important for the operational execution of your SAP system and must not be deleted. However, since the associated standard passwords can be quickly researched, they must be changed immediately after delivery of the SAP ERP. You can perform a detailed check of these users using report RSUSRS003. It is also recommended to set certain default users inactive until they are actually used.
The security policy was introduced with the SAP NetWeaver 7.31 release; for their use you need at least this release. Security policies thus replace the definition of password rules, password changes, and login restrictions via profile parameters. The security policy is assigned to the user in transaction SU01 on the Logon Data tab. Profile parameter settings remain relevant for user master records that have not been assigned a security policy. Some of the profile parameters are also not included in the security policy and therefore still need to be set system-wide. Security policy always includes all security policy attributes and their suggestion values. Of course, you can always adjust the proposed values according to your requirements. You define security policy about the SECPOL transaction. Select the attributes for which you want to maintain your own values and enter the values accordingly. The Descendable Entries button displays the attributes that are not different from the global entries.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
With this function you have the possibility to delete either only certain subsidiary systems from the ZBV or the complete ZBV.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
If you have not filled the timestamp tables in the old release, the tables in your new release will be empty.