Testing Permission
What to do when the auditor comes - Part 1: Processes and documentation
The system checks direct access to the contents of tables, for example, with transactions SE16, SM30, or SE16N with authorization checks on a table authorization group, object S_TABU_DIS. If there are no suitable authorizations for the table authorization group, the system checks the name of the table or view, object S_TABU_NAM. When making changes to client-independent tables, the system also checks the authorizations for object S_TABU_CLI. If you have configured line-based authorization checks in Customizing, the system also checks authorization object S_TABU_LIN. Assign tables or views to a table authorization group using transaction SE11 or SE54. You can also define table authorization groups using transaction SE54. If your customer development implements direct access to a table, use the VIEW_AUTHORITY_CHECK function module to perform the authorization check. For more information about generic access to tables, see SAP Note 1434284 Information Published on SAP Site and the online documentation for the authorization objects mentioned above.
Custom programmes should be protected with permissions, just like standard applications. What rules should you follow? Introductory projects usually produce a large number of customised programmes without being subjected to a permission check when they are executed. For your programmes, you should create custom permissions checks by default and manage them accordingly.
Customising User and Permissions Management
Logs: Protocols exist for all audits performed. This allows you to review the history of the audit results at a later stage or to view only the results of the last audit. To do this, use the protocol evaluation of the AIS in the transaction SAIS_LOG or click the button in the transaction SAIS.
This list in the AGR_1252 table contains both the organisational fields that are shipped in the standard and the fields that you have collected for organisational fields. Unfortunately, the list does not indicate what kind of organisation field it is. But you can find out: Open the PFCG_ORGFIELD_DELETE programme via transaction SA38. The Organisation Level Value Helper (Orgebene) provides a list of all customer-specific organisation fields, because only these can be converted back to normal Permissions Object Fields. Note the implications if you want to actually run this programme.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
This is the default IMG structure in which you must include your structure.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
In addition to the individual checks for individual developers, the tool also offers mass checks, for example to check an entire application for vulnerabilities in one step.