How relevant is SAP Basis?
SM37 Simple job selection
Especially after security incidents it may be necessary to find out which (technical) users have logged in at which time. The USR02 table provides a first entry point. In the TRDAT column you can find the last login date for the user you want. However, a history of previous applications is not found in this table. In such cases, the Security Auditlog or SAL helps. Preparation In order to access the desired data, it must also have been saved previously. In the Security Auditlog, you can use various filters to determine which users are logged on which client and which information. The Security Auditlog stores, depending on configuration, logins, RFC calls, and other actions for specific users. You can make these settings in the SM19 transaction. Note: Logging user activity must be aware of the users concerned! Configure the SAL only for technical users or in consultation with users / works council / etc. It can be seen there among other things when the SAL was activated and last edited (1). You can also select the various filters (2), activate the filters individually (3), specify clients and users (4) and specify which activities are logged (5). Static configuration in the SM19 Under the Dynamic Configuration you can also see if SAL is currently active for the system. Determine the status of the SAL Evaluation of the SAL If the Security Audit Log is active, switch to the SM20 evaluation of the Security Audit Log. Select the desired user and client and the appropriate time window. The option Dialogues login is sufficient for the login. Then, restart the AuditLog analysis. Start evaluation You will get an overview of the user's login to the selected client of the system.
If you now want to change the permission data, you will be asked for values for the appropriate organisation levels. First enter a tilde (~) and define the value later in the derived roles. Maintain the permissions you want and then generate the master role. Adding the organisational level to the master role Step 2: Define derived roles Create derived roles Assign the master role After you have created the master role, it is the derived roles that are in the process. To do this, re-enter a suitable role name via the PFCG. In our example, it is called "findepartment_d01". For a better overview, it is usually useful to name and number the derivatives after the master roles. You can also define the roles according to a different scheme. After you have created the role, you must then enter the master role in the Derive from Role field in the Description tab. Confirm the Auto Enquiries. Customise the Organisation Levels Now go to the "Menu" tab. There you can see that the data from the master role was automatically copied. Since the role has not yet been generated, the Permissions tab is currently highlighted in red. Therefore, call "Change Permissions Data". The first call should automatically open a dialogue to maintain the organisational levels, as they are still empty. If this is not the case, or if you would like to adjust the organisational levels again in a later case, you can also access them via the button Ordende (see screenshot). If everything worked well, you can now see that the permissions were also automatically taken from the master role. If you generate the role, the permission tab will also appear green. Congratulations, you have successfully created a derived role! Repeat step 2 with the additional derivatives to adjust the organisation levels accordingly.
CHANGE OF PERCEPTION
In the beginning, in our company the installation and management of the systems were dealt with by the functional consultants/consultants of the respective systems. The CRM consultant was responsible for the SAP CRM system, the SRM consultant for the SAP SRM, etc.
Today, most customers rely on an infrastructure abstraction layer, whether it's VMware or one of the cloud hypervisors. So base administrators need to know how to provision and manage systems in the cloud.
Tools such as "Shortcut for SAP Systems" are extremely useful in basic administration.
These permissions are expressed in a role by permission objects, as in any ABAP report.
See also: Generation Error [Page 30].