Migration to the cloud: Azure, Amazon, Google, others
SHAPING ARCHITECTURE POLICIES
In every company with several SAP systems, there is a person responsible for the complete SAP Basis topics, usually there is even a separate department for this. This person ensures the trouble-free operation of the SAP systems. The person responsible also accompanies maintenance work or upgrades and intervenes in special situations, such as poor performance. Even for companies that hand over the operation of the SAP Basis to an external service provider, there are often still tasks from the environment of user and authorization management at this point.
Instead of letting the power consumer determine each parameter individually, the SAP basis can now create meaningful bundles, such as the power server with a lot of processor power, memory and disk space, and the light server in a simpler setup. Each bundle has its own price, which requires preparation and consideration. The principle of consistently aligning IT services with repeatable standards is thus directly linked to the standardisation of processes and technical specifications. Standardised products can only be offered if process processes are standardised. Likewise, these can only be offered as simple and comprehensible product bundles if technical standards are established.
SAP Basis - the secure foundation of the SAP system
Another important example is the reading permission for TemSe objects. The temporary files are often forgotten, because it is often not considered that cached (strictly) sensitive data, which is intended for only one user (owner), can be viewed by another user without permission - and across clients. The examples mentioned show us how important it is to carefully assign permissions for client-independent transactions. Download Transaction tables The transactions that enable the examples above, including certain expressions of the associated permission objects and our recommendations for them, can be found in the file "Critical cross-client permissions" for download. Other client-independent transactions are located in the Cross Clients TCODES file. The criticality of these transactions should be assessed according to the context. I recommend always being careful and keeping these transactions in mind.
SAP recommends a role design for Fiori permissions based on the defined catalogues and groups in the launchpad. In such a catalogue there is usually a set of apps and services which is relevant for a specific user group. If a role for one or more catalogues in the launchpad has been authorised, the corresponding catalogues and groups will be displayed in the app finder only for eligible users when the launchpad is launched. This ensures that every user only sees what they are working with. Important: These Fiori permissions are maintained on the frontend server! Maintain catalogue permissions in the PFCG To add a Fiori permission to open a catalogue for a role, reopen this role in the PFCG in Change mode and follow the next steps: 1) Select Menu tab 2) Click on the small arrow to add an item 3) Select "SAP Fiori Tile Catalogue" Then select the corresponding Catalogue ID for which the selected role should be eligible. Now the role only has to be assigned to the corresponding users in the system. Once you have completed these steps, you will have the Fiori permissions you need to view individual tile catalogues on the launchpad.
The "Shortcut for SAP Systems" tool is ideal for doing many tasks in the SAP basis more easily and quickly.
The SAP Gateway, which is responsible for the connection between backend and frontend, is also a security risk and must be considered.
The following figure shows the logging for the SAP standard group "SUPER".