Know why which user has which SAP authorization
System Settings
Since Release 4.6D, the system creates a new folder for each of the roles included in the pulley when rebuilding a Collective Roll menu at the first hierarchy level, and only then the corresponding menu is located. You can decide whether the text of each folder should consist of the technical name or the short text of the role. This function can be disabled by customising.
It is important that after the AUTHORITY-CHECK OBJECT command is called, the return code in SY-SUBRC is checked. This must be set to 0; only then a jump is allowed.
Hash values of user passwords
If it is clear that a cleanup is necessary, the first step should be a detailed analysis of the situation and a check of the security situation. Based on these checks, a redesign of the authorizations can be tackled.
The user administration process, i.e. user creation, modification and deactivation, should on the one hand be available in written documented form, either as a separate document or as part of the authorization concept documented in writing, and on the other hand also be carried out in accordance with the documentation. Therefore, a reconciliation should be performed on two levels: on the one hand, it should be ensured that the documentation is up to date and, on the other hand, it should be checked whether the process was also followed in the fiscal year to be audited. Possible deviations should already be prepared argumentatively, special cases can always occur that deviate from the actual process. However, these should be documented in a comprehensible manner so that an external auditor, such as the auditor's IT auditor, can check the plausibility. All documentation should be provided with the essential information (creator, date, version, etc.) and be in a format that cannot be changed (usually PDF). Additional documentation can also be output from the ticket system, provided that the process is consistently documented via the ticket system.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
This authorization object is used in the same way as the S_TCODE authorization object.
It is easier to specify the programme name in the PROGRAM field because the maximum value of 40 characters is the limit for programme names in the SAP NetWeaver application server ABAP.