Permissions checks
Include customising tables in the IMG
In the foreground, important SAP reports on the subject of role and authorization administration were presented. Since these and the entire SAP system are known to be based on ABAP coding, the analysis of the source code is just as important, especially when using in-house developments. These in-house developments often present serious security vulnerabilities because they have insufficient authorization checks in the coding. To search for explicit strings and to categorize the in-house developments accordingly, the report RS_ABAP_SOURCE_SCAN can be used. This allows existing programs in the backend to be explicitly checked for specific check patterns by the authorization administrator and any errors to be corrected by the relevant developers. Authorization-relevant check patterns for such a scan are, for example, "AUTHORITY-CHECK" or SQL statements such as SELECT, UPDATE or DELETE. The former checks whether authorization checks are present in the source code at all. The check for Open SQL patterns analyzes the code structure for direct SELECT, MODIFY or INSERT statements that must be avoided or protected on the authorization side. The best practice measure in this case is to use SAP BAPIs. The preventive best practice would be to involve developers and authorization administrators equally during the conceptual design of the custom development.
Since a role concept is usually subject to periodic changes and updates, e.g. because new functions or modules are introduced or new organisational values are added, role names should be designed in such a way that they can be expanded. Therefore, in the next step, define the useful criteria you need in your role name.
Integrate S_TABU_NAM into a Permission Concept
When displaying or posting receipts in SAP Finance, are the standard eligibility checks insufficient? Use document validation, BTEs, or BAdIs for additional permission checks. The posting of documents, and often their display, is protected by standard permission checks; but they may not meet your requirements.
For an authorization concept, a clear goal must be defined that is to be achieved with the help of the concept. This should list which regulatory requirements the respective system and the associated authorization concept must take into account. In this way, the legal framework is defined, which is a legal necessity for successful implementation.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
The audit results shall be selected on the basis of the audit structures, the test numbers or the entry date (see figure next page).
Because it is a dynamic profile parameter, it is reset when the application server is launched.