SAP Authorizations Permissions objects already included - SAP Basis

Direkt zum Seiteninhalt
Permissions objects already included
Authorization concept - recertification process
SAP_AUDITOR_TAX Collector Role: The SAP_AUDITOR_TAX collection role is made up of module-specific individual rolls and can be seen as a proposal for the read-only role of the tax inspectors (see SAP Note 445148 for details on this role). The transactions and reports included in the SAP_AUDITOR_TAX collection role have been expanded to include additional checks that define the audit period. Some of the transactions and reports included in the SAP_AUDITOR_TAX collection role have also been expanded to include a logging of the call parameters to allow the taxpayer to better understand the auditor's audit trades.

Many tools that offer to simplify care operations of the transaction PFCG work Excel-based. The complete roll data is stored and processed in Excel. Then the Excel file is uploaded with a special programme and generates roles and role changes. While this all looks very comfortable (and probably is at first), it has its drawbacks in the long run.
Analysis and reporting tool for SAP SuccessFactors ensures order and overview
The passwords of the users are stored in the SAP system as hash values. The quality of the hash values and thus their safety, however, depends on the hash algorithms used. The hash algorithms previously used in SAP systems are no longer considered safe; They can be cracked in a short time using simple technical means. You should therefore protect the passwords in your system in various ways. First, you should severely limit access to the tables where the hash values of the passwords are stored. This applies to the USR02 and USH02 tables and in more recent releases the USRPWDHISTORY table. The best way to assign a separate table permission group to these tables is to do so, as described in Tip 55, "Maintain table permission groups". In addition, you should also control the accesses using the S_TABU_NAM authorization object.

In the SAP standard, there is no universally applicable way to automate the mass maintenance of role derivations. We therefore present three possible approaches: 1) Approach to custom development 2) Automated mass maintenance using the Business Role Management (BRM) component of SAP Access Control 3) Use of a pilot note that allows a report for mass update of organisational values in rolls (currently available to selected customers).

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

You want to secure access to the application server files? Find out what the S_DATASET and S_PATH authorization objects offer, what limitations are, and what pitfalls are lurking.

EARLYWATCH only has display rights for performance and monitoring functions.
Zurück zum Seiteninhalt