SAP Security Automation
Lack of definition of an internal control system (ICS)
In order to perform an operation in the SAP system, several authorizations may be required. The resulting interrelationships can become very complex. In order to nevertheless offer a procedure that is manageable and easy to handle, the SAP authorization concept was implemented on the basis of authorization objects. Several system elements to be protected form an authorization object.
SAP Note 1854561 provides a new possible value for the auth/authorisation_trace parameter: F (Trace enabled with filter). Allows you to limit the permission trace to values that can be set by the filter. The filters are defined in the STUSOBTRACE transaction (see SAP Note 1847663).
Authorization concepts - advantages and architecture
You can use authorization objects to restrict access to tables or their content through transactions, such as SE16 or SM30. The S_TABU_DIS authorization object allows you to grant access to tables associated with specific table permission groups. You can view, maintain, and assign table permission groups in transaction SE54 (see Tip 55, "Maintain table permission groups"). For example, if an administrator should have access to user management tables, check the permission status using the SE54 transaction. You will notice that all the user management tables are assigned to the SC table permission group.
SNC secures communication with or between ABAP systems, but there are also many web-based applications in SAP system landscapes. They communicate via the Hypertext Transfer Protocol (HTTP). The data is also transmitted unencrypted when communicating via HTTP; Therefore, you should switch this communication to Hypertext Transfer Protocol Secure (HTTPS). HTTPS uses the encryption protocol Transport Layer Security (TLS) for secure data transfer on the Internet. You should therefore set up HTTPS for all users to access the Web. For communication between SAP systems, you should use HTTPS if you think the data transfer could be intercepted. You should either set up HTTPS on individual components of the infrastructure (such as proxies), or the ABAP systems should support HTTPS or TSL directly. Details of the configuration can be found in the SAPHinweis 510007.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Until now, no tool has made it possible to create ready-made authorization concepts with just a single click.
Depending on the conceptual granularity of responsibilities in the development and customizing environment, more detailed authorization checks may need to be performed.