Development
Encrypt e-mails
It is very important that critical authorizations are generally subject to a monitoring process in order to be able to ensure that they are assigned in a productive system in a very restricted manner or not at all. Law-critical authorizations in particular, such as deleting all change documents, debugging ABAP programs with Replace, and deleting version histories, must never be assigned in a production system, as these authorizations can be used to violate the erasure ban, among other things. It must therefore be ensured that these authorizations have not been assigned to any user, not even to SAP® base administrators.
The P_ABAP (HR-Reporting) authorization object is not required to execute reports, but is intended to improve performance during execution. In addition, it can be used when reports require permissions for info types that the user should not receive in other cases, which is more common. For example, the right to display information type 0008 (basic salary) is also required for the execution of the travel statement reports. The Invoice Payer Programmes also require P_ABAP permissions to process personal data.
Security within the development system
The assignment of roles does not include any special features. Therefore, we only deal with the topics of time-space delimitation and logging. Time-space validation is implemented as an additional filter that runs after the usual permission checks. This additional filter logic works as follows: The first step is to check whether the user is entered in the tax verifier table (Table TPCUSERN, Configuration with the transaction TPC2). Only then will the further tests be carried out. If not, no additional checks will be carried out. The programme is then checked to see if it is included in the table of allowed programmes (table TPCPROG, configuration with the transaction TPC4). If the check is negative, the system cancels with a permission error. The time-space check is performed against the valid intervals in the table TPCDATA (configuration with the transaction TPC6). The time-space check works in context: In addition to the supporting documents of the audit period, older supporting documents are also included if they are still relevant for the audit period, such as open items that were booked in previous years but only settled in the audit period. Records that do not fall into the valid period according to the logic described above are filtered out.
This report has two functions: PFCG role consolidation - Identical roles are grouped into a single user base when validity periods overlap or connect directly to each other. Select the users, user groups, or roles to apply these rules to in the Selection Criteria pane. Deleting Expired PFCG Scrolls - If you uncheck Expired Mappings, Expired Scrolls will be removed from the user's root.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
The necessary function blocks are identified in the UCON Phase Tool (transaction UCONPHTL), which constantly monitors all external RFC calls and supports an introduction of the UCON Communication Assembly.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
This is only possible if you have administrator privileges on all systems in the landscape and the password rules of the systems are compatible.