Displaying sensitive data
Concept for in-house developments
Like all other security issues, SAP authorizations must be integrated into the framework used. The risks associated with incorrectly assigned authorizations must be classified as very high. The definition of a holistic governance, risk and compliance management system is required. This ensures that risks are recorded, analyzed, evaluated, coordinated and forwarded within the company at an early stage. Accordingly, the risks arising from incorrectly assigned SAP authorizations or from a lack of a process for monitoring authorizations are also included here.
Before using the system recommendations, we recommend that you implement the corrections in SAP Notes 1554475 and 1577059. It is also necessary that the systems to be managed are connected to the SAP Solution Manager and that in the transaction SMSY were assigned to a productive system and an SAP solution. Then, in the System Recommendations settings, schedule a background job that collects the relevant information about the attached systems. Relevant information is your release and support package stand, as well as SAP notes and their versions. An OSS connection from the SAP Solution Manager, which you have to set up beforehand, will then perform a calculation in the SAP Global Support Backbone, which will determine the necessary information, i.e., that the SAP Solution Manager itself hardly generates any load from the calculation. To automatically check the security level of your systems, you should also schedule this calculation as a background job.
Conclusion
In the SU22 transaction, the developers of an application maintain the proposed values for all required authorization objects; the authorisation trace helps in this. As described in SAP Note 543164, the dynamic profile parameter auth/authorisation_trace of the trace is set to Y (active) or F (active with filter). By inserting the SAP Notes 1854561 or the relevant support package from SAP Note 1847663, it is possible to define a filter for this trace via the STUSOBTRACE transaction, which you can restrict by the type of application, authorization objects, or user criteria.
Configuration validation uses the CCDB's configuration data to reconcile settings. To do this, you define your customer-specific security settings technically in a target system. This contains the specifications for the configuration of SAP systems. You can also define a target system based on the settings of an existing system and adapt it to your requirements. Then you compare the settings of your SAP systems with this target system on a daily basis and get an overview of the deviations. Since there may of course be different security requirements for the systems in your landscape (e.g. development and production systems), you can define different target systems with the appropriate settings. You then start the comparison with a target system for the relevant systems. Alternatively, you can compare to an actual system; For example, this is a useful function in the context of a roll-out.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Since SAP NetWeaver 7.0, there is also a report that shows the system modifiability settings.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
The path with the associated permission group DEVL contains the local temporary files of the ABAP Frontend Editor of the ABAP development environment (transactions SE38, SE80, SE24, etc.).