Existing permissions
SU2X_CHECK_CONSISTENCY & SU24_AUTO_REPAIR
This information is used in the name generation of the external service. In this way, all area start pages and logical links configured in a CRM business role are authorised in the form of external services. Due to the mass of external services that appear in the role menu, it is difficult to keep track of them. Now, to allow only certain external services, you can do the following: First, identify the external service using the permission trace.
In order to sustainably guarantee the security of the SAP system internally and externally, regular auditing is indispensable. Existing rule violations must be detected and corrected. In addition, it is important to document the regular operation of SAP in order to have evidence of this for external and internal requirements. Automated processes can save a lot of time and money.
Check for permissions on the old user group when assigning a new user group to a user
SAP_NEW represents a specific permission profile that summarises the concrete permission changes between two SAP release levels. A distinction should be made between SAP's delivery of the SAP_NEW profile and the generation of an SAP_NEW role with a corresponding profile by you as a SAP customer (see also the SAP hint 1711620). Depending on the authorisation tracking procedure, the SAP_NEW permission can be assigned to any user in a development and quality assurance system immediately after the technical system upgrade. However, the goal is to assign to each user in the production environment only permissions that they need for their business operations. In the context of upgrades, the correct permissions must be determined and integrated into the corresponding permission roles.
This solution is only available via a support package starting with SAP NetWeaver AS ABAP 731 and requires a kernel patch. For details on the relevant support packages, see SAP Note 1891583. In principle, user login to the application server can then be restricted by setting the new login/server_logon_restriction profile parameter.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
Dynamic configuration will remain active until the next boot.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
Efficient and well thought-out authorization management plays a key role in minimizing risk and is a good way of protecting against unauthorized access, data misuse and industrial espionage.