Mitigating GRC risks for SAP systems
Create order through role-based permissions
The proposed values in the SU24 transaction are an imperative for the maintenance of PFCG roles, as these values are used when creating PFCG roles. The better these values are maintained, the less effort is required to maintain the PFCG roles (see figure next page). You may ask yourself in which cases it makes sense to adjust the proposed values, since they have such a large impact on the maintenance of roles.
If RFC function modules are called via RFC connections (for example, from an RFC client program or another system), an authorization check is performed on authorization object S_RFC in the called system. This check checks the name of the function group to which the function module belongs. If this check fails, the system also checks the authorizations for the name of the function module. Configure this check with the auth/rfc_authority_check parameter.
Translating texts into permission roles
If you want to export the movement data of the productive system to a development system, you should first export user master records and the permission proposal values and archive the complete change documents. After importing, you can then delete the imported change documents, in analogy to the client copy, and then reload and index the original change documents of the development system. The activities described here require administrative permissions for the change documents (S_SCD0 and S_ARCHIVE) and, if applicable, for the table logs (S_TABU_DIS or S_TABU_NAM and S_ARCHIVE). These permissions should be considered critical, and you should assign them to a small circle.
Only adding an authorization object via SU24 does not automatically result in a check within the transaction. The developer has to include an authorization check exactly for this object in the program code.
Authorizations can also be assigned via "Shortcut for SAP systems".
If your user is assigned the privilege ROLE ADMIN (either directly or through a role), you can create your own roles and assign them to users.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Map the business processes (if necessary only at the generic level of applications such as MM or CO) across the organisation.