Preventing sprawl with the workload monitor
Query Data from a Local Table
Not all users should be able to log on to the application server during your maintenance? Use the security policy and a new profile parameter. When you are performing maintenance work on your SAP system, it is always necessary to prevent users from logging into the application server. This often excludes a small group of administrators who are still allowed to log on to the system. Until now, users had to be locked and the group of administrators excluded from this lock. This is now easier by using the security policy in combination with the login/server_logon_restriction profile parameter.
Authorizations are used to map the organizational structure, business processes and separation of functions. Therefore, they control the access options of users in the SAP system. The security of business data depends directly on the authorizations assigned. For this reason, the assignment of authorizations must be well planned and executed in order to achieve the desired security.
Data ownership concept
In an SAP® system, authorizations are not the only focus of the auditor. Essential system parameters are also part of the audit. For this reason, it should also be ensured in advance that all parameters are set up in accordance with the company's specifications. The parameters concerned are all those that ensure system and client security. Among other things, it must be ensured that the production system is protected against any kind of changes and therefore no direct development is possible.
You can view the change documents of the permission proposal maintenance using the report SU2X_SHOW_HISTORY (available with the support package named in the SAPHinweis 1448611). If the note is not implemented, use the USOBT_CD and USOBX_CD tables. We recommend that you run the SU24_AUTO_REPAIR correction report regularly. This report cleans up inconsistencies and adds missing modification flags in the transaction SU24 data that may turn up as errors when the transaction SU25 is executed. Read SAP Note 1539556 for this. Modification flags are added to the records in transaction SU24, if they have been modified by you. You can see these flags in the USOBT_C and USOBX_C tables.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
In this way, you can tailor your SAP role concepts to the content of the usage behaviour.
First, create an overview of the customising tables currently available in your system.