Use timestamp in transaction SU25
SAP S/4HANA® migration audit
If the programme determines that both of the criteria set out in the previous bullet points are met, the criterion of equality shall apply. This means that the proposed values of the permission that is already in place and to be added will come from the same transaction. Thus, the programme does not add a new default permission to the permission tree.
Of course, you can also use the data obtained with the permission trace (with filter for the S_DATASET authorization object) to express permissions on the object itself. In any case, you should also use the values obtained for the PROGRAM field. In this way, you exclude misuse by modified copies of ABAP programmes. This limitation of access programmes already represents a security gain, even if you do not want to restrict access to paths and files.
However, a full SAP security audit does not end here. In addition, the auditor examines whether the four important concepts of SAP Security, namely the data ownership concept, the proprietary development concept, the authorization concept and the emergency user concept, meet the requirements. Each of them should represent a fully formulated document that, on the one hand, contains all the target specifications for the respective topic and, on the other hand, is consistent with the actual state found during the audit.
By correcting SAP Note 1692243, you can now also use the report in a ZBV (Central User Management) environment; It is no longer limited to individual clients. If the role assignment of the ZBV in the SCUM transaction is set to global, it is sufficient if the correction is recorded in the central client. Then it is only possible to execute the report in the central client. Furthermore, you have the option to select the ZBV's subsidiary systems from the Receive System drop-down box in such a way that only the systems in which the role assignment is to be consolidated or deleted are taken into account. In the results list of the consolidated role assignment, you will now be listed in the ZBV-System column the subsidiary systems where consolidation or deletion took place.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
Only the organisation levels that you create are displayed through the Value Help.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
How secure business data is in SAP depends largely on the assignment of authorizations and access options for a company's users.