Correct settings of the essential parameters
What to do when the auditor comes - Part 1: Processes and documentation
SAP customers do not maintain suggested values in this transaction. However, there are cases where data in the SU22 transaction is maintained in a customer environment. If TADIR services or external services are developed by the customer or partner, these services are not available by default in the SU22 transaction or the SU24 transaction. For these services, the header data must first be written to the USOBHASH table, which serves as the basis for maintaining the services. These entries in the USOBHASH table are generated automatically when running TADIR services. Read Tip 41, "Add external services from SAP CRM to the proposal values", for dealing with external services. Once the data in this table is available, you have the option to maintain the proposed values.
Access to this data is critical, since the hash values can possibly be decrypted using tools, thus enabling unauthorized logon to the SAP system. Since identical passwords are often used for different systems, the determined password may also be usable for downstream systems. The current or former hash values of the passwords are stored in the tables USR02, USH02, USRPWDHISTORY, USH02_ARC_TMP, VUSER001 and VUSR02_PWD. These tables can be accessed either via classic table access transactions such as SE16 or via database administration transactions such as DBACOCKPIT. The authorizations required for table access via database tools depend on the respective system configuration and should be verified via an authorization trace (transaction STAUTHTRACE), if necessary.
Define security policy for users
Configuration validation is a tool that allows systems to be tested against corporate or organisational requirements and regulations. You can find this tool in the Change Management section of the SAP Solution Manager. This allows you to evaluate security-relevant configurations and critical permissions. This is based on the SAP Solution Manager's Configuration and Change Database (CCDB), which stores all details about the configuration of the connected systems. The configuration data is stored in different configuration stores, depending on the type of configuration. You can evaluate the configuration of the operating system, the database, and profile parameters in the ABAP and Java systems. You will also get an overview of the status of transport orders and support packages. You can also track changes to the configurations of the attached systems in the CCDB. You can also graphically evaluate these changes via an end-to-end analysis in SAP BW; contains information on the number of changes per system, the type of changes and the modification date.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
You should not grant large permissions for the SCC4 and SE06 transactions to internal and external auditors, just so that they can see the system modifiability. We present the report, which only requires the permissions a auditor usually has to view the system modifiability. There are several people who want to view the system modifiability settings in your system for specific reasons. These can be internal auditors, auditors or developers. The display of these settings, e.g. via the SCC4 or SE06 transactions, is not in itself critical; However, this has previously required permissions that are not usually assigned to the group of people just described. Since SAP NetWeaver 7.0, there is also a report that shows the system modifiability settings. This report requires only viewing permissions that can be assigned to the above-described group without any concerns. We present the application of this report and the required permissions here.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
After transport to the target system, this role is activated as a runtime object.
A note box in which data of all kinds can be quickly filed and retrieved. This is what Scribble Papers promises. At first, the program looks very spartan. But once a small structure is in place, you realise the great flexibility of this little helper.
The risk of incorrectly assigned developer authorizations has also increased due to the elimination of additional protection via developer and object keys in S/4 HANA systems (see, among other things, SAP Note 2309060).