Encrypt e-mails
Excursus: Special feature for authorizations for FIORI Apps under S/4HANA
If you use configuration validation, we still recommend that you use the AGS Security Services, such as the EarlyWatch Alerts and SAP Security Optimisation Services, which we describe in Tip 93, "AGS Security Services." SAP keeps the specifications and recommendations in the AGS Security Services up to date and adapts them to new attack methods and security specifications. If you have identified new security issues within a security service, you can set your target systems accordingly and monitor these aspects in the future.
Please note that, depending on the results of the RSUSR003 report, a system log message of type E03 is generated. If a critical feature (highlighted in red) is detected, the message text "Programme RSUSR003 reports ›Security violations‹" is written into the system log. If no critical feature has been detected, the message "Programme RSUSR003 reports ›Security check passed‹" will be displayed instead. This message is sent because the password status information of the default users is highly security-relevant and you should be able to track who accesses it. You can grant the User and System Administration change permissions for the RSUSR003 report, or you can grant only an execution permission with the S_USER_ADM authorization object and the value CHKSTDPWD in the S_ADM_AREA field. This permission does not include user management change permissions and can therefore also be assigned to auditors.
Analysis and reporting tool for SAP SuccessFactors ensures order and overview
SOS reports can be very comprehensive. In particular, if the whitelists are not yet maintained, report volumes of up to 200 pages are not uncommon. Do not be discouraged in such a case, but start by cleaning up a manageable number of critical SOS results. You can then work through the remaining results in several rounds. The AGS recommends which critical SOS results you should consider first; you can find these in the AGS Security Services Master slide set in the SAP Service Marketplace Media Library.
Remove improperly defined SAP organisational level ($CLASS): This function deletes the $CLASS organisational level that was incorrectly delivered with the GRC plug-in (Governance, Risk and Compliance). Use the test mode of the report to look at possible corrections in advance.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
You can check in the report log whether the function is present in the child systems.
Of course, this has implications if you want to upgrade a field to the organisation level.