Full verification of user group permissions when creating the user
Important components in the authorization concept
Privileges control the use of all objects and data contained in the HANA database. To use an application, you typically have to assign many different types of privileges to a user. To keep the complex relationships between the privileges actually needed manageable, privileges in SAP HANA are bundled into roles. In our example, the role MODELING is included in the role SAPT04_CONTENT_ACTIVATION. In SAP HANA, it is possible to assign multiple roles to a role as well as a role to multiple roles. This way, complex role hierarchies can be put together.
The general authorizations are ordinary authorization objects in SAP HCM that regulate access to PA/PD infotypes (tables PAnnnn / HRPnnnn) and clusters, for one's own person or for other persons. Typical authorization objects are "P_PERNR", "P_ORGIN", "P_ORGXX", "PLOG" and "P_PLCX".
Check the SAP authorization concept
Furthermore, the statistical data of other users (user activities, such as executed reports and transactions) should be classified as sensitive, since it may be possible to draw conclusions about work behavior using this data. This data can be displayed using transaction ST03N, for example. Access authorizations to the two types of data mentioned above should be assigned only very restrictively.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Implement SAP Notes 1656965 and 1793961 in your system. These SAP Notes deliver or extend the report RSUSR_LOCK_USERS, which supports the automatic selection and locking of inactive users. In the selection screen of the RSUSR_LOCK_USERS report, select the criteria by which you want to lock or invalidate users. You can narrow the choice of users with various criteria. It is recommended to take into account the period since the last login in the Days since last login field and the password status in the Days since password change field. You can check the result of the selection and view the users found. To do this, select the Test of Selection action in the Select Action pane. In this area you can also choose between the User Lock-outs (Local Lock-outs) and User Unlock (Local Lock-outs) actions. You can set the end of a user's validity by selecting the corresponding option for "today" or "yesterday". Note that you can only set the validity for current users.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
The system trace that you can call through the ST01 transaction or the STAUTHTRACE transaction (see also Tip 31, "Optimise Trace Evaluation") is a short-term, client-dependent trace that you can restrict to users or applications.
You must follow the XMI interface documentation to configure it.