SAP Authorizations Transports - SAP Basis

Direkt zum Seiteninhalt
Transports
Make sense in maintaining proposal values
In the SAP system, passwords are locked when the maximum number of allowed password login errors is reached. This counter is reset with a password each time you successfully log in. In addition, an initial password can be locked when its validity has expired. Both the validity of the initial password and the maximum value for password login errors are set using profile parameters. For details, see Tip 4, "Set password parameters and valid passwords characters". A password lock only prevents a user from logging in via his password, because the number of errors is only evaluated if the login is done by password. If a login is now made via other authentication methods (such as SSO), these are not affected by the password lock. This also applies to internal expiration procedures (such as background jobs) because you do not need to register a password. This prevents, for example, denial-of-service attacks, which first cause a password to be locked in order to block internal processes. Eine Ausnahme von dieser Regel gibt es allerdings: Auch wenn andere Authentifizierungsverfahren genutzt werden, prüft das System, ob der Benutzer dazu in der Lage ist, sich mit einem Passwort anzumelden. Wenn dies der Fall ist und das Passwort gerade geändert werden muss, wird diese Änderung vom Benutzer abgefragt. Diese Abfrage können Sie aber auch mithilfe des Profilparameters login/password_change_for_SSO ausschalten.

With the help of the SAP-Note 1642106 it is possible to automatically perform the text comparison from SAP NetWeaver AS ABAP 7.0. Inserting the note will automatically perform text matching for any changes to PFCG roles in the central system. We recommend that you install the support package that is appropriate for your release, which is specified in the SAP Note, because inserting the hint requires a lot of manual work. With the help of the SUSR_ZBV_GET_RECEIVER_PROFILES report, you can turn on the new functionality in all subsidiary systems where the correction information has also been recorded. If you run the report in the central system with the default selection, all subsidiary systems are included. You can check whether the function is present in the daughter systems in the report log.
Copy values from the Clipboard to the transaction's PFCG permission fields
HR authorizations are a very critical issue in many companies. On the one hand, HR administrators should be able to perform their tasks - on the other hand, the protection of employees' personal data must be ensured. Any error in the authorization system falls within the remit of a company's data protection officer.

At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.

The security of an SAP system is not only dependent on securing the production system. The development systems should also be considered, since here it is possible to influence the productive system via changes to be transported in the development environment and in customizing or via inadequately configured interfaces. Depending on the conceptual granularity of responsibilities in the development and customizing environment, more detailed authorization checks may need to be performed.

With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.

This does not take into account information already recorded.

So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.

In the SPTH table, you can define access rights for paths and whether you want to perform an additional permission check on the S_PATH object.
SAP BASIS
Zurück zum Seiteninhalt