Centrally review failed authorisation checks in transaction SU53
Lack of definition of an internal control system (ICS)
Logs: Protocols exist for all audits performed. This allows you to review the history of the audit results at a later stage or to view only the results of the last audit. To do this, use the protocol evaluation of the AIS in the transaction SAIS_LOG or click the button in the transaction SAIS.
Similarly, SAP Identity Management version 7.2 SP 3 and above supports the installation of HANA users and the assignment of roles. You can also use Identity Management to add value to the business roles for creating a user with role assignment in the ABAP system and HANA database.
Maintain table permission groups
Secure management of access options in the SAP system is essential for any company. This makes it all the more important to analyze and improve the authorizations assigned. This step serves as optimal preparation for your S/4 HANA migration. Managed Services supports central and efficient administration to ensure an optimal overview. In order to sustainably improve your processes, a database provides information on possible optimizations for SAP licenses.
The filter setting in transaction SM19 determines which events should be logged. In addition, you must activate the Security Audit Log via the profile parameters in the transaction RZ11 and make technical settings. For an overview of the profile parameters for the Security Audit Log, see the following table. The values specified in the table are a suggestion, but not the default values. The Security Audit Log is not fully configured until both the profile parameters and an active filter profile have been maintained. Note that the Security Audit Log has two configuration options: static and dynamic configuration. Static configuration stores filter settings persistent in the database; they are only applied on a system boot. The filter settings are used as the current configuration for each subsequent startup and should therefore always be maintained. The dynamic configuration allows you to change the settings in the running mode. The dynamic configuration is used when settings need to be adjusted temporarily. Here you can change all filter settings, but not the number of existing filters. Dynamic configuration will remain active until the next boot.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
If you want to get more information about SAP basis, visit the website www.sap-corner.de.
Finally, we would like to draw your attention to SAP Note 1781328, which provides the report PFCG_ORGFIELD_ROLES_UPD.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
You can enable the permission trace using the auth/authorisation_trace dynamic profile parameter.