SAP Authorizations Coordinate authorisation management in customer-owned programmes

Direkt zum Seiteninhalt
Coordinate authorisation management in customer-owned programmes
Assign SAP_NEW to Test
The Security Audit Log can also log customer-specific events in restricted way starting with SAP NetWeaver 7.31. The event definitions DUX, DUY and DUZ are reserved for customers and delivered with a dummy expression. For these events, you can then define individually configurable messages using the RSAU_WRITE_CUSTOMER_EVTS function block. To do this, you must first identify the additional necessary events and define their message texts and variables. Note that you may not change the meaning of the message and the arrangement of the variables later, as this would prevent older log files from being readable. Finally, you must include the new message definitions in your filters (transaction SM19). You will find the corrections and an overview of the required support packages in SAP Note 1941526. Since the use of this functionality requires extensive knowledge about the Security Audit Log, it is important that you also consider the recommendations in SAP Note 1941568 and that you can be supported by a basic consultant.

This solution is only available with a support package starting with SAP NetWeaver AS ABAP 7.31 and requires a kernel patch. For details on the relevant support packages, see SAP Note 1750161. In addition, the SAP Cryptographic Library must be installed; but this is ensured by the required kernel patch. Only if you have manually made a different configuration, you must check this requirement.
System Security
With the introduction of security policy, it is now possible to define your own security policy for System or Service users. This way you can ensure that backward-compatible passwords are still used for these users. This eliminates the reason that password rules were not valid for System/Service type users; Therefore, the rules for the content of passwords now apply to users of these types. Password change rules are still not valid for System or Service type users. If you are using security policy in your system, you can use the RSUSR_SECPOL_USAGE report to get an overview of how security policy is assigned to users. This report can be found in the User Information System (transaction SUIM). In addition, the user information system reports have added selected security policies to the user selection. This change was provided through a support package; For details, see SAP Note 1611173.

An essential aspect in the risk assessment of a development system is the type of data available there. Normally, at least a 3-system landscape is used (development, test and production system). One of the purposes of this is to ensure that (possibly external) developers do not have access to productive or production-related data. Since developers with the required developer authorizations have access to all data in all clients of the system concerned, there should be no production-related data in a development system. Even a division into a development and a test client (with the sensitive data) within the system does not protect against unauthorized data access for the reasons mentioned above. In the following, it is assumed that no production-related data exists on the development system. Otherwise, extended authorization checks must be carried out in the modules and access to production-related data must be approved beforehand with respect to the production system by the respective data owners. Since developers, as described, have quasi full authorization through their developer rights, revoking the authorizations listed below can raise the inhibition threshold for performing unauthorized activities, but ultimately cannot prevent them.

The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".

The website www.sap-corner.de offers many useful information about SAP basis.


Volume Release: Alternatively, the tax administration may require the taxable person to have the stored documents available to it for evaluation on a machine-usable medium.

So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.


Changes only take effect the next time the user logs on to the system.
Zurück zum Seiteninhalt