SAP Authorizations Displaying sensitive data

Displaying sensitive data

SAP Data Analytics

Here we present different scenarios for the process of resetting passwords. In all scenarios, the user selects the system and the client in which a password is to be reset from a web page. Only systems and clients where this user already exists and assigned a permission should be displayed. An initial password is then generated and sent to the user's email address. Only if a user lock is set by false logins, the user must be unlocked. If an administrator lock is in place, the user should be informed accordingly. Before implementing self-service, consider the password rules set in your systems and the use of security policies. Because these settings allow you to control how passwords are generated in your systems. We recommend that you read the instructions in Tips 4, "Set Password Parameters and Valid Signs for Passwords", and 5, "Define User Security Policy".

The best way for companies to combat historically grown uncontrolled growth in authorizations is to prevent it. An analysis of whether the current authorization concept is sufficient for the company helps here.

Reset passwords using self service

If the changes to your SU24 data have not been detected with step 2a, or if you have imported transports from other system landscapes into your system, you have the option to reset the timestamp tables and start again. To do this, run the SU24_AUTO_REPAIR report in a system that is still at the state of the legacy release so that the modification flag is set correctly (see tip 38, "Use the SU22 and SU24 transactions correctly"). Subsequently, you create a transport and transport your SU24 data to the system, which is at the state of the new release. Now delete your timestamp tables. You can use the report SU25_INITIALIZE_TSTMP. Starting with SAP NetWeaver 7.31, you have the choice to set the reference time stamp from the SU22 data or delete the contents of the time stamp tables. You can then run Step 2a again.

The changes made by inserting the note or upgrading to the above support packages do not only affect the SAP_ALL profile. While it remains possible to assign the full RFC_SYSID, RFC_CLIENT, and RFC_USER permissions in principle; However, this can only be done manually in the PFCG transaction through the dialogue maintenance of the fields. In this case, another dialogue box will open, indicating the security risk. You must confirm this window. From this change of behaviour of the SAP_ALL profile, it follows that all automatic methods for taking over the overall authorisation are no longer available in the fields of the S_RFCACL authorization object.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

The website www.sap-corner.de offers many useful information about SAP basis.

You have already created roles for SAP CRM and would like to add additional external services? Nothing easier than that! Create PFCG roles for the SAP CRM Web Client, typically so that you complete the customising of the CRM business role before creating the PFCG role, based on this customising.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

The ability to create this role with the report REGENERATE_SAP_APP exists after inserting the SAP note 1703299.