RS_ABAP_SOURCE_SCAN
Security in development systems
Of course, you can also use the data obtained with the permission trace (with filter for the S_DATASET authorization object) to express permissions on the object itself. In any case, you should also use the values obtained for the PROGRAM field. In this way, you exclude misuse by modified copies of ABAP programmes. This limitation of access programmes already represents a security gain, even if you do not want to restrict access to paths and files.
Eligibility objects that were visible in the permission trace are quickly inserted in rolls. But are they really necessary? Are these possibly even critical permissions? A review of the Permissions Concept can reveal that critical permissions are in your end-user roles. We would like to give you some examples of critical permissions in this tip. It is helpful to know which authorization objects are covered by the critical permissions. They must also ask themselves whether the granting of these allowances entails risks.
Maintain batch job suggestion values
In the SAP standard, there is no universally applicable way to automate the mass maintenance of role derivations. We therefore present three possible approaches: 1) Approach to custom development 2) Automated mass maintenance using the Business Role Management component 3) Use of a pilot note that allows a report for mass update of organisational values in rolls (currently available to selected customers) (BRM) from SAP Access Control.
With the transaction SUIM you can search under roles, roles with different search criteria. The variant "Roles by complex selection criteria" covers all possible selection criteria. However, you can also search only for a specific selection criterion (e.g. only for transactions, only for authorization objects...).
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
Some useful tips about SAP basis can be found on www.sap-corner.de.
In general, you should note that not all relevant change documents of a system are present in the user and permission management.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
The evaluation is similar to the evaluation of the system trace in the transaction ST01.