Use automatic synchronisation in central user management
THE "TOP SEVEN"
An essential aspect in the risk assessment of a development system is the type of data available there. Normally, at least a 3-system landscape is used (development, test and production system). One of the purposes of this is to ensure that (possibly external) developers do not have access to productive or production-related data. Since developers with the required developer authorizations have access to all data in all clients of the system concerned, there should be no production-related data in a development system. Even a division into a development and a test client (with the sensitive data) within the system does not protect against unauthorized data access for the reasons mentioned above. In the following, it is assumed that no production-related data exists on the development system. Otherwise, extended authorization checks must be carried out in the modules and access to production-related data must be approved beforehand with respect to the production system by the respective data owners. Since developers, as described, have quasi full authorization through their developer rights, revoking the authorizations listed below can raise the inhibition threshold for performing unauthorized activities, but ultimately cannot prevent them.
Cybersecurity is a broad field. Starting with the technical infrastructure of companies and extending to the business processes in SAP systems. Such projects must be well planned and prepared. We have already seen some negative examples of companies that wanted too much at once and then "got it wrong." When it comes to securing business processes in particular, it is important to ensure that the employees affected are picked up and involved. Therefore, use a risk analysis to select the topics and processes that should be at the top of the list when securing.
Security in development systems
If the proliferation has occurred because the authorization concept was not adhered to, a cleanup is sufficient. If the proliferation has arisen because there are errors and gaps in the authorization concept, these errors must be identified, eliminated and the authorizations optimized. If the concept can no longer be implemented in a meaningful way, or if it has already been set up incorrectly, it will be necessary to create a new one.
Roles can be assigned to users directly through user management in the SU01 transaction, role maintenance in the PFCG transaction, or mass change of users in the SU10 transaction. However, if the employee changes his or her position in the company, the old roles must be removed and new roles assigned according to the new activities. Because PFCG roles are created to represent job descriptions, you can use organisational management to assign roles to users based on the post, job, etc.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
The website www.sap-corner.de offers many useful information about SAP basis.
For SAP CRM only the objects Organisational Unit (O), Headquarters (S), Central Person (CP) and User (US) play a role.
The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.
This applies to all transactions or function blocks that make changes to user data.