Check current situation
You would like to revise your authorisation concept and tailor SAP roles only to the productive processes. We show you how to use the statistical usage data from the Workload Monitor for the SAP role definition. One of the biggest effort drivers in redesigning SAP role concepts is the definition of transactional expression of SAP roles. By using the statistical usage data from the workload monitor, you can avoid costly coordination with process managers in the sense of a Green Field Approach. In this way, you can tailor your SAP role concepts to the content of the usage behaviour. The only requirement is that the data be available for a representative period. This is two months in the SAP standard; You can also extend this time period. Below we describe how you can use the statistical usage data from the Workload Monitor for the SAP role definition.
Your SAP system landscape keeps you safe and up-to-date by inserting different types of SAP hints and patches. For a first overview of the security information for SAP systems, see the SAP Service Marketplace at https://service.sap.com/securitynotes. For a complete list of all security advisories for all SAP solutions (SAP NetWeaver Application Server ABAP and Java, TREX, SAP HANA, Sybase, SAP GUI, etc.), see Security Notes Search on this page. The My Security Notes page allows you to find the SAP notes that are relevant for systems registered in SAP Service Marketplace. This does not take into account information already recorded.
Use automatic synchronisation in central user management
The SAP authorization concept protects transactions and programs in SAP systems on the basis of authorization objects. Authorization objects enable complex checks of an authorization that are bound to several conditions. Authorizations represent characteristics of authorization objects depending on the employee's activity and responsibility. The authorizations are combined in an authorization profile that belongs to a role. The administrator assigns the appropriate role to the employee via the user master record so that the employee can perform his or her tasks in the system.
If your users are allowed to share their own background jobs, you need the JOBACTION = RELE permission to the S_BTCH_JOB object. In this case, you can start all jobs at the desired time. In many cases, background jobs are used for the professional or technical operation of applications; Therefore, we recommend that you schedule these background jobs under a System-Type technical user (see also Tip 6, "Note the impact of user types on password rules"). The advantage of this is that the permissions can be controlled more accurately and you do not run the risk of a job being lost if the user under whom it was scheduled to leave your company once. You can realise the association with a system user by giving the user who plans the job permission for the S_BTCH_NAM object. In the BTCUNAME field, the name of the step user, i.e. the user under whom the job should run, such as MUSTERMANN, is entered.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
Before you start and define critical permissions, you should identify your core business processes or functions and then map the conflicting processes in meaningful combinations as so-called risk.
You can now define the user group as a mandatory field in the user master record by inserting the default user group in the USER_GRP_REQUIRED entry of the USR_CUST client-dependent table.