Ensuring secure administration
Authorizations
Access to this data is critical, since the hash values can possibly be decrypted using tools, thus enabling unauthorized logon to the SAP system. Since identical passwords are often used for different systems, the determined password may also be usable for downstream systems. The current or former hash values of the passwords are stored in the tables USR02, USH02, USRPWDHISTORY, USH02_ARC_TMP, VUSER001 and VUSR02_PWD. These tables can be accessed either via classic table access transactions such as SE16 or via database administration transactions such as DBACOCKPIT. The authorizations required for table access via database tools depend on the respective system configuration and should be verified via an authorization trace (transaction STAUTHTRACE), if necessary.
The downloading of the table must be monthly. You can also make downloading easier; Frank Buchholz presents programmes that you can use in his blog (see http://wiki.scn.sap.com/wiki/display/Snippets/Show+RFC+Workload+Statistic+to+build+authorizations+for+authorization+object+S_RFC). Optionally, the next step is to identify function groups for the function blocks. You can find them in the AREA field of the ENLFDIR table. However, we recommend granting permissions at the function block level, because function groups often contain a large number of function blocks and the accessibility is expanded unnecessarily.
Object S_BTCH_NAM and S_BTCH_NA1 (use of foreign users in Steps)
In the SCUA transaction, which you typically use to create or delete a ZBV distribution model, you can temporarily disable a subsidiary system. This option is disabled by default. To enable it, you must make changes in the customising of the PRGN_CUST table. Open the PRGN_CUST table either directly or via the customising in the SPRO transaction in the respective subsidiary system.
In many distributed organisations, the Profit Centre is used to map out the distributed units. However, this was only possible for FI with additional programming. In integrated data flows in SAP ERP, the sending application usually does not check the authorization objects of the receiving application. Financial Accounting (FI) in SAP does not check permissions for cost centres and profit centres. However, depending on the case of use, this may be necessary, e.g. if distributed entities are to operate as small enterprises within the enterprise and only collect and view data for this particular unit at a time. With the introduction of the new general ledger, SAP has technically merged the financial accounting and the profit centre account, so that the question of the inclusion of profit centre allowances in FIs becomes even more important.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
As a small anticipation, I may refer here to some SAP blogs on the subject of SAP Basis or also the VideoPodcast "RZ10 LIVE SAP BASIS AND SECURITY" from rz10.de picks up topics in the area of authorizations again and again and is instructive here :-).
You want to display certain documents in the transactions FBL*N depending on additional permission checks.