RFC interfaces
SAP S/4HANA® migration audit
Cybersecurity is a broad field, starting with the technical infrastructure of companies and extending to the business processes in SAP systems. Such projects must be well planned and prepared. We have already seen some negative examples of companies that wanted too much at once and then "got it wrong." When it comes to securing business processes in particular, it is important that the employees affected are brought on board and involved. Therefore, use a risk analysis to select the topics and processes that should be at the top of the list when securing.
The handling of organisational levels in PFCG roles has to be learned. If these are maintained manually, problems arise when deriving roles. We will show you how to correct the fields in question. Manually maintained organisational levels (org levels) in PFCG roles cannot be maintained via the Org. levels button. These organisational levels prevent the inheritance concept from being implemented correctly. You can recognise that organisational levels have been maintained manually when you enter values via the Org. levels button but the changes are not applied to the authorization object.
RS_ABAP_SOURCE_SCAN
Finally, we want to give you some recommendations for securing file access. The SPTH table allows you to protect the file system from accesses by ABAP programs without granting permissions, and to deliberately define exceptions. The problem is identifying the necessary exceptions. However, because the SPTH check is always performed together with the check of the S_DATASET object, you can use a long-running permission trace, filtered on the S_DATASET authorization object, to find the paths that are actually used. The procedure for this is described in detail in our Tip 39, "Maintain suggestion values by using trace evaluations". If you are using applications that access files in the DIR_HOME directory without a path, such as the ST11 transaction, you must specify access to the allowed file groups individually (e.g. dev_, gw_), because there is no wildcard for DIR_HOME.
It is important that, after the AUTHORITY-CHECK OBJECT statement has been executed, the return code in SY-SUBRC is evaluated. It must be 0; only then may the protected action (the jump) be carried out.
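An added example, not code from the original page, showing the pattern described above: a file read guarded by an explicit S_DATASET check whose SY-SUBRC is evaluated immediately after the AUTHORITY-CHECK. The report name and the sample path are constructed for illustration; the S_DATASET fields PROGRAM, ACTVT and FILENAME are the standard ones.

```abap
" Added example (not from the original page). Report name and default path
" are constructed; the authorization object S_DATASET and its fields exist
" in every SAP NetWeaver / S/4HANA system.
REPORT z_demo_dataset_check.

PARAMETERS p_file TYPE c LENGTH 128 LOWER CASE
  DEFAULT '/usr/sap/trans/log/example.log'.   " constructed sample path

DATA lv_line TYPE string.

START-OF-SELECTION.

  " ACTVT 33 = read, 34 = write, 06 = delete for S_DATASET.
  AUTHORITY-CHECK OBJECT 'S_DATASET'
    ID 'PROGRAM'  FIELD sy-repid
    ID 'ACTVT'    FIELD '33'
    ID 'FILENAME' FIELD p_file.

  " Wrong pattern (do not do this): any statement placed between the
  " AUTHORITY-CHECK and the IF, e.g. a SELECT or a function call, overwrites
  " SY-SUBRC and silently discards the result of the authorization check.

  " Correct pattern: evaluate SY-SUBRC at once. Only 0 means "authorized";
  " every other value (4 = no authorization, others = check errors) must
  " stop the protected action.
  IF sy-subrc <> 0.
    " TYPE 'E' terminates the report here; no file access takes place.
    MESSAGE 'No authorization to read this file' TYPE 'E'.
  ENDIF.

  " Reached only when the check returned 0. OPEN DATASET additionally
  " enforces S_DATASET and the SPTH path restrictions at runtime.
  OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE 'File could not be opened' TYPE 'E'.
  ENDIF.

  READ DATASET p_file INTO lv_line.
  CLOSE DATASET p_file.
  WRITE: / 'First line:', lv_line.
```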
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
The security section of the ESC is the entry point for the evaluation of permissions; therefore, it currently contains the following seven critical tests: Super User Accounts (accounts with the SAP_ALL permission profile), users with the Display all Tables permission, users with the Start all Reports permission, users with the Debug/Replace permission, users with the Display Other Users' Spool Requests permission, users with the Administer RFC Connections permission, and users with the Reset/Change User Passwords permission.
A prerequisite for the indirect assignment of PFCG roles is a well-maintained organisational model.