Perform upgrade rework for Y landscapes permission proposal values
Use SAP_NEW correctly
The SAP Solution Manager is the central platform for all technically supported services, because information about the connected systems is available when you schedule data collections for these systems via background jobs. The documentation for the safe operation of SAP systems is compiled in the SAP End-to-End Solution Operations Standard for Security (Secure Operations Standard). It provides an overview of security aspects of SAP operations and is designed to guide you through the available information and recommendations and to refer you to relevant content.
Of course, you can also use the data obtained with the permission trace (with filter for the S_DATASET authorization object) to express permissions on the object itself. In any case, you should also use the values obtained for the PROGRAM field. In this way, you exclude misuse by modified copies of ABAP programmes. This limitation of access programmes already represents a security gain, even if you do not want to restrict access to paths and files.
Implementing Permissions Concept Requirements
Due to the complexity of an SAP® authorization concept, it is necessary that all essential aspects are set down in a written documented authorization concept. This should describe the essential processes, but also how to handle the assignment of authorizations via roles. In particular, the nomenclature of specially created roles must be clearly defined. It should therefore be checked whether all changes since the last audit have been documented in the written authorization concept. After all, this document serves the auditor as a template for the so-called target/actual comparison. This means that the auditor compares the document with the actual status in the SAP® system for the main topics relevant to the audit. Any discrepancy can lead to a finding that must be avoided.
You should therefore enforce cryptographic authentication and communication encryption by setting up Secure Network Communication (SNC). SNC provides a strong cryptographic authentication mechanism, encrypts data transmission, and preserves the integrity of the transmitted data. For some time now, SNC is freely available without a SSOMechanism (SSO = Single Sign-on) for SAP GUI and the RFC communication of all SAP NetWeaver customers. You should always implement SNC between SAP GUI and application server, as this communication can also run over open networks. For RFC communication, you need an SNC implementation if you think the data transfer could be intercepted.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Not only does the transaction need to be started by the S_TCODE authorization object, but the following conditions must also be met: For certain transactions, there are additional permission checks that are performed before the transaction starts.
Any error in the authorization system falls within the remit of a company's data protection officer.