Manual authorizations
Use table editing authorization objects
User master record - Used to log on to the SAP system and grants restricted access to SAP system functions and objects via the authorization profiles specified in the role. The user master record contains all information about the corresponding user, including authorizations. Changes only take effect the next time the user logs on to the system. Users already logged on at the time of the change are not affected by the changes.
You can't keep an eye on everything. Therefore, avoid that your colleagues do not assign users to a user group, and thus ensure that the user master data maintenance permissions check is correct. You do not want a user without a user group to be able to be created in your SAP systems? Users without a user group can be changed by all administrators with permission for any user group. You should also prevent incomplete permission checks when assigning roles and profiles to users without a permission group. Because it is possible to assign roles and permissions to a user first, and then assign a user group that does not have permission to assign roles and profiles. Finally, do you want to change the user group for an existing user without having permission for the new user group? In the following section we will show you how to secure your user master data maintenance.
Perform upgrade rework for Y landscapes permission proposal values
Protect your system from unauthorised calls to RFC function blocks from the S_RFC authorization object by obtaining the necessary permissions using the statistical usage data. In many organisations, the primary focus in the permission environment is on protecting dialogue access. For each required transaction, you decide in detail which groups of people are allowed access. It is often overlooked that the critical S_RFC privilege object requires an analogue permission assignment. If the RFC (Remote Function Call) external access permissions are unneatly defined and assigned to the users, the S_TCODE authorization object quickly bypasses the primary protection for bootable applications.
Use the RSUSR003 standard report (or RSUSR003 transaction) to validate the default users for initial passwords and ensure the security policies associated with those users. You can define and use your own layout on the home page. After the report is executed, you will be presented with an overview of the existing standard users in the different companies. This includes the password status, a lock flag, the reasons for the lock, the number of false logins, the user validity periods and the security policies associated with the users. The security policy appears to help you understand whether these users are subject to special login or password rules.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
In this table you can enter both specific passwords (e.g. your company's name) and patterns for passwords (e.g. 1234*).
The security audit log is evaluated via the SM20 or SM20N transaction or the RSAU_SELECT_EVENTS report.