Protect Passwords
SAP Security Concepts
Do the permissions for a self-developed UI component for the SAP CRM Web Client always have to be maintained manually? Not necessarily - if you define them as suggested values for external services. If you have developed your own UI components in the Customer Name Room in SAP CRM and you want to authorise them via the default process, i.e. create a role menu for a PFCG role using the CRMD_UI_ROLE_PREPARE report, you must do some preliminary work. When you run the report, you will notice that the external services for your own developments are not present and therefore do not appear in the role menu. The only way to qualify your UI components is to manually maintain the UIU_COMP authorization object. However, you can maintain your own UI components as external services with suggestion values in the SU24 transaction and take advantage of this information in PFCG role maintenance.
We recommend that you implement all safety instructions of priority very high (1) and high (2) directly. On the other hand, you can implement medium (3) and low (4) security advisories via support packages, which you should also include regularly. If you are unable to insert a support package at the moment, SAP will also provide you with the priority 3 and 4 security advisories. For the evaluation of the security advisories, you should define a monthly security patch process.
Correct settings of the essential parameters
As part of the SAP Access Control solution, the Business Role Management component serves the central role management. In addition to other useful functions, it also offers the automation of mass maintenance of role withdrawals. To do this, you must first place the organisational matrix in the customising (transaction SPRO), i.e. you enter the values or value ranges in the Organisation Level Mapping details area for the different organisation fields. At this point, however, you do not specify which reference roles should be derived for these organisational values.
The permissions on database objects show you the details of the user's permissions to access the object. In the following example, the MODELING role includes permission to use the _SYS_BI object with the EXECUTE, SELECT, INSERT, UPDATE, and DELETE privileges. In addition, a user assigned this role is not allowed to pass these privileges on to other users (Grantable to Others). Our role as an example also includes Analytical Privileges and Package Privileges, which are not discussed here.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
In addition, you must note that you may not execute this report on systems that are used as a user source for a Java system.
Since a role concept is usually subject to periodic changes and updates, e.g. because new functions or modules are introduced or new organisational values are added, role names should be designed in such a way that they can be expanded.