RSUSRAUTH
Copy the user from the Clipboard to the Transaction SU10 selection
Before you start and define critical permissions, you should identify your core business processes or functions and then map the conflicting processes in meaningful combinations as so-called risk. The RSUSR008_009_NEW report cannot replace a GRC system (GRC = Governance, Risk, and Compliance) with the SAP Access Control component. Rather, this report should be understood and used as an indicator of the current system state. The report identifies the users that have the critical permission combinations defined in the USKRIA table. The identifier, which can also be called a risk ID, describes a combination of authorization objects with field names and field values. These are linked to one of the two operatives AND or OR available.
The Security Audit Log now logs the table or view name and the scheduled activity of external table access via RFC connections; a new message type has been defined. You can find this fix and an overview of the required support packages in SAP Note 1539105.
Assignment of critical authorizations and handling of critical users
When you create users in the SU01 transaction, do you want to automatically pre-occupy certain fields from a data source? Use a new BAdI for which we present an implementation example. If you create a user in the SU01 transaction in an SAP system, there is almost always data about that user in other systems. A classic example is user data in the Active Directory or the personnel master data in SAP ERP HCM, which are already maintained as part of the employee recruitment process. If user data is present in multiple systems, then the first choice is to automatically create a user through an identity management system, which is resolved by an HR trigger in SAP Identity Management (ID Management). ID Management detects changes, such as personnel master data, SAP ERP HCM, or business partners in SAP CRM, and either applies the appropriate users in your systems or makes changes and deactivations. But what if you don't have an identity management system in place? Do you need to type all of this data? No - you can pre-document them automatically. You can use a Business Add-in (BAdI), which allows you to pre-define certain fields when you create a user in the SU01 transaction.
If the authorization objects also require permission fields, you can create them in the SU20 transaction. When creating a authorization object in the SU21 transaction, you first set a name and description for the authorization object, and then assign it to an object class. Then assign the necessary permission fields. If any of these fields are ACTVT, you can select all of the activities to be checked by clicking the Activities button. The navigation behaviour has been improved here a lot.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
On this basis, determine which organisational characteristics (organisational levels, but also cost centres, organisational units, etc.) represent which parts of the organisation.
If necessary, you can switch it back to a dialogue user using the Emergency User.