Security in development systems
Conclusion
Your system landscape does not correspond to a typical three-system landscape? Find out what you should consider when upgrading the suggested values of roles. Your system landscape may differ from the typical three-system landscapes, for example, because you have several development systems or development mandates. Transports are then used to merge all developments and customising entries into one consolidation system. Perform your upgrade work in the SU25 transaction and use Step 3 to transport your SU24 data. By contrast, perform this step in all development systems, run all transports together in your consolidation system, and only the last import of the tables is used. The same entries are also recognised as deleted entries. The same is true with your PFCG rolls. Maintain these in multiple development systems or mandates, and if you now want to transport the rolls with their generated profiles, there is a risk that the profile numbers will be the same, as the profile names consist of the first and third characters of the system ID and a six-digit number. If the profiles originate from the same system (even if the client is a different one), import errors may occur due to the same profile names. In addition, the origin of the profile can no longer be traced afterwards. Therefore, you need a way to transport the data for the permission proposal values and the PFCG rolls in Y landscapes in a transparent and consistent way.
Always make sure you use the latest version of the Note Assistant. To do this, look for SAP hints about the BC-UPG-NA component in the system recommendations. We also recommend that you perform the security patch process as part of a release or support package upgrade to avoid additional testing by security advisories already released at the time of the upgrade.
Critical authorizations
The general SAP authorizations are used most often and for many things they are sufficient. For example, if only the HR department has access to the SAP HCM system. However, if other users come onto the system and you only want to allow them access to a limited number of personnel, then in the case of the general authorizations you have to deal with the organization key of infotype 1 (VSDK1), which must be hard-coded into the authorization roles. If ESS/MSS or Manager Desktop etc. now come into play, however, this means a large number of authorization roles, namely a separate one for each manager. This makes maintenance and servicing very time-consuming and your authorization concept becomes opaque, which in turn brings the much-quoted auditor onto the scene.
Depending on the transaction invoked, the application can be more granular checked by this additional permission check. Therefore, transactions that are called with additional parameters might require more than one authorization object and must be protected programmatically. The following listing shows an example of a permission check that ensures that the logged-in user has the permission to start the SU24 transaction.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
For example, if only the HR department has access to the SAP HCM system.
If you want to check custom fields, you must create your own permission fields in the transaction SU20.