
SAP – SU24 is the blueprint for your security setup

A key element in maintaining SAP roles correctly is knowing how your transactions and authorization objects are linked; in technical terms, SU24. It is an aspect that many underestimate, mainly because it is hard to get a grip on. With this post I want to clarify why it is important to use SU24 and which aspects need to be taken into consideration. In coming posts I will take a deep dive into each of these aspects.

1) Why is an updated SU24 base important?

The only place where transaction codes are linked to authorization objects and proposed values is SU24. You can use this information for a number of things, but an up-to-date SU24 database is especially important during role maintenance, because otherwise how will you know which objects and values to add to your roles? If you don't update SU24, you might as well not use PFCG and just create profiles by hand.

The following areas emphasize why this is important:

2) Understand and use the authorization object status in connection with PFCG

The status of each authorization object inside a role has a clear meaning. If you don't understand the message each status represents, you will run into problems with maintenance. In particular, you need to keep an eye on objects with status Changed or Manual, but more on this in a coming post :)

3) Build a process for reviewing roles after each SU24 update

Once you have a handle on SU24 and the authorization object statuses, you need a process for reviewing all roles that contain a transaction whose SU24 entry has been updated. This includes updates you make during daily maintenance and house cleaning, but also those that arrive when you upgrade the system. Only by reviewing and updating all affected roles will you have full control over your authorization concept. In another coming post, I will go into detail on how to use the role maintenance options on the authorization folder in PFCG.

4) Information is king

Once SU24 is fully updated, utilize the information any way you can. I often use it to identify the authorization objects currently in use, obsolete custom-developed objects, opportunities to optimize testing, and many other things. In any case, the foundation is an up-to-date SU24 database.
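To make points 1 to 3 concrete, here is an added Python model of how SU24 proposals flow into a role and what happens at a merge after an SU24 update. This is example code written for this page, not SAP's implementation or the author's own tooling: the SU24 content is constructed, and the status rules are a deliberate simplification (Standard objects are refreshed from the new proposal; Maintained, Changed and Manual objects are kept untouched and listed for review). Use it to reason about which objects a review after an SU24 change has to look at.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    STANDARD = "Standard"      # values exactly as proposed by SU24
    MAINTAINED = "Maintained"  # SU24 proposed the object but left a field open; admin filled it
    CHANGED = "Changed"        # admin altered a value that SU24 had proposed
    MANUAL = "Manual"          # object inserted by hand, no SU24 proposal behind it


@dataclass
class Authorization:
    obj: str
    fields: dict                                   # field -> set of values (empty = open)
    status: Status
    proposed: dict = field(default_factory=dict)   # SU24 proposal at the time of the last merge


def _copy(fields):
    return {f: set(v) for f, v in fields.items()}


def proposals_for(transactions, su24):
    """Merge the SU24 proposals of every transaction in the role menu, per object."""
    merged = {}
    for tcode in transactions:
        for obj, fields in su24.get(tcode, {}).items():
            target = merged.setdefault(obj, {})
            for fname, values in fields.items():
                target.setdefault(fname, set()).update(values)
    return merged


def derive_status(auth):
    """Status an object shows after an edit, derived from proposal versus current values."""
    if auth.status == Status.MANUAL:
        return Status.MANUAL
    status = Status.STANDARD
    for fname, values in auth.fields.items():
        proposed = auth.proposed.get(fname, set())
        if proposed and values != proposed:
            return Status.CHANGED
        if not proposed and values:
            status = Status.MAINTAINED
    return status


def build_role(transactions, su24):
    """Initial PFCG build: every proposed object enters with status Standard."""
    return [Authorization(obj, _copy(f), Status.STANDARD, _copy(f))
            for obj, f in proposals_for(transactions, su24).items()]


def set_value(role, obj, fname, values):
    """Administrator edits one field of an object in the role; returns the new status."""
    for auth in role:
        if auth.obj == obj:
            auth.fields[fname] = set(values)
            auth.status = derive_status(auth)
            return auth.status
    raise KeyError(obj)


def add_manual(role, obj, fields):
    role.append(Authorization(obj, _copy(fields), Status.MANUAL))


def merge_after_su24_update(role, transactions, su24):
    """Re-read SU24 after an update (model assumption): Standard objects follow the new
    proposal; every other status is kept untouched and reported for review (point 3)."""
    new = proposals_for(transactions, su24)
    merged, review = [], []
    for auth in role:
        if auth.status == Status.STANDARD:
            if auth.obj in new:                       # refresh from the new proposal
                merged.append(Authorization(auth.obj, _copy(new[auth.obj]),
                                            Status.STANDARD, _copy(new[auth.obj])))
            # a Standard object whose proposal was withdrawn drops out of the role
        else:
            merged.append(auth)
            review.append((auth.obj, auth.status.value, auth.obj in new))
    present = {a.obj for a in merged}
    for obj, fields in new.items():                   # objects newly proposed by SU24
        if obj not in present:
            merged.append(Authorization(obj, _copy(fields), Status.STANDARD, _copy(fields)))
    return merged, review


# Constructed SU24 content: the object names exist in SAP, the proposals are illustrative.
SU24_BEFORE = {"SE16": {"S_TABU_DIS": {"ACTVT": {"03"}, "DICBERCLS": set()}}}
SU24_AFTER = {"SE16": {"S_TABU_DIS": {"ACTVT": {"03"}, "DICBERCLS": set()},
                       "S_TABU_NAM": {"ACTVT": {"03"}, "TABLE": set()},
                       "S_GUI": {"ACTVT": {"61"}}}}


def run_scenario():
    role = build_role(["SE16"], SU24_BEFORE)
    s1 = set_value(role, "S_TABU_DIS", "DICBERCLS", {"FI"})     # open field filled -> Maintained
    s2 = set_value(role, "S_TABU_DIS", "ACTVT", {"02", "03"})   # proposed value widened -> Changed
    add_manual(role, "S_TABU_NAM", {"ACTVT": {"03"}, "TABLE": {"ZCUSTOM"}})
    merged, review = merge_after_su24_update(role, ["SE16"], SU24_AFTER)
    statuses = {a.obj: a.status.value for a in merged}
    return s1.value, s2.value, statuses, review


if __name__ == "__main__":
    print(run_scenario())
```

The scenario ends with S_TABU_DIS still Changed (the widened ACTVT survives the merge), the hand-added S_TABU_NAM still Manual even though SU24 now proposes it, and S_GUI newly arrived as Standard. The review list is exactly the set of objects a person has to look at after the SU24 update; the Standard ones took care of themselves.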

SAP: Table Access Management

A small change from SAP with a big effect has arrived in the area of table security.

SAP's standard solution for table security has always been to group tables into authorization groups, which users are then granted access to through the object S_TABU_DIS, thereby receiving access to every table in that authorization group. For many years this has been the only standard solution for managing table authorizations.

A clear disadvantage has always been the question of what criteria the table groups should be based on: criticality? Business area? Or something else? Regardless of the answer, maintaining the table groups means spending many resources on managing the group structure.

SAP's solution is the introduction of security management on a table-name basis. Instead of grouping tables into authorization groups and then granting access to the groups, SAP has now made it possible to use S_TABU_NAM to assign access directly to a specific table.

FANTASTIC!

See SAP's description at the link below or in OSS Note 1481950:

http://help.sap.com/saphelp_nw73/helpdata/en/4c/a0ac7a68243b9ee10000000a42189b/frameset.htm

“To also protect tables that are not assigned to an authorization group, you can also use the authorization object S_TABU_NAM. It is integrated into the authorization check of the central function module VIEW_AUTHORITY_CHECK. In this case, the system first checks S_TABU_DIS. If this authorization check is not successful, the system also checks S_TABU_NAM.”
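The quoted check order matters for how you review existing roles, so here is an added Python model of that order (example code written for this page, not SAP's VIEW_AUTHORITY_CHECK). The table-to-group assignments and the three user authorization sets are constructed, the AUTHORITY-CHECK matching is simplified to '*' and prefix patterns, and the model assumes that a table without an authorization group is checked under the placeholder group &NC& in S_TABU_DIS; S_TABU_CLI and S_TABU_LIN are left out.

```python
# Constructed sample data: table -> authorization group; None means the table was never
# assigned to a group. The table names exist in SAP, the group assignments are illustrative.
TABLE_GROUPS = {"KNA1": "FI", "USR02": "SC", "ZCUSTOM": None}

# Assumption of this model: an unclassified table is checked under the placeholder
# group &NC& in S_TABU_DIS, so a '*' in DICBERCLS reaches it as well.
NOT_CLASSIFIED = "&NC&"


def _match(pattern, value):
    """SAP-style field value matching: '*' is everything, 'AB*' is a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(user_auths, obj, **fields):
    """Simplified AUTHORITY-CHECK: one single authorization for obj must cover every field."""
    for auth in user_auths.get(obj, []):
        if all(any(_match(p, value) for p in auth.get(fname, set()))
               for fname, value in fields.items()):
            return True
    return False


def view_authority_check(user_auths, table, actvt):
    """Check order quoted from the SAP help: S_TABU_DIS first, S_TABU_NAM only if that
    fails. Returns the object that granted access, or None."""
    group = TABLE_GROUPS.get(table) or NOT_CLASSIFIED
    if authority_check(user_auths, "S_TABU_DIS", DICBERCLS=group, ACTVT=actvt):
        return "S_TABU_DIS"
    if authority_check(user_auths, "S_TABU_NAM", TABLE=table, ACTVT=actvt):
        return "S_TABU_NAM"
    return None


def access_matrix(user_auths, actvt="03"):
    """Which tables a user reaches for an activity (03 = display, 02 = change) and via what."""
    return {t: view_authority_check(user_auths, t, actvt) for t in TABLE_GROUPS}


# Constructed users
AUDITOR = {"S_TABU_DIS": [{"DICBERCLS": {"FI"}, "ACTVT": {"03"}}]}          # group-based, read-only
DEVELOPER = {"S_TABU_NAM": [{"TABLE": {"ZCUSTOM"}, "ACTVT": {"02", "03"}}]}  # single table by name
BROAD = {"S_TABU_DIS": [{"DICBERCLS": {"*"}, "ACTVT": {"03"}}]}             # wildcard group access

if __name__ == "__main__":
    for name, auths in (("auditor", AUDITOR), ("developer", DEVELOPER), ("broad", BROAD)):
        print(name, access_matrix(auths))
```

Two things to take from the matrix when reviewing roles: the developer reaches ZCUSTOM through S_TABU_NAM without any table group having to exist, which is the point of the new object; and because S_TABU_DIS is evaluated first and a wildcard group also covers the unclassified tables, introducing S_TABU_NAM does not narrow anything for a user who already holds DICBERCLS '*'. The existing S_TABU_DIS grants have to be reviewed and reduced separately.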