SAP Audit Information and ApproachVIP专享VIP免费

SAPAuditInformationandApproachAuthorizationExample1.UserMasterRecordUser:FrankW.LyonsProfile:Example2.Profile:ExampleObject:Authorizations:S_ProgramABAP:3.Authorization:ABAP:Object:S_ProgramValues:Fields:*ProgramGroupSUBMIT,VARIANTActivityAuthorizationSystem:1.ProfilesOneormoreassignedtoauser2.ObjectsMustbeuniquenameswithoneormorefields3.FieldsContainvaluesforauthoritychecking4.AuthorizationsCanhavethesamenamesastheyarephysicallyandphysicallylinkedtoanobjectFieldgroupforanobjecthasmultiplevaluesandcanbesharedacrossobjectsInitialDefaults1.InitialClientsClient000StandardmodelClient001Modelforuserdefinedclients.(template)2.InitialUserIdsSAP*Defaultsuperuser.AusermasterrecordiscreatedduringinstallationbutitisnotneededbySAP*toaccessthecompletesystem.IftheSAP*masterrecordisdeleted,theSAP*accounthasthefollowingspecialprivileges:ItisnotsubjecttoauthorizationchecksandthereforehasallauthorizationsIthasthepassword“PASS”,whichcannotbechangedwithoutcreatinganewusermasterrecord.Topreventdeletion,assignSAP*usertoagroupcalledSUPERandonlysuperusershouldbeabletomaintainusergroupSUPER.3.InitialSecurityParametersParametersforuserlogonlogin/min_password/lngMinimumpasswordlengthdefaultis(3)login/password_expiration_timeNumberofdaysafterwhichapasswordmustbechanged.Thedefaultiszero,whichdoesnotenforcepasswordchanges.Recommendedvalue=45.login/fails_to_session_endNumberoftimesausercanenteranincorrectpasswordbeforethesystemendstheloginattempt.Thedefaultis(3).login/fails_to_user_lockNumberoftimesausercanenteranincorrectpasswordbeforethesystemlockstheuseragainstfurtherlogonattempts.Thedefaultis(12).Recommend(3).Whenapasswordislockedinthismanner,itisautomaticallyunlockedbythesystematthestartofthenextday(midnight).AddingUsers1.Eachusermusthaveamasterrecord.2.Eachusermasterrecordreferstooneormoreprofilesthatdeterminetheaccessrightsfortheuser.3.Masterrecordcontains:UserIDPasswordUsergroupsUsertypePeriodofvalidityreferencestoauthorizationprofilesMasterrecordscanbedeletedbutitwillaffecttheaudittrail.Bettertolocktheuser’smasterrecordMenuPath:Tools-Administration-UserMaintenance-User-Lock/Unlock.4.UserGroupIfapersonisassignedtoausergroup,onlytheadministratorswhoareauthorizedforthatusergroupcanalterusermasterrecords.Ifauserisnotassignedtoagroupthenanyuseradministratorcanaltertheusermasterrecord.AddingProfilesProfilesandAuthorizationsexistinbothmaintenanceandactiveversions.Allowsforupdatestomaintenancebeforeitisactivated.Separationofmaintenanceandactivationfunctions.1.SystemProfilesSAPStandardandSuperUserProfilesS_A.SYSTEMUnlimitedaccesstoallusers,profiles,andauthorizationsS_A.ADMINAuthorizationsforSAPsystemadministration.Thisincludesallauthorizationsexceptfor:MaintenanceofusersinusergroupSUPERMaintenanceofprofilesandauthorizationswithnamesbeginning“S_A.”S_A.CUSTOMIZAuthorizationsforuseintheSAPCustomizingsystemS_A.DEVELOPAuthorizationsforuseintheSAPDevelopmentenvironment(excludesanyuserorprofileauthorizations)S_A.USERBasissystemauthorizationsforend-users(e.g.,S_Program,S_DBC_MONI,etc.2.StartupProfilesProfileNameDescriptionS_ABAP_ALLAllABAP/4authorizationsS_ADMI_ALLAllsystemadministrationfunctionsS_BDC_ALLAllbatchinputactivitiesS_BTCH_ALLAllbatchprocessingauthorizationsS_DDIC_ALLDDIC:AllauthorizationsS_DDIC_SUDataDictionary:AllauthorizationsS_NUMBERNumberra...