
Security review

Former Member
0 Kudos

Hi All,

How to perform security review for existing users, roles and authorisations? What all to check? How should I proceed?

Can someone give me some information, how to perform this?

Regards,

Sandhya

1 ACCEPTED SOLUTION

Former Member
0 Kudos

In addition to what the others have already said, what you might want to consider doing is starting transaction SECR. It will inform you about the role-based menu of the Audit Information System which contains many security relevant checks which you can try out and learn the use of.

Assign these "audit" roles to your ID and the menus will appear. You can also read an explanation for the checks, before executing them in the report trees.

Cheers,

Julius

3 REPLIES 3

jurjen_heeck
Active Contributor
0 Kudos

Start by reading the sticky thread at the top of the forum.

Your question is way too general to be answered in this forum. As you'll find in the sticky and its linked threads, such questions hardly ever get a satisfying answer.

What is your position, from which standpoint do you need this information?

Former Member
0 Kudos

Hi Sandhya,

I agree with Jurjen on this one.

When you say Security review, it is a very broad term and I think the way you put it is more about Access Controls in SAP.

I would strongly suggest you go through the SDN threads where folks had already asked similar details and possibly look into SDN blogs and library.

I think as a best startup, I would suggest to go and start looking from SAP HR if you have it. Or alternatively you can start working from LDAP, UME or any other corporate database of Users. Identify the HR Job titles and Business Roles Users currently occupy.

Then try to find the mapping of the HR position to the existing SAP technical roles. Document all your observations in spreadsheets.

You can now go a little deeper into what access the users exactly have by looking at the tcodes in the roles. It may take a long time and you may have to do a series of discussions of why some tcodes are used by users even though they should not have to...

You may have to look into Segregation of Duties and Compliance details while checking the roles and Users Access.

I think this will give you a good starting point. Let us know if you don't understand any of the above.

Regards,

Kiran Kandepalli.
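The review steps described in the reply above (map HR job titles to roles, expand the roles to tcodes, then look for access the job does not need and for Segregation of Duties conflicts) can be run over spreadsheet exports. This is an added example, not part of the original thread; the users, role names, CSV column names, job baseline and SoD rule are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real data); column names are assumptions.
USERS_CSV = """user,job_title
ASMITH,AP Clerk
CLEE,AP Clerk
"""
USER_ROLES_CSV = """user,role
ASMITH,Z_AP_INVOICE
CLEE,Z_AP_INVOICE
CLEE,Z_VENDOR_MAINT
CLEE,Z_PAYMENTS
"""
ROLE_TCODES_CSV = """role,tcode
Z_AP_INVOICE,FB60
Z_VENDOR_MAINT,FK01
Z_PAYMENTS,F110
"""
# Hypothetical baseline agreed with the business: tcodes each job title needs.
JOB_BASELINE = {"AP Clerk": {"FB60"}}
# Hypothetical SoD rule set: tcode pairs one user should not hold together.
SOD_RULES = [("FK01", "F110", "maintain vendor + run payments")]

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def review(users_csv, user_roles_csv, role_tcodes_csv):
    role_tcodes = defaultdict(set)
    for r in rows(role_tcodes_csv):
        role_tcodes[r["role"]].add(r["tcode"])
    # Per user: tcode -> roles granting it, so each finding names its source.
    access = defaultdict(lambda: defaultdict(set))
    for r in rows(user_roles_csv):
        for tcode in role_tcodes[r["role"]]:
            access[r["user"]][tcode].add(r["role"])
    findings = []
    for u in rows(users_csv):
        held = access[u["user"]]
        baseline = JOB_BASELINE.get(u["job_title"], set())
        for tcode in sorted(set(held) - baseline):
            findings.append((u["user"], "EXCESS", tcode, sorted(held[tcode])))
        for a, b, why in SOD_RULES:
            if a in held and b in held:
                findings.append((u["user"], "SOD", why, sorted(held[a] | held[b])))
    return findings

for finding in review(USERS_CSV, USER_ROLES_CSV, ROLE_TCODES_CSV):
    print(finding)
```

Each finding names the roles that grant the access, which is the starting point for the follow-up discussion with the role owner.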
