Audit controls are not the best way to identify risks coming from bad habits in the SAP system administration.
As discussed in the previous posts, SAP system security is complex to define and manage because the modules are so tightly integrated. One consequence is that some risks go unobserved: they stem from day-to-day security administration, which is not always well controlled and is monitored even less.
Let me show you an example: transactions and authorisations that users continue to use even though their role assignment has already reached its expiry date and is flagged as expired.
How to detect such a condition with CentinelBox:
How to solve this problem?
There are two ways of addressing this issue:
1. By running the PFUD transaction and the PFCG_TIME_DEPENDENCY report, which also adjust the user master records in terms of the assigned privileges.
They perform similar tasks, adjusting the master data of user accounts together with their privileges, which makes it possible to deny access through expired roles.
This action can be scheduled as a background job (PFCG_TIME_DEPENDENCY, which runs the RHAUTUPD_NEW program) so that it is executed automatically.
Put simply, both reports remove the privileges granted through roles whose validity has lapsed. However, those roles still appear among the assigned roles in transaction SU01.
2. By running the PRGN_COMPRESS_TIMES report, which removes role assignments that have expired. This report performs several tasks:
Below you will see a simulation of the process:
To run it for real, uncheck the simulation option, check the option to execute and delete expired assignments, and execute.