Friday, 28 November 2014

How to Disable Access to INFOTYPE 0008 in HR Security



Infotype 0008 lets users look at other people's basic pay. This data is confidential and has to be protected, so we must restrict this access for users who have access to HR data.

Here I will tell you how to achieve it.

1. Go to SE16N, open the table TOBJ (Authorization Objects), enter the field value INFTY and execute.

2. You can now see all the authorization objects that have the field INFTY. Next we need to check which tcodes have access to this list of authorization objects.

3. Go to table TSTCA in tcode SE16N and enter the list of authorization objects.

4. Execute and you will get a list of tcodes that have the authorization field INFTY. Remove the duplicate values in Excel and you will get a list of HR tcodes such as PA20, PA30, PA40, etc.

5. That's it, you are almost done. Now check who has access (or whose access to infotype 0008 in HR data you want to disable) by pulling a report in SUIM, and make the changes in the corresponding roles assigned to those users.
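Steps 1 to 4 can be scripted instead of deduplicated by hand in Excel. The following is an added example, not part of the original post: it assumes TOBJ and TSTCA were exported from SE16N to CSV with the technical field names as column headers (OBJCT, FIEL1 and so on, TCODE). The sample rows are constructed and the function names are hypothetical.

```python
import csv
import io

# Constructed sample exports (SE16N -> CSV); not data from a real system.
TOBJ_CSV = """OBJCT,FIEL1,FIEL2,FIEL3,FIEL4
P_ORGIN,INFTY,SUBTY,AUTHC,PERSA
P_PERNR,AUTHC,PSIGN,INFTY,SUBTY
S_TCODE,TCD,,,
"""
TSTCA_CSV = """TCODE,OBJCT,FIELD,VALUE
PA20,P_ORGIN,AUTHC,R
PA30,P_ORGIN,AUTHC,W
PA30,P_PERNR,AUTHC,W
PA40,P_ORGIN,AUTHC,W
SU01,S_USER_GRP,ACTVT,03
"""

def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def objects_with_field(tobj_rows, field="INFTY"):
    """Steps 1-2: objects that carry `field` in ANY of their FIELn columns,
    not only the first one (P_PERNR above has it in the third position)."""
    hits = set()
    for row in tobj_rows:
        cols = [v.strip().upper() for k, v in row.items()
                if k and k.upper().startswith("FIEL") and v]
        if field in cols:
            hits.add(row["OBJCT"].strip())
    return hits

def tcodes_for_objects(tstca_rows, objects):
    """Steps 3-4: deduplicated tcodes, each mapped to the matching objects."""
    result = {}
    for row in tstca_rows:
        obj = row["OBJCT"].strip()
        if obj in objects:
            result.setdefault(row["TCODE"].strip(), set()).add(obj)
    return dict(sorted(result.items()))

def infty_tcodes(tobj_text=TOBJ_CSV, tstca_text=TSTCA_CSV):
    objs = objects_with_field(load(tobj_text))
    return objs, tcodes_for_objects(load(tstca_text), objs)

if __name__ == "__main__":
    objs, tcodes = infty_tcodes()
    print("Objects with INFTY:", sorted(objs))
    for tcode, used in tcodes.items():
        print(tcode, "->", ", ".join(sorted(used)))
```

The resulting tcode list is the input for the SUIM report in step 5.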

Hope this document is helpful to you, and do share :)

Wednesday, 26 November 2014

SAP System Profile Parameter for SAP Security

Login System Profile Parameters for SAP Security:

Here is a set of system profile parameters required for SAP security. They enhance protection, give us control over SAP logon, and are useful for implementing SAP security in your landscape.

This is the first set of profile parameters; I will post the next set of system profile parameters required for Basis and Security in an upcoming post.


| Profile parameter | Description | Default value | Recommended value |
|---|---|---|---|
| login/min_password_lng | Minimum password length for user password | 3 | 3 |
| login/password_expiration_time | Number of days between forced password changes | 0 | 90 |
| login/fails_to_session_end | Number of invalid logon attempts allowed before the SAP GUI is disconnected | 3 | 3 |
| login/fails_to_user_lock | Number of invalid logon attempts within a day before the user ID is automatically locked by the system | 12 | 5 |
| rdisp/gui_auto_logout | Time, in seconds, after which SAPGUI is automatically disconnected because of inactivity | 0 | 30 |
| auth/test_mode | Switch to report RSUSR400 for authority check | N | N |
| auth/system_access_check_off | Switch off automatic authority check | N | N |
| auth/no_check_in_some_cases | Special authorization checks turned off by customer | N | Y |
| login/ext_security | Security access controlled by external software | N | N |
| auth/rfc_authority_check | Permission for remote function calls from within ABAP programs | 0 | 1 |
| login/failed_user_auto_unlock | Disable system function for automatic unlock of users at midnight | 0 | 1 |
| login/no_automatic_user_sapstar | Disable the ability to log on as SAP* with the password PASS when SAP* is deleted | 0 | 1 |
| auth/no_check_on_tcode | Disable check of S_TCODE on non-basis transactions | N | N |
| auth/auth_number_in_userbuffer | Number of authorizations allowed in the user buffer | 800 | 1000 |
| auth/authorization_trace | Every trace will be logged once in table USOBX | N | N |
| auth/check_value_write_on | Write value for SU53 security checking/authorization failure | Y | Y |




 Hope this document is helpful to you.