SAP Program RSUSR005 - List of Users With Critical Authorizations

Description
Lists all users with critical authorizations.

Output
Short text explanations:
- Administration: Change users
This user is allowed to change user master records. This does not automatically mean the user has unlimited possibilities in the system. A closer examination of the user should be made with regard to the authorization objects:
S_USER_GRP User master maintenance: Authorizations groups and
S_USER_PRO User master maintenance: Authorization profile
It is particularly important whether the user is allowed to maintain or even delete users in the SUPER group. Refer also to Chapter SAP* in the online documentation for transaction SU01 'Maintain users'.
- Administration: Change profiles
This user is allowed to maintain authorization profiles and possibly activate them. If this user is not the system administrator, you must examine whether he/she can change and activate his/her own profiles. Examine the user closely with respect to the authorization objects
S_USER_PRO User master maintenance: Authorization profile and
S_USER_AUT User master maintenance: Authorizations
- Administration: Change authorizations
This user is allowed to maintain authorizations and possibly activate them. If this user is not the system administrator, you must examine whether he/she can change and activate his/her own authorizations. Examine the user closely with respect to the authorization object
S_USER_AUT User master maintenance: Authorizations
- Administration: Start background jobs under any name
Background jobs are normally run under the user master that was used to schedule the job. This user can run jobs under any other name, e.g. the name of the system administrator. If the user displayed is not the system administrator, there is an authorization error for object
S_BTCH_NAM Background processing: Specification of background user name
- Administration: Start background jobs under another name
Background jobs are normally run under the user master that was used to schedule the job. This user can run jobs under another name. You should examine whether the user is allowed to enter the required names; refer here to object
S_BTCH_NAM Background processing: Specification of background user name
- Administration: All authorizations for background jobs (Batch administrator)
This user must be the system administrator. Otherwise there is an authorization error. Users with value Y for authorization object
S_BTCH_ADM Background processing: Batch administrator
have unlimited possibilities within background processing.
- Administration: Release background jobs or display logs
This user is allowed to release background jobs and therefore execute all reports that are not protected by an authorization group in the attributes. See authorizations for object
S_BTCH_JOB Background processing: Operations on background jobs
- Administration: Computer center operation (change authorization)
This user has extensive authorizations in the CCMS transactions, such as authorization to start up and shut down the server. This should be left to the system administrator only. Note the authorizations for object
S_RZL_ADM Computing Center Management System: System administration
- Administration: Network, processes, update, clients, spool ...
This user can, for example, define RFC connections, stop work processes, log off external users, delete or restart update requests, create new clients in the system, change the spool settings etc. These authorizations should be reserved for the system administrator. Note the authorizations for object
S_ADMI_FCD System authorizations
- Administration: Execute external operating system commands
This user can execute external operating system commands, i.e. operations at operating system level. In general, only the system administrator should be allowed to do this. See also the authorizations for object
S_LOG_COM Authorization to execute external operating system commands
- Administration: Operations on protected spool requests
The user can change attributes of protected spool requests, output protected spool requests more than once, redirect spool requests to other printers or delete protected spool requests. Note the authorizations for object
S_SPO_ACT Spooler: Actions
- Administration: Output to all printers allowed
The user can print on all output devices. See also the authorizations for object
S_SPO_DEV Spooler: Device authorizations
- Administration: Operations on external TemSe objects
The user can generate, read, delete or add external TemSe objects. TemSe manages objects with temporary sequential data. See also the authorizations for object
S_TMS_ACT TemSe: Actions to/on TemSe objects
- Customizing: Change all tables
The user can display and change all tables using transactions SM30 or SM31 or possibly through function modules. Only central Customizing or system administration should be allowed to do this. See also the authorizations for object
S_TABU_DIS Table maintenance (via standard tools, such as SM31 for example)
- Customizing: Change all Basis tables
The user can display and change all Basis tables using transactions SM30 or SM31 or possibly through function modules. Only central Customizing or system administration should be allowed to do this. See also the authorizations for object
S_TABU_DIS Table maintenance (via standard tools, such as SM31 for example)
- Customizing: Change client-independent tables
The user can make changes to client-independent tables. If full use is made of the client concept, improper maintenance of these tables can produce undesired side effects. See also the authorizations for object
S_TABU_CLI Table maintenance, client-independent tables
- Development: Maintain program or Dictionary
The user can execute the development environment tools and thus has unlimited possibilities in the system. For example, the developer can display any DB table through an ABAP/4 program or even modify it. Furthermore, it is possible for the developer to extend his/her authorizations (if they are limited). For security reasons, only the system administrator should own developer authorizations in the production system. See also the authorizations for object
S_DEVELOP ABAP/4 Development Workbench
- Development: Transport system
The user can create and release transport requests. This will normally be found in connection with the developer authorization in the development or test system. Production systems, for which it is important to maintain a high level of security, should be physically separated from the development system (to prevent transport requests and therefore programs reaching the production system unchecked). Only the system administrator should own the transport authorization in the production system. See also the documentation and authorizations for the object
S_TRANSPRT Correction/transport system and request management
- Revision: Display users
This user can display user master records. An attempt to determine the user master of the system administrator for malicious purposes is feasible. Therefore, you should restrict the number of users who receive this authorization. See authorizations for object
S_USER_GRP User master maintenance: User groups
- Revision: Display profiles
This user can display authorization profiles. An attempt to determine the profiles important for security for malicious purposes is feasible. Therefore, you should restrict the number of users who receive this authorization. See authorizations for object
S_USER_PRO User master maintenance: Authorization profile
- Revision: Display authorizations
This user can display authorizations. An attempt to determine the authorizations important for security for malicious purposes is feasible. Therefore, you should restrict the number of users who receive this authorization. See authorizations for object
S_USER_AUT User master maintenance: Authorizations
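
Added example (not part of the SAP documentation or the report's own code): a small offline review script that sorts exported authorization values into a few of the categories above, covering the SUPER group check, "any name" versus "another name" for S_BTCH_NAM, and value Y for S_BTCH_ADM. The row layout, user names and matching rules are assumptions for illustration; field names CLASS, ACTVT, BTCUNAME and BTCADMIN and activity codes 02 (change) and 03 (display) are the standard SAP ones, and value ranges are not handled.

```python
from fnmatch import fnmatchcase

def covers(values, wanted):
    """True if any granted value (possibly a pattern such as 'SU*' or '*') covers wanted."""
    return any(fnmatchcase(wanted, v) for v in values)

def classify(obj, fields):
    """Map one authorization (object plus field values) to report-style findings."""
    actvt = fields.get("ACTVT", [])
    findings = []
    if obj == "S_USER_GRP":
        if covers(actvt, "02"):  # assumption: 02 = change
            findings.append("Administration: Change users")
            if covers(fields.get("CLASS", []), "SUPER"):
                findings.append("  -> can maintain users in group SUPER")
        elif covers(actvt, "03"):  # assumption: 03 = display
            findings.append("Revision: Display users")
    elif obj == "S_BTCH_NAM":
        names = fields.get("BTCUNAME", [])
        if "*" in names:
            findings.append("Administration: Start background jobs under any name")
        elif names:
            findings.append("Administration: Start background jobs under another name")
    elif obj == "S_BTCH_ADM" and "Y" in fields.get("BTCADMIN", []):
        findings.append("Administration: All authorizations for background jobs")
    return findings

def audit(rows):
    """Collect de-duplicated findings per user, in the order they are found."""
    report = {}
    for user, obj, fields in rows:
        for finding in classify(obj, fields):
            if finding not in report.setdefault(user, []):
                report[user].append(finding)
    return report

# Constructed sample export: (user, authorization object, {field: [values]}).
SAMPLE = [
    ("BASIS_ADM", "S_USER_GRP", {"ACTVT": ["*"], "CLASS": ["*"]}),
    ("BASIS_ADM", "S_BTCH_ADM", {"BTCADMIN": ["Y"]}),
    ("HELPDESK", "S_USER_GRP", {"ACTVT": ["02", "03"], "CLASS": ["SALES"]}),
    ("JOBSCHED", "S_BTCH_NAM", {"BTCUNAME": ["BATCH_FI"]}),
    ("AUDITOR", "S_USER_GRP", {"ACTVT": ["03"], "CLASS": ["*"]}),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(user, findings)
```

Any user other than the system administrator that appears with a SUPER group or batch administrator finding is the case the text above says to examine more closely.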