Simple changes can rise your system security. Usage of SAProuter is a good choice when correctly implemented. Login through SAP LogonPad (from version 3.0f onwards) improve the access control. SAP profile parameters shall also contain:
Rdisp/gui_auto_logout = 1800
The user connection is closed after 30 minutes without usage. This parameter is deactivated by setting the value to 0.
Login/fails_to_session_end = 3
After 3 wrong password the connection is automaticly closed.
The default value is 3, can set it to any value between 1 and 99
Login/fails_to_users_lock = 5
After 5 wrong password the user is locked. The default value is 12. Possible values are form. 1 to 99.
Login/min_password_lng = 6
Password length at least 6 characters.
Login/password_expiration_time = 90
Password expires after 3 months.
Disables special properties for for user SAP*, when this parameter is set to a value greater than 0
This parameter is set to switch off special authorization checks by customers and is the main parameter for activating the Profile Generator Tool. Values can be either Y(yes) or N(no)
对于Parameter : auth/no_check_in_some_cases再看看更详细的说明 《Note：416016》
Parameter description :
This parameter must be set to "Y" if you are using the profile generator.
The profile generator uses the authorization default values that you can manage with Transaction SU24.This transaction is also used to suppress certain authorization checks for selected transactions.
If you deactivate authorization checks using Transaction SU24, the users can carry out activities without the required authorizations.
Nevertheless, it could be useful to reduce the extent of the authorization check in the following cases, for example:
1. You are not using the authorization object connected to the authorization check (for example, you may need HR authorizations in FI even though you are not actually using the HR SAP system).
2. The authorization check for the S_TCODE object still protects the core transaction.(However, bear in mind that the authorization check S_TCODE provides only a very general level of protection.This is not a sufficient reason to suppress an authorization check.)
3. You want to avoid admitting all values (*) for all authorization fields in the authorization object.
来自 “ ITPUB博客 ” ，链接：http://blog.itpub.net/148866/viewspace-701500/，如需转载，请注明出处，否则将追究法律责任。