Authority Checks in custom programs

Question: The ABAP team at my client did not consistently include the appropriate Auth Checks in their custom programs. As a result, I have been assigned the responsibility to correct this for the client's next rollout.

The corrective action states:

Security Team develops a Quality Assurance process to ensure that the appropriate Authority Check statements are included in all custom programs for Wave 2.

Does anyone have any suggestions on how to best streamline this process?

Thank you in advance.

Answer:
This should be part of the func spec: have a controls requirement.

If there is the requirement for control, make sure that a control objective is defined, e.g. line items should only be returned if the user has authorisation for the company code, etc.

The tech spec should detail how they are going to achieve that & it should be coded into the customisation & +ve & -ve testing of the control included as part of signoff.

Obviously you need to plug in appropriate people/teams to suit your project/company setup.
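
A QA gate for the sign-off discussed above can be partly automated by scanning exported custom sources before transport. The script below is an added example, not code from the original thread: the program names and ABAP snippets are constructed, the company-code object `F_BKPF_BUK` stands in for whatever object the control objective names, and the statement splitting is a heuristic rather than a full ABAP parser.

```python
import re

# Constructed ABAP snippets (not from the original thread); program names are hypothetical.
SAMPLES = {
    "ZFI_ITEMS_OK": """REPORT zfi_items_ok.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorised for company code' TYPE 'E'.
ENDIF.
SELECT * FROM bsis INTO TABLE lt_items WHERE bukrs = p_bukrs.""",
    "ZFI_ITEMS_COMMENTED": """REPORT zfi_items_commented.
* AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '03'.
SELECT * FROM bsis INTO TABLE lt_items WHERE bukrs = p_bukrs.""",
    "ZFI_ITEMS_IGNORED": """REPORT zfi_items_ignored.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '03'. "TODO: test sy-subrc
SELECT * FROM bsis INTO TABLE lt_items WHERE bukrs = p_bukrs.""",
}

def statements(src):
    """Drop ABAP comments, then split on statement-ending periods (heuristic)."""
    code = "\n".join(l.split('"', 1)[0] for l in src.splitlines() if not l.startswith("*"))
    return [" ".join(s.split()).upper() for s in re.split(r"\.(?=\s|$)", code) if s.strip()]

def review(src):
    """Return QA findings for one custom program; an empty list means it passes."""
    stmts = statements(src)
    checks = [i for i, s in enumerate(stmts) if s.startswith("AUTHORITY-CHECK")]
    findings = [] if checks else ["no active AUTHORITY-CHECK statement"]
    for i in checks:
        # The check only enforces anything if its return code is tested straight away.
        follow = stmts[i + 1] if i + 1 < len(stmts) else ""
        if "SY-SUBRC" not in follow:
            obj = re.search(r"OBJECT '(\w+)'", stmts[i])
            findings.append("result of check on %s is not evaluated" % (obj.group(1) if obj else "?"))
    reads = [i for i, s in enumerate(stmts) if s.startswith("SELECT")]
    if checks and reads and reads[0] < checks[0]:
        findings.append("data is read before the first AUTHORITY-CHECK")
    return findings

def report(samples):
    """Map each program name to its list of findings."""
    return {name: review(src) for name, src in samples.items()}

if __name__ == "__main__":
    for name, findings in report(SAMPLES).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

A pass here only shows that a check exists and its result is tested; whether it is the right object and field for the control objective still needs the positive and negative testing at sign-off.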
Copyright © 2007 - 2008 www.jt77.com