Author: Frank Buchholz

Show overview about security policies (SECPOL)

Introduction

A security policy is a collection of security policy attributes and their values. This replaces defining the behavior through profile parameters: once a security policy is assigned to a user master record, the policy determines the desired behavior. The profile parameters are relevant only for user master records to which no security policy has been assigned.

You can view the current settings of each security policy individually in transaction SECPOL.

However, there is no tool available which shows the effective settings of all policies in comparison with the current settings of profile parameters. You can use the custom report ZSHOW_SECPOL for this purpose.

Report ZSHOW_SECPOL

You can get this report from GitHub: https://github.com/SAP-samples/security-services-tools

You can either copy and paste the source code or use abapGit to load the whole package.

Selection screen

The report allows you to select up to 20 security policies. (This artificial limitation is based on the layout of the result screen.)

Result

The result shows the following columns:

  • Attribute type
  • Attribute name
  • Default attribute value (this value is used if a policy does not define a specific value)
  • For each selected policy: Policy attribute value (the specific values are marked in yellow)
  • Description
  • Corresponding profile parameter
  • Current profile parameter value (values which differ from the default values are marked in red)
  • Kernel default value of profile parameter (this value is identical to the policy default value)

In addition, you get a line showing the count of assigned users per policy.

[Screenshot: Report ZSHOW_SECPOL]
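As an added example (not part of the ZSHOW_SECPOL report or the original article), the following Python code applies the rules stated above to constructed sample data: which value is effective for a user, and how the rows of the overview are built. The policy names, user names and all values are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data, not taken from a real system; all values are assumptions.
ATTRIBUTES = {  # attribute name: (default attribute value, profile parameter)
    "MIN_PASSWORD_LENGTH": ("6", "login/min_password_lng"),
    "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": ("5", "login/fails_to_user_lock"),
}
POLICIES = {  # policy name: only the attribute values it defines specifically
    "ZADMIN": {"MIN_PASSWORD_LENGTH": "14"},
    "ZSERVICE": {"MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": "3"},
}
PROFILE = {"login/min_password_lng": "8"}  # current profile parameter values
USERS = {"ALICE": "ZADMIN", "BATCH01": "ZSERVICE", "BOB": "", "CAROL": ""}


def effective_value(user, attribute):
    """Return (value, source) of the setting that applies to this user."""
    default, parameter = ATTRIBUTES[attribute]
    policy = USERS[user]
    if not policy:
        # No policy assigned: the profile parameter is relevant.
        return PROFILE.get(parameter, default), "profile parameter"
    specific = POLICIES[policy]
    if attribute in specific:
        return specific[attribute], "policy value"
    # Policy is silent on this attribute: its default applies, not the parameter.
    return default, "policy default"


def overview():
    """Build one row per attribute, mirroring the columns listed above."""
    rows = []
    for attribute, (default, parameter) in ATTRIBUTES.items():
        current = PROFILE.get(parameter, default)
        rows.append({
            "attribute": attribute,
            "default": default,
            "policies": {p: v.get(attribute, default) for p, v in POLICIES.items()},
            "specific": sorted(p for p, v in POLICIES.items() if attribute in v),
            "parameter": parameter,
            "current": current,
            "differs": current != default,  # the "red" marker
        })
    return rows


def users_per_policy():
    return Counter(policy for policy in USERS.values() if policy)
```

In this sample, BATCH01 ends up with a shorter minimum password length than BOB: its policy does not define the attribute, so the default attribute value applies instead of the stricter profile parameter value.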

Navigation

You can navigate to the definition of a security policy by double-clicking the corresponding column.

Limitation: If you navigate from the report to the definition of a security policy, you can view and maintain this policy but you cannot create new ones. Use transaction SECPOL instead to create new security policies.

You can navigate to transaction RZ11 for a profile parameter by double-clicking the corresponding columns.



      3 Comments
      Carsten Olt

      Great blog and report, many thanks Frank 🙂

      Julia Bayrhammer

      Thank you very much for this report, Frank Buchholz!

      And complementary to your information that the report allows selecting up to 20 security policies - on an S4H system there are 23 security policies 🙂

      Christian Rinner

      Hi Frank,

      thanks for the info.

      We need information for the DSAG Prüfleitfaden to the following attributes and couldn't find any additional info:

      SESSION_MEMORY_LIMIT_EXEMPTION 
      LOGON_CATEGORY 
      TENANT_RUNLEVEL_LOGON_PRIVILEG 

      Do you have an extended description for them?

      Best Regards

      Christian & Ralf Köhler