SAP Security Level 1
SAP Security Level 1
SAP Security Level 1
Table of Contents
BASIC TERMINOLOGIES
USER SETTINGS
ROLE MAINTENANCE – BASICS
ROLE MAINTENANCE – ADVANCE TOPICS
PROFILE PARAMETERS, SPECIAL USERS AND CRITICAL
AUTHORIZATIONS
CONTROLLING USER AND ROLE ADMINISTRATION
TROUBLESHOOTING AND ADMINISTRATION AIDS
TRANSPORTING AUTHORIZATION COMPONENTS
CONFIGURING ROLE MAINTENANCE TOOLS
PFCG INSTALLATION AND UPGRADE
ORGANIZATIONAL MANAGEMENT
SECURITY IN PROJECTS
Lesson 1
BASIC TERMINOLOGIES
Introduction to SAP Security
Authentication
Only legitimate users should be able to access the system
Authorization
Users should only be able to perform their designated tasks
Integrity
Data integrity needs to be granted at all time
Privacy
Protection of data against unauthorized access
Obligation
Ensuring liability and legal obligation towards stakeholders and shareholders including validation
Security measures at different levels of the system architecture
Basic Terminologies
Values
Values
Fields Values
ACTVT
ICF_VALUE
RFCDEST
RFCTYPE
ABAP Program Authorization Checks (authority-check Statement)
• •Authorization
Authorization checks
checks inin authority-check object 'S_TABU_DIS'"check by
authority-check
class object 'S_TABU_DIS'"check by
programs
programs are
are performed
performed class id 'ACTVT' field act_level
using
using thethe ABAP
ABAP command
command id 'ACTVT'
id
id 'DICBERCLS'
'DICBERCLS'
field act_level
field
field w_tddat-cclass.
w_tddat-cclass.
if sy-subrc <> 0. "not allowed
authority-check.
authority-check. if sy-subrc
if act_level<> 0.= '02'. "not allowed
if act_level = '02'. object 'S_TABU_DIS'
authority-check
• •For
Forexample
example if if
aa user
user tries
tries authority-check
"check by class object 'S_TABU_DIS'
"check by id class
toto
edit
edit aa table
table inin SM30
SM30 thethe
'ACTVT'
id 'ACTVT'
id 'DICBERCLS' '03'
field
field '03'
field w_tddat-cclass.
system
system first checks
first checks if if
the
the idif 'DICBERCLS'
sy-subrc = 0. field w_tddat-cclass.
if sy-subrc = 0.
act_level = '03'.
users
users hashas the
the relevant
relevant act_level
p_action= '03'.
= 'S'.
authorization
authorization forforthe
the object
object
p_action
message
message
allowed
= 'S'.
w114(tb).
w114(tb).
"only show
"only show
S_TABU_DIS,
S_TABU_DIS, actvt
actvt : 02
: 02 and
and allowed else.
else.message e115(tb). "no upd auth
dibercls
dibercls (authorization
(authorization message
endif. e115(tb). "no updfrom
"sy-subrc auth2nd
group
group inintable
table TDDAT).
TDDAT). If If endif.
auth_check
auth_check
"sy-subrc from 2nd
else. "act_level <> 02
this
thischeck
check fails
fails thethesystem
system else.MESSAGE e116(tb). "act_level <> "no02show
MESSAGE e116(tb). "no show
would
would check
check if if
thetheuser
user hashas
auth
auth endif.
display
display authorization
authorization forfor endif.
endif.
endif.
the
thetable.
table.
Lesson 2
USER SETTINGS
User Settings
User P200USER
User P200USER
Last Changed 24.08.2011
Last Changed 24.08.2011
Address Logon Data Defaults Parameters
Address Logon Data Defaults Parameters
User Master Record
User P200USER
User P200USER
Last Changed 24.08.2011
Last Changed 24.08.2011
Roles Profiles Personalization License Data
Roles Profiles Personalization License Data
User Type
System Users
•
System users (called CPIC users in older releases) are required for the
• System users (called CPIC users in older releases) are required for the
internal communication of the systems. To increase the security of your
internal communication of the systems. To increase the security of your
system landscape, when you are creating system users, assign only
system landscape, when you are creating system users, assign only
greatly restricted authorizations, combined in special roles to the system
greatly restricted authorizations, combined in special roles to the system
users.
users.
• In principle, one user ID (such as SAPCPIC) would be sufficient, and you
• In principle, one user ID (such as SAPCPIC) would be sufficient, and you
could use it for all system users. However, with this situation, it would be
could use it for all system users. However, with this situation, it would be
practically impossible to change the password of the system users, or
practically impossible to change the password of the system users, or
simply to keep it secret, as there can be multiple utilizing RFC destinations.
simply to keep it secret, as there can be multiple utilizing RFC destinations.
• So that you must only change the password of the relevant system user in
• So that you must only change the password of the relevant system user in
one place when you are changing the password later, use a separate
one place when you are changing the password later, use a separate
system user for each RFC destination. This means that there are as many
system user for each RFC destination. This means that there are as many
system users in your system landscape as there are RFC destinations.
system users in your system landscape as there are RFC destinations.
• No license fees apply to these system users.
• No license fees apply to these system users.
Additional Features
• Transaction PFCG
Role
• Roles are authorization containers that represent a specific part of an employee’s job. The role itself is
composed of different functions of the employee, which again is the sum of certain tasks inside these
functions.
• Example: The job of a user is Head of the purchase dept. In his job he has different roles, such as being
a buyer. One of the functions of the buyer is to create purchase orders.
– Job: Head of the purchase dept.
– Role: Buyer
– Function: Create Purchase Order (Referred to as a Transaction in SAP).
• A user may have more than one role. The above user may also be responsible for maintaining the master
data relevant for purchasing.
• He may also be responsible for vendor evaluation and rating.
• With roles you can implement menus which the users can work with after logging on to the system.
• If integrated with organizational management, roles can be assigned to jobs, positions and organizational
units.
SAP_CO_PC_JOB_SALESORDER
Role SAP_CO_PC_JOB_SALESORDER
Role Documentation
Role Display Sales Orders
Role Documentation
Description Display Sales Orders
Description
Description Menu Authorizations User
Description Menu Authorizations User
Role Maintenance - Views
Settings
Settings
View
ViewSimple maintenance (Workplace menu maintenance)
Simple
Basicmaintenance
maintenance(Workplace menu maintenance)
(menus, profiles, other objects)
Basic maintenance
Complete (menus, profiles,
view (Organizational other objects)
Management and workflow)
Goto Utilities(M) Environment Complete
SystemviewHelp
(Organizational Management and workflow)
Goto Utilities(M) Environment System Help
Settings
Settings
Transactions in Roles Shift + F9
Transactions in Roles Shift + F9
Reports assignment in Roles
• If they are to be used in a role Transaction Code for Reports
Transaction Code for Reports
reports should always have a Report type
transaction code ReportABAP
type Report
ABAP
SAPReport
Query
• The transaction code can be SAP Query
Transaction with Variant
automatically generated by the Transaction
BW Report Variant
with
BW Report
system or specified by the ABAP Report
ABAP Report
administrator
• If you assign a new transaction code Report RSUSR402
RSUSR402
Report
although a transaction code has Variant
Variant
already been created for this report Skip selection screen
Skip selection screen
(for example, for another role), the
system displays a message that GUI Support
GUI Support
informs you about the situation and If SAPGUI for Windows
necessary, you can choose between SAPGUI for Windows
SAPGUI for Java
the new and the old T codes. SAPGUI for Java
SAPGUI for HTML
SAPGUI for HTML
Create Transaction Code
Create Transaction Code Generate Automatically
A transaction code already exists for the report entered Generate Automatically
A transaction code already Transaction Code ZTESTREP
Do you want to adopt theexists for the report
old transaction entered
code?
Transaction Code ZTESTREP
Do you want to adopt the old transaction code?
Transfer Recreate Cancel
Transfer Recreate Cancel
Designing and Structuring the Role Menu
• Add/delete Transactions and Reports
• Copy Menus from other roles
• BW reports and Queries can also be added using the report button
• Web links and Document links can be added using the other button.
• Create/Delete , Rename Folders and Create hierarchies.
• You can distribute the role to a target system using RFC.
Description Menu Authorizations User MiniApps
Description Menu Authorizations User MiniApps
Transaction Report Other Delete
Transaction Report Other Delete
Authorization Default
Authorization Default
Role Menu Target System
Role Menu Target System
User Maintenance Dest. CT1CLNT010
UserMaintenance
BP - Maintain Business Partner Dest. CT1CLNT010
PFCG
Distribute
BP - Role
- Maintain Maintenance
Business Partner
SU01
Distribute
PFCG – User
- Role Maintenance
Maintenance
SA38
SU01 – ABAP
– User Reporting
Maintenance
SE16
SA38 – Data
– ABAP Browser
Reporting Copy Menus
SM30
SE16 – Call
– Data View Maintenance
Browser Copy Menus
SM30 – Call View Maintenance From SAP Menu
From SAP Menu
From Other Role
From Other Role
From Area Menu
From Area Menu
Import from file
Import from file
Maintain Authorizations
• PFCG automatically proposes the authorizations with default values in some
cases based on the transactions added in the role menu.
• The authorization objects display Yellow or Green Traffic Lights based on whether
the authorization data has been maintained completely or partially.
• The authorization objects for Organizational values are displayed in Red traffic
lights instead of Yellow if not maintained with values.
Change role: Authorizations
Change role: Authorizations
Selection Criteria Manually Open Changed Maintained Org. Levels
Selection Criteria Manually Open Changed Maintained Org. Levels
Note : AGR_PROF only lists the main profile but does not list the automatically generated profiles in the role.
User Assignment
• User tab page in PFCG is used to assign the roles Utilities System
to the users. Utilities System
Info object
• The validity dates can be set to a limited period of InfoCustomizing
object auth
time if required. Customizing
Settings auth
• User master comparison is done to fill up the Settings
Display Changes
authorization buffer tables (USRBF2) and also to Display Changes
make to the time dependant authorizations effective. Optimize User Assignment
Settings:User
Optimize RoleAssignment
maintenance
• There are three ways of performing a user master Settings: Role maintenance
comparison: Automatic User Master Adjustment when Saving Role
– For an individual role on the users tab. Automatic User Master Adjustment when Saving Role
Menu: Do Not Insert Existing Entries. Standard: No
– You can do it in mass for a large number of roles
Menu: Do Not Insert Existing Entries. Standard: No
using transaction PFUD
– You can schedule a background job to run every
day during the non-working hours for the program
pfcg_time_dependency
Description Menu Authorizations User MiniApps
Description Menu Authorizations User MiniApps
Organizational Mgmt. User Comparison
Organizational Mgmt. User Comparison
User Assignments
User Assignments
User ID User Name From To In
User ID
TCRUSE User Name
Tom Cruise From
21.10.2010 To 22.05.2012 In
TCRUSE
NKDMAN Tom Cruise
Nicole Kidman 21.10.2010
21.02.2011 22.05.2012
31.12.9999 C
NKDMAN Nicole Kidman 21.02.2011 31.12.9999 C
Lesson 4
• One of the important challenges for an security consultant is to design the roles to map
the organizational requirements.
• A wrong decision in designing the roles may lead to huge efforts during maintenance
mode, longer cycle times in decision making and realization of role changes leading to
frustration amongst the user community.
• There are a variety of options and flexibility offered in PFCG for designing the roles.
• Composite, Derived, Customizing and Reference Roles are advanced role types which
could meet the challenging design requirements.
Customizing Roles
• When building roles for the project team and especially for the
functional consultants it possible to restrict their access to the
specific project views of the IMG project.
• Customizing roles can be built in PFCG by inserting
customizing authorization from Utilities > Customizing Auth.
Utilities System Customizing Authorizations
Utilities System Customizing Authorizations
Info object
InfoCustomizing
object Status: You have not assigned any Customizing objects
auth Status: You have not assigned any Customizing objects
Customizing
Settings auth
Settings
Display Changes Add
Display Changes
Optimize User Assignment Add
Optimize User Assignment
Description Menu Au Insert Customizing Activities Select IMG Project
Description Menu Au Insert Customizing Activities Select IMG Project
IMG project Project Title
Transaction Report IMG project Project
STEEL Title
Steel IMG
Transaction Report IMG project view STEEL Steel IMGIMG
Authorization Default IMG project view TEST TEST
Authorization Default TEST TEST IMG
Role Menu
Role Menu
Composite Roles
Composite roles are just role containers, they do not have any authorizations of their
own
Composite Roles and User Assignments
Limitations of a composite role
Role ZDB_AIO_AP_CLERK
Role ZDB_AIO_AP_CLERK
Description Dubai Accounts Payable Clerk
Description Dubai Accounts Payable Clerk
Description Authorizations
Description Menu Authorizations Description Authorizations
Menu Description Menu Authorizations
Role Menu Menu
Role Menu
User Maintenance Transaction Inheritance
UserMaintenance Transaction Inheritance
BP - Maintain Business Partner Derive from Role Z00_AIO_AP_CLERK
PFCG
BP - Role
- Maintain Maintenance
Business Partner
PFCG - Role Maintenance AP Clerk Global
Delete Inheritance Relationship
Delete Inheritance Relationship
Implementing Organization Field Values Directly
(SAP Note 314513)
• Authorization data of Information
Information
organizational levels is usually Individual maintenance of an organizational field using the "Maintain
maintained in the Profile Individual maintenance
Field Values" of an
dialog box organizational
makes fieldchange
the following using the
for"Maintain
this field in
Generator in the "Define Field
thisValues" dialog box makes the following change for this field in
authorization:
this authorization:
organizational levels" dialog box.
o Value maintenance using the dialog box "Define Organizational
However, you can also maintain o Value maintenance
Levels" no longer using
changesthe the
dialog box "Define Organizational
value.
individual organizational level Levels" no longer changes the value.
fields in each authorization via the o When adjusting derived roles, the authorization value is overwritten
o When adjusting derived roles, the authorization value is overwritten
"Implement field values" dialog
You can reset the new status of the organizational field in this
box. If you do so, the Youauthorization
can reset thebynew statusthe
deleting of field
the organizational
content using field in thisicon next
the delete
organizational levels, however, authorization
to the field by deleting the field content using the delete icon next
name.
lose their special status and are to the field name.
then treated as normal
authorization fields with the Do you want to maintain the organizational level field individually?
Do you want to maintain the organizational level field individually?
following practical consequences:
- The maintenance via the "Define organizational levels" dialog box no longer changes the
authorization values.
- As of Release 4.6B: When adjusting the authorization data of derived roles, the system
overwrites the authorization values in the derived roles.
PFCG: Traffic Lights
• Traffic lights help in giving an overview of the of the current maintenance status of the
authorizations.
– Green : All fields have been filled with values
– Yellow : At least one field which is not an organizational level field for which data has not been
proposed or maintained
– Red : At least one field which is an organizational level field for which data has not been proposed
or maintained
• If several authorizations exist for one authorization object, the Profile Generator checks
• If several
whetherauthorizations
the status andexist for one
content authorization
of the combination object,
allow the
twoProfile
or moreGenerator checksto be
authorizations
whether
merged.theAutomatic
status andcompression
content of the combination
allows allow two
optimal display or more
of the authorizations
authorization list, andto be
merged.
preventsAutomatic compression
unnecessary data from allows
beingoptimal
saved display of the
in the role andauthorization
the generatedlist,profile.
and
prevents unnecessary data from being saved in the role and the generated profile.
• Automatic combining during the merge process is only possible on authorizations with the
• Automatic combiningand
status "Standard" during the merge process is only possible on authorizations with the
"Maintained".
status "Standard" and "Maintained".
• Changed and manual authorizations can be merged if they share an identical active status.
• Changed and manual authorizations can be merged if they share an identical active status.
• If this pre-requisite is fulfilled then two authorizations can be combined in the following
• If this pre-requisite is fulfilled then two authorizations can be combined in the following
cases:
cases: • For all fields, one authorization is contained in the other.
•
• ForThe
all fields, one authorization is contained in the other.
values of both authorizations differ in exactly one field, and are otherwise identical.
• The values of both authorizations differ in exactly one field, and are otherwise identical.
• SAP* is defined in the SAP system code and does not require a user master record.
• SAP* is defined
• It has in the access
got unlimited SAP system
to thecode
system andand
doesthenot require
default a user master
password is pass.record.
• It• has got installation
During unlimited access to the
the user system
master recordandforthe default
SAP* password
is created is pass.
in client 000 and 001 with initial password
• During
as 06071992, The installation can proceed only after the admin has resetand
installation the user master record for SAP* is created in client 000 the001 with initial
password password
for the user.
as 06071992, The installation can proceed only after the admin has reset the password
• This master record created in the system for SAP* deactivates the special authorizations for the user andfor the user.
• Thisnowmaster record
only the created
assigned in the systemtofor
authorizations theSAP*
userdeactivates
would apply.the special authorizations for the user and
now
• Creation of user master record for SAP* is one way ofapply.
only the assigned authorizations to the user would preventing unauthorized access with the user.
• Creation
• If you delete the user master record for SAP*, then the standardunauthorized
of user master record for SAP* is one way of preventing user definedaccess withcode
in system the user.
becomes
• If you delete
active withthe userpassword
default master record for SAP*, then the standard user defined in system code becomes
“PASS”.
active with
– The default
user now haspassword
complete“PASS”.
authorization.
– The user
– The now haspassword
standard complete“PASS”
authorization.
cannot be changed.
– The standard password “PASS” cannot be changed.
Special Users : DDIC and EarlyWatch
Special Authorization Objects
• S_TABU_DIS controls which tables the user can display or maintain in table
• S_TABU_DIS controls which tables the user can display or maintain in table
maintenance transactions SM30, SM31 or Data Browser SE16. Tables are assigned
maintenance transactions
to authorization SM30, SM31 Tables
groups (DIBERCLS). or DatatoBrowser SE16. Tables
group assignments are
are assigned
defined in
to table
authorization
TDDAT. groups (DIBERCLS). Tables to group assignments are defined in
table TDDAT.
• Tables which are not assigned to any authorization groups are by default assigned
• Tables which are not assigned to any authorization groups are by default assigned
the dummy authorization group &NC&
the dummy authorization group &NC&
• The assignment of this authorization group (&NC&) is not useful with regard to a
• The assignment of this authorization group (&NC&) is not useful with regard to a
conclusive authorization concept and should be avoided.
conclusive authorization concept and should be avoided.
• You can use transaction SE54 to create customer-specific table authorization
• You can use transaction SE54 to create customer-specific table authorization
groups and assign both customer-specific and standard SAP tables.
groups and assign both customer-specific and standard SAP tables.
• If your table maintenance authorization is based on S_TABU_DIS only then In the
• If your table maintenance authorization is based on S_TABU_DIS only then In the
productive environment, the generic table access tools (SE16N, SE16, SE17,
productive environment,
SM30, SM31, and SM34)the must
genericbe table
treated access tools (SE16N,
as particularly SE16, SE17,
security-relevant
SM30, SM31, and
transactions. ForSM34) must
detailed be treated
access to tables as with
particularly
genericsecurity-relevant
maintenance tools, use
transactions. For detailed access to tables with generic maintenance
parameter transactions that specify both the view or table to be maintained tools, useand the
parameter
permitted activity, and that skip the initial screen of the transaction. If these the
transactions that specify both the view or table to be maintained and
permitted activity,
transactions andyet
do not thatexist
skipfor
thethe
initial screen
relevant of the transaction.
purpose, If these
you can create them in the
transactions do not yet exist
customer or partner namespace.for the relevant purpose, you can create them in the
customer or partner namespace.
S_TABU_NAM (Granular Table Maintenance Authorization)
• S_TABU_NAM is not generally available in SAP ERP Package, it can be defined and
• S_TABU_NAM
activated afterisapplying
not generally available
relevant SAP notes in SAP ERP Package, it can be defined and
(1481950).
activated after applying relevant SAP notes (1481950).
• With this object, the system checks the view names or table names directly so that an
• With thisauthorization
exact object, the system
check checks the view
is possible. In thenames
module or VIEW_AUTHORITY_CHECK,
table names directly so that anthe
exact authorization
system check is possible.
checks S_TABU_NAM only ifInthe
theauthorization
module VIEW_AUTHORITY_CHECK,
check on S_TABU_DIS was the
system checks S_TABU_NAM only if the authorization check on S_TABU_DIS was
unsuccessful.
unsuccessful.
• This procedure enables both the retention of the previous table access concept and the
• This procedureuse
superposed enables both
of both the retention
authorization of the previous table access concept and the
objects.
superposed use of both authorization objects.
• If you use authorization objects S_TABU_DIS and S_TABU_NAM in parallel, the
• If you use authorization
advantages objects S_TABU_DIS
of a group-based authorization check and S_TABU_NAM
can be combinedin parallel,
with thethe
possibility
advantages of a group-based authorization
of a very finely granulated authorization assignment. check can be combined with the possibility
of a very finely granulated authorization assignment.
• Users with a large scope of functions for a department can be authorized as far as
• Users with using
possible a largeS_TABU_DIS,
scope of functions for very
but only a department
extensivecan beauthorization
table authorized asgroups
far as or
possible usingsensitive
particularly S_TABU_DIS,
areas arebut assigned
only very in extensive table authorization
a table-specific manner usinggroups or
the object
particularly
S_TABU_NAM. sensitive areas are assigned in a table-specific manner using the object
S_TABU_NAM.
• Advantage here is that particularly extensive or critical authorization groups do not have
• Advantage here istothat
to be assigned particularly
users. extensive
In principle, or critical
authorization authorization
groups groups
with tables that do
arenot have
classified
to as
be critical
assigned to users.
should not beInassigned.
principle, authorization groups with tables that are classified
as critical should not be assigned.
S_TABU_CLI (Cross-Client Table Maintenance)
• •Authorization
Authorizationobject
objectS_TABU_CLI:
S_TABU_CLI:Grants Grants
authorizationtotomaintain
authorization maintaincross-client
cross-clienttablestableswith
withthe
the
standardtable
standard tablemaintenance
maintenancetransaction
transaction(SM31),(SM31),
extendedtable
extended tablemaintenance
maintenancetransaction
transaction(SM30),(SM30),andand
thetheData
DataBrowser
Browser(SE16),
(SE16),and andalso alsoininthe
theCustomizing
Customizing
system.
system.
• •It Italso
alsoacts
actsasasananadditional
additionalsecurity
securitymeasure
measurefor for
cross-client tables and enhances the
cross-client tables and enhances the general table general table
maintenanceauthorization
maintenance authorizationS_TABU_DIS.
S_TABU_DIS.
• •CLIIDMAINT:
CLIIDMAINT:If Ifidentifier
identifierXXoror* *isisset,
set,cross-client
cross-client
tablescan
tables canbebemaintained.
maintained.
S_TABU_LIN (Field Level Authorization Restrictions)
Organizational Crit. ZCOMPANY
Organizational Crit. ZCOMPANY
Org. Crit. name Company Code
Org. Crit. name Company Code
Attribute COMPANY
Attribute COMPANY
Name Company Code
Name Company Code
View/table ZORGTABLE
View/table ZORGTABLE
Table Fields
Table
Field Fields
Name COMPANY
Field Name COMPANY
Domain ZCOMPANY
Domain ZCOMPANY
• Programs like tables are protected against unauthorized access using authorization
groups.
• Authorization group is stored in program attributes.
• Program authorization groups can be maintained using report RSCSAUTH
• The following activities are controlled:
– SUBMIT : To start a program execution
– BTCSUBMIT : Schedule a program as a background job.
– VARIANT : To create and execute a program as a variant.
Lesson 6
• You can try to find alternative solutions like existing roles S_BCE_68001405 Profiles by Authorization Name
S_BCE_68001406 Profiles by Values
with the required authorizations which can be assigned to
S_BCE_68001407 Profiles by Changes
the user without granting too much extra access. S_BCE_68001408 Profiles by Roles
• There are several useful reports from the user information S_BCE_68001409 Profiles According to Complex Crit.
system available which aid in deriving these solutions. S_BCE_68001410 Auth. Objects According to Complex
S_BCE_68001411 Auth. Objects According to Complex
• These reports help an administrator to gain an overview of
S_BCE_68001412 Auth. Objects According to Complex
the users in the system and many other related facts. S_BCE_68001413 Auth. Objects According to Complex
• The transactions listed in the screenshot on the left can be S_BCE_68001414 Auth. According to Complex Criteria
called as executable reports starting with RSUSR* which S_BCE_68001415 Authorizations by Values
can be called from SA38. S_BCE_68001416 Authorizations by Changes
S_BCE_68001417 Auth. According to Complex Criteria
• A complete list of these useful transactions can be found
S_BCE_68001418 Roles by Role Name
in the user information system SUIM which is one place S_BCE_68001419 Roles by User Assignment
from which you can branch and jump to individual reports. S_BCE_68001420 Roles by Transaction Assignment
S_BCE_68001421 Roles by Profile Assignment
S_BCE_68001422 Roles by Authorization Object
S_BCE_68001423 Roles by Authorization Values
S_BCE_68001424 Roles by Change Data
S_BCE_68001425 Roles by Complex Criteria
System Audit Information
• As of release 4.6C there is a
special role concept used for
SAP System auditing which was
previously done using AIS (Audit
Information System) transaction
SECR.
• Roles:
– SAP_AUDITOR (AIS - Audit
Information System)
– SAP_AUDITOR_TAX (AIS - Tax Audit)
• With the role concept the flow
and quality of the checks has
improved considerably.
Lesson 8
TRANSPORTING AUTHORIZATION
COMPONENTS
Transporting Authorization Components
Transporting Roles
Upload/Download Roles
• In addition to use transaction SU24 to display default field values, you can also use
it to reduce authorization checks at runtime.
• This has the effect of not performing an authorization check on a specific
authorization object.
• You should be careful when deciding which authorization checks to suppress. By
suppressing authorization checks, you allow users to perform tasks for which they
are not explicitly allowed.
• For an authorization check to be executed, it must be included in the source code
of a transaction and must not be explicitly exempt from the check.
• You can suppress authorization checks without changing the program code, as
check indicators control authorization checks.
Reducing Scope of Authorization Checks
• The authorization check indicator
defines whether or not the
authorization check for this object
is performed during the execution
of the transaction. Possible values
are "Check" and "Do Not Check“
• From an auditor's perspective, if
you find an authorization check has
been disabled, just ensure that
disabling meets with the company
policy.
Auth/no_check_in_some_cases
Auth/no_check_in_some_cases
Short description Activation of the Profile Generator
Short description Activation of the Profile Generator
Appl. area Authentication
Appl. area Authentication
Y
Default value Y
Default
Profilevalue
value Y
Profile value Y
Current value Y
Current value Y
Tables USOBX_C and USOBT_C
• When the administrator adds a transaction to a role the profile generator selects and
• When the administrator
proposes adds objects
the authorization a transaction
that areto checked
a role theand profile generator
maintained in selects
profile and
proposes
generator theforauthorization objects that are checked and maintained in profile
this transaction.
generator for this transaction.
• Tables USOBX_C and USOBT_C control the behavior of the Profile Generator after
• Tables USOBX_Chas
the transaction andbeen
USOBT_Cselected. control
Afterthe
a newbehavior of the Profile
installation, Generator
these tables after and
are empty
themust
transaction
be filledhas withbeen
valuesselected.
before the AfterProfile
a newGenerator
installation, thesefor
is used tables are time.
the first empty and
must be filled with values before the Profile Generator is used for the first time.
• SAP delivers the tables USOBX and USOBT. These tables are filled with default values
• SAPanddelivers
are used thefor
tables USOBX
the initial fill ofand
theUSOBT.
customer These
tablestables are filled
USOBX_C andwith default values
USOBT_C. After
and are used for the initial fill of the customer tables USOBX_C and
the initial fill, you can modify the customer tables, and therefore the behavior of the USOBT_C. After
theProfile
initial Generator,
fill, you canifmodify
required. the customer tables, and therefore the behavior of the
Profile Generator, if required.
• Table USOBX defines which authorization checks are to be performed within a
• Table USOBXand
transaction defines
which which
are not authorization checks are to
(despite programmed be performed command).This
authority-check within a
transaction
table alsoand which are
determines not (despite
which programmed
authorization checks are authority-check
maintained incommand).This
the Profile
table also
Generator. determines which authorization checks are maintained in the Profile
Generator.
• Table USOBT defines for each transaction and for each authorization object which
• Table USOBT
default values defines for each transaction
an authorization and the
created from for each authorization
authorization objectobject
shouldwhich
have in
default valuesGenerator.
the Profile an authorization created from the authorization object should have in
the Profile Generator.
Tables USOBX_C and USOBT_C
ME21N TR M_BANF_EKO SAP 30.08.2010 13:00:00 X
ME21N TR M_BANF_WRK SAP 30.08.2010 13:00:00 X
USOBX_C
ME21N
ME21N
TR
TR
M_BEST_BSA
M_BEST_EKG
SAP
SAP
30.08.2010 13:00:00
30.08.2010 13:00:00
Y
Y
USOBX_C
ME21N TR M_BEST_EKO SAP 30.08.2010 13:00:00 Y
ME21N TR M_BEST_WRK SAP 30.08.2010 13:00:00 Y
ME21N TR M_EINF_EKO SAP Checkfl Short
30.08.2010 13:00:00 Description
X
Checkfl Short Description
ME21N TR M_EINF_FRG DDIC 01.02.2011 15:03:00 X
ME21N TR M_INFO_MCD SAP N No
30.08.2010 13:00:00authorization
X check
N X NoAuthorization
authorization check
check takes place
ME21N TR M_IS_KENNZ SAP 30.08.2010 13:00:00 X
ME21N TR M_MATE_CHG SAP X U
30.08.2010 Authorization
13:00:00 X check takes place
Not maintained
U Y NotAuthorization
maintained check takes place, default values in
Y Authorization
USOBT Notcheck takes place, default values in
maintained
USOBT Not maintained
ME21N TR M_BEST_BSA ACTVT 01 SAP
ME21N TR M_BEST_BSA ACTVT 02 DDIC
ME21N TR M_BEST_BSA ACTVT 03 DDIC
ME21N TR M_BEST_BSA ACTVT 08 DDIC
ME21N TR M_BEST_BSA ACTVT 09 SAP
ME21N TR M_BEST_BSA BSART SAP
USOBT_C
ME21N
ME21N
TR
TR
M_BEST_EKG
M_BEST_EKG
ACTVT
ACTVT
01
02
SAP
DDIC
USOBT_C
ME21N TR M_BEST_EKG ACTVT 03 DDIC
ME21N TR M_BEST_EKG ACTVT 08 DDIC
ME21N TR M_BEST_EKG ACTVT 09 SAP
ME21N TR M_BEST_EKG EKGRP $EKGRP SAP
ME21N TR M_BEST_EKG ACTVT 01 SAP
SU24 – Check Indicators
• After the customer tables USOBX_C and USOBT_C have been filled, you can maintain
them to adjust the behavior of the Profile Generator and the authorization checks to be
performed for each transaction. The tables are maintained in transaction SU24.
• This transaction displays the check indicators of a transaction. Check indicators determine
if an authorization check will run within the transaction or not.
• •There
Thereare
arealways
alwaystwo
twopossibilities:
possibilities:
– –Source
Sourcerelease
releasedid
didnot
notuse
usePFCG
PFCG
• PG needs to be activated.
• PG needs to be activated.
– –Source
Sourcerelease
releaseused
usedPFCG
PFCG(>3.1G)
(>3.1G)
• USOBX_C and USOBT_C needs to be updated.
• USOBX_C and USOBT_C needs to be updated.
• Roles need to be updated.
• Roles need to be updated.
• •IfIfyou
youare
areusing
usingPG
PGfor
forthe
thefirst
firsttime:
time:
– –You
Youcan
canstart
startbuilding
buildingyour
yourroles
rolesusing
usingPG
PG
– –Convert
Convertthe
themanual
manualprofiles
profilesinto
intoroles
rolesusing
usingstep
step6 6
ofofSU25.
SU25.
Upgrade – Source release > 3.1G
Installing the Profile generator
Installing the Profile generator • The USOB* tables and the roles
1. Initially Fill the Customer Tables • The USOB* tables and the roles
1. Initially Fill the Customer Tables both need to be updated to the
Post-process the Settings After Upgrading to a Higher Release both need
latest to be updated to the
version.
Post-process the Settings After Upgrading to a Higher Release
2A.. Preparation: Compare with SAP values latest version.
2B.2A.. Preparation:
Compare Compare
Affected with SAP values
Transactions • Transaction SU25, steps 2A to
2B. Compare Affected Transactions • Transaction SU25, steps 2A to
2C. Roles to Be Checked
2D.
2D.2C. RolesChanged
Display to Be Checked
Transaction Codes 2D.–
2D. Display Changed Transaction Codes
Transport Conn. 2A: Executes the Profile Generator
Transport Conn.
– 2A:comparison
Executes the Profile Compares
program. Generator
3.. Transport the Customer Tables comparison program.
the new tables USOBX Compares
and
3.. Transport the Customer Tables
Adjust the Authorization Checks (Optional) theUSOBT
new tables USOBX
with USOBX_C andand
Adjust theindicator
Authorization Checks
SU24)(Optional) USOBT with USOBX_C and
4. Check (Transaction USOBT_C.
5. 4. Check indicator
Deactivate (Transaction
Authorization SU24)
Object Globally USOBT_C.
5. Deactivate Authorization Object Globally – 2B: Adds any new
Create Roles from Manually – Created Profiles – 2B:transactions/updates
Adds any new
Create to tables
6. CopyRoles from Manually
Profiles – Created Profiles
Data from Old transactions/updates
USOBX_C and USOBT_C. to tables
6. Copy Data from Old Profiles
USOBX_C and USOBT_C.
– 2C: Updates the existing roles and
– 2C: Updates
flags thewith
all roles existing
new roles and
flags all roles with
authorization new
objects.
authorization objects.
– 2D: Displays all roles for which
– 2D: Displays
there all roles transaction
are changed for which
there are changed transaction
codes.
codes.
Upgrade Profile : SAP_NEW
• The profile SAP_NEW is delivered with every
Profile SAP_NEW new release and contains authorizations for
Profile SAP_NEW
Texts in User Master Comp profile all new checks in existing transactions.
Texts in User Master Comp profile • The SAP_NEW profile guarantees backward
Text New authorization checks
Text New authorization checks compatibility of the authorizations if a new
Status Active
Active release or an update or authorization checks
Status
Changed by DDIC introduces checks for previously unprotected
Changed by DDIC functions.
• Composite profile to bridge the differences in
Consisting of Profiles releases in the case of new or changed
Consisting of Profiles
authorization checks for existing functions,
Profile Text
so that your users can continue to work as
SAP_NEW_21C Authorizations for new objects added Rel. 2.1C
SAP_NEW_21D Authorizations for New Objects Added Rel. 2.1D normal.
SAP_NEW_22A Authorizations for New Objects Added Rel. 2.2A • If there are a large number of roles to be
SAP_NEW_30A Authorizations for New Objects Rel. 3.0A modified due to an upgrade then you can buy
SAP_NEW_30B Authorizations for New Objects Rel. 3.0B
time to process these roles later by assigning
SAP_NEW_30C Authorizations for New Objects in Release 3.0C
SAP_NEW_30D Authorizations for new objects in Release 3.0D
users SAP_NEW on a temporary basis
SAP_NEW_30E Authorizations for New Objects in Release 3.0E provided it is allowed as per the
SAP_NEW_30F Authorizations for new objects in Release 3.0F organizations security policy.
SAP_NEW_31G Authorizations for New Objects in Release 3.1G • The SAP_NEW composite profile consists of
SAP_NEW_40A Authorizations for New Objects in Release 4.0A
single profiles for all old releases of SAP.
Lesson 11
ORGANIZATIONAL MANAGEMENT
Organizational Management
• Overtime people change positions, departments and collect
authorizations for their new areas of work. If the user administrator
forgets to remove the authorizations for the user’s older departments
or positions then the user keeps on receiving more authorizations.
Buyer Accounts Warehouse
Clerk Manager
Position based authorization management
• If the roles are now assigned to the objects of the organizational plan, such as positions, the
employees, who are indirectly assigned to these positions through the organizational plan,
can inherit the roles.
• Advantage: As soon as an employee changes position, he or she also loses the
corresponding authorizations (since these depend not on the user, but on the position).
• Create roles based on organizational objects, such as positions in your organization. For example: Sales
manager, accountant, and secretary.
• Assign the roles to your organizational plan. Users then inherit the authorizations (indirectly) in accordance
with their position in the organizational plan.
Accounts Warehouse
Buyer Clerk Manager
Organizational Plan
• An organizational plan represents a
functional organization and reporting
structures between positions in an
enterprise. Holder(s)
SECURITY IN PROJECTS
Implementation Methodology
• Every company or every project follows a
• Every company or methodology
implementation every project which
followscana be
implementation methodology
more or less divided in five which
distinctcan be
phases.
• more or less divided in five distinct phases.
Project Preparation: Forming the team and
• Project Preparation:
assembling Formingrequired
the resources the team forand
assembling the resources required for
project implementation.
• project implementation.
Blueprint: Determine the business
• Blueprint: Determine
requirements the business
and formulate a visual
requirements and formulate a visual
representation of the as-is business process
representation
to be mapped ofinthe as-is business process
SAP.
• to be mapped in SAP.
Realization: This is phase where the
• Realization: This is phaseare
business requirements where the
implemented in
business requirements are implemented
the system through configurations and in
thedevelopment.
system through configurations and
• development.
Final preparation: Testing of the interfaces
• Final
andpreparation:
modules, TrainingTestingofofthe
theusers,
interfaces
move
and modules,
changes Training of the
to production, Fine users,
tuning move
and soft
changes
configuration of the production systemsoft
to production, Fine tuning and etc.
• configuration of the production system etc.
Go-Live & Support: Release of system
• Go-Live
access&toSupport: Release of system
users, Enhancements and Bug-
access
Fixes.to users, Enhancements and Bug-
Fixes.
Authorization Project Methodology
Blueprint Phase
• The blueprint phase for the authorizations may start only after the business blueprint is
done.
• This is because the authorizations can be analyzed and conceptualized only after the
business processes are documented.
• The main steps during this phase are:
– Analyze the business process with the project team
– Determine the various job roles and activities to be included within the roles.
– Prepare a list of the roles for the business process and list the activities for each
role.
– Determine an ideal design for the job roles
– Determine an naming convention for the roles.
• The Process Master List is a document which forms a basis for this phase. It
documents all the activities that are performed during a business process. These
activities are mapped with SAP transactions in this list.
• This list should be ready and signed off to start working on the job roles.
• The authorizations team along with the business process owners would work on
grouping these activities to form the job roles.
Process Master and Authorizations List
System
Type
Primary Transaction Codes
Activity Group Process Group Activity (for
(mandatory for SAP activities)
Activities
only)
A-LM059_LXX LM Determine MB1B/MIGO SAP R/3
Putaway
Location
A-AP001_LXX AP Requisitione FK03 SAP R/3
r checks
SAP for
Vendor
Existence
A-AP002_LXX AP Request to N/A Manual
create/chan
ge Vendor
Master Data
A-AP003_LXX AP Purchasing N/A Manual
Complete
Vendor
Creation
Form for AP
A-AP004_LXX AP Terms of N/A Manual
Payment
request
A-AP010_LXX AP Maintain FK01, FK02, XK01, XK02 SAP R/3
Vendor
Master
Authorizations Concept in SAP
Role design approach
• Derived roles are only helpful initially for small roles (or individual tasks) which truly are exactly the same (except for the org
or other element of a common object). If you are planning some major acquisitions and diversity in your production locations
and sales organizations, then derived roles might be an option for a "Just One Company Code" system, but your business
areas and other org elements will be forced to some extent to have the same business processes or your roles will provide
too much access for the others when one of them wants something special. You will become inflexible and over time the
differences will destroy your concept very easily.
• One would want to create a common set of roles which contains the required org level authorizations for the various roles and
then create a second set of roles for the functions in the different business areas and add the differentiated org elements to
them. Make sure that the transaction you select actually also use these. What you have is a transactional role containing all
the transactions & auth objects. You then create a separate role with manually added auth objects that contain all the auth
objects that are relevant for restriction. You then disable those objects in the transactional role. This way you have 2 roles,
one providing transactional content & the other providing all your restrictions.
– One of the perceived benefits is that you only have 1 role containing restriction data and this can be applied to all users.
You then give them different transactional roles depending on what transactions they need etc.
– Downsides to this are:
Increased complexity: It can be a steep learning curve for a new administrator in the company.
Reduced security: Security is based on 2 levels, S_TCODE & object level. If you are creating a single value role (or
even a few of them) they are going to contain more auth objects than are needed for the respective transactional roles.
SOD analysis: It makes analysis and reporting at role level more complex.
Breaking SAP security setup: When you take this approach you may be breaking the link between PFCG and SU24.
• Also we have to decide whether we have one single role with all the transactions or break them up into smaller roles. They
have their Pros and Cons as mentioned below:
– It might be desirable for users to only have one role (in addition to a "common role for all users"). This way SoD
analysis can concentrate on analyzing authorizations within single role designs, without the added complexity of doing
role to role comparisons
– Smaller roles can be used across multiple functions thus limiting the total number of roles can have a dramatic impact
on the total maintenance effort. When designed the right way.
– A big role (per position) is avoiding redundancy of transactions in various smaller roles where they could easily have
different values on object level.
Naming Convention
• It is important to assign a unique identifier to the roles through a
• It is important to assign a unique identifier to the roles through a
flexible and standardized naming convention.
flexible and standardized naming convention.
• There are 30 characters available to define the role name.
• There are 30 characters available to define the role name.
• One of the best approaches to use the elements like region (e.g.
• One of the best approaches to use the elements like region (e.g.
US,GB,DE etc.), application module(e.g. FI,MM etc.) and business
US,GB,DE etc.), application module(e.g. FI,MM etc.) and business
process(e.g. FRAP, OPMA etc.) in the role names.
process(e.g. FRAP, OPMA etc.) in the role names.
• Role names should be flexible and extensible so that they do not lose
• Role names should be flexible and extensible so that they do not lose
their significance on addition or removal of transactions within them.
their significance on addition or removal of transactions within them.
• Naming conventions also help in segregating the role and user
• Naming conventions also help in segregating the role and user
administration tasks.
administration tasks.
• The role names are not language dependant and should not begin
• The role names are not language dependant and should not begin
with SAP.
with SAP.
• It is also important that you align the naming conventions with that of
• It is also important that you align the naming conventions with that of
the project.
the project.
Role Documents
• You have finalized upon the below criteria:
• You have finalized upon the below criteria:
• Number of job roles to be created
• Number of job roles to be created
• The transactions to be included in each job role
• The transactions to be included in each job role
• Design approach for the job roles
• Design approach for the job roles
• Naming convention for the job roles
• Naming convention for the job roles
• Now you can start to create job role documents to identify and describe each role
• Now
bothyou can startas
technically to well
create
as job role documents to identify and describe each role
functionally.
both technically as well as functionally.
• The document should cover the following aspects of the role:
• The document should cover the following aspects of the role:
• Role name and Description
• Role name and Description
• Transactions that are included in the role
• Transactions that are included in the role
• Business relevance of the role through a brief description of its functionality.
• Business relevance of the role through a brief description of its functionality.
• Critical authorizations included within the role
• Critical authorizations included within the role
• Organizational values and other restrictions within the role
• Organizational values and other restrictions within the role
• Role documents are very useful for the business process owners to understand the
• Role
job documents arebeing
roles that are very useful forto
built and the business
suggest anyprocess ownersif to
modifications understand
necessary the
before
jobthey
roles that
are are being built
implemented and
in the to suggest any modifications if necessary before
system.
they are implemented in the system.
• A formal sign off by the business owners and project managers on these documents
• A formal sign off by the business owners and project managers on these documents
is recommended.
is recommended.
Realization Phase
• Start building the job roles in the system as per the role
• Start building the job roles in the system as per the role
documents.
documents.
• Informal screening of the roles by the functional team is
• Informal screening of the roles by the functional team is
recommended during this phase to ensure that the
recommended during this phase to ensure that the
authorizations are being set as desired.
authorizations are being set as desired.
• Prepare test users per role/per module.
• Prepare test users per role/per module.
• Changes to the transactions within the role and addition /
• Changes to the transactions within the role and addition /
removal of job roles in the list is expected during this
removal of job roles in the list is expected during this
phase.
phase.
• Define the test scripts for testing the authorizations in the
• Define the test scripts for testing the authorizations in the
next phase.
next phase.
Final Preparation
Go-Live and Support