
SAP Security – Level 1

Table of Contents

BASIC TERMINOLOGIES
USER SETTINGS
ROLE MAINTENANCE – BASICS
ROLE MAINTENANCE – ADVANCED TOPICS
PROFILE PARAMETERS, SPECIAL USERS AND CRITICAL AUTHORIZATIONS
CONTROLLING USER AND ROLE ADMINISTRATION
TROUBLESHOOTING AND ADMINISTRATION AIDS
TRANSPORTING AUTHORIZATION COMPONENTS
CONFIGURING ROLE MAINTENANCE TOOLS
PFCG INSTALLATION AND UPGRADE
ORGANIZATIONAL MANAGEMENT
SECURITY IN PROJECTS
Lesson 1

BASIC TERMINOLOGIES
Introduction to SAP Security
Authentication
Only legitimate users should be able to access the system

Authorization
Users should only be able to perform their designated tasks

Integrity
Data integrity needs to be guaranteed at all times

Privacy
Protection of data against unauthorized access

Obligation
Ensuring liability and legal obligation towards stakeholders and shareholders including validation
Security measures at different levels of the system architecture
Basic Terminologies

• Application data is protected from unauthorized access using authorizations.
• Authorizations are bundled into profiles which are assigned in the form of roles to the user master record.
• Roles are defined by an administrator to map business scenarios.
• Business scenarios are made up of a group of activities which are represented in the form of transactions within the roles.
• A user may have access to a single scenario or several scenarios depending on the way the business flow is structured within the organization.
• Similarly, a business scenario can be split into several roles depending upon the complexity of the business process.
• Splitting of roles is also important to segregate the duties amongst the employees of an organization and thereby having more players to accomplish a business process end to end. This reduces the risk of malpractices within the company.
Elements of an SAP authorization concept
Authorizations, Objects, Fields and Values
Authorizations Instance and Profile
Roles and User Menu
• A role can be assigned to any number of users.
• Through the role, you also assign the authorizations that users need to access the transactions, reports, and so on contained in the menu.
• This user menu appears when the user to which the authorization profile was assigned logs on to the SAP system.
• A user menu consists of the role menus of the assigned roles. It contains the activities that are required by a group of users for their work area.

[Screenshot: User Menu for Subramaniam with Favorites and the folder "User Maintenance" containing BP – Maintain Business Partner, PFCG – Role Maintenance, SU01 – User Maintenance, SA38 – ABAP Reporting, SE16 – Data Browser, SM30 – Call View Maintenance]
Tips – Regarding User and SAP Menu

• Table SSM_CUST, view "Set Values for the Session Manager / Profile Generator"
  – Control of the removal of redundant transactions with redundancy avoidance
    • DELETE_DOUBLE_TCODES, YES/NO
  – Sorting the user menu with redundancy avoidance
    • SORT_USER_MENU, YES/NO
  – Switch to turn the user menu on or off
    • ALL_USER_MENUS_OFF, YES/NO
• Table USERS_SSM
  – Switch the user menu and/or the SAP menu on or off as required.
    • ALL_USER_MENUS_OFF, YES/NO
Sequence of Authorization Checks
[Screenshot: Display Dialog Transaction – Transaction Code SM59, Package SRCX, Transaction Text "RFC Destinations", Program SAPMCRFC, Screen Number 100, Authorization Object S_RFC_ADM with fields ACTVT, ICF_VALUE, RFCDEST, RFCTYPE and their values]
ABAP Program Authorization Checks (authority-check Statement)

• Authorization checks in ABAP programs are performed using the ABAP command authority-check.
• For example, if a user tries to edit a table in SM30 the system first checks if the user has the relevant authorization for the object S_TABU_DIS, actvt : 02 and DICBERCLS (authorization group in table TDDAT). If this check fails the system would check if the user has display authorization for the table.

Code excerpt shown on the slide (SM30 check sequence):

    "check by class
    authority-check object 'S_TABU_DIS'
      id 'ACTVT'     field act_level
      id 'DICBERCLS' field w_tddat-cclass.
    if sy-subrc <> 0. "not allowed
      if act_level = '02'.
        "check by class
        authority-check object 'S_TABU_DIS'
          id 'ACTVT'     field '03'
          id 'DICBERCLS' field w_tddat-cclass.
        if sy-subrc = 0.
          act_level = '03'.
          p_action  = 'S'.
          message w114(tb). "only show allowed
        else.
          message e115(tb). "no upd auth
        endif. "sy-subrc from 2nd auth_check
      else. "act_level <> 02
        message e116(tb). "no show auth
      endif.
    endif.
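As an added example (not code from the slides), the following Python model mirrors the authorization concept and the SM30 check sequence described above: a user master record carries roles, roles carry profiles, profiles carry authorizations, and an authority check succeeds only when one single authorization satisfies every requested field (fields are ANDed inside an authorization, authorizations are ORed). The sample roles and users, the prefix-wildcard treatment of values and the return codes are constructed assumptions of this model.

```python
"""Model of the SAP authorization concept (user master -> roles -> profiles ->
authorizations -> object/field/values) with an AUTHORITY-CHECK style lookup.
Added example mirroring the slides' semantics; it is not SAP code."""
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """One authorization instance of an authorization object: a value set per field."""
    obj: str                                  # e.g. 'S_TABU_DIS'
    fields: dict[str, set[str]]               # field name -> allowed values


@dataclass
class Role:
    name: str
    profiles: list[list[Authorization]]       # a role may carry several generated profiles


@dataclass
class UserMaster:
    user_id: str                              # up to 12 characters, as on the slide
    roles: list[Role] = field(default_factory=list)


def value_matches(allowed: str, actual: str) -> bool:
    """'*' is the total authorization; a trailing '*' is a prefix pattern
    (assumed simplification: real SAP values may also be ranges)."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return actual.startswith(allowed[:-1])
    return allowed == actual


def authority_check(user: UserMaster, obj: str, required: dict[str, str]) -> int:
    """Emulates AUTHORITY-CHECK OBJECT ... ID ... FIELD ...: returns 0 (sy-subrc = 0)
    when ONE authorization satisfies EVERY required field, otherwise 4.
    Values from two different authorizations are never combined."""
    for role in user.roles:
        for profile in role.profiles:
            for auth in profile:
                if auth.obj != obj:
                    continue
                if all(any(value_matches(v, wanted) for v in auth.fields.get(fname, ()))
                       for fname, wanted in required.items()):
                    return 0
    return 4


def sm30_access_level(user: UserMaster, table_auth_group: str, act_level: str) -> str:
    """The SM30 sequence from the slide: check the requested activity first
    (02 = change); if that fails and change was requested, fall back to display
    (03). Returns 'U' (update), 'S' (show only) or 'N' (no access)."""
    if authority_check(user, "S_TABU_DIS",
                       {"ACTVT": act_level, "DICBERCLS": table_auth_group}) == 0:
        return "U" if act_level == "02" else "S"
    if act_level == "02" and authority_check(
            user, "S_TABU_DIS", {"ACTVT": "03", "DICBERCLS": table_auth_group}) == 0:
        return "S"      # message w114(tb): only show allowed
    return "N"          # message e115(tb) / e116(tb)


# Constructed sample data: a display-only role and an administrator role
DISPLAY_ROLE = Role("Z_TABLE_DISPLAY", [[
    Authorization("S_TABU_DIS", {"ACTVT": {"03"}, "DICBERCLS": {"SC", "SS"}}),
    Authorization("S_TCODE", {"TCD": {"SM30", "SE16"}}),
]])
ADMIN_ROLE = Role("Z_TABLE_ADMIN", [[
    Authorization("S_TABU_DIS", {"ACTVT": {"02", "03"}, "DICBERCLS": {"*"}}),
]])
VIEWER = UserMaster("TVIEWER", [DISPLAY_ROLE])
ADMIN = UserMaster("TADMIN", [ADMIN_ROLE])

if __name__ == "__main__":
    print(sm30_access_level(VIEWER, "SC", "02"))   # S: change denied, display granted
    print(sm30_access_level(VIEWER, "ZZ", "02"))   # N: no authorization for this group
    print(sm30_access_level(ADMIN, "SC", "02"))    # U
```

The point worth taking from the model is the AND/OR rule: a user holding ACTVT 02 for group SS in one authorization and ACTVT 03 for group SC in another still has no change access to SC, which is exactly what allows table authorization groups in TDDAT to be used for least-privilege table maintenance.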
Lesson 2

USER SETTINGS
User Settings

• A user master record is a must for every user to access the system. The record also stores information used for authentication, e.g. the password.
• User master records are client specific.
• A user id is a 12 character identifier for an SAP user.
Authorizations for User Administrator
User Master Record

[Screenshot: User P200USER, Last Changed 24.08.2011 – tab pages Address, Logon Data, Defaults, Parameters, Roles, Profiles, Personalization, License Data]
User Type
System Users

• System users (called CPIC users in older releases) are required for the internal communication of the systems. To increase the security of your system landscape, when you are creating system users, assign only greatly restricted authorizations, combined in special roles, to the system users.
• In principle, one user ID (such as SAPCPIC) would be sufficient, and you could use it for all system users. However, in this situation it would be practically impossible to change the password of the system users, or simply to keep it secret, as there can be multiple RFC destinations utilizing it.
• So that you need only change the password of the relevant system user in one place when you change the password later, use a separate system user for each RFC destination. This means that there are as many system users in your system landscape as there are RFC destinations.
• No license fees apply to these system users.
Additional Features

• Transaction SU10 can be used to maintain the user master for a large number of users at once.
• You can display change documents for users by navigating to Environment -> Display Changes.
• User master record is stored in USR* tables.
• Table USR02 is used to display logon data for the user and it also stores some change logs like last logon date for the user.
• Change logs for the user are stored in USH* tables.
• To effectively utilize the memory space occupied by the tables in the database, the table data can be archived.
Lesson 3

ROLE MAINTENANCE - BASICS


Role Maintenance - Basics

• Transaction PFCG
Role
• Roles are authorization containers that represent a specific part of an employee’s job. The role itself is
composed of different functions of the employee, which again is the sum of certain tasks inside these
functions.
• Example: The job of a user is Head of the purchase dept. In his job he has different roles, such as being
a buyer. One of the functions of the buyer is to create purchase orders.
– Job: Head of the purchase dept.
– Role: Buyer
– Function: Create Purchase Order (Referred to as a Transaction in SAP).

• A user may have more than one role. The above user may also be responsible for maintaining the master
data relevant for purchasing.
• He may also be responsible for vendor evaluation and rating.
• With roles you can implement menus which the users can work with after logging on to the system.
• If integrated with organizational management, roles can be assigned to jobs, positions and organizational
units.

[Screenshot: Role SAP_CO_PC_JOB_SALESORDER, Description "Display Sales Orders" – tab pages Description, Menu, Authorizations, User; Role Documentation]
Role Maintenance - Views

• There are three types of role maintenance views.
• Simple Maintenance : Allows only menu and user maintenance.
• Basic Maintenance : Access all role maintenance functionalities and assignment to users
• Complete View : For Organizational Management is used in Personnel Planning and Development

[Screenshot: PFCG menu bar Goto, Utilities(M), Environment, System, Help; Settings dialog, View: Simple maintenance (Workplace menu maintenance) / Basic maintenance (menus, profiles, other objects) / Complete view (Organizational Management and workflow)]
Transactions in Roles   Shift + F9
Reports assignment in Roles
• If they are to be used in a role, reports should always have a transaction code.
• The transaction code can be automatically generated by the system or specified by the administrator.
• If you assign a new transaction code although a transaction code has already been created for this report (for example, for another role), the system displays a message that informs you about the situation and, if necessary, you can choose between the new and the old T codes.

[Screenshot: Transaction Code for Reports – Report type: ABAP Report / SAP Query / Transaction with Variant / BW Report; Report RSUSR402, Variant, Skip selection screen; GUI Support: SAPGUI for Windows, SAPGUI for Java, SAPGUI for HTML; Transaction Code: Generate Automatically / ZTESTREP. Dialog "Create Transaction Code": "A transaction code already exists for the report entered. Do you want to adopt the old transaction code?" – Transfer / Recreate / Cancel]
Designing and Structuring the Role Menu
• Add/delete Transactions and Reports
• Copy Menus from other roles
• BW reports and Queries can also be added using the report button
• Web links and Document links can be added using the other button.
• Create, delete and rename folders and create hierarchies.
• You can distribute the role to a target system using RFC.
[Screenshot: Role Menu tab (Description, Menu, Authorizations, User, MiniApps) – buttons Transaction, Report, Other, Delete, Authorization Default; folder "User Maintenance" containing BP – Maintain Business Partner, PFCG – Role Maintenance, SU01 – User Maintenance, SA38 – ABAP Reporting, SE16 – Data Browser, SM30 – Call View Maintenance; Target System Dest. CT1CLNT010 with Distribute button; Copy Menus: From SAP Menu, From Other Role, From Area Menu, Import from file]
Maintain Authorizations
• PFCG automatically proposes the authorizations with default values in some
cases based on the transactions added in the role menu.
• The authorization objects display Yellow or Green Traffic Lights based on whether
the authorization data has been maintained completely or partially.
• The authorization objects for Organizational values are displayed in Red traffic
lights instead of Yellow if not maintained with values.
[Screenshot: Change role: Authorizations for SAP_BC_BASIS_ADMIN (System Administrator) – selection criteria Manually / Open / Changed / Maintained / Org. Levels; object class AAAB Cross Application Authorization Objects (Manually), class BC_A Basis Administration (Maintained), object S_USER_GRP User Master Maintenance: User Groups, authorization T_YA67011010 with fields Activity (ACTVT) 03, 08 and User Group in user master maintenance (CLASS) *]
Generate Authorizations
• Finally, once the authorizations are maintained they need to be generated to take effect.
• On generation all the maintained authorizations are collected into a profile.
• Since a profile can only hold a limited number of authorizations (150), one role may have several profiles. PFCG divides and creates these profiles automatically.
• You can recognize these profiles from the fact that their names are identical for the first 10 characters, and an appended number starting with 1-99.
• They are also known as sequential profiles.
[Screenshot: Change role: Authorizations for SAP_BC_BASIS_ADMIN with dialog "Assign Profile Name for Generated Authorization Profile" – "You can change the default profile name here", Profile name T-12345678, Text "Profile for role SAP_BC_BASIS_ADMIN"; authorization tree AAAB Cross Application Authorization Objects (Manually), BC_A Basis Administration (Maintained), S_USER_GRP User Master Maintenance: User Groups, T_YA67011010 with Activity (ACTVT) 03, 08 and User Group in user master maintenance (CLASS) ADMIN]
Note : AGR_PROF only lists the main profile but does not list the automatically generated profiles in the role.
User Assignment

• User tab page in PFCG is used to assign the roles to the users.
• The validity dates can be set to a limited period of time if required.
• User master comparison is done to fill up the authorization buffer tables (USRBF2) and also to make the time dependent authorizations effective.
• There are three ways of performing a user master comparison:
  – For an individual role on the users tab.
  – You can do it in mass for a large number of roles using transaction PFUD
  – You can schedule a background job to run every day during the non-working hours for the program pfcg_time_dependency

[Screenshot: PFCG Utilities menu – Info object, Customizing auth, Settings, Display Changes, Optimize User Assignment; Settings: Role maintenance – "Automatic User Master Adjustment when Saving Role", "Menu: Do Not Insert Existing Entries. Standard: No". User tab (Description, Menu, Authorizations, User, MiniApps) with Organizational Mgmt. and User Comparison buttons; User Assignments: TCRUSE Tom Cruise 21.10.2010 to 22.05.2012; NKDMAN Nicole Kidman 21.02.2011 to 31.12.9999, In: C]
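The two mechanisms from the last sections, profile generation with the 150-authorization limit and the user master comparison that fills the authorization buffer from time-limited role assignments, as an added Python model (not SAP code). The sequential profile suffix format, the sample authorization list and the profile base name are assumptions; the user assignments and validity dates are the ones shown on the slide.

```python
"""Profile generation and user master comparison, modelled in Python as an
added example (not SAP code). Active authorizations of a role are packed into
profiles of at most 150 entries; the user's authorization buffer is then
rebuilt from the role assignments whose validity covers the comparison date."""
from dataclasses import dataclass
from datetime import date

MAX_AUTHS_PER_PROFILE = 150        # limit stated in the slides


@dataclass(frozen=True)
class Authorization:
    obj: str              # authorization object, e.g. S_USER_GRP
    name: str             # technical name of the authorization, e.g. T_YA67011010
    active: bool = True   # deactivated authorizations are skipped at generation


def generate_profiles(base_profile: str, auths: list[Authorization]) -> dict[str, list[Authorization]]:
    """Pack the active authorizations into one or more generated profiles.
    The first profile carries the 10-character base name; further profiles
    append a number (zero-padded to two digits is this example's assumption;
    the slide only says the first 10 characters are identical)."""
    if len(base_profile) != 10:
        raise ValueError("a generated profile name is 10 characters long")
    active = [a for a in auths if a.active]
    chunks = [active[i:i + MAX_AUTHS_PER_PROFILE]
              for i in range(0, len(active), MAX_AUTHS_PER_PROFILE)] or [[]]
    return {base_profile if n == 0 else f"{base_profile}{n:02d}": chunk
            for n, chunk in enumerate(chunks)}


@dataclass(frozen=True)
class RoleAssignment:
    user_id: str
    role: str
    valid_from: date
    valid_to: date


def user_master_comparison(user_id: str, assignments: list[RoleAssignment],
                           role_profiles: dict[str, set[str]], today: date) -> set[str]:
    """Profiles that belong in the user's buffer (USRBF2) on `today`: only the
    roles whose validity interval covers that date contribute. Running this
    daily (pfcg_time_dependency) is what makes an expiry actually take effect."""
    buffer: set[str] = set()
    for a in assignments:
        if a.user_id == user_id and a.valid_from <= today <= a.valid_to:
            buffer |= role_profiles.get(a.role, set())
    return buffer


# Constructed sample: one role with 160 active and 1 deactivated authorization
SAMPLE_AUTHS = [Authorization("S_USER_GRP", f"T_YA6701{i:04d}") for i in range(160)] + [
    Authorization("S_TCODE", "T_YA67019999", active=False)]
PROFILES = generate_profiles("T-12345678", SAMPLE_AUTHS)      # two sequential profiles
ROLE_PROFILES = {"SAP_BC_BASIS_ADMIN": set(PROFILES)}

# User assignments from the slide (validity dates as shown there)
ASSIGNMENTS = [
    RoleAssignment("TCRUSE", "SAP_BC_BASIS_ADMIN", date(2010, 10, 21), date(2012, 5, 22)),
    RoleAssignment("NKDMAN", "SAP_BC_BASIS_ADMIN", date(2011, 2, 21), date(9999, 12, 31)),
]


def profiles_in_buffer(user_id: str, iso_day: str) -> set[str]:
    """Convenience wrapper over the sample data for a given ISO date string."""
    return user_master_comparison(user_id, ASSIGNMENTS, ROLE_PROFILES, date.fromisoformat(iso_day))


if __name__ == "__main__":
    print({name: len(p) for name, p in PROFILES.items()})   # {'T-12345678': 150, 'T-1234567801': 10}
    print(profiles_in_buffer("TCRUSE", "2011-06-01"))        # both profiles
    print(profiles_in_buffer("TCRUSE", "2013-01-01"))        # set(): assignment has expired
```

Two practical consequences follow from the model: an assignment that has expired keeps granting access until a comparison runs, so the daily pfcg_time_dependency job is a control, not a housekeeping nicety; and any check that looks only at the first profile of a role (as the note about AGR_PROF warns) undercounts what the role actually grants once it spills into sequential profiles.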
Lesson 4

ROLE MAINTENANCE – ADVANCED TOPICS
Role Maintenance – Advanced Topics

• One of the important challenges for a security consultant is to design the roles to map the organizational requirements.
• A wrong decision in designing the roles may lead to huge efforts during maintenance, longer cycle times in decision making and realization of role changes, leading to frustration amongst the user community.
• There are a variety of options and flexibility offered in PFCG for designing the roles.
• Composite, Derived, Customizing and Reference Roles are advanced role types which could meet the challenging design requirements.
Customizing Roles

• When building roles for the project team and especially for the functional consultants it is possible to restrict their access to the specific project views of the IMG project.
• Customizing roles can be built in PFCG by inserting customizing authorization from Utilities > Customizing Auth.

[Screenshot: Utilities menu – Info object, Customizing auth, Settings, Display Changes, Optimize User Assignment; Customizing Authorizations: "Status: You have not assigned any Customizing objects", Add; Insert Customizing Activities – Select IMG Project: IMG project STEEL "Steel IMG", IMG project view TEST "TEST IMG"]
Composite Roles
Composite roles are just role containers, they do not have any authorizations of their
own
Composite Roles and User Assignments
Limitations of a composite role

• They are simply containers and do not carry any authorizations themselves.
• If you want to restrict a particular authorization for a composite role, you have to ensure that every role within the composite role is restricted. This may not always be desirable and may make the roles very rigid to maintain.
• If you decide to extend the authorization of a single role, then all the composite roles it is assigned to will be affected, which may also not always be desirable.
• Implementations which use composite roles to separate the transaction role and the organization values break the link between the role and SU24. Such roles are very difficult to maintain.
• Also, in the above case, removal of a transaction from the role does not ensure removal of all its related objects from the organizational role.
• Transporting such roles is also very tricky because in such cases the entire composite role needs to be transported and not just the single role which has been modified.
• As a result such roles may also result in blocking the transport routes and causing overtaker issues.
Building Menus for Composite Roles
• If you assign a user the single roles directly rather than through a composite role, then the menus from the single roles appear repeatedly for the same folder path.
• Although composite roles do not contain authorizations of their own, they can be used to read the menus from the contained single roles using the "Read Menu" button on the menu tab.
• If a single role was added to or removed from the composite role, then a comparison needs to be done again to read the menus of each role.
• Here you have the option to only update the composite role with the delta changes or to do a complete update of the composite role menu.
• Choose Re-import to discard your settings and re-structure your composite role menu.
• Choose Merge to only do a delta update to the roles.
[Screenshot: composite role Menu tab (Description, Roles, Menu, User) with Read Menu, Delete and Copy Menus buttons and the folder "User Maintenance" (BP – Maintain Business Partner, PFCG – Role Maintenance, SU01 – User Maintenance, SA38 – ABAP Reporting, SE16 – Data Browser, SM30 – Call View Maintenance); Settings: Role maintenance – "There are two ways you can create the menu structure of the composite role: You can either recreate the menu completely, or you can merge it with the menu of the single roles." Dialog: "Do you want to recreate the composite role completely or merge the existing data with the menu data from the single roles?" – Re-import / Merge / Cancel]
Reference and Derived Roles

• In today’s world companies are striving towards harmonizing the business processes globally across various regions.
• Although this is a very idealistic approach, the derived roles concept fits best where companies have such harmonized processes.
• The concept is that there is a Reference(d) role which transfers its menu (structure plus transactions) and authorizations to the Derived role.
• Only the organizational values are maintained in the derived roles.
Reference and Derived Roles
• Derived roles reference already existing roles, and these roles should not be in the SAP namespace.
• The menu is maintained in the imparting role only. Changes have an immediate effect
on all inheriting roles.
• Thus unlike the composite roles, the derived role has the complete filled menu of the
referenced role immediately after the referencing role is entered and the role is saved.
• The inheritance relationship can be canceled, but the previously inheriting role is then
handled like a normal role. The cancellation of the relationship cannot be undone.

[Screenshot: Role ZDB_AIO_AP_CLERK, Description "Dubai Accounts Payable Clerk" – Menu tab with Transaction Inheritance: Derive from Role Z00_AIO_AP_CLERK "AP Clerk Global", button Delete Inheritance Relationship; inherited folder "User Maintenance" with BP – Maintain Business Partner and PFCG – Role Maintenance]
Implementing Organization Field Values Directly (SAP Note 314513)
• Authorization data of organizational levels is usually maintained in the Profile Generator in the "Define organizational levels" dialog box. However, you can also maintain individual organizational level fields in each authorization via the "Implement field values" dialog box. If you do so, the organizational levels, however, lose their special status and are then treated as normal authorization fields with the following practical consequences:
- The maintenance via the "Define organizational levels" dialog box no longer changes the authorization values.
- As of Release 4.6B: When adjusting the authorization data of derived roles, the system overwrites the authorization values in the derived roles.

[Dialog "Information": Individual maintenance of an organizational field using the "Maintain Field Values" dialog box makes the following change for this field in this authorization: o Value maintenance using the dialog box "Define Organizational Levels" no longer changes the value. o When adjusting derived roles, the authorization value is overwritten. You can reset the new status of the organizational field in this authorization by deleting the field content using the delete icon next to the field name. Do you want to maintain the organizational level field individually?]
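The reference/derived role relationship and the consequence of SAP Note 314513 described above, as an added Python model (not SAP code): the imparting role transfers its menu and authorization values, organizational-level fields keep the derived role's own values, and a field that has been maintained individually loses that status and is overwritten on the next adjustment. The sample authorization object, transactions and company-code values are constructed; the role names are the ones shown on the slide, and the "$BUKRS" placeholder for an unfilled organizational level is an assumption of the model.

```python
"""Derived-role adjustment modelled in Python as an added example (not SAP
code): the imparting (reference) role pushes its menu and authorization values
to the derived role; only fields still flagged as organizational levels keep
the derived role's own values. Maintaining such a field individually removes
the flag (SAP Note 314513), so the next adjustment overwrites it."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Optional

ORG_PLACEHOLDER = "$BUKRS"   # assumed placeholder for an unfilled org level in the reference role


@dataclass
class Authorization:
    obj: str
    fields: dict[str, set[str]]
    org_level_fields: set[str] = field(default_factory=set)   # fields treated as org levels


@dataclass
class Role:
    name: str
    menu: list[str]
    auths: list[Authorization]
    derived_from: Optional[str] = None


def maintain_field_individually(auth: Authorization, fname: str, values: set[str]) -> None:
    """'Implement field values' dialog: set the value and drop the org-level status."""
    auth.fields[fname] = set(values)
    auth.org_level_fields.discard(fname)


def adjust_derived_role(reference: Role, derived: Role) -> Role:
    """Transfer menu and authorizations from the reference role. A field keeps
    the derived role's value only if it is an org level in both copies;
    everything else (including a field maintained individually) is overwritten."""
    if derived.derived_from != reference.name:
        raise ValueError(f"{derived.name} does not inherit from {reference.name}")
    previous = {a.obj: a for a in derived.auths}   # model assumption: one authorization per object
    new_auths = []
    for ref_auth in reference.auths:
        auth = deepcopy(ref_auth)
        prev = previous.get(auth.obj)
        if prev is not None:
            for fname in auth.org_level_fields:
                if fname in prev.org_level_fields:
                    auth.fields[fname] = set(prev.fields.get(fname, set()))
        new_auths.append(auth)
    derived.menu = list(reference.menu)
    derived.auths = new_auths
    return derived


def derive_role(reference: Role, name: str, org_values: dict[str, set[str]]) -> Role:
    """Create a derived role and fill its organizational levels."""
    derived = adjust_derived_role(reference, Role(name, [], [], derived_from=reference.name))
    for auth in derived.auths:
        for fname in auth.org_level_fields & set(org_values):
            auth.fields[fname] = set(org_values[fname])
    return derived


def company_codes(role: Role) -> set[str]:
    """BUKRS values of the F_BKPF_BUK authorization in a role."""
    return next(a.fields["BUKRS"] for a in role.auths if a.obj == "F_BKPF_BUK")


# Constructed sample data using the role names from the slide
GLOBAL = Role("Z00_AIO_AP_CLERK", ["FB60", "FBL1N"], [
    Authorization("F_BKPF_BUK", {"ACTVT": {"01", "02", "03"}, "BUKRS": {ORG_PLACEHOLDER}}, {"BUKRS"}),
    Authorization("S_TCODE", {"TCD": {"FB60", "FBL1N"}}),
])
DUBAI = derive_role(GLOBAL, "ZDB_AIO_AP_CLERK", {"BUKRS": {"1000"}})

if __name__ == "__main__":
    print(DUBAI.menu, company_codes(DUBAI))     # ['FB60', 'FBL1N'] {'1000'}
    maintain_field_individually(DUBAI.auths[0], "BUKRS", {"2000"})
    adjust_derived_role(GLOBAL, DUBAI)
    print(company_codes(DUBAI))                 # {'$BUKRS'}: the individual value was overwritten
```

The last two lines of the usage show the failure mode the note warns about: an organizational restriction entered through "Implement field values" silently disappears at the next adjustment of the derived roles, which is why such fields should be maintained through "Define organizational levels" and reset (delete the field content) if they were ever maintained individually.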
PFCG: Traffic Lights
• Traffic lights help in giving an overview of the current maintenance status of the authorizations.
– Green : All fields have been filled with values
– Yellow : At least one field which is not an organizational level field for which data has not been proposed or maintained
– Red : At least one field which is an organizational level field for which data has not been proposed or maintained

[Screenshot: Change role: Authorizations for SAP_BC_BASIS_ADMIN (System Administrator) with traffic lights – AAAB Cross Application Authorization Objects (Manually), BC_A Basis Administration (Maintained), S_USER_GRP User Master Maintenance: User Groups, T_YA67011010 with Activity (ACTVT) 03, 08 and User Group in user master maintenance (CLASS) *]
PFCG: Important Icons
PFCG : Maintenance Status
Each authorization contained in a role is identified by one of four different
maintenance statuses, which are defined as follows:
PFCG : Update Status
After each merge process, the update status is specified in addition to the
maintenance status. There are three possible statuses with the following
meanings:
Standard : Active & Inactive
Maintained : Active & Inactive
Combining Authorizations

• If several authorizations exist for one authorization object, the Profile Generator checks
  whether the status and content of the combination allow two or more authorizations to be
  merged. Automatic compression allows optimal display of the authorization list, and
  prevents unnecessary data from being saved in the role and the generated profile.
• Automatic combining during the merge process is only possible on authorizations with the
  status "Standard" and "Maintained".
• Changed and manual authorizations can be merged if they share an identical active status.
• If this prerequisite is fulfilled, two authorizations can be combined in the following cases:
  – For all fields, one authorization is contained in the other.
  – The values of both authorizations differ in exactly one field and are otherwise identical.
• There are also exceptions to the above:
  – An authorization that contains empty fields cannot be combined with another
    authorization in which at least one of these fields is filled.
  – An authorization that contains fields with total authorization (*) cannot be merged with
    another authorization in which at least one of these fields does not indicate a total
    authorization.
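The merge rules above, worked through as an added example (not SAP code): the status check, the two combination cases, the two exceptions, and the resulting automatic compression. Object and field names in the sample authorizations are constructed.

```python
"""Worked model of the Profile Generator's merge rules for authorizations of one object.

Added example, not SAP code: it encodes the rules listed on the slide. An authorization holds
a set of values per field; an empty set is an empty field and the single value "*" stands for
total authorization. Object and field names in the samples are constructed."""
from dataclasses import dataclass

AUTOMATIC_STATUSES = {"Standard", "Maintained"}   # combined automatically in the merge step
OTHER_STATUSES = {"Changed", "Manual"}            # need an identical active status


@dataclass
class Authorization:
    obj: str             # authorization object, e.g. F_BKPF_BUK
    status: str          # Standard / Maintained / Changed / Manual
    fields: dict         # field name -> set of values
    active: bool = True  # deactivated authorizations are ignored at generation


def _status_compatible(a, b):
    """Standard and Maintained combine freely; Changed and Manual only when both are
    Changed/Manual and share the same active flag (model of 'identical active status')."""
    if a.status in AUTOMATIC_STATUSES and b.status in AUTOMATIC_STATUSES:
        return True
    return (a.status in OTHER_STATUSES and b.status in OTHER_STATUSES
            and a.active == b.active)


def _exception_blocks(a, b):
    """The two exceptions: empty vs. filled field, and total (*) vs. restricted field."""
    for name in sorted(a.fields.keys() | b.fields.keys()):
        va, vb = a.fields.get(name, set()), b.fields.get(name, set())
        if (not va) != (not vb):
            return f"field {name}: an empty field cannot be combined with a filled one"
        if (va == {"*"}) != (vb == {"*"}):
            return f"field {name}: total authorization (*) cannot be merged with a restriction"
    return None


def can_merge(a, b):
    """Return (True, rule applied) if the two authorizations may be combined, else (False, why)."""
    if a.obj != b.obj:
        return False, "different authorization objects"
    if not _status_compatible(a, b):
        return False, f"statuses {a.status}/{b.status} cannot be merged"
    blocked = _exception_blocks(a, b)
    if blocked:
        return False, blocked
    names = sorted(a.fields.keys() | b.fields.keys())
    pairs = [(a.fields.get(n, set()), b.fields.get(n, set())) for n in names]
    if all(x <= y for x, y in pairs) or all(y <= x for x, y in pairs):
        return True, "for all fields, one authorization is contained in the other"
    differing = [n for n, (x, y) in zip(names, pairs) if x != y]
    if len(differing) == 1:
        return True, f"values differ in exactly one field ({differing[0]})"
    return False, f"values differ in {len(differing)} fields: {', '.join(differing)}"


def merge_fields(a, b):
    """Field values of the combined authorization: the union per field."""
    return {n: a.fields.get(n, set()) | b.fields.get(n, set())
            for n in a.fields.keys() | b.fields.keys()}


def compress(auths):
    """Automatic compression: merge mergeable pairs until none is left.
    The combined entry keeps the status of the first partner (a simplification of this model)."""
    auths = list(auths)
    merged_any = True
    while merged_any:
        merged_any = False
        for i in range(len(auths)):
            for j in range(i + 1, len(auths)):
                ok, _ = can_merge(auths[i], auths[j])
                if ok:
                    combined = Authorization(auths[i].obj, auths[i].status,
                                             merge_fields(auths[i], auths[j]), auths[i].active)
                    auths = [x for k, x in enumerate(auths) if k not in (i, j)] + [combined]
                    merged_any = True
                    break
            if merged_any:
                break
    return auths


if __name__ == "__main__":
    # Constructed sample: three Standard/Maintained authorizations for one object
    a = Authorization("F_BKPF_BUK", "Standard", {"ACTVT": {"01", "02"}, "BUKRS": {"1000"}})
    b = Authorization("F_BKPF_BUK", "Maintained", {"ACTVT": {"02"}, "BUKRS": {"1000"}})
    c = Authorization("F_BKPF_BUK", "Standard", {"ACTVT": {"03"}, "BUKRS": {"1000"}})
    for x, y in ((a, b), (a, c)):
        print(can_merge(x, y))
    print(compress([a, b, c]))
```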
Deactivating Authorizations

It is useful for two reasons to deactivate the unwanted standard authorizations:
1. No unnecessary authorization data is transferred to the profile that belongs to the role,
   because deactivated authorizations are ignored during profile generation.
2. The same standard authorization is not added again during the next merge process.
What is special about S_TCODE?

Because it depends on the content of the role menu, the authorization object S_TCODE is of
particular significance and is subject to special rules:
1. Authorizations for S_TCODE can exist only in the maintenance status "Standard" or "Manually".
2. To ensure that the menu and the authorization data of a role correspond, you cannot change
   the standard authorization for S_TCODE. This does not include the deactivation function.
Lesson 5

PROFILE PARAMETERS, SPECIAL USERS AND CRITICAL AUTHORIZATIONS
Password Rules and Profile Parameters for System Logon

• A well-defined security policy is a must for every organization. One of the key features of the
  security policy is the password rules, which control unauthorized access to the SAP systems.
• There are quite a few security profile parameters which govern the security settings for the
  system.
• When setting password rules one must differentiate between rules that are pre-defined in the
  system and the rules that are configured by the customer.

Parameter Name                       Customer-  User-    System   Comment
                                     Defined    Defined  Default
                                     Value      Value    Value
login/min_password_diff              -          1        1        min. number of chars which differ between old and new password
login/min_password_digits            -          0        0        min. number of digits in passwords
login/min_password_letters           -          0        0        min. number of letters in passwords
login/min_password_lng               8          6        6        minimum password length
login/min_password_lowercase         -          0        0        minimum number of lower-case characters in passwords
login/min_password_specials          -          0        0        min. number of special characters in passwords
login/min_password_uppercase         -          0        0        minimum number of upper-case characters in passwords
login/password_expiration_time       60         0        0        days until password must be changed
login/password_history_size          10         5        5        number of records to be stored in the password history
login/password_logon_usergroup       -          -        -        users of this group can still log on with passwords
login/password_max_idle_initial      15         0        0        maximum number of days a password (set by the admin) can be unused (idle)
login/password_max_idle_productive   60         0        0        maximum number of days a password (set by the user) can be unused (idle)

• Customers can control the password rules in two ways:
  – System profile parameters to determine the minimum length, frequency of change, etc. for
    passwords.
  – An illegal passwords table USR40 to bar the users from using some well-known strings or
    characters in their password, for example the company name or a city name. Here you can
    define strings using wildcards: ? for a single character or * for a character string.
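The two layers just described, modelled as an added example (not SAP code): the profile parameters are taken from the customer-defined column of the table above, the USR40 entries are constructed samples, and matching USR40 patterns case-insensitively is an assumption of this model.

```python
"""Model of the two customer-controlled password rule layers the slide describes:
profile parameters (login/min_password_* etc.) and the illegal passwords table USR40.

Added example, not SAP code. Parameter values are the customer-defined column of the
slide's table; the USR40 entries are constructed samples; USR40 matching is done
case-insensitively here (an assumption of this model)."""
import re
from itertools import zip_longest

# Customer-defined values from the slide's parameter table
PROFILE = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 0,
    "login/min_password_letters": 0,
    "login/min_password_lowercase": 0,
    "login/min_password_specials": 0,
    "login/min_password_uppercase": 0,
    "login/min_password_diff": 1,
    "login/password_history_size": 10,
}

# Constructed USR40 entries: ? matches exactly one character, * matches any string
USR40 = ["SAP*", "*PASS*", "ACME????", "MUMBAI*", "12345678"]


def usr40_pattern(entry):
    """Translate a USR40 entry into an anchored regular expression."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in entry)
    return re.compile(f"^{regex}$", re.IGNORECASE)


def forbidden_by_usr40(password, entries=USR40):
    """Return the first USR40 entry the password matches, or None."""
    for entry in entries:
        if usr40_pattern(entry).match(password):
            return entry
    return None


def chars_differing(old, new):
    """Positions at which the new password differs from the old one (model of min_password_diff)."""
    return sum(1 for x, y in zip_longest(old, new) if x != y)


def check_password(password, old_password=None, history=(), profile=PROFILE, usr40=USR40):
    """Return the list of rules the new password violates (empty list = accepted)."""
    violations = []
    counts = {
        "login/min_password_lng": len(password),
        "login/min_password_digits": sum(c.isdigit() for c in password),
        "login/min_password_letters": sum(c.isalpha() for c in password),
        "login/min_password_lowercase": sum(c.islower() for c in password),
        "login/min_password_uppercase": sum(c.isupper() for c in password),
        "login/min_password_specials": sum(not c.isalnum() for c in password),
    }
    for param, have in counts.items():
        if have < profile[param]:
            violations.append(param)
    if (old_password is not None
            and chars_differing(old_password, password) < profile["login/min_password_diff"]):
        violations.append("login/min_password_diff")
    # Only the most recent N passwords are kept in the history
    recent = list(history)[-profile["login/password_history_size"]:]
    if password in recent:
        violations.append("login/password_history_size")
    hit = forbidden_by_usr40(password, usr40)
    if hit:
        violations.append(f"USR40:{hit}")
    return violations


if __name__ == "__main__":
    for candidate in ("Welcome9", "Short1", "Acme2024", "sapsecure", "MyPassword1"):
        print(candidate, check_password(candidate))
```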
Special Users

• Special users are the users which are predefined in the SAP systems with well-known names
  and passwords.
• As a result they should be protected from unauthorized access.
• There are two types of special users: those created by installing the SAP system and those
  created when you copy clients.
• Clients 000, 001 and 066 are created automatically during an SAP installation.
Special Users: SAP*

Param. Name        login/no_automatic_user_sapstar
Short description  Control of the automatic login user SAP*
Appl. area         Logon
Default value      1
Profile value      1
Current value      1

• SAP* is defined in the SAP system code and does not require a user master record.
• It has unlimited access to the system, and the default password is PASS.
• During installation the user master record for SAP* is created in clients 000 and 001 with the
  initial password 06071992. The installation can proceed only after the admin has reset the
  password for the user.
• This master record created in the system for SAP* deactivates the special authorizations for
  the user, and now only the authorizations assigned to the user apply.
• Creating a user master record for SAP* is one way of preventing unauthorized access with the
  user.
• If you delete the user master record for SAP*, then the standard user defined in the system
  code becomes active with the default password "PASS".
  – The user now has complete authorization.
  – The standard password "PASS" cannot be changed.
Special Users: DDIC and EarlyWatch

Special Authorization Objects

• In the following sections we shall have a look at some authorization objects which are
  frequently called when executing reports, transactions and queries, with the aim of
  understanding their usefulness and purpose.
S_TCODE (Authorization Check for Transaction Start)

Check Indicator for S_TCODE in CALL TRANSACTION
Calling Transaction: FS00
Description: GL account master record maintenance

List of Called Transactions
Called Tcode  Transaction Text                        Check Ind.
FB01          Post Document                           YES
FD01          Create Customer (Accounting)            YES
FSP0          G/L acct master record in chrt/accts    YES
FSS0          G/L account master record in co code    YES
KA01          Create Cost Element
KA02          Change Cost Element
KP65          Create Cost Planning Layout             YES

Use
The check indicator determines whether a transaction start authorization check (that is, an
authorization check against the object S_TCODE with the transaction code of the called
transaction, and additional authorization checks entered in transaction SE93 for the
transaction, if appropriate) is to be performed when the ABAP statement CALL TRANSACTION is run.
You can enter the following values:
  Yes: An authorization check is performed when the ABAP statement CALL TRANSACTION is run.
  No: No authorization check is performed.
  SPACE (empty): One of the above check indicators is yet to be set. In the current release,
  no authorization check is performed.

• For every transaction that is executed from the menu tree, favorites or from the command
  field, a check is performed by the kernel for the transaction against the authorization object
  S_TCODE for the field TCD.
• For example, if a user executes transaction MIGO, the system will only allow him to proceed
  further if he has the authorization for the transaction in object S_TCODE.
• There are however exceptions to the above rule:
  – Transactions that are called from another program or transaction using the statement
    "CALL TRANSACTION".
  – Report transactions which are started using the SUBMIT action from SA38 are checked against
    authorization object S_PROGRAM.
  – Parameter transactions that eventually call core transaction codes (table TSTCP). Core
    transactions are not protected by S_TCODE.
S_TABU_DIS (Table Maintenance Authorization)

• S_TABU_DIS controls which tables the user can display or maintain in the table maintenance
  transactions SM30, SM31 or the Data Browser SE16. Tables are assigned to authorization groups
  (DIBERCLS). Table-to-group assignments are defined in table TDDAT.
• Tables which are not assigned to any authorization group are by default assigned the dummy
  authorization group &NC&.
• The assignment of this authorization group (&NC&) is not useful with regard to a conclusive
  authorization concept and should be avoided.
• You can use transaction SE54 to create customer-specific table authorization groups and assign
  both customer-specific and standard SAP tables to them.
• If your table maintenance authorization is based on S_TABU_DIS only, then in the productive
  environment the generic table access tools (SE16N, SE16, SE17, SM30, SM31, and SM34) must be
  treated as particularly security-relevant transactions. For detailed access to tables with
  generic maintenance tools, use parameter transactions that specify both the view or table to
  be maintained and the permitted activity, and that skip the initial screen of the transaction.
  If these transactions do not yet exist for the relevant purpose, you can create them in the
  customer or partner namespace.
S_TABU_NAM (Granular Table Maintenance Authorization)

• S_TABU_NAM is not generally available in the SAP ERP package; it can be defined and activated
  after applying the relevant SAP Notes (1481950).
• With this object, the system checks the view names or table names directly, so that an exact
  authorization check is possible. In the module VIEW_AUTHORITY_CHECK, the system checks
  S_TABU_NAM only if the authorization check on S_TABU_DIS was unsuccessful.
• This procedure enables both the retention of the previous table access concept and the
  superposed use of both authorization objects.
• If you use the authorization objects S_TABU_DIS and S_TABU_NAM in parallel, the advantages of
  a group-based authorization check can be combined with the possibility of a very finely
  granulated authorization assignment.
• Users with a large scope of functions for a department can be authorized as far as possible
  using S_TABU_DIS, but only very extensive table authorization groups or particularly sensitive
  areas are assigned in a table-specific manner using the object S_TABU_NAM.
• The advantage here is that particularly extensive or critical authorization groups do not have
  to be assigned to users. In principle, authorization groups with tables that are classified as
  critical should not be assigned.
S_TABU_CLI (Cross-Client Table Maintenance)

• Authorization object S_TABU_CLI: grants authorization to maintain cross-client tables with the
  standard table maintenance transaction (SM31), the extended table maintenance transaction
  (SM30), and the Data Browser (SE16), and also in the Customizing system.
• It also acts as an additional security measure for cross-client tables and enhances the
  general table maintenance authorization S_TABU_DIS.
• CLIIDMAINT: If identifier X or * is set, cross-client tables can be maintained.
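The decision sequence described on the S_TABU_DIS, S_TABU_NAM and S_TABU_CLI slides, as an added example (not SAP's VIEW_AUTHORITY_CHECK): the TDDAT excerpt, the user authorizations and the table names are constructed, value matching supports only "*" and trailing-"*" patterns, and S_TABU_CLI is required here only for changes (activity 02) to cross-client tables.

```python
"""Model of the table access decision: S_TABU_DIS (group) first, S_TABU_NAM (table name) only
when the group check failed, and S_TABU_CLI additionally for changing a cross-client table.

Added example, not SAP's VIEW_AUTHORITY_CHECK. TDDAT contents, users and table names are
constructed; field matching supports only '*' and trailing-'*' patterns (a simplification)."""

NC_GROUP = "&NC&"            # dummy group for tables without a TDDAT assignment
DISPLAY, CHANGE = "03", "02"

# Constructed TDDAT excerpt: table name -> (authorization group, cross-client table?)
TDDAT = {
    "T001": ("FC01", True),
    "ZCUSTREQ": ("ZCUS", False),
    "USR40": ("SC", True),
}


def table_group(table):
    return TDDAT.get(table, (NC_GROUP, False))[0]


def is_cross_client(table):
    return TDDAT.get(table, (NC_GROUP, False))[1]


def value_allowed(allowed, value):
    """Authorization field matching: '*' is total, 'Z*' a prefix pattern, otherwise exact."""
    for a in allowed:
        if a == "*" or a == value or (a.endswith("*") and value.startswith(a[:-1])):
            return True
    return False


def authority_check(user_auths, obj, **fields):
    """AUTHORITY-CHECK model: one authorization for obj must match every requested field."""
    for auth in user_auths:
        if auth["object"] != obj:
            continue
        if all(value_allowed(auth.get(f, []), v) for f, v in fields.items()):
            return True
    return False


def table_access(user_auths, table, actvt):
    """Return (allowed, reason) for displaying (03) or changing (02) a table."""
    group = table_group(table)
    if authority_check(user_auths, "S_TABU_DIS", DICBERCLS=group, ACTVT=actvt):
        via = f"S_TABU_DIS group {group}"
    elif authority_check(user_auths, "S_TABU_NAM", TABLE=table, ACTVT=actvt):
        via = f"S_TABU_NAM table {table}"      # only reached when the group check failed
    else:
        return False, f"no S_TABU_DIS for group {group} and no S_TABU_NAM for {table}"
    if actvt == CHANGE and is_cross_client(table) and not authority_check(
            user_auths, "S_TABU_CLI", CLIIDMAINT="X"):
        return False, f"{table} is cross-client: S_TABU_CLI CLIIDMAINT X/* missing"
    return True, via


def grants_nc_group(user_auths):
    """Audit helper: does any S_TABU_DIS authorization cover the dummy group &NC&?"""
    return authority_check(user_auths, "S_TABU_DIS", DICBERCLS=NC_GROUP)


# Constructed user authorizations (field name -> list of allowed values)
CLERK = [
    {"object": "S_TABU_DIS", "DICBERCLS": ["ZCUS"], "ACTVT": ["02", "03"]},
    {"object": "S_TABU_NAM", "TABLE": ["T001"], "ACTVT": ["03"]},
]
BASIS_ADMIN = [
    {"object": "S_TABU_DIS", "DICBERCLS": ["*"], "ACTVT": ["*"]},
]
BASIS_ADMIN_CLI = BASIS_ADMIN + [{"object": "S_TABU_CLI", "CLIIDMAINT": ["X"]}]

if __name__ == "__main__":
    for user, name in ((CLERK, "clerk"), (BASIS_ADMIN, "admin"), (BASIS_ADMIN_CLI, "admin+CLI")):
        for table, actvt in (("ZCUSTREQ", DISPLAY), ("T001", DISPLAY), ("T001", CHANGE),
                             ("ZNOGROUP", DISPLAY), ("USR40", CHANGE)):
            print(name, table, actvt, table_access(user, table, actvt))
        print(name, "grants &NC&:", grants_nc_group(user))
```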
S_TABU_LIN (Field Level Authorization Restrictions)

Organizational Crit.  ZCOMPANY
Org. Crit. name       Company Code
Attribute             COMPANY
Name                  Company Code
View/table            ZORGTABLE
Table Fields
  Field Name          COMPANY
  Domain              ZCOMPANY

• Through the introduction of the organizational criteria concept in combination with the object
  S_TABU_LIN, it is possible to restrict a user's access rights to specific fields of a table.
• A possible use for S_TABU_LIN would be to display and to change content for only a certain
  work area, such as a country or a plant.
• The table key fields/rows are defined and linked to an organizational criterion in Customizing.
• Once the defined organizational criterion is activated, it is not possible to display or
  maintain contents in the table which has been linked to it in Customizing without
  authorization to the object S_TABU_LIN for the table key field value.
S_PROGRAM (ABAP Program Run Check)

ABAP: Program Attributes RBDSERCHECK (Display)
Title                Serialization Using Object Types: Consistency Check
Attributes
  Type               Executable Program
  Application        BASIS
  Authorization Group S_ALE
  Package            SALE

• Programs, like tables, are protected against unauthorized access using authorization groups.
• The authorization group is stored in the program attributes.
• Program authorization groups can be maintained using report RSCSAUTH.
• The following activities are controlled:
  – SUBMIT: To start a program execution.
  – BTCSUBMIT: Schedule a program as a background job.
  – VARIANT: To create and execute a program as a variant.
Lesson 6

CONTROLLING USER AND ROLE ADMINISTRATION

Controlling User and Role Administration

• A security administrator responsible for user and access management in an organization would
  frequently use transactions SU01 and PFCG for maintaining users and roles respectively.
• Some of the important tasks of a security administrator are:
– Create and maintain users
– Lock/unlock users and reset passwords
– Create and maintain roles
– Maintain the transaction in menu and authorization data
– Generation of profiles
– Assign roles and profiles to users
– Transport roles
– Monitoring of system access etc.
Important Authorization Objects in User and Role Administration
Decentralized User and Role Administration
Dual & Treble Control
Sample Use Case

Z.IND_USER_ADMIN  India User Administrator
  Maintained  BC_A  Basis Administration
    Maintained  Authorizations: Role Check  S_USER_GRP  T_YA67011010
      Activity                                01, 02, 03, 08, 22   ACTVT
      Role Name                               Z.IN*, ZIN*          CLASS
    Maintained  User Master Maintenance: User Groups  S_USER_GRP  T_YA67011010
      Activity                                01, 02, 03, 08, 22   ACTVT
      User Group in user master maintenance   INDUSER              CLASS

• Authorizations for user administrators are decentralized based on location. A role with
  administrator authorizations for India has to be set up such that he can:
  – Create, change, display, display change documents, lock/unlock users
  – Assign roles and profiles to users
  – Display roles and profiles and their change documents
• Naming convention for India:
  User Group: INDUSER
  Roles: Composite Roles – Z.IN* and Single Roles – ZIN*
Lesson 7

TROUBLESHOOTING AND ADMINISTRATION AIDS

Troubleshooting and Administration Aids

• SAP provides tools like SU53 and ST01 for troubleshooting and finding missing authorizations
  for users.
• There are plenty of administration reports which aid in evaluation functions:
  – RSUSR002: Users by complex selection criteria
  – RSUSR008: By critical combinations of authorizations at transaction start
  – RSUSR008_009_NEW: List of users with critical authorizations
  – RSUSR020: Profiles by complex selection criteria
  – RSUSR030: Authorizations by complex selection criteria
  – RSUSR040: Authorization objects by complex selection criteria
  – RSUSR070: Roles by complex selection criteria
  – RSUSR100: Change documents for users
  – RSUSR101: Change documents for profiles
Authorization Error Analysis – SU53

Authorization check failed
  Authorization object   M_LFM1_EKO
  Authorization Field    ACTVT   02
  Authorization Field    EKORG   1000

User's authorization data  USER01
  Authorization object   M_LFM1_EKO
  Authorization          T-C01001045689
  Profile                T-C0100104
  Role                   Z_MASTER_DATA  Master Data Admin
  Authorization Field    ACTVT   02, 03, 08
  Authorization Field    EKORG   2000

Vendor Account Changes: Initial Screen
  Vendor       T00080021
  Purch. Org.  1000
  Plant

No authorization for changing vendors in purch. org. 1000
Authorization Trace – ST01

• An experienced security consultant can judge by plainly looking at an SU53 screen whether it
  is pointing towards the correct missing object or not.
• If there is a series of authorization failures when executing a transaction code, SU53 may
  only point you to the last failed check (which may be unimportant or intentionally suppressed
  for the user).
• ST01 is the tool that consultants should rely upon under circumstances where SU53 analysis is
  incorrect. ST01 provides quite accurate results for authorization checks. It lists the complete
  story of the authorization checks for users in a system when turned on.

System Trace
  Change Trace | Trace off | Analysis
  Trace Status: Trace switched on (main switch on)
  Trace Components                  System Trace: Filter
    [X] Authorization Check           Process number
    [X] Kernel Functions              User          USER01
    [ ] General Kernel                Transaction
    [ ] SQL Trace                     Program
    [ ] Table Buffer Trace
    [ ] RFC Calls
    [ ] Lock Operations
  General Filters

Client 010  User USER01  Transaction MK04
Work Process 0  PID  Date 16.10.2011  Start 07:03:00  Finish 07:03:09
Block Version 1248  No of Records 3  File version 1

hh:mm:ss  Type  Object      Text
07:03:01  AUTH  F_LFA1_APP  RC=0 APPKZ=M; ACTVT=08
07:03:03  AUTH  F_LFA1_GEB  RC=0 ACTVT=08;
07:03:09  AUTH  M_LFM1_EKO  RC=4 EKORG=1000:ACTVT=08;
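A parser for AUTH records in the ST01 format shown above, as an added example (not an SAP tool): it lists every failed check, whereas SU53 shows only the last one. The trace text is the slide's three records plus one constructed failure on F_LFA1_GRP; the return code texts are SAP's documented meanings for RC 0, 4 and 12.

```python
"""Parser for the AUTH records of an ST01 trace like the one on the slide, listing every
failed authorization check rather than only the last one SU53 would show.

Added example, not an SAP tool. The trace text is constructed from the slide's three records
plus one extra constructed failure; RC_TEXT holds SAP's documented return code meanings."""
import re
from dataclasses import dataclass

RECORD = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+AUTH\s+(?P<obj>\S+)\s+RC=(?P<rc>\d+)\s*(?P<rest>.*)$")
FIELD = re.compile(r"(\w+)=([^;:]*)")     # field values are separated by ';' or ':'

RC_TEXT = {
    0: "check passed",
    4: "authorization for the object exists, but not for these field values",
    12: "no authorization for this object at all",
}

# Constructed trace: the slide's records for USER01 / MK04 plus one added failure (F_LFA1_GRP)
TRACE = """\
07:03:01 AUTH F_LFA1_APP RC=0 APPKZ=M; ACTVT=08
07:03:02 AUTH F_LFA1_GRP RC=4 KTOKK=LIEF:ACTVT=08;
07:03:03 AUTH F_LFA1_GEB RC=0 ACTVT=08;
07:03:09 AUTH M_LFM1_EKO RC=4 EKORG=1000:ACTVT=08;
"""


@dataclass
class AuthCheck:
    time: str
    obj: str
    rc: int
    fields: dict


def parse_trace(text):
    """Return the AUTH records of a trace in order; other record types are skipped."""
    checks = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        fields = dict(FIELD.findall(m.group("rest")))
        checks.append(AuthCheck(m.group("time"), m.group("obj"), int(m.group("rc")), fields))
    return checks


def failed_checks(checks):
    """Every check with a non-zero return code, in trace order."""
    return [c for c in checks if c.rc != 0]


def su53_view(checks):
    """What SU53 would report: only the last failed check."""
    failed = failed_checks(checks)
    return failed[-1] if failed else None


def describe(check):
    values = ", ".join(f"{k}={v}" for k, v in check.fields.items())
    return f"{check.time} {check.obj} RC={check.rc} ({RC_TEXT.get(check.rc, 'other')}): {values}"


if __name__ == "__main__":
    checks = parse_trace(TRACE)
    print("All failed checks (ST01):")
    for c in failed_checks(checks):
        print("  " + describe(c))
    print("Last failure only (SU53):", describe(su53_view(checks)))
```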
Improvements in ST01 – Note 1373111

Information System – Administration Aids

• Once you have identified the missing authorization object, it does not necessarily mean that
  you start modifying the user's job roles.
• You can try to find alternative solutions, like existing roles with the required authorizations
  which can be assigned to the user without granting too much extra access.
• There are several useful reports from the user information system available which aid in
  deriving these solutions.
• These reports help an administrator to gain an overview of the users in the system and many
  other related facts.
• The transactions listed in the screenshot can be called as executable reports starting with
  RSUSR*, which can be run from SA38.
• A complete list of these useful transactions can be found in the user information system
  SUIM, which is one place from which you can branch and jump to individual reports.

Transaction      Text
S_BCE_68001400   Users According to Complex Criteria
S_BCE_68001401   Critical Combinations of Auth.
S_BCE_68001402   With Unsuccessful Logons
S_BCE_68001403   With Critical Authorizations
S_BCE_68001404   Profiles by Contained Profiles
S_BCE_68001405   Profiles by Authorization Name
S_BCE_68001406   Profiles by Values
S_BCE_68001407   Profiles by Changes
S_BCE_68001408   Profiles by Roles
S_BCE_68001409   Profiles According to Complex Crit.
S_BCE_68001410   Auth. Objects According to Complex
S_BCE_68001411   Auth. Objects According to Complex
S_BCE_68001412   Auth. Objects According to Complex
S_BCE_68001413   Auth. Objects According to Complex
S_BCE_68001414   Auth. According to Complex Criteria
S_BCE_68001415   Authorizations by Values
S_BCE_68001416   Authorizations by Changes
S_BCE_68001417   Auth. According to Complex Criteria
S_BCE_68001418   Roles by Role Name
S_BCE_68001419   Roles by User Assignment
S_BCE_68001420   Roles by Transaction Assignment
S_BCE_68001421   Roles by Profile Assignment
S_BCE_68001422   Roles by Authorization Object
S_BCE_68001423   Roles by Authorization Values
S_BCE_68001424   Roles by Change Data
S_BCE_68001425   Roles by Complex Criteria
System Audit Information

• As of release 4.6C there is a special role concept used for SAP system auditing, which was
  previously done using the AIS (Audit Information System) transaction SECR.
• Roles:
  – SAP_AUDITOR (AIS - Audit Information System)
  – SAP_AUDITOR_TAX (AIS - Tax Audit)
• With the role concept the flow and quality of the checks has improved considerably.
Lesson 8

TRANSPORTING AUTHORIZATION COMPONENTS

Transporting Authorization Components
Transporting Roles
Upload/Download Roles

• Normally it is only possible to exchange data with transport requests between SAP systems
  with the same release status. If roles have to be exchanged across releases, for example,
  this can be done by downloading or uploading roles.
• When you download the data, it is all stored in a local file, with the exception of the
  generated authorization profiles and the user assignments.
• After an upload, the role might have to be edited and generated.
• You can save multiple roles in a local file at the same time by choosing Utilities → Mass
  download.
Transporting Users

Client Copy – Copy a Client
  Schedule Background   Start immediately
  Target Client         010  Customizing
  Selected Profile      SAP_UCUS
  Description           Customizing and User Master
  Source Client         000  SAP AG Konzern
Transporting Check Indicators

• The customer tables USOBX_C and USOBT_C, which are adjusted as per customer needs, can be
  transported as a whole with all settings of check indicators, status and field values in
  step 3 of SU25.
• It is also possible to maintain values for individual transactions in SU24.
• In both cases, a transport request is transported and distributed to other SAP systems in the
  context of the Transport Management System.
• During the transport, all of the check indicators and field values in the target system are
  replaced, and steps 2a-2d cannot be used.
Lesson 9

CONFIGURING ROLE MAINTENANCE TOOLS

Configuring Role Maintenance Tools

• Configure the role maintenance tools to reduce effort during role maintenance in PFCG.
• Role maintenance uses default values shipped by SAP which affect how PFCG operates as well as
  how security checks are carried out at runtime.
• If the default values shipped by SAP do not meet your needs, the tools can be configured so
  that you do not end up making multiple changes to authorizations within roles.
PFCG & SU24: How does it work? What are the benefits?

Adjusting SU24

Authorization  Authorization  Authorization  Authorization  Changed  Modification  Modification
Name           Object         Field          Value          by       Date          Time          MODIFIED
MB03           M_MSEG_BMB     ACTVT          03             SAP      30.08.2004    14:29:40
MB03           M_MSEG_BMB     BWART                         SAP      30.08.2004    14:29:40
MB03           M_MSEG_LGO     ACTVT          03             SMITHJ   17.09.2005    15:33:40      X
MB03           M_MSEG_LGO     BWART                         SMITHJ   17.09.2005    15:33:40      X
MB03           M_MSEG_LGO     LGORT                         SMITHJ   17.09.2005    15:33:40      X

Transaction Code ME21N
Object | Object Check Indicator | Proposal | Field Values
  Check         Set Status "Yes"
  Do Not Check  Set Status "No"
                Set Status "New Unmaintained"

St  Object       Text                        Check Ind.  Proposal  Flag  User Name
    K_CSKS_SET   CO-CCA Cost Center Groups   Check       NO
    K_KEKO       CO-PC Product Costing       Check       NO
    M_ANFR_BSA   Document Type in RFQ        Check       NO
    M_ANFR_EKG   Purchasing Group in RFQ     Check       NO

Object       Field Name  Change  From  To
M_BEST_BSA   ACTVT               01
M_BEST_BSA   ACTVT               02
M_BEST_BSA   ACTVT               03
M_BEST_BSA   BSART
Authorization Checks
• To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
• The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
– Starting SAP transactions (authorization object S_TCODE)
– Starting reports (authorization object S_PROGRAM)
– Calling RFC function modules (authorization object S_RFC)
– Table maintenance with generic tools (S_TABU_DIS)
Authorization Checks: Starting SAP Transaction
Authorization Checks: Starting Reports
Authorization Checks: RFC calls/Table Maintenance
Reducing Scope of Authorization Checks

• In addition to using transaction SU24 to display default field values, you can also use it to reduce authorization checks at runtime.
• This has the effect of not performing an authorization check on a specific authorization object.
• You should be careful when deciding which authorization checks to suppress. By suppressing authorization checks, you allow users to perform tasks for which they are not explicitly allowed.
• For an authorization check to be executed, it must be included in the source code of a transaction and must not be explicitly exempt from the check.
• You can suppress authorization checks without changing the program code, as check indicators control authorization checks.
Reducing Scope of Authorization Checks
• The authorization check indicator defines whether or not the authorization check for this object is performed during the execution of the transaction. Possible values are "Check" and "Do Not Check".
• From an auditor's perspective, if you find an authorization check has been disabled, just ensure that disabling meets with the company policy.

[Screenshot: SU24 check indicators for Transaction Code ME21N (Check / Do Not Check), listing e.g. K_CSKS_SET CO-CCA Cost Center Groups, K_KEKO CO-PC Product Costing and M_ANFR_BSA Document Type in RFQ, each with check indicator Check.]
Lesson 10
PFCG INSTALLATION AND UPGRADE
PFCG Installation and Upgrade
• Before the Profile Generator can be used, you must activate it in the system and link it with default tables for the delivered SAP transaction codes.
• Since release 4.6 the profile generator is already activated. This means that you do not have to set the system parameter in the instance profile:
auth/no_check_in_some_cases=Y
• This is set as default and you only need to verify the same in transaction RZ11 or run the report RSPARAM.

[Screenshot: RZ11 display of parameter auth/no_check_in_some_cases]
Short description: Activation of the Profile Generator
Appl. area: Authentication
Default value: Y
Profile value: Y
Current value: Y
Tables USOBX_C and USOBT_C

• When the administrator adds a transaction to a role the profile generator selects and proposes the authorization objects that are checked and maintained in profile generator for this transaction.
• Tables USOBX_C and USOBT_C control the behavior of the Profile Generator after the transaction has been selected. After a new installation, these tables are empty and must be filled with values before the Profile Generator is used for the first time.
• SAP delivers the tables USOBX and USOBT. These tables are filled with default values and are used for the initial fill of the customer tables USOBX_C and USOBT_C. After the initial fill, you can modify the customer tables, and therefore the behavior of the Profile Generator, if required.
• Table USOBX defines which authorization checks are to be performed within a transaction and which are not (despite programmed authority-check command). This table also determines which authorization checks are maintained in the Profile Generator.
• Table USOBT defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.
Tables USOBX_C and USOBT_C
[Screenshot: entries for transaction ME21N in the customer tables]
USOBX_C (columns: transaction, type, object, last changed by, date, time, Checkfl)
ME21N TR M_BANF_EKO SAP  30.08.2010 13:00:00 X
ME21N TR M_BANF_WRK SAP  30.08.2010 13:00:00 X
ME21N TR M_BEST_BSA SAP  30.08.2010 13:00:00 Y
ME21N TR M_BEST_EKG SAP  30.08.2010 13:00:00 Y
ME21N TR M_BEST_EKO SAP  30.08.2010 13:00:00 Y
ME21N TR M_BEST_WRK SAP  30.08.2010 13:00:00 Y
ME21N TR M_EINF_EKO SAP  30.08.2010 13:00:00 X
ME21N TR M_EINF_FRG DDIC 01.02.2011 15:03:00 X
ME21N TR M_INFO_MCD SAP  30.08.2010 13:00:00 X
ME21N TR M_IS_KENNZ SAP  30.08.2010 13:00:00 X
ME21N TR M_MATE_CHG SAP  30.08.2010 13:00:00 X

Checkfl | Short Description
N | No authorization check
X | Authorization check takes place
U | Not maintained
Y | Authorization check takes place, default values in USOBT

USOBT_C (columns: transaction, type, object, field, value, last changed by)
ME21N TR M_BEST_BSA ACTVT 01     SAP
ME21N TR M_BEST_BSA ACTVT 02     DDIC
ME21N TR M_BEST_BSA ACTVT 03     DDIC
ME21N TR M_BEST_BSA ACTVT 08     DDIC
ME21N TR M_BEST_BSA ACTVT 09     SAP
ME21N TR M_BEST_BSA BSART        SAP
ME21N TR M_BEST_EKG ACTVT 01     SAP
ME21N TR M_BEST_EKG ACTVT 02     DDIC
ME21N TR M_BEST_EKG ACTVT 03     DDIC
ME21N TR M_BEST_EKG ACTVT 08     DDIC
ME21N TR M_BEST_EKG ACTVT 09     SAP
ME21N TR M_BEST_EKG EKGRP $EKGRP SAP
SU24 – Check Indicators
• After the customer tables USOBX_C and USOBT_C have been filled, you can maintain them to adjust the behavior of the Profile Generator and the authorization checks to be performed for each transaction. The tables are maintained in transaction SU24.
• This transaction displays the check indicators of a transaction. Check indicators determine if an authorization check will run within the transaction or not.

[Screenshot: SU24 for Transaction Code ME21N. Check Indicator: Check / Do Not Check; Proposal: Set Status "Yes" / "No" / "New UnMaintained". Objects K_CSKS_SET CO-CCA Cost Center Groups, K_KEKO CO-PC Product Costing, M_ANFR_BSA Document Type in RFQ and M_ANFR_EKG Purchasing Group in RFQ, each with check indicator Check and flag NO. Field values for M_BEST_BSA: ACTVT 01, 02, 03; BSART.]
SU24 – Maintenance Status
• The behavior of objects is no longer governed solely by the check indicator (as was the situation before SAP NetWeaver 2004s); instead, the maintenance status of the authorization object is also considered.
• The maintenance status of an authorization object shows whether authorization default data has been correctly maintained for the object.
• Possible values are:
– "Maintained" (green traffic light).
– "Unmaintained" (red traffic light).
– "Maintained with warning" (yellow traffic light).
– "Do not check" (gray traffic light).

[Screenshot: SU24 object list with maintenance status (St) traffic light]
St | Object     | Object Description
   | A_A_VIEW   | Asset View
   | A_S_ANLKL  | Asset Master Record Maint. (Ccode/Asset Class)
   | A_S_KOSTL  | Asset Master Record Maint. (Ccode/Cost Center)
   | C_STUE_BER | CS BOM Authorizations
SU24 – Proposal Status

• The proposal status of an authorization object defines whether or not an authorization default value for the object is to be added in the profile generator to the authorizations of the role when the application is added to a role. Possible values are "Yes" or "No".
• "Yes": An authorization default value with the stored authorization field values is added to the role. The field values should also be maintained, as far as possible and as long as this is useful.
• "No": No authorization default value is added to the role.
• ' ': Initial value. This value shows that the application developer responsible has not yet decided whether "Yes" or "No" is to be set here.
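Added example for the SU24 material above (Reducing Scope of Authorization Checks, Tables USOBX_C and USOBT_C, Check Indicators and Proposal Status); this is not SAP code and not from the course. It models how PFCG turns the USOBX_C check flags (N/X/U/Y) and the USOBT_C default values into role proposals, how only "Do Not Check" switches a programmed AUTHORITY-CHECK off at runtime, and the auditor's list of suppressed checks. The table rows are constructed from the ME21N values shown above; the user authorizations in the test are assumptions.

```python
from collections import defaultdict

# USOBX_C check flags, as listed in the Checkfl legend above
NO_CHECK = "N"       # Do Not Check: no authorization check in this transaction
CHECK = "X"          # Check: AUTHORITY-CHECK runs, nothing proposed in PFCG
UNMAINTAINED = "U"   # Not maintained: check still runs, nothing proposed
CHECK_PROPOSE = "Y"  # Check/Maintain: check runs and USOBT_C values are proposed

# Constructed excerpt of USOBX_C for ME21N: (tcode, type, object, check flag)
USOBX_C = [
    ("ME21N", "TR", "M_BANF_EKO", CHECK),
    ("ME21N", "TR", "M_BEST_BSA", CHECK_PROPOSE),
    ("ME21N", "TR", "M_BEST_EKG", CHECK_PROPOSE),
    ("ME21N", "TR", "M_EINF_FRG", CHECK),
    ("ME21N", "TR", "K_CSKS_SET", NO_CHECK),   # suppressed in SU24 (assumption)
]

# Constructed excerpt of USOBT_C: (tcode, type, object, field, default value)
# An empty value leaves the field open in the role; a '$' value is an org level.
USOBT_C = [
    ("ME21N", "TR", "M_BEST_BSA", "ACTVT", "01"),
    ("ME21N", "TR", "M_BEST_BSA", "ACTVT", "02"),
    ("ME21N", "TR", "M_BEST_BSA", "ACTVT", "03"),
    ("ME21N", "TR", "M_BEST_BSA", "BSART", ""),
    ("ME21N", "TR", "M_BEST_EKG", "ACTVT", "01"),
    ("ME21N", "TR", "M_BEST_EKG", "EKGRP", "$EKGRP"),
]


def check_indicator(tcode, obj, usobx=USOBX_C):
    """USOBX_C flag for (tcode, object); an absent row counts as unmaintained."""
    for t, _typ, o, flag in usobx:
        if t == tcode and o == obj:
            return flag
    return UNMAINTAINED


def propose_authorizations(tcode, usobx=USOBX_C, usobt=USOBT_C):
    """What PFCG proposes when `tcode` is added to a role menu: one
    authorization per object flagged 'Y', filled with its USOBT_C defaults."""
    proposal = {}
    for t, _typ, obj, flag in usobx:
        if t == tcode and flag == CHECK_PROPOSE:
            proposal[obj] = defaultdict(set)
    for t, _typ, obj, fld, val in usobt:
        if t == tcode and obj in proposal:
            proposal[obj][fld].add(val)
    return {o: {f: sorted(v) for f, v in flds.items()}
            for o, flds in proposal.items()}


def runtime_check_performed(tcode, obj, usobx=USOBX_C):
    """Only 'Do Not Check' (N) switches a programmed AUTHORITY-CHECK off
    (with auth/no_check_in_some_cases = Y); X, Y and U all leave it in place."""
    return check_indicator(tcode, obj, usobx) != NO_CHECK


def authority_check(user_auths, tcode, obj, **wanted):
    """Simulated AUTHORITY-CHECK for `obj` inside `tcode`.  Passes when the
    check is suppressed for this transaction, or when one of the user's
    authorizations for the object covers every requested field value
    ('*' in an authorization covers any value)."""
    if not runtime_check_performed(tcode, obj):
        return True
    for auth in user_auths.get(obj, []):
        if all(wanted[f] in auth.get(f, ()) or "*" in auth.get(f, ())
               for f in wanted):
            return True
    return False


def suppressed_checks(usobx=USOBX_C):
    """Auditor's list: every (tcode, object) whose check has been disabled,
    to be compared against the company policy."""
    return sorted((t, o) for t, _typ, o, flag in usobx if flag == NO_CHECK)


if __name__ == "__main__":
    print(propose_authorizations("ME21N"))
    print(suppressed_checks())
```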
Security Upgrade
[Screenshot: transaction SU25]
Installing the Profile generator
1. Initially Fill the Customer Tables
Post-process the Settings After Upgrading to a Higher Release
2A. Preparation: Compare with SAP values
2B. Compare Affected Transactions
2C. Roles to Be Checked
2D. Display Changed Transaction Codes
Transport Conn.
3. Transport the Customer Tables
Adjust the Authorization Checks (Optional)
4. Check indicator (Transaction SU24)
5. Deactivate Authorization Object Globally
Create Roles from Manually Created Profiles
6. Copy Data from Old Profiles

• What do you need to do if you perform an upgrade?
– Migration of report trees
– Check of Profile Generator activation
– Upgrade of the roles and default tables (SU25, steps 2A-2D)
– Conversion of manually created profiles to roles if necessary (SU25, step 6)
Upgrade - Scenarios

• There are always two possibilities:
– Source release did not use PFCG
• PG needs to be activated.
– Source release used PFCG (>3.1G)
• USOBX_C and USOBT_C need to be updated.
• Roles need to be updated.
• If you are using PG for the first time:
– You can start building your roles using PG
– Convert the manual profiles into roles using step 6 of SU25.
Upgrade – Source release > 3.1G
[Screenshot: transaction SU25, steps 1 to 6 as shown above]
• The USOB* tables and the roles both need to be updated to the latest version.
• Transaction SU25, steps 2A to 2D:
– 2A: Executes the Profile Generator comparison program. Compares the new tables USOBX and USOBT with USOBX_C and USOBT_C.
– 2B: Adds any new transactions/updates to tables USOBX_C and USOBT_C.
– 2C: Updates the existing roles and flags all roles with new authorization objects.
– 2D: Displays all roles for which there are changed transaction codes.
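Added example, not SU25 itself and not from the course: a Python simulation of steps 2A to 2D, comparing constructed SAP tables USOBX/USOBT against constructed customer tables USOBX_C/USOBT_C, writing new rows into the customer tables, and listing the roles to be checked. The role names, the replaced-transaction list and the rule that customer-modified rows keep the customer's flag are assumptions.

```python
from copy import deepcopy

# Check flags as in the Checkfl legend: N = no check, X = check, Y = check with defaults.
# Constructed customer tables as they stand before the upgrade.
USOBX_C = {("ME21N", "M_BEST_BSA"): "Y",
           ("ME21N", "M_BEST_EKG"): "Y",
           ("ME21N", "K_CSKS_SET"): "N"}   # customer chose Do Not Check in SU24
USOBT_C = {("ME21N", "M_BEST_BSA", "ACTVT"): {"01", "02", "03"}}

# Constructed SAP tables USOBX/USOBT as delivered with the new release.
USOBX = {("ME21N", "M_BEST_BSA"): "Y",
         ("ME21N", "M_BEST_EKG"): "Y",
         ("ME21N", "K_CSKS_SET"): "Y",     # SAP default differs from the customer's
         ("ME21N", "M_EINF_FRG"): "X",     # new check added to an existing tcode
         ("ME22N", "M_BEST_BSA"): "Y"}     # transaction new to the table
USOBT = {("ME21N", "M_BEST_BSA", "ACTVT"): {"01", "02", "03", "08", "09"},
         ("ME22N", "M_BEST_BSA", "ACTVT"): {"02", "03"}}

# Constructed roles (role name -> transactions in the role menu) and a
# constructed list of transaction codes the new release replaces (old -> new).
ROLES = {"Z_MM_BUYER": {"ME21N", "ME22N"},
         "Z_MM_RELEASE": {"ME29N"},
         "Z_FI_CLERK": {"FB03", "FK03"},
         "Z_LEGACY_BUYER": {"ME21"}}
REPLACED_TCODES = {"ME21": "ME21N"}


def step_2a(usobx_c, usobx, usobt_c, usobt):
    """2A: run the comparison.  Returns (rows new to the customer tables,
    rows whose check flag the customer changed away from SAP's, default
    values SAP added)."""
    new_rows = sorted(k for k in usobx if k not in usobx_c)
    differing = sorted((k, usobx_c[k], usobx[k]) for k in usobx
                       if k in usobx_c and usobx_c[k] != usobx[k])
    added_values = {}
    for k, vals in usobt.items():
        extra = vals - usobt_c.get(k, set())
        if extra:
            added_values[k] = extra
    return new_rows, differing, added_values


def step_2b(usobx_c, usobx, usobt_c, usobt):
    """2B: write the new rows into the customer tables.  Rows the customer
    already maintained keep the customer's flag (assumption: they are left for
    a manual decision, as listed by step_2a); proposals gain SAP's new values."""
    new_rows, _differing, added_values = step_2a(usobx_c, usobx, usobt_c, usobt)
    merged_x, merged_t = dict(usobx_c), deepcopy(usobt_c)
    for k in new_rows:
        merged_x[k] = usobx[k]
    for k, vals in added_values.items():
        merged_t.setdefault(k, set()).update(vals)
    return merged_x, merged_t


def step_2c(roles, new_rows):
    """2C: roles to be checked, i.e. roles whose menu contains a transaction
    that received a new authorization object and must be regenerated."""
    affected = {tcode for tcode, _obj in new_rows}
    return sorted(role for role, menu in roles.items() if menu & affected)


def step_2d(roles, replaced=REPLACED_TCODES):
    """2D: roles whose menu still uses a transaction code that the new release
    replaced, together with the code to switch to."""
    return sorted((role, old, replaced[old]) for role, menu in roles.items()
                  for old in menu if old in replaced)


if __name__ == "__main__":
    new_rows, differing, added = step_2a(USOBX_C, USOBX, USOBT_C, USOBT)
    print("2A new rows:", new_rows)
    print("2A customer-modified rows:", differing)
    print("2C roles to check:", step_2c(ROLES, new_rows))
    print("2D changed tcodes:", step_2d(ROLES))
```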
Upgrade Profile : SAP_NEW
• The profile SAP_NEW is delivered with every new release and contains authorizations for all new checks in existing transactions.
• The SAP_NEW profile guarantees backward compatibility of the authorizations if a new release or an update of authorization checks introduces checks for previously unprotected functions.
• Composite profile to bridge the differences in releases in the case of new or changed authorization checks for existing functions, so that your users can continue to work as normal.
• If there are a large number of roles to be modified due to an upgrade then you can buy time to process these roles later by assigning users SAP_NEW on a temporary basis provided it is allowed as per the organization's security policy.
• The SAP_NEW composite profile consists of single profiles for all old releases of SAP.

[Screenshot: composite profile SAP_NEW]
Profile: SAP_NEW
Texts in User Master Comp profile
Text: New authorization checks
Status: Active
Changed by: DDIC
Consisting of Profiles (Profile | Text):
SAP_NEW_21C | Authorizations for new objects added Rel. 2.1C
SAP_NEW_21D | Authorizations for New Objects Added Rel. 2.1D
SAP_NEW_22A | Authorizations for New Objects Added Rel. 2.2A
SAP_NEW_30A | Authorizations for New Objects Rel. 3.0A
SAP_NEW_30B | Authorizations for New Objects Rel. 3.0B
SAP_NEW_30C | Authorizations for New Objects in Release 3.0C
SAP_NEW_30D | Authorizations for new objects in Release 3.0D
SAP_NEW_30E | Authorizations for New Objects in Release 3.0E
SAP_NEW_30F | Authorizations for new objects in Release 3.0F
SAP_NEW_31G | Authorizations for New Objects in Release 3.1G
SAP_NEW_40A | Authorizations for New Objects in Release 4.0A
Lesson 11

ORGANIZATIONAL MANAGEMENT
Organizational Management
• Over time people change positions and departments and collect authorizations for their new areas of work. If the user administrator forgets to remove the authorizations for the user's older departments or positions then the user keeps on receiving more authorizations.
[Figure: one user accumulating the authorizations of Buyer, Accounts Clerk and Warehouse Manager]
Position based authorization management
• If the roles are now assigned to the objects of the organizational plan, such as positions, the employees, who are indirectly assigned to these positions through the organizational plan, can inherit the roles.
• Advantage: As soon as an employee changes position, he or she also loses the corresponding authorizations (since these depend not on the user, but on the position).
• Create roles based on organizational objects, such as positions in your organization. For example: Sales manager, accountant, and secretary.
• Assign the roles to your organizational plan. Users then inherit the authorizations (indirectly) in accordance with their position in the organizational plan.
[Figure: the roles Buyer, Accounts Clerk and Warehouse Manager attached to positions rather than to the user]
Organizational Plan
• An organizational plan represents a functional organization and reporting structures between positions in an enterprise.
• Organizational Management's object-oriented design provides you with a number of organizational objects with which you create organizational plans.
• At the center of an organizational plan are organizational units (departments, for example) arranged in a hierarchy that mirrors the structure of your enterprise. Other organizational units such as positions (sales administrator, for example) depict your enterprise's reporting structure. Objects such as jobs, tasks, and work centers are the building blocks of your organizational plan.
• By relating objects via relationships, you create a network that mirrors your organizational and reporting structures. In addition to this, you can create relationships to objects from other components (cost center, employee or R/3 User, for example).
[Figure: organizational units in a hierarchy, each position shown with its Holder(s)]
Organizational Management in SAP
• PPOCE : Create Organization and Staffing
• PPOME : Change Organization and Staffing
• PPOSE : Display Organization and Staffing
[Screenshot: Organizational Structure/Change. Org. Unit; Plan version 01 Current plan; Search Term: Department 2510/000/000; Structure Search: Department Marketing, Department Finance, Department Logistics]
• In the simple maintenance mode, you work in three main windows. Each window covers specific maintenance activities:
• The Organizational Structure window allows you to build up and maintain the organizational structure for your organizational plan.
• The Staff Assignments window allows you to identify the fundamental staffing details required for an organizational plan.
• The Task Profile window allows you to assign roles to jobs, positions, organizational units, and holders of positions (users). Workflow Tasks are also assigned at this level, however, these are not related to authorizations.
[Screenshot: Staff Assignments/Change. Org. Unit; Plan version 01 Current plan; Search Term: Department Marketing (Org Unit); Structure Search: Department Marketing (Org Unit) > Sales Mgr – Marketing (Position) > Lisa Kudrow (Person/user)]
[Screenshot: Task Profile/Change. Org. Unit; Plan version 01 Current plan; Search Term: Department Marketing (Org Unit); Structure Search: Department Marketing (Org Unit) > Change invoice status (Task), Change stat. of confirmation (Task); Position, Job, Employee (Role), User]
Steps in Organizational Management

[Figure: example organizational plan, from the enterprise down to the persons]
Infosys Technologies Limited (enterprise / top org. unit)
Bangalore DC, Pune DC, Hyderabad DC etc. (org. units)
HR Manager, Delivery Manager, etc. (jobs)
HR Manager ES, Delivery Manager ES etc. (positions)
Manager resources, Create Projects etc. (tasks)
John Smith, Lisa Norman etc. (persons / users)
Role Maintenance - PFCG
• To be able to assign components of your organizational plan, you must select the "Complete View" when entering PFCG.
[Screenshot: PFCG Settings, View: Simple maintenance (Workplace menu maintenance) / Basic maintenance (menus, profiles, other objects) / Complete view (Organizational Management and workflow)]
• By choosing the Organizational Mgmt button on the user tab, you jump to the screen Role: Change Agent Assignment. The Indirect User Assignments that have already been maintained are displayed here.
• Here you can use positions to assign users to a role (such as SALESMANAGER). By choosing Create assignment, you can also define the following relationships:
– Role / Organizational unit
– Role / Position
– Role / User
[Screenshot: Role: Change Agent Assignment, "Indirect user assignments ok"]
AG /SAP/EMPLOYEE EMPLOYEE Role
  C 50004150 Sales Manager Job
    S 50004151 Sales Manager - Marketing Position
      CP 50003346 Lisa Kudrow Person
  O 90000755 Department Marketing Org. Unit
    S 50004151 Sales Manager - Marketing Position
      CP 50003346 Lisa Kudrow Person
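Added example, not SAP Organizational Management code and not from the course: a Python model of indirect, position-based role assignment as described under Position based authorization management and shown in the Role: Change Agent Assignment screen above. The object ids of the Marketing branch and the roles SALESMANAGER and /SAP/EMPLOYEE come from that screenshot; the Finance branch, the other role names, the user id and the direct assignment are assumptions.

```python
# Constructed organizational plan.  Types: O org. unit, C job, S position,
# CP person (the holder, linked to a user).  Marketing ids are from the
# screenshot above; the Finance branch is an assumption.
OBJECTS = {
    "O 90000755": "Department Marketing",
    "O 90000760": "Department Finance",
    "C 50004150": "Sales Manager",
    "C 50004160": "Accounts Clerk",
    "S 50004151": "Sales Manager - Marketing",
    "S 50004161": "Accounts Clerk - Finance",
    "CP 50003346": "Lisa Kudrow",
}
# Position -> the org. unit it belongs to and the job that describes it.
PARENTS = {
    "S 50004151": ["O 90000755", "C 50004150"],
    "S 50004161": ["O 90000760", "C 50004160"],
}
# Agent assignments maintained via PFCG > Organizational Mgmt (role -> objects).
# SALESMANAGER and /SAP/EMPLOYEE appear on the page; the others are assumptions.
AGENTS = {
    "SALESMANAGER": ["S 50004151"],
    "Z_ACCOUNTS_CLERK": ["S 50004161"],
    "Z_MARKETING_COMMON": ["O 90000755"],
    "Z_SALES_JOB": ["C 50004150"],
    "/SAP/EMPLOYEE": ["O 90000755", "O 90000760"],
}


def ancestors(obj, parents=PARENTS):
    """The object itself plus every object above it in the plan."""
    seen, stack = [], [obj]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.append(current)
            stack.extend(parents.get(current, []))
    return seen


def indirect_roles(position, agents=AGENTS, parents=PARENTS):
    """Roles the holder of `position` inherits: those assigned to the
    position itself, to its job, or to its org. unit."""
    scope = set(ancestors(position, parents))
    return {role for role, objs in agents.items() if scope & set(objs)}


class UserMaster:
    """A user master record with direct role assignments (SU01/PFCG) and an
    indirect assignment through the position the person currently holds."""

    def __init__(self, user, holds=None, direct=()):
        self.user = user
        self.holds = holds            # position id, or None when unstaffed
        self.direct = set(direct)     # roles assigned directly to the user

    def effective_roles(self):
        inherited = indirect_roles(self.holds) if self.holds else set()
        return self.direct | inherited

    def change_position(self, new_position):
        """Move the holder to another position.  Indirect roles follow the
        position automatically; direct roles stay until an administrator
        removes them (the accumulation problem described above)."""
        before = self.effective_roles()
        self.holds = new_position
        after = self.effective_roles()
        return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    lisa = UserMaster("LKUDROW", holds="S 50004151", direct={"Z_OLD_BUYER"})
    print(sorted(lisa.effective_roles()))
    print(lisa.change_position("S 50004161"))
```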
Lesson 12

SECURITY IN PROJECTS
Implementation Methodology
• Every company or every project follows an implementation methodology which can be more or less divided in five distinct phases.
• Project Preparation: Forming the team and assembling the resources required for project implementation.
• Blueprint: Determine the business requirements and formulate a visual representation of the as-is business process to be mapped in SAP.
• Realization: This is the phase where the business requirements are implemented in the system through configurations and development.
• Final preparation: Testing of the interfaces and modules, training of the users, move changes to production, fine tuning and soft configuration of the production system etc.
• Go-Live & Support: Release of system access to users, enhancements and bug-fixes.
Authorization Project Methodology
Blueprint Phase
• The blueprint phase for the authorizations may start only after the business blueprint is done.
• This is because the authorizations can be analyzed and conceptualized only after the business processes are documented.
• The main steps during this phase are:
– Analyze the business process with the project team
– Determine the various job roles and activities to be included within the roles.
– Prepare a list of the roles for the business process and list the activities for each role.
– Determine an ideal design for the job roles
– Determine a naming convention for the roles.

• The Process Master List is a document which forms a basis for this phase. It documents all the activities that are performed during a business process. These activities are mapped with SAP transactions in this list.
• This list should be ready and signed off to start working on the job roles.
• The authorizations team along with the business process owners would work on grouping these activities to form the job roles.
Process Master and Authorizations List
Activity Group | Process Group | Primary Activity | Transaction Codes (mandatory for SAP activities only) | System Type (for Activities)
A-LM059_LXX | LM | Determine Putaway Location | MB1B/MIGO | SAP R/3
A-AP001_LXX | AP | Requisitioner checks SAP for Vendor Existence | FK03 | SAP R/3
A-AP002_LXX | AP | Request to create/change Vendor Master Data | N/A | Manual
A-AP003_LXX | AP | Purchasing Complete Vendor Creation Form for AP | N/A | Manual
A-AP004_LXX | AP | Terms of Payment request | N/A | Manual
A-AP010_LXX | AP | Maintain Vendor Master | FK01, FK02, XK01, XK02 | SAP R/3
Authorizations Concept in SAP
Role design approach
• Derived roles are only helpful initially for small roles (or individual tasks) which truly are exactly the same (except for the org or other element of a common object). If you are planning some major acquisitions and diversity in your production locations and sales organizations, then derived roles might be an option for a "Just One Company Code" system, but your business areas and other org elements will be forced to some extent to have the same business processes, or your roles will provide too much access for the others when one of them wants something special. You will become inflexible and over time the differences will destroy your concept very easily.
• One would want to create a common set of roles which contains the required org level authorizations for the various roles and then create a second set of roles for the functions in the different business areas and add the differentiated org elements to them. Make sure that the transactions you select actually also use these. What you have is a transactional role containing all the transactions & auth objects. You then create a separate role with manually added auth objects that contain all the auth objects that are relevant for restriction. You then disable those objects in the transactional role. This way you have 2 roles, one providing transactional content & the other providing all your restrictions.
– One of the perceived benefits is that you only have 1 role containing restriction data and this can be applied to all users. You then give them different transactional roles depending on what transactions they need etc.
– Downsides to this are:
Increased complexity: It can be a steep learning curve for a new administrator in the company.
Reduced security: Security is based on 2 levels, S_TCODE & object level. If you are creating a single value role (or even a few of them) they are going to contain more auth objects than are needed for the respective transactional roles.
SOD analysis: It makes analysis and reporting at role level more complex.
Breaking SAP security setup: When you take this approach you may be breaking the link between PFCG and SU24.
• Also we have to decide whether we have one single role with all the transactions or break them up into smaller roles. They have their pros and cons as mentioned below:
– It might be desirable for users to only have one role (in addition to a "common role for all users"). This way SoD analysis can concentrate on analyzing authorizations within single role designs, without the added complexity of doing role to role comparisons.
– Smaller roles can be used across multiple functions; limiting the total number of roles can have a dramatic impact on the total maintenance effort when designed the right way.
– A big role (per position) avoids redundancy of transactions in various smaller roles where they could easily have different values on object level.
Naming Convention
• It is important to assign a unique identifier to the roles through a flexible and standardized naming convention.
• There are 30 characters available to define the role name.
• One of the best approaches is to use elements like region (e.g. US, GB, DE etc.), application module (e.g. FI, MM etc.) and business process (e.g. FRAP, OPMA etc.) in the role names.
• Role names should be flexible and extensible so that they do not lose their significance on addition or removal of transactions within them.
• Naming conventions also help in segregating the role and user administration tasks.
• The role names are not language dependent and should not begin with SAP.
• It is also important that you align the naming conventions with that of the project.
Role Documents
• You have finalized upon the below criteria:
– Number of job roles to be created
– The transactions to be included in each job role
– Design approach for the job roles
– Naming convention for the job roles
• Now you can start to create job role documents to identify and describe each role both technically as well as functionally.
• The document should cover the following aspects of the role:
– Role name and Description
– Transactions that are included in the role
– Business relevance of the role through a brief description of its functionality.
– Critical authorizations included within the role
– Organizational values and other restrictions within the role
• Role documents are very useful for the business process owners to understand the job roles that are being built and to suggest any modifications if necessary before they are implemented in the system.
• A formal sign off by the business owners and project managers on these documents is recommended.
Realization Phase
• Start building the job roles in the system as per the role documents.
• Informal screening of the roles by the functional team is recommended during this phase to ensure that the authorizations are being set as desired.
• Prepare test users per role / per module.
• Changes to the transactions within the roles and addition / removal of job roles in the list are expected during this phase.
• Define the test scripts for testing the authorizations in the next phase.
Final Preparation
Go-Live and Support