Access control is a security technique used to regulate who or what can view or use resources in a computing environment. In order to work in an SAP system, users require a valid user ID, and a user master record must be created for each system user. Authorizations are assigned to a user using profiles, in the form of roles, which are entered into the user master record.
DEFINITION OF TERMS
[Figure: procurement business scenario. The activities Create Purchase Requisition, Release Purchase Requisition and Order Purchase Requisition each require certain authorizations.]
When creating roles, we use the transaction code PFCG; the four core elements of a role are:
1. Transaction
2. Menu
3. Authorization
4. User assignment
Implementation project phases:
1. Project Preparation
2. Business Blueprint
3. Realization (implementation)
4. Final Preparation
5. Go-Live and Support
ELEMENTS AND TERMINOLOGY OF THE SAP R/3 AUTHORIZATION CONCEPT
Overview of the terms and elements in the authorization concept
Authorization Object Class: contains one or more authorization objects; it is the logical grouping of authorization objects, i.e. every authorization object is assigned to a class.
Authorization Object: a group of authorization fields that control a particular activity; a template for security that contains fields with blank values.
Authorization Field: the smallest unit on which an authorization check is run.
Authorization: a combination of allowed values for each authorization field of an authorization object; it is also described as an authorization object with completed fields, or an instance of an authorization object.
Authorization Profile: a grouping of the different authorizations for authorization objects.
User Master Record: used for logging on to the SAP system (authentication). After successful verification of the user, the system grants the user the access needed to perform his or her operations (authorizations).
All possible activities are stored in table TACT.
The valid activities for each authorization object are found in table TACTZ.
AUTHORIZATION CHECKS IN THE SAP SYSTEM
There are two authorization checks carried out in the system:
a. The check by the kernel: this checks whether the user is authorized to start the transaction, then checks whether an authorization object is assigned to the transaction code, and finally checks whether the user has an authorization for that authorization object.
b. The individual check in a program: the system checks whether an authorization object has been assigned to the transaction code; if this is the case, the system checks whether the user has an authorization for the authorization object.
After an authorization check the system gives back a return code:
0: the user has an authorization for the authorization object with the correct field values.
4: the user has an authorization for the object, but the values checked are not assigned to the user.
12: the user does not have any authorization for the authorization object.
16: no profile is entered in the user master record.
The values returned by the program check depend on the user buffer.
BUFFER: each user has his or her own user buffer, in which all authorizations assigned to the user are listed.
WHY WOULD A USER FAIL AN AUTHORIZATION CHECK?
A user might fail an authorization check if:
i. the authorization object does not exist in the user buffer, or
ii. the values checked by the application are not assigned to the authorization object in the user buffer.
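The return codes and the user buffer described above, as an added model in Python (not SAP kernel code and not part of these notes): the buffer is a map from authorization object to the authorizations the user holds, and the check returns 0, 4, 12 or 16 exactly as listed. The object and field names are the standard purchase requisition ones (S_TCODE/TCD, M_BANF_BSA/ACTVT+BSART); the user, the values and the helper names are constructed for the example.

```python
"""Model of an SAP authorization check against the user buffer (added example).

The buffer is object name -> list of authorizations; each authorization maps a
field name to its allowed values ('*' = any value).  Constructed sample data.
"""
from typing import Dict, List, Optional

Authorization = Dict[str, List[str]]          # field -> allowed values
UserBuffer = Dict[str, List[Authorization]]   # object -> authorizations


def field_allows(allowed: List[str], value: str) -> bool:
    """A field value passes if it is listed or the field holds '*'."""
    return "*" in allowed or value in allowed


def authority_check(buffer: Optional[UserBuffer], obj: str, **fields: str) -> int:
    """Return 0, 4, 12 or 16 as the notes describe.

    buffer is None when no profile at all is entered in the user master record.
    """
    if buffer is None:
        return 16                      # no profile in the user master record
    auths = buffer.get(obj)
    if not auths:
        return 12                      # object not in the user buffer at all
    for auth in auths:
        # all checked fields must be satisfied by one and the same authorization
        if all(field_allows(auth.get(f, []), v) for f, v in fields.items()):
            return 0
    return 4                           # object present, checked values not assigned


# Constructed buffer for a purchasing user: may create/change/display
# requisitions of document type NB and start the ME5xN transactions.
SAMPLE_BUFFER: UserBuffer = {
    "S_TCODE": [{"TCD": ["ME51N", "ME52N", "ME53N"]}],
    "M_BANF_BSA": [{"ACTVT": ["01", "02", "03"], "BSART": ["NB"]}],
}


def check_create_requisition(buffer: Optional[UserBuffer], doc_type: str) -> int:
    """Kernel-style sequence: transaction start first, then the object check."""
    rc = authority_check(buffer, "S_TCODE", TCD="ME51N")
    if rc != 0:
        return rc
    return authority_check(buffer, "M_BANF_BSA", ACTVT="01", BSART=doc_type)
```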
UNIT 3
USER SETTINGS
A user can only log on to an SAP system if a user master record with a corresponding password exists. User master records are client specific. The table below lists the authorization objects which are required to create and maintain a user master record (administrator):
S/N  Authorization object  Function
1    S_USER_GRP
2    S_USER_PRO
3    S_USER_AUTH           Authorization to create and maintain authorizations
4    S_USER_AGR            Authorization to protect roles; with this object you specify which roles can be edited and which can be assigned to users
5    S_USER_TCD
6    S_USER_VAL
b) Secure data formats (Secure Store and Forward, SSF): this mechanism provides you with the means to secure data and documents in SAP NetWeaver.
User group for authority check: if you want to assign a user to a user group, this is done under the Logon Data tab in the User Group field. It is used when user maintenance is to be divided among several administrators.
User Type:
Dialog user: regular SAP user.
System user: user type for background processing and communication within a system.
Communication user: dialog-free communication between systems.
Service user: dialog user for a larger, anonymous user range (should only have minimum access authorization).
Reference user: user type for general, non-person-related users that allows the assignment of additional, identical authorizations, e.g. Internet users.
Default Tab Page
Here the standard output device, its spool control and the personal settings for the display of numbers and dates are shown. This tab contains:
Start Menu: in this field you can specify an area menu, which you can choose using the possible-entries help.
Logon Language: the system language when the user logs on. On the logon screen the user can choose another language if required.
Output Device: name of a printer in the SAP system, as specified in the device definition.
Time Zone: describes the location of an object in relation to its local time.
Decimal Notation and Date Format: different countries use different formats for numbers and dates; enter the format of your country.
Parameters
The personal user parameters are maintained here.
Roles
This displays the roles assigned to a user. A role is a set of functions describing a specific work area. The relationship between roles and users is many-to-many.
Profiles Tab
In this area you assign manually created authorization profiles and authorizations to a user. The generated profiles of the roles assigned to the user are also displayed here, together with the profiles assigned to the user directly. The maximum number of profiles that can be assigned to a user is 312.
Note: never assign profiles generated using PFCG manually in the Profiles tab, since transaction PFUD deletes this assignment if there is no entry for them on the Roles tab page. When you assign a role to a user on the Roles tab, the generated profile is automatically entered on the Profiles tab.
Groups
This displays the groups in which the user is listed as a member. Users can only be a member of one authorization user group, but of several general user groups. General user groups are not relevant for the object S_USER_GRP.
Logon Data: used for authorization purposes.
Groups: not used for authorization purposes.
Personalization Tab
In this tab you can make person-related settings using personalization objects.
License Data Tab
SAP software contains a measurement program with which every system produces the information used to determine the payment applicable for the installation.
UNIT 4
WORKING WITH THE PROFILE GENERATOR
Role maintenance in an SAP system is the central place in which authorizations are set for users and combined into reusable blocks.
There are two processing views in the profile generator:
1. The basic maintenance view: this gives access to all functions for role maintenance; roles can be assigned only to SAP users.
2. The complete view: this displays all assignments and data for a role.
In PFCG you select the transactions, reports and web links of which the user menu consists. An authorization profile is generated, and the profile is then assigned to a user.
PROFILE GENERATOR
This is the central tool for generating authorizations and authorization profiles and assigning them to users.
Roles
A role consists of one or more profiles. A role is used to implement the menu that users can work with after they have logged on to the SAP system.
Procedure:
PFCG is the transaction code which we use to generate profiles automatically and assign them to users. PFCG consists of the following tabs: Description, Menu, Authorization, User, MiniApp and Personalization.
STEPS:
You can remove transactions in the composite role menu. There are two possible ways of building the menu tree.
If the menu tree has not been built you can use Read Menu.
Refresh: this brings up an additional query, under which you have the option to merge and re-import.
UNIT 5
BASIC SETTINGS
Before the profile generator can be used, you must activate it in the system and link it with the default tables for the delivered SAP transaction codes. Activating the profile generator after a new installation requires that:
i. the SAP system profile parameter auth/no_check_in_some_cases has the value Y;
ii. the default tables which control the behaviour of the profile generator when a transaction is selected in a role are filled.
There are two such tables:
a) USOBT: this defines, for each transaction and each authorization object, which default values an authorization created from the authorization object should have in PFCG.
b) USOBX: this defines which authorization checks are to be performed within a transaction and which are not (despite a programmed authority-check command).
These tables are delivered by SAP; they are filled with default values and are used for the initial fill of the customer tables USOBT_C and USOBX_C.
If an administrator selects a transaction while creating a role, PFCG selects the authorization objects that are checked in this transaction and maintained in PFCG. Four cases can occur:
a) For an authorization object for which a check is performed, PFCG has default values for the authorization content, so that full authorization can be provided. The traffic light beside the authorization object is green.
b) For an authorization object for which a check is to be performed in the selected transaction, PFCG does not have default values for the authorization content; for security reasons no specification was made as to which activity can be performed. The traffic light is yellow.
c) For an authorization object for which a check is to be performed in the selected transaction, PFCG does not have default values for the authorization content and the field is an organizational level field. The traffic light beside it is red.
d) It may be the case that some authorization checks during transaction processing were not maintained in PFCG. The corresponding authorization objects do not appear in the profile overview.
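The four traffic-light cases above, as an added Python model of how PFCG derives proposals from the check-indicator table (USOBX_C) and the default-value table (USOBT_C); this is an illustration, not SAP's code. It assumes a check indicator of "CM" means "check and maintain in PFCG" (versus "C" = check only, "N" = no check), that ORG_LEVELS names the organizational-level fields, and that the table rows shown are constructed samples rather than SAP-delivered values; the object names are the standard purchase requisition ones.

```python
"""Model of PFCG authorization proposals and traffic lights (added example).

Check indicator 'CM' = object is checked in the transaction and maintained in
PFCG; 'C' = checked at runtime only (case d, not shown in the overview).
Table rows below are constructed, not the SAP-delivered defaults.
"""
from typing import Dict, List, Set, Tuple

# USOBX_C (constructed): (transaction, object) -> check indicator
USOBX_C: Dict[Tuple[str, str], str] = {
    ("ME51N", "S_TCODE"): "CM",
    ("ME51N", "M_BANF_BSA"): "CM",
    ("ME51N", "M_BANF_WRK"): "CM",
    ("ME51N", "M_BANF_EKG"): "C",    # checked at runtime, not maintained in PFCG
}
# USOBT_C (constructed): (transaction, object) -> {field: proposed values}
USOBT_C: Dict[Tuple[str, str], Dict[str, List[str]]] = {
    ("ME51N", "S_TCODE"): {"TCD": ["ME51N"]},
    ("ME51N", "M_BANF_BSA"): {"ACTVT": ["01"], "BSART": []},  # no proposal for BSART
    ("ME51N", "M_BANF_WRK"): {"ACTVT": ["01"], "WERKS": []},  # plant is an org level
}
ORG_LEVELS: Set[str] = {"WERKS", "BUKRS", "EKORG"}  # assumed organizational levels


def traffic_light(fields: Dict[str, List[str]]) -> str:
    """Case a) green, case b) yellow, case c) red, from the proposed values."""
    if not fields:
        return "yellow"                        # no default values at all
    empty = [f for f, values in fields.items() if not values]
    if not empty:
        return "green"                         # every field has a proposal
    if any(f in ORG_LEVELS for f in empty):
        return "red"                           # an org-level field is open
    return "yellow"                            # a non-org field is open


def role_proposals(transactions: List[str]) -> Dict[str, str]:
    """Return object -> traffic light for the objects PFCG would show."""
    result: Dict[str, str] = {}
    for tcode in transactions:
        for (t, obj), indicator in USOBX_C.items():
            if t != tcode or indicator != "CM":
                continue                       # case d): not in the overview
            result[obj] = traffic_light(USOBT_C.get((tcode, obj), {}))
    return result
```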
UPGRADING THE PROFILE GENERATOR
What are the things you need to do when you perform an upgrade?
SPECIAL USERS (MULTIPLE LOGON)
SPECIAL USERS
There are two types of special users.
During the installation of the SAP system, clients 000 and 066 are created.
SAP*: the only user in the system for which no user master record is required; the password is PASS and the initial password is 06071992.
DDIC: this user is responsible for maintaining the ABAP Dictionary and the software logistics. When you install the SAP system, a user master record is created in client 000 (001) with the default password 19920706. It is the only user that can log on to the SAP system during the installation of a new release.
EARLYWATCH: this user is delivered in client 066 and is protected with the password SUPPORT. The EarlyWatch experts at SAP work with this user. This user should not be deleted.
In order to restrict SAP* access it is necessary to deactivate the special properties of SAP*; to do this you must set the system profile parameter
S_USER_OBJ: used to protect access to the global deactivation of authorization objects.
S_USER_VAL: defines which field values an administrator may enter in roles, for which authorization object and for which field.
ADMINISTRATORS
AUTHORIZATION DATA ADMINISTRATOR: creates the role, selects the transactions and maintains the authorization data.
AUTHORIZATION PROFILE ADMINISTRATOR: starts transaction SUPC and chooses all roles.
i. System checks
ii. Audits (business audit)
iii. Tax audits
iv. Internal auditing
v. External auditing
The AIS role improves the flow and quality of the check. AIS is used by auditors; the AIS role is divided into two categories:
a) Business audit
b) System audit
These roles can be split into two groups:
I. Authorization role
II. Transaction role
UNIT 6
TRANSPORTING AUTHORIZATIONS
The authorization components that can be transported include:
It is only possible to transport all user master records when performing a copy.
Schedule the transport as a background job during the night; this helps avoid data inconsistency.
If you do not want to transport the user assignments to roles, you can protect the target system with an import lock.
ROLES WITH CENTRAL USER ADMINISTRATION
Roles must exist in the system in which they are assigned to users within central user administration. If systems are assigned to a Central User Administration, roles must be transported without user assignments, since these assignments are made in and distributed from the central system. If user assignments were transported, there would be a temporary inconsistency between the actual state of the central system and its subsystems.
UPLOADING AND DOWNLOADING ROLES
It is only possible to exchange data via transport requests between SAP systems with the same release status. When you download the data, it is all stored in a local file, with the exception of generated authorization profiles and user assignments. After an upload the role has to be edited and generated.
TRANSPORTING CUSTOMER CHECK INDICATORS
The customer tables USOBT_C and USOBX_C, which control the behaviour of the profile generator, must be filled in each system in which PFCG is used. Only when these tables have been adjusted to the customer's needs can they be transported.
UNIT 7
INTEGRATION INTO THE COMPANY LANDSCAPE
Using central user administration simplifies user administration. Central user administration transfers only the assignment of users to roles and profiles, not the authorization values contained in the authorization profiles. In the central system, all the child systems and the central system are specified, while in each child system only the child system itself and the central system are defined.
[Figure: one central system connected to several child systems.]
This must be performed using communication users with the appropriate RFC authorization for central user administration in the relevant system.
Roles of the communication user in the central system: SAP_BC_USR_CUA_CENTRAL, SAP_BC_USR_CUA_CENTRAL_BDIST.
Roles of the communication user in the child system: SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT.
The data sent (from where to where) is defined in the ALE distribution model. The distribution model is created, generated and distributed from transaction BD64 in the central system. It only needs to be generated in all of the child systems. Central User Administration is then activated centrally in transaction SCUA.
Note: these are the various possibilities of a user master record field attribute.
VI. Assigning tasks: organizational unit, position, job, task.