
SAP Security Level 1

Table of Contents
BASIC TERMINOLOGIES
USER SETTINGS
ROLE MAINTENANCE BASICS
ROLE MAINTENANCE ADVANCE TOPICS
PROFILE PARAMETERS, SPECIAL USERS AND CRITICAL AUTHORIZATIONS
CONTROLLING USER AND ROLE ADMINISTRATION
TROUBLESHOOTING AND ADMINISTRATION AIDS
TRANSPORTING AUTHORIZATION COMPONENTS
CONFIGURING ROLE MAINTENANCE TOOLS
PFCG INSTALLATION AND UPGRADE
ORGANIZATIONAL MANAGEMENT
SECURITY IN PROJECTS

Lesson 1

BASIC TERMINOLOGIES

Introduction to SAP Security


Authentication

Only legitimate users should be able to access the system.

Authorization

Users should only be able to perform their designated tasks.

Integrity

Data integrity must be guaranteed at all times.

Privacy

Protection of data against unauthorized access.


Obligation

Ensuring liability and legal obligations towards stakeholders and shareholders, including validation.

Security measures at different levels of the system architecture

Basic Terminologies
Application data is protected from unauthorized access using authorizations.
Authorizations are bundled into profiles, which are assigned in the form of roles to the user master record.
Roles are defined by an administrator to map business scenarios.
Business scenarios are made up of a group of activities, which are represented in the form of transactions within the roles.
A user may have access to a single scenario or to several scenarios, depending on the way the business flow is structured within the organization.
Similarly, a business scenario can be split into several roles, depending on the complexity of the business process.
Splitting roles is also important to segregate duties amongst the employees of an organization, so that more people are needed to accomplish a business process end to end. This reduces the risk of malpractice within the company.

Elements of an SAP authorization concept

Authorizations, Objects, Fields and Values

Authorizations Instance and Profile

Roles and User Menu


A role can be assigned to any number of users.
Through the role, you also assign the authorizations that users need to access the transactions, reports, and so on contained in the menu.
This user menu appears when the user to whom the authorization profile was assigned logs on to the SAP system.
A user menu consists of the role menus of the assigned roles. It contains the activities that are required by a group of users for their work area.

Screenshot: "User Menu for Subramaniam" with a Favorites folder and the entries BP - Maintain Business Partner, PFCG - Role Maintenance, SU01 - User Maintenance, SA38 - ABAP Reporting, SE16 - Data Browser and SM30 - Call View Maintenance.

Tips Regarding User and SAP Menu


Table SSM_CUST, view "Set Values for the Session Manager / Profile Generator":
- DELETE_DOUBLE_TCODES, YES/NO: controls the removal of redundant transactions (redundancy avoidance)
- SORT_USER_MENU, YES/NO: sorts the user menu with redundancy avoidance
- ALL_USER_MENUS_OFF, YES/NO: switch to turn the user menu on or off

Table USERS_SSM: switch the user menu and/or the SAP menu on or off as required (ALL_USER_MENUS_OFF, YES/NO).

Sequence of Authorization Checks


Display Dialog Transaction
When a transaction is started, the system first checks the transaction code against authorization object S_TCODE. It then checks the authorization object that is assigned to the transaction in its definition (transaction SE93), if one is maintained there. Only after that do the authority-check statements coded in the program itself run.

Screenshot: SE93 display of dialog transaction SM59 (transaction text "RFC Destinations"), program SAPMCRFC, screen number 100, authorization object S_RFC_ADM with the fields ACTVT, ICF_VALUE, RFCDEST and RFCTYPE and their values.

ABAP Program Authorization Checks (authority-check Statement)


Authorization checks in programs are performed using the ABAP statement AUTHORITY-CHECK.
For example, if a user tries to edit a table in SM30, the system first checks whether the user has the relevant authorization for the object S_TABU_DIS with ACTVT 02 and DICBERCLS (the table's authorization group from table TDDAT). If this check fails, the system checks whether the user has display authorization (ACTVT 03) for the table.

  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'        "check by class
    ID 'ACTVT'     FIELD act_level
    ID 'DICBERCLS' FIELD w_tddat-cclass.
  IF sy-subrc <> 0.                          "not allowed
    IF act_level = '02'.
      AUTHORITY-CHECK OBJECT 'S_TABU_DIS'    "check by class
        ID 'ACTVT'     FIELD '03'
        ID 'DICBERCLS' FIELD w_tddat-cclass.
      IF sy-subrc = 0.
        act_level = '03'.
        p_action  = 'S'.
        MESSAGE w114(tb).                    "only show allowed
      ELSE.
        MESSAGE e115(tb).                    "no upd auth (sy-subrc from 2nd auth check)
      ENDIF.
    ELSE.                                    "act_level <> 02
      MESSAGE e116(tb).                      "no show auth
    ENDIF.
  ENDIF.
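The check sequence described above, modelled in Python as an added example; this is not SAP code and not part of the original course material. It models the AUTHORITY-CHECK return codes (sy-subrc 0, 4 and 12), the S_TCODE and SE93-object checks at transaction start, and the SM30 fallback from ACTVT 02 to 03. The user master data (CLERK, BASIS, NOBODY), the authorization group ZCUS and the value-matching rules (no FROM/TO ranges) are constructed assumptions for the example. One point worth seeing in code: all ID/FIELD pairs of one check must be satisfied by a single authorization, so a user holding ACTVT 02 for one authorization group and ACTVT 03 with DICBERCLS * in another authorization still cannot change tables of other groups.

```python
"""Model of the authorization-check sequence described above: the S_TCODE
check at transaction start, the object assigned in SE93, and the SM30
fallback from change (02) to display (03). Illustration only, not SAP code."""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization in the user master: an object and, per field,
    the allowed values ('*' = full authorization)."""
    obj: str
    fields: dict


def value_allowed(allowed: str, actual: str) -> bool:
    # Simplified SAP value matching: '*' grants everything, a trailing '*'
    # is a pattern; FROM/TO ranges are not modelled here (assumption).
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return actual.startswith(allowed[:-1])
    return allowed == actual


def authority_check(auths, obj, **checked):
    """Return sy-subrc as AUTHORITY-CHECK sets it: 0 = passed, 4 = object
    present but no single authorization matches all ID/FIELD pairs,
    12 = no authorization for the object in the user master. As in SAP,
    every checked field must be satisfied by ONE authorization; values
    from two different authorizations are never combined."""
    candidates = [a for a in auths if a.obj == obj]
    if not candidates:
        return 12
    for auth in candidates:
        if all(any(value_allowed(v, actual) for v in auth.fields.get(name, ()))
               for name, actual in checked.items()):
            return 0
    return 4


def start_transaction(auths, tcode, se93_object=None, **se93_values):
    """Checks performed when a transaction is started: S_TCODE first, then
    the object assigned to the transaction in SE93 (S_RFC_ADM for SM59)."""
    if authority_check(auths, "S_TCODE", TCD=tcode) != 0:
        return "no authorization for transaction " + tcode
    if se93_object and authority_check(auths, se93_object, **se93_values) != 0:
        return "no authorization for " + se93_object
    return "ok"


def sm30_access_level(auths, cclass, requested="02"):
    """The SM30 logic from the ABAP above. Returns (activity granted,
    message number): the requested activity if allowed; otherwise, for a
    change request, the fallback to display with W114, or E115 if not even
    display is allowed; E116 when a display request itself fails."""
    if authority_check(auths, "S_TABU_DIS", ACTVT=requested, DICBERCLS=cclass) == 0:
        return requested, None
    if requested != "02":
        return None, "E116"            # no show auth
    if authority_check(auths, "S_TABU_DIS", ACTVT="03", DICBERCLS=cclass) == 0:
        return "03", "W114"            # only show allowed
    return None, "E115"                # no upd auth


# Constructed user master data for the example (not real users or groups).
CLERK = [
    Authorization("S_TCODE", {"TCD": ("SM30", "SE16")}),
    Authorization("S_TABU_DIS", {"ACTVT": ("03",), "DICBERCLS": ("*",)}),
    Authorization("S_TABU_DIS", {"ACTVT": ("02",), "DICBERCLS": ("ZCUS",)}),
]
BASIS = [
    Authorization("S_TCODE", {"TCD": ("SM30", "SM59")}),
    Authorization("S_TABU_DIS", {"ACTVT": ("02", "03"), "DICBERCLS": ("*",)}),
    Authorization("S_RFC_ADM", {"ACTVT": ("03",), "RFCDEST": ("*",),
                                "RFCTYPE": ("*",), "ICF_VALUE": ("*",)}),
]
NOBODY = [Authorization("S_TCODE", {"TCD": ("SM30",)})]

if __name__ == "__main__":
    print(start_transaction(CLERK, "SM59", "S_RFC_ADM", ACTVT="03"))
    # CLERK holds 02 for ZCUS and 03 for '*' in separate authorizations,
    # so a change request on group SS falls back to display only.
    print(sm30_access_level(CLERK, "SS"))
```

When tracing a real failed check with SU53 or ST01, compare the failing ID/FIELD pairs against one authorization at a time, exactly as authority_check does here; a value that is "somewhere in the user's profiles" is not enough.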

Lesson 2

USER SETTINGS

User Settings
A user master record is a must for every user to access the system. The record also stores information used for authentication, for example the password.
User master records are client specific.
A user ID is an identifier of up to 12 characters for an SAP user.

Authorizations for User Administrator

User Master Record


Screenshot: SU01 user master record for user P200USER (last changed 24.08.2011) with the tab pages Address, Logon Data, Defaults, Parameters, Roles, Profiles, Personalization and License Data.

User Type

System Users

System users (called CPIC users in older releases) are required for the internal communication of the systems. To increase the security of your system landscape, when you are creating system users, assign only greatly restricted authorizations, combined in special roles, to the system users.
In principle, one user ID (such as SAPCPIC) would be sufficient, and you could use it for all system users. However, it would then be practically impossible to change the password of the system user, or simply to keep it secret, as multiple RFC destinations can use it.
So that you only have to change the password of the relevant system user in one place later, use a separate system user for each RFC destination. This means that there are as many system users in your system landscape as there are RFC destinations.
No license fees apply to these system users.

Additional Features
Transaction SU10 can be used to maintain the user master for a large number of users at once.
You can display change documents for users by navigating to Environment -> Display Changes.
The user master record is stored in the USR* tables.
Table USR02 is used to display logon data for the user, and it also stores some change information such as the last logon date of the user.
Change logs for the user are stored in the USH* tables.
To make effective use of the space occupied by these tables in the database, the table data can be archived.

Lesson 3

ROLE MAINTENANCE - BASICS

Role Maintenance - Basics


Transaction PFCG

Role

Roles are authorization containers that represent a specific part of an employee's job. The role itself is composed of different functions of the employee, which again are the sum of certain tasks inside these functions.
Example: The job of a user is Head of the Purchasing Department. In this job he has different roles, such as being a buyer. One of the functions of the buyer is to create purchase orders.
Job: Head of the Purchasing Department
Role: Buyer
Function: Create Purchase Order (referred to as a transaction in SAP)
A user may have more than one role. The above user may also be responsible for maintaining the master data relevant for purchasing.
He may also be responsible for vendor evaluation and rating.
With roles you can implement menus that the users can work with after logging on to the system.
If integrated with Organizational Management, roles can be assigned to jobs, positions and organizational units.

Screenshot: PFCG role SAP_CO_PC_JOB_SALESORDER (description "Display Sales Orders") with the tab pages Description, Menu, Authorizations, Role Documentation and User.

Role Maintenance - Views


There are three types of role maintenance views:
Simple maintenance (Workplace menu maintenance): allows only menu and user maintenance.
Basic maintenance (menus, profiles, other objects): access to all role maintenance functions and assignment to users.
Complete view (Organizational Management and workflow): for Organizational Management, as used in Personnel Planning and Development.

Screenshot: PFCG menu bar (Goto, Utilities(M), Environment, System, Help) with the Settings dialog offering the three View options, and the menu entry Transactions in Roles (Shift + F9).

Reports assignment in Roles


If they are to be used in a role, reports should always have a transaction code.
The transaction code can be generated automatically by the system or specified by the administrator.
If you assign a new transaction code although a transaction code has already been created for this report (for example, for another role), the system displays a message informing you about the situation and, if necessary, you can choose between the new and the old transaction code.

Dialog "Create Transaction Code": "A transaction code already exists for the report entered. Do you want to adopt the old transaction code?" with the options Transfer, Recreate and Cancel.

Transaction Code for Reports

Dialog "Transaction Code for Reports": report type (ABAP Report, SAP Query, Transaction with Variant, BW Report), report RSUSR402, variant, option "Skip selection screen", GUI support (SAPGUI for Windows, SAPGUI for Java, SAPGUI for HTML), option "Generate Automatically" and transaction code ZTESTREP.

Designing and Structuring the Role Menu

Add/delete Transactions and Reports


Copy menus from other roles.
BW reports and queries can also be added using the Report button.
Web links and document links can be added using the Other button.
Create, delete and rename folders and create hierarchies.
You can distribute the role to a target system using RFC.

Screenshot: PFCG Menu tab with the buttons Transaction, Report, Other, Authorization Default, Delete, Distribute (target system / destination CT1CLNT010) and Copy Menus (From SAP Menu, From Other Role, From Area Menu, Import from file); the role menu contains User Maintenance, BP - Maintain Business Partner, PFCG - Role Maintenance, SU01 - User Maintenance, SA38 - ABAP Reporting, SE16 - Data Browser and SM30 - Call View Maintenance.

Maintain Authorizations
PFCG automatically proposes authorizations with default values in some cases, based on the transactions added in the role menu.
The authorization objects display yellow or green traffic lights depending on whether the authorization data has been maintained partially or completely.
The authorization objects for organizational values are displayed with red traffic lights instead of yellow if they have not been maintained with values.

Change role: Authorizations

Screenshot: Change Role: Authorizations for role SAP_BC_BASIS_ADMIN (System Administrator) with the selection criteria Manually, Open, Changed and Maintained; the tree shows Cross Application Authorization Objects (AAAB) > Basis Administration (BC_A) > User Master Maintenance: User Groups (S_USER_GRP), authorization T_YA67011010 with Activity (ACTVT) 03, 08 and User Group in user master maintenance (CLASS) *.

Generate Authorizations
Finally, once the authorizations are maintained, they need to be generated to take effect.
On generation, all the maintained authorizations are collected into a profile.
Since a profile can only hold a limited number of authorizations (150), one role may have several profiles. PFCG divides and creates these profiles automatically.
You can recognize these profiles from the fact that their names are identical for the first 10 characters, with an appended number starting from 1 (up to 99).
They are also known as sequential profiles.

Change role: Authorizations

Screenshot: Change Role: Authorizations for role SAP_BC_BASIS_ADMIN (System Administrator) with the dialog "Assign Profile Name for Generated Authorization Profile": profile name T-12345678, text "Profile for role SAP_BC_BASIS_ADMIN"; you can change the default profile name here. The tree shows S_USER_GRP (T_YA67011010) with Activity 03, 08 and User Group in user master maintenance ADMIN, *.

Note : AGR_PROF only lists the main profile but does not list the automatically generated profiles in the role.

User Assignment
The User tab page in PFCG is used to assign the roles to users.
The validity dates can be set to a limited period of time if required.
User master comparison is done to fill the authorization buffer tables (USRBF2) and also to make the time-dependent authorizations effective.
There are three ways of performing a user master comparison:
- for an individual role, on the User tab (User Comparison button);
- in mass, for a large number of roles, using transaction PFUD;
- by scheduling a background job for the program PFCG_TIME_DEPENDENCY to run every day during non-working hours.

Screenshot: PFCG Utilities menu (Info object, Customizing auth, Settings, Display Changes, Optimize User Assignment) and the Settings: Role maintenance dialog with the options "Automatic User Master Adjustment when Saving Role" and "Menu: Do Not Insert Existing Entries. Standard: No"; the User tab shows the user assignments TCRUSE (Tom Cruise, from 21.10.2010 to 22.05.2012) and NKDMAN (Nicole Kidman, from 21.02.2011 to 31.12.9999).

Lesson 4

ROLE MAINTENANCE ADVANCE


TOPICS

Role Maintenance Advanced Topics


One of the important challenges for a security consultant is to design the roles to map the organizational requirements.
A wrong decision in designing the roles may lead to huge efforts during maintenance, longer cycle times in decision making and realization of role changes, and frustration amongst the user community.
There are a variety of options and flexibility offered in PFCG for designing roles.
Composite, derived, customizing and reference roles are advanced role types which can meet challenging design requirements.

Customizing Roles
When building roles for the project team, and especially for the functional consultants, it is possible to restrict their access to specific project views of the IMG project.
Customizing roles can be built in PFCG by inserting customizing authorizations from Utilities > Customizing Auth.

Screenshot: PFCG Utilities menu (Info object, Customizing auth, Settings, Display Changes, Optimize User Assignment); the Menu tab shows "Customizing Authorizations - Status: You have not assigned any Customizing objects" with an Add button, the dialog "Insert Customizing Activities" (IMG project / IMG project view) and the dialog "Select IMG Project" listing the projects STEEL (Steel IMG) and TEST (TEST IMG).

Composite Roles
Composite roles are just role containers; they do not have any authorizations of their own.

Composite Roles and User Assignments

Limitations of a composite role


They are simply containers and do not carry any authorizations themselves.
If you want to restrict a particular authorization for a composite role, you have to ensure that every role within the composite role is restricted. This may not always be desirable and may make the roles very rigid to maintain.
If you decide to extend the authorization of a single role, then all the composite roles it is assigned to will be affected, which may also not always be desirable.
Implementations which use composite roles to separate the transaction role and the organizational values break the link between the role and SU24. Such roles are very difficult to maintain.
Also, in the above case, removal of a transaction from the transaction role does not ensure removal of all its related objects from the organizational role.
Transporting such roles is also very tricky, because in such cases the entire composite role needs to be transported and not just the single role which has been modified.
As a result, such roles may also block the transport routes and cause overtaker issues.

Building Menus for Composite Roles


If you assign a user the single roles directly rather than through a composite role, then the menus from the single roles appear repeatedly for the same folder path.
Although composite roles do not contain authorizations of their own, they can be used to read the menus from the contained single roles using the Read Menu button on the Menu tab.
If a single role was added to or removed from the composite role, then a comparison needs to be done again to read the menus of each role.
Here you have the option to only update the composite role with the delta changes or to do a complete update of the composite role menu.
There are two ways you can create the menu structure of the composite role: you can either recreate the menu of the composite role completely, or you can merge it with the menu of the single roles.
Choose Re-import to discard your settings and restructure your composite role menu.
Choose Merge to only do a delta update of the menu.

Screenshot: composite role Menu tab (Read Menu, Delete, Copy Menus) showing the role menu with User Maintenance, BP - Maintain Business Partner, PFCG - Role Maintenance, SU01 - User Maintenance, SA38 - ABAP Reporting, SE16 - Data Browser and SM30 - Call View Maintenance, and the dialog "Do you want to recreate the composite role completely or merge the existing data with the menu data from the single roles?" with the options Re-import, Merge and Cancel.

Reference and Derived Roles


In today's world companies are striving towards harmonizing their business processes globally across various regions.
Although this is a very idealistic approach, the derived roles concept fits best where companies have such harmonized processes.
The concept is that there is a reference role which transfers its menu (structure plus transactions) and authorizations to the derived role.
Only the organizational values are maintained in the derived roles.

Reference and Derived Roles


Derived roles reference already existing roles; these reference roles should not be in the SAP namespace.
The menu is maintained in the imparting role only. Changes have an immediate effect on all inheriting roles.
Thus, unlike with composite roles, the derived role has the completely filled menu of the referenced role immediately after the reference role is entered and the role is saved.
The inheritance relationship can be cancelled, but the previously inheriting role is then handled like a normal role. The cancellation of the relationship cannot be undone.

Screenshot: PFCG role ZDB_AIO_AP_CLERK (Dubai Accounts Payable Clerk), Description tab with "Transaction Inheritance - Derive from Role: Z00_AIO_AP_CLERK (AP Clerk Global)" and the button "Delete Inheritance Relationship"; its Menu tab shows the inherited entries User Maintenance, BP - Maintain Business Partner and PFCG - Role Maintenance.

Implementing Organization Field Values Directly


(SAP Note 314513)
Authorization data of organizational levels is usually maintained in the Profile Generator in the "Define organizational levels" dialog box.
However, you can also maintain individual organizational level fields in each authorization via the "Implement field values" dialog box. If you do so, the organizational levels lose their special status and are then treated as normal authorization fields, with the following practical consequences:

Information dialog: "Individual maintenance of an organizational field using the "Maintain Field Values" dialog box makes the following change for this field in this authorization:
o Value maintenance using the dialog box "Define Organizational Levels" no longer changes the value.
o When adjusting derived roles, the authorization value is overwritten.
You can reset the new status of the organizational field in this authorization by deleting the field content using the delete icon next to the field name.
Do you want to maintain the organizational level field individually?"

- The maintenance via the "Define organizational levels" dialog box no longer changes the authorization values.
- As of Release 4.6B: When adjusting the authorization data of derived roles, the system overwrites the authorization values in the derived roles.
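The reference/derived role mechanics from the two slides above, and the two consequences of implementing an organizational field value directly, modelled in Python as an added example; this is not SAP code and not from the course material. The role names Z00_AIO_AP_CLERK and ZDB_AIO_AP_CLERK are the ones on the slides; the transactions, the authorization objects F_BKPF_BUK and F_LFA1_BUK, the company codes AE01/AE02, the placeholder convention "$BUKRS" and the set of org-level fields are assumptions made for the example.

```python
"""Model of reference and derived roles, organizational levels and the
consequences of implementing an org-level field value directly (SAP Note
314513, as summarised above). Illustration only, not SAP code."""
from copy import deepcopy
from dataclasses import dataclass, field

ORG_LEVEL_FIELDS = {"BUKRS", "WERKS"}   # assumption: org-level fields used here


@dataclass
class Authorization:
    obj: str
    values: dict                        # field -> value; "$BUKRS" = org-level placeholder
    individually_maintained: set = field(default_factory=set)


@dataclass
class Role:
    name: str
    menu: list
    auths: list
    org_levels: dict = field(default_factory=dict)
    derived_from: str = None


def define_org_levels(role, org_levels):
    """'Define organizational levels' dialog: fills every org-level field
    that still has org-level status; individually maintained fields are
    left alone, which is the first consequence named in the note."""
    role.org_levels.update(org_levels)
    for a in role.auths:
        for fname in a.values:
            if (fname in ORG_LEVEL_FIELDS and fname in role.org_levels
                    and fname not in a.individually_maintained):
                a.values[fname] = role.org_levels[fname]


def derive(reference, name, org_levels):
    """Create a derived role: menu and authorizations are taken over from
    the reference role, only the org levels are the derived role's own."""
    role = Role(name, list(reference.menu), deepcopy(reference.auths), {}, reference.name)
    define_org_levels(role, org_levels)
    return role


def implement_field_value(role, obj, fname, value):
    """'Implement field values' dialog: the field loses its org-level status
    in this authorization and is treated as a normal field from now on."""
    for a in role.auths:
        if a.obj == obj:
            a.values[fname] = value
            a.individually_maintained.add(fname)


def adjust_derived(reference, derived):
    """Adjust the derived role after the reference changed: menu and
    authorization data are copied again and the derived role's org levels
    are re-applied, so an individually maintained value is overwritten
    (the second consequence named in the note)."""
    derived.menu = list(reference.menu)
    derived.auths = deepcopy(reference.auths)
    define_org_levels(derived, derived.org_levels)


def bukrs(role, obj):
    return next(a.values["BUKRS"] for a in role.auths if a.obj == obj)


def scenario():
    """Walk through the steps described in the text and return what the
    derived role contains after each one. Role names are the ones from the
    slides; transactions, objects and company codes are constructed."""
    ap_global = Role("Z00_AIO_AP_CLERK", ["FB60", "FBL1N"], [
        Authorization("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "$BUKRS"}),
        Authorization("F_LFA1_BUK", {"ACTVT": "03", "BUKRS": "$BUKRS"}),
    ])
    dubai = derive(ap_global, "ZDB_AIO_AP_CLERK", {"BUKRS": "AE01"})
    out = {"after_derive": bukrs(dubai, "F_BKPF_BUK")}
    ap_global.menu.append("FB65")                 # change in the reference role
    adjust_derived(ap_global, dubai)
    out["menu_after_adjust"] = list(dubai.menu)
    implement_field_value(dubai, "F_LFA1_BUK", "BUKRS", "*")
    define_org_levels(dubai, {"BUKRS": "AE02"})   # no longer touches F_LFA1_BUK
    out["after_individual"] = (bukrs(dubai, "F_BKPF_BUK"), bukrs(dubai, "F_LFA1_BUK"))
    adjust_derived(ap_global, dubai)              # individual value is overwritten
    out["after_second_adjust"] = bukrs(dubai, "F_LFA1_BUK")
    return out


if __name__ == "__main__":
    for step, value in scenario().items():
        print(step, value)
```

The last two steps are the ones that bite in practice: a company-code restriction widened to "*" by hand survives the org-level dialog, but silently disappears at the next adjustment of the derived role, and a narrowing made the same way is just as silently lost.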

PFCG: Traffic Lights


Traffic lights give an overview of the current maintenance status of the authorizations.
Green: all fields have been filled with values.
Yellow: at least one field which is not an organizational level field has no data proposed or maintained.
Red: at least one organizational level field has no data proposed or maintained.


PFCG: Important Icons

PFCG : Maintenance Status


Each authorization contained in a role is identified by one of four different
maintenance statuses, which are defined as follows:

PFCG : Update Status


After each merge process, the update status is specified in addition to the
maintenance status. There are three possible statuses with the following
meanings:

Standard : Active & Inactive

Maintained : Active & Inactive

Combining Authorizations

If several authorizations exist for one authorization object, the Profile Generator checks whether the status and content of the combination allow two or more authorizations to be merged. Automatic compression allows optimal display of the authorization list and prevents unnecessary data from being saved in the role and the generated profile.
Automatic combining during the merge process is only possible on authorizations with the status "Standard" and "Maintained".
Changed and manual authorizations can be merged if they share an identical active status.
If this prerequisite is fulfilled, then two authorizations can be combined in the following cases:
- For all fields, one authorization is contained in the other.
- The values of both authorizations differ in exactly one field, and are otherwise identical.

There are also exceptions to the above:
- An authorization that contains empty fields cannot be combined with another authorization in which at least one of these fields is filled.
- An authorization that contains fields with total authorization (*) cannot be merged with another authorization in which at least one of these fields does not indicate a total authorization.
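The combining rules above, together with the split into sequential profiles from "Generate Authorizations" in Lesson 3, modelled in Python as an added example; this is not SAP code and does not claim to reproduce the Profile Generator's implementation. The S_USER_GRP and S_TABU_DIS authorizations are constructed. Assumptions: a Standard/Maintained pair merges to status Maintained, Changed and Manual authorizations merge only with the same status, and the sequence-number format of the generated profile names is illustrative.

```python
"""Model of how the Profile Generator combines authorizations and splits a
role's authorizations into sequential profiles. Illustration only, not SAP
code; the rules follow the text above, details marked as assumptions."""
from dataclasses import dataclass

FULL = "*"                    # total authorization for a field
MAX_AUTHS_PER_PROFILE = 150   # limit per generated profile (from the text)


@dataclass(frozen=True)
class Auth:
    obj: str
    status: str        # "Standard", "Maintained", "Changed" or "Manual"
    active: bool
    fields: tuple      # ((field name, frozenset of values), ...)

    def values(self):
        return dict(self.fields)


def auth(obj, status, active=True, **fields):
    """Convenience constructor: auth('S_USER_GRP', 'Standard', ACTVT={'03'})."""
    return Auth(obj, status, active, tuple((n, frozenset(v)) for n, v in fields.items()))


def status_allows_merge(a, b):
    # Standard and Maintained combine automatically; Changed and Manual only
    # with the same active flag and (assumption) the same status.
    if a.active != b.active:
        return False
    auto = {"Standard", "Maintained"}
    if a.status in auto and b.status in auto:
        return True
    return a.status == b.status and a.status in {"Changed", "Manual"}


def combine(a, b):
    """Return the merged authorization, or None when the rules forbid it.
    Both authorizations must be for the same object with the same fields."""
    if a.obj != b.obj or not status_allows_merge(a, b):
        return None
    va, vb = a.values(), b.values()
    for name in va:
        if (not va[name]) != (not vb[name]):          # empty on one side only
            return None
        if (FULL in va[name]) != (FULL in vb[name]):  # '*' on one side only
            return None
    contained = all(va[n] <= vb[n] for n in va) or all(vb[n] <= va[n] for n in va)
    differing = [n for n in va if va[n] != vb[n]]
    if not (contained or len(differing) == 1):
        return None
    merged = tuple((n, frozenset(va[n] | vb[n])) for n, _ in a.fields)
    status = a.status if a.status == b.status else "Maintained"  # assumption
    return Auth(a.obj, status, a.active, merged)


def compress(auths):
    """Repeatedly merge pairs until nothing more can be combined."""
    result = list(auths)
    changed = True
    while changed:
        changed = False
        for i in range(len(result)):
            for j in range(i + 1, len(result)):
                merged = combine(result[i], result[j])
                if merged is not None:
                    del result[j]
                    result[i] = merged
                    changed = True
                    break
            if changed:
                break
    return result


def generate_profiles(base_name, auths):
    """Split into profiles of at most 150 authorizations. The names share the
    first 10 characters; a sequence number is appended from the second
    profile onwards (assumption: real generated profiles may number differently)."""
    base = base_name[:10]
    chunks = [auths[i:i + MAX_AUTHS_PER_PROFILE]
              for i in range(0, len(auths), MAX_AUTHS_PER_PROFILE)]
    return [(base if k == 0 else f"{base}{k:02d}", chunk) for k, chunk in enumerate(chunks)]


# Constructed S_USER_GRP authorizations, mirroring the "03, 08 / *" entry in
# the PFCG screenshot above (not taken from a real system).
DISPLAY_ALL = auth("S_USER_GRP", "Standard", ACTVT={"03"}, CLASS={"*"})
LOCK_ALL = auth("S_USER_GRP", "Standard", ACTVT={"08"}, CLASS={"*"})
CHANGE_ADMIN = auth("S_USER_GRP", "Maintained", ACTVT={"02"}, CLASS={"ADMIN"})
DISPLAY_ADMIN = auth("S_USER_GRP", "Maintained", ACTVT={"03"}, CLASS={"ADMIN"})
EMPTY_CLASS = auth("S_USER_GRP", "Standard", ACTVT={"03"}, CLASS=set())

if __name__ == "__main__":
    for a in compress([DISPLAY_ALL, LOCK_ALL, CHANGE_ADMIN, DISPLAY_ADMIN, EMPTY_CLASS]):
        print(a.status, {n: sorted(v) for n, v in a.fields})
    print([name for name, _ in generate_profiles("T-12345678", [DISPLAY_ALL] * 310)])
```

The two exceptions are what keep a merge from widening access: without them, combining "ACTVT 03 / CLASS *" with "ACTVT 02 / CLASS ADMIN" would yield change authorization on every user group.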

Deactivating Authorizations
It is useful for two reasons to deactivate unwanted standard authorizations:
1. No unnecessary authorization data is transferred to the profile that belongs to the role, because deactivated authorizations are ignored during profile generation.
2. The same standard authorization is not added again during the next merge process.

What is special about S_TCODE?


Because of its dependency on the content of the role menu, the authorization object S_TCODE is of particular significance and is subject to special rules:

1. Authorizations for S_TCODE can exist only in the maintenance status "Standard" or "Manually".
2. To ensure that the menu and the authorization data of a role correspond, you cannot change the standard authorization for S_TCODE. This does not include the deactivation function.

Lesson 5

PROFILE PARAMETERS, SPECIAL USERS AND CRITICAL AUTHORIZATIONS

Password Rules and Profile Parameters for System Logon

A well-defined security policy is a must for every organization. One of the key features of the security policy is the password rules, which control unauthorized access to the SAP systems.
There are quite a few security profile parameters which govern the security settings for the system.
When setting password rules one must differentiate between rules that are pre-defined in the system and the rules that are configured by the customer.

Parameter Name                        System Default Value   Customer Defined Value   Comment
login/min_password_diff                                                               min. number of chars which differ between old and new password
login/min_password_digits                                                             min. number of digits in passwords
login/min_password_letters                                                            min. number of letters in passwords
login/min_password_lng                                                                Minimum Password Length
login/min_password_lowercase                                                          minimum number of lower-case characters in passwords
login/min_password_specials                                                           min. number of special characters in passwords
login/min_password_uppercase                                                          minimum number of upper-case characters in passwords

Parameter Name                        User-Defined Value   Comment
login/password_expiration_time        60                   Days until password must be changed
login/password_history_size           10                   Number of records to be stored in the password history
login/password_logon_usergroup                             users of this group can still logon with passwords
login/password_max_idle_initial       15                   maximum #days a password (set by the admin) can be unused (idle)
login/password_max_idle_productive    60                   maximum #days a password (set by the user) can be unused (idle)

Customers can control the password rules in two ways:
System profile parameters to determine the min. length or frequency of change etc. for passwords
An illegal passwords table USR40 to bar the users from using some well known strings or characters in their password, e.g. company name, city name etc. Here you can define strings using wildcards like ? for a single character or * for a character string.
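Added example, not part of the original slides: a checker that applies the login/min_password_* parameters and a USR40 illegal-password list to a candidate password. The parameter values, the USR40 entries, the case-insensitive matching and the way login/min_password_diff is counted are assumptions constructed for this example.

```python
import re

# Constructed parameter values for this example; they are not SAP's shipped defaults.
PARAMS = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_lowercase": 1,
    "login/min_password_uppercase": 1,
    "login/min_password_specials": 1,
    "login/min_password_diff": 3,
}

# Constructed USR40 entries: ? = exactly one character, * = any character string.
USR40 = ["*COMPANY*", "MUMBAI?", "PASS*"]


def usr40_to_regex(pattern: str) -> "re.Pattern":
    """Translate a USR40 pattern into an anchored regular expression.
    Matching is case-insensitive (assumption made for this example)."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def password_distance(new: str, old: str) -> int:
    """Positions at which the two passwords differ, plus the length difference
    (simple interpretation of login/min_password_diff used for this example)."""
    return sum(1 for x, y in zip(new, old) if x != y) + abs(len(new) - len(old))


def check_password(new: str, old: str, params=PARAMS, usr40=USR40):
    """Return the list of rules the candidate password violates (empty list = accepted)."""
    violations = []
    counts = {
        "login/min_password_digits": sum(c.isdigit() for c in new),
        "login/min_password_letters": sum(c.isalpha() for c in new),
        "login/min_password_lowercase": sum(c.islower() for c in new),
        "login/min_password_uppercase": sum(c.isupper() for c in new),
        "login/min_password_specials": sum(not c.isalnum() for c in new),
    }
    if len(new) < params["login/min_password_lng"]:
        violations.append("login/min_password_lng")
    for name, count in counts.items():
        if count < params[name]:
            violations.append(name)
    if password_distance(new, old) < params["login/min_password_diff"]:
        violations.append("login/min_password_diff")
    # USR40: any matching illegal pattern bars the password, whatever the parameters say.
    for pattern in usr40:
        if usr40_to_regex(pattern).match(new):
            violations.append("USR40:" + pattern)
    return violations
```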

Special Users
Special Users are the users which are predefined in the SAP systems with well known names and passwords. As a result they should be protected from unauthorized access.
There are two types of special users: those created by installing the SAP system and those created when you copy clients.
Clients 000, 001 and 066 are created automatically during an SAP installation.

Special Users : SAP*


Param. Name                       Short description                          Appl. area   Default value   Profile value   Current value
login/no_automatic_user_sapstar   Control of the automatic login user SAP*   Logon        1               1               1

SAP* is defined in the SAP system code and does not require a user master record. It has unlimited access to the system and the default password is pass.
During installation the user master record for SAP* is created in clients 000 and 001 with the initial password 06071992. The installation can proceed only after the admin has reset the password for the user.
This master record created in the system for SAP* deactivates the special authorizations for the user, and now only the authorizations assigned to the user would apply.
Creation of a user master record for SAP* is one way of preventing unauthorized access with the user.
If you delete the user master record for SAP*, then the standard user defined in system code becomes active with the default password PASS. The user now has complete authorization.
The standard password PASS cannot be changed.

Special Users : DDIC and EarlyWatch

Special Authorization Objects

In the following sections we shall have a look at some authorization objects which are frequently called when executing reports, transactions and queries, with the aim of understanding their usefulness and purpose.

S_TCODE (Authorization Check for Transaction Start)

List of Called Transactions (Check Indicator for Checking S_TCODE in CALL TRANSACTION)
Calling Transaction : FS00
Description: GL account master record maintenance

Called Tcode   Transaction Text                       Check Indicator
FD01           Create Customer (Accounting)           YES
FSP0           G/L acct master record in chrt/accts   YES
FSS0           G/L account master record in co code   YES
KA01           Create Cost Element
KA02           Change Cost Element
KP65           Create Cost Planning Layout            YES
FB01           Post Document                          YES

Use
The check indicator determines whether a transaction start authorization check (that is, an authorization check against the object S_TCODE with the transaction code of the called transaction, and additional authorization checks entered in transaction SE93 for the transaction, if appropriate) is to be performed when the ABAP statement CALL TRANSACTION is run.
You can enter the following values:
Yes: An authorization check is performed when the ABAP statement CALL TRANSACTION is run.
No: No authorization check is performed.
SPACE (empty): One of the above check indicators is yet to be set. In the current release, no authorization check is performed.

For every transaction that is executed from the menu tree, favorites or from the command field, a check is performed by the kernel for the transaction against the authorization object S_TCODE for the field TCD.
For example, if a user executes transaction MIGO, the system will only allow him to proceed further if he has the authorization for the transaction in object S_TCODE.
There are however exceptions to the above rule:
Transactions that are called from another program or transaction using statement CALL TRANSACTION.
Report transactions which are started using SUBMIT action from SA38 are checked against authorization object S_PROGRAM.
Parameter transactions that eventually call core transaction codes (Table TSTCP). Core transactions are not protected by S_TCODE.
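Added example (not the course's or SAP's code): a Python model of the start checks described above, using the FS00 check-indicator list from the screenshot, a constructed S_TCODE value set and a constructed parameter transaction ZFS00_DISP. `effective_tcodes` goes beyond the text by walking the CALL TRANSACTION paths to list everything a user can reach without an S_TCODE check, which is what a role review needs to know.

```python
import fnmatch

# Constructed S_TCODE values (field TCD) of a sample user; a trailing * is a wildcard.
USER_TCD = {"FS00", "FD01", "FSP0", "FSS0"}

# Check indicators for CALL TRANSACTION, keyed (calling, called), taken from the
# FS00 list above; "" stands for SPACE (not yet set).
CHECK_INDICATORS = {
    ("FS00", "FD01"): "YES",
    ("FS00", "FSP0"): "YES",
    ("FS00", "FSS0"): "YES",
    ("FS00", "KA01"): "",
    ("FS00", "KA02"): "",
    ("FS00", "KP65"): "YES",
    ("FS00", "FB01"): "YES",
}

# Constructed parameter transaction -> core transaction mapping (the TSTCP relation).
PARAMETER_TCODES = {"ZFS00_DISP": "FS00"}


def has_tcode(user_tcd, tcode):
    """Kernel-style S_TCODE check: field TCD against the user's values."""
    return any(fnmatch.fnmatchcase(tcode, value) for value in user_tcd)


def may_start(user_tcd, tcode):
    """Start from menu tree, favorites or command field: always checked against S_TCODE.
    For a parameter transaction only the parameter tcode itself is checked."""
    return has_tcode(user_tcd, tcode)


def may_call_transaction(user_tcd, caller, called, indicators=CHECK_INDICATORS):
    """CALL TRANSACTION inside `caller`: S_TCODE for `called` is checked only when the
    check indicator is YES; with NO or SPACE no check is performed."""
    if indicators.get((caller, called), "") == "YES":
        return has_tcode(user_tcd, called)
    return True


def effective_tcodes(user_tcd, candidates, indicators=CHECK_INDICATORS,
                     parameter_tcodes=PARAMETER_TCODES):
    """Reviewer's view: every transaction reachable directly, through a parameter
    transaction's unprotected core tcode, or via a CALL TRANSACTION path whose
    check indicator is not YES."""
    reachable = {t for t in candidates if may_start(user_tcd, t)}
    reachable |= {parameter_tcodes[t] for t in list(reachable) if t in parameter_tcodes}
    frontier = list(reachable)
    while frontier:
        caller = frontier.pop()
        for (c, called) in indicators:
            if c == caller and called not in reachable \
                    and may_call_transaction(user_tcd, c, called, indicators):
                reachable.add(called)
                frontier.append(called)
    return reachable
```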

S_TABU_DIS (Table Maintenance Authorization)


S_TABU_DIS controls which tables the user can display or maintain in table maintenance transactions SM30, SM31 or Data Browser SE16. Tables are assigned to table authorization groups (DICBERCLS). Table-to-group assignments are defined in table TDDAT.
Tables which are not assigned to any authorization group are by default assigned the dummy authorization group &NC&.
The assignment of this authorization group (&NC&) is not useful with regard to a conclusive authorization concept and should be avoided.
You can use transaction SE54 to create customer-specific table authorization groups and assign both customer-specific and standard SAP tables.
If your table maintenance authorization is based on S_TABU_DIS only, then in the productive environment the generic table access tools (SE16N, SE16, SE17, SM30, SM31, and SM34) must be treated as particularly security-relevant transactions. For detailed access to tables with generic maintenance tools, use parameter transactions that specify both the view or table to be maintained and the permitted activity, and that skip the initial screen of the transaction. If these transactions do not yet exist for the relevant purpose, you can create them in the customer or partner namespace.

S_TABU_NAM (Granular Table Maintenance Authorization)


S_TABU_NAM is not generally available in the SAP ERP package; it can be defined and activated after applying the relevant SAP notes (1481950).
With this object, the system checks the view names or table names directly so that an exact authorization check is possible. In the module VIEW_AUTHORITY_CHECK, the system checks S_TABU_NAM only if the authorization check on S_TABU_DIS was unsuccessful.
This procedure enables both the retention of the previous table access concept and the superposed use of both authorization objects.
If you use authorization objects S_TABU_DIS and S_TABU_NAM in parallel, the advantages of a group-based authorization check can be combined with the possibility of a very finely granulated authorization assignment.
Users with a large scope of functions for a department can be authorized as far as possible using S_TABU_DIS, but only very extensive table authorization groups or particularly sensitive areas are assigned in a table-specific manner using the object S_TABU_NAM.
The advantage here is that particularly extensive or critical authorization groups do not have to be assigned to users. In principle, authorization groups with tables that are classified as critical should not be assigned.
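Added example, not from the slides and not VIEW_AUTHORITY_CHECK itself: the S_TABU_DIS-then-S_TABU_NAM order of the two sections above modelled in Python over a constructed TDDAT mapping, plus a review helper that lists tables falling into &NC&. DICBERCLS, ACTVT and TABLE are the real field names of the two objects; the table names, groups and user data are constructed.

```python
import fnmatch

# Constructed TDDAT-style assignments (table -> authorization group).
TDDAT = {"USR40": "SC", "ZORGTABLE": "ZCUS", "ZPRICES": "ZCUS"}
NO_GROUP = "&NC&"   # dummy group for tables without an assignment


def table_group(table, tddat=TDDAT):
    return tddat.get(table, NO_GROUP)


def _matches(value, patterns):
    """Authorization values may contain * wildcards, e.g. ACTVT '*' or DICBERCLS 'Z*'."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def check_table_access(user_auths, table, actvt, tddat=TDDAT):
    """Order described for VIEW_AUTHORITY_CHECK: S_TABU_DIS on the table's group
    first, S_TABU_NAM on the table name only if that failed. Returns the object
    that granted access, or None."""
    group = table_group(table, tddat)
    for auth in user_auths.get("S_TABU_DIS", []):
        if _matches(actvt, auth["ACTVT"]) and _matches(group, auth["DICBERCLS"]):
            return "S_TABU_DIS"
    for auth in user_auths.get("S_TABU_NAM", []):
        if _matches(actvt, auth["ACTVT"]) and _matches(table, auth["TABLE"]):
            return "S_TABU_NAM"
    return None


def unassigned_tables(tables, tddat=TDDAT):
    """Tables that fall into &NC& and therefore share one blanket group; the slide
    says this should be avoided, so a review should list them."""
    return sorted(t for t in tables if table_group(t, tddat) == NO_GROUP)


def tables_granted_by(user_auths, tables, actvt, tddat=TDDAT):
    """Effective list of tables a user can touch with the given activity, with the
    object that grants each one."""
    granted = {}
    for t in tables:
        via = check_table_access(user_auths, t, actvt, tddat)
        if via:
            granted[t] = via
    return granted
```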

S_TABU_CLI (Cross-Client Table Maintenance)


Authorization object S_TABU_CLI: Grants authorization to maintain cross-client tables with the standard table maintenance transaction (SM31), extended table maintenance transaction (SM30), and the Data Browser (SE16), and also in the Customizing system.
It also acts as an additional security measure for cross-client tables and enhances the general table maintenance authorization S_TABU_DIS.
CLIIDMAINT: If identifier X or * is set, cross-client tables can be maintained.

S_TABU_LIN (Field Level Authorization Restrictions)


Organizational Crit.   Org. Crit. name   Attribute Name           View/table   Field Name   Domain
ZCOMPANY               Company Code      COMPANY (Company Code)   ZORGTABLE    COMPANY      ZCOMPANY

Through the introduction of the organizational criteria concept in combination with object S_TABU_LIN, it is possible to restrict a user's access rights to specific fields of a table.
A possible use for S_TABU_LIN would be to display and to change content for only a certain work area, such as a country or a plant.
The table key fields/rows are defined and linked to an organizational criterion in customizing.
Once the defined organizational criterion is activated, it is not possible to display or maintain contents in the table which has been linked to it in customizing without authorization to object S_TABU_LIN for the table key field value.

S_PROGRAM (ABAP Program Run Check)


ABAP: Program Attributes RBDSERCHECK Display
Title                 Serialization Using Object Types: Consistency Check
Attributes
  Type                Executable Program
  Application         BASIS
  Authorization Group S_ALE
  Package             SALE

Programs, like tables, are protected against unauthorized access using authorization groups.
The authorization group is stored in the program attributes.
Program authorization groups can be maintained using report RSCSAUTH.
The following activities are controlled:
SUBMIT : To start a program execution
BTCSUBMIT : Schedule a program as a background job.
VARIANT : To create and execute a program as a variant.

Lesson 6

CONTROLLING USER AND ROLE ADMINISTRATION

Controlling User and Role Administration


A security administrator responsible for user and access
management in an organization would frequently use
transactions SU01 and PFCG for maintaining users and roles
respectively.
Some of the important tasks of a security administrator are:
Create and maintain users
Lock/unlock users and reset passwords
Create and maintain roles
Maintain the transaction in menu and authorization data
Generation of profiles
Assign roles and profiles to users
Transport roles
Monitoring of system access etc.

Important authorization Objects in User and Role Administration

Decentralized User and Role Administration

Dual &Treble Control

Sample Use Case


Z.IND_USER_ADMIN   India User Administrator
  Basis Administration (BC_A)
    Maintained   Authorizations: Role Check
      Activity      01,02,03,08,22
      Role Name     Z.IN*, ZIN*
    Maintained   User Master Maintenance: User Groups   (S_USER_GRP, authorization T_YA67011010)
      Activity (ACTVT)                                   01,02,03,08,22
      User Group in user master maintenance (CLASS)      INDUSER

Authorizations for user administrators are decentralized based on location. An administrator role for India has to be set up such that he can:
Create, change, display, display change documents, lock/unlock users
Assign roles and profiles to users
Display roles and profiles and their change documents

Naming Convention for India
User Group : INDUSER
Roles : Composite Roles Z.IN* and Single Roles ZIN*

Lesson 7

TROUBLESHOOTING AND ADMINISTRATION AIDS

Troubleshooting and Administration Aids

SAP provides tools like SU53 and ST01 for troubleshooting and finding missing authorizations for users.
There are plenty of administration reports which aid in evaluation functions.

RSUSR002 : Users by complex selection criteria
RSUSR008 : By critical combinations of authorizations at transaction start
RSUSR008_009_NEW : List of users with critical authorizations
RSUSR020 : Profiles by complex selection criteria
RSUSR030 : Authorizations by complex selection criteria
RSUSR040 : Authorization objects by complex selection criteria
RSUSR070 : Roles by complex selection criteria
RSUSR100 : Change Documents for Users
RSUSR101 : Change Documents for Profiles

Authorization Error Analysis SU53


Vendor Account Changes: Initial Screen
Vendor       T00080021
Purch Org.   1000
Plant
Message: No authorization for changing vendors in purch. Org. 1000

SU53 display:
Authorization check failed
  Authorization object M_LFM1_EKO
    Authorization Field ACTVT   02
    Authorization Field EKORG   1000

User's authorization data USER01
  Authorization object M_LFM1_EKO
    Authorization T-C01001045689
      Profile T-C0100104
        Role Z_MASTER_DATA   Master Data Admin
    Authorization Field ACTVT   02,03,08
    Authorization Field EKORG   2000

Authorization Trace ST01


System Trace

An experienced security consultant can judge by plainly looking at an SU53 screen whether it is pointing towards the correct missing object or not. If there are a series of authorization failures when executing a transaction code, SU53 may only point you to the last failed check (which may be unimportant or intentionally suppressed for the user).
ST01 is the tool that consultants should rely upon under circumstances where SU53 analysis is incorrect. ST01 provides quite accurate results for authorization checks. It lists down the complete story for the authorization checks for users in a system when turned on.

System Trace (ST01) screen: Change Trace / Trace off / Analysis
Trace Status: Trace switched on (main switch on)
Trace Components: Authorization Check [X], Kernel Functions, General Kernel, SQL Trace, Table Buffer Trace, RFC Calls, Lock Operations
System Trace: Filter: Process number, User USER01, Transaction, Program

Trace analysis:
General Filters: Client 010, User USER01, Transaction MK04, Work Process 0, PID, Date 16.10.2011, Start 07:03:00, Finish 07:03:09
Block Version 1248, No of Records 3, File version 1

hh:mm:ss   Type   Object       Text
07:03:01   AUTH   F_LFA1_APP   RC=0   APPKZ=M; ACTVT=08
07:03:03   AUTH   F_LFA1_GEB   RC=0   ACTVT=08;
07:03:09   AUTH   M_LFM1_EKO   RC=4   EKORG=1000:ACTVT=08;

Improvements in ST01 Note 1373111
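Added example, not from the course material: parsing an ST01-style authorization trace to list every failed check, compare it with what SU53 would show (only the last failure) and name the field values the user's authorizations do not cover. The trace text is constructed after the screen above, with an extra F_LFA1_BEK failure added to make the SU53 difference visible; the user data mirrors the SU53 screen for USER01.

```python
import re

# Constructed trace excerpt modelled on the ST01 screen above (not real system output).
# The F_LFA1_BEK line is added so that the trace contains more than one failure.
TRACE = """\
07:03:01 AUTH F_LFA1_APP RC=0 APPKZ=M; ACTVT=08;
07:03:03 AUTH F_LFA1_GEB RC=0 ACTVT=08;
07:03:05 AUTH F_LFA1_BEK RC=4 BRGRU=0001; ACTVT=08;
07:03:09 AUTH M_LFM1_EKO RC=4 EKORG=1000; ACTVT=08;
"""

# Constructed user data, as shown on the SU53 screen for USER01.
USER_AUTHS = {"M_LFM1_EKO": [{"ACTVT": {"02", "03", "08"}, "EKORG": {"2000"}}]}

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\w+)\s+(\w+)\s+RC=(\d+)\s*(.*)$")


def parse_trace(text):
    """Return one dict per AUTH record: time, object, rc and the checked field values.
    RC=0 means the check passed; RC=4 means the checked values are not covered."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "AUTH":
            continue
        fields = {}
        for pair in m.group(5).split(";"):
            if "=" in pair:
                name, value = pair.strip().split("=", 1)
                fields[name] = value
        records.append({"time": m.group(1), "object": m.group(3),
                        "rc": int(m.group(4)), "fields": fields})
    return records


def failed_checks(records):
    """Every check with RC != 0, in trace order: the 'complete story' ST01 gives."""
    return [r for r in records if r["rc"] != 0]


def su53_view(records):
    """What SU53 would report for the same run: only the last failed check."""
    fails = failed_checks(records)
    return fails[-1] if fails else None


def missing_values(record, user_auths):
    """Fields of a failed check whose value no authorization of the user covers;
    the authorization needing the fewest changes is used as the reference
    (exact value match only, no wildcard handling in this example)."""
    best = None
    for auth in user_auths.get(record["object"], []):
        uncovered = {n for n, v in record["fields"].items() if v not in auth.get(n, set())}
        if best is None or len(uncovered) < len(best):
            best = uncovered
    return best if best is not None else set(record["fields"])
```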

Information System Administration Aids


Transaction       Text
S_BCE_68001400    Users According to Complex Criteria
S_BCE_68001401    Critical Combinations of Auth.
S_BCE_68001402    With Unsuccessful Logons
S_BCE_68001403    With Critical Authorizations
S_BCE_68001404    Profiles by Contained Profiles
S_BCE_68001405    Profiles by Authorization Name
S_BCE_68001406    Profiles by Values
S_BCE_68001407    Profiles by Changes
S_BCE_68001408    Profiles by Roles
S_BCE_68001409    Profiles According to Complex Crit.
S_BCE_68001410    Auth. Objects According to Complex
S_BCE_68001411    Auth. Objects According to Complex
S_BCE_68001412    Auth. Objects According to Complex
S_BCE_68001413    Auth. Objects According to Complex
S_BCE_68001414    Auth. According to Complex Criteria
S_BCE_68001415    Authorizations by Values
S_BCE_68001416    Authorizations by Changes
S_BCE_68001417    Auth. According to Complex Criteria
S_BCE_68001418    Roles by Role Name
S_BCE_68001419    Roles by User Assignment
S_BCE_68001420    Roles by Transaction Assignment
S_BCE_68001421    Roles by Profile Assignment
S_BCE_68001422    Roles by Authorization Object
S_BCE_68001423    Roles by Authorization Values
S_BCE_68001424    Roles by Change Data
S_BCE_68001425    Roles by Complex Criteria

Once you have identified the missing authorization object, it does not necessarily mean that you start modifying the user's job roles.
You can try to find alternative solutions like existing roles with the required authorizations which can be assigned to the user without granting too much extra access.
There are several useful reports from the user information system available which aid in deriving these solutions. These reports help an administrator to gain an overview of the users in the system and many other related facts.
The transactions listed above can be called as executable reports starting with RSUSR* which can be called from SA38.
A complete list of these useful transactions can be found in the user information system SUIM, which is one place from which you can branch and jump to individual reports.

System Audit Information


As of release 4.6C there is a special role concept used for SAP System auditing which was previously done using AIS (Audit Information System) transaction SECR.
Roles:
SAP_AUDITOR (AIS - Audit Information System)
SAP_AUDITOR_TAX (AIS - Tax Audit)

With the role concept the flow and quality of the checks have improved considerably.

Lesson 8

TRANSPORTING AUTHORIZATION
COMPONENTS

Transporting Authorization Components

Transporting Roles

Upload/Download Roles
Normally it is only possible to exchange data with transport requests between SAP systems with the same release status. For example, if roles have to be exchanged across releases, this can be done by downloading or uploading roles.
When you download the data, it is all stored in a local file, with the exception of the generated authorization profiles and the user assignments.
After an upload, the role might have to be edited and generated.
You can save multiple roles in a local file at the same time by choosing Utilities > Mass download.

Transporting Users

Client Copy - Copy a Client
  Schedule Background / Start immediately
  Target Client      010   Customizing
  Selected Profile   SAP_UCUS
  Description        Customizing and User Master
  Source Client      000   SAP AG Konzern

Client Copy - Copy a Client
  Schedule Background / Start immediately
  Target Client      010   Customizing
  Selected Profile   SAP_UCUS
  Description        Customizing and User Master
  Source Dest.       System Name
  Source Client      000   SAP AG Konzern

Transporting Check Indicators


The customer tables USOBX_C and USOBT_C which are adjusted as per customer needs can be transported as a whole with all settings of check indicators, status and field values in step 3 of SU25.
It is also possible to maintain values for individual transactions in SU24.
In both cases, a transport request is transported and distributed to other SAP systems in the context of the Transport Management System.
During the transport, all of the check indicators and field values in the target system are replaced, and steps 2a-2d cannot be used.

Lesson 9

CONFIGURING ROLE MAINTENANCE TOOLS

Configuring Role Maintenance Tools


Configure the role maintenance tools to reduce effort during role maintenance in PFCG.
Role maintenance uses default values shipped by SAP which affect how PFCG operates as well as how security checks are carried out at runtime.
If the default values shipped by SAP do not meet your needs, the tools can be configured so that you do not end up making multiple changes to authorizations within roles.

PFCG & SU24: How it works? Benefits?

Adjusting SU24

Transaction Code   Object       Authorization Fld.   Authorization Value   Changed by   Modification Date   Modification Time   MODIFIED
MB03               M_MSEG_BMB   ACTVT                03                    SAP          30.08.2004          14:29:40
MB03               M_MSEG_BMB   BWART                                      SAP          30.08.2004          14:29:40
MB03               M_MSEG_LGO   ACTVT                03                    SMITHJ       17.09.2005          15:33:40            X
MB03               M_MSEG_LGO   BWART                                      SMITHJ       17.09.2005          15:33:40            X
MB03               M_MSEG_LGO   LGORT                                      SMITHJ       17.09.2005          15:33:40            X

Transaction Code: ME21N   (buttons: Check / Set Status Yes, Do Not Check / Set Status No, Set Status New UnMaintained)

Object       Text                        Check Ind.   Proposal
K_CSKS_SET   CO-CCA Cost Center Groups   Check        NO
K_KEKO       CO-PC Product Costing       Check        NO
M_ANFR_BSA   Document Type in RFQ        Check        NO
M_ANFR_EKG   Purchasing Group in RFQ     Check        NO

Field Values
Object       Field Name   Change From   To
M_BEST_BSA   ACTVT        01
M_BEST_BSA   ACTVT        02
M_BEST_BSA   ACTVT        03
M_BEST_BSA   BSART
Authorization Checks
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
Starting SAP transactions (authorization object S_TCODE)
Starting reports (authorization object S_PROGRAM)
Calling RFC function modules (authorization object S_RFC)
Table maintenance with generic tools (S_TABU_DIS)

Authorization Checks: Starting SAP Transactions

Authorization Checks: Starting Reports

Authorization Checks: RFC Calls/Table Maintenance

Reducing Scope of Authorization Checks

In addition to using transaction SU24 to display default field values, you can also use it to reduce authorization checks at runtime.
This has the effect of not performing an authorization check on a specific authorization object.
You should be careful when deciding which authorization checks to suppress. By suppressing authorization checks, you allow users to perform tasks for which they have not been explicitly authorized.
For an authorization check to be executed, it must be included in the source code of a transaction and must not be explicitly exempted from the check.
You can suppress authorization checks without changing the program code, as check indicators control authorization checks.

Reducing Scope of Authorization Checks


The authorization check indicator defines whether or not the authorization check for this object is performed during the execution of the transaction. Possible values are "Check" and "Do Not Check".
From an auditor's perspective, if you find an authorization check has been disabled, ensure that disabling it meets the company policy.

Transaction Code: ME21N

Tabs: Check Indicator | Proposal | Field Values
Buttons: Check, Do Not Check, User Name, Check Ind. Flag

St  Object      Description                Check Ind.  Proposal
    K_CSKS_SET  CO-CCA Cost Center Groups  Check       NO
    K_KEKO      CO-PC Product Costing      Check       YS
    M_ANFR_BSA  Document Type in RFQ       Check       NO

Lesson 10

PFCG INSTALLATION AND UPGRADE

PFCG Installation and Upgrade


Before the Profile Generator can be used, you must activate it in the system and link it with default tables for the delivered SAP transaction codes.
Since release 4.6 the Profile Generator is already activated. This means that you do not have to set the system parameter in the instance profile:
auth/no_check_in_some_cases=Y
This is set as default and you only need to verify it in transaction RZ11 or by running the report RSPARAM.

Parameter: auth/no_check_in_some_cases
Short description: Activation of the Profile Generator
Appl. area: Authentication
Default value: Y
Profile value: Y
Current value: Y

Tables USOBX_C and USOBT_C


When the administrator adds a transaction to a role, the Profile Generator selects and proposes the authorization objects that are checked and maintained in the Profile Generator for this transaction.
Tables USOBX_C and USOBT_C control the behavior of the Profile Generator after the transaction has been selected. After a new installation, these tables are empty and must be filled with values before the Profile Generator is used for the first time.
SAP delivers the tables USOBX and USOBT. These tables are filled with default values and are used for the initial fill of the customer tables USOBX_C and USOBT_C. After the initial fill, you can modify the customer tables, and therefore the behavior of the Profile Generator, if required.
Table USOBX defines which authorization checks are to be performed within a transaction and which are not (despite the programmed authority-check command). This table also determines which authorization checks are maintained in the Profile Generator.
Table USOBT defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

Tables USOBX_C and USOBT_C


USOBX_C

Name   Type  Object      Author  Modification date/time  Checkfl
ME21N  TR    M_BANF_EKO  SAP     30.08.2010 13:00:00     X
ME21N  TR    M_BANF_WRK  SAP     30.08.2010 13:00:00     X
ME21N  TR    M_BEST_BSA  SAP     30.08.2010 13:00:00     Y
ME21N  TR    M_BEST_EKG  SAP     30.08.2010 13:00:00     Y
ME21N  TR    M_BEST_EKO  SAP     30.08.2010 13:00:00     Y
ME21N  TR    M_BEST_WRK  SAP     30.08.2010 13:00:00     Y
ME21N  TR    M_EINF_EKO  SAP     30.08.2010 13:00:00     X
ME21N  TR    M_EINF_FRG  DDIC    01.02.2011 15:03:00     X
ME21N  TR    M_INFO_MCD  SAP     30.08.2010 13:00:00     X
ME21N  TR    M_IS_KENNZ  SAP     30.08.2010 13:00:00     X
ME21N  TR    M_MATE_CHG  SAP     30.08.2010 13:00:00     X

Checkfl  Short Description
N        No authorization check
X        Authorization check takes place
Y        Authorization check takes place, default values in USOBT
U        Not maintained

USOBT_C

Name   Type  Object      Field  Value   Author
ME21N  TR    M_BEST_BSA  ACTVT  01      SAP
ME21N  TR    M_BEST_BSA  ACTVT  02      DDIC
ME21N  TR    M_BEST_BSA  ACTVT  03      DDIC
ME21N  TR    M_BEST_BSA  ACTVT  08      DDIC
ME21N  TR    M_BEST_BSA  ACTVT  09      SAP
ME21N  TR    M_BEST_BSA  BSART          SAP
ME21N  TR    M_BEST_EKG  ACTVT  01      SAP
ME21N  TR    M_BEST_EKG  ACTVT  02      DDIC
ME21N  TR    M_BEST_EKG  ACTVT  03      DDIC
ME21N  TR    M_BEST_EKG  ACTVT  08      DDIC
ME21N  TR    M_BEST_EKG  ACTVT  09      SAP
ME21N  TR    M_BEST_EKG  EKGRP  $EKGRP  SAP
ME21N  TR    M_BEST_EKG  ACTVT  01      SAP
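The following is an added example, not SAP's code and not part of the original course material. It models in Python how the two customer tables drive PFCG and the runtime check described in "Reducing Scope of Authorization Checks": a check flag of Y in USOBX_C produces a proposal filled from USOBT_C, X and U produce no proposal but the check in the program still runs, and N ("Do Not Check") skips the check entirely, whatever the user holds. The table rows are constructed for the example (they follow the ME21N screen above but are not an export); the starting check on S_TCODE is deliberately not modelled, since that check cannot be switched off this way.

```python
# Added example (not SAP code): a model of how the SU24 tables drive PFCG
# proposals and runtime checks.  All rows are constructed for the example.

# USOBX_C: (transaction, object) -> check flag
#   N = no authorization check, X = check takes place (no proposal),
#   Y = check takes place, default values proposed from USOBT_C,
#   U = not maintained (the check in the code still runs)
USOBX_C = {
    ("ME21N", "M_BANF_EKO"): "X",
    ("ME21N", "M_BEST_BSA"): "Y",
    ("ME21N", "M_BEST_EKG"): "Y",
    ("ME21N", "M_EINF_FRG"): "X",
    ("ME21N", "M_MATE_CHG"): "U",
}

# USOBT_C: (transaction, object, field) -> proposed default values
USOBT_C = {
    ("ME21N", "M_BEST_BSA", "ACTVT"): ["01", "02", "03", "08", "09"],
    ("ME21N", "M_BEST_BSA", "BSART"): [],          # empty: to be filled in the role
    ("ME21N", "M_BEST_EKG", "ACTVT"): ["01", "02", "03", "08", "09"],
    ("ME21N", "M_BEST_EKG", "EKGRP"): ["$EKGRP"],  # organizational level, filled per role
}


def propose_authorizations(tcode, usobx=USOBX_C, usobt=USOBT_C):
    """What the Profile Generator proposes when tcode is added to a role:
    one authorization per object whose check flag is Y, filled with the
    USOBT_C defaults.  Objects flagged X or U are checked at runtime but
    get no proposal, so the administrator has to add them by hand."""
    proposals = {}
    for (tc, obj), flag in usobx.items():
        if tc == tcode and flag == "Y":
            proposals[obj] = {
                fld: list(values)
                for (t2, o2, fld), values in usobt.items()
                if t2 == tcode and o2 == obj
            }
    return proposals


def objects_checked_at_runtime(tcode, usobx=USOBX_C):
    """Objects whose AUTHORITY-CHECK is still evaluated: everything except N."""
    return sorted(obj for (tc, obj), flag in usobx.items()
                  if tc == tcode and flag != "N")


def authority_check(tcode, obj, required, user_auths, usobx=USOBX_C):
    """Simulate the runtime check for one object.

    required   : dict field -> value the program checks for
    user_auths : list of dicts field -> set of values the user holds
                 ("*" stands for full authorization on that field)
    Returns (passed, reason) so a caller can log why a check passed."""
    flag = usobx.get((tcode, obj), "U")
    if flag == "N":
        # "Do Not Check" in SU24: the program's check is skipped entirely,
        # regardless of what the user holds.  Surface this in the reason
        # rather than treating it as a normal pass.
        return True, "check suppressed by SU24 check indicator"
    for auth in user_auths:
        if all(value in auth.get(fld, set()) or "*" in auth.get(fld, set())
               for fld, value in required.items()):
            return True, "matching authorization found"
    return False, "no matching authorization"
```

Running `authority_check` once with the delivered flags and once with M_BEST_EKG set to N shows the effect the text warns about: a user without the required activity is refused in the first case and passes in the second, with no change to the user master at all. Reviewing USOBX_C for N entries is therefore the quickest way to find such suppressed checks.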

SU24 Check Indicators


After the customer tables USOBX_C and USOBT_C have been filled, you can maintain
them to adjust the behavior of the Profile Generator and the authorization checks to be
performed for each transaction. The tables are maintained in transaction SU24.
This transaction displays the check indicators of a transaction. Check indicators determine
if an authorization check will run within the transaction or not.

Transaction Code: ME21N

Tabs: Check Indicator | Proposal | Field Values
Buttons: Check, Do Not Check, Set Status Yes, Set Status No, Set Status New/UnMaintained, User Name, Check Ind. Flag

St  Object      Description                Check Ind.  Proposal
    K_CSKS_SET  CO-CCA Cost Center Groups  Check       NO
    K_KEKO      CO-PC Product Costing      Check       NO
    M_ANFR_BSA  Document Type in RFQ       Check       NO
    M_ANFR_EKG  Purchasing Group in RFQ    Check       NO

Field Values (object M_BEST_BSA):
Object      Field Name  Change  From  To
M_BEST_BSA  ACTVT               01
M_BEST_BSA  ACTVT               02
M_BEST_BSA  ACTVT               03
M_BEST_BSA  BSART

SU24 Maintenance Status


The behavior of objects is no longer governed solely by the check indicator (as was the situation before SAP NetWeaver 2004s); instead, the maintenance status of the authorization object is also considered.
The maintenance status of an authorization object shows whether authorization default data has been correctly maintained for the object.
Possible values are:
- "Maintained" (green traffic light)
- "Unmaintained" (red traffic light)
- "Maintained with warning" (yellow traffic light)
- "Do not check" (gray traffic light)

St  Object      Object Description
    A_A_VIEW    Asset View
    A_S_ANLKL   Asset Master Record Maint. (Ccode/Asset Class)
    A_S_KOSTL   Asset Master Record Maint. (Ccode/Cost Center)
    C_STUE_BER  CS BOM Authorizations

SU24 Proposal Status


The proposal status of an authorization object defines whether or not an authorization default value for the object is to be added in the Profile Generator to the authorizations of the role when the application is added to a role. Possible values are "Yes" or "No".
"Yes": An authorization default value with the stored authorization field values is added to the role. The field values should also be maintained, as far as possible and as long as this is useful.
"No": No authorization default value is added to the role.
' ': Initial value. This value shows that the application developer responsible has not yet decided whether "Yes" or "No" is to be set here.

Security Upgrade (transaction SU25)

Installing the Profile Generator
  1. Initially Fill the Customer Tables
Post-process the Settings After Upgrading to a Higher Release
  2A. Preparation: Compare with SAP values
  2B. Compare Affected Transactions
  2C. Roles to Be Checked
  2D. Display Changed Transaction Codes
Transport Conn.
  3. Transport the Customer Tables
Adjust the Authorization Checks (Optional)
  4. Check indicator (Transaction SU24)
  5. Deactivate Authorization Object Globally
Create Roles from Manually Created Profiles
  6. Copy Data from Old Profiles

What do you need to do if you perform an upgrade?
- Migration of report trees
- Check of Profile Generator activation
- Upgrade of the roles and default tables (SU25, steps 2A-2D)
- Conversion of manually created profiles to roles if necessary (SU25, step 6)

Upgrade - Scenarios
There are always two possibilities:
- Source release did not use PFCG: PG needs to be activated.
- Source release used PFCG (>3.1G): USOBX_C and USOBT_C need to be updated. Roles need to be updated.

If you are using PG for the first time:
- You can start building your roles using PG.
- Convert the manual profiles into roles using step 6 of SU25.

Upgrade Source release > 3.1G

Security Upgrade (transaction SU25)

Installing the Profile Generator
  1. Initially Fill the Customer Tables
Post-process the Settings After Upgrading to a Higher Release
  2A. Preparation: Compare with SAP values
  2B. Compare Affected Transactions
  2C. Roles to Be Checked
  2D. Display Changed Transaction Codes
Transport Conn.
  3. Transport the Customer Tables
Adjust the Authorization Checks (Optional)
  4. Check indicator (Transaction SU24)
  5. Deactivate Authorization Object Globally
Create Roles from Manually Created Profiles
  6. Copy Data from Old Profiles

The USOB* tables and the roles both need to be updated to the latest version.
Transaction SU25, steps 2A to 2D:
2A: Executes the Profile Generator comparison program. Compares the new tables USOBX and USOBT with USOBX_C and USOBT_C.
2B: Adds any new transactions/updates to tables USOBX_C and USOBT_C.
2C: Updates the existing roles and flags all roles with new authorization objects.
2D: Displays all roles for which there are changed transaction codes.
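As an added illustration of steps 2A to 2C (this is example code written for this page, not SAP's SU25 implementation), the block below compares an old and a new SAP delivery of USOBX against the customer's USOBX_C, takes over only the entries the customer never modified, and lists the roles whose menus contain an affected transaction. Every table row, flag and role menu is constructed for the example; the classification rule (customer-modified entries are held back for a decision rather than overwritten) is the point the comparison is meant to show.

```python
# Added example (not SAP's SU25 code): a model of what steps 2A to 2C do
# with the check-indicator tables.  All rows and role menus are constructed.

# Check flags keyed by (transaction, object), as in USOBX / USOBX_C.
SAP_DELIVERED_OLD = {   # USOBX as shipped with the source release
    ("MB03", "M_MSEG_BMB"): "X",
    ("MB03", "M_MSEG_LGO"): "X",
    ("ME21N", "M_BEST_BSA"): "Y",
    ("ME21N", "M_BEST_EKG"): "Y",
}
SAP_DELIVERED_NEW = {   # USOBX shipped with the target release
    ("MB03", "M_MSEG_BMB"): "Y",    # SAP changed its default
    ("MB03", "M_MSEG_LGO"): "Y",    # SAP changed its default
    ("ME21N", "M_BEST_BSA"): "Y",
    ("ME21N", "M_BEST_EKG"): "Y",
    ("ME21N", "M_EINF_FRG"): "X",   # new entry
    ("ME22N", "M_BEST_BSA"): "Y",   # new entry
}
CUSTOMER = {            # USOBX_C before the upgrade
    ("MB03", "M_MSEG_BMB"): "N",    # customer switched the check off
    ("MB03", "M_MSEG_LGO"): "X",    # never touched
    ("ME21N", "M_BEST_BSA"): "Y",
    ("ME21N", "M_BEST_EKG"): "N",   # customer switched the check off
}
ROLE_MENUS = {          # transactions in each role's menu (constructed)
    "Z_PURCHASER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MB03"},
    "Z_FI_DISPLAY": {"FK03"},
}


def compare_defaults(sap_old, sap_new, customer):
    """Step 2A: classify every entry of the new SAP delivery against the
    old delivery and the customer table."""
    result = {"new": [], "changed_unmodified": [],
              "changed_customer_modified": [], "unchanged": []}
    for key, new_flag in sorted(sap_new.items()):
        old_flag = sap_old.get(key)
        cust_flag = customer.get(key)
        if cust_flag is None:
            result["new"].append(key)
        elif new_flag == old_flag:
            result["unchanged"].append(key)             # customer's value stays
        elif cust_flag == old_flag:
            result["changed_unmodified"].append(key)    # safe to take SAP's new value
        else:
            result["changed_customer_modified"].append(key)  # needs a decision
    return result


def apply_step_2b(customer, sap_new, comparison):
    """Step 2B: take new entries and unmodified changed entries into the
    customer table; entries the customer modified are left for review."""
    updated = dict(customer)
    for key in comparison["new"] + comparison["changed_unmodified"]:
        updated[key] = sap_new[key]
    return updated


def affected_transactions(comparison):
    """Transactions whose defaults changed in any way."""
    return sorted({tcode for cat in ("new", "changed_unmodified",
                                     "changed_customer_modified")
                   for tcode, _ in comparison[cat]})


def roles_to_check(role_menus, tcodes):
    """Step 2C: roles whose menu contains an affected transaction."""
    return sorted(role for role, menu in role_menus.items()
                  if menu & set(tcodes))
```

In this data MB03/M_MSEG_BMB is the interesting case: SAP changed its default and the customer had already set it to N, so the entry stays N and is reported for a decision instead of being silently overwritten. Z_FI_DISPLAY is not listed for checking because none of its transactions changed.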

Upgrade Profile: SAP_NEW

Profile  Texts in User Master  Text                      Status  Changed by
SAP_NEW  Comp profile          New authorization checks  Active  DDIC

Consisting of Profiles
Profile      Text
SAP_NEW_21C  Authorizations for new objects added Rel. 2.1C
SAP_NEW_21D  Authorizations for New Objects Added Rel. 2.1D
SAP_NEW_22A  Authorizations for New Objects Added Rel. 2.2A
SAP_NEW_30A  Authorizations for New Objects Rel. 3.0A
SAP_NEW_30B  Authorizations for New Objects Rel. 3.0B
SAP_NEW_30C  Authorizations for New Objects in Release 3.0C
SAP_NEW_30D  Authorizations for new objects in Release 3.0D
SAP_NEW_30E  Authorizations for New Objects in Release 3.0E
SAP_NEW_30F  Authorizations for new objects in Release 3.0F
SAP_NEW_31G  Authorizations for New Objects in Release 3.1G
SAP_NEW_40A  Authorizations for New Objects in Release 4.0A

The profile SAP_NEW is delivered with every new release and contains authorizations for all new checks in existing transactions.
The SAP_NEW profile guarantees backward compatibility of the authorizations if a new release or an update of authorization checks introduces checks for previously unprotected functions.
It is a composite profile that bridges the differences between releases in the case of new or changed authorization checks for existing functions, so that your users can continue to work as normal.
If there are a large number of roles to be modified due to an upgrade, then you can buy time to process these roles later by assigning users SAP_NEW on a temporary basis, provided this is allowed under the organization's security policy.
The SAP_NEW composite profile consists of single profiles for all old releases of SAP.

Lesson 11

ORGANIZATIONAL MANAGEMENT

Organizational Management
Over time, people change positions and departments and collect authorizations for their new areas of work. If the user administrator forgets to remove the authorizations for the user's older departments or positions, then the user keeps on receiving more authorizations.

(Figure: Buyer, Accounts Clerk, Warehouse Manager)
Position based authorization management


If the roles are now assigned to the objects of the organizational plan, such as positions, the
employees, who are indirectly assigned to these positions through the organizational plan,
can inherit the roles.
Advantage: As soon as an employee changes position, he or she also loses the
corresponding authorizations (since these depend not on the user, but on the position).
Create roles based on organizational objects, such as positions in your organization. For example: Sales
manager, accountant, and secretary.
Assign the roles to your organizational plan. Users then inherit the authorizations (indirectly) in accordance
with their position in the organizational plan.


Organizational Plan
An organizational plan represents a functional organization and reporting structures between positions in an enterprise.
Organizational Management's object-oriented design provides you with a number of organizational objects with which you create organizational plans.
At the center of an organizational plan are organizational units (departments, for example) arranged in a hierarchy that mirrors the structure of your enterprise. Other organizational units such as positions (sales administrator, for example) depict your enterprise's reporting structure. Objects such as jobs, tasks, and work centers are the building blocks of your organizational plan.
By relating objects via relationships, you create a network that mirrors your organizational and reporting structures. In addition to this, you can create relationships to objects from other components (cost center, employee or R/3 User, for example).

(Figure: positions with their Holder(s))

Organizational Management in SAP

PPOCE: Create Organization and Staffing
PPOME: Change Organization and Staffing
PPOSE: Display Create Organization and Staffing

In the simple maintenance mode, you work in three main windows. Each window covers specific maintenance activities:
- The Organizational Structure window allows you to build up and maintain the organizational structure for your organizational plan.
- The Staff Assignments window allows you to identify the fundamental staffing details required for an organizational plan.
- The Task Profile window allows you to assign roles to jobs, positions, organizational units, and holders of positions (users). Workflow tasks are also assigned at this level; however, these are not related to authorizations.

Organizational Structure/Change
Org. Unit  Plan version 01 Current plan
Search Term / Structure Search
  Department 2510/000/000
    Department Marketing
    Department Finance
    Department Logistics

Staff Assignments/Change
Org. Unit  Plan version 01 Current plan
Search Term / Structure Search
  Department Marketing (Org Unit)
    Sales Mgr Marketing (Position)
      Lisa Kudrow (Person/user)

Task Profile/Change
Org. Unit  Plan version 01 Current plan
Search Term / Structure Search
  Department Marketing (Org Unit)
    Change invoice status (Task)
    Change stat. of confirmation (Task)
    Employee (Role)
Object types shown: Position, Job, User

Steps in Organizational Management

(Figure: example organizational plan)
Infosys Technologies Limited
Bangalore DC, Pune DC, Hyderabad DC etc.
HR Manager, Delivery Manager, etc.
HR Manager ES, Delivery Manager ES etc.
Manage resources, Create Projects etc.
John Smith, Lisa Norman etc.

Role Maintenance - PFCG

To be able to assign components of your organizational plan, you must select the Complete View when entering PFCG.
By choosing the Organizational Mgmt button on the User tab, you jump to the screen Role: Change Agent Assignment.
The indirect user assignments that have already been maintained are displayed here.
Here you can use positions to assign users to a role (such as SALESMANAGER).
By choosing Create assignment, you can also define the following relationships:
- Role / Organizational unit
- Role / Position
- Role / User
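To make the advantage stated under "Position based authorization management" concrete, here is an added example (written for this page, not SAP or Infosys code) that models both assignment styles: roles hung on positions and inherited by whoever holds the position, beside roles assigned directly to the user. Moving a user to a new position drops the inherited roles automatically, while the directly assigned ones stay behind; a small detection routine then reports exactly those leftovers. Position names, role names and user IDs are constructed for the example.

```python
# Added example (not SAP code): position-based role inheritance versus
# direct assignment.  Positions, roles and user IDs are constructed.
from dataclasses import dataclass, field


@dataclass
class OrgPlan:
    position_roles: dict = field(default_factory=dict)  # position -> {roles}
    holder: dict = field(default_factory=dict)          # user -> position held
    direct_roles: dict = field(default_factory=dict)    # user -> {roles} assigned directly

    def effective_roles(self, user):
        """Roles the user ends up with: inherited via the position plus any
        direct assignments in the user master."""
        position = self.holder.get(user)
        inherited = set(self.position_roles.get(position, set()))
        return inherited | self.direct_roles.get(user, set())

    def move_user(self, user, new_position):
        """Transfer: only the holder relationship changes; the inherited roles
        follow automatically because they hang on the position."""
        self.holder[user] = new_position

    def stale_direct_roles(self):
        """Detection: direct roles that belong to a position the user does
        not currently hold, i.e. authorizations collected over time."""
        all_position_roles = set().union(*self.position_roles.values())
        stale = {}
        for user, roles in self.direct_roles.items():
            current = self.position_roles.get(self.holder.get(user), set())
            leftovers = roles & (all_position_roles - current)
            if leftovers:
                stale[user] = leftovers
        return stale


def demo_direct_vs_indirect():
    """Two buyers move to Accounts: one was given the buyer role directly,
    the other inherits it through the position.  Returns (roles per user,
    stale direct roles found afterwards)."""
    plan = OrgPlan(
        position_roles={"BUYER": {"Z_MM_BUYER"},
                        "ACCOUNTS_CLERK": {"Z_FI_AP_CLERK"}},
        holder={"LKUDROW": "BUYER", "JSMITH": "BUYER"},
        direct_roles={"JSMITH": {"Z_MM_BUYER"}},
    )
    plan.move_user("LKUDROW", "ACCOUNTS_CLERK")
    plan.move_user("JSMITH", "ACCOUNTS_CLERK")
    roles = {u: plan.effective_roles(u) for u in ("LKUDROW", "JSMITH")}
    return roles, plan.stale_direct_roles()
```

After the move LKUDROW holds only the clerk role, whereas JSMITH still carries Z_MM_BUYER on top of it; `stale_direct_roles` is the periodic check a user administrator would run to find such accumulated access.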

Settings
View
- Simple maintenance (Workplace menu maintenance)
- Basic maintenance (menus, profiles, other objects)
- Complete view (Organizational Management and workflow)

Role: Change Agent Assignment
Indirect user assignments ok

AG /SAP/EMPLOYEE  EMPLOYEE                      Role
  C  50004150  Sales Manager                    Job
    S  50004151  Sales Manager - Marketing      Position
      CP 50003346  Lisa Kudrow                  Person
  O  90000755  Department Marketing             Org. Unit
    S  50004151  Sales Manager - Marketing      Position
      CP 50003346  Lisa Kudrow                  Person

Lesson 12

SECURITY IN PROJECTS

Implementation Methodology

Every company or every project follows an implementation methodology which can be more or less divided into five distinct phases.
Project Preparation: Forming the team and assembling the resources required for project implementation.
Blueprint: Determine the business requirements and formulate a visual representation of the as-is business process to be mapped in SAP.
Realization: This is the phase where the business requirements are implemented in the system through configurations and development.
Final Preparation: Testing of the interfaces and modules, training of the users, move of changes to production, fine tuning and soft configuration of the production system etc.
Go-Live & Support: Release of system access to users, enhancements and bug fixes.

Authorization Project Methodology

Blueprint Phase

The blueprint phase for the authorizations may start only after the business blueprint is done.
This is because the authorizations can be analyzed and conceptualized only after the business processes are documented.
The main steps during this phase are:
- Analyze the business process with the project team.
- Determine the various job roles and activities to be included within the roles.
- Prepare a list of the roles for the business process and list the activities for each role.
- Determine an ideal design for the job roles.
- Determine a naming convention for the roles.
The Process Master List is a document which forms a basis for this phase. It documents all the activities that are performed during a business process. These activities are mapped to SAP transactions in this list.
This list should be ready and signed off before work on the job roles starts.
The authorizations team, along with the business process owners, would work on grouping these activities to form the job roles.

Process Master and Authorizations List


Activity Group  Process Group  Activity                                         Primary Transaction Codes (mandatory for SAP activities)  System Type (for Activities only)
A-LM059_LXX     LM             Determine Putaway Location                       MB1B/MIGO                                                 SAP R/3
A-AP001_LXX     AP             Requisitioner checks SAP for Vendor Existence    FK03                                                      SAP R/3
A-AP002_LXX     AP             Request to create/change Vendor Master Data      N/A                                                       Manual
A-AP003_LXX     AP             Purchasing Complete Vendor Creation Form for AP  N/A                                                       Manual
A-AP004_LXX     AP             Terms of Payment request                         N/A                                                       Manual
A-AP010_LXX     AP             Maintain Vendor Master                           FK01, FK02, XK01, XK02                                    SAP R/3

Authorizations Concept in SAP

Role design approach

Derived roles are only helpful initially for small roles (or individual tasks) which truly are exactly the same (except for the org or other element of a common object). If you are planning some major acquisitions and diversity in your production locations and sales organizations, then derived roles might be an option for a "Just One Company Code" system, but your business areas and other org elements will be forced to some extent to have the same business processes, or your roles will provide too much access for the others when one of them wants something special. You will become inflexible and over time the differences will destroy your concept very easily.
One would want to create a common set of roles which contains the required org level authorizations for the various roles and then create a second set of roles for the functions in the different business areas and add the differentiated org elements to them. Make sure that the transactions you select actually use these. What you have is a transactional role containing all the transactions & auth objects. You then create a separate role with manually added auth objects that contain all the auth objects that are relevant for restriction. You then disable those objects in the transactional role. This way you have 2 roles, one providing transactional content & the other providing all your restrictions.
One of the perceived benefits is that you only have 1 role containing restriction data and this can be applied to all users. You then give them different transactional roles depending on what transactions they need etc.
Downsides to this are:
- Increased complexity: It can be a steep learning curve for a new administrator in the company.
- Reduced security: Security is based on 2 levels, S_TCODE & object level. If you are creating a single value role (or even a few of them) they are going to contain more auth objects than are needed for the respective transactional roles.
- SOD analysis: It makes analysis and reporting at role level more complex.
- Breaking SAP security setup: When you take this approach you may be breaking the link between PFCG and SU24.
Also we have to decide whether we have one single role with all the transactions or break them up into smaller roles. They have their pros and cons as mentioned below:
- It might be desirable for users to only have one role (in addition to a "common role for all users"). This way SoD analysis can concentrate on analyzing authorizations within single role designs, without the added complexity of doing role to role comparisons.
- Smaller roles can be used across multiple functions; limiting the total number of roles can have a dramatic impact on the total maintenance effort, when designed the right way.
- A big role (per position) avoids redundancy of transactions in various smaller roles where they could easily have different values on object level.

Naming Convention

It is important to assign a unique identifier to the roles through a flexible and standardized naming convention.
There are 30 characters available to define the role name.
One of the best approaches is to use elements like region (e.g. US, GB, DE etc.), application module (e.g. FI, MM etc.) and business process (e.g. FRAP, OPMA etc.) in the role names.
Role names should be flexible and extensible so that they do not lose their significance on addition or removal of transactions within them.
Naming conventions also help in segregating the role and user administration tasks.
The role names are not language dependent and should not begin with SAP.
It is also important that you align the naming conventions with those of the project.
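An added example (not from the course or from SAP) of turning such a convention into something the administration team can enforce: a builder that assembles a role name from its elements and a validator that checks the 30-character limit, the "must not begin with SAP" rule, and that every element comes from an agreed code list. The pattern Z_<region>_<module>_<process>_<function> and the code lists are assumptions made for the example; the region, module and process codes are the ones quoted in the text above.

```python
# Added example (not SAP code): builder and validator for an assumed role
# naming convention Z_<region>_<module>_<process>_<function>.
import re

ROLE_NAME_MAX = 30                # limit stated in the text
REGIONS = {"US", "GB", "DE"}      # region codes mentioned in the text
MODULES = {"FI", "MM"}            # application modules mentioned in the text
PROCESSES = {"FRAP", "OPMA"}      # business process codes mentioned in the text

PATTERN = re.compile(
    r"^Z_(?P<region>[A-Z]{2})_(?P<module>[A-Z]{2,4})_"
    r"(?P<process>[A-Z0-9]{4})_(?P<function>[A-Z0-9_]+)$"
)


def validate_role_name(name):
    """Return a list of problems; an empty list means the name conforms."""
    problems = []
    if len(name) > ROLE_NAME_MAX:
        problems.append(f"longer than {ROLE_NAME_MAX} characters")
    if name.upper().startswith("SAP"):
        problems.append("begins with SAP (reserved for delivered roles)")
    match = PATTERN.match(name)
    if not match:
        problems.append("does not follow Z_<region>_<module>_<process>_<function>")
        return problems
    for part, allowed in (("region", REGIONS), ("module", MODULES),
                          ("process", PROCESSES)):
        if match[part] not in allowed:
            problems.append(f"unknown {part} code {match[part]}")
    return problems


def build_role_name(region, module, process, function):
    """Assemble a name from its elements and refuse anything non-conforming,
    so every role created through this path can be parsed again later."""
    name = f"Z_{region}_{module}_{process}_{function}".upper()
    problems = validate_role_name(name)
    if problems:
        raise ValueError(f"{name}: " + "; ".join(problems))
    return name


def parse_role_name(name):
    """Split a conforming name back into its elements (None if it does not
    conform); this is what makes reporting by region or module possible."""
    match = PATTERN.match(name)
    return match.groupdict() if match and not validate_role_name(name) else None
```

Running the validator over an export of existing role names (one per line) gives a quick picture of how far the landscape has drifted from the convention before a renaming effort is planned.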

Role Documents

You have finalized upon the below criteria:
- Number of job roles to be created
- The transactions to be included in each job role
- Design approach for the job roles
- Naming convention for the job roles
Now you can start to create job role documents to identify and describe each role both technically as well as functionally.
The document should cover the following aspects of the role:
- Role name and description
- Transactions that are included in the role
- Business relevance of the role through a brief description of its functionality
- Critical authorizations included within the role
- Organizational values and other restrictions within the role
Role documents are very useful for the business process owners to understand the job roles that are being built and to suggest any modifications if necessary before they are implemented in the system.
A formal sign off by the business owners and project managers on these documents is recommended.

Realization Phase
Start building the job roles in the system as per the role documents.
Informal screening of the roles by the functional team is recommended during this phase to ensure that the authorizations are being set as desired.
Prepare test users per role/per module.
Changes to the transactions within the role and addition/removal of job roles in the list are expected during this phase.
Define the test scripts for testing the authorizations in the next phase.

Final Preparation

Go-Live and Support
