Beginner's Guide to SAP Security and Authorizations
-
Upload
khangminh22 -
Category
Documents
-
view
3 -
download
0
Transcript of Beginner's Guide to SAP Security and Authorizations
ISBN: 978-3-9451-7087-8(ePUB)
Editor: LisaJackson
CoverDesign: PhilipEsch,MartinMunzel
CoverPhoto: Fotolia#51570006©larshallstrom
InteriorDesign: Johann-ChristianHanke
Allrightsreserved
1stEdition2016,Gleichen
©2016EspressoTutorialsGmbH
URL:www.espresso-tutorials.com
All rights reserved. Neither this publication nor any part of itmay be copied orreproduced in any form or by any means or translated into another languagewithoutthepriorconsentofEspressoTutorialsGmbH,ZumGelenberg11,37130Gleichen,Ger¬many
EspressoTutorialsmakesnowarranties or representationswith respects to thecontenthereofandspecificallydisclaimsanyimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.EspressoTutorialsassumesnoresponsibilityforanyerrorsthatmayappearinthispublication.
Feedback:We greatly appreciate any kind of feedback you have concerning this [email protected].
ThankyouforpurchasingthisbookfromEspressoTutorials!Like a cup of espresso coffee, Espresso Tutorials SAP books are concise andeffective. We know that your time is valuable and we deliver information in asuccinctandstraightforwardmanner.ItonlytakesourreadersashortamountoftimetoconsumeSAPconcepts.Ourbooksarewellrecognizedintheindustryforleveraging tutorial-style instructionandvideos to showyoustepbystephow tosuccessfullyworkwithSAP.
CheckoutourYouTubechanneltowatchourvideosathttps://www.youtube.com/user/EspressoTutorials.
If you are interested inSAPFinance andControlling, join us at http://www.fico-forum.com/forum2/ to get your SAP questions answered and contribute todiscussions.
RelatedtitlesfromEspressoTutorials:
BorisRubarth:FirstStepsinABAP®http://5015.espresso-tutorials.comSydnieMcConnell,MartinMunzel:FirstStepsinSAP®,2ndeditionhttp://5045.espresso-tutorials.comAntjeKunz:SAP®LegacySystemMigrationWorkbench(LSMW)http://5051.espresso-tutorials.comDarrenHague:UniversalWorklistwithSAP®NetWeaverPortalhttp://5076.espresso-tutorials.comMichałKrawczyk:SAP®SOAIntegration—EnterpriseServiceMonitoringhttp://5077.espresso-tutorials.comAnnCacciottolli:FirstStepsinSAP®FinancialAccounting(FI)http://5095.espresso-tutorials.comKathiKones:SAPListViewer(ALV)—APracticalGuideforABAPDevelopershttp://5112.espresso-tutorials.comJelenaPerfiljeva:WhatonEarthisanSAPIDoc?http://5130.espresso-tutorials.com
TableofContentsCover
Title
Copyright/Imprint
Preface:IntroductiontoSAPSecurityandAuthorizationsconcept
1Usermaintenanceoverview
1.1Usermasterrecord1.2Usertypes1.3Usergroups1.4Massusermaintenance(SU10)1.5Passwords1.6Centraluseradministration(CUA)
2Roleoverview
2.1Roletypes
3Profilegeneratorandrolemaintenanceoverview
3.1Whatisaprofile?3.2Whatisanauthorization?3.3Profilesandroles
4Advancedtopicsforrolemaintenance
4.1Profilegeneratordeepdive4.2Authorization-objectlevelsecurity4.3Roletypereview4.4Transportingauthorizations
5SAPSecurityandAuthorizationstrouble-shooting
5.1ReadinganSU535.2Runningatrace(ST01)5.3UsefulSAPSecuritytablesandsensitiveauthorizations5.4Maintainauthorizationobjectassignmenttotransactioncodes(SU24)5.5Userinformationsystem(SUIM)
6AdvancedtopicsforSAPauthorizations
6.1Upgradingtoanewrelease(SU25)6.2IntroductiontoGRCAccessControl6.3Wrapup:Puttingabowonit
7Acknowledgements
AAbouttheauthor
BDisclaimer
Preface:IntroductiontoSAPSecurityandAuthorizationsconceptSAP has a wide range of built-in functionality to meet various securityrequirements, including network protection, data protection, and SAPauthorizations.Thisbookwill focusontheapplicationofSAPauthorizationsandhowuseraccesscanbelimitedbytransactioncodes,organizational levels, fieldvalues,etc.SAPSecurityandAuthorizationsisdesignedsothatthesystemmustexplicitlyindicatewhateachusercando.Thisisdonebyassigningauthorizationroles,whicharegroupingsofprofilescomprisedofauthorizations.
ThebasicarchitectureofSAPSecurityandAuthorizationsisa6-tieredapproach:
1. UserMasterRecord:AccountsforuserstoenableaccesstotheSAPsystem;primarilyusedforuseradministrationpurposes.
2. Role:Compilationoftransactionsandpermissionsthatareassignedtooneormoreusermasterrecords;usuallyincludescommonalityamongstajobroleorjobtask.
3. Profile:Assignedwhenaroleisgeneratedandaddedtoitscorrespondingusermasterrecord.
4. AuthorizationObjectClass:Logicalgroupingofauthorizationobjectsbybusinessarea.
5. AuthorizationObject:Groupingsof1-10authorizationfields;configurationisperformedagainstauthoritycheckstatementswrittenintheSAPcode.
6. AuthorizationField:Least-granularelementinwhichvaluescanbemaintainedtosecuredataandinformation.
Authorizationscanbeusefulinlimitingaccesstoitemssuchas:billingandvendorinformation, personnel and payroll information, key financial data, and criticalsystem areas such as basis, configuration, development, and security. Usersobtain their authorizations by being assigned to roles and users cannot start atransaction or complete a transaction without the proper authorization roleassignment. In order to perform an action, a user may need severalauthorizations.Forexample, inorder tocreateasalesorder, theuserwillneedaccesstothetransaction,the“create”authorization,generalauthorizationforthesalesorg,andtheauthorizationfor thespecificsalesdocumenttype.Therefore,therelationshipsrequiredinordertomeetuseraccessrequirementscanbecomeverycomplex.
TheSAPauthorizationconceptwascreatedonthebasisofauthorizationobjects.Each authorization object is comprised ofmultiple authorization fields. A user’spermissions always refer to authorization objects, which can contain a singlevalueora rangeofvalues foreach field.Both reportanddialog transactions inSAPhavepredefined“authorizationchecks”imbeddedintheprogramlogicwhichprotectsthefunctionsandinformationwithinthem.
The basis of an organization’s role design should always be the rule of leastprivilege,whichistheSAPSecuritybestpracticeofgivingusersexactlywhattheyneed to perform their job responsibilities, not much more, and not much less.Accesscreep is theadversaryof thisprivilegeasusersmayretainunnecessaryaccessafterajobfunctionchangeormayreceiveunnecessaryaccessasaresultof the application of permissions or transactions to roles which are sharedbetween users who have similar, but not identical, responsibilities. Ultimately,securityisthegatewaytotheSAPsystem,butitcanoftenbedifficulttomanageandunderstand.InformationstoredinSAPisavaluedbusinessasset,andSAPSecuritycanaidanorganizationbyincreasingflexibilityandcustomizationattheuserlevelandprotectingcriticalinformationfromunauthorizeduse.
ThisbookincludesSAPbestpracticesforuserandrolemaintenanceandhowtocreateanSAPSecuritydesignthatisbothlowmaintenanceandscalable.YouwilllearnhowtouseandinterpretSAPauthorizationsandtroubleshootsecurityandauthorizationissues.Lastly,youwilldiscoversomeadvancedtopicssurroundingSAP authorizations, including an overview on upgrading your SAP Securityenvironmentandreducingavoidablesegregationofdutiesconflicts.
Wehaveaddedafewiconstohighlightimportantinformation.Theseinclude:
Tips
Tips highlight information concerning more details about thesubject being described and/or additional backgroundinformation.
Examples
Exampleshelp illustratea topicbetterbyrelating it to realworldscenarios.
Attention
Attentionnoticesdrawattentiontoinformationthatyoushouldbeawareofwhen yougo through theexamples from this bookonyourown.
Finally,anoteconcerning thecopyright:allscreenshotsprinted in thisbookarethecopyrightofSAPSE.AllrightsarereservedbySAPSE.Copyrightpertainstoall SAP images in this publication. For simplification, we will not mention thisspecificallyunderneatheveryscreenshot.
1UsermaintenanceoverviewThis chapter covers creating users in the system and assigning roles totheir corresponding user master records. This section also providesinformationonassigningpersonalattributes toeachuser,password rulesinSAP, and creating and assigninguser groups.Additionally, the chapterincludesthemethodforperformingamasschangetousermasterrecords.
ApersonmusthaveanSAPuser IDandpassword inorder to log intoanSAPsystem.Thisinformationisstoredintheusermasterrecord.Usermasterrecordsareclient-specific.ItisimportanttoestablishanamingconventionfortheuserID,whichallows theuser tobeeasily identifiableafter taking intoaccountanypre-existingidentificationsystemswithintheorganization.Oftentimes,anexistinge-mailornetworknamingconventionisideal.Somecompilationofauser’snameisalsoaviableoption,forexample:
Firstletterofthefirstname,lastname
TLEVINE(TracyLevine)
Lastname,firstletterofthefirstname,firstletterofmiddlename
LEVINETM(TracyMLevine)
Lastname,countryoforigin
LEVINEMX(TracyLevine,Mexico)
UserIDsarelimitedtoaminimumlengthof3charactersandamaximumlengthof12characters.However,user IDs thatareboth requiredandpredeliveredbySAPinthesystem:SAP*andDDIC.SAP*isasuperuser inSAPanddoesnotneedausermasterrecord.ThisIDishard-codedinthesystemandprovidestheIDwithunlimitedaccess.TheSAP*defaultpasswordshouldbechanged,but itcannot be deleted. DDIC is the maintenance user in SAP and has specialprivileges surrounding the ABAP dictionary and installations. DDIC is the onlyuserIDthatcanlogonduringasystemupgrade.
1.1UsermasterrecordThe user master record maintenance transaction, SU01, is primarily used tocreate and modify user master records in the SAP system. As previouslymentioned, user master records are intended as a repository to store userinformationandassignnecessaryauthorizations toauser toperformnecessaryjobresponsibilities. Inthe initialSU01screen(seeFigure1.1), theSAPSecurityadministratorcancarryoutthefollowingactivities:
Createusermasterrecord(PAPERbutton)Changeusermasterrecord(PENCILbutton)Displayusermasterrecord(GLASSESbutton)Deleteusermasterrecord(TRASHCANbutton)Copyusermasterrecord(DUALPAPERbutton)Lock/Unlockusermasterrecord(LOCKbutton)Changepasswordofusermasterrecord(WRITINGPENCILbutton)
Figure1.1:Usermastermaintenanceinitialscreen(transactionSU01)
Inordertoexecuteanyoftheabovefunctions,auserIDmustbedefinedintheUSER field, as shown in Figure 1.1. An alias is used to perform activities thatinteractwithSAPviatheInternet.WhenauserregistersanaliasontheInternet(such as a customer or vendor name) a corresponding SAP user ID isautomaticallygeneratedatrandom.TheALIASfieldontheUSERMAINTENANCE initialscreenisusedtouncovertheunknownSAPuserIDsofInternetusers.
Figure1.2:Usermastermaintenanceaddresstab(transactionSU01)
TheADDRESStabinSU01(seeFigure1.2)isusedtomorecompletelyidentifytheusersandtosupplycontact information.TheADDRESS tabshouldbe filledoutascompletelyaspossible.ThebuttonforOTHERCOMMUNICATIONallowsforadditionalentriesofvariouscommunicationmethodsthataremoreatypical,andtherefore,not on themain screen (such asPAGER andURLHOMEPAGE). TheCOMM. METH
drop-downallowsyoutoidentifytheuser’spreferredcommunicationmethod.
Figure1.3:Usermastermaintenancelogondatatab(transactionSU01)
The LOGON DATA tab in SU01 (see Figure 1.3) is primarily focused on uservalidation upon logon. TheALIAS field allows the SAP Security administrator toassignarecognizable40-digitIDtotheuser,whichcanbeusedtosearchfortheuser IDon the initialSU01 screenas shown inFigure 1.1. The twomandatorysectionsontheLOGONDATA tabareUSERTYPE fieldand thePASSWORDarea.ThepurposeoftheUSERTYPEfieldistoidentifythetypeofuserwhowillbetransactingin the system. Section 1.2 outlines the different user types and their primarypurposes.Whenanewuseriscreated,theSAPSecurityadministratormustenteranINITIALPASSWORD.
The USER GROUP field is valuable when multiple security administrators areresponsibleformaintainingusermasterrecords,butfordifferentgroupsofusers.If nouser group is defined, anyadministrator has theability tomodify theusermasterrecord.
Maintainingdifferentusergroups:Example
IfanorganizationhasfiveSAPSecurityadministratorsandeachis responsible for one geographical region, five different usergroupsshouldbemaintained:
1.NORTH2.SOUTH3.EAST4.WEST5.CENTRAL
Other organizations can segregate user maintenance by company code orfunctionalarea.
Thevalidityperiodsection isbeneficial formultiple reasons.Manyorganizationsliketokeeparecordofallusermasterrecordsevenifanaccountorauserhasbeenterminated.TheVALIDTHROUGHfieldcanbeusedinthisinstancetoprohibitanyonefromlogging inwithaparticular ID.Theusermasterrecordcanalsobelockedbytheadministratorontheinitialscreen.VALIDFROMandVALIDTHROUGHareoftenusedasameansofassigningaccesstoatemporseasonalemployee.
Figure1.4:Usermastermaintenance,SNCtab(transactionSU01)
OntheSNCtabofSU01(seeFigure1.4)thefieldforSNCNAMEisusedwhentheuser will access the SAP system via a secure network connection rather thanlogginginwithauserIDandpassword.TheSAPsystemislimitedinthatonlyasingle SNC name can be assigned to each user in the system for auditing
purposes.
Figure1.5:Usermastermaintenance,defaultstab(transactionSU01)
TheDEFAULTStabinSU01(seeFigure1.5)isusedasit isdescribedtoestablishdefaultsettingsformaintainingtheuserID,suchasthedateandtimeformatthatwillbeappearthroughoutthesystem.TheOUTPUTDEVICEfieldisusedtodefineadefault printer to the user. If multiple languages have been configured in thesystemtheLOGONLANGUAGE fieldcanbeset foreachuser.Likewise, ifallusersarenottransactingatthesametime,thePERSONALTIMEZONEOFTHEUSERfieldcanbeset.TheSTARTMENUfieldismaintainedifthereisauserwhowantsaparticulardefaultmenuuponlogon.
Figure1.6:Usermastermaintenance,parameterstab(transactionSU01)
The PARAMETERS tab in SU01 is often maintained as a means of identifyingadditional user defaults and settings, which increase system convenience (seeFigure 1.6). Additionally, some user authorizations can be maintained via thePARAMETERStab.
Example
Ifauseronlyrequiresauthorizationforcompanycode2000,thisinformationcanbestoredunderthecorrespondingparameterID.Anytransactionalfieldsthatrefertothatorganizationunitwillbeautomaticallypopulatedwith2000.
Another example refers to user authorization rather than user defaults. Youwill learnmoreaboutauthorizationobjects later,butcurrently,standardSAPauthorizationobjectsonlyexistformaintainingglobal layouts(allreportsandtransactions) or finance-only related reports and transactions. AsdemonstratedinFigure1.6,theparameterSD_VARIANT_MAINTAINcontrolsa user’s authorization tomaintain variants for sales- and distribution-relatedreports and transactions. The following parameter values each equate to adifferentlevelofvariantmaintenance:
Figure1.7:Usermastermaintenance(transactionSU01,rolestab(transactionSU01)
AnSAProle isa compilationof transactionsandpermissions thatareassignedwithintheusermasterrecord.TheROLEStabinSU01iswheretheSAPSecurityadministratorcandisplayormodifyallroleassignmentsfortheuser(seeFigure1.7).Ausercanbeassignedtomorethanonerole.Moreonroletypeslateron,but theTYPE column in theROLES tab indicateswhether the role is acompositerole(acompilationofsinglerolesthatareassignedasagroup)orasinglerole.TheVALIDFROMandVALIDTO fields indicatewhentheassignmentwillbecomeorbecame active and when the role assignment will expire. The VALID TO fieldautomaticallydefaultsto“12/31/9999.”
If a single role is assigned as a result of the assignment of a correspondingcomposite role, the role name will appear in blue, rather than black. In thisinstance,theassignmentofthesesinglerolescannotbemaintainedindividually;assignments can only be removed and the validity dates modified at thecompositerolelevel.
Figure1.8:Usermastermaintenance,profilestab(transactionSU01)
Authorization profiles are created when roles are generated. When roles areadded to theusermaster record, thecorrespondingprofile(s)alsogetassignedvia thePROFILES tab (seeFigure1.8).With theexceptionofa fewpreconfiguredSAP profiles for super-user access, profiles should not be directly assigned tousers.Themaximumnumberofprofiles that canbeassigned toauser is312.The relationship of roles:profiles is typically 1:1, unless a role contains asignificant amount of transactions and permissions (i.e. a ‘display all’ or super-userrole).Asmentioned,SAPhastwoprimarypreconfiguredprofilesthatcanbeassignedonlytosystemadministratorsandSAPsupportusers.
1. SAP_ALLisacompilationofallstandardauthorizationsthatexistintheSAPsystem.
2. SAP_NEWisacompilationofallnewstandardauthorizationsthatexistintheSAPsystem(includesauthorizationobjectsbroughtinfromnewreleases).
Figure1.9:Usermastermaintenance,groupstab(transactionSU01)
MultipleusergroupscanbeassignedtotheusermasterrecordintheGROUPStab(seeFigure1.9). If therearemultipleuseradministrators,groupscanbesetupand assigned to specific users. SAP Security administrators are then assigneduser master record maintenance based on user group and, therefore, masschanges can be easily made to users in groups. See Section 1.3 for moreinformationonusergroups.
Figure1.10:Usermastermaintenance,personalizationtab(transactionSU01)
ThePERSONALIZATION tab in SU01 is just that; the location where personalizedobjects are stored, such as workflows, user layouts, time sheet settings,approvals,etc.(seeFigure1.10).Personalizationobjectscanalsobeassignedtoaspecificroleintherolemaintenancetransaction(PFCG)inthePERSONALIZATION
tab.
Figure1.11:Usermastermaintenance,licensedatatab(transactionSU01
The LICENSE DATA tab (see Figure 1.11) is used to track information that isprocessedfor licensingpurposesbySAP.SAPchargesdifferentratesbasedoncontractualusertypes,whicharedeterminedbasedontheamountoftransactingtheuserdoesinthesystem.
1.2UsertypesIntheSU01LOGONDATAtab,usersmustbeclassifiedasoneofthefollowingusertypes(seeFigure1.3):
Dialog:Dialogusersarethemostcommonusertypeassignedtoenduserswhowillbetransactinginthesystem.Dialogusersarecheckedatlogonforinitialpasswords,userID,passwordvalidity,andtheallowanceofmultiplelogons.Thepasswordforthedialogusercanbechangedbytheuser.Communication:CommunicationusersareassignedtoCPIC(commonprogramminginterfaceforcommunications)andRFC(remotefunctioncall)usersthatdonotrequiredialoglogon.CommunicationusersarecommonlyusedbetweenSAPandexternalsystemsandapplicationsforALE,TMS,andworkflow.System:SystemusersaresimilartocommunicationusersinthesensethattheyareassignedtoCPICandRFCusersthatdonotrequiredialoglogon.However,systemusersareusedforALE,backgroundprocessing,TMS,andworkflowwithinonesystem.Systemusershavenopasswordvalidityandmultiplelogonsareallowed.SystemuserpasswordscanonlybechangedbySAPSecurityadministrators.MultiplelogonsareallowedviaasystemuserID.Service:ServiceuserIDsareusedbytransacting-anonymousdialogusersthroughanITS(informationtechnologyservice),oftenaWebapplication.Multiplelogonsareallowed,butthereisnocheckforinitialorobsoletepasswords.MultiplelogonsareallowedviaaserviceuserID.Reference:ReferenceIDsareusedforgroupsofuserswhorequireidenticalauthorization.ReferenceuserssimplifytheassignmentofauthorizationsWebusers.Dialoglogonisnotpossibleforareferenceuser.
1.3UsergroupsUsergroupassignment isnota required fieldwhencreatingusers.However, inorder to delegate user maintenance authorization to different SAP Securityadministrators,thisisanecessarystep.
Figure1.12:Maintainusergroups(transactionSUGR)
Figure1.13:Assigninguserstousergroups(transactionSUGR)
User groups can be created, displayed, deleted, and modified via transactionSUGR as demonstrated in Figure 1.12. Users can also be assigned to a usergroup in transaction SUGR, as they can in theUSER GROUP tab in SU01 (seeFigure1.13).
1.4Massusermaintenance(SU10)Transaction SU10 allows for massmaintenance of user master records. UsingSU10,ausercanperformmostof thechangesmadeon individualusers in theusermaintenancetransaction(SU01),butformanyusersatonetime.
Figure1.14:Usermaintenance:Masschangesinitialscreen(transactionSU10)
AsdemonstratedinFigure1.14,ontheinitialSU10screenamaximumof25SAPuser IDscanbecopied from the clipboard for usermassmaintenance. Ifmasschangesarerequired formore than25users,awiderselectionofuserscanbechosen by clicking on theADDRESSDATA button orAUTHORIZATIONDATA button, ashighlighted.Ineachofthesetabs,agreaterlistofuserIDscanbecopiedfromaclipboardorselectedbasedonvariousattributes.
Figure1.16:SelectioncriteriapagefromSU10authorizationdatabutton
Figure1.15andFigure1.16showtheselectioncriteriathatcanbeusedtosearchforgroupsof users thataredesired tomassmaintain. If theuser IDs for theseindividualsarealreadyknown,theycanbecopiedfromanExcelspreadsheetandpastedfromtheclipboardbyclickingthearrowbuttonnexttotheUSERfieldontheSELECTIONCRITERIApagefromtheSU10AUTHORIZATIONDATAbutton.Furthermore,ifamasschangeisrequiredforallusersinthesystem,avalueof*canbeset intheUSERfield.
Figure1.17:Userstobechangedresultingfromuserselectioncriteria(transactionSU10)
Figure1.18:Selecteduserstobechanged(transactionSU10)
After executing the selection criteria, a list of all applicable users appears (seeFigure1.17). Inorder for theshownuserstobemasschanged,alldesiredusernamesmustbehighlightedandtheTRANSFERbuttonclicked(seeFigure1.18).
After defining the users to be changed, the user IDs and names appear in theinitialscreenof transactionSU10(aspreviouslyshowninFigure1.14).Possibleuserchanges in theSU10 initial screen reflect thoseon theSU01 initial screenwith one caveat, passwords cannot be defined and changed en masse. TheGENERATE PASSWORD button, as seen in Figure 1.14, will generate a uniquepasswordforeachuser.Generatedpasswordsforeachusercanbeviewedinthelogdisplayafterchangesarecomplete. Inorder tochangeuserattributes,suchaslogondata,userdefaults,androlesassigned,selectthepencil(change)buttonontheinitialscreen.
Figure1.19:Massuserchangestologondata(transactionSU10)
Addingandremovingroles
MakesuretoselecttheCHANGEindicator(seeFigure1.19)priortosavingchanges.
Figure1.20:Massuserchangestoroleassignment(transactionSU10)
Roleandprofile changesdiffer slightly fromother changes inSU10.Roles andprofilescanbeaddedorremovedduringasingleinstanceofSU10,butnotboth.
Massassignmentofaroleexample
Figure1.20 isanexampleofaddinga role toagroupofusers.Therolethatisbeingassignedisageneralend-userroleinthatithas the transactions and permissions needed for all userstransacting in the SAP system. If a new role is created in an
organizationandneedstobeassignedtoallormanyusers,transactionSU10isthemostefficientmethod.TheADD indicatormustbeselectedasnotedinFigure1.20.
Figure1.21:Warningmessageaftersaving(transactionSU10)
Figure1.22:Logdisplayaftermasschanges(transactionSU10)
Oncesaved,awarningmessageadvisesyouastothenumberofusersthatthechangeswillaffect(seeFigure1.21).ClicktheCHECKbuttontoindicatethatthesechangesaredesired.Afterconfirmation,alogdisplayappears(seeFigure1.22).Greentraffic lights indicatesuccessfulchanges,asshowninFigure1.22;yellowtraffic lights indicatewarningmessages (althoughnotnecessarilyunsuccessful);andredtrafficlightsindicateallorsomeofthechangeswereunsuccessful.
1.5PasswordsSAPhaspasswordsettingparametersthatinclude:
AminimumlengthofthreecharactersNoexpirationdatePreconfiguredblockedpasswordsCasesensitivityAnycharacter,butcannotstartwitha“?”or“!”Notallowing3sequentialcharactersfromtheuser’sSAPuserID
However, there are also additional suggested password settings that can beconfigured,suchas:
AminimumofsixcharactersPasswordsthatexpireatregularintervals(4-6weeks)UtilizationofthepasswordblockinglistRequirementofspecialcharacters
Recently, SAP introduced a new password protection feature called SecurityPolicies.With this new addition, different password rules and logon restrictionscanbeappliedtodifferentgroupsofuserswithinthesameclient.Securitypolicyconfiguration is done in DEV and transported to production via transactionSECPOL. Users are assigned a security policy via the LOGON DATA tab intransactionSU01orSU10.Ifthesecuritypolicyfieldontheusermasterrecordisleftblank,thesystemprofileparametersareappliedasadefault.
1.6Centraluseradministration(CUA)An SAP landscape consists of several SAP systems with potentially severalclients each. Most SAP ERP landscapes have at least one development(configuration),onequality(testing),andoneproduction(live)client.Theseclientsareusedtomaintainsystemstabilitybytransportingandtestingchangespriortointroductionintothelivesystem.Individualusermasterrecordsmustbecreatedandmaintainedineachclientwithineachsystem.
Utilizingcentraluseradministration (CUA)allowstheSAPSecurityadministratortocreateandmaintainallusersinonesystem.All informationstoredintheusermasterrecordisdistributedtothedependentsystems.
2RoleoverviewThischapterprovidesanoverviewofuserrolesinSAPandintroducestheprofilegeneratortransaction(PFCG).Arole inSAPcanbethoughtofasaperson’sjobinSAP,orasubsetofaperson’sjobresponsibilitiesinSAP.
ExampleofauserroleinSAP
Forexample,ifTracyLevineisasalesclerkatcompanyXYZ,herSAP user roles reflect sales clerk access. Tracy can have oneroleassigned toher thatwillbeacompilationofall transactionsandauthorizationsrequired.However,Tracycanalsohavemany
rolesassigned,whichintotalitywillprovideherthepermissionsnecessarytocompleteherjobtasks.
A role in SAP is created by the profile generator (transaction PFCG). Rolesprovideaccess to transactions, reports,Webapplications,etc.Withineach role,youcanalsoviewandmaintainuserassignments.TheruleofleastprivilegeisafundamentalprincipleinSAPSecurity.Therulecanbesummarizedbythenotionthatausershouldbegivenexactlywhatisneededtoperformthejob;notmuchmoreandnotmuchless.
2.1RoletypesTherearetwotypesofSAProles:singleandcomposite.Furthermore,singlerolescanbesetupasreference-derivedrolesorenablerroles.Thissectionprovidesabrief overview of each type of role and what each type is used for. Chapter 3shows how to create each role and maintain it using the profile generatortransaction(PFCG).
Singlerolesprovideaccesstoactionsandpermissionsthatmakeupauser’sjoborasubsetofjobresponsibilities.Actionscanbethoughtofastransactionsandpermissions thought of as authorization objects and associated field values.SinglerolesarethemostcommontypeofSAProle.
Actionsandpermissionsexample
SalesclerkToddLevineneedstobeabletocreateandmaintainsales orders in SAP. This translates to transaction codes VA01and VA02. However, Todd can only maintain certain sales doctypes (he is not allowed to create return orders) and is only
authorized to do so using company code 1000. These limitations arecontrolledbyhisexplicitaccesstovariousauthorizationobjectswithinhisuserroles.
Referenced-derived rolesare roles that inherit themenustructure,authorizationobjects, and authorization values from an existing role. Derived roles are oftencalledchildroles,whereastheimpartingrolemaybecalledtheparentormasterrole.Aderivedroleisusefulwhenyouwanttomirrortheexactsamefunctionalityas the master role, but want to manipulate the organizational levels. Whencreatingderivedroles,organization levelsanduserassignmentsarenotpassedfromtheparenttothechild.Infact,thesearetheonlyroleattributesthatshouldbemaintaineddirectlyinthederivedrole,allotherchangesshouldbemaintainedinthemasterroleandinheritedbythechildren.
Reference-derivedroleexample
Asnotedabove,ToddLevine isasalesclerk forcompanyXYZ.However,Toddonly needsaccess tomaintain and create salesorders for company code 1000. Marla Levine, however, needsaccess to maintain and create sales orders for company code
2000.Otherwise,theiraccessshouldbeidentical.Inthiscase,amasterrole,Z_MAINT_SALES_ORDERS_ALL would be created as the parent orimparting role. Two derived roles, Z_MAINT_SALES_ORDERS_1000 andZ_MAINT_SALES_ORDERS_2000 would be maintained as referenced-derivedroles.
Manycompaniesuseareference-derivedroleasatacticaltooltoreducethetimeandresourcesnecessaryforongoingrolemaintenance.Reference-derivedrolesare also used as a case for scalability because they can easily bemixed andmatched to fit a business user’s job responsibilities and organizationalassignments.
Anenablerrolecanbethoughtofasabolt-onrole.Unlikederivedroles,enablerrolesarecreatedwithoutanylinktoanalreadyexistingrole.Enablerroleshavemanuallyaddedauthorizationobjectsaddedtothemwithonlydesiredfieldvaluesmaintained.
Enablerroleexample
Releasestrategiesareacommonexampleofwhenenablerrolesareuseful.Anexampleiswhenacompanywantsallpurchasingadministratorstohaveaccesstoallpurchasing-relatedactivities,butwantstolimittheteam’saccesstospecificreleasestrategies
basedonlevels.ReleasestrategyauthorizationiscontrolledbyasingleSAPauthorizationobject:M_EINK_FRGwhichhas two fields,ReleaseCodeandRelease Group. This authorization object can be inactivated within thepurchasingadminroleandbolt-onenablerrolescanbecreated,oneforeachReleaseCodeandReleaseGroupcombinationandassignedadhoctoeachpurchasingadmin.
Acompositerole, also knownasa collective role, is agroupingof twoormoresingle roles. Composite roles are used for the purpose of simplifying theassignment of roles to users.Composite roles do not contain any authorizationdata, only other roles. Furthermore, composite roles can only be groupings ofsingleroles,notothercollectiveroles.
3ProfilegeneratorandrolemaintenanceoverviewThischapterintroducestheprofilegeneratortransaction,PFCG.TheprofilegeneratortoolisresponsibleforenablingtheSAPSecurityadministratortocreatespecificuser roles,whichcontainauthorizations tovarioussystemfunctions.Chapter4 identifiestherelationshipbetweenprofiles,roles,andauthorizationsandthebasicmaintenancefeatureswithinthetransaction.
3.1Whatisaprofile?Theprofilegenerator isa tool thatcreatesSAPuser roles,whichcorrespond toprofiles.AccesstotheprofilegeneratorisviatransactioncodePFCG.AprofileisacollectionorgroupingofSAPauthorizations.
Roledefinitions
Best-in-classSAPSecurity roledesigns take intoaccount somecritical success factors, considering sustainability and scalabilityare absolutely essential when designing SAP Security roles.Furthermore, involving the business in role content and
governanceisimperative.
3.2Whatisanauthorization?Thefollowinginformationisstoredinaprofile:
Authorizationobjectclasses
LogicalgroupingofauthorizationobjectsContainoneormoreauthorizationobjects
Authorizationobjects
FieldslinkedtovariousdatabasetablesCancontainupto10fields(seeFigure3.1)
Authorization
AninstanceofaspecificauthorizationobjectAllowingseveralauthorizationsforanauthorizationobjectwithcombinationsofdifferentfieldvaluesAninstancecanbetrackedbyuniquetwo-digitnumber
Authorizationobjectexample
AuthorizationobjectV_VBAK_AATiscontainedinthebelowroletwice, hence, two authorizations (T-I855600400 and T-I855600401). The authorization object class is SD (Sales andDistribution). This authorization object controls the assigned
users’ ability to maintain various sales document types. The twoauthorizations combined dictate authorization for the business process intotality.Theusercandisplayallsalesdocumenttypes,butonlymaintainandcreatestandardsalesorders.
Figure3.1:AuthorizationobjectasseenintransactionPFCG
Thereareover20,000standardSAPauthorizationobjects.
3.3ProfilesandrolesAlthough a role and a profile may seem similar, there are a few distinctdifferences.Rolesare theactualcontainers forstoringauthorizationobjectsandtheir values. Once the user roles are generated in PFCG, the profiles aregenerated. Typically, the ratio of roles:profiles is 1:1, however, only 150authorizations can fit intoaprofile. If thenumberof authorizationswithin a roleexceeds150,anewprofileisautomaticallycreatedwithintheprofilegenerator.
Roles are added to usermaster records via transactionSU01.When roles areadded with a proper validity date, the corresponding authorization profiles areassignedtotheuser.Asareminder,arolecanbethoughtofasauser’sroleorasubsetofjobresponsibilities.
Figure 3.2 is a simple graphical depiction provided by SAP of the SAPAuthorizationConcept.
Figure3.2:SAPAuthorizationConcept“(AuthorizationObjects-ASimpleGuide,”SAP)
4AdvancedtopicsforrolemaintenanceThe profile generator is an SAP tool in which roles are created and thengenerated to create profiles. As a reminder, a profile is a collection ofauthorizations.
4.1ProfilegeneratordeepdiveThefollowingsectionprovidesanoverviewintotheprofilegeneratortoolandhowthePFCGtransactioncanbeused.Role/profilemaintenanceisalwaysperformedinthedevelopmentclient, transportedtothequalityenvironmentfor testing,andfinallymovedtotheproductionenvironmentforuse.
Figure4.1:PFCGtransactionhomescreen
AsshowninFigure4.1,thehomescreenofPFCGhasanabundanceofbuttonsin order to create andmanipulate roles. The following is an explanation of themost importantscreenelements,beginningat the topof thescreenandmovingfromlefttoright:
TheDOUBLEPAPERbuttonisusedtocopyanexistingroleorelementsofoneroletoanother.
TheTRASHCANbuttonisusedtodeleteanexistingrole.
Tipfortransportingroledeletions
If a to-be-deleted role already exists in clients other thandevelopment(qualityandproduction)thenitmustbeplacedinatransportrequestfirst.Theprocesstodeletearolefrommultipleclients is to place it in a transport request in the development
client,delete therole in theprofilegenerator,and thenrelease the transportrequestandmoveittoqualityandproduction.Thisprocesswilltransportthedeletiontotheotherclientsaswell.
TheTRUCKbuttonisusedtotransportarolefromthedevelopmentenvironmenttoqualityandproduction.
ThefirstBOXWITHARROWSbuttonthatdisplaysthewordtransactionisusedtosearchforrolesthatcontainaspecifictransaction.
IntheROLEtextfield,therolethatistobecreated,changed,deleted,orcopiedmustbeentered.
Thenexttwobuttons,thePENCILbuttonandGLASSESbuttonarerepetitivein
theirmeaningthroughouttheSAPsystem.Theformerisforrolemaintenanceandthelatteristodisplayroles.
ThesecondBOXWITHARROWSbuttononthesameplaneastherolenamewilldisplayawhere-usedlistfortherole.Thewhere-usedlistappearsiftheidentifiedroleiscontainedinanycompositeroles.
Thefinaltwoimportantbuttons,theSINGLEPAPERandCOMPOSITEPAPERbuttons,indicatetheroletypetobecreated.InSection4.3youwilllearnmoreaboutthedifferencesbetweensingleandcompositeroles.
Inorder to createa role, first identify the rolename in theROLE text fieldof thePFCGlandingscreenandclicktheSINGLEPAPERbuttontocreate.
Rolenametip
Prior to role creation, an explicit naming convention should bedeterminedforallroles.Rolenamescanbeupto40charactersinlengthandshouldaccuratelyreflecttherolecontent,includingtransactions, authorizations, and organizational entities that it
providesaccessto.Rolenamesmustbeuniqueandcannotstartwith“SAP.”The roleswhichdobeginwith “SAP”arepredelivered templatesandshouldbecopiedandre-namedpriortobeingmaintained.
The following screens provide a walk-through of the role creation and profilegenerationprocesses.Rolemaintenanceworksinthesamemanner.Throughoutthe different tabs and screens within PFCG, you will notice an abundance ofTRAFFICLIGHTS. The traffic lights are red, yellow, or green indicators that indicatehowfaralongyouareintherolecreationprocess.
Figure4.2:PFCGdescriptiontab
Thedescriptiontab,asseeninFigure4.2,isusedtoprovideadescriptionoftherole and its contents. TheLONG TEXT box enables the security administrator tonote additional information that may be useful for future role maintenance andalsotoleavealogofallchangesthathavebeenmadetotheroleovertime.TheDESCRIPTIONtabidentifiestheusername,date,andtimethattherolewascreatedand the last time itwaschanged.Thiscanbeveryuseful information if there ismorethanonesecurityadministratorcreatingorchangingroles.
Transaction inheritance allows the role to derive authorizations fromanexistingrole. If the role isderived, theparentormaster roleappears in theDERIVEFROMROLEtextbox(moreonderivedrolesinSection4.3).
Figure4.3:PFCGmenutab
TheMENUtabisprimarilyusedtobuildtheroleatthetransactionlevel.Thisisthefirststepinsupplyingtherolewithauthorizationsthatallowuserstocompleteoneormore tasks in thesystem.Aside from transactions,otherobjectscanalsobeadded to the role via the MENU tab such as Web applications and reports.Additionally, foldersmaybeaddedto themenu(FOLDERbutton)andtransactionscanbearrangedusing these folders,whichwill translate tohowtheyappearontheuser’shomescreenuponloggingintoSAP.
ThefollowinglistprovidesanexplanationofalltheimportantscreenelementsinFigure4.3.
TheARROWbuttonsallowthesecurityadministratortonavigatethemenu.
TheTRANSACTIONbuttonisusedtoaddatransactiontoaroleorotherobjectsthatcanbeselectedfromthedrop-downlist.
Deletesatransaction,report,orotherobjectfromthemenu.
Togglestechnicalnamesonandoffinthemenu.
Technicalnamesinmenu
If technical names are enabled, transactionVA01will appear inthe MENU tab as “VA01 – Create Sales Order,” if they aredisabled, the transaction will appear simply in the menu as“CreateSalesOrder.”
COPYMENUSbuttoncanbeusedtocallrolemenusfromatemplateorwithinanotherrole.
ADDITIONALACTIVITIEsbuttonallowstheadministratortheabilityto:
TranslateanodefromonelanguagetoanotherDisplayanydocumentationfortransactions,programs,etc.SearchinReportDocumentation
Menutabexample
Auserneedsaccess to transactioncodeVA01 (CreateaSalesOrder).Thesecurityadministrator thengives theuseraccess tothistransactionbyaddingVA01tothemenuintheroletowhichtheyarealreadyassigned.
Ultimately,theMENUtabisusedtomanagerolecontentatthehighestlevel,whichtypicallyequatestotransactioncodes,reports,andWebservices.
Theheartoftherole/profilemaintenanceprocesslieswithintheauthorizationtabofPFCGbecause this iswhereall the authorization data is configured.As youcanseeinFigure4.4,noauthorizationcurrentlyexistsfortherole.
Figure4.4:PFCGauthorizationtab
Inordertoconfigureauthorizationdatafor therole,oneof twobuttonsneedstobepressed:
TheCHANGEAUTHORIZATIONDATAbuttonenablesyoutomanipulateauthorizationdatathatalreadyexistsintherole.
TheEXPERTMODEFORPROFILEGENERATIONbuttonallowstheroleadministratortochoosethemechanismforpopulatingandchangingroleauthorizationdata.
Manipulatingroleauthorizationdata
The best practice for manipulating role authorization data is toselect thebuttonEXPERTMODEFORPROFILEGENERATION.Whennoauthorization data currently exists for the role, no options forauthorizationmaintenanceappear.EXPERTMODEwillonlydisplay
optionsif theauthorizationdatawaspreviouslyconfiguredandsaved.Whenroledatahaspreviouslybeenconfigured,theroleadministratorshouldalwaysselect theoption for “ReadOldStatusandMergewithNewData.”Thiswilladd or remove any default authorization objects and values that SAPassociates with changes that have been made in theMENU tab. The datarepository that stores the relationships between transactions, authorizationobjects,andvalues(andcanbemanipulatedtomeettheneedsofthespecificSAPclient)isintransactionSU24(seeSection5.4).
The first screenwithin the authorization tab is theDEFINEORGANIZATIONAL LEVELSwindow as seen in Figure 4.5. The screen appears if any of the authorizationobjects associated with the transactions in the MENU tab check for anorganizationalfield.Suchfieldsincludecompanycode,salesorganization,plant,accounttype,etc.ArolecanhaveaccesstooneormoreorganizationalvaluesforeachfieldintheORGANIZATIONALLEVELSwindoworopen-wideaccess.
Fieldvalueswithopen-wideaccess
Ifthedesiredvalueforanauthorizationfieldisopenaccesstoallpossiblefieldvalues,the“*”indictormaybeused.Forexample,arolemay have access to all sales organizations within a singlecompany code. In this instance, the company code fieldwill be
populatedwith“1000”andthesalesorgfieldwillbemarkedas“*”withintheORGANIZATIONALLEVELSwindow.
TheSAPbestpracticeistopopulateorganizationfieldvaluesonlyinthiswindow.Any fields populated in this window will automatically distribute to anyauthorization objects inwhich they reside. This practice is essential in order to
ensure role integrity. TheORGANIZATIONAL LEVELS windows distribute the enteredvalues inallauthorizationobjects inwhicheach field ispresent,so that therolehas consistent access to the same organizational entities, which should bereflectedintherolename.
Figure4.5:Theroleorganizationlevelswindow
After theORGANIZATIONAL LEVELSwindow is populated and the values have beensaved, all authorization objects associated with the role appear, as shown inFigure 4.6. Youmay now be asking yourself, what really just happened?WhatexactlyamIlookingat?Here’sarecap:
1. TransactionswereaddedtotheMENUtabfortherole.2. Thenecessaryauthorizationobjectswereautomaticallypulledintotherole
basedonthetransaction/authorizationrelationshipdatastoredinSU24.3. Ascreenappeared,whichrequiredthatallorganizationaldatafortherole
bedefined.Thisorganizationaldataiscontainedinoneormoreauthorizationobjectswithintherole.
4. Ascreenappearswithtrafficlightindicators(seeFigure4.6)whenauthorizationdatafortheroleismaintained.
Figure4.6:Roleauthorizationdatascreen
Beforecontinuingonwithauthorizationmaintenance,hereisarecapofafewkeydefinitions:
Authorizationobjectclasses
LogicalgroupingofauthorizationobjectsContainoneormoreauthorizationobjectsSalesandDistributionisanexampleofanauthorizationobjectclassasseeninFigure4.6
Authorizationobjects
FieldslinkedtovariousdatabasetablesCancontainupto10fieldsV_VBAK_AATisanexampleofanauthorizationobjectasseeninFigure4.6
Authorization
AninstanceofaspecificauthorizationobjectEnablingseveralauthorizationsforanauthorizationobjectwithcombinationsofdifferentfieldvaluesAninstancecanbetrackedbyuniquetwo-digitnumberT-I855604900isanexampleofanauthorizationasseeninFigure4.6
Thefollowingscreenelementsontheroleauthorizationscreenareimportant:
Expandallroleauthorizationdata
Collapseallroleauthorizationdata
Generateauthorizationdata.Thisbuttonwillcreateorupdatetherole’sassociatedprofile(s)uponcompletionofauthorizationmaintenance.
Deleteauthorizationfromtherole
Manuallyaddauthorizationobjecttotherole
Specifyorganizationallevelsfortherole
Whatdothe“trafficlights”indicate?
Green:FullymaintainedauthorizationfieldsYellow:PartiallymaintainedauthorizationfieldsRed:Unmaintainedorganizationallevels.Aspreviouslystated,returningtotheORGANIZATIONALLEVELSwindowandmaintainingtheorgvaluesinthesinglelocationwillrectifythis.
Possible field entries for an unmaintained authorization field can be found byclicking on the PENCIL button.Various pop-upwindowsmay be visible upon thisaction to aid the administrator in populating authorization fields. Figure 4.7displays possible field values forSALES DOCUMENT TYPE for authorization objectV_VBAK_AAT.Upon clicking the PENCIL button, a pop-up appears inwhich fieldvalues can be manually entered or the administrator can further select from adrop-downmenu.Anadditionaloptionforthesecurityadministratoristopopulatearangeoffieldvaluesforthegivenauthorization.
Figure4.7:Authorizationobjectandpotentialfieldvalues
Onceall fieldshavebeenmaintained foranauthorization, theassociated trafficlightturnsgreen.Alltrafficlightsappeargreenwhenallauthorizationfieldswithinthe role have been maintained. Once all authorization fields have beenmaintained, the final step is to generate the profile(s) associated with the role.Thisstep isessential! If theprofile isnotgenerated, theassigneduserswillnotreceiveaccesstothetransactionsandauthorizationswithinthesystem.Inorder
togeneratetheprofile(s),clickthebeachballbuttonontheauthorizationscreen().Apop-upscreenappears toallow theadministrator tomanuallychange the
nameof theauthorizationprofileorkeepitastheSAPstandard.Oncethisstephas been completed, a message appears stating successful generation of theauthorizationprofile(s).
Recap
The SAP Security administrator just finished configuring all theauthorization data for the role. Field-level authorizations weredefined for all authorization objects automatically brought in bythe transaction codes in the MENU tab. The profile was then
generatedandanyuserassignedto thisrole isable toaccessthe identifiedtransactioncodesandfield-levelauthorizationswithintheSAPsystem.
A profile can only contain 150 individual authorizations. Therefore, if a rolecontainsmorethan150authorizations,aseparateprofilewillbegeneratedforeachset.
Ausermasterrecordcanonlybeassignedto312profiles.
Aftergeneratingtheprofile,itisbesttobackoutoftheauthorizationwindowandgototheUSERtab(seeFigure4.8).Withinthistab,auserorgroupofuserscanbeassignedtotheroleinthesamemanneranindividualusercanbeassignedtomultipleroleswithintheusermasterrecord.TheUSERCOMPAREbuttonreconcilesthe usermaster records of the users entered onto this tab. A user comparisonmustbecompletedafterusershavebeenenteredonthistabofPFCGinorderfortheseuserstoreceivetheauthorizationswithintheroles.TheFROMandTOfieldscanbeutilizedtospecifyusers’accesstoarolebydate,whichcanbeuseful ifthe user is substituting responsibilities for another or testing a particularfunctionality.
Usercomparison
A user comparison must be completed after users have beenselected in order for these users to receive the role and itsauthorizations. Not unlike the rest of the role maintenanceprocess,theUSERtabwillcontinuetohavearedtrafficlightuntila
usercomparisonhasbeencompleted.
Figure4.8:PFCGUsertab
Aspreviouslystated,SAPcomeswithhundredsofroletemplatesthatbeginwith“SAP”andcanbeusedastemplatesforrolecreation.
4.2Authorization-objectlevelsecurityNow that you have reviewed all the required steps in the role creation andmaintenance process, it is time to dig a little deeper. At this point youmay beaskingyourself,“Ok,soIknowallthetechnicalsteps,buthowdoIknowexactlywhatfieldvaluestoincludeforagivenauthorizationinPFCG?”TherearemanytipsandtricksthatwillaidtheSAPSecurityadministratorinfillingoutthecorrectinformation.
Thefirstandmostsimplisticwaytomaintainthefieldvaluesforanauthorizationistoaskafunctionalpersonwhoiswithinthedepartmentthatisrequestingtheroleto be created or changed. Continue to use authorization object V_VBAK_AAT,Authorization for Sales Document Types, with this example. V_VBAK_AATcontains twoauthorization fields:ACTIVITYandSALESDOCUMENTTYPE (seeFigure4.9).Thefunctionaldepartmentshouldbeprivytothesalesdocumenttypes(i.e.standard orders, return orders, and quotations) and activity types (i.e. create,change,anddelete)includedinthisrole.
Ifthefunctionaldepartmentcannotprovidetherequiredinformation,thenextstepwould be to use all of the relevant information on the screen and do furtherresearchwithintheSAPsystem.
Figure4.9:Roleauthorizationscreen
Noticethebuttonthatlookslikeamountainrange.Onceclicked,apop-upwindowappearsanddisplaysthetransactionsinthisrolethatareassociatedwiththeauthorizationobject(seeFigure4.10).Thepop-upwindowalsodisplaysthefieldvaluesthatareautomaticallybroughtintotheroleforthatobjectwhenthetransactionisadded.Asareminder,thisrelationshipinformationisstoredandcanbemanipulatedintransactionSU24.
Otherrelevantinformationprovidedontheauthorizationwindowisthetechnicalnameforeachfieldvalue.Ifthefunctionaldepartmentdoesn’tknowtheinformationyouareaskingthemtoprovide,youcanmakenoteofthetechnical
fieldname(inthiscaseAUART)andgotothecorrespondingtransactioncode(VA01).Lookforthefield(SALESDOCUMENTTYPE)onthescreen(seeFigure4.11)andshowittothefunctionalteam.
Figure4.10:Authorizationobjectandtransactionrelationship
Figure4.11:Salesdocumenttypeasitappearsinfunctionaltransaction
Ifyoucannotfindthefieldexplicitlylabeledonthescreen,youcanusethe“F1”key(help)oneachfielduntilyoufindthecorrectone(asinFigure4.11).Thispop-upwindowwilldisplayvaluableinformationaboutthefieldanditsuse,aswellasafunctionalbusinessexampleofitsapplication.Thepop-upwindowwillalsohavea TOOLS (technical information) button that when clicked will provide otherinformationthatmayproverelevant(seeFigure4.12).
Figure4.12:Fieldtechnicalinformation
InFigure4.12,youcansee that the technical fieldname(AUART)matches thetechnical name in the authorization role. At this point, the SAP Securityadministratorcanshowthefunctionalteamthefieldnameinthetransactiontheyareattemptingtodefine.
If an organizational field is unmaintained, it appears red in the authorizationwindow (seeFigure4.13).Noticehow the fieldnamehas theword$VKORG inthelinewherefieldvalueswouldordinarilybemaintained,this isoftenhowtheyappear when an organizational level has not been determined. Once the fieldlevel has been assigned in the ORGANIZATIONAL LEVELS window, $VKORGdisappearsandthefieldvaluesappearasmaintained.
Figure4.13:Authorizationobjectwithunmaintainedorglevel
Pressing“F1”onauthorizationobjectsand fieldswithin thePFCGauthorizationwindow will also produce a list of helpful information. Such information mayincludeadescriptionoftheauthorizationobjectandpotentialfieldvalues.
TransactionSU21canalsoaidthesecurityadministrator infindingsimilarusefulinformation. As seen in Figure 4.14, clicking on the respective module (in thiscase SD) and the authorization object (V_VBAK_AAT) will show additionalinformation.
Figure4.14:SU21landingscreen
ClickingtheDISPLAYOBJECTDOCUMENTATIONbuttoninFigure4.14producesapop-upwindow with the authorization object definition, field-level information, andpossiblefieldvalues(seeFigure4.15).
Figure4.15:Objectdocumentation
Once a role has been tested, it may be necessary to inactivate or delete aninstanceofanauthorizationobjectortheauthorizationobjectitselfifuseraccessisnotrequired.Remember:asingleauthorizationobjectcanhavemorethanoneset(instance)ofdefinedfieldvalues.
Figure4.16:Inactivatedauthorization
Toinactivateaninstanceofanauthorizationobject,clickontheMINUSbuttonfortheinstance,asseeninFigure4.16.
NoticethatonceaninstancehasbeeninactivatedaTRASHCANappears,sothattheinstancecanbedeleted.Ifmorethanoneinstanceofanauthorization
objectexists,thesamemethodisused,butclicktheINACTIVATEbuttonattheobjectlevel.
Thebuttonthatreplacestheinactivatebuttonallowsyoutore-activatetheinstanceorobjectthatwaspreviouslyinactivated.
Alwaysinactivate
Personalexperiencedictatesthat it isalwaysbetterto inactivatean instance of an authorization, but not to delete it. If the SAPSecurity administrator ever needs to refer back to the originalstateoftherole,theyareabletoifthispracticeisfollowed.
If the administrator wishes to copy an instance of an authorization object, theyonly need to click on the authorization, select EDIT from the menu path, andchoose COPY AUTHORIZATION. This will produce an identical instance of theauthorizationthatwasselected.
Oncealltheauthorizationdatafortherolehasbeenconfigured,theadministratorcancleanup theauthorizationwindowbymerging identicalauthorizations.Thiscan be done by selecting UTILITIES from the menu path and choosing MERGEAUTHORIZATIONS.Thistaskwillcombineauthorizationsandmayreducethenumberofprofilescreatedfortherole(rememberonly150authorizationscanfitwithinaprofile). To view all the profiles for a single role, select AUTHORIZATIONS from themenupathandchoosePROFILEOVERVIEW.Onlythefirstprofilewillbedisplayedontherole’sauthorizationtab.
4.3RoletypereviewThere are three different types of SAP standard roles: single, derived, andcomposite(collective)roles.
4.3.1SinglerolesA single role contains authorization data. Section 4.1 discussed how to createsinglerolesusingtheprofilegeneratortransaction(PFCG).
4.3.2CompositerolesAcompositerole, also knownasacollectiverole, is a grouping of single roles.Whenacompositeroleisassignedtoauser,allthesinglerolesassociatedwiththatcompositeroleappearintheusermasterrecord.Theuserwillhaveaccesstoalltheauthorizationdatacontainedinthosesinglerolesandiftheauthorizationsinasinglerolechange,thecompositerolewillautomaticallybeupdatedaswell.Creatingacompositerolealsobeginsintheprofilegeneratortransaction(PFCGlandingscreen).First,entertherolenameasdesired,inthiscaseZ_AP_CLERK(asseeninFigure4.17)andthenclicktheCOMP.ROLEbutton.
Figure4.17:Creatingacompositerole
Aswithasinglerole,makesuretoenteraroledescriptiononthedescriptiontab.Thelongtextboxcanalsobeusedtorecordadditionalinformationabouttheroleand its contents. It is in the roles tab that the single roles contained in thecompositeareidentified,asseeninFigure4.18.
Figure4.18:Rolestabincompositerole
Rolescanbemanuallyenteredorselectedfromthedrop-downboxandsearchedfor by a role.Any user assigned to a composite role can see a composite rolemenu upon logging intoSAP.On themenu tab of the role, allmenus from thesingle rolescanbe imported into thecomposite tocreateacollectivemenu.Aswithasinglerole,userscanbeassignedtoacompositerolewithintherole’susertaborfromtransactionSU01(usermasterrecord)orSU10.
Figure4.19:CompositeroleassignmentinSU01
You will notice in Figure 4.19 that the composite role assignment appearsdifferently in the usermaster record than previously assigned single roles. Thecolored circles next to the role name indicate the type of role that has beenassigned,onecircle indicatesasingle roleand twocircles indicateacompositerole.Thetypecolumnalsoshowswhethertherolehasbeendirectlyorindirectly(fromacompositerole)assigned.Thesinglerolesthatareassignedasaresultofthecompositeroleassignmentcannotberemovedfromtheuser’smasterrecordwithoutremovingtheentirecompositerole.
4.3.3DerivedrolesAreference-derivedrole isa typeofsingle role that inherits themenustructure,transactions,reports,andanyotherobjectsfromanexistingrole.Aderivedroleisusefulwhena need exists tomimic a role’s functionality, but provide access todifferent organizational levels. In a derived role, theonly elements not inheritedareuserassignmentsandorganizationallevels.Aderivedroleisalsoreferredtoas a child role, and the role from which it inherits its authorizations is oftenreferredtoasaparentroleormasterrole.
Derivedroleexamples
Jen and Allyson are both sales clerks and need access to thesame transaction codes and authorizations, however, Allysonworks in sales organization 2000, whereas Jen works in salesorganizations2000and3000.Theirboss,Tracy,worksacrossall
salesorganizations.Derived rolescanbecreatedbasedon theall-inclusiverole that Tracy has and limited to company codes 2000 and 3000. Jenwill
receivebothderivedrolesandAllysonwillreceiveonlytheonefor2000.
Now,youmayarguethatintheexampleabove,Tracy’srolecouldbecopiedandtheORGANIZATIONALLEVELSwindowcouldmerelybemanipulatedtoaccountforthedeviations insalesorgaccess.This ispossible;however, ifanewtransaction ismade to Tracy’s role, the corresponding derived roles would be updated,decreasingredundancyandman-hours tomaintain theroledesign. If therole iscopiedandchanged,thetransactionneedstobeaddedtothecopiedroles.
Tocreateaderivedrole,beginwiththesamestepsasforanysinglerole.Gototheprofilegenerator transaction (PFCG)andenter thederived rolename in theROLEtextboxandclicktheSINGLEROLEbutton,asseeninFigure4.20.
Figure4.20:Creatingaderivedrole
Thenextstep is toenter theparentormaster role in theDERIVEFROMROLE textbox. The system prompts you to confirm that you desire to enter the specifiedimpartingroleinapop-upwindow(seeFigure4.21).
Figure4.21:Identifyingtheparent(master)role
Aftersaving,themenutabtrafficlightturnsgreen.Thisisbecausethemenuhasbeen brought over from the parent role. Alternatively, the traffic light on theauthorizationtabisstillred.Theauthorizationsandtheirfieldvaluesstillneedtoberetrieved.Todothis,backoutof thederivedrole to thePFCGlandingpage,entertheparentroleinchangemode,andgototheauthorizationwindowfromtheauthorization tab. When a single role becomes a master role, a new buttonappears in theauthorizationwindow.ThisbuttonhasTWOBOXESANDTWOARROWS
onitandappearsnexttothePROFILEGENERATIONbutton(seeFigure4.22).
Figure4.22:Pushingauthorizationstochild(derived)roles
Thenewbuttonthatappears isusedtogenerate theassociatedderivedrole(s).Therecanbenumerousderivedrolesassociatedwithoneparentroleiftherearemanyorganizational levels forwhichaccessneeds tobedifferentiatedamongstthe user population. Upon clicking this button, a pop-up window appears to
confirmyouractionandoncethisiscomplete,theprofilesforthederivedrolesaregenerated and the authorization objects and field values are populated in theirrespectiveauthorizationwindows.
Thelaststepistoupdatethederivedrole’sorganizationalwindowwiththecorrectvalues todifferentiate it from themaster role.Such is thecasewith the role,asshowninFigure4.23,whichisspecifictosalesorganization1000.Asalways,therolemustbesavedandtheprofilegenerated.
Figure4.23:Updatingorglevelsinderivedrole
4.3.4BestpracticesforSAProledesignsThesinglemostimportantruletolivebyasanSAPSecurityadministratoristheruleof leastprivilege.Theruleof leastprivilegedictates thatusersshouldhaveexactly what they need to do their daily jobs and very little else. Most SAPSecurityexpertswillpromotea task-basedroledesign inwhicheachsinglerolecorrespondstoaspecific task in thesystem,suchasmaintainpurchaseorders.Byutilizingatask-basedroledesign,singlerolescanbemoreeasilymixedandmatched to account for differentiation between users who may have the exactsame job title, such as AP clerk, but may not need authorization to performidentical tasks. As previously stated, all role names should be as explicit aspossibleandbeanaccuraterepresentationoftheauthorizationscontainedintherole.Position-basedcompositeorcollectiveroles(i.e.RoleforAPClerk)canbecreated, but the best practice is to create these based on the lowest-levelcommondenominatorbetweentheuserswhosharethistitle.
Position-basedcompositeroles
Thereare3APclerksincompanyXYZ.XYZutilizesatask-basedrole design with position-based composite roles. AP Clerk 1needstaskrolesA,B,C,D,andE.APClerk2needstaskrolesA,B,C,D,andF.APClerk3needstaskrolesA,B,andC.The
compositeroleforAPClerkshouldincludetask-basedsinglerolesA,B,andC.Clerk1shouldalsoreceivetaskrolesDandE,andClerk2shouldreceivetaskroleDandF.
User access reviews should be performed on a periodic basis to certify theassignmentofrolesandauthorizationsandtoreduceaccesscreep.Accesscreepoccurs when users gain access to roles and authorizations that they do notrequire.
Accesscreepscenarios
Accesscreepmaybedifficulttodetectandcanoccurforavarietyofreasons.Themostcommonaccesscreepscenariosinclude:
1.Oneuserfillsinforanothertemporarilyandtheiraccessisnotremovedupontheoriginaluser’sreturntowork.
2.Auserrequiresaccesstoanadditionaltaskinthesystem.Thisaccessisthen added to one of the user’s roles and others who do not require theaccessinadvertentlyreceiveitthroughtherole.
3.Auserperformsataskonacyclicalbasisandretainstheaccesswhentheynolongerrequireit.
Now that you understand the rule of least privilege and access creep, you areready forsegregationofduties (SoD) risks.Theonlysegregationofduties risksthatshouldoccurwithinanSAPsystemare those thatareunavoidableandnotmerelyaresultofaccesscreep.SoDrisksareunavoidablewhentheresimplyarenotenoughindividualsinafunctionaldepartmenttosplitupallofthejobtasksinthemannernecessarysothatnorisksoccur.Securityadministratorscanworkinconjunctionwith a company’s internal audit team and external auditor to betterunderstand their specific risk and controlsmatrix and how to prevent avoidableSoDviolations.
4.4TransportingauthorizationsRolechangesarealwaysdoneinthedevelopmentenvironmentandtransportedto thequalityenvironment for testingand to theproduction system for liveuse.Usermasterrecordchangesareconducteddirectly inproduction,as it isabestpracticenottomoveuserroleassignmentswhentransportingroles.Thetransportmanagementprocessincludesthreedistinctsteps.
1.Createtransportrequest
Rolescanbetransportedindividuallyorinlargegroups.Inordertotransportasinglerole,clickontheTRUCKbuttononthePFCGlandingpage(seeFigure4.1)andfollowtheprompts.Totransportgroupsofroles,clickonUTILITIESinthemenubaronthePFCGhomescreenandchooseMASSTRANSPORT.Rolelistscanbeselectedfromthedrop-downboxorlistscanalsobecopiedfromtheclipboardpriortoexecuting,asseeninFigure4.24.
Figure4.24:Masstransportofroles
Thefollowingstepswillbethesameregardlessofwhetherasingleroleoragroupofrolesarebeingtransported.Apromptwillappearforacustomizingrequest(transport).Tocreateanewtransportrequest,clickthePAPERbuttononthepop-upbox(seeFigure4.25).EnterashortdescriptionandclicktheFLOPPYDISKbuttontosave.
Figure4.25:Creationofcustomizingrequest
Afterthetransporthasbeencreated,makesuretojotdownthetransportnumberbecauseyouwillneeditinthenextstep.OnceyouenterthroughthepromptforCUSTOMIZINGREQUESTscreen,therolesincludedinthetransportwillappear.Asalways,successisindicatedbygreentrafficlights,whereasredtrafficlightsindicateanerrorwiththeinclusionofaspecifiedrolewithinthetransport.Rolescanalsobeaddedtoanexistingtransportbysearchingfortheexistingrequestnumberinsteadofcreatinganewrequest.
2.Releasetransportrequest
GototransactionSE10(transportorganizer)toreleasethetransportrequest(seeFigure4.26).ClicktheDISPLAYbuttonandalistoftransportrequestswillappear.
Figure4.26:Transportorganizer
Selecttherequestnumberfromthelistandexpandtheselection,asseeninFigure4.27.Highlightthelineintherequestthatislabeledastask.ClicktheSINGLETRUCKbutton.Highlightthetoplineitemintherequest.ClicktheSINGLETRUCKbutton.
Figure4.27:Transportrequestreleasescreen
Amessagewillappearoncetherequesthasbeensuccessfullyreleased.
3.Movetransporttoqualityand/orproduction
Mostorganizationswillhaveadedicatedchangemanagementprocess,whichwillincludetheprocedurebehindtransportingandtestingsecurityrolechanges.TheresponsibilityofmovingtransportrequestsusuallyfallsontheSAPBasisresource.
5SAPSecurityandAuthorizationstrouble-shootingThis chapter covers some more advanced topics, including security andauthorizationtrouble-shootingtechniques.Italsotouchesonsomevaluabletools and tables for identifying user master records and role andauthorizationinformation.
5.1ReadinganSU53TransactionSU53isuseful ifauser isareceivinganerrormessagebecauseofmissingauthorizations.TodiagnoseauthorizationerrorsusingtransactionSU53,followthesesteps:
1.HavetheuserrecreatetheerrorandIMMEDIATELYgototransaction/nsu53andsendascreenshotofthatpage.
Figure5.1:ErrorMessage:“NoauthorizationfordocumenttypeOR1”
2.Thepagewillshowauthorizationobject‘’_’’_’’andvaluesthatareneeded.
Figure5.2:TransactionSU53displayslastauthorizationobjecterrorandmissingfieldvalues
SU53example
In theabovescreenshots, user “TESTID” is aiming to createastandard sales order (sales document type OR1) in SalesOrganization1000viatransactionVA01(createsalesorder).Theuser is able to execute the transaction, but upon sales order
creationreceivestheerrormessage“noauthorizationfordocumenttypeOR1”(Figure 5.1). The user executed transaction SU53 to diagnose theauthorizationerror(Figure5.2).Astheauthorizationerror indicates,theuserfailed on authorization object V_VBAK_AAT (authorization for sales doctypes). The field values requiredare also indicated;Activity 01 (create) andSalesDocumentTypeOR1(standardorder).Currently,therolethattheuserisassignedtoonlyhasauthorizationtodisplaystandardorders.
5.2Runningatrace(ST01)Oneof thedrawbacks tousing transactionSU53 is that it only shows themostrecentauthorizationerror.Onoccasion,SU53willproducemisinformationbasedonthelastauthorizationfailure.
SU53warning
Itisimportanttoask,“Whatisthisusertryingtodo?DoesSU53makesensebasedonthejobtaskbeingperformed?”SU53maysometimes give misinformation because it only reports the lastfailure, which may not be the authorization object required
specifictotheissuethatisarising.
If SU53 is not a suitable option to diagnose an authorization, transactionST01(system trace) is a more all-encompassing option (see Figure 5.3). Trace filesshow all authorization passes and failures over a given period of time. UnlikeSU53however, transactionST01 shouldbe reserved for security administratorsandothersuper-users,suchasbasisadminsanddevelopers.To runasecurityauthorizationtraceusingtransactionST01,followthesesteps:
1.SelecttheAUTHORIZATIONCHECKradiobutton
2.PutauserIDintheTRACEFORUSERONLYfieldintheGENERALFILTERsection
3.ClickthebuttontoTURNTRACEON
Figure5.3:Authorizationtracehomescreen
4.Havetheuserrecreateerror
5.ClickthebuttontoTURNTRACEOFF
6.ClickANALYSIS
7.Fillinthecredentials(makesuretheuserIDthatyouenteristheoneyouarerunningtraceagainst)andexecute(seeFigure5.4)
Figure5.4:Analysiscredentialsscreen
8.AnytimeRC(RETURNCODE)doesnotequal0,itisafailure(asseeninFigure5.5)
Figure5.5:Authorizationtraceoutputforanalysis
Figure5.5reflectstheidenticalauthorizationerrortoFigure5.2inthattheuserisunable to create a standard order (order type OR1) in transaction VA01. Aspreviouslymentioned,anytimea line item indicates thatRCdoesnotequal, anauthorization failure ispresent.Such failuresarealso represented inadifferentcolorontheST01outputscreen.
Tipforrunningtraces
Onrareoccasions,theinformationdisplayedinanST01tracefileonlyshowsauthorizationsthattheusercurrentlyhasandwillnotaccuratelydepictauthorizationfails,whichcanmakeitdifficulttodiagnoseissues.Inthisinstance,comparethetracefileofauser
whocancompletethetaskwithonewhocannot.Theanswershouldlieinthedifferences.
5.3UsefulSAPSecuritytablesandsensitiveauthorizationsSAP Security administrators and consultants will often need to utilize technicalSAPtablestoquerylargeamountsofdataasitrelatestousersandroles.ManySAPtransactionsstorefieldinformationthatishousedinthetablerepositoryandsuch information can be viewed in transactions SE16 and SE16N, the databrowsers(seeFigure5.6).ThemostcommonlyusedSAPSecurity tablesbeginwith“AGR”and“USR(seeSection5.3.1).”
Figure5.6:HomescreenoftransactionSE16withtablename“AGR_USERS”populated
TableinformationisreturnedbasedontheselectioncriteriapopulatedbytheSAPsecurityadministrator,asseeninFigure5.7.
Figure5.7:Selectioncriteriafortable“AGR_USERS”
Figure5.8depictsthetabledatareturnedfromthechosenselectioncriteria.
Figure5.8:Datapopulatedbasedonselectioncriteria
5.3.1UsefulSAPsecuritytablesTablename:
Tabledescription:AGR_1251
Roleobject,authorization,field,andvalueAGR_1252
OrganizationalelementsforauthorizationsAGR_AGRS
RolesincompositerolesAGR_DEFINE
Toseeallroles(Roledefinition)AGR_PROF
ProfilenameforroleAGR_TCODES
AssignmentofrolestoT-codesAGR_TEXTS
RoleandroledescriptionAGR_USERS
AssignmentofrolestousersTSTCT
TransactioncodetextsUSER_ADDR
AddressdataforusersUSGRP
UsergroupsUSR02
Userdata(logondata)USR03
Useraddressdata
Authorization for the following SAPECC (ERPCentral Component) transactioncodes(seeSection5.3.2)andauthorizationobjects(seeSection5.3.3)areonlytobe assigned to roles, which indicate the inclusion of sensitive information orcriticalactions.Suchrolesaretobeassignedtousermasterrecordswithafinetoothcombandaccessmustbemonitoredonaperiodicbasistoensureretentionof such authorizations is required. The business processes of finance, humanresources, basis, and security are commonly regarded as the most critical,regardlessofindustry,asreflectedinthelistsbelow.
5.3.2SensitiveandcriticalSAPtransactionsTransaction:
Transactiondescription:CA87
MassreplaceworkcenterCAT6
HumanResourcesCL04
DeleteclassF.34
CreditlimitmasschangesF.80
MassreversalofdocumentsF044
VendorarchivingFI12
ChangehousebanksorbankaccountsIP30
Run-datemonitoringLN08
Numberrangemaintenance:LVS_LENUMMMPV
CloseperiodsMMRV
AllowpostingtopreviousperiodPA20
DisplayHRmasterdataPA30
MaintainHRmasterdataPA70
FastentryPA97
Compensationadministration–matrixPFCG
Rolemaintenance–systemintegrity,stabilityatriskRZ04
MaintainSAPinstancesSA38
ABAPreporting–canrunprogramsnotprotectedappropriatelySARA
Archivingmanagement–shouldberestrictedtoarchiveadministratorSCC1
Clientcopy–specialselectionsSCC4
Clientadmin.–systemstabilityandintegrityatriskSCC5
Deleteclient–systemstabilityatrisk
SCC6Clientimport–systemstabilityandintegrityatrisk
SCC9Remoteclientcopy–systemstabilityandintegrityatrisk
SCCLLocalclientcopy–systemstabilityandintegrityatrisk
SE01Transportorganizer–systemstabilityandintegrityatrisk
SE11Datadictionarymaintenance–systemstabilityandintegrityatrisk
SE13Maintaintechtablessettings–systemstabilityatrisk
SE16Databrowser–exposuretoconfidentialinformation
SE37Functionbuilder
SE38ABAPeditor–systemstabilityandintegrityatrisk
SM01Locktransactions–systemstabilityatrisk
SM02Systemmessages–shouldberestrictedtosystemadministratorsonly
SM30Tablemaintenance–systemintegrityandstabilityatrisk
SM49ExecuteOScommands–systemstabilityatrisk
SM50Workprocessoverview–systemstabilityatrisk
SU01Usermaintenance–shouldberestrictedtouseradministratorsonly
SU02Profilemaintenance–systemstabilityandintegrityatrisk
SU03Maintainauthorizations
SU05MaintainInternetuser
SU10Usermassmaintenance–systemstabilityataveryhighrisk
SU20Authorizationobjectfields
SU21Authorizationobjects
SU24
MaintainassignmentofauthorizationobjectsSU25
Profilegeneratorupgradeandfirstinstallation
5.3.3SensitiveandcriticalSAPauthorizationobjectsandtheirvaluesRestrictedobjectRestrictedfield:Authorizationobjectdescription:
S_DEVELOPOBJTYPEPreventdirectdevelopmentaccesstoproductionthroughDEBUG,FUGR,orPROG
S_ADMI_FCDS_ADMI_FCDSystemadministrativefunctions
S_PROGRAMP_GROUPABAP:Programflowchecks
S_RFCRFC_NAMEAuthorizationcheckforRFCaccess
S_RFCACL{Multiple}AuthorizationcheckforRFCuser(e.g.trustedsystem)
S_TABU_DISDICBERCLSTableauthorizationgrouprestriction
S_BDC_MONI{Multiple}Batchmanagementauthorization
S_BTCH_ADMBTCADMINRestrictbatchadministratoraccess
S_BTCH_JOB{Multiple}Backgroundprocessing:Operationsonbackgroundjobs
S_BTCH_NAMBTCUNAMEBackgroundprocessing:Backgroundusername
S_ALV_LAYOACTVTSensitiveobject–S_ALV_LAYOforreportmaintenance
S_SCRP_TXT{Multiple}SAPscript:Standardtext
S_IDOCMONIEDI_MESEDImessagetyperestriction
S_USER_AGR{Multiple}Restrictthemaintenanceandassignmentofroles
S_USER_GRP{Multiple}Restrictthemaintenanceofusermasterrecords
S_SPO_ACT{Multiple}Maintenancetospoolrequestswhicharen’tyourown
S_SPO_DEVSPODEVICESpool:Deviceauthorizations
S_CTS_ADMICTS_ADMFCTControltheflowoftransportsintoproduction
S_TRANSPRT{Multiple}Transportorganizer
5.4Maintainauthorizationobjectassignmenttotransactioncodes(SU24)Transaction SU24 is the transaction code that allows you to maintain theassignment of authorization objects to transaction codes. SU24 ties the SAPSecurityandAuthorizationsconcepttogetheratitscore.Whenatransactioncodeisaddedtorole,authorizationobjects,andallorsomeoftheirfieldvaluesmaybeautomatically brought into the role. How does SAP know what authorizationobjectsandfieldvaluesaretiedtothetransaction?Well,thisinformationisstoredintransactionSU24.SAPhasdevelopedstandardsforalltransactioncodesandassociated authorization objects, but a company can also manually makechangestoSU24asrequired.
SU24example
Anytime VA01 (created sales order) is added to a role,authorization object V_VBAK_AAT (authorization for salesdocument type) is also automatically brought in. V_VBAK_AAThastwofields:ACTVT(activity)andAUART(salesdoctype). In
theactivityfield,activity“01”(create)isalsoautomaticallypopulated,howeverno automatic entries are populated for sales doc type. At company XYZ,anytime a user has access to VA01, they should automatically be able tocreate sales document type “OR1” (standard order). In this instance, VA01andV_VBAK_AATcanbeupdatedmanuallyviatransactionSU24to includeauthorizationforstandardorders.
In order tomanuallymaintain the assignment of authorization objects and theirvaluestotransactioncodesinSU24,followthesesteps:
1.GototransactionSU24(seeFigure5.9).
2.Asintheexampleabove,youwanttoaddsalesdoctype“OR1”anytimeVA01isaddedtoarole.Inthiscase,type“VA01”intheTRANSACTIONCODEbox.ClicktheEXECUTEbutton.Ifanytimetheauthorizationobjectappearedintheroleyouwant“OR1”tobeadded,switchtotheAUTHORIZATIONOBJECTtabandfollowthesamesteps.
Figure5.9:TransactionSU24landingpage
3.Alltheauthorizationobjectstiedtothattransactioncodewillbelisted(seeFigure5.10).ThePROPOSALSTATUSindicateswhetherornottheauthorizationisautomaticallybroughtintotherolewhenthetransactionisaddedtotherole’smenu.Highlighttheauthorizationobjectyoudesiretomanipulate,inthiscase,V_VBAK_AATandclicktheGLASSESANDPENCILbuttontoswitchthepagefromdisplaytochangemode(seeFigure5.11).
Figure5.10:Displayauthorizationobjectsassociated
4.Onceinchangemode,youcanclicktheCHANGEFIELDVALUESbuttonto
manipulatetheautomaticassignmentsfromV_VBAK_AAT.Youcanalsochangetheproposalindicatorforauthorizationobjects,amongotherthings.
Figure5.11:SU24changemode
5.ChangethedefaultauthorizationvaluesasdesiredandclicktheSAVEbutton(seeFigure5.12).
Figure5.12:AuthorizationobjectV_VBAK_AATwithchangesmadetoincludedefaultvalueOR1forsalesdocumenttype
5.5Userinformationsystem(SUIM)Theuserinformationsystem,transactionSUIM,isanotherusefultoolforreportingon user and authorization information based on a variety of criteria. SUIM isarrangedinthemannerofareportingtree.
Figure5.13:SUIMlandingpage
TransactionSUIM,asseen inFigure5.13,allows for reportingbasedonusers,roles, and profiles. In addition, more detailed reports exist on the basis oftransactionsandchangedocuments.Comparisonscanalsobemadetorolesandusersacrosssystems(seeFigure5.14).
Figure5.14:SUIMreportingtree
WhenusingSUIM
WhenchoosingwhichSUIMreporttoselect,startwiththeidea“ifthis, then this.”Forexample, if youhaveauser’sSAP ID, thenyou want to knowwhat roles are assigned to them or possiblywhattransactionstheusercanexecute.
6AdvancedtopicsforSAPauthorizationsThis chapter covers advanced topics for SAP Security. It provides anoverview of the security steps requiredwhen upgrading to a new releaseandintroducesGRCAccessControl.Finally,itgivesareviewtheentireSAPauthorizationconceptandtieseverythingtogether.
6.1Upgradingtoanewrelease(SU25)At a given point in time, a service pack upgrademay be required as part of alarger SAP project. In conjunction with this upgrade, new applications may beintroducedtotheenvironmentorSAPmayhavere-writtencodeforexistingSAPapplications.Therefore,additionalchangesmaybeintroducedwithinthecodeinthe formof newsecurity andauthorization checks.Theseadditionsor changesmustbeaccountedforwithintheexistingSAPSecurityroles.SAPprovidesatool,in the formof transactionSU25, for the purpose ofmanaging anSAPSecurityupgrade. In order to complete the upgrade activities, steps 2A-2D must becompleted(seeFigure6.1).
Figure6.1:HomescreenoftransactionSU25
ThefollowingisabriefsynopsisofthefourSAPSecuritytasks,steps2A-2D,to
becompletedinorder:
Step2A:AutomaticComparisonwithSU22DataComparesanyauthorizationdatamanuallymaintainedbythecustomerwithvaluesproposedbySAP.Step2B:ModificationComparisonwithSU22DataInformationreturnedbystep2Aismanuallycompared.Onebyone,thecustomerreviewsanyconflictbetweentheSAPproposedvaluesandthosemanuallymodifiedinthepast.Onecanchoosetoaccepttheproposedvaluesorkeepthosethathavebeenmanuallymodified.Step2C:RolestoBeCheckedRolesaffectedbytheupgradeareidentified.TheseroleshavetransactionsintheirmenuinwhichchangeshavebeenmadetotheproposedauthorizationvaluesinSU24.Step2D:DisplayChangedTransactionCodesThisstepisoptional.ItdisplaysanynewSAPtransactionsthathavebeenintroducedinplaceofthoseexistingandthelistofrolesaffected.
ThefinalmandatorystepintheSU25upgradeprocessistorunStep3:TransporttheCustomerTables.ThetransportofthetablesshouldbefollowedbyatransportforalltherolesthatweremodifiedandgeneratedaspartofStep2C.
6.2IntroductiontoGRCAccessControlSAPGovernanceRiskandCompliance(GRC)ispartofSAP’sanalyticsofferings.Theuseofsuchanalyticaltoolscaninfluencebusinessoutcomesbythechangesanorganizationmakeswhenusingintelligentdata.Figure6.2istheentiresuiteofSAPsolutionsforgovernance,risk,andcompliance.
Figure6.2:SAPsolutionsforgovernance,risk,andcompliance
SAPGRCsolutionsprovideaplatform fororganizations togainvisibility intoalltheir risk and compliance activities, but furthermore, to more effectively andefficientlymanage them.GRCAccessControl is theprimary solution to identifyandmitigateaccess riskswith real-time insight into segregationofduties (SoD)violations and critical access. GRC Access Control also provides the toolsnecessary for preventative user provisioning, through identification of conflictsprior tograntingaccess.TheGRCAccessControlsolution iscomprisedof fourprimarymodules:
AccessriskanalysisEmergencyaccessmanagementUseraccessreviewBusinessrolemanagement
The solution enables organizations to achieve greater efficiency, agility, andeffectivenessasitrelatestogovernance,risk,andcompliance.
GRCefficiencyprovidessavingsinhumanandfinancialcapitalresourcesby
reducingoperatingcostsandautomatingprocesses.GRCagilityiswhenanorganizationcanrespondrapidlytoachangeintheinternalorexternalriskandcontrolenvironments.GRCeffectivenessisachievedwhenorganizationshavegreaterreliabilityoftheinformationprovidedtointernalandexternalauditorsandwhentheorganizationisoperatingwithinthecontrolssetforth.
6.2.1Accessriskanalysis(ARA)Access risk analysis (ARA) is the tool that automates the monitoring ofsegregation of duties (SoD), and critical access riskswithin SAP and non-SAPsystems. ARA can leverage SAP’s standard rule set or custom rule set(s) foridentificationoftheseconflicts.Keyfeaturesinclude:
ComprehensiveandpredefinedSoDrisk-rulesetAbilitytosimulatechangestousersandrolesforthepurposeofpreventativeactionReal-timereporting
6.2.2Emergencyaccessmanagement(EAM)Emergencyaccessmanagement(EAM)providesthemeanstocentrallymanagetheemergencyandelevatedaccessacrossSAPandnon-SAPenvironments.Keyfeaturesinclude:
ReviewinguserandroletransactionusageuponcompletionoffirefighteractivitiesNotificationuponuseofcriticalorsensitiveaccess
6.2.3Accessrequestmanagement(ARM)Access request management (ARM) automates the user access provisioningprocess by utilizing built-in workflow and approval functionality. ARM alsoautomatestheprocessofreviewinguseraccessandSoDconflictsonaperiodicbasis.Keyfeaturesinclude:
Self-serviceaccessrequestandapprovalprocessusingpredefinedworkflowsande-mail-basednotificationtemplatesEmbeddedriskanalysisforpreventativeremediationofaccessrisksandapplicationofmitigatingcontrolsIntegrationwithIdM(identitymanagement)solutions
Periodicreviewofroleassignmentstousers,rolecontentassignments,andmitigatingcontrolassignments
6.2.4Businessrolemanagement(BRM)Business role management (BRM) is the tool that centralizes the creation andmaintenance of user roles and automates the workflow process for roledeployment.Keyfeaturesinclude:
Workflow-drivenmethodologyforroledefinitionandmaintenanceDefinitionofrolesusingbusinesstermsandalignmentwithbusinessprocesses
GRC Access Control has also deployed a new role management concept toreplacecompositeroles,calledGRCbusinessroles.Businessrolesworksimilarlytocompositerolesinthattheyareagroupingofmanyrolesinasingleentity,butbusinessrolescancontainrolesacrossvariousSAPandnon-SAPsystems.
6.3Wrapup:PuttingabowonitUser master records are created to house all applicable user information,including vital address data, logon credentials, password information, assignedroles,andprofiles.Whenauserlogsintothesystem,hisorherauthorizationsaretemporarilystored inmemory,alsoknownas theuserbuffer.Whenusers try toexecuteatransactioncodeorcompleteataskinthesystem,theyeitherhavetheauthorizationornot,whichisbasedontherolesandprofilesassignedtothemintheirusermasterrecords.
Rolescontainauthorizationsandwhengenerated,profilesarecreated.Rolesaredesigned in the profile generator transaction and the three most common roletypesaresingle,composite,andderived.Ifauserhasauthorizationtocompleteataskinthesystem,allauthorizationchecksthesystemperformedaresuccessfuland the authorization objects and required field values are contained in one ormoreoftheuser’sroles/profiles.Ifauserdoesnothaveauthorizationtocompletea task, trouble-shooting techniques can be deployed, such as throughSU53orrunningatrace.
Ultimately,SAPhasbuilt-infunctionalitytomeettheever-growingneedstoprotectapplication data and reduce risk exposure in the system.When designingSAPSecurityroles,itisimportanttoconsidertheruleofleastprivilegeandalignmentwithbusinessprocessesinconjunctionwithscalabilityandeaseofmaintenance.
7AcknowledgementsI would like to express my sincere gratitude to the many people who sawmethroughthisendeavor;toallthosewhoprovidedsupport,talkedthingsover,andofferedcomments.IwouldalsoliketothankEspressoTutorialsforenablingmetopublishthisbookandespeciallyAliceAdams,myeditor,whoencouragedmeandpushedmethroughoutthedurationofthejourney.
Thanks tomy two consulting families, both at IBM and itelligence. I became aconsultant because I loveworkingwith people from all walks of life, because Ibore easily, and because I love being a part of a team.None of thiswould bepossiblewithout any of you.And, of course, thank you tomy clientswho havemademycareermoreexcitingandrewardingthanIeverthoughtpossible.
Lastandcertainlynotleast,thankstomyfamilywhoIhaveconfidedinoverthepast5years–throughfirst jobs,newpositions,andchallengingclients;youaresimply the greatest. To my mom, who is the best mentor I could ask for – Ipromise todedicatemy firstmemoir to you,which ismost likelynevergoing tohappen. And special thanks to my husband Josh, who is always supportive,alwayshonest, andwhoalwaysmakesme feel better after a series of 80-hourweeksontheroadwhentheendisstillnotinsight.
Thankyou.
Youhavefinishedthebook.
Signupforournewsletter!
Wanttolearnmoreaboutnewe-books?
GetexclusivefreedownloadsandSAPtips.
Signupforournewsletter!
Pleasevisitusatnewsletter.espresso-tutorials.comtofindoutmore.
AAbouttheauthor
Tracy Juran (Levine), CPIM, is a Managing Consultant at IBM as part of theSecurityServicesRiskandCompliancepractice.ShehasextensiveexperienceinSAP Security and Authorizations; SAP Governance, Risk, and Compliance(GRC); and core cross-functional business processes. Tracy is a die-hardOhioStateBuckeyesfanandlovestoplanpartieswithfriendsandtraveltheworld;herfavoritedestinationsincludeThailand,Peru,andIsrael.SheresidesinCincinnati,Ohio with her husband, Josh, their dog, Markley, and cat, Misha. For moreinformationpleasevisitTracy-Levine.com.
BDisclaimerThispublicationcontainsreferencestotheproductsofSAPSE.
SAP,R/3,SAPNetWeaver,Duet,PartnerEdge,ByDesign,SAPBusinessObjectsExplorer,StreamWork,andotherSAPproductsandservicesmentionedhereinaswellastheirrespectivelogosaretrademarksorregisteredtrademarksofSAPSEinGermanyandothercountries.
Business Objects and the Business Objects logo, BusinessObjects, CrystalReports, Crystal Decisions, Web Intelligence, Xcelsius, and other BusinessObjectsproductsandservicesmentionedhereinaswellastheirrespectivelogosare trademarks or registered trademarks of Business Objects Software Ltd.BusinessObjectsisanSAPcompany.
SybaseandAdaptiveServer,iAnywhere,Sybase365,SQLAnywhere,andotherSybaseproductsandservicesmentionedhereinaswellastheirrespectivelogosare trademarks or registered trademarks of Sybase, Inc. Sybase is an SAPcompany.
SAP SE is neither the author nor the publisher of this publication and is notresponsiblefor itscontent.SAPGroupshallnotbeliableforerrorsoromissionswith respect to thematerials. The onlywarranties forSAPGroup products andservices are those that are set forth in the express warranty statementsaccompanying such products and services, if any. Nothing herein should beconstruedasconstitutinganadditionalwarranty.
MoreEspressoTutorialseBooksBorisRubarth:FirstStepsinABAP®
Step-by-StepinstructionsforbeginnersComprehensivedescriptionsandcodeexamplesAguidetocreateyourfirstABAPapplicationTutorialsthatprovideanswerstothemostcommonlyaskedprogrammingquestions
SydnieMcConnell,MartinMunzel:FirstStepsinSAP®,2ndedition
LearnhowtonavigateinSAPERPLearnSAPbasicsincludingtransactions,organizationalunits,andmasterdataWatchinstructionalvideoswithsimple,step-by-stepexamplesGetanoverviewofSAPproductsandnewdevelopmenttrends
AntjeKunz:SAP®LegacySystemMigrationWorkbench(LSMW)
DataMigration(NoProgrammingRequired)SAPLSMWExplainedinDepthDetailedPracticalExamplesTipsandTricksforaSuccessfulDataMigration
DarrenHague:UniversalWorklistwithSAP®NetWeaverPortal
LearntoEasilyExecuteBusinessTasksUsingUniversalWorklistExploreExpertInsightstoHelpYouConfigureUWLFunctionalityFindIn-DepthAdviceonhowtoMakeSAPWork-flowsandAlertsAvailable
LearnhowtoInclude3rdPartyWorkflowsinSAPNetWeaverPortal
MichałKrawczyk:SAP®SOAIntegration—EnterpriseServiceMonitoring
ToolsforMonitoringSOAScenariosForwardErrorHandling(FEH)andErrorConflictHandler(ECH)ConfigurationTipsSAPApplicationInterfaceFramework(AIF)CustomizationBestPracticesDetailedMessageMonitoringandReprocessingExamples
AnnCacciottolli:FirstStepsinSAP®FinancialAccounting(FI)
OverviewofkeySAPFinancialsfunctionalityandSAPERPintegrationStep-by-stepguidetoenteringtransactionsSAPFinancialsreportingcapabilitiesHands-oninstructionbasedonexamplesandscreenshots
KathiKones:SAPListViewer(ALV)–APracticalGuideforABAPDevelopers
LearnhowtowriteabasicSAPALVprogramWalkthroughtheobject-orientedcontrolframeworkandfunctionmodulesGettipsonaddingsortingandgroupingfeaturesDiveintohowtoaddeditablefields,events,andlayoutvariants
JelenaPerfiljeva:WhatonEarthisanSAPIDoc?
FundamentalsofinboundandoutboundIDocinterfacesandconfigurationLearnhowtoimplementinterfaceswithALEandEDITroubleshootcommonpost-implementationchallengesQuickreferenceguidetocommonIDoctransactioncodesandreports