TracyJuran

Beginner’sGuidetoSAP®SecurityandAuthorizations

ISBN: 978-3-9451-7087-8(ePUB)

Editor: LisaJackson

CoverDesign: PhilipEsch,MartinMunzel

CoverPhoto: Fotolia#51570006©larshallstrom

InteriorDesign: Johann-ChristianHanke

Allrightsreserved

1stEdition2016,Gleichen

©2016EspressoTutorialsGmbH

URL:www.espresso-tutorials.com

All rights reserved. Neither this publication nor any part of itmay be copied orreproduced in any form or by any means or translated into another languagewithoutthepriorconsentofEspressoTutorialsGmbH,ZumGelenberg11,37130Gleichen,Ger¬many

EspressoTutorialsmakesnowarranties or representationswith respects to thecontenthereofandspecificallydisclaimsanyimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.EspressoTutorialsassumesnoresponsibilityforanyerrorsthatmayappearinthispublication.

Feedback:We greatly appreciate any kind of feedback you have concerning this book.Pleasemailusatinfo@espresso-tutorials.com.

ThankyouforpurchasingthisbookfromEspressoTutorials!Like a cup of espresso coffee, Espresso Tutorials SAP books are concise andeffective. We know that your time is valuable and we deliver information in asuccinctandstraightforwardmanner.ItonlytakesourreadersashortamountoftimetoconsumeSAPconcepts.Ourbooksarewellrecognizedintheindustryforleveraging tutorial-style instructionandvideos to showyoustepbystephow tosuccessfullyworkwithSAP.

CheckoutourYouTubechanneltowatchourvideosathttps://www.youtube.com/user/EspressoTutorials.

If you are interested inSAPFinance andControlling, join us at http://www.fico-forum.com/forum2/ to get your SAP questions answered and contribute todiscussions.

RelatedtitlesfromEspressoTutorials:

BorisRubarth:FirstStepsinABAP®http://5015.espresso-tutorials.comSydnieMcConnell,MartinMunzel:FirstStepsinSAP®,2ndeditionhttp://5045.espresso-tutorials.comAntjeKunz:SAP®LegacySystemMigrationWorkbench(LSMW)http://5051.espresso-tutorials.comDarrenHague:UniversalWorklistwithSAP®NetWeaverPortalhttp://5076.espresso-tutorials.comMichałKrawczyk:SAP®SOAIntegration—EnterpriseServiceMonitoringhttp://5077.espresso-tutorials.comAnnCacciottolli:FirstStepsinSAP®FinancialAccounting(FI)http://5095.espresso-tutorials.comKathiKones:SAPListViewer(ALV)—APracticalGuideforABAPDevelopershttp://5112.espresso-tutorials.comJelenaPerfiljeva:WhatonEarthisanSAPIDoc?http://5130.espresso-tutorials.com

TableofContentsCover

Title

Copyright/Imprint

Preface:IntroductiontoSAPSecurityandAuthorizationsconcept

1Usermaintenanceoverview

1.1Usermasterrecord1.2Usertypes1.3Usergroups1.4Massusermaintenance(SU10)1.5Passwords1.6Centraluseradministration(CUA)

2Roleoverview

2.1Roletypes

3Profilegeneratorandrolemaintenanceoverview

3.1Whatisaprofile?3.2Whatisanauthorization?3.3Profilesandroles

4Advancedtopicsforrolemaintenance

4.1Profilegeneratordeepdive4.2Authorization-objectlevelsecurity4.3Roletypereview4.4Transportingauthorizations

5SAPSecurityandAuthorizationstrouble-shooting

5.1ReadinganSU535.2Runningatrace(ST01)5.3UsefulSAPSecuritytablesandsensitiveauthorizations5.4Maintainauthorizationobjectassignmenttotransactioncodes(SU24)5.5Userinformationsystem(SUIM)

6AdvancedtopicsforSAPauthorizations

6.1Upgradingtoanewrelease(SU25)6.2IntroductiontoGRCAccessControl6.3Wrapup:Puttingabowonit

7Acknowledgements

AAbouttheauthor

BDisclaimer

ForAlexandTamara,whoseenthusiasmiscontagious,andforMerkel,whoalsocaughtthebug.

Preface:IntroductiontoSAPSecurityandAuthorizationsconceptSAP has a wide range of built-in functionality to meet various securityrequirements, including network protection, data protection, and SAPauthorizations.Thisbookwill focusontheapplicationofSAPauthorizationsandhowuseraccesscanbelimitedbytransactioncodes,organizational levels, fieldvalues,etc.SAPSecurityandAuthorizationsisdesignedsothatthesystemmustexplicitlyindicatewhateachusercando.Thisisdonebyassigningauthorizationroles,whicharegroupingsofprofilescomprisedofauthorizations.

ThebasicarchitectureofSAPSecurityandAuthorizationsisa6-tieredapproach:

1. UserMasterRecord:AccountsforuserstoenableaccesstotheSAPsystem;primarilyusedforuseradministrationpurposes.

2. Role:Compilationoftransactionsandpermissionsthatareassignedtooneormoreusermasterrecords;usuallyincludescommonalityamongstajobroleorjobtask.

3. Profile:Assignedwhenaroleisgeneratedandaddedtoitscorrespondingusermasterrecord.

4. AuthorizationObjectClass:Logicalgroupingofauthorizationobjectsbybusinessarea.

5. AuthorizationObject:Groupingsof1-10authorizationfields;configurationisperformedagainstauthoritycheckstatementswrittenintheSAPcode.

6. AuthorizationField:Least-granularelementinwhichvaluescanbemaintainedtosecuredataandinformation.

Authorizationscanbeusefulinlimitingaccesstoitemssuchas:billingandvendorinformation, personnel and payroll information, key financial data, and criticalsystem areas such as basis, configuration, development, and security. Usersobtain their authorizations by being assigned to roles and users cannot start atransaction or complete a transaction without the proper authorization roleassignment. In order to perform an action, a user may need severalauthorizations.Forexample, inorder tocreateasalesorder, theuserwillneedaccesstothetransaction,the“create”authorization,generalauthorizationforthesalesorg,andtheauthorizationfor thespecificsalesdocumenttype.Therefore,therelationshipsrequiredinordertomeetuseraccessrequirementscanbecomeverycomplex.

TheSAPauthorizationconceptwascreatedonthebasisofauthorizationobjects.Each authorization object is comprised ofmultiple authorization fields. A user’spermissions always refer to authorization objects, which can contain a singlevalueora rangeofvalues foreach field.Both reportanddialog transactions inSAPhavepredefined“authorizationchecks”imbeddedintheprogramlogicwhichprotectsthefunctionsandinformationwithinthem.

The basis of an organization’s role design should always be the rule of leastprivilege,whichistheSAPSecuritybestpracticeofgivingusersexactlywhattheyneed to perform their job responsibilities, not much more, and not much less.Accesscreep is theadversaryof thisprivilegeasusersmayretainunnecessaryaccessafterajobfunctionchangeormayreceiveunnecessaryaccessasaresultof the application of permissions or transactions to roles which are sharedbetween users who have similar, but not identical, responsibilities. Ultimately,securityisthegatewaytotheSAPsystem,butitcanoftenbedifficulttomanageandunderstand.InformationstoredinSAPisavaluedbusinessasset,andSAPSecuritycanaidanorganizationbyincreasingflexibilityandcustomizationattheuserlevelandprotectingcriticalinformationfromunauthorizeduse.

ThisbookincludesSAPbestpracticesforuserandrolemaintenanceandhowtocreateanSAPSecuritydesignthatisbothlowmaintenanceandscalable.YouwilllearnhowtouseandinterpretSAPauthorizationsandtroubleshootsecurityandauthorizationissues.Lastly,youwilldiscoversomeadvancedtopicssurroundingSAP authorizations, including an overview on upgrading your SAP Securityenvironmentandreducingavoidablesegregationofdutiesconflicts.

Wehaveaddedafewiconstohighlightimportantinformation.Theseinclude:

Tips

Tips highlight information concerning more details about thesubject being described and/or additional backgroundinformation.

Examples

Exampleshelp illustratea topicbetterbyrelating it to realworldscenarios.

Attention

Attentionnoticesdrawattentiontoinformationthatyoushouldbeawareofwhen yougo through theexamples from this bookonyourown.

Finally,anoteconcerning thecopyright:allscreenshotsprinted in thisbookarethecopyrightofSAPSE.AllrightsarereservedbySAPSE.Copyrightpertainstoall SAP images in this publication. For simplification, we will not mention thisspecificallyunderneatheveryscreenshot.

1UsermaintenanceoverviewThis chapter covers creating users in the system and assigning roles totheir corresponding user master records. This section also providesinformationonassigningpersonalattributes toeachuser,password rulesinSAP, and creating and assigninguser groups.Additionally, the chapterincludesthemethodforperformingamasschangetousermasterrecords.

ApersonmusthaveanSAPuser IDandpassword inorder to log intoanSAPsystem.Thisinformationisstoredintheusermasterrecord.Usermasterrecordsareclient-specific.ItisimportanttoestablishanamingconventionfortheuserID,whichallows theuser tobeeasily identifiableafter taking intoaccountanypre-existingidentificationsystemswithintheorganization.Oftentimes,anexistinge-mailornetworknamingconventionisideal.Somecompilationofauser’snameisalsoaviableoption,forexample:

Firstletterofthefirstname,lastname

TLEVINE(TracyLevine)

Lastname,firstletterofthefirstname,firstletterofmiddlename

LEVINETM(TracyMLevine)

Lastname,countryoforigin

LEVINEMX(TracyLevine,Mexico)

UserIDsarelimitedtoaminimumlengthof3charactersandamaximumlengthof12characters.However,user IDs thatareboth requiredandpredeliveredbySAPinthesystem:SAP*andDDIC.SAP*isasuperuser inSAPanddoesnotneedausermasterrecord.ThisIDishard-codedinthesystemandprovidestheIDwithunlimitedaccess.TheSAP*defaultpasswordshouldbechanged,but itcannot be deleted. DDIC is the maintenance user in SAP and has specialprivileges surrounding the ABAP dictionary and installations. DDIC is the onlyuserIDthatcanlogonduringasystemupgrade.

1.1UsermasterrecordThe user master record maintenance transaction, SU01, is primarily used tocreate and modify user master records in the SAP system. As previouslymentioned, user master records are intended as a repository to store userinformationandassignnecessaryauthorizations toauser toperformnecessaryjobresponsibilities. Inthe initialSU01screen(seeFigure1.1), theSAPSecurityadministratorcancarryoutthefollowingactivities:

Createusermasterrecord(PAPERbutton)Changeusermasterrecord(PENCILbutton)Displayusermasterrecord(GLASSESbutton)Deleteusermasterrecord(TRASHCANbutton)Copyusermasterrecord(DUALPAPERbutton)Lock/Unlockusermasterrecord(LOCKbutton)Changepasswordofusermasterrecord(WRITINGPENCILbutton)

Figure1.1:Usermastermaintenanceinitialscreen(transactionSU01)

Inordertoexecuteanyoftheabovefunctions,auserIDmustbedefinedintheUSER field, as shown in Figure 1.1. An alias is used to perform activities thatinteractwithSAPviatheInternet.WhenauserregistersanaliasontheInternet(such as a customer or vendor name) a corresponding SAP user ID isautomaticallygeneratedatrandom.TheALIASfieldontheUSERMAINTENANCE initialscreenisusedtouncovertheunknownSAPuserIDsofInternetusers.

Figure1.2:Usermastermaintenanceaddresstab(transactionSU01)

TheADDRESStabinSU01(seeFigure1.2)isusedtomorecompletelyidentifytheusersandtosupplycontact information.TheADDRESS tabshouldbe filledoutascompletelyaspossible.ThebuttonforOTHERCOMMUNICATIONallowsforadditionalentriesofvariouscommunicationmethodsthataremoreatypical,andtherefore,not on themain screen (such asPAGER andURLHOMEPAGE). TheCOMM. METH

drop-downallowsyoutoidentifytheuser’spreferredcommunicationmethod.

Figure1.3:Usermastermaintenancelogondatatab(transactionSU01)

The LOGON DATA tab in SU01 (see Figure 1.3) is primarily focused on uservalidation upon logon. TheALIAS field allows the SAP Security administrator toassignarecognizable40-digitIDtotheuser,whichcanbeusedtosearchfortheuser IDon the initialSU01 screenas shown inFigure 1.1. The twomandatorysectionsontheLOGONDATA tabareUSERTYPE fieldand thePASSWORDarea.ThepurposeoftheUSERTYPEfieldistoidentifythetypeofuserwhowillbetransactingin the system. Section 1.2 outlines the different user types and their primarypurposes.Whenanewuseriscreated,theSAPSecurityadministratormustenteranINITIALPASSWORD.

The USER GROUP field is valuable when multiple security administrators areresponsibleformaintainingusermasterrecords,butfordifferentgroupsofusers.If nouser group is defined, anyadministrator has theability tomodify theusermasterrecord.

Maintainingdifferentusergroups:Example

IfanorganizationhasfiveSAPSecurityadministratorsandeachis responsible for one geographical region, five different usergroupsshouldbemaintained:

1.NORTH2.SOUTH3.EAST4.WEST5.CENTRAL

Other organizations can segregate user maintenance by company code orfunctionalarea.

Thevalidityperiodsection isbeneficial formultiple reasons.Manyorganizationsliketokeeparecordofallusermasterrecordsevenifanaccountorauserhasbeenterminated.TheVALIDTHROUGHfieldcanbeusedinthisinstancetoprohibitanyonefromlogging inwithaparticular ID.Theusermasterrecordcanalsobelockedbytheadministratorontheinitialscreen.VALIDFROMandVALIDTHROUGHareoftenusedasameansofassigningaccesstoatemporseasonalemployee.

Figure1.4:Usermastermaintenance,SNCtab(transactionSU01)

OntheSNCtabofSU01(seeFigure1.4)thefieldforSNCNAMEisusedwhentheuser will access the SAP system via a secure network connection rather thanlogginginwithauserIDandpassword.TheSAPsystemislimitedinthatonlyasingle SNC name can be assigned to each user in the system for auditing

purposes.

Figure1.5:Usermastermaintenance,defaultstab(transactionSU01)

TheDEFAULTStabinSU01(seeFigure1.5)isusedasit isdescribedtoestablishdefaultsettingsformaintainingtheuserID,suchasthedateandtimeformatthatwillbeappearthroughoutthesystem.TheOUTPUTDEVICEfieldisusedtodefineadefault printer to the user. If multiple languages have been configured in thesystemtheLOGONLANGUAGE fieldcanbeset foreachuser.Likewise, ifallusersarenottransactingatthesametime,thePERSONALTIMEZONEOFTHEUSERfieldcanbeset.TheSTARTMENUfieldismaintainedifthereisauserwhowantsaparticulardefaultmenuuponlogon.

Figure1.6:Usermastermaintenance,parameterstab(transactionSU01)

The PARAMETERS tab in SU01 is often maintained as a means of identifyingadditional user defaults and settings, which increase system convenience (seeFigure 1.6). Additionally, some user authorizations can be maintained via thePARAMETERStab.

Example

Ifauseronlyrequiresauthorizationforcompanycode2000,thisinformationcanbestoredunderthecorrespondingparameterID.Anytransactionalfieldsthatrefertothatorganizationunitwillbeautomaticallypopulatedwith2000.

Another example refers to user authorization rather than user defaults. Youwill learnmoreaboutauthorizationobjects later,butcurrently,standardSAPauthorizationobjectsonlyexistformaintainingglobal layouts(allreportsandtransactions) or finance-only related reports and transactions. AsdemonstratedinFigure1.6,theparameterSD_VARIANT_MAINTAINcontrolsa user’s authorization tomaintain variants for sales- and distribution-relatedreports and transactions. The following parameter values each equate to adifferentlevelofvariantmaintenance:

Figure1.7:Usermastermaintenance(transactionSU01,rolestab(transactionSU01)

AnSAProle isa compilationof transactionsandpermissions thatareassignedwithintheusermasterrecord.TheROLEStabinSU01iswheretheSAPSecurityadministratorcandisplayormodifyallroleassignmentsfortheuser(seeFigure1.7).Ausercanbeassignedtomorethanonerole.Moreonroletypeslateron,but theTYPE column in theROLES tab indicateswhether the role is acompositerole(acompilationofsinglerolesthatareassignedasagroup)orasinglerole.TheVALIDFROMandVALIDTO fields indicatewhentheassignmentwillbecomeorbecame active and when the role assignment will expire. The VALID TO fieldautomaticallydefaultsto“12/31/9999.”

If a single role is assigned as a result of the assignment of a correspondingcomposite role, the role name will appear in blue, rather than black. In thisinstance,theassignmentofthesesinglerolescannotbemaintainedindividually;assignments can only be removed and the validity dates modified at thecompositerolelevel.

Figure1.8:Usermastermaintenance,profilestab(transactionSU01)

Authorization profiles are created when roles are generated. When roles areadded to theusermaster record, thecorrespondingprofile(s)alsogetassignedvia thePROFILES tab (seeFigure1.8).With theexceptionofa fewpreconfiguredSAP profiles for super-user access, profiles should not be directly assigned tousers.Themaximumnumberofprofiles that canbeassigned toauser is312.The relationship of roles:profiles is typically 1:1, unless a role contains asignificant amount of transactions and permissions (i.e. a ‘display all’ or super-userrole).Asmentioned,SAPhastwoprimarypreconfiguredprofilesthatcanbeassignedonlytosystemadministratorsandSAPsupportusers.

1. SAP_ALLisacompilationofallstandardauthorizationsthatexistintheSAPsystem.

2. SAP_NEWisacompilationofallnewstandardauthorizationsthatexistintheSAPsystem(includesauthorizationobjectsbroughtinfromnewreleases).

Figure1.9:Usermastermaintenance,groupstab(transactionSU01)

MultipleusergroupscanbeassignedtotheusermasterrecordintheGROUPStab(seeFigure1.9). If therearemultipleuseradministrators,groupscanbesetupand assigned to specific users. SAP Security administrators are then assigneduser master record maintenance based on user group and, therefore, masschanges can be easily made to users in groups. See Section 1.3 for moreinformationonusergroups.

Figure1.10:Usermastermaintenance,personalizationtab(transactionSU01)

ThePERSONALIZATION tab in SU01 is just that; the location where personalizedobjects are stored, such as workflows, user layouts, time sheet settings,approvals,etc.(seeFigure1.10).Personalizationobjectscanalsobeassignedtoaspecificroleintherolemaintenancetransaction(PFCG)inthePERSONALIZATION

tab.

Figure1.11:Usermastermaintenance,licensedatatab(transactionSU01

The LICENSE DATA tab (see Figure 1.11) is used to track information that isprocessedfor licensingpurposesbySAP.SAPchargesdifferentratesbasedoncontractualusertypes,whicharedeterminedbasedontheamountoftransactingtheuserdoesinthesystem.

1.2UsertypesIntheSU01LOGONDATAtab,usersmustbeclassifiedasoneofthefollowingusertypes(seeFigure1.3):

Dialog:Dialogusersarethemostcommonusertypeassignedtoenduserswhowillbetransactinginthesystem.Dialogusersarecheckedatlogonforinitialpasswords,userID,passwordvalidity,andtheallowanceofmultiplelogons.Thepasswordforthedialogusercanbechangedbytheuser.Communication:CommunicationusersareassignedtoCPIC(commonprogramminginterfaceforcommunications)andRFC(remotefunctioncall)usersthatdonotrequiredialoglogon.CommunicationusersarecommonlyusedbetweenSAPandexternalsystemsandapplicationsforALE,TMS,andworkflow.System:SystemusersaresimilartocommunicationusersinthesensethattheyareassignedtoCPICandRFCusersthatdonotrequiredialoglogon.However,systemusersareusedforALE,backgroundprocessing,TMS,andworkflowwithinonesystem.Systemusershavenopasswordvalidityandmultiplelogonsareallowed.SystemuserpasswordscanonlybechangedbySAPSecurityadministrators.MultiplelogonsareallowedviaasystemuserID.Service:ServiceuserIDsareusedbytransacting-anonymousdialogusersthroughanITS(informationtechnologyservice),oftenaWebapplication.Multiplelogonsareallowed,butthereisnocheckforinitialorobsoletepasswords.MultiplelogonsareallowedviaaserviceuserID.Reference:ReferenceIDsareusedforgroupsofuserswhorequireidenticalauthorization.ReferenceuserssimplifytheassignmentofauthorizationsWebusers.Dialoglogonisnotpossibleforareferenceuser.

1.3UsergroupsUsergroupassignment isnota required fieldwhencreatingusers.However, inorder to delegate user maintenance authorization to different SAP Securityadministrators,thisisanecessarystep.

Figure1.12:Maintainusergroups(transactionSUGR)

Figure1.13:Assigninguserstousergroups(transactionSUGR)

User groups can be created, displayed, deleted, and modified via transactionSUGR as demonstrated in Figure 1.12. Users can also be assigned to a usergroup in transaction SUGR, as they can in theUSER GROUP tab in SU01 (seeFigure1.13).

1.4Massusermaintenance(SU10)Transaction SU10 allows for massmaintenance of user master records. UsingSU10,ausercanperformmostof thechangesmadeon individualusers in theusermaintenancetransaction(SU01),butformanyusersatonetime.

Figure1.14:Usermaintenance:Masschangesinitialscreen(transactionSU10)

AsdemonstratedinFigure1.14,ontheinitialSU10screenamaximumof25SAPuser IDscanbecopied from the clipboard for usermassmaintenance. Ifmasschangesarerequired formore than25users,awiderselectionofuserscanbechosen by clicking on theADDRESSDATA button orAUTHORIZATIONDATA button, ashighlighted.Ineachofthesetabs,agreaterlistofuserIDscanbecopiedfromaclipboardorselectedbasedonvariousattributes.

Figure1.15:SU10addressdatabutton

Figure1.16:SelectioncriteriapagefromSU10authorizationdatabutton

Figure1.15andFigure1.16showtheselectioncriteriathatcanbeusedtosearchforgroupsof users thataredesired tomassmaintain. If theuser IDs for theseindividualsarealreadyknown,theycanbecopiedfromanExcelspreadsheetandpastedfromtheclipboardbyclickingthearrowbuttonnexttotheUSERfieldontheSELECTIONCRITERIApagefromtheSU10AUTHORIZATIONDATAbutton.Furthermore,ifamasschangeisrequiredforallusersinthesystem,avalueof*canbeset intheUSERfield.

Figure1.17:Userstobechangedresultingfromuserselectioncriteria(transactionSU10)

Figure1.18:Selecteduserstobechanged(transactionSU10)

After executing the selection criteria, a list of all applicable users appears (seeFigure1.17). Inorder for theshownuserstobemasschanged,alldesiredusernamesmustbehighlightedandtheTRANSFERbuttonclicked(seeFigure1.18).

After defining the users to be changed, the user IDs and names appear in theinitialscreenof transactionSU10(aspreviouslyshowninFigure1.14).Possibleuserchanges in theSU10 initial screen reflect thoseon theSU01 initial screenwith one caveat, passwords cannot be defined and changed en masse. TheGENERATE PASSWORD button, as seen in Figure 1.14, will generate a uniquepasswordforeachuser.Generatedpasswordsforeachusercanbeviewedinthelogdisplayafterchangesarecomplete. Inorder tochangeuserattributes,suchaslogondata,userdefaults,androlesassigned,selectthepencil(change)buttonontheinitialscreen.

Figure1.19:Massuserchangestologondata(transactionSU10)

Addingandremovingroles

MakesuretoselecttheCHANGEindicator(seeFigure1.19)priortosavingchanges.

Figure1.20:Massuserchangestoroleassignment(transactionSU10)

Roleandprofile changesdiffer slightly fromother changes inSU10.Roles andprofilescanbeaddedorremovedduringasingleinstanceofSU10,butnotboth.

Massassignmentofaroleexample

Figure1.20 isanexampleofaddinga role toagroupofusers.Therolethatisbeingassignedisageneralend-userroleinthatithas the transactions and permissions needed for all userstransacting in the SAP system. If a new role is created in an

organizationandneedstobeassignedtoallormanyusers,transactionSU10isthemostefficientmethod.TheADD indicatormustbeselectedasnotedinFigure1.20.

Figure1.21:Warningmessageaftersaving(transactionSU10)

Figure1.22:Logdisplayaftermasschanges(transactionSU10)

Oncesaved,awarningmessageadvisesyouastothenumberofusersthatthechangeswillaffect(seeFigure1.21).ClicktheCHECKbuttontoindicatethatthesechangesaredesired.Afterconfirmation,alogdisplayappears(seeFigure1.22).Greentraffic lights indicatesuccessfulchanges,asshowninFigure1.22;yellowtraffic lights indicatewarningmessages (althoughnotnecessarilyunsuccessful);andredtrafficlightsindicateallorsomeofthechangeswereunsuccessful.

1.5PasswordsSAPhaspasswordsettingparametersthatinclude:

AminimumlengthofthreecharactersNoexpirationdatePreconfiguredblockedpasswordsCasesensitivityAnycharacter,butcannotstartwitha“?”or“!”Notallowing3sequentialcharactersfromtheuser’sSAPuserID

However, there are also additional suggested password settings that can beconfigured,suchas:

AminimumofsixcharactersPasswordsthatexpireatregularintervals(4-6weeks)UtilizationofthepasswordblockinglistRequirementofspecialcharacters

Recently, SAP introduced a new password protection feature called SecurityPolicies.With this new addition, different password rules and logon restrictionscanbeappliedtodifferentgroupsofuserswithinthesameclient.Securitypolicyconfiguration is done in DEV and transported to production via transactionSECPOL. Users are assigned a security policy via the LOGON DATA tab intransactionSU01orSU10.Ifthesecuritypolicyfieldontheusermasterrecordisleftblank,thesystemprofileparametersareappliedasadefault.

1.6Centraluseradministration(CUA)An SAP landscape consists of several SAP systems with potentially severalclients each. Most SAP ERP landscapes have at least one development(configuration),onequality(testing),andoneproduction(live)client.Theseclientsareusedtomaintainsystemstabilitybytransportingandtestingchangespriortointroductionintothelivesystem.Individualusermasterrecordsmustbecreatedandmaintainedineachclientwithineachsystem.

Utilizingcentraluseradministration (CUA)allowstheSAPSecurityadministratortocreateandmaintainallusersinonesystem.All informationstoredintheusermasterrecordisdistributedtothedependentsystems.

2RoleoverviewThischapterprovidesanoverviewofuserrolesinSAPandintroducestheprofilegeneratortransaction(PFCG).Arole inSAPcanbethoughtofasaperson’sjobinSAP,orasubsetofaperson’sjobresponsibilitiesinSAP.

ExampleofauserroleinSAP

Forexample,ifTracyLevineisasalesclerkatcompanyXYZ,herSAP user roles reflect sales clerk access. Tracy can have oneroleassigned toher thatwillbeacompilationofall transactionsandauthorizationsrequired.However,Tracycanalsohavemany

rolesassigned,whichintotalitywillprovideherthepermissionsnecessarytocompleteherjobtasks.

A role in SAP is created by the profile generator (transaction PFCG). Rolesprovideaccess to transactions, reports,Webapplications,etc.Withineach role,youcanalsoviewandmaintainuserassignments.TheruleofleastprivilegeisafundamentalprincipleinSAPSecurity.Therulecanbesummarizedbythenotionthatausershouldbegivenexactlywhatisneededtoperformthejob;notmuchmoreandnotmuchless.

2.1RoletypesTherearetwotypesofSAProles:singleandcomposite.Furthermore,singlerolescanbesetupasreference-derivedrolesorenablerroles.Thissectionprovidesabrief overview of each type of role and what each type is used for. Chapter 3shows how to create each role and maintain it using the profile generatortransaction(PFCG).

Singlerolesprovideaccesstoactionsandpermissionsthatmakeupauser’sjoborasubsetofjobresponsibilities.Actionscanbethoughtofastransactionsandpermissions thought of as authorization objects and associated field values.SinglerolesarethemostcommontypeofSAProle.

Actionsandpermissionsexample

SalesclerkToddLevineneedstobeabletocreateandmaintainsales orders in SAP. This translates to transaction codes VA01and VA02. However, Todd can only maintain certain sales doctypes (he is not allowed to create return orders) and is only

authorized to do so using company code 1000. These limitations arecontrolledbyhisexplicitaccesstovariousauthorizationobjectswithinhisuserroles.

Referenced-derived rolesare roles that inherit themenustructure,authorizationobjects, and authorization values from an existing role. Derived roles are oftencalledchildroles,whereastheimpartingrolemaybecalledtheparentormasterrole.Aderivedroleisusefulwhenyouwanttomirrortheexactsamefunctionalityas the master role, but want to manipulate the organizational levels. Whencreatingderivedroles,organization levelsanduserassignmentsarenotpassedfromtheparenttothechild.Infact,thesearetheonlyroleattributesthatshouldbemaintaineddirectlyinthederivedrole,allotherchangesshouldbemaintainedinthemasterroleandinheritedbythechildren.

Reference-derivedroleexample

Asnotedabove,ToddLevine isasalesclerk forcompanyXYZ.However,Toddonly needsaccess tomaintain and create salesorders for company code 1000. Marla Levine, however, needsaccess to maintain and create sales orders for company code

2000.Otherwise,theiraccessshouldbeidentical.Inthiscase,amasterrole,Z_MAINT_SALES_ORDERS_ALL would be created as the parent orimparting role. Two derived roles, Z_MAINT_SALES_ORDERS_1000 andZ_MAINT_SALES_ORDERS_2000 would be maintained as referenced-derivedroles.

Manycompaniesuseareference-derivedroleasatacticaltooltoreducethetimeandresourcesnecessaryforongoingrolemaintenance.Reference-derivedrolesare also used as a case for scalability because they can easily bemixed andmatched to fit a business user’s job responsibilities and organizationalassignments.

Anenablerrolecanbethoughtofasabolt-onrole.Unlikederivedroles,enablerrolesarecreatedwithoutanylinktoanalreadyexistingrole.Enablerroleshavemanuallyaddedauthorizationobjectsaddedtothemwithonlydesiredfieldvaluesmaintained.

Enablerroleexample

Releasestrategiesareacommonexampleofwhenenablerrolesareuseful.Anexampleiswhenacompanywantsallpurchasingadministratorstohaveaccesstoallpurchasing-relatedactivities,butwantstolimittheteam’saccesstospecificreleasestrategies

basedonlevels.ReleasestrategyauthorizationiscontrolledbyasingleSAPauthorizationobject:M_EINK_FRGwhichhas two fields,ReleaseCodeandRelease Group. This authorization object can be inactivated within thepurchasingadminroleandbolt-onenablerrolescanbecreated,oneforeachReleaseCodeandReleaseGroupcombinationandassignedadhoctoeachpurchasingadmin.

Acompositerole, also knownasa collective role, is agroupingof twoormoresingle roles. Composite roles are used for the purpose of simplifying theassignment of roles to users.Composite roles do not contain any authorizationdata, only other roles. Furthermore, composite roles can only be groupings ofsingleroles,notothercollectiveroles.

3ProfilegeneratorandrolemaintenanceoverviewThischapterintroducestheprofilegeneratortransaction,PFCG.TheprofilegeneratortoolisresponsibleforenablingtheSAPSecurityadministratortocreatespecificuser roles,whichcontainauthorizations tovarioussystemfunctions.Chapter4 identifiestherelationshipbetweenprofiles,roles,andauthorizationsandthebasicmaintenancefeatureswithinthetransaction.

3.1Whatisaprofile?Theprofilegenerator isa tool thatcreatesSAPuser roles,whichcorrespond toprofiles.AccesstotheprofilegeneratorisviatransactioncodePFCG.AprofileisacollectionorgroupingofSAPauthorizations.

Roledefinitions

Best-in-classSAPSecurity roledesigns take intoaccount somecritical success factors, considering sustainability and scalabilityare absolutely essential when designing SAP Security roles.Furthermore, involving the business in role content and

governanceisimperative.

3.2Whatisanauthorization?Thefollowinginformationisstoredinaprofile:

Authorizationobjectclasses

LogicalgroupingofauthorizationobjectsContainoneormoreauthorizationobjects

Authorizationobjects

FieldslinkedtovariousdatabasetablesCancontainupto10fields(seeFigure3.1)

Authorization

AninstanceofaspecificauthorizationobjectAllowingseveralauthorizationsforanauthorizationobjectwithcombinationsofdifferentfieldvaluesAninstancecanbetrackedbyuniquetwo-digitnumber

Authorizationobjectexample

AuthorizationobjectV_VBAK_AATiscontainedinthebelowroletwice, hence, two authorizations (T-I855600400 and T-I855600401). The authorization object class is SD (Sales andDistribution). This authorization object controls the assigned

users’ ability to maintain various sales document types. The twoauthorizations combined dictate authorization for the business process intotality.Theusercandisplayallsalesdocumenttypes,butonlymaintainandcreatestandardsalesorders.

Figure3.1:AuthorizationobjectasseenintransactionPFCG

Thereareover20,000standardSAPauthorizationobjects.

3.3ProfilesandrolesAlthough a role and a profile may seem similar, there are a few distinctdifferences.Rolesare theactualcontainers forstoringauthorizationobjectsandtheir values. Once the user roles are generated in PFCG, the profiles aregenerated. Typically, the ratio of roles:profiles is 1:1, however, only 150authorizations can fit intoaprofile. If thenumberof authorizationswithin a roleexceeds150,anewprofileisautomaticallycreatedwithintheprofilegenerator.

Roles are added to usermaster records via transactionSU01.When roles areadded with a proper validity date, the corresponding authorization profiles areassignedtotheuser.Asareminder,arolecanbethoughtofasauser’sroleorasubsetofjobresponsibilities.

Figure 3.2 is a simple graphical depiction provided by SAP of the SAPAuthorizationConcept.

Figure3.2:SAPAuthorizationConcept“(AuthorizationObjects-ASimpleGuide,”SAP)

4AdvancedtopicsforrolemaintenanceThe profile generator is an SAP tool in which roles are created and thengenerated to create profiles. As a reminder, a profile is a collection ofauthorizations.

4.1ProfilegeneratordeepdiveThefollowingsectionprovidesanoverviewintotheprofilegeneratortoolandhowthePFCGtransactioncanbeused.Role/profilemaintenanceisalwaysperformedinthedevelopmentclient, transportedtothequalityenvironmentfor testing,andfinallymovedtotheproductionenvironmentforuse.

Figure4.1:PFCGtransactionhomescreen

AsshowninFigure4.1,thehomescreenofPFCGhasanabundanceofbuttonsin order to create andmanipulate roles. The following is an explanation of themost importantscreenelements,beginningat the topof thescreenandmovingfromlefttoright:

TheDOUBLEPAPERbuttonisusedtocopyanexistingroleorelementsofoneroletoanother.

TheTRASHCANbuttonisusedtodeleteanexistingrole.

Tipfortransportingroledeletions

If a to-be-deleted role already exists in clients other thandevelopment(qualityandproduction)thenitmustbeplacedinatransportrequestfirst.Theprocesstodeletearolefrommultipleclients is to place it in a transport request in the development

client,delete therole in theprofilegenerator,and thenrelease the transportrequestandmoveittoqualityandproduction.Thisprocesswilltransportthedeletiontotheotherclientsaswell.

TheTRUCKbuttonisusedtotransportarolefromthedevelopmentenvironmenttoqualityandproduction.

ThefirstBOXWITHARROWSbuttonthatdisplaysthewordtransactionisusedtosearchforrolesthatcontainaspecifictransaction.

IntheROLEtextfield,therolethatistobecreated,changed,deleted,orcopiedmustbeentered.

Thenexttwobuttons,thePENCILbuttonandGLASSESbuttonarerepetitivein

theirmeaningthroughouttheSAPsystem.Theformerisforrolemaintenanceandthelatteristodisplayroles.

ThesecondBOXWITHARROWSbuttononthesameplaneastherolenamewilldisplayawhere-usedlistfortherole.Thewhere-usedlistappearsiftheidentifiedroleiscontainedinanycompositeroles.

Thefinaltwoimportantbuttons,theSINGLEPAPERandCOMPOSITEPAPERbuttons,indicatetheroletypetobecreated.InSection4.3youwilllearnmoreaboutthedifferencesbetweensingleandcompositeroles.

Inorder to createa role, first identify the rolename in theROLE text fieldof thePFCGlandingscreenandclicktheSINGLEPAPERbuttontocreate.

Rolenametip

Prior to role creation, an explicit naming convention should bedeterminedforallroles.Rolenamescanbeupto40charactersinlengthandshouldaccuratelyreflecttherolecontent,includingtransactions, authorizations, and organizational entities that it

providesaccessto.Rolenamesmustbeuniqueandcannotstartwith“SAP.”The roleswhichdobeginwith “SAP”arepredelivered templatesandshouldbecopiedandre-namedpriortobeingmaintained.

The following screens provide a walk-through of the role creation and profilegenerationprocesses.Rolemaintenanceworksinthesamemanner.Throughoutthe different tabs and screens within PFCG, you will notice an abundance ofTRAFFICLIGHTS. The traffic lights are red, yellow, or green indicators that indicatehowfaralongyouareintherolecreationprocess.

Figure4.2:PFCGdescriptiontab

Thedescriptiontab,asseeninFigure4.2,isusedtoprovideadescriptionoftherole and its contents. TheLONG TEXT box enables the security administrator tonote additional information that may be useful for future role maintenance andalsotoleavealogofallchangesthathavebeenmadetotheroleovertime.TheDESCRIPTIONtabidentifiestheusername,date,andtimethattherolewascreatedand the last time itwaschanged.Thiscanbeveryuseful information if there ismorethanonesecurityadministratorcreatingorchangingroles.

Transaction inheritance allows the role to derive authorizations fromanexistingrole. If the role isderived, theparentormaster roleappears in theDERIVEFROMROLEtextbox(moreonderivedrolesinSection4.3).

Figure4.3:PFCGmenutab

TheMENUtabisprimarilyusedtobuildtheroleatthetransactionlevel.Thisisthefirststepinsupplyingtherolewithauthorizationsthatallowuserstocompleteoneormore tasks in thesystem.Aside from transactions,otherobjectscanalsobeadded to the role via the MENU tab such as Web applications and reports.Additionally, foldersmaybeaddedto themenu(FOLDERbutton)andtransactionscanbearrangedusing these folders,whichwill translate tohowtheyappearontheuser’shomescreenuponloggingintoSAP.

ThefollowinglistprovidesanexplanationofalltheimportantscreenelementsinFigure4.3.

TheARROWbuttonsallowthesecurityadministratortonavigatethemenu.

TheTRANSACTIONbuttonisusedtoaddatransactiontoaroleorotherobjectsthatcanbeselectedfromthedrop-downlist.

Deletesatransaction,report,orotherobjectfromthemenu.

Togglestechnicalnamesonandoffinthemenu.

Technicalnamesinmenu

If technical names are enabled, transactionVA01will appear inthe MENU tab as “VA01 – Create Sales Order,” if they aredisabled, the transaction will appear simply in the menu as“CreateSalesOrder.”

COPYMENUSbuttoncanbeusedtocallrolemenusfromatemplateorwithinanotherrole.

ADDITIONALACTIVITIEsbuttonallowstheadministratortheabilityto:

TranslateanodefromonelanguagetoanotherDisplayanydocumentationfortransactions,programs,etc.SearchinReportDocumentation

Menutabexample

Auserneedsaccess to transactioncodeVA01 (CreateaSalesOrder).Thesecurityadministrator thengives theuseraccess tothistransactionbyaddingVA01tothemenuintheroletowhichtheyarealreadyassigned.

Ultimately,theMENUtabisusedtomanagerolecontentatthehighestlevel,whichtypicallyequatestotransactioncodes,reports,andWebservices.

Theheartoftherole/profilemaintenanceprocesslieswithintheauthorizationtabofPFCGbecause this iswhereall the authorization data is configured.As youcanseeinFigure4.4,noauthorizationcurrentlyexistsfortherole.

Figure4.4:PFCGauthorizationtab

Inordertoconfigureauthorizationdatafor therole,oneof twobuttonsneedstobepressed:

TheCHANGEAUTHORIZATIONDATAbuttonenablesyoutomanipulateauthorizationdatathatalreadyexistsintherole.

TheEXPERTMODEFORPROFILEGENERATIONbuttonallowstheroleadministratortochoosethemechanismforpopulatingandchangingroleauthorizationdata.

Manipulatingroleauthorizationdata

The best practice for manipulating role authorization data is toselect thebuttonEXPERTMODEFORPROFILEGENERATION.Whennoauthorization data currently exists for the role, no options forauthorizationmaintenanceappear.EXPERTMODEwillonlydisplay

optionsif theauthorizationdatawaspreviouslyconfiguredandsaved.Whenroledatahaspreviouslybeenconfigured,theroleadministratorshouldalwaysselect theoption for “ReadOldStatusandMergewithNewData.”Thiswilladd or remove any default authorization objects and values that SAPassociates with changes that have been made in theMENU tab. The datarepository that stores the relationships between transactions, authorizationobjects,andvalues(andcanbemanipulatedtomeettheneedsofthespecificSAPclient)isintransactionSU24(seeSection5.4).

The first screenwithin the authorization tab is theDEFINEORGANIZATIONAL LEVELSwindow as seen in Figure 4.5. The screen appears if any of the authorizationobjects associated with the transactions in the MENU tab check for anorganizationalfield.Suchfieldsincludecompanycode,salesorganization,plant,accounttype,etc.ArolecanhaveaccesstooneormoreorganizationalvaluesforeachfieldintheORGANIZATIONALLEVELSwindoworopen-wideaccess.

Fieldvalueswithopen-wideaccess

Ifthedesiredvalueforanauthorizationfieldisopenaccesstoallpossiblefieldvalues,the“*”indictormaybeused.Forexample,arolemay have access to all sales organizations within a singlecompany code. In this instance, the company code fieldwill be

populatedwith“1000”andthesalesorgfieldwillbemarkedas“*”withintheORGANIZATIONALLEVELSwindow.

TheSAPbestpracticeistopopulateorganizationfieldvaluesonlyinthiswindow.Any fields populated in this window will automatically distribute to anyauthorization objects inwhich they reside. This practice is essential in order to

ensure role integrity. TheORGANIZATIONAL LEVELS windows distribute the enteredvalues inallauthorizationobjects inwhicheach field ispresent,so that therolehas consistent access to the same organizational entities, which should bereflectedintherolename.

Figure4.5:Theroleorganizationlevelswindow

After theORGANIZATIONAL LEVELSwindow is populated and the values have beensaved, all authorization objects associated with the role appear, as shown inFigure 4.6. Youmay now be asking yourself, what really just happened?WhatexactlyamIlookingat?Here’sarecap:

1. TransactionswereaddedtotheMENUtabfortherole.2. Thenecessaryauthorizationobjectswereautomaticallypulledintotherole

basedonthetransaction/authorizationrelationshipdatastoredinSU24.3. Ascreenappeared,whichrequiredthatallorganizationaldatafortherole

bedefined.Thisorganizationaldataiscontainedinoneormoreauthorizationobjectswithintherole.

4. Ascreenappearswithtrafficlightindicators(seeFigure4.6)whenauthorizationdatafortheroleismaintained.

Figure4.6:Roleauthorizationdatascreen

Beforecontinuingonwithauthorizationmaintenance,hereisarecapofafewkeydefinitions:

Authorizationobjectclasses

LogicalgroupingofauthorizationobjectsContainoneormoreauthorizationobjectsSalesandDistributionisanexampleofanauthorizationobjectclassasseeninFigure4.6

Authorizationobjects

FieldslinkedtovariousdatabasetablesCancontainupto10fieldsV_VBAK_AATisanexampleofanauthorizationobjectasseeninFigure4.6

Authorization

AninstanceofaspecificauthorizationobjectEnablingseveralauthorizationsforanauthorizationobjectwithcombinationsofdifferentfieldvaluesAninstancecanbetrackedbyuniquetwo-digitnumberT-I855604900isanexampleofanauthorizationasseeninFigure4.6

Thefollowingscreenelementsontheroleauthorizationscreenareimportant:

Expandallroleauthorizationdata

Collapseallroleauthorizationdata

Generateauthorizationdata.Thisbuttonwillcreateorupdatetherole’sassociatedprofile(s)uponcompletionofauthorizationmaintenance.

Deleteauthorizationfromtherole

Manuallyaddauthorizationobjecttotherole

Specifyorganizationallevelsfortherole

Whatdothe“trafficlights”indicate?

Green:FullymaintainedauthorizationfieldsYellow:PartiallymaintainedauthorizationfieldsRed:Unmaintainedorganizationallevels.Aspreviouslystated,returningtotheORGANIZATIONALLEVELSwindowandmaintainingtheorgvaluesinthesinglelocationwillrectifythis.

Possible field entries for an unmaintained authorization field can be found byclicking on the PENCIL button.Various pop-upwindowsmay be visible upon thisaction to aid the administrator in populating authorization fields. Figure 4.7displays possible field values forSALES DOCUMENT TYPE for authorization objectV_VBAK_AAT.Upon clicking the PENCIL button, a pop-up appears inwhich fieldvalues can be manually entered or the administrator can further select from adrop-downmenu.Anadditionaloptionforthesecurityadministratoristopopulatearangeoffieldvaluesforthegivenauthorization.

Figure4.7:Authorizationobjectandpotentialfieldvalues

Onceall fieldshavebeenmaintained foranauthorization, theassociated trafficlightturnsgreen.Alltrafficlightsappeargreenwhenallauthorizationfieldswithinthe role have been maintained. Once all authorization fields have beenmaintained, the final step is to generate the profile(s) associated with the role.Thisstep isessential! If theprofile isnotgenerated, theassigneduserswillnotreceiveaccesstothetransactionsandauthorizationswithinthesystem.Inorder

togeneratetheprofile(s),clickthebeachballbuttonontheauthorizationscreen().Apop-upscreenappears toallow theadministrator tomanuallychange the

nameof theauthorizationprofileorkeepitastheSAPstandard.Oncethisstephas been completed, a message appears stating successful generation of theauthorizationprofile(s).

Recap

The SAP Security administrator just finished configuring all theauthorization data for the role. Field-level authorizations weredefined for all authorization objects automatically brought in bythe transaction codes in the MENU tab. The profile was then

generatedandanyuserassignedto thisrole isable toaccessthe identifiedtransactioncodesandfield-levelauthorizationswithintheSAPsystem.

A profile can only contain 150 individual authorizations. Therefore, if a rolecontainsmorethan150authorizations,aseparateprofilewillbegeneratedforeachset.

Ausermasterrecordcanonlybeassignedto312profiles.

Aftergeneratingtheprofile,itisbesttobackoutoftheauthorizationwindowandgototheUSERtab(seeFigure4.8).Withinthistab,auserorgroupofuserscanbeassignedtotheroleinthesamemanneranindividualusercanbeassignedtomultipleroleswithintheusermasterrecord.TheUSERCOMPAREbuttonreconcilesthe usermaster records of the users entered onto this tab. A user comparisonmustbecompletedafterusershavebeenenteredonthistabofPFCGinorderfortheseuserstoreceivetheauthorizationswithintheroles.TheFROMandTOfieldscanbeutilizedtospecifyusers’accesstoarolebydate,whichcanbeuseful ifthe user is substituting responsibilities for another or testing a particularfunctionality.

Usercomparison

A user comparison must be completed after users have beenselected in order for these users to receive the role and itsauthorizations. Not unlike the rest of the role maintenanceprocess,theUSERtabwillcontinuetohavearedtrafficlightuntila

usercomparisonhasbeencompleted.

Figure4.8:PFCGUsertab

Aspreviouslystated,SAPcomeswithhundredsofroletemplatesthatbeginwith“SAP”andcanbeusedastemplatesforrolecreation.

4.2Authorization-objectlevelsecurityNow that you have reviewed all the required steps in the role creation andmaintenance process, it is time to dig a little deeper. At this point youmay beaskingyourself,“Ok,soIknowallthetechnicalsteps,buthowdoIknowexactlywhatfieldvaluestoincludeforagivenauthorizationinPFCG?”TherearemanytipsandtricksthatwillaidtheSAPSecurityadministratorinfillingoutthecorrectinformation.

Thefirstandmostsimplisticwaytomaintainthefieldvaluesforanauthorizationistoaskafunctionalpersonwhoiswithinthedepartmentthatisrequestingtheroleto be created or changed. Continue to use authorization object V_VBAK_AAT,Authorization for Sales Document Types, with this example. V_VBAK_AATcontains twoauthorization fields:ACTIVITYandSALESDOCUMENTTYPE (seeFigure4.9).Thefunctionaldepartmentshouldbeprivytothesalesdocumenttypes(i.e.standard orders, return orders, and quotations) and activity types (i.e. create,change,anddelete)includedinthisrole.

Ifthefunctionaldepartmentcannotprovidetherequiredinformation,thenextstepwould be to use all of the relevant information on the screen and do furtherresearchwithintheSAPsystem.

Figure4.9:Roleauthorizationscreen

Noticethebuttonthatlookslikeamountainrange.Onceclicked,apop-upwindowappearsanddisplaysthetransactionsinthisrolethatareassociatedwiththeauthorizationobject(seeFigure4.10).Thepop-upwindowalsodisplaysthefieldvaluesthatareautomaticallybroughtintotheroleforthatobjectwhenthetransactionisadded.Asareminder,thisrelationshipinformationisstoredandcanbemanipulatedintransactionSU24.

Otherrelevantinformationprovidedontheauthorizationwindowisthetechnicalnameforeachfieldvalue.Ifthefunctionaldepartmentdoesn’tknowtheinformationyouareaskingthemtoprovide,youcanmakenoteofthetechnical

fieldname(inthiscaseAUART)andgotothecorrespondingtransactioncode(VA01).Lookforthefield(SALESDOCUMENTTYPE)onthescreen(seeFigure4.11)andshowittothefunctionalteam.

Figure4.10:Authorizationobjectandtransactionrelationship

Figure4.11:Salesdocumenttypeasitappearsinfunctionaltransaction

Ifyoucannotfindthefieldexplicitlylabeledonthescreen,youcanusethe“F1”key(help)oneachfielduntilyoufindthecorrectone(asinFigure4.11).Thispop-upwindowwilldisplayvaluableinformationaboutthefieldanditsuse,aswellasafunctionalbusinessexampleofitsapplication.Thepop-upwindowwillalsohavea TOOLS (technical information) button that when clicked will provide otherinformationthatmayproverelevant(seeFigure4.12).

Figure4.12:Fieldtechnicalinformation

InFigure4.12,youcansee that the technical fieldname(AUART)matches thetechnical name in the authorization role. At this point, the SAP Securityadministratorcanshowthefunctionalteamthefieldnameinthetransactiontheyareattemptingtodefine.

If an organizational field is unmaintained, it appears red in the authorizationwindow (seeFigure4.13).Noticehow the fieldnamehas theword$VKORG inthelinewherefieldvalueswouldordinarilybemaintained,this isoftenhowtheyappear when an organizational level has not been determined. Once the fieldlevel has been assigned in the ORGANIZATIONAL LEVELS window, $VKORGdisappearsandthefieldvaluesappearasmaintained.

Figure4.13:Authorizationobjectwithunmaintainedorglevel

Pressing“F1”onauthorizationobjectsand fieldswithin thePFCGauthorizationwindow will also produce a list of helpful information. Such information mayincludeadescriptionoftheauthorizationobjectandpotentialfieldvalues.

TransactionSU21canalsoaidthesecurityadministrator infindingsimilarusefulinformation. As seen in Figure 4.14, clicking on the respective module (in thiscase SD) and the authorization object (V_VBAK_AAT) will show additionalinformation.

Figure4.14:SU21landingscreen

ClickingtheDISPLAYOBJECTDOCUMENTATIONbuttoninFigure4.14producesapop-upwindow with the authorization object definition, field-level information, andpossiblefieldvalues(seeFigure4.15).

Figure4.15:Objectdocumentation

Once a role has been tested, it may be necessary to inactivate or delete aninstanceofanauthorizationobjectortheauthorizationobjectitselfifuseraccessisnotrequired.Remember:asingleauthorizationobjectcanhavemorethanoneset(instance)ofdefinedfieldvalues.

Figure4.16:Inactivatedauthorization

Toinactivateaninstanceofanauthorizationobject,clickontheMINUSbuttonfortheinstance,asseeninFigure4.16.

NoticethatonceaninstancehasbeeninactivatedaTRASHCANappears,sothattheinstancecanbedeleted.Ifmorethanoneinstanceofanauthorization

objectexists,thesamemethodisused,butclicktheINACTIVATEbuttonattheobjectlevel.

Thebuttonthatreplacestheinactivatebuttonallowsyoutore-activatetheinstanceorobjectthatwaspreviouslyinactivated.

Alwaysinactivate

Personalexperiencedictatesthat it isalwaysbetterto inactivatean instance of an authorization, but not to delete it. If the SAPSecurity administrator ever needs to refer back to the originalstateoftherole,theyareabletoifthispracticeisfollowed.

If the administrator wishes to copy an instance of an authorization object, theyonly need to click on the authorization, select EDIT from the menu path, andchoose COPY AUTHORIZATION. This will produce an identical instance of theauthorizationthatwasselected.

Oncealltheauthorizationdatafortherolehasbeenconfigured,theadministratorcancleanup theauthorizationwindowbymerging identicalauthorizations.Thiscan be done by selecting UTILITIES from the menu path and choosing MERGEAUTHORIZATIONS.Thistaskwillcombineauthorizationsandmayreducethenumberofprofilescreatedfortherole(rememberonly150authorizationscanfitwithinaprofile). To view all the profiles for a single role, select AUTHORIZATIONS from themenupathandchoosePROFILEOVERVIEW.Onlythefirstprofilewillbedisplayedontherole’sauthorizationtab.

4.3RoletypereviewThere are three different types of SAP standard roles: single, derived, andcomposite(collective)roles.

4.3.1SinglerolesA single role contains authorization data. Section 4.1 discussed how to createsinglerolesusingtheprofilegeneratortransaction(PFCG).

4.3.2CompositerolesAcompositerole, also knownasacollectiverole, is a grouping of single roles.Whenacompositeroleisassignedtoauser,allthesinglerolesassociatedwiththatcompositeroleappearintheusermasterrecord.Theuserwillhaveaccesstoalltheauthorizationdatacontainedinthosesinglerolesandiftheauthorizationsinasinglerolechange,thecompositerolewillautomaticallybeupdatedaswell.Creatingacompositerolealsobeginsintheprofilegeneratortransaction(PFCGlandingscreen).First,entertherolenameasdesired,inthiscaseZ_AP_CLERK(asseeninFigure4.17)andthenclicktheCOMP.ROLEbutton.

Figure4.17:Creatingacompositerole

Aswithasinglerole,makesuretoenteraroledescriptiononthedescriptiontab.Thelongtextboxcanalsobeusedtorecordadditionalinformationabouttheroleand its contents. It is in the roles tab that the single roles contained in thecompositeareidentified,asseeninFigure4.18.

Figure4.18:Rolestabincompositerole

Rolescanbemanuallyenteredorselectedfromthedrop-downboxandsearchedfor by a role.Any user assigned to a composite role can see a composite rolemenu upon logging intoSAP.On themenu tab of the role, allmenus from thesingle rolescanbe imported into thecomposite tocreateacollectivemenu.Aswithasinglerole,userscanbeassignedtoacompositerolewithintherole’susertaborfromtransactionSU01(usermasterrecord)orSU10.

Figure4.19:CompositeroleassignmentinSU01

You will notice in Figure 4.19 that the composite role assignment appearsdifferently in the usermaster record than previously assigned single roles. Thecolored circles next to the role name indicate the type of role that has beenassigned,onecircle indicatesasingle roleand twocircles indicateacompositerole.Thetypecolumnalsoshowswhethertherolehasbeendirectlyorindirectly(fromacompositerole)assigned.Thesinglerolesthatareassignedasaresultofthecompositeroleassignmentcannotberemovedfromtheuser’smasterrecordwithoutremovingtheentirecompositerole.

4.3.3DerivedrolesAreference-derivedrole isa typeofsingle role that inherits themenustructure,transactions,reports,andanyotherobjectsfromanexistingrole.Aderivedroleisusefulwhena need exists tomimic a role’s functionality, but provide access todifferent organizational levels. In a derived role, theonly elements not inheritedareuserassignmentsandorganizationallevels.Aderivedroleisalsoreferredtoas a child role, and the role from which it inherits its authorizations is oftenreferredtoasaparentroleormasterrole.

Derivedroleexamples

Jen and Allyson are both sales clerks and need access to thesame transaction codes and authorizations, however, Allysonworks in sales organization 2000, whereas Jen works in salesorganizations2000and3000.Theirboss,Tracy,worksacrossall

salesorganizations.Derived rolescanbecreatedbasedon theall-inclusiverole that Tracy has and limited to company codes 2000 and 3000. Jenwill

receivebothderivedrolesandAllysonwillreceiveonlytheonefor2000.

Now,youmayarguethatintheexampleabove,Tracy’srolecouldbecopiedandtheORGANIZATIONALLEVELSwindowcouldmerelybemanipulatedtoaccountforthedeviations insalesorgaccess.This ispossible;however, ifanewtransaction ismade to Tracy’s role, the corresponding derived roles would be updated,decreasingredundancyandman-hours tomaintain theroledesign. If therole iscopiedandchanged,thetransactionneedstobeaddedtothecopiedroles.

Tocreateaderivedrole,beginwiththesamestepsasforanysinglerole.Gototheprofilegenerator transaction (PFCG)andenter thederived rolename in theROLEtextboxandclicktheSINGLEROLEbutton,asseeninFigure4.20.

Figure4.20:Creatingaderivedrole

Thenextstep is toenter theparentormaster role in theDERIVEFROMROLE textbox. The system prompts you to confirm that you desire to enter the specifiedimpartingroleinapop-upwindow(seeFigure4.21).

Figure4.21:Identifyingtheparent(master)role

Aftersaving,themenutabtrafficlightturnsgreen.Thisisbecausethemenuhasbeen brought over from the parent role. Alternatively, the traffic light on theauthorizationtabisstillred.Theauthorizationsandtheirfieldvaluesstillneedtoberetrieved.Todothis,backoutof thederivedrole to thePFCGlandingpage,entertheparentroleinchangemode,andgototheauthorizationwindowfromtheauthorization tab. When a single role becomes a master role, a new buttonappears in theauthorizationwindow.ThisbuttonhasTWOBOXESANDTWOARROWS

onitandappearsnexttothePROFILEGENERATIONbutton(seeFigure4.22).

Figure4.22:Pushingauthorizationstochild(derived)roles

Thenewbuttonthatappears isusedtogenerate theassociatedderivedrole(s).Therecanbenumerousderivedrolesassociatedwithoneparentroleiftherearemanyorganizational levels forwhichaccessneeds tobedifferentiatedamongstthe user population. Upon clicking this button, a pop-up window appears to

confirmyouractionandoncethisiscomplete,theprofilesforthederivedrolesaregenerated and the authorization objects and field values are populated in theirrespectiveauthorizationwindows.

Thelaststepistoupdatethederivedrole’sorganizationalwindowwiththecorrectvalues todifferentiate it from themaster role.Such is thecasewith the role,asshowninFigure4.23,whichisspecifictosalesorganization1000.Asalways,therolemustbesavedandtheprofilegenerated.

Figure4.23:Updatingorglevelsinderivedrole

4.3.4BestpracticesforSAProledesignsThesinglemostimportantruletolivebyasanSAPSecurityadministratoristheruleof leastprivilege.Theruleof leastprivilegedictates thatusersshouldhaveexactly what they need to do their daily jobs and very little else. Most SAPSecurityexpertswillpromotea task-basedroledesign inwhicheachsinglerolecorrespondstoaspecific task in thesystem,suchasmaintainpurchaseorders.Byutilizingatask-basedroledesign,singlerolescanbemoreeasilymixedandmatched to account for differentiation between users who may have the exactsame job title, such as AP clerk, but may not need authorization to performidentical tasks. As previously stated, all role names should be as explicit aspossibleandbeanaccuraterepresentationoftheauthorizationscontainedintherole.Position-basedcompositeorcollectiveroles(i.e.RoleforAPClerk)canbecreated, but the best practice is to create these based on the lowest-levelcommondenominatorbetweentheuserswhosharethistitle.

Position-basedcompositeroles

Thereare3APclerksincompanyXYZ.XYZutilizesatask-basedrole design with position-based composite roles. AP Clerk 1needstaskrolesA,B,C,D,andE.APClerk2needstaskrolesA,B,C,D,andF.APClerk3needstaskrolesA,B,andC.The

compositeroleforAPClerkshouldincludetask-basedsinglerolesA,B,andC.Clerk1shouldalsoreceivetaskrolesDandE,andClerk2shouldreceivetaskroleDandF.

User access reviews should be performed on a periodic basis to certify theassignmentofrolesandauthorizationsandtoreduceaccesscreep.Accesscreepoccurs when users gain access to roles and authorizations that they do notrequire.

Accesscreepscenarios

Accesscreepmaybedifficulttodetectandcanoccurforavarietyofreasons.Themostcommonaccesscreepscenariosinclude:

1.Oneuserfillsinforanothertemporarilyandtheiraccessisnotremovedupontheoriginaluser’sreturntowork.

2.Auserrequiresaccesstoanadditionaltaskinthesystem.Thisaccessisthen added to one of the user’s roles and others who do not require theaccessinadvertentlyreceiveitthroughtherole.

3.Auserperformsataskonacyclicalbasisandretainstheaccesswhentheynolongerrequireit.

Now that you understand the rule of least privilege and access creep, you areready forsegregationofduties (SoD) risks.Theonlysegregationofduties risksthatshouldoccurwithinanSAPsystemare those thatareunavoidableandnotmerelyaresultofaccesscreep.SoDrisksareunavoidablewhentheresimplyarenotenoughindividualsinafunctionaldepartmenttosplitupallofthejobtasksinthemannernecessarysothatnorisksoccur.Securityadministratorscanworkinconjunctionwith a company’s internal audit team and external auditor to betterunderstand their specific risk and controlsmatrix and how to prevent avoidableSoDviolations.

4.4TransportingauthorizationsRolechangesarealwaysdoneinthedevelopmentenvironmentandtransportedto thequalityenvironment for testingand to theproduction system for liveuse.Usermasterrecordchangesareconducteddirectly inproduction,as it isabestpracticenottomoveuserroleassignmentswhentransportingroles.Thetransportmanagementprocessincludesthreedistinctsteps.

1.Createtransportrequest

Rolescanbetransportedindividuallyorinlargegroups.Inordertotransportasinglerole,clickontheTRUCKbuttononthePFCGlandingpage(seeFigure4.1)andfollowtheprompts.Totransportgroupsofroles,clickonUTILITIESinthemenubaronthePFCGhomescreenandchooseMASSTRANSPORT.Rolelistscanbeselectedfromthedrop-downboxorlistscanalsobecopiedfromtheclipboardpriortoexecuting,asseeninFigure4.24.

Figure4.24:Masstransportofroles

Thefollowingstepswillbethesameregardlessofwhetherasingleroleoragroupofrolesarebeingtransported.Apromptwillappearforacustomizingrequest(transport).Tocreateanewtransportrequest,clickthePAPERbuttononthepop-upbox(seeFigure4.25).EnterashortdescriptionandclicktheFLOPPYDISKbuttontosave.

Figure4.25:Creationofcustomizingrequest

Afterthetransporthasbeencreated,makesuretojotdownthetransportnumberbecauseyouwillneeditinthenextstep.OnceyouenterthroughthepromptforCUSTOMIZINGREQUESTscreen,therolesincludedinthetransportwillappear.Asalways,successisindicatedbygreentrafficlights,whereasredtrafficlightsindicateanerrorwiththeinclusionofaspecifiedrolewithinthetransport.Rolescanalsobeaddedtoanexistingtransportbysearchingfortheexistingrequestnumberinsteadofcreatinganewrequest.

2.Releasetransportrequest

GototransactionSE10(transportorganizer)toreleasethetransportrequest(seeFigure4.26).ClicktheDISPLAYbuttonandalistoftransportrequestswillappear.

Figure4.26:Transportorganizer

Selecttherequestnumberfromthelistandexpandtheselection,asseeninFigure4.27.Highlightthelineintherequestthatislabeledastask.ClicktheSINGLETRUCKbutton.Highlightthetoplineitemintherequest.ClicktheSINGLETRUCKbutton.

Figure4.27:Transportrequestreleasescreen

Amessagewillappearoncetherequesthasbeensuccessfullyreleased.

3.Movetransporttoqualityand/orproduction

Mostorganizationswillhaveadedicatedchangemanagementprocess,whichwillincludetheprocedurebehindtransportingandtestingsecurityrolechanges.TheresponsibilityofmovingtransportrequestsusuallyfallsontheSAPBasisresource.

5SAPSecurityandAuthorizationstrouble-shootingThis chapter covers some more advanced topics, including security andauthorizationtrouble-shootingtechniques.Italsotouchesonsomevaluabletools and tables for identifying user master records and role andauthorizationinformation.

5.1ReadinganSU53TransactionSU53isuseful ifauser isareceivinganerrormessagebecauseofmissingauthorizations.TodiagnoseauthorizationerrorsusingtransactionSU53,followthesesteps:

1.HavetheuserrecreatetheerrorandIMMEDIATELYgototransaction/nsu53andsendascreenshotofthatpage.

Figure5.1:ErrorMessage:“NoauthorizationfordocumenttypeOR1”

2.Thepagewillshowauthorizationobject‘’_’’_’’andvaluesthatareneeded.

Figure5.2:TransactionSU53displayslastauthorizationobjecterrorandmissingfieldvalues

SU53example

In theabovescreenshots, user “TESTID” is aiming to createastandard sales order (sales document type OR1) in SalesOrganization1000viatransactionVA01(createsalesorder).Theuser is able to execute the transaction, but upon sales order

creationreceivestheerrormessage“noauthorizationfordocumenttypeOR1”(Figure 5.1). The user executed transaction SU53 to diagnose theauthorizationerror(Figure5.2).Astheauthorizationerror indicates,theuserfailed on authorization object V_VBAK_AAT (authorization for sales doctypes). The field values requiredare also indicated;Activity 01 (create) andSalesDocumentTypeOR1(standardorder).Currently,therolethattheuserisassignedtoonlyhasauthorizationtodisplaystandardorders.

5.2Runningatrace(ST01)Oneof thedrawbacks tousing transactionSU53 is that it only shows themostrecentauthorizationerror.Onoccasion,SU53willproducemisinformationbasedonthelastauthorizationfailure.

SU53warning

Itisimportanttoask,“Whatisthisusertryingtodo?DoesSU53makesensebasedonthejobtaskbeingperformed?”SU53maysometimes give misinformation because it only reports the lastfailure, which may not be the authorization object required

specifictotheissuethatisarising.

If SU53 is not a suitable option to diagnose an authorization, transactionST01(system trace) is a more all-encompassing option (see Figure 5.3). Trace filesshow all authorization passes and failures over a given period of time. UnlikeSU53however, transactionST01 shouldbe reserved for security administratorsandothersuper-users,suchasbasisadminsanddevelopers.To runasecurityauthorizationtraceusingtransactionST01,followthesesteps:

1.SelecttheAUTHORIZATIONCHECKradiobutton

2.PutauserIDintheTRACEFORUSERONLYfieldintheGENERALFILTERsection

3.ClickthebuttontoTURNTRACEON

Figure5.3:Authorizationtracehomescreen

4.Havetheuserrecreateerror

5.ClickthebuttontoTURNTRACEOFF

6.ClickANALYSIS

7.Fillinthecredentials(makesuretheuserIDthatyouenteristheoneyouarerunningtraceagainst)andexecute(seeFigure5.4)

Figure5.4:Analysiscredentialsscreen

8.AnytimeRC(RETURNCODE)doesnotequal0,itisafailure(asseeninFigure5.5)

Figure5.5:Authorizationtraceoutputforanalysis

Figure5.5reflectstheidenticalauthorizationerrortoFigure5.2inthattheuserisunable to create a standard order (order type OR1) in transaction VA01. Aspreviouslymentioned,anytimea line item indicates thatRCdoesnotequal, anauthorization failure ispresent.Such failuresarealso represented inadifferentcolorontheST01outputscreen.

Tipforrunningtraces

Onrareoccasions,theinformationdisplayedinanST01tracefileonlyshowsauthorizationsthattheusercurrentlyhasandwillnotaccuratelydepictauthorizationfails,whichcanmakeitdifficulttodiagnoseissues.Inthisinstance,comparethetracefileofauser

whocancompletethetaskwithonewhocannot.Theanswershouldlieinthedifferences.

5.3UsefulSAPSecuritytablesandsensitiveauthorizationsSAP Security administrators and consultants will often need to utilize technicalSAPtablestoquerylargeamountsofdataasitrelatestousersandroles.ManySAPtransactionsstorefieldinformationthatishousedinthetablerepositoryandsuch information can be viewed in transactions SE16 and SE16N, the databrowsers(seeFigure5.6).ThemostcommonlyusedSAPSecurity tablesbeginwith“AGR”and“USR(seeSection5.3.1).”

Figure5.6:HomescreenoftransactionSE16withtablename“AGR_USERS”populated

TableinformationisreturnedbasedontheselectioncriteriapopulatedbytheSAPsecurityadministrator,asseeninFigure5.7.

Figure5.7:Selectioncriteriafortable“AGR_USERS”

Figure5.8depictsthetabledatareturnedfromthechosenselectioncriteria.

Figure5.8:Datapopulatedbasedonselectioncriteria

5.3.1UsefulSAPsecuritytablesTablename:

Tabledescription:AGR_1251

Roleobject,authorization,field,andvalueAGR_1252

OrganizationalelementsforauthorizationsAGR_AGRS

RolesincompositerolesAGR_DEFINE

Toseeallroles(Roledefinition)AGR_PROF

ProfilenameforroleAGR_TCODES

AssignmentofrolestoT-codesAGR_TEXTS

RoleandroledescriptionAGR_USERS

AssignmentofrolestousersTSTCT

TransactioncodetextsUSER_ADDR

AddressdataforusersUSGRP

UsergroupsUSR02

Userdata(logondata)USR03

Useraddressdata

Authorization for the following SAPECC (ERPCentral Component) transactioncodes(seeSection5.3.2)andauthorizationobjects(seeSection5.3.3)areonlytobe assigned to roles, which indicate the inclusion of sensitive information orcriticalactions.Suchrolesaretobeassignedtousermasterrecordswithafinetoothcombandaccessmustbemonitoredonaperiodicbasistoensureretentionof such authorizations is required. The business processes of finance, humanresources, basis, and security are commonly regarded as the most critical,regardlessofindustry,asreflectedinthelistsbelow.

5.3.2SensitiveandcriticalSAPtransactionsTransaction:

Transactiondescription:CA87

MassreplaceworkcenterCAT6

HumanResourcesCL04

DeleteclassF.34

CreditlimitmasschangesF.80

MassreversalofdocumentsF044

VendorarchivingFI12

ChangehousebanksorbankaccountsIP30

Run-datemonitoringLN08

Numberrangemaintenance:LVS_LENUMMMPV

CloseperiodsMMRV

AllowpostingtopreviousperiodPA20

DisplayHRmasterdataPA30

MaintainHRmasterdataPA70

FastentryPA97

Compensationadministration–matrixPFCG

Rolemaintenance–systemintegrity,stabilityatriskRZ04

MaintainSAPinstancesSA38

ABAPreporting–canrunprogramsnotprotectedappropriatelySARA

Archivingmanagement–shouldberestrictedtoarchiveadministratorSCC1

Clientcopy–specialselectionsSCC4

Clientadmin.–systemstabilityandintegrityatriskSCC5

Deleteclient–systemstabilityatrisk

SCC6Clientimport–systemstabilityandintegrityatrisk

SCC9Remoteclientcopy–systemstabilityandintegrityatrisk

SCCLLocalclientcopy–systemstabilityandintegrityatrisk

SE01Transportorganizer–systemstabilityandintegrityatrisk

SE11Datadictionarymaintenance–systemstabilityandintegrityatrisk

SE13Maintaintechtablessettings–systemstabilityatrisk

SE16Databrowser–exposuretoconfidentialinformation

SE37Functionbuilder

SE38ABAPeditor–systemstabilityandintegrityatrisk

SM01Locktransactions–systemstabilityatrisk

SM02Systemmessages–shouldberestrictedtosystemadministratorsonly

SM30Tablemaintenance–systemintegrityandstabilityatrisk

SM49ExecuteOScommands–systemstabilityatrisk

SM50Workprocessoverview–systemstabilityatrisk

SU01Usermaintenance–shouldberestrictedtouseradministratorsonly

SU02Profilemaintenance–systemstabilityandintegrityatrisk

SU03Maintainauthorizations

SU05MaintainInternetuser

SU10Usermassmaintenance–systemstabilityataveryhighrisk

SU20Authorizationobjectfields

SU21Authorizationobjects

SU24

MaintainassignmentofauthorizationobjectsSU25

Profilegeneratorupgradeandfirstinstallation

5.3.3SensitiveandcriticalSAPauthorizationobjectsandtheirvaluesRestrictedobjectRestrictedfield:Authorizationobjectdescription:

S_DEVELOPOBJTYPEPreventdirectdevelopmentaccesstoproductionthroughDEBUG,FUGR,orPROG

S_ADMI_FCDS_ADMI_FCDSystemadministrativefunctions

S_PROGRAMP_GROUPABAP:Programflowchecks

S_RFCRFC_NAMEAuthorizationcheckforRFCaccess

S_RFCACL{Multiple}AuthorizationcheckforRFCuser(e.g.trustedsystem)

S_TABU_DISDICBERCLSTableauthorizationgrouprestriction

S_BDC_MONI{Multiple}Batchmanagementauthorization

S_BTCH_ADMBTCADMINRestrictbatchadministratoraccess

S_BTCH_JOB{Multiple}Backgroundprocessing:Operationsonbackgroundjobs

S_BTCH_NAMBTCUNAMEBackgroundprocessing:Backgroundusername

S_ALV_LAYOACTVTSensitiveobject–S_ALV_LAYOforreportmaintenance

S_SCRP_TXT{Multiple}SAPscript:Standardtext

S_IDOCMONIEDI_MESEDImessagetyperestriction

S_USER_AGR{Multiple}Restrictthemaintenanceandassignmentofroles

S_USER_GRP{Multiple}Restrictthemaintenanceofusermasterrecords

S_SPO_ACT{Multiple}Maintenancetospoolrequestswhicharen’tyourown

S_SPO_DEVSPODEVICESpool:Deviceauthorizations

S_CTS_ADMICTS_ADMFCTControltheflowoftransportsintoproduction

S_TRANSPRT{Multiple}Transportorganizer

5.4Maintainauthorizationobjectassignmenttotransactioncodes(SU24)Transaction SU24 is the transaction code that allows you to maintain theassignment of authorization objects to transaction codes. SU24 ties the SAPSecurityandAuthorizationsconcepttogetheratitscore.Whenatransactioncodeisaddedtorole,authorizationobjects,andallorsomeoftheirfieldvaluesmaybeautomatically brought into the role. How does SAP know what authorizationobjectsandfieldvaluesaretiedtothetransaction?Well,thisinformationisstoredintransactionSU24.SAPhasdevelopedstandardsforalltransactioncodesandassociated authorization objects, but a company can also manually makechangestoSU24asrequired.

SU24example

Anytime VA01 (created sales order) is added to a role,authorization object V_VBAK_AAT (authorization for salesdocument type) is also automatically brought in. V_VBAK_AAThastwofields:ACTVT(activity)andAUART(salesdoctype). In

theactivityfield,activity“01”(create)isalsoautomaticallypopulated,howeverno automatic entries are populated for sales doc type. At company XYZ,anytime a user has access to VA01, they should automatically be able tocreate sales document type “OR1” (standard order). In this instance, VA01andV_VBAK_AATcanbeupdatedmanuallyviatransactionSU24to includeauthorizationforstandardorders.

In order tomanuallymaintain the assignment of authorization objects and theirvaluestotransactioncodesinSU24,followthesesteps:

1.GototransactionSU24(seeFigure5.9).

2.Asintheexampleabove,youwanttoaddsalesdoctype“OR1”anytimeVA01isaddedtoarole.Inthiscase,type“VA01”intheTRANSACTIONCODEbox.ClicktheEXECUTEbutton.Ifanytimetheauthorizationobjectappearedintheroleyouwant“OR1”tobeadded,switchtotheAUTHORIZATIONOBJECTtabandfollowthesamesteps.

Figure5.9:TransactionSU24landingpage

3.Alltheauthorizationobjectstiedtothattransactioncodewillbelisted(seeFigure5.10).ThePROPOSALSTATUSindicateswhetherornottheauthorizationisautomaticallybroughtintotherolewhenthetransactionisaddedtotherole’smenu.Highlighttheauthorizationobjectyoudesiretomanipulate,inthiscase,V_VBAK_AATandclicktheGLASSESANDPENCILbuttontoswitchthepagefromdisplaytochangemode(seeFigure5.11).

Figure5.10:Displayauthorizationobjectsassociated

4.Onceinchangemode,youcanclicktheCHANGEFIELDVALUESbuttonto

manipulatetheautomaticassignmentsfromV_VBAK_AAT.Youcanalsochangetheproposalindicatorforauthorizationobjects,amongotherthings.

Figure5.11:SU24changemode

5.ChangethedefaultauthorizationvaluesasdesiredandclicktheSAVEbutton(seeFigure5.12).

Figure5.12:AuthorizationobjectV_VBAK_AATwithchangesmadetoincludedefaultvalueOR1forsalesdocumenttype

5.5Userinformationsystem(SUIM)Theuserinformationsystem,transactionSUIM,isanotherusefultoolforreportingon user and authorization information based on a variety of criteria. SUIM isarrangedinthemannerofareportingtree.

Figure5.13:SUIMlandingpage

TransactionSUIM,asseen inFigure5.13,allows for reportingbasedonusers,roles, and profiles. In addition, more detailed reports exist on the basis oftransactionsandchangedocuments.Comparisonscanalsobemadetorolesandusersacrosssystems(seeFigure5.14).

Figure5.14:SUIMreportingtree

WhenusingSUIM

WhenchoosingwhichSUIMreporttoselect,startwiththeidea“ifthis, then this.”Forexample, if youhaveauser’sSAP ID, thenyou want to knowwhat roles are assigned to them or possiblywhattransactionstheusercanexecute.

6AdvancedtopicsforSAPauthorizationsThis chapter covers advanced topics for SAP Security. It provides anoverview of the security steps requiredwhen upgrading to a new releaseandintroducesGRCAccessControl.Finally,itgivesareviewtheentireSAPauthorizationconceptandtieseverythingtogether.

6.1Upgradingtoanewrelease(SU25)At a given point in time, a service pack upgrademay be required as part of alarger SAP project. In conjunction with this upgrade, new applications may beintroducedtotheenvironmentorSAPmayhavere-writtencodeforexistingSAPapplications.Therefore,additionalchangesmaybeintroducedwithinthecodeinthe formof newsecurity andauthorization checks.Theseadditionsor changesmustbeaccountedforwithintheexistingSAPSecurityroles.SAPprovidesatool,in the formof transactionSU25, for the purpose ofmanaging anSAPSecurityupgrade. In order to complete the upgrade activities, steps 2A-2D must becompleted(seeFigure6.1).

Figure6.1:HomescreenoftransactionSU25

ThefollowingisabriefsynopsisofthefourSAPSecuritytasks,steps2A-2D,to

becompletedinorder:

Step2A:AutomaticComparisonwithSU22DataComparesanyauthorizationdatamanuallymaintainedbythecustomerwithvaluesproposedbySAP.Step2B:ModificationComparisonwithSU22DataInformationreturnedbystep2Aismanuallycompared.Onebyone,thecustomerreviewsanyconflictbetweentheSAPproposedvaluesandthosemanuallymodifiedinthepast.Onecanchoosetoaccepttheproposedvaluesorkeepthosethathavebeenmanuallymodified.Step2C:RolestoBeCheckedRolesaffectedbytheupgradeareidentified.TheseroleshavetransactionsintheirmenuinwhichchangeshavebeenmadetotheproposedauthorizationvaluesinSU24.Step2D:DisplayChangedTransactionCodesThisstepisoptional.ItdisplaysanynewSAPtransactionsthathavebeenintroducedinplaceofthoseexistingandthelistofrolesaffected.

ThefinalmandatorystepintheSU25upgradeprocessistorunStep3:TransporttheCustomerTables.ThetransportofthetablesshouldbefollowedbyatransportforalltherolesthatweremodifiedandgeneratedaspartofStep2C.

6.2IntroductiontoGRCAccessControlSAPGovernanceRiskandCompliance(GRC)ispartofSAP’sanalyticsofferings.Theuseofsuchanalyticaltoolscaninfluencebusinessoutcomesbythechangesanorganizationmakeswhenusingintelligentdata.Figure6.2istheentiresuiteofSAPsolutionsforgovernance,risk,andcompliance.

Figure6.2:SAPsolutionsforgovernance,risk,andcompliance

SAPGRCsolutionsprovideaplatform fororganizations togainvisibility intoalltheir risk and compliance activities, but furthermore, to more effectively andefficientlymanage them.GRCAccessControl is theprimary solution to identifyandmitigateaccess riskswith real-time insight into segregationofduties (SoD)violations and critical access. GRC Access Control also provides the toolsnecessary for preventative user provisioning, through identification of conflictsprior tograntingaccess.TheGRCAccessControlsolution iscomprisedof fourprimarymodules:

AccessriskanalysisEmergencyaccessmanagementUseraccessreviewBusinessrolemanagement

The solution enables organizations to achieve greater efficiency, agility, andeffectivenessasitrelatestogovernance,risk,andcompliance.

GRCefficiencyprovidessavingsinhumanandfinancialcapitalresourcesby

reducingoperatingcostsandautomatingprocesses.GRCagilityiswhenanorganizationcanrespondrapidlytoachangeintheinternalorexternalriskandcontrolenvironments.GRCeffectivenessisachievedwhenorganizationshavegreaterreliabilityoftheinformationprovidedtointernalandexternalauditorsandwhentheorganizationisoperatingwithinthecontrolssetforth.

6.2.1Accessriskanalysis(ARA)Access risk analysis (ARA) is the tool that automates the monitoring ofsegregation of duties (SoD), and critical access riskswithin SAP and non-SAPsystems. ARA can leverage SAP’s standard rule set or custom rule set(s) foridentificationoftheseconflicts.Keyfeaturesinclude:

ComprehensiveandpredefinedSoDrisk-rulesetAbilitytosimulatechangestousersandrolesforthepurposeofpreventativeactionReal-timereporting

6.2.2Emergencyaccessmanagement(EAM)Emergencyaccessmanagement(EAM)providesthemeanstocentrallymanagetheemergencyandelevatedaccessacrossSAPandnon-SAPenvironments.Keyfeaturesinclude:

ReviewinguserandroletransactionusageuponcompletionoffirefighteractivitiesNotificationuponuseofcriticalorsensitiveaccess

6.2.3Accessrequestmanagement(ARM)Access request management (ARM) automates the user access provisioningprocess by utilizing built-in workflow and approval functionality. ARM alsoautomatestheprocessofreviewinguseraccessandSoDconflictsonaperiodicbasis.Keyfeaturesinclude:

Self-serviceaccessrequestandapprovalprocessusingpredefinedworkflowsande-mail-basednotificationtemplatesEmbeddedriskanalysisforpreventativeremediationofaccessrisksandapplicationofmitigatingcontrolsIntegrationwithIdM(identitymanagement)solutions

Periodicreviewofroleassignmentstousers,rolecontentassignments,andmitigatingcontrolassignments

6.2.4Businessrolemanagement(BRM)Business role management (BRM) is the tool that centralizes the creation andmaintenance of user roles and automates the workflow process for roledeployment.Keyfeaturesinclude:

Workflow-drivenmethodologyforroledefinitionandmaintenanceDefinitionofrolesusingbusinesstermsandalignmentwithbusinessprocesses

GRC Access Control has also deployed a new role management concept toreplacecompositeroles,calledGRCbusinessroles.Businessrolesworksimilarlytocompositerolesinthattheyareagroupingofmanyrolesinasingleentity,butbusinessrolescancontainrolesacrossvariousSAPandnon-SAPsystems.

6.3Wrapup:PuttingabowonitUser master records are created to house all applicable user information,including vital address data, logon credentials, password information, assignedroles,andprofiles.Whenauserlogsintothesystem,hisorherauthorizationsaretemporarilystored inmemory,alsoknownas theuserbuffer.Whenusers try toexecuteatransactioncodeorcompleteataskinthesystem,theyeitherhavetheauthorizationornot,whichisbasedontherolesandprofilesassignedtothemintheirusermasterrecords.

Rolescontainauthorizationsandwhengenerated,profilesarecreated.Rolesaredesigned in the profile generator transaction and the three most common roletypesaresingle,composite,andderived.Ifauserhasauthorizationtocompleteataskinthesystem,allauthorizationchecksthesystemperformedaresuccessfuland the authorization objects and required field values are contained in one ormoreoftheuser’sroles/profiles.Ifauserdoesnothaveauthorizationtocompletea task, trouble-shooting techniques can be deployed, such as throughSU53orrunningatrace.

Ultimately,SAPhasbuilt-infunctionalitytomeettheever-growingneedstoprotectapplication data and reduce risk exposure in the system.When designingSAPSecurityroles,itisimportanttoconsidertheruleofleastprivilegeandalignmentwithbusinessprocessesinconjunctionwithscalabilityandeaseofmaintenance.

7AcknowledgementsI would like to express my sincere gratitude to the many people who sawmethroughthisendeavor;toallthosewhoprovidedsupport,talkedthingsover,andofferedcomments.IwouldalsoliketothankEspressoTutorialsforenablingmetopublishthisbookandespeciallyAliceAdams,myeditor,whoencouragedmeandpushedmethroughoutthedurationofthejourney.

Thanks tomy two consulting families, both at IBM and itelligence. I became aconsultant because I loveworkingwith people from all walks of life, because Ibore easily, and because I love being a part of a team.None of thiswould bepossiblewithout any of you.And, of course, thank you tomy clientswho havemademycareermoreexcitingandrewardingthanIeverthoughtpossible.

Lastandcertainlynotleast,thankstomyfamilywhoIhaveconfidedinoverthepast5years–throughfirst jobs,newpositions,andchallengingclients;youaresimply the greatest. To my mom, who is the best mentor I could ask for – Ipromise todedicatemy firstmemoir to you,which ismost likelynevergoing tohappen. And special thanks to my husband Josh, who is always supportive,alwayshonest, andwhoalwaysmakesme feel better after a series of 80-hourweeksontheroadwhentheendisstillnotinsight.

Thankyou.

Youhavefinishedthebook.

Signupforournewsletter!

Wanttolearnmoreaboutnewe-books?

GetexclusivefreedownloadsandSAPtips.

Signupforournewsletter!

Pleasevisitusatnewsletter.espresso-tutorials.comtofindoutmore.

AAbouttheauthor

Tracy Juran (Levine), CPIM, is a Managing Consultant at IBM as part of theSecurityServicesRiskandCompliancepractice.ShehasextensiveexperienceinSAP Security and Authorizations; SAP Governance, Risk, and Compliance(GRC); and core cross-functional business processes. Tracy is a die-hardOhioStateBuckeyesfanandlovestoplanpartieswithfriendsandtraveltheworld;herfavoritedestinationsincludeThailand,Peru,andIsrael.SheresidesinCincinnati,Ohio with her husband, Josh, their dog, Markley, and cat, Misha. For moreinformationpleasevisitTracy-Levine.com.

BDisclaimerThispublicationcontainsreferencestotheproductsofSAPSE.

SAP,R/3,SAPNetWeaver,Duet,PartnerEdge,ByDesign,SAPBusinessObjectsExplorer,StreamWork,andotherSAPproductsandservicesmentionedhereinaswellastheirrespectivelogosaretrademarksorregisteredtrademarksofSAPSEinGermanyandothercountries.

Business Objects and the Business Objects logo, BusinessObjects, CrystalReports, Crystal Decisions, Web Intelligence, Xcelsius, and other BusinessObjectsproductsandservicesmentionedhereinaswellastheirrespectivelogosare trademarks or registered trademarks of Business Objects Software Ltd.BusinessObjectsisanSAPcompany.

SybaseandAdaptiveServer,iAnywhere,Sybase365,SQLAnywhere,andotherSybaseproductsandservicesmentionedhereinaswellastheirrespectivelogosare trademarks or registered trademarks of Sybase, Inc. Sybase is an SAPcompany.

SAP SE is neither the author nor the publisher of this publication and is notresponsiblefor itscontent.SAPGroupshallnotbeliableforerrorsoromissionswith respect to thematerials. The onlywarranties forSAPGroup products andservices are those that are set forth in the express warranty statementsaccompanying such products and services, if any. Nothing herein should beconstruedasconstitutinganadditionalwarranty.

MoreEspressoTutorialseBooksBorisRubarth:FirstStepsinABAP®

Step-by-StepinstructionsforbeginnersComprehensivedescriptionsandcodeexamplesAguidetocreateyourfirstABAPapplicationTutorialsthatprovideanswerstothemostcommonlyaskedprogrammingquestions

SydnieMcConnell,MartinMunzel:FirstStepsinSAP®,2ndedition

LearnhowtonavigateinSAPERPLearnSAPbasicsincludingtransactions,organizationalunits,andmasterdataWatchinstructionalvideoswithsimple,step-by-stepexamplesGetanoverviewofSAPproductsandnewdevelopmenttrends

AntjeKunz:SAP®LegacySystemMigrationWorkbench(LSMW)

DataMigration(NoProgrammingRequired)SAPLSMWExplainedinDepthDetailedPracticalExamplesTipsandTricksforaSuccessfulDataMigration

DarrenHague:UniversalWorklistwithSAP®NetWeaverPortal

LearntoEasilyExecuteBusinessTasksUsingUniversalWorklistExploreExpertInsightstoHelpYouConfigureUWLFunctionalityFindIn-DepthAdviceonhowtoMakeSAPWork-flowsandAlertsAvailable

LearnhowtoInclude3rdPartyWorkflowsinSAPNetWeaverPortal

MichałKrawczyk:SAP®SOAIntegration—EnterpriseServiceMonitoring

ToolsforMonitoringSOAScenariosForwardErrorHandling(FEH)andErrorConflictHandler(ECH)ConfigurationTipsSAPApplicationInterfaceFramework(AIF)CustomizationBestPracticesDetailedMessageMonitoringandReprocessingExamples

AnnCacciottolli:FirstStepsinSAP®FinancialAccounting(FI)

OverviewofkeySAPFinancialsfunctionalityandSAPERPintegrationStep-by-stepguidetoenteringtransactionsSAPFinancialsreportingcapabilitiesHands-oninstructionbasedonexamplesandscreenshots

KathiKones:SAPListViewer(ALV)–APracticalGuideforABAPDevelopers

LearnhowtowriteabasicSAPALVprogramWalkthroughtheobject-orientedcontrolframeworkandfunctionmodulesGettipsonaddingsortingandgroupingfeaturesDiveintohowtoaddeditablefields,events,andlayoutvariants

JelenaPerfiljeva:WhatonEarthisanSAPIDoc?

FundamentalsofinboundandoutboundIDocinterfacesandconfigurationLearnhowtoimplementinterfaceswithALEandEDITroubleshootcommonpost-implementationchallengesQuickreferenceguidetocommonIDoctransactioncodesandreports