day5 r3 basis security
Day 5: SAP R/3 Application Authorization Concept
ERP System Maintenance, Enterprise Technology - SAP
Course Content
Unit 1 Introduction
Unit 2 Conception with ASAP Methodology
Unit 3 Elements of the R/3 Authorization Concept
Unit 4 The User Master
Unit 5 Working with the Profile Generator
Unit 6 Access Control and User Administration
Introduction
Contents:
Security Requirements
SAP Security Levels
SAP Access Control
Users, Roles and Authorizations
Technical Implementation of Roles

Introduction: Unit Objectives
At the conclusion of this unit, you will be able to:
Describe the SAP authorization concept as part of a comprehensive security concept
Explain the access control mechanisms
Explain how users, roles and authorizations are related
Describe the technical implementation of a role-based authorization concept
Security - Overview
Assets: Hardware, Software, Data, Persons
Threats:
Technology: Disk Crash, Power Supply Interruption
Environment: Floods, Earthquakes
Persons: Incorrect Operation, Hackers
Measures:
Technology: Hardware Router, DB Backup, Password Rules, Authorizations, ...
Organization: Procedures, Training
Environment: Fire Alarms, Water Detection
SAP Security Levels
Layer / Components / Security Considerations
Presentation / GUI, Browser, PC / Access control, virus scanners, encryption
Communication / SAProuter, Network, SNC / Access control, packet filtering, encryption
Application / Application modules, work processes, interfaces / SAP users, password rules, authorizations
Database / Relational database / Access to SAP tables, backup, consistency
Operating System / UNIX, Windows NT, OS/400, OS/390 / Access to SAP files, OS services
ITS Web Connection / Encryption, certificates, Single Sign-On
SAP Access Control
System Access Control
Users must identify themselves in the system
Configuration of system access control (e.g. password rules)
Access Control (functions and data)
Access rights for functions and data must be granted explicitly using authorizations
Authorization checks for transaction/report calls and program execution
Users, Roles, and Authorizations
Employees have roles with specific functions and need authorizations for these functions.
Procurement example (diagram):
Users: Karen, Susan, John
Roles: Employee Service Representative, Employee Service Representative Manager, Employee Purchaser (role Professional Purchaser)
Functions: Create Purchase Requisition (ME51), Release Purchase Requisition (ME54), Order Purchase Requisition (ME58)
Authorizations: to create purchase requisitions, to release purchase requisitions, to create purchase orders
Technical Implementation of Roles
Role Menu: accessible transactions, reports, web links; structure of the menus/access paths
Authorizations: selective access to business functions and data
User: assigned to the role and thereby receives its menu and authorizations
SAP Easy Access - User-Specific Menus
Menu Edit Favorites Extras System Help
Other menu Create menu Assign users
Role BC_USER_ADMIN
Favorites
SM51 List of SAP Systems
User Administration
SU01 - User Maintenance
PFCG - Role Maintenance
SU01D - Display User
SU05 - Internet User Maintenance
SU10 - User Mass Maintenance
SUGR - Maintain User Groups
Introduction: Unit Summary
You are now able to:
Describe the SAP authorization concept as part of a comprehensive security concept
Explain the access control mechanisms
Explain how users, roles and authorizations are related
Describe the technical implementation of a role-based authorization concept
Conception with ASAP Methodology
Contents:
ASAP methodology for creating an authorization concept
Project preparation
Analysis and design of the authorization concept
Implementation of the authorization concept
Testing and quality assurance
Cutover

Conception with ASAP Methodology: Unit Objectives
At the conclusion of this unit, you will be able to:
List the steps necessary to implement an authorization concept
Describe the activities to be performed in each step
Assign responsible persons to each activity
Use the ASAP procedure model for implementing an authorization concept for your own projects
Conception with ASAP Methodology: Business Scenario
Before going live, your company wants to implement an authorization concept.
The steps required to realize the authorization concept must be planned in the context of the entire implementation process.
During the planning phase you want to estimate the time and personnel resources needed.
Role and Authorization Concept: Steps
Preparation -> Analysis & Conception -> Implementation -> Quality Assurance & Tests -> Cutover
A Role and Authorization Concept is Implemented in 5 Steps
Each Step Comprises Different Activities
Each Activity is Associated with a Responsible Person
User Administration and Authorization Management Organization is Parallel to User and Authorization Concept Implementation (Determine User and Authorization Administration Strategy)

Step 1: Preparation
Measures:
Set Up a Team for User Roles and Authorizations
Clarify Prerequisites for Authorization Assignment
Train the Team for User Roles and Authorizations
Trigger Role and Authorization Project

Team for User Roles and Authorizations
The application areas PP, HR, SD/MM and FI/CO are each represented by Key Users (KU); the BASIS area by Basis Users (BC)
KU = Key User, BC = Basis User (technical authorization management)
SAP AG 1999
Step 2: Analysis & Conception
Measures:
Determine User Roles
Complete Roles
Determine Framework for Implementing the Roles
Check Framework for Implementing the Roles
Authorization List - Role Design (Analysis: Determine User Roles)
Columns: Business Processes / Transaction / Enterprise area / Role name / Scope
Transaction codes below are paired with the activities in the order they appear in the slide's transaction column.
Financial Accounting
General Ledger Processing
Closing Operations
Profit and Loss Adjustment
General ledger: Profit and Loss Adjustment - F.50
General ledger: Update Balance Sheet Adj. - F.5D
General ledger: Post Balance Sheet Readj. - F.5E
General ledger: Balance Sheet Readj., Log - F.5F
General ledger: B/S Readj., Spec. Functions - F.5G
Accounts Payable Accounting
Invoices and Credit Memos
Parked Document Posting [Vendors]
Post Parked Document - FBV0
Change Parked Document - FBV2
Display Parked Document - FBV3
Change Parked Doc. (Header) - FBV4
Document Changes: Parked Documents - FBV5
Reject Parked Document - FBV6
Vendor Account Analysis
Balance Analysis
Customer Account Analysis - FD11
Vendor Account Balance - FK10
Display Vendor Balances - FK10N
Vendor Line Items - FBL1N
Correspondence with Vendors
Correspondence: Print Requests - F.61
Correspondence: Print Internal Docs. - F.62
Correspondence: Delete Requests - F.63
Correspondence: Maintain Requests - F.64
Instruction...

Conception: Complete User Roles (1)
The same authorization list, now with enterprise area FI and the role columns FI_Manag, AP_Manag and AP_Acc; each activity is marked (x) in the scope column of every role that needs it (the individual marks are not recoverable from the slide).
Technical Conception: Role Implementation (1)
Levels of the diagram, bottom up:
Activities (transactions, reports): e.g. Vendor Line Items, Display Vendor Balances, Maintain Account Balances, Post Documents, Change Documents, ...
Activity Block (group of related activities) = Role: e.g. Balance Analysis, G/L Document Maintenance
User Role = Composite Role: e.g. Accounts Payable Accounting Manager, Accounts Payable Accountant
User = User Master Record

Technical Conception: Role Implementation (2)
The composite roles Accounts Payable Accountant, Accounts Payable Accounting Manager and Financial Accounting Manager are built from the shared single roles Balance Analysis, Correspondence, Maintain Documents and Closing Operations; the diagram shows the same single role (e.g. Maintain Documents) reused in several composite roles.
Step 3: Implementation
Measures:
Create Roles
Create Derived Roles
Create Composite Roles

Step 4: Quality Assurance & Tests
Measures:
Test User Roles and Authorization Concept
Release Roles and Authorization Concept

Step 5: Cutover
Measures:
Set Up Productive Environment
Create User Master Records for Productive Users
Accept Role and Authorization Project
User and Authorization Administration Strategy
Runs in parallel to the five steps: Determine User and Authorization Administration Strategy
Measures:
Specify Technical User and Authorization Administration Strategy
Specify User and Authorization Administration Procedure
Train Users and Authorization Administrators

User and Authorization Administration Strategy (diagram)
Development System: System Administrator; Authorization Data Administrator (Create Role, Maintain Role); Authorization Profile Administrator (Activate Profile)
User Administration System: User Administrator (Maintain Users, Assign Role)
Conception with ASAP Methodology: Unit Summary
You are now able to:
List the steps necessary to implement an authorization concept
Describe the activities to be performed in each step
Assign responsible persons to each activity
Use the ASAP procedure model for implementing an authorization concept for your own projects
Elements of the SAP R/3 Authorization Concept

Elements of the SAP R/3 Authorization Concept: Business Scenario
The SAP R/3 authorization concept prevents unauthorized access to the system and to data and objects within the system. Users that are to perform specific functions in the SAP R/3 System need a user master record with the relevant authorizations.

Overview of the elements of the SAP R/3 authorization concept
Authorization field -> Authorization object -> Authorization object class
Authorization (an authorization object with concrete field values) -> Authorization Profile / Role -> User
Authorization Fields, Objects, Object Classes
Authorization Fields: BUKRS, ACTVT, WERKS, BEGRU
Authorization Objects: M_RECH_BUK, F_BKPF_BUK, F_KNA1_BUK, C_KAPA_PLA, C_ARPL_WRK, M_MSEG_WWA, V_KNA1_BRG, C_DRAW_BGR
Authorization Object Classes: MM_R, FI, PP, MM_B, SD, CV
Authorization
Authorization A: BUKRS 1000, 2000; ACTVT 01, 02, 03 (Create, Change, Display) -> company codes 1000 and 2000 may be created, changed and displayed
Authorization B: BUKRS 1000, 2000, 3000; ACTVT 03 (Display) -> company codes 1000, 2000 and 3000 may only be displayed
Authorizations and Authorization Profiles
Authorization objects and their fields: S_TCODE (TCD), F_BKPF_BUK (ACTVT, BUKRS), F_BKPF_GSP (ACTVT, GSBER), F_BKPF_KOA (ACTVT, KOART), ...
An authorization profile bundles one authorization per object for a work center (Work Center 1, 2, 3); values as far as readable from the slide:
Work Center 1: S_TCODE TCD F-22, F-27, FB02, FB03; F_BKPF_BUK ACTVT 01, 02, 03 BUKRS 1000; F_BKPF_GSP ACTVT 01, 02, 03 GSBER 1000, 2000; F_BKPF_KOA ACTVT 01, 02, 03 KOART A, D, S
Work Center 2: S_TCODE TCD F-43, F-41, FB02, FB03; F_BKPF_BUK ACTVT 01, 02, 03 BUKRS 2000; F_BKPF_KOA ACTVT 01, 02, 03 KOART K
Authorization Profile (example values): F-22, F-27, FB02, FB03; 01, 02, 03 / 1000; 01, 02, 03 / 2000; 01, 02, 03 / D; 03 / 1000
Authorization Check in the Program
Change Accounting Document: Transaction FB02, Program SAPMF05L
    ....
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
        ID 'ACTVT' FIELD '02'
        ID 'BUKRS' FIELD BUK.
    IF SY-SUBRC NE 0.
      MESSAGE E083 WITH BUK.
    ENDIF.
    ....
User authorizations: Object F_BKPF_BUK, Authorization BUK with field values ACTVT 02, 03 and BUKRS 1000
Check: ACTVT 02 and BUKRS 1000 (the value of BUK) against Authorization BUK 1000 -> Result: both fields match, SY-SUBRC = 0, the document in company code 1000 may be changed
Security Checks during Transaction Start
Change Accounting Document (FB02), checked by the system before the program runs:
1. Authorization for the transaction (authorization object S_TCODE)? No -> STOP
2. Authorization for the authorization object assigned to the transaction in table TSTCA? No -> STOP
3. Yes -> Initial Screen; the ABAP program's own authorization checks -> Next Screen
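The two checks described above (the program-side AUTHORITY-CHECK and the S_TCODE / TSTCA checks at transaction start), together with the Authorization A / Authorization B slide, can be reproduced in a small model. The Python code below is an added example, not SAP code and not part of the course: authorization objects, authorizations, profiles and the user buffer are simplified Python structures. The object and field names (F_BKPF_BUK, F_BKPF_KOA, S_TCODE, ACTVT, BUKRS, KOART, TCD), the company codes 1000/2000/3000 and transaction FB02 are taken from the slides; the TSTCA entry and the S_TCODE / F_BKPF_KOA authorizations are constructed for illustration and do not reflect real table content; the return codes follow the documented AUTHORITY-CHECK convention (0 = passed, 4 = no matching authorization, 12 = no authorization for the object in the user buffer).

```python
"""Model of the SAP authorization check: authorization objects, authorizations,
profiles, the user buffer and the checks at transaction start.
Added example, not SAP code; names from the slides, sample values constructed."""

from dataclasses import dataclass


@dataclass
class Authorization:
    """An instance of an authorization object with concrete field values.
    Allowed values: single value '1000', full wildcard '*', prefix 'F-*',
    or a from/to range given as a tuple ('1000', '2000')."""
    name: str
    obj: str
    fields: dict


def value_allowed(allowed, value):
    """True if one entry of the field's value list covers the requested value."""
    for entry in allowed:
        if isinstance(entry, tuple):
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == "*":
            return True
        elif entry.endswith("*"):
            if value.startswith(entry[:-1]):
                return True
        elif entry == value:
            return True
    return False


def build_user_buffer(profiles):
    """At logon the authorizations of all profiles in the user master record
    are loaded into the user buffer, keyed by authorization object."""
    buffer = {}
    for profile in profiles:
        for auth in profile:
            buffer.setdefault(auth.obj, []).append(auth)
    return buffer


def authority_check(user_buffer, obj, **wanted):
    """sy-subrc-like result: 0 = passed, 4 = authorizations for the object exist
    but none matches, 12 = no authorization for the object in the buffer.
    Fields are ANDed inside one authorization; authorizations are ORed."""
    auths = user_buffer.get(obj)
    if not auths:
        return 12
    for auth in auths:
        if all(value_allowed(auth.fields.get(fld, []), val)
               for fld, val in wanted.items()):
            return 0
    return 4


# Constructed TSTCA-style table: transaction -> extra object checked at start.
# Real TSTCA content is different; this entry only illustrates the mechanism.
TSTCA = {"FB02": ("F_BKPF_KOA", {"ACTVT": "02", "KOART": "K"})}


def start_transaction(user_buffer, tcode):
    """Checks in the order of the 'Security Checks during Transaction Start'
    slide: S_TCODE first, then the TSTCA object if one is maintained."""
    if authority_check(user_buffer, "S_TCODE", TCD=tcode) != 0:
        return False, "STOP: no S_TCODE authorization for " + tcode
    entry = TSTCA.get(tcode)
    if entry is not None:
        obj, fields = entry
        if authority_check(user_buffer, obj, **fields) != 0:
            return False, "STOP: TSTCA check on " + obj + " failed"
    return True, "initial screen of " + tcode


def change_document(user_buffer, buk):
    """Program-side check as in the SAPMF05L excerpt: ACTVT 02 on BUKRS = buk."""
    return authority_check(user_buffer, "F_BKPF_BUK", ACTVT="02", BUKRS=buk)


# Sample user: Authorization A (create/change/display in 1000 and 2000) and
# Authorization B (display only in 1000, 2000 and 3000) from the slide, plus
# constructed S_TCODE and F_BKPF_KOA authorizations, spread over two profiles.
AUTH_A = Authorization("A", "F_BKPF_BUK",
                       {"BUKRS": ["1000", "2000"], "ACTVT": ["01", "02", "03"]})
AUTH_B = Authorization("B", "F_BKPF_BUK",
                       {"BUKRS": ["1000", "2000", "3000"], "ACTVT": ["03"]})
AUTH_TCD = Authorization("T", "S_TCODE", {"TCD": ["FB02", "FB03", "F-*"]})
AUTH_KOA = Authorization("K", "F_BKPF_KOA",
                         {"ACTVT": ["01", "02", "03"], "KOART": ["D", "K"]})
SAMPLE_BUFFER = build_user_buffer([[AUTH_TCD, AUTH_KOA], [AUTH_A, AUTH_B]])

if __name__ == "__main__":
    print(start_transaction(SAMPLE_BUFFER, "FB02"))
    for buk in ("1000", "3000"):
        print("FB02 change in", buk, "-> sy-subrc", change_document(SAMPLE_BUFFER, buk))
```

The model makes the one point explicit that the slides only imply: a check passes only if a single authorization satisfies every requested field at the same time. Authorization B lists company code 3000, but because B carries only ACTVT 03, changing a document in 3000 still returns 4; B and A are not merged field by field. The buffer is filled from the user's profiles at logon, which is why the user master and the buffer are looked at separately when an authorization problem is analyzed.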
Roles and Authorization Profiles
Create Roles Using the Profile Generator (PFCG):
Choose Activities (Transactions, Reports, Web links) -> User Menu
Maintain Authorization Data (Define Authorization Objects) -> Generation -> Authorization Profile (Authorization for Authorization Object xxx, ...)
Roles and the Easy Access Menu
Menu Edit Favorites Extras System Help
Other menu Create menu Assign users
Role SAP_BC_USER_ADMIN_AG
Favorites
SU01 User Maintenance
User Administration
SU01 - User Maintenance
PFCG - Role Maintenance
SU01D - Display User
SU05 - Internet User Maintenance
SU10 - User Mass Maintenance
SUGR - Maintain User Groups
Elements of the SAP R/3 Authorization Concept: Unit Summary
You are now able to:
Describe the elements of the authorization concept
Describe the process flow of an authorization check in the program
Describe the authorization checks during transaction start
Describe the differences between roles and authorization profiles
Explain the relationship between roles and the Easy Access menu
The User Master Record
Contents:
Identifying users by means of the user master record
SAP R/3 user types
Components of the user master record
User buffer
Change documentation

The User Master Record: Unit Objectives
At the conclusion of this unit, you will be able to:
List the different SAP R/3 user types
Distinguish between the components of the user master record
Create and change user master records
Evaluate change documents
Display and archive change documents
Analyze the user buffer
Understand the function of the user buffer and evaluate the buffered user authorizations
The User Master Record: Business Scenario
To access the SAP R/3 System and work with the data in the system, a user master record with appropriate authorizations is required. Other elements of the user master record make it easier to work with the SAP R/3 System.
User Master Record Components (Display User screen, tabs: Address, Logon Data, Defaults, Parameters, Roles, Profiles, Groups)
Address: personal data, communication data, company address
Logon Data: user group, user type, validity period
Defaults: start menu, logon language, standard printer
Parameters: default parameter IDs
Roles: assignment of roles
Profiles: assignment of profiles
Groups: assignment of user groups
Status line: Saved; User; Last changed by
User Buffer
Logon to the SAP R/3 System: User Wolf Meier -> Role MY_FI_AR_DISPLAY_MASTER_DATA -> Authorization Profile T-T0030107
User buffer after logon (Object / Authorization):
F_BKPF_KOA T-T003010700
F_KNA1_AEN T-T003010700
F_KNA1_APP T-T003010700
F_KNA1_APP T-T003010701
F_KNA1_BED T-T003010700
F_KNA1_BUK T-T003010700
F_KNA1_GEN T-T003010700
F_KNA1_GEN T-T003010701
...
The User Master Record: Unit Summary
You are now able to:
List the different SAP R/3 user types
Distinguish between the components of the user master record
Create and change user master records
Evaluate change documents
Display and archive change documents
Analyze the user buffer
Understand the function of the user buffer and evaluate the buffered user authorizations
Working with the Profile Generator
Contents:
This unit describes how to design SAP Easy Access user menus for the various work centers (or roles) in your company and how to automatically generate authorization profiles for those menus.
The first part of this unit deals with simpler basic maintenance. The focus is placed on the creation of menus and the associated authorizations, profiles, and user assignments.
The second part deals with more advanced topics: the focus here is placed on derived and composite roles.

Working with the Profile Generator: Unit Objectives
At the conclusion of this unit, you will be able to:
Perform the steps involved in assigning authorizations with the Profile Generator
Copy, change, and create roles and determine their activities
Display and maintain authorizations that were generated automatically

Working with the Profile Generator: Business Scenario
When you create authorizations and authorization profiles for groups of users, you should use the Profile Generator. Based on selected menu functions, the Profile Generator automatically generates authorization data and offers it for postprocessing.
The Profile Generator: Steps
Work centre description (Activity 1, Activity 2, ...) -> Role -> Profile Generator
Role maintenance tabs and the steps performed on each:
Description: Define Role Names
Menu: Define Activities; Design User Menus
Authorizations: Maintain Authorization Data; Generate Authorization Profile
User: Assign Users; Adjust User Master Records
Profile Generator: Views
Role SAP_FI_AR_MASTER_DATA, Description Accounts Payable Clerk (Display, Change, Create, Create Composite Role, Information)
Simple Maintenance (Workplace Menu Maintenance): Menu, Agents
Basic Maintenance (Menus, Profiles, Other Objects): Menu, Authorizations, Agents
Overview (Organisational Management and Workflow): Menu, Authorizations, Tasks, Agents, Organisational Management
Profile Generator: Steps
Define Role Name
Determine Activities
Design User Menus
Maintain Authorization Data
Generate Authorization Profile
Assign Users
Adjust User Master Records

Define Role Name and Description
Role MY_ROLE, Description FI: Accounts Payable Accountant (Display, Change, Create, Create Composite Role, Information)
Role maintenance screen: tabs Description, Menu, Authorizations, User, Pers...; Information, Other Role
Determine Activities
Which activities (Transaction TA1, Transaction TA2, Transaction TA3, Report xyz, Web Link) belong to Role 1 and which to Role 2? (Menu tab)
Design Menus
Define Functions (Transaction TA1, Transaction TA2, Transaction TA3, Report xxx, Report zab, Report xyz, Web Links) -> Customize Menu Structure (folders such as Correspondence, Closing, Reporting, Withholding Tax, Information System, Other, Addresses)
Menu sources: From the SAP Menu, From Other Role, From Area Menu, Import From File; functions: Translate Node, Display Documentation, Find in Docu.; drag&drop
Role MY_ROLE, Description FI: Accounts Payable Accountant - (Template Copy); tabs Description, Menu, Authorizations, Users, Pers...
Role Menu (example):
URL - www.mysap.com
URL - Route Planner
SM04 - User List
SE16 - Data Browser
Account Master Data
FK01 - Create Vendor
FK02 - Change Vendor
FK03 - Display Vendor
FK04 - Display Changes
FK05 - Lock Vendor
FK06 - Set Deletion Flag
Further screen elements: Confirmation of Change, Compare; Transaction, Report, Other, All; Distribute (target system T70CLNT400)
Profile Generator: Create Authorization Profiles
Maintain Authorization Data and Generate Profiles
Role MY_ROLE, Description FI: Accounts Payable Accountant - created from SAP template; tabs Description, Menu, Authorizations, User
Information on the authorization profile:
Created: User MEYERS, Date 16.01.2000, Time 13:22:12
Last Changed: User BENZ, Date 18.01.2000, Time 17:50:59
Profile name T-K6840005, Profile text Profile for Role MY_ROLE, Status Current Version Not Generated
Change Authorization Data / Expert Mode for Profile Generation
Authorization tree MY_ROLE FI: Accounts Payable Accountant (Maint.: 0 Unmaint. Org levels, 7 Open Fields, Status: Saved):
Maintained Old Cross-Application Authorization Objects
Maintained Old Asset Management
Maintained New Basis - Administration
Standard New Authorization for File Access (fields Activity, Physical File Name, ABAP Program Name)
Standard New Authorization for File Access
Maintained Old SAPscript: Standard text
Standard Old Basis - Development Environment
Maintained New Basis - Central Functions
Standard Old Materials Management - Procurement
Generate Authorization Profile
Authorization tree MY_ROLE FI: Accounts Payable Accountant (Maint.: 0 Unmaint. Org Levels, 7 Open Fields, Status: Saved), same entries as above -> Generate
Assign Profile Name for Generated Authorization Profile:
Profile name MY_ROLE_PF (you can change the default profile name here; you will not be able to change this profile name later)
Text Profile for role MY_ROLE
Assigning Users to Roles
Users are assigned to Role 1, Role 2, Role 3, Role 4 (diagram)
Comparing the User Master
Role MY_ROLE, Description FI: Accounts Payable Accountant; tabs Description, Menu, Authorizations, User, Pers...
User tab: Selection, User Compare; Other Role Information
Information for user master comparison:
Last Comparison: User, Date, Time
Complete Adjustment: User, Date, Time
Status: User authorization changed since last save
Buttons: Complete Compare, Expert Mode for Compare, Information
Compare: Role <-> User Master Record
Derived Roles
A (reference) role and the roles derived from it carry the same authorizations; only the organisational structure (org levels) differs per derived role (Derived Role 1, 2, 3). Value sets shown on the slide: Plant 1 / Company Code 0020 / Business Area 110; Plant 1 / Company Code 0020 / Business Area *; Plant 2 / Company Code 0001 / Business Area 100; ...

Menus of Derived Roles
Reference Role -> Derived Role 1, Derived Role 2, Derived Role 3
Changes to the menu are only possible in the reference role
Composite Roles
Composite Role A and Composite Role B each group several single roles (Role 1 ... Role 7); a single role can be contained in more than one composite role.

Menus of Composite Roles
Composite Role menu = Menu Role 1 + Menu Role 2 (taken from Role 1 and Role 2)
Changes to the entire menu are possible!
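The difference between derived and composite roles described above (same authorizations but own org levels, menu changeable only in the reference role; versus a union of single roles whose menu can be edited) can be modelled in a few lines. The Python code below is an added example, not SAP code and not part of the course: the Role class, the org-level set and all sample role names, menus and values are constructed; WERKS, BUKRS and GSBER are the SAP authorization fields for plant, company code and business area, and FBV0/FBV2/FBV3/FBL1N/F.50/F.5D are transaction codes from the authorization list earlier in the course.

```python
"""Model of derived and composite roles. Added example, not SAP code: the Role
class, ORG_LEVELS and every sample role, menu and value are constructed."""

from copy import deepcopy

# Organisational levels: the only authorization values a derived role may differ in.
ORG_LEVELS = {"WERKS", "BUKRS", "GSBER"}


class Role:
    def __init__(self, name, menu, authorizations, reference=None):
        self.name = name
        self.menu = list(menu)                  # transactions, reports, web links
        self.authorizations = authorizations    # object -> {field: [values]}
        self.reference = reference              # set only for derived roles
        self.derived = []                       # roles derived from this one

    def set_menu(self, menu):
        """Changes to the menu are only possible in the reference role; the
        new menu is passed on to every derived role."""
        if self.reference is not None:
            raise PermissionError(
                f"{self.name} is derived from {self.reference.name}; change the menu there")
        self.menu = list(menu)
        for child in self.derived:
            child.menu = list(menu)


def derive_role(reference, name, org_values):
    """Derived role: same menu and authorization data as the reference role,
    only the organisational levels are replaced with the given values."""
    unknown = set(org_values) - ORG_LEVELS
    if unknown:
        raise ValueError(f"not organisational levels: {sorted(unknown)}")
    auths = deepcopy(reference.authorizations)
    for obj_fields in auths.values():
        for fld in obj_fields:
            if fld in org_values:
                obj_fields[fld] = list(org_values[fld])
    derived = Role(name, reference.menu, auths, reference=reference)
    reference.derived.append(derived)
    return derived


def composite_menu(roles):
    """Menu of a composite role: the menus of its single roles, duplicates
    removed, first occurrence wins. Unlike a derived role's menu, this one
    may be edited freely afterwards."""
    seen, menu = set(), []
    for role in roles:
        for item in role.menu:
            if item not in seen:
                seen.add(item)
                menu.append(item)
    return menu


def composite_objects(roles):
    """Authorization objects a user receives through all roles of a composite role."""
    objects = set()
    for role in roles:
        objects.update(role.authorizations)
    return sorted(objects)


# Constructed reference role for an accounts payable accountant
REFERENCE = Role(
    "Z_AP_ACCOUNTANT_REF",
    ["FBV0", "FBV2", "FBV3", "FBL1N"],
    {"S_TCODE": {"TCD": ["FBV0", "FBV2", "FBV3", "FBL1N"]},
     "F_BKPF_BUK": {"ACTVT": ["01", "02", "03"], "BUKRS": ["*"]},
     "F_BKPF_GSP": {"ACTVT": ["01", "02", "03"], "GSBER": ["*"]}})
DERIVED_0020 = derive_role(REFERENCE, "Z_AP_ACCOUNTANT_0020",
                           {"BUKRS": ["0020"], "GSBER": ["110"]})
DERIVED_0001 = derive_role(REFERENCE, "Z_AP_ACCOUNTANT_0001",
                           {"BUKRS": ["0001"], "GSBER": ["100"]})
# Constructed single role used together with a derived role in a composite role
CLOSING = Role("Z_GL_CLOSING", ["F.50", "F.5D", "FBV3"],
               {"S_TCODE": {"TCD": ["F.50", "F.5D", "FBV3"]},
                "F_BKPF_BUK": {"ACTVT": ["01", "02", "03"], "BUKRS": ["0020"]}})

if __name__ == "__main__":
    print(DERIVED_0020.authorizations["F_BKPF_BUK"])
    print(composite_menu([DERIVED_0020, CLOSING]))
```

The ValueError in derive_role is the check a reviewer wants: a "derived" role that differs from its reference in anything other than org levels is no longer a derived role, and the single point of maintenance the concept promises is lost.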
Working with the Profile Generator: Unit Summary
You are now able to:
Perform the steps involved in assigning authorizations with the Profile Generator
Copy, change, and create roles and determine their activities
Display and maintain authorizations that were generated automatically
Access Control and User Administration
Contents:
Special Users
Administration Tasks in User and Authorization Administration
SAP Authorization Objects for Protection from Access to Administration Functions
Scenarios for Distributing Administration Tasks in the System Infrastructure

Access Control and User Administration: Unit Objectives
At the conclusion of this unit, you will be able to:
Protect special users in SAP R/3
Describe tasks in user and authorization administration
List options for separating functions of user and authorization administration
Describe options for decentralization of user administration
Create user and authorization administrators with limited rights

Access Control and User Administration: Business Scenario
In order to protect your SAP R/3 System against unauthorized access, you must define password rules, set the relevant profile parameters and protect special users.
You must also define areas of responsibility for user and authorization administration.
The organizational areas of responsibility must be clearly defined technically using authorizations.
Special Users
Initial Logon Procedure in SAP Clients
Client / User / Initial password
000 / SAP* / 06071992
001 / DDIC / 19920706
066 / EarlyWatch / support
Client (new) / SAP* / pass
! Since these users are generally known, they must be protected against unauthorized access.
User and Authorization Administration: Activities
Create, maintain, lock and unlock users, and change passwords
Create and Maintain Roles
Maintain Transaction Selections and Authorization Data in Roles
Generate Authorization Profiles
Assign Roles and Profiles
Transport Roles
Monitor Using the Information System
Archive Change Documents

Security Requirements
Separation of functions: an administrator may not administer users and maintain authorizations and generate authorization profiles.
Principle of dual control: user administration | authorization maintenance and generation
Principle of triple control: user administration | authorization maintenance | authorization generation
Separation of Functions
The functions of the superuser are split among three administrators:
User Administrator: Maintain user master records; Assign roles to users; Assign profiles to users (only T-...); Display authorizations and profiles; Call "Information System Authorizations"
Authorization Data Administrator: Maintain roles; Change transaction selection; Change authorization data; Call "Information System Authorizations"
Authorization Profile Administrator: Maintain roles; Create authorizations (only T-...); Create profiles (only T-...); Execute Transaction SUPC; Call "Information System Authorizations"
Decentral User Administration
By application area: one User Admin. each for PP, MM, SD, CO and FI
By location: one User Administrator each for Location 1, Location 2, Location 3 and Location 4
Scenario 1
Central user administration
One user administrator for all users
Unlimited authorizations for all user administration tasks of the user administrator
Central maintenance of roles and profiles
One administrator takes on both roles: authorization data administrator and authorization profile administrator
All authorizations for maintaining the roles and profiles
Principle of dual control

Scenario 2
Decentral user administration (production system)
One user administrator per application area (FI, MM)
Authorized to maintain a certain user group
Authorized to assign a certain number of roles and profiles
No other restrictions in the specific user administration tasks
Central maintenance of roles and profiles
Separation of responsibilities: one authorization data administrator, one authorization profile administrator
No other restrictions in the specific roles or profiles for both administrators
Principle of triple control

Scenario 3
Central creation and deletion for all users (prod.)
Decentral user administration (production system)
One user administrator per application area (FI, MM)
Authorized to maintain a certain user group
Authorized to assign a certain number of roles and profiles
Authorized for only certain user administration tasks (change, lock/unlock, reset password)
Central maintenance of roles and profiles
Separation of responsibilities: one authorization data administrator, one authorization profile administrator
No other restrictions in the specific roles or profiles for both administrators
Principle of triple control
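The dual and triple control principles and the decentral scenarios above can be checked mechanically against the task sets granted to administrator accounts. The Python code below is an added example, not SAP code and not part of the course: the three function areas and their tasks follow the Separation of Functions slide, the scope of a decentral administrator follows scenarios 2 and 3, and the administrator accounts, their task sets and the FI scope are constructed. In a real system the task sets would be derived from the administrators' S_USER_* authorizations; this model takes them as given.

```python
"""Separation-of-functions check for user and authorization administration.
Added example, not SAP code: function areas from the slide, accounts constructed."""

USER_ADMINISTRATION = {
    "maintain_user_master", "create_delete_users", "lock_unlock_users",
    "reset_password", "assign_roles_to_users", "assign_profiles_to_users",
}
AUTHORIZATION_MAINTENANCE = {
    "maintain_roles", "change_transaction_selection", "change_authorization_data",
}
AUTHORIZATION_GENERATION = {
    "create_authorizations", "create_profiles", "generate_profiles",  # SUPC
}
AREAS = {
    "user_administration": USER_ADMINISTRATION,
    "authorization_maintenance": AUTHORIZATION_MAINTENANCE,
    "authorization_generation": AUTHORIZATION_GENERATION,
}
# Tasks every administrator may hold without reaching into another area
NEUTRAL = {"display_authorizations_and_profiles", "information_system_authorizations"}


def areas_of(tasks):
    """Function areas an administrator's task set reaches into."""
    unknown = tasks - NEUTRAL - set().union(*AREAS.values())
    if unknown:
        raise ValueError(f"unknown tasks: {sorted(unknown)}")
    return {area for area, area_tasks in AREAS.items() if tasks & area_tasks}


def conflicts(admins, principle):
    """Administrators violating the chosen principle.
    dual:   user administration must be separate from authorization
            maintenance and generation (those two may be combined)
    triple: all three areas must be held by different administrators
    Returns {admin: sorted list of areas held}."""
    violators = {}
    for name, tasks in admins.items():
        held = areas_of(tasks)
        if principle == "triple":
            bad = len(held) > 1
        elif principle == "dual":
            bad = "user_administration" in held and len(held) > 1
        else:
            raise ValueError(f"unknown principle: {principle}")
        if bad:
            violators[name] = sorted(held)
    return violators


def decentral_request_ok(scope, user_group, role, task):
    """Decentral user administrator (scenarios 2 and 3): may act only on a
    certain user group, assign only certain roles and perform only the
    tasks left to the decentral side (creation/deletion stays central)."""
    return (user_group in scope["user_groups"]
            and any(role.startswith(p) for p in scope["role_prefixes"])
            and task in scope["tasks"])


# Constructed administrator accounts and their task sets
ADMINS = {
    "SUPERADMIN": USER_ADMINISTRATION | AUTHORIZATION_MAINTENANCE | AUTHORIZATION_GENERATION,
    "USRADM_FI": USER_ADMINISTRATION | NEUTRAL,
    "AUTHDATA": AUTHORIZATION_MAINTENANCE | NEUTRAL,
    "AUTHGEN": AUTHORIZATION_GENERATION | NEUTRAL,
    "ROLEADMIN": AUTHORIZATION_MAINTENANCE | AUTHORIZATION_GENERATION,
}
# Constructed scenario-3 scope for USRADM_FI
FI_SCOPE = {
    "user_groups": {"FI"},
    "role_prefixes": ("Z_FI_", "Z_AP_"),
    "tasks": {"maintain_user_master", "lock_unlock_users", "reset_password",
              "assign_roles_to_users"},
}

if __name__ == "__main__":
    for principle in ("dual", "triple"):
        print(principle, conflicts(ADMINS, principle))
```

ROLEADMIN is the account that separates the two principles: combining authorization maintenance and generation is what scenario 1 allows (dual control) and what scenarios 2 and 3 forbid (triple control). The scope check reproduces the restriction to a user group, a set of assignable roles and, for scenario 3, the subset of tasks that stay decentral.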
Access Control and User Administration: Unit Summary
You are now able to:
Change password rules with system profile parameters
Protect special users in the R/3 System
Describe tasks in user and authorization administration
List options for separating functions of user and authorization administration
Describe options for decentralization of user administration
Create user and authorization administrators with limited rights