Day 5: SAP R/3 Application Authorization Concept

Upload: vijay-baalu

Post on 18-Dec-2015


  • Day 5: SAP R/3 Application Authorization Concept

  • Course Content
      - Unit 1: Introduction
      - Unit 2: Conception with ASAP Methodology
      - Unit 3: Elements of the R/3 Authorization Concept
      - Unit 4: The User Master
      - Unit 5: Working with the Profile Generator
      - Unit 6: Access Control and User Administration

  • Introduction

  • Introduction: Contents
      - Security Requirements
      - SAP Security Levels
      - SAP Access Control
      - Users, Roles and Authorizations
      - Technical Implementation of Roles

  • Introduction: Unit Objectives
    At the conclusion of this unit, you will be able to:
      - Describe the SAP authorization concept as part of a comprehensive security concept
      - Explain the access control mechanisms
      - Explain how users, roles and authorizations are related
      - Describe the technical implementation of a role-based authorization concept

  • Security - Overview
      - Threats
          - Technology: Disk Crash, Power Supply Interruption
          - Persons: Incorrect Operation, Hackers
          - Environment: Floods, Earthquakes
      - Measures
          - Technology: Hardware Router, DB Backup, Password Rules, Authorizations, ...
          - Organization: Procedures, Training
          - Environment: Fire Alarms, Water Detection
      - Assets
          - Hardware
          - Software
          - Data
          - Persons

  • SAP Security Levels

  • SAP Access Control
      - System Access Control
          - Users must identify themselves in the system
          - Configuration of system access control (e.g. password rules)
      - Access Control
          - Access rights for functions and data must be granted explicitly using authorizations
          - Authorization checks for
              - Transaction/report calls
              - Program execution

  • Users, Roles, and Authorizations
    Employees have roles with specific functions and need authorizations for these functions.
      - Procurement functions: Create Purchase Requisition (ME51), Order Purchase Requisition (ME58), Release Purchase Requisition (ME54)
      - Employees: Karen, Susan, John
      - Role lists shown:
          - Employee, Service Representative
          - Employee, Service Representative, Manager
          - Employee, Purchaser
      - Authorizations shown:
          - Authorization to create purchase requisitions
          - Authorization to release purchase requisitions
          - Authorization to create purchase orders

  • Technical Implementation of Roles
    Role: Professional Purchaser
      - Role Menu
          - Accessible Transactions, Reports, Web Links
          - Structure of the Menus/Access Paths
      - Authorizations
          - Selective Access to Business Functions and Data
      - User

  • SAP Easy Access - User-Specific Menus
    [Screenshot: menu bar Menu, Edit, Favorites, Extras, System, Help; buttons Other menu, Create menu, Assign users]
      - Role BC_USER_ADMIN
      - Favorites
          - SM51 List of SAP Systems
      - User Administration
          - SU01 - User Maintenance
          - PFCG - Role Maintenance
          - SU01D - Display User
          - SU05 - Internet User Maintenance
          - SU10 - User Mass Maintenance
          - SUGR - Maintain User Groups

  • Introduction: Unit Summary
    You are now able to:
      - Describe the SAP authorization concept as part of a comprehensive security concept
      - Explain the access control mechanisms
      - Explain how users, roles and authorizations are related
      - Describe the technical implementation of a role-based authorization concept

  • Conception with ASAP Methodology

  • Conception with ASAP Methodology: Contents
      - ASAP methodology for creating an authorization concept
      - Project preparation
      - Analysis and design of the authorization concept
      - Implementation of the authorization concept
      - Testing and quality assurance
      - Cutover

  • Conception with ASAP Methodology: Unit Objectives
    At the conclusion of this unit, you will be able to:
      - List the steps necessary to implement an authorization concept
      - Describe the activities to be performed in each step
      - Assign responsible persons to each activity
      - Use the ASAP procedure model for implementing an authorization concept for your own projects

  • Conception with ASAP Methodology: Business Scenario
      - Before going live, your company wants to implement an authorization concept.
      - The steps required to realize the authorization concept must be planned in the context of the entire implementation process.
      - During the planning phase you want to estimate the time and personnel resources needed.

  • Role and Authorization Concept: Steps
    Phases: Preparation, Analysis & Conception, Implementation, Quality Assurance & Tests, Cutover; in parallel: Determine User and Authorization Administration Strategy
      - A Role and Authorization Concept is Implemented in 5 Steps
      - Each Step Comprises Different Activities
      - Each Activity is Associated with a Responsible Person
      - User Administration and Authorization Management Organization is Parallel to User and Authorization Concept Implementation

  • Step 1: Preparation
    Measures:
      - Set Up a Team for User Roles and Authorizations
      - Clarify Prerequisites for Authorization Assignment
      - Train the Team for User Roles and Authorizations
      - Trigger Role and Authorization Project

  • Team for User Roles and Authorizations
    [Figure: team members drawn from the areas Basis, PP, HR, SD/MM and FI/CO, each marked KU or BC]
      - KU = Key User
      - BC = Basis User (technical authorization management)

  • Step 2: Analysis & Conception (SAP AG 1999)
    Measures:
      - Determine User Roles
      - Complete Roles
      - Determine Framework for Implementing the Roles
      - Check Framework for Implementing the Roles

  • Analysis: Determine User Roles (Authorization List - Role Design)
    Columns: Instruction ..., Enterprise area, Role name, Scope (one column per role)
    Business Processes:
      - Financial Accounting / General Ledger Processing / Closing Operations / Profit and Loss Adjustment
          - F.50    General ledger: Profit and Loss Adjustment
          - F.5D    General ledger: Update Balance Sheet Adj.
          - F.5E    General ledger: Post Balance Sheet Readj.
          - F.5F    General ledger: Balance Sheet Readj., Log
          - F.5G    General ledger: B/S Readj., Spec. Functions
      - Accounts Payable Accounting / Invoices and Credit Memos / Parked Document Posting [Vendors]
          - FBV0    Post Parked Document
          - FBV2    Change Parked Document
          - FBV3    Display Parked Document
          - FBV4    Change Parked Doc. (Header)
          - FBV5    Document Changes: Parked Documents
          - FBV6    Reject Parked Document
      - Vendor Account Analysis / Balance Analysis
          - FD11    Customer Account Analysis
          - FK10    Vendor Account Balance
          - FK10N   Display Vendor Balances
          - FBL1N   Vendor Line Items
      - Correspondence with Vendors / Correspondence with Vendors
          - F.61    Correspondence: Print Requests
          - F.62    Correspondence: Print Internal Docs.
          - F.63    Correspondence: Delete Requests
          - F.64    Correspondence: Maintain Requests

  • Conception: Complete User Roles (1) (Authorization List - Role Design)
    [Table: the same business process and transaction list as on the previous slide (F.50 to F.64), with the Role name columns FI_Manag, AP_Manag and AP_Acc, Enterprise area FI for all three, and an "x" in the Scope column of each role a transaction belongs to; the individual marks are not legible in this transcript]

  • Technical Conception: Role Implementation (1)
    [Figure: concept levels and their technical implementation]
      - User: User Master Record
      - User Role: Composite Role (examples: Accounts Payable Accounting Manager, Accounts Payable Accountant)
      - Activity Block (Group of Related Activities): Role (examples: Balance Analysis, Maintain Account Balances, G/L Document Maintenance)
      - Activities: Transactions, Reports (examples: Vendor Line Items, Display Vendor Balances, Post Documents, Change Documents, ...)

  • Technical Conception: Role Implementation (2)
    [Figure: the user roles Accounts Payable Accountant, Accounts Payable Accounting Manager and Financial Accounting Manager, each assembled from activity blocks such as Balance Analysis, Correspondence, Maintain Documents and Closing Operations]

  • Step 3: Implementation
    Measures:
      - Create Roles
      - Create Derived Roles
      - Create Composite Roles

  • Step 4: Quality Assurance & Tests
    Measures:
      - Test User Roles and Authorization Concept
      - Release Roles and Authorization Concept

  • Step 5: Cutover
    Measures:
      - Set Up Productive Environment
      - Create User Master Records for Productive Users
      - Accept Role and Authorization Project

  • Determine User and Authorization Administration Strategy
    Measures:
      - Specify Technical User and Authorization Administration Strategy
      - Specify User and Authorization Administration Procedure
      - Train Users and Authorization Administrators

  • User and Authorization Administration Strategy
    [Figure: Development System and User Administration System, with the administrators and their tasks]
      - System Administrator
      - Authorization Data Administrator: Create Role
      - Authorization Profile Administrator
      - User Administrator: Maintain Users, Assign Role

  • Conception with ASAP Methodology: Unit Summary
    You are now able to:
      - List the steps necessary to implement an authorization concept
      - Describe the activities to be performed in each step
      - Assign responsible persons to each activity
      - Use the ASAP procedure model for implementing an authorization concept for your own projects

  • Elements of SAP Authorization Concept

  • Elements of the SAP R/3 Authorization Concept: Business Scenario
      - The SAP R/3 authorization concept prevents unauthorized access to the system and to data and objects within the system. Users that are to perform specific functions in the SAP R/3 System need a user master record with the relevant authorizations.

  • Overview of the elements of the SAP R/3 authorization concept
      - Authorization object class
      - Authorization object
      - Authorization field
      - Authorization
      - Profile
      - Role
      - User

  • Authorization Fields, Objects, Object Classes
      - Authorization Fields: BUKRS, ACTVT, WERKS, BEGRU
      - Authorization Objects: M_RECH_BUK, F_BKPF_BUK, F_KNA1_BUK, C_KAPA_PLA, C_ARPL_WRK, M_MSEG_WWA, V_KNA1_BRG, C_DRAW_BGR
      - Authorization Object Classes: MM_R, FI, PP, MM_B, SD, CV

  • Authorization
    [Figure: two authorizations for the same object, each with a grid of company codes 1000, 2000, 3000 against the activities Create, Change, Display]
      - Authorization A
          - BUKRS: 1000, 2000
          - ACTVT: 01, 02, 03
      - Authorization B
          - BUKRS: 1000, 2000, 3000
          - ACTVT: 03

  • Authorizations and Authorization Profiles
    [Figure: field values required by Work Center 1, Work Center 2 and Work Center 3 are entered as authorizations for each authorization object and collected in an authorization profile]
      - Authorization objects and their fields:
          - S_TCODE: TCD
          - F_BKPF_BUK: ACTVT, BUKRS
          - F_BKPF_GSP: ACTVT, GSBER
          - F_BKPF_KOA: ACTVT, KOART
          - ...
      - Values appearing in the figure: transactions F-22, F-27, FB02, FB03, F-43, F-41; activities 01, 02, 03; company codes 1000, 2000; account types A, D, S, K

  • Authorization Check in the Program
    Change Accounting Document: Transaction FB02, Program SAPMF05L

        ....
        " Check that the user may change (ACTVT 02) documents in company code BUK
        AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
          ID 'ACTVT' FIELD '02'
          ID 'BUKRS' FIELD BUK.
        IF SY-SUBRC NE 0.
          MESSAGE E083 WITH BUK.
        ENDIF.
        ....

    User authorizations used for the check:
      - Object F_BKPF_BUK, Authorization BUK1000
          - ACTVT: 02, 03
          - BUKRS: 1000
    The check result is returned to the program.

  • Security Checks during Transaction Start
    Example: Change Accounting Document
      - System program
          - Authorization for transaction (Authorization Object S_TCODE)? If No, the transaction is not started.
          - Authorization for authorization object in table TSTCA? If No, the transaction is not started.
      - ABAP program
          - Authorization checks. If Yes: Initial Screen, then Next Screen.

  • Roles and Authorization Profiles
    Create Roles Using the Profile Generator (PFCG)
      - Choose Activities (Transactions, Reports, Web links): result is the User Menu
      - Maintain Authorization Data (Define Authorization Objects)
      - Generation: result is the Authorization Profile (Authorization for Authorization Object xxx ....)

  • Roles and the Easy Access Menu
    [Screenshot: menu bar Menu, Edit, Favorites, Extras, System, Help; buttons Other menu, Create menu, Assign users]
      - Role SAP_BC_USER_ADMIN_AG
      - Favorites
          - SU01 User Maintenance
      - User Administration
          - SU01 - User Maintenance
          - PFCG - Role Maintenance
          - SU01D - Display User
          - SU05 - Internet User Maintenance
          - SU10 - User Mass Maintenance
          - SUGR - Maintain User Groups

  • Elements of the SAP R/3 Authorization Concept: Unit Summary
    You are now able to:
      - Describe the elements of the authorization concept
      - Describe the process flow of an authorization check in the program
      - Describe the authorization checks during transaction start
      - Describe the differences between roles and authorization profiles
      - Explain the relationship between roles and the Easy Access menu
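
The check logic from the slides above (Authorization A and B, the AUTHORITY-CHECK in program SAPMF05L, and the checks at transaction start), modelled in Python as an added example; it is not SAP code and not part of the original course material. The user buffer contents, the `TSTCA` entry and the `PROGRAM_ACTVT` mapping are constructed sample data, and the return codes follow the `SY-SUBRC` values of ABAP's AUTHORITY-CHECK (0, 4, 12).

```python
"""Model of the R/3 authorization check (illustration only, not SAP code)."""

# Constructed user buffer: authorization object -> list of authorizations,
# each authorization maps a field to its permitted values.
USER_BUFFER = {
    "S_TCODE": [{"TCD": {"FB02", "FB03"}}],
    "F_BKPF_BUK": [
        {"BUKRS": {"1000", "2000"}, "ACTVT": {"01", "02", "03"}},  # Authorization A
        {"BUKRS": {"1000", "2000", "3000"}, "ACTVT": {"03"}},      # Authorization B
    ],
}

# Constructed stand-in for table TSTCA: object and values checked by the
# system program before the transaction's own ABAP code runs.
TSTCA = {"FB02": ("F_BKPF_BUK", {"ACTVT": "02"})}

# Assumption: activity each transaction's program checks (02 change, 03 display).
PROGRAM_ACTVT = {"FB02": "02", "FB03": "03"}


def value_allowed(allowed, value):
    """True if value is listed exactly or covered by a trailing-* entry."""
    return any(a == value or (a.endswith("*") and value.startswith(a[:-1]))
               for a in allowed)


def authority_check(buffer, obj, **fields):
    """Return 0 (authorized), 4 (object present, values not covered)
    or 12 (no authorization for the object in the user buffer)."""
    auths = buffer.get(obj)
    if not auths:
        return 12
    for auth in auths:
        # Every checked field must be satisfied by ONE authorization.
        # Values of different authorizations are never combined.
        if all(value_allowed(auth.get(f, ()), v) for f, v in fields.items()):
            return 0
    return 4


def start_transaction(buffer, tcode, bukrs):
    """Run the three checks in the order shown on the slide."""
    # 1. System program: may the user start the transaction at all?
    if authority_check(buffer, "S_TCODE", TCD=tcode) != 0:
        return "denied: S_TCODE"
    # 2. System program: additional object maintained in TSTCA, if any.
    entry = TSTCA.get(tcode)
    if entry is not None:
        obj, values = entry
        if authority_check(buffer, obj, **values) != 0:
            return "denied: TSTCA"
    # 3. ABAP program: AUTHORITY-CHECK with the concrete company code.
    rc = authority_check(buffer, "F_BKPF_BUK",
                         ACTVT=PROGRAM_ACTVT[tcode], BUKRS=bukrs)
    return "ok" if rc == 0 else "denied: AUTHORITY-CHECK in program"


if __name__ == "__main__":
    for tcode, bukrs in [("FB02", "1000"), ("FB02", "3000"),
                         ("FB03", "3000"), ("F-22", "1000")]:
        print(tcode, bukrs, "->", start_transaction(USER_BUFFER, tcode, bukrs))
```

Changing a document in company code 3000 is refused even though the user holds activity 02 (in A) and company code 3000 (in B), because no single authorization contains both values.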

  • User Master

  • The User Master Record: Contents
      - Identifying users by means of the user master record
      - SAP R/3 user types
      - Components of the user master record
      - User buffer
      - Change documentation

  • The User Master Record: Unit Objectives
    At the conclusion of this unit, you will be able to:
      - List the different SAP R/3 user types
      - Distinguish between the components of the user master record
      - Create and change user master records
      - Evaluate change documents
      - Display and archive change documents
      - Analyze the user buffer
      - Understand the function of the user buffer and evaluate the buffered user authorizations

  • The User Master Record: Business Scenario
      - To access the SAP R/3 System and work with the data in the system, a user master record with appropriate authorizations is required. Other elements of the user master record make it easier to work with the SAP R/3 System.

  • User Master Record Components
    [Screenshot: Display User, with the status fields Saved, User, Last changed by, and the tabs below]
      - Address: Personal Data, Communication Data, Company Address
      - Logon Data: User Group, User Type, Validity Period
      - Defaults: Start Menu, Logon Language, Standard Printer
      - Parameters: Default Parameter IDs
      - Roles
      - Profiles: Assignment of Profiles
      - Groups: Assignment of User Groups

  • User Buffer
      - User: WolfMeier
      - Role: MY_FI_AR_DISPLAY_MASTER_DATA
      - Authorization Profile: T-T0030107
      - On logon to the SAP R/3 System, the user buffer is filled:

        Object        Authorization
        ...           ...
        F_BKPF_KOA    T-T003010700
        F_KNA1_AEN    T-T003010700
        F_KNA1_APP    T-T003010700
        F_KNA1_APP    T-T003010701
        F_KNA1_BED    T-T003010700
        F_KNA1_BUK    T-T003010700
        F_KNA1_GEN    T-T003010700
        F_KNA1_GEN    T-T003010701
        ...           ...

  • The User Master Record: Unit Summary
    You are now able to:
      - List the different SAP R/3 user types
      - Distinguish between the components of the user master record
      - Create and change user master records
      - Evaluate change documents
      - Display and archive change documents
      - Analyze the user buffer
      - Understand the function of the user buffer and evaluate the buffered user authorizations

  • Working with Profile Generator

  • Working with the Profile Generator: Contents
      - This unit describes how to design SAP Easy Access user menus for the various work centers (or roles) in your company and how to automatically generate authorization profiles for those menus.
      - The first part of this unit deals with simpler basic maintenance. The focus is placed on the creation of menus and the associated authorizations, profiles, and user assignments.
      - The second part deals with more advanced topics: the focus here is placed on derived and composite roles.

  • Working with the Profile Generator: Unit Objectives
    At the conclusion of this unit, you will be able to:
      - Perform the steps involved in assigning authorizations with the Profile Generator
      - Copy, change, and create roles and determine their activities
      - Display and maintain authorizations that were generated automatically

  • Working with the Profile Generator: Business Scenario
      - When you create authorizations and authorization profiles for groups of users, you should use the Profile Generator. Based on selected menu functions, the Profile Generator automatically generates authorization data and offers it for postprocessing.

  • The Profile Generator: Steps
    [Figure: a work centre description (Activity 1, Activity 2, ...) is turned into a role with the Profile Generator]
      - Define Role Names
      - Define Activities
      - Design User Menus
      - Maintain Authorization Data
      - Generate Authorization Profile
      - Assign Users
      - Adjust User Master Records

  • Profile Generator: Views
    [Screenshot: Role SAP_FI_AR_MASTER_DATA, Description Accounts Payable Clerk; buttons Display, Change, Create, Create Composite Role, Information]
      - Simple Maintenance (Workplace Menu Maintenance): tabs Menu, Agents
      - Basic Maintenance (Menus, Profiles, Other Objects): tabs Menu, Authorizations, Agents
      - Overview (Organisational Management and Workflow): tabs Menu, Authorizations, Tasks, Agents, Organisational Management

  • Profile Generator: Steps

  • Define Role Name and Description
    [Screenshot: buttons Display, Change, Create, Create Composite Role, Information; tabs Description, Menu, Authorizations, User, Pers...]
      - Role: MY_ROLE
      - Description: FI: Accounts Payable Accountant

  • Profile Generator: Steps
      - Define Role Name
      - Determine Activities
      - Design User Menus
      - Maintain Authorization Data
      - Generate Authorization Profile
      - Assign Users
      - Adjust User Master Records

  • Determine Activities
    [Screenshot: role maintenance tabs Description, Menu, Authorizations, User]

  • Design Menus
    [Screenshot: Role MY_ROLE, Description FI: Accounts Payable Accountant - (Template Copy); tabs Description, Menu, Authorizations, Users, Pers..]
      - Define Functions
          - Copy menus: From the SAP Menu, From Other Role, From Area Menu, Import From File
          - Add entries: Transaction, Report, Other
          - Target system: All, T70CLNT400; Distribute
      - Customize Menu Structure (drag & drop)
          - Translate Node, Display Documentation, Find in Docu.
          - Confirmation of Change, Compare
      - Role Menu
          - URL - www.mysap.com
          - URL - Route Planner
          - SM04 - User List
          - SE16 - Data Browser
          - Account Master Data
              - FK01 - Create Vendor
              - FK02 - Change Vendor
              - FK03 - Display Vendor
              - FK04 - Display Changes
              - FK05 - Lock Vendor
              - FK06 - Set Deletion Flag
          - Correspondence
          - Closing
          - Reporting
          - Withholding Tax
          - Information System
          - Other
          - Addresses

  • Profile Generator: Create Authorization Profiles
    [Screenshot: tabs Description, Menu, Authorizations, User]
      - MY_ROLE   FI: Accounts Payable Accountant
      - Maint.: 0 Unmaint. Org levels, 7 Open Fields, Status: Saved
      - Authorization tree (status, old/new, object class):
          - Maintained   Old   Cross-Application Authorization Objects
          - Maintained   Old   Asset Management
          - Maintained   New   Basis - Administration
              - Standard   New   Authorization for File Access
              - Standard   New   Authorization for File Access
                  - Fields: Activity, Physical File Name, ABAP Program Name
          - Maintained   Old   SAPscript: Standard text
          - Standard     Old   Basis - Development Environment
          - Maintained   New   Basis - Central Functions
          - Standard     Old   Materials Management - Procurement

  • Generate Authorization Profile
    [Screenshot: tabs Description, Menu, Authorizations, User; dialog "Assign Profile Name for Generated Authorization Profile"]
      - You can change the default profile name here
      - Profile name: MY_ROLE_PF
      - You will not be able to change this profile name later
      - Text: Profile for role MY_ROLE

  • Assigning Users to Roles
    [Figure: users assigned to Role 1, Role 2, Role 3 and Role 4]

  • Comparing the User Master
    [Screenshot: role maintenance tabs Description, Menu, Authorizations, User]

  • Derived Roles
    [Figure: a (Reference) Role with Derived Role 1, Derived Role 2 and Derived Role 3, each tied to its own part of the organisational structure]
      - Authorization sets shown:
          - Authorizations for: Plant 1, Company Code 0020, Business Area 110, ...
          - Authorizations for: Plant 1, Company Code 0020, Business Area *, ...
          - Authorizations for: Plant 2, Company Code 0001, Business Area 100, ...

  • Menus of Derived Roles
      - Reference Role: changes to the menu are only possible here
      - Derived Role 1
      - Derived Role 2
      - Derived Role 3

  • Composite Roles
    [Figure: Role 1 to Role 7 grouped into Composite Role A and Composite Role B]

  • Menus of Composite Roles
    [Figure: the menus of Role 1 and Role 2 are combined into the menu of the Composite Role]
      - Changes to the entire menu are possible!

  • Working with the Profile Generator: Unit Summary
    You are now able to:
      - Perform the steps involved in assigning authorizations with the Profile Generator
      - Copy, change, and create roles and determine their activities
      - Display and maintain authorizations that were generated automatically

  • Access Control and User Administration

  • Access Control and User Administration: Contents
      - Special Users
      - Administration Tasks in User and Authorization Administration
      - SAP Authorization Objects for Protection from Access to Administration Functions
      - Scenarios for Distributing Administration Tasks in the System Infrastructure

  • Access Control and User Administration: Unit Objectives
    At the conclusion of this unit, you will be able to:
      - Protect special users in SAP R/3
      - Describe tasks in user and authorization administration
      - List options for separating functions of user and authorization administration
      - Describe options for decentralization of user administration
      - Create user and authorization administrators with limited rights

  • Access Control and User Administration: Business Scenario
      - In order to protect your SAP R/3 System against unauthorized access, you must define password rules, set the relevant profile parameters and protect special users.
      - You must also define areas of responsibility for user and authorization administration.
      - The organizational areas of responsibility must be clearly defined technically using authorizations.

  • Special Users
    Initial Logon Procedure in SAP Clients

        Client          User         Initial password
        000, 001        SAP*         06071992
        000, 001        DDIC         19920706
        066             EarlyWatch   support
        Client (new)    SAP*         pass

    Since these users are generally known, they must be protected against unauthorized access.

  • User and Authorization Administration: Activities
      - Create, maintain, lock and unlock users, and change passwords
      - Create and Maintain Roles
      - Maintain Transaction Selections and Authorization Data in Roles
      - Generate Authorization Profiles
      - Assign Roles and Profiles
      - Transport Roles
      - Monitor Using the Information System
      - Archive Change Documents

  • Security Requirements
      - An administrator may not
          - Administer users and
          - Maintain authorizations and
          - Generate authorization profiles
      - Separation of functions
          - Principle of dual control
              - User administration
              - Authorization maintenance and generation
          - Principle of triple control
              - User administration
              - Authorization maintenance
              - Authorization generation

  • Separation of Functions
    [Figure: the tasks of the Superuser are divided among three administrators]
      - User Administrator
          - Maintain user master records
          - Assign roles to users
          - Assign profiles to users (only T...)
          - Display authorizations and profiles
          - Call "Information System Authorizations"
      - Authorization Data Administrator
          - Maintain roles
              - Change transaction selection
              - Change authorization data
          - Call "Information System Authorizations"
      - Authorization Profile Administrator
          - Maintain roles
              - Create authorizations (only T-...)
              - Create profiles (only T-...)
          - Execute Transaction SUPC
          - Call "Information System Authorizations"

  • Decentral User Administration
    [Figure: user administrators per application area (PP User Admin., MM User Admin., SD User Admin., CO User Admin., FI User Admin.) and a User Administrator at each of Location 1, Location 2, Location 3 and Location 4]

  • Scenario 1
      - Central user administration
          - One user administrator for all users
          - Unlimited authorizations for all user administration tasks of the user administrator
      - Central maintenance of roles and profiles
          - One administrator takes on both roles
              - Authorization data administrator
              - Authorization profile administrator
          - All authorizations for maintaining the roles and profiles
      - Principle of dual control

  • Scenario 2
      - Decentral user administration (production system)
          - One user administrator per application area (FI, MM)
              - Authorized to maintain a certain user group
              - Authorized to assign a certain number of roles and profiles
              - No other restrictions in the specific user administration tasks
      - Central maintenance of roles and profiles
          - Separation of responsibilities
              - One authorization data administrator
              - One authorization profile administrator
          - No other restrictions in the specific roles or profiles for both administrators
      - Principle of triple control

  • Scenario 3
      - Central creation and deletion for all users (prod.)
      - Decentral user administration (production system)
          - One user administrator per application area (FI, MM)
              - Authorized to maintain a certain user group
              - Authorized to assign a certain number of roles and profiles
              - Authorized for only certain user administration tasks (change, lock/unlock, reset password)
      - Central maintenance of roles and profiles
          - Separation of responsibilities
              - One authorization data administrator
              - One authorization profile administrator
          - No other restrictions in the specific roles or profiles for both administrators
      - Principle of triple control

  • Access Control and User Administration: Unit Summary
    You are now able to:
      - Change password rules with system profile parameters
      - Protect special users in the R/3 System
      - Describe tasks in user and authorization administration
      - List options for separating functions of user and authorization administration
      - Describe options for decentralization of user administration
      - Create user and authorization administrators with limited rights