r3 security 2

Upload: bsatish70

Post on 05-Apr-2018


7/31/2019 R3 Security 2

USER TYPES IN R/3 SECURITY: Characterization of user types

Dialog user (type A): Individual, personalized system access. Logon with SAPGUI is possible, so the user can interact through the SAPGUI. Expired or initial passwords are checked, and users can change their own passwords. Multiple logon is possible but can be restricted by profile parameter.
Ex: End users, support users etc.

Service user (type S): Shared, anonymous system access. Logon with SAPGUI is possible, so the user can interact through the SAPGUI. The passwords are not subject to the password change requirement, that is, they cannot be initial or expired. Only a user administrator can change the password. Multiple logon is permitted.
Ex: Fire Fighter ID

System user (type B): System-dependent and system-internal operations. Logon with SAPGUI is not possible, so the user cannot interact through the SAPGUI. The passwords are not subject to the password change requirement, that is, they cannot be initial or expired. Only an administrator user can change the password. It is used to communicate within the system.
Ex: Internal RFC, background processing, external RFC (for example, ALE, workflow, TMS, CUA)

Communication user (type C): Logon with SAPGUI is not possible, so the user cannot interact through the SAPGUI. It is another type of background user and communicates between systems.
Ex: External RFC, CUA

Reference user (type L): Authorization enhancement. No dialog logon is possible. Reference users are used to provide existing users with the extra privileges of a user who is going on vacation or leave.
Ex: Internet users with identical authorizations

    For more information visit www.keylabstraining.com

HOW TO CREATE A USER IN SAP?

Before creating a user in the SAP system we need the user's details (user ID, first name, last name, e-mail ID, user group, validity period and required authorizations (roles/profiles) etc.). After that we need to obtain approval from the appropriate managers.

Important note: for creation of a new user account the mandatory fields that must be filled are User ID, Last name and Password. Then follow the steps below:

1. Execute SU01.
2. Enter the user name and press CREATE (the notepad icon).
3. Enter the necessary details such as first name and last name.
4. Click on the Logon Data tab and enter a password, e.g. Keylabs123.
5. Give the required authorizations in the Roles and Profiles tabs.
6. Click Save. Now you can inform the user that his/her account has been created.

AUTHORIZATION CHECKS:

Authorization checks when starting SAP transactions:

When a user starts a transaction, the system performs the following checks:

The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.

The system then checks whether the user has authorization to start the transaction. The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.

The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.

If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitably defined authorization object (TSTA, table TSTCA).

If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).

The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.

The check is not performed in the following cases:

You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.

This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.

You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.

So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to Y (using transaction RZ10).

All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.

Checking assignment of authorization groups to tables:

You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, SAP delivers tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
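The following Python model walks through the transaction-start checks in the order just described (TSTC validity and lock, S_TCODE/TCD, the additional SE93 object from TSTCA) and then the S_TABU_DIS check for table access via SE16. It is an added example, not SAP code and not from the original page: TSTC, TSTCA and TDDAT are reduced to constructed in-memory dicts holding only the columns used here, the authorization groups SC and MA and the support user's buffer are constructed sample data, and only the real field names (TCD, ACTVT, CLASS, DICBERCLS) are taken from SAP.

```python
"""Model of the checks described above for starting a transaction, plus the
S_TABU_DIS table-group check.  Added example (not SAP code) with constructed
sample data: TSTC, TSTCA and TDDAT are reduced to in-memory dicts holding only
the columns used here."""

# Constructed stand-in for TSTC: transaction code -> lock flag set by the
# administrator.
TSTC = {
    "SU01": {"locked": False},
    "SE16": {"locked": False},
    "SM59": {"locked": True},   # administrator has locked this transaction
}

# Constructed stand-in for TSTCA: the additional authorization object and
# field values entered for the transaction in SE93.
TSTCA = {
    "SU01": ("S_USER_GRP", {"ACTVT": "03"}),
}

# Constructed stand-in for TDDAT: table name -> authorization group.
TDDAT = {
    "USR02": "SC",
    "MARA": "MA",
}


def value_matches(allowed, wanted):
    """A field value matches when the authorization lists it or holds '*'."""
    return any(v == "*" or v == wanted for v in allowed)


def authority_check(user_buffer, obj, fields):
    """AND across the fields of one authorization, OR across authorizations."""
    for auth in user_buffer.get(obj, []):
        if all(value_matches(auth.get(f, []), v) for f, v in fields.items()):
            return True
    return False


def can_start_transaction(user_buffer, tcode):
    """Return (allowed, reason), running the checks in the order the text gives."""
    entry = TSTC.get(tcode)
    if entry is None:
        return False, f"{tcode}: not a valid transaction (no TSTC entry)"
    if entry["locked"]:
        return False, f"{tcode}: locked by the administrator"
    if not authority_check(user_buffer, "S_TCODE", {"TCD": tcode}):
        return False, f"{tcode}: no S_TCODE authorization with TCD={tcode}"
    if tcode in TSTCA:
        obj, fields = TSTCA[tcode]
        if not authority_check(user_buffer, obj, fields):
            return False, f"{tcode}: missing SE93 authorization {obj} {fields}"
    return True, f"{tcode}: start permitted"


def can_display_table(user_buffer, table, actvt="03"):
    """SE16-style access: the user needs the tool (S_TCODE for SE16) and
    S_TABU_DIS for the table's authorization group (field DICBERCLS)."""
    ok, reason = can_start_transaction(user_buffer, "SE16")
    if not ok:
        return False, reason
    group = TDDAT.get(table)
    if group is None:
        return False, f"{table}: no authorization group in TDDAT"
    if not authority_check(user_buffer, "S_TABU_DIS",
                           {"DICBERCLS": group, "ACTVT": actvt}):
        return False, f"{table}: no S_TABU_DIS for group {group}, activity {actvt}"
    return True, f"{table}: access permitted via group {group}"


# Constructed user buffer of a support user: may display users in SU01 and
# read tables of group MA with SE16, nothing more.
SUPPORT_USER = {
    "S_TCODE": [{"TCD": ["SU01", "SE16"]}],
    "S_USER_GRP": [{"ACTVT": ["03"], "CLASS": ["*"]}],
    "S_TABU_DIS": [{"DICBERCLS": ["MA"], "ACTVT": ["03"]}],
}

if __name__ == "__main__":
    for tcode in ("SU01", "SM59", "PFCG"):
        print(can_start_transaction(SUPPORT_USER, tcode))
    for table in ("MARA", "USR02"):
        print(can_display_table(SUPPORT_USER, table))
```

The reason strings make the failing step visible: the locked transaction is refused before any authorization is consulted, a transaction with no TSTC entry never reaches S_TCODE, and the user master table USR02 is refused even though the user holds S_TCODE for SE16, because its authorization group is not in the user's S_TABU_DIS.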

SAP SECURITY, AUTHORIZATIONS:

An authorization is a permission to perform a certain action in the SAP System.

Authorizations are used to control access at the application level. The SAP authorization concept is the basis of SAP security. Security means protecting your data and your business.


SAP Authorization Architecture

The structure of an authorization is as follows:

Field: The smallest unit against which a check is run. It is the least granular element (data element) used to secure data/information.

Authorizations: Authorizations are used to control access at the application level.

Authorization Object: Groups 1 to 10 authorization fields together. These fields are then checked simultaneously.

Authorization Object Class: Logical grouping of authorization objects.

Profile: A profile provides authorization based on the authorizations and authorization objects it contains. Up to release 4.6C profiles were created manually in transaction SU02; from 4.6C onwards they are created automatically when roles are created, modified or generated.

Role: A role is a combination of menus, authorizations, profiles and personalization. A role is a group of activities performed within business scenarios, or the activities assigned to a user, or a set of functions describing a specific work area. Roles consist of a menu, authorizations and organizational values.

PROFILE PARAMETERS FOR LOGON:

Parameter                    Explanation
login/min_password_lng       Defines the minimum length of the password. Default value: 3; permissible values: 3 to 8.
login/min_password_digits    Defines the minimum number of digits (0-9) in passwords. Default value: 0; permissible values: 0 to 8. Available as of SAP Web AS 6.10.
login/min_password_letters   Defines the minimum number of letters (A-Z) in passwords. Default value: 0; permissible values: 0 to 8.

    http://3.bp.blogspot.com/-nF6UKix6TN4/T04LDMWvgzI/AAAAAAAAAH0/qmWMdT7paEg/s1600/auths.jpg
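As an added example (not SAP code and not from the original page), the checker below applies the three logon parameters exactly as the table states them: it merges an instance profile with the defaults, refuses a parameter value outside its permissible range instead of silently applying it, and reports which rule a candidate password breaks. The defaults and ranges come from the table; the hardened profile values and the sample passwords are constructed.

```python
"""Password rule checker for the three logon profile parameters listed above.
Added example: a stand-alone re-implementation of the rules as the text states
them, not SAP code.  Defaults and permissible ranges are taken from the text;
the profile values and sample passwords are constructed."""

from string import ascii_letters, digits

# Default and permissible values as given in the text.
PARAMETERS = {
    "login/min_password_lng":     {"default": 3, "min": 3, "max": 8},
    "login/min_password_digits":  {"default": 0, "min": 0, "max": 8},
    "login/min_password_letters": {"default": 0, "min": 0, "max": 8},
}


def effective_parameters(profile):
    """Merge the instance profile (the values set in RZ10) with the defaults,
    rejecting any value outside the permissible range rather than applying it."""
    effective = {}
    for name, spec in PARAMETERS.items():
        value = profile.get(name, spec["default"])
        if not spec["min"] <= value <= spec["max"]:
            raise ValueError(f"{name}={value} is outside the permissible "
                             f"range {spec['min']}-{spec['max']}")
        effective[name] = value
    return effective


def password_violations(password, profile):
    """Return the names of the parameters the password fails; an empty list
    means the password satisfies all three rules."""
    params = effective_parameters(profile)
    n_digits = sum(c in digits for c in password)
    n_letters = sum(c in ascii_letters for c in password)   # A-Z, either case
    violations = []
    if len(password) < params["login/min_password_lng"]:
        violations.append("login/min_password_lng")
    if n_digits < params["login/min_password_digits"]:
        violations.append("login/min_password_digits")
    if n_letters < params["login/min_password_letters"]:
        violations.append("login/min_password_letters")
    return violations


# Constructed instance profile, tightened from the defaults.
HARDENED_PROFILE = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 2,
    "login/min_password_letters": 3,
}

if __name__ == "__main__":
    for candidate in ("Keylabs123", "Keylabs1", "ab"):
        print(candidate, password_violations(candidate, HARDENED_PROFILE))
```

With only the defaults in force a three-character password passes, which is the point of reviewing these parameters: the defaults set the floor, not a policy.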

Why is SU25 required?

In SAP security the two standard tables are USOBT and USOBX, which contain SAP's delivered security data. Filling the customer tables is a one-time activity: when you click on "initially fill the customer tables", the data is copied from USOBT and USOBX into the customer tables USOBT_C and USOBX_C. Table USOBT contains the transaction code to authorization object relationship; table USOBX contains the check indicators for table USOBT. After upgrading SAP to a new release, you need to adjust all the roles and transaction codes. SU25 is the transaction for upgrading the Profile Generator. It has 6 steps, and which of them you execute depends on whether you were already using the Profile Generator in the last release.

This transaction is used to fill the customer tables of the Profile Generator the first time the Profile Generator is used, and to update the customer tables after an upgrade. The customer tables of the Profile Generator hold a copy of the SAP default values for the check indicators and field values. These check indicators and field values are maintained in transaction SU24. If you have made changes to check indicators, you can compare these with the SAP default values and adjust your check indicators as needed.

Step 1: If you have not yet used the Profile Generator or you want to add all SAP default values again, use the initial fill procedure for the customer tables. If you have used the Profile Generator in an earlier release and want to compare the data with the new SAP defaults after an upgrade, use steps 2a to 2d. Execute the steps in the order specified here.

Step 2a: Prepares the comparison and must be executed first.

Step 2b: If you have made changes to check indicators or field values in transaction SU24, you can compare these with the new SAP default values. The values delivered by SAP are displayed next to the values you have chosen so that you can adjust them if necessary. If you double-click on a line, you can assign check indicators and field values. You maintain these as described in the documentation for transaction SU24.

Note on the list of transactions to be checked: to the right of the list you can see the status, which shows whether or not a transaction has already been checked. At first the status is set to "to be checked". If you choose the transaction in change mode and then choose Save, the status is automatically set to "checked". By choosing the relevant menu option in the list of transactions you can manually set the status to "checked" without changing check indicators or field values, or even reset it to "to be checked". If you want to use the SAP default values for all the transactions that you have not yet checked manually, you can choose the menu option to copy the remaining SAP default values.

Step 2c: You can determine which roles are affected by changes to authorization data. The corresponding authorization profiles need to be edited and regenerated. The affected roles are assigned the status "profile comparison required". Alternatively you can dispense with editing the roles and manually assign the users the profile SAP_NEW (make sure the profile SAP_NEW only contains the sub-profiles corresponding to your release upgrade; this profile contains authorizations for all new checks in existing transactions). The roles are assigned the status "profile comparison required" and can be modified at the next required change (for example, when the role menu is changed). This procedure is useful if a large number of roles are used, as it allows you to modify each role as you have time.

Step 2d: Transactions in the R/3 System are occasionally replaced by one or more other transactions. This step creates a list of all roles that contain transactions replaced by one or more other transactions. The list includes the old and new transaction codes. You can replace the transactions in the roles as needed. Double-click the list to go to the role.

Step 3: This step transports the changes made in steps 1, 2a and 2b.

Tailoring the authorization checks: this area is used to make changes to the authorization checks.

Step 4: Changes to the check indicators are made in step 4. You can also go to step 4 by calling transaction SU24. You can then change an authorization check within a transaction.
- When a profile is generated to grant the user authorization to execute a transaction, the authorizations are only added by the Profile Generator when the check indicator is set to Check/Maintain.
- If the check indicator is set to "do not check", the system does not check the authorization object of the relevant transaction.
- You can also edit authorization templates that can be added to the authorizations for a role in the Profile Generator. These are used to combine general authorizations that many users need. SAP delivers a number of templates that you can add directly to the role, or copy and then create your own templates, which you can also add to roles.

Step 5: You can deactivate authorization objects system-wide.

Step 6: You can create roles from authorization profiles that you generated manually. You then need to tailor and check these roles.

USER MASTER RECORD:

The concept of user master records: user master records define the user accounts that enable access to the SAP system. The user master record is mainly used for user administration and authorization management (role administration). Normally the user master record contains the user ID as well as a wealth of other information which SAP system administrators can use to manage users effectively. For example, the user master record contains information which validates a user's logon session. The user master record stores important information such as the user's access rights to SAP, the user's password, the authorization profiles and so on. User master records can be accessed using transaction SU01. In SU01, users can be displayed by user ID or, if one does not know the user ID, by using the list of all possible entries.

You need authorizations to create or maintain user master records:

- Authorization to create and/or maintain user master records and to assign a user group (authorization object S_USER_GRP).
- Authorization for the authorization profiles you want to assign to users (authorization object S_USER_PRO).
- Authorization to create and maintain authorizations (object S_USER_AUTH).
- Authorization to protect roles. You can use this authorization object to determine which roles may be processed and which activities (create, display, change and so on) are available for the role(s) (object S_USER_AGR).
- Authorization for transactions that you may assign to the role and for which you can assign authorization at the start of the transaction in the Profile Generator (object S_USER_TCD).
- Authorization to restrict the values which a system administrator can insert or change in a role in the Profile Generator (object S_USER_VAL).

    CENTRAL USER ADMINISTRATION:

    http://3.bp.blogspot.com/-vnSRIqti4Fw/T18-oP-SVuI/AAAAAAAAAL8/MG4_RvznhVA/s1600/cua1.png

SYSTEM SETUP

1. Setting up the ALE user for all clients
2. Creating logical systems
3. Assigning logical systems to clients
4. Defining target systems for RFC calls
5. Creating the distribution model in the central system
6. Generating partner profiles in the central system
7. Distributing model views
8. Generating partner profiles in the client system
9. Assigning the Central User Administration distribution model
10. User distribution field selection
11. Testing Central User Administration
12. Migrating existing users to the central system (SCUG)
13. Testing migrated data in the central system
14. Log display for Central User Administration

Advantages of Central User Administration:
o Maintain user master records centrally in one system
o Make the administrative job easy
o Less possibility of user data inconsistency
o Time saving

MASS USER ADMINISTRATION (SU10):

Transaction SU10 is used to perform mass user administration activities like creation, modification, lock/unlock and assigning roles. The disadvantage of SU10 is that we cannot maintain individual address data for each user and also cannot assign different values to different users.

    http://3.bp.blogspot.com/-myg9SXOrcUw/T18_55VnYnI/AAAAAAAAAME/xcNXL02fVGI/s1600/djgdjg.png

    Mass user locking:


CREATION OF CUSTOMIZED AUTH. OBJECTS (SU21):

When you enter transaction SU21 you will see the following screen:

    http://1.bp.blogspot.com/-5zrBQtd-CLU/T2cU0B3w3OI/AAAAAAAAAMU/5GeGIn1AcjA/s1600/auth1.png

Click on the Create button and select "Authorization object".

Then provide your customized authorization object class name and text and click on the Save button. When you click on Save it will ask for a package name; provide the package name and save it.

http://2.bp.blogspot.com/-cx62ngyhAVw/T2cVH6X_R3I/AAAAAAAAAMc/kaWH2Wd5U-M/s1600/auth2.png
http://2.bp.blogspot.com/-8dcOF9vc6DQ/T2cXAiBnpHI/AAAAAAAAAMs/BouH_Fyf8TM/s1600/nikki.png

Under this authorization object we can also maintain our own authorization fields.

http://3.bp.blogspot.com/-My4Urd3k9Cg/T2cXf1jR_vI/AAAAAAAAAM0/vTsZ37jaeQA/s1600/auth4.png
http://4.bp.blogspot.com/-rFRKMOv5KmQ/T2cWV_zLaJI/AAAAAAAAAMk/aZLzXKM_ia8/s1600/auth3.png

MAINTAINING AUTH. OBJECTS AS CHECK INDICATORS (SU24):

http://2.bp.blogspot.com/-wdRh4xuTQSc/T2cfrv0wbUI/AAAAAAAAANc/o5vtCXlW_Cs/s1600/6.png
http://4.bp.blogspot.com/-Pymoz1zOH68/T2cfCTl2dhI/AAAAAAAAANU/yNeD39T9IiY/s1600/5.png

http://2.bp.blogspot.com/-xPExIYRJA6g/T2cgGksxiqI/AAAAAAAAANs/JP0ruj93Udk/s1600/8+.jpg
http://3.bp.blogspot.com/-SPWazC5TIn0/T2cf2cW-s-I/AAAAAAAAANk/Re-zq4kUlU0/s1600/7.png

http://4.bp.blogspot.com/-9tpV_cmm9r4/T2cheJEZIEI/AAAAAAAAAOM/M5txTiy0IKY/s1600/10.png
http://2.bp.blogspot.com/-c8UeEIBLrx0/T2cgwj5SaVI/AAAAAAAAAN0/xp8-4a0SmIc/s1600/9.png

SAP SECURITY PROFILE GENERATOR: The objective today is to provide a brief overview of SAP Security and to discuss the best practice of PFCG.

In SAP, a user ID is assigned one or more security roles based on his/her job role. SAP's documentation calls it a Role, but I prefer the term Security Role to differentiate it from Job Role. For those who are using a pre-Profile Generator SAP system, an ID is assigned one or more profiles. Is there anyone here who is still on 3.0? I feel your pain in creating a profile. However, I find that those who have experience with the manual method tend to have a better understanding of how SAP Security works.

http://3.bp.blogspot.com/-5xHSvvPv0eM/T3MF8-Xph_I/AAAAAAAAAP0/fic-_YTER40/s1600/ppt3.png
http://4.bp.blogspot.com/-y-Gj0zOobqA/T2chRd2V8YI/AAAAAAAAAOE/WDD19x3ow78/s1600/11.png

With the advent of the Profile Generator, a security role may have one or more profiles and each profile may contain up to 150 authorizations.

http://1.bp.blogspot.com/-YQp-_9auVLQ/T3MHs3R6Z8I/AAAAAAAAAQE/OFJixGyBKao/s1600/ppt5.png
http://4.bp.blogspot.com/-Ykww65qleIg/T3MGysL4f7I/AAAAAAAAAP8/gUgLbskuPY8/s1600/ppt4.png

If you create a role that has 450 authorizations, then the Profile Generator will create 3 profiles.

You might wonder what the difference is between an Authorization Object and an Authorization. An authorization object has one or more fields and is the foundation of all SAP Security program checks. When you add a value or combination of values to the fields, it becomes an authorization. One authorization object can be used to create one or more authorizations. For example, S_TCODE has only one field and therefore you can only create one standard authorization per security role.

However, S_USER_GRP has two fields. Therefore you may create multiple authorizations using different combinations to satisfy your business requirement.

http://1.bp.blogspot.com/-Bewzio5lcss/T3MJbgrbMVI/AAAAAAAAAQU/Gw-eN19rFJk/s1600/ppt7.png
http://3.bp.blogspot.com/-fI67gMro6cU/T3MI8bi10CI/AAAAAAAAAQM/TJl2EdbOL20/s1600/ppt6.png

Let's say that you are creating a security helpdesk role that has the ability to create, change and delete only users from the Houston region, and display access to all users. The first authorization would contain object S_USER_GRP; the Activity field would have 01, 02, 06 and the User Group value would be Houston.

http://1.bp.blogspot.com/-ToavOIZmeno/T3MMd2acSOI/AAAAAAAAAQk/jroBkjw7Sl8/s1600/ppt9.png
http://1.bp.blogspot.com/-XhrYQt-br28/T3ML1huvc0I/AAAAAAAAAQc/3u5VqP60-0Q/s1600/ppt8.png

The second authorization, using the same object, would have 03 for Activity and * for Class. As a result you now have 2 authorizations.

Now that we have an understanding of how an ID is linked to a role and the role to profile and authorization, let's discuss the mechanics of SAP's AUTHORITY-CHECK. When a user logs in to SAP, his authorizations are loaded into the user buffer. When he executes SU01 to maintain a user, the program performs an authority check against the authorizations in the buffer to see if they contain the object S_TCODE. If yes, it then performs the next check against the field TCD for value SU01.

Then it checks the next authorization for object S_USER_GRP. Once the program has verified all the necessary authorizations, it allows you to perform the task.

http://2.bp.blogspot.com/-77P0M6MSPno/T3MNZMVnqqI/AAAAAAAAAQ0/l4--JEAEX9Y/s1600/ppt11.png
http://3.bp.blogspot.com/-bF6E_0BDUt4/T3MM9rVcwEI/AAAAAAAAAQs/r0k4UWWXPks/s1600/ppt10.png

SAP SECURITY TABLES:

Table        Description
AGR_1016     Role and Profile
AGR_1016B    Role and Profile
AGR_1250     Role and Authorization data
AGR_1251     Role Object, Authorization, Field and Value
AGR_1252     Organizational elements for authorizations
AGR_AGRS     Roles in Composite Roles
AGR_DEFINE   To See All Roles (Role definition)
AGR_HIER2    Menu structure information, customer version
AGR_HIERT    Role menu texts
AGR_OBJ      Assignment of Menu Nodes to Role
AGR_PROF     Profile name for role
AGR_TCDTXT   Assignment of roles to Tcodes
AGR_TCODES   Assignment of roles to Tcodes
AGR_TEXTS    File Structure for Hierarchical Menu, customer
AGR_TIME     Time Stamp for Role: Including profile
AGR_USERS    Assignment of roles to users
DD02L        SAP Tables
DD02T        R/3 DD: SAP table texts
DD03L        Table Fields
DD04T        Data element texts
TDDAT        Assignment of tables to authorization groups
TSTC         SAP Transaction Codes
TSTCA        Transaction Code, Object, Field and Value
TSTCT        Transaction Code Texts
USER_ADDR    Address Data for users
USGRP        User groups
USGRPT       Text table for USGRP
USH02        Change history for logon data
USOBT        Relation transaction to authorization object (SAP)
USOBT_C      Relation Transaction to Auth. Object (Customer)
USOBX        Check table for table USOBT
USOBX_C      Check Table for Table USOBT_C
USOBXFLAGS   Temporary table for storing USOBX/T* changes
USR01        User Master (runtime data)
USR02        User Data (logon data)
USR03        User address data
USR04        User master authorization (one row per user)
USR05        User Master Parameter ID
USR06        Additional Data per User
USR10        Authorisation profiles (i.e. &_SAP_ALL)
USR11        Text for authorisation profiles
USR12        Authorisation values
USR13        Short text for authorisation
USR40        Table for illegal passwords
UST04        User profiles (multiple rows per user)
UST10C       Composite profiles (i.e. profile has sub profile)

SAP SECURITY AUTHORIZATIONS:

The Authorization Concept: Introduction to Authorizations

Authorization objects enable complex checks of an authorization, which allows a user to carry out an action. An authorization object can group up to 10 authorization fields that are checked in an AND relationship.

For an authorization check to be successful, all field values of the authorization object must be maintained accordingly. The fields in an object should not be seen as input fields on a screen. Instead, fields should be regarded as system elements, such as infotypes, which are to be protected.

You can define as many system access authorizations as you wish for an object by creating a number of allowed values for the fields in an object. These value sets are called authorizations. The system checks these authorizations in an OR relationship.
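The AND-within-an-authorization, OR-across-authorizations rule is easiest to see on the security-helpdesk role from the Profile Generator section above (S_TCODE for SU01, plus S_USER_GRP with activities 01/02/06 for user group Houston and activity 03 for every group). The Python trace below is an added example, not SAP code and not from the original page: the user buffer is a constructed in-memory dict, and the user-group values are the ones the text gives. It records, for every authorization, which fields passed, so the refused cases show why partial matches in two different authorizations do not add up to a permission.

```python
"""Trace of the runtime authority check against the user buffer for the
security-helpdesk role described above: S_TCODE for SU01 plus two S_USER_GRP
authorizations (01/02/06 for user group HOUSTON, 03 for every group).  Added
example, not SAP code: the buffer is a constructed in-memory dict and the
user-group values are those given in the text."""

# Constructed user buffer loaded at logon: object -> list of authorizations,
# each authorization -> field -> allowed values ('*' matches anything).
HELPDESK_BUFFER = {
    "S_TCODE": [
        {"TCD": ["SU01"]},
    ],
    "S_USER_GRP": [
        {"ACTVT": ["01", "02", "06"], "CLASS": ["HOUSTON"]},  # maintain Houston only
        {"ACTVT": ["03"],             "CLASS": ["*"]},        # display everyone
    ],
}


def field_ok(allowed, wanted):
    """One field passes when the authorization lists the value or holds '*'."""
    return any(v == "*" or v == wanted for v in allowed)


def authority_check_trace(user_buffer, obj, **fields):
    """Evaluate each authorization for `obj` and record which fields passed.
    Fields inside one authorization are ANDed; the authorizations themselves
    are ORed, so the check succeeds as soon as one authorization satisfies
    every field.  Values never mix across authorizations."""
    trace = []
    for index, auth in enumerate(user_buffer.get(obj, [])):
        per_field = {f: field_ok(auth.get(f, []), v) for f, v in fields.items()}
        trace.append((index, per_field))
        if all(per_field.values()):
            return True, trace
    return False, trace


def maintain_user(user_buffer, activity, user_group):
    """The order SU01 checks in: transaction start first, then S_USER_GRP."""
    ok, _ = authority_check_trace(user_buffer, "S_TCODE", TCD="SU01")
    if not ok:
        return "SU01: no S_TCODE authorization"
    ok, trace = authority_check_trace(user_buffer, "S_USER_GRP",
                                      ACTVT=activity, CLASS=user_group)
    return "permitted" if ok else f"refused: {trace}"


if __name__ == "__main__":
    for activity, group in (("01", "HOUSTON"), ("03", "DALLAS"), ("01", "DALLAS")):
        print(activity, group, "->", maintain_user(HELPDESK_BUFFER, activity, group))
```

For creating a user in Dallas the trace reads: authorization 0 passes ACTVT but fails CLASS, authorization 1 passes CLASS but fails ACTVT. Both "01" and "*" are present somewhere in the buffer, yet no single authorization holds both, so the check fails, which is exactly the separation the two-authorization design of the helpdesk role relies on.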

Authorization:

Authorization means permission to perform a particular function in the SAP system. It is achieved by assigning authorization profiles to users.

Authorization Field:
1. It is an element which requires protection.
2. It is the least granular field against which the SAP system is protected.
3. These fields are associated with the data elements of the ABAP/4 dictionary.
4. Fields are defined in transaction SU20.
5. Data Element: the least granular element, which has a name and is defined by length and type.

Activity:
1. It defines the type of action which can be performed on an authorization field. Example: Create, Modify, Delete, Display, Approve, Save, Reverse, Print, etc.
2. Activities are defined in the table.

Authorization Object:
1. R/3 uses authorization objects to assign authorizations to users.
2. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK (G/L Account: Authorization for company codes) requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (e.g. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (e.g. Z_SCC20001).
3. The authorization object defines an activity that needs to be protected in the SAP system.
4. An authorization object groups together up to 10 authorization fields that are checked together in an authorization check.
5. Authorization objects are defined in transaction SU21 (most are built in).

Object Class:
1. Depending on the application area, groups of related authorization objects are grouped into an object class.
2. These are defined in transaction SU22.

Authorizations:
1. An authorization is used to define permitted values for the fields of an authorization object.
2. Authorizations are defined in SU20.

Authorization Profiles:
1. As a rule authorizations are not directly assigned to a user. Instead these authorizations are grouped in an authorization profile, which is then assigned to the user master record.
2. A group of not more than 150 authorizations is called an authorization profile.
3. Before release 4.6C, profiles were created manually in SU02. From 4.6C onwards, profiles are generated using the Profile Generator.

Composite Profile:
1. A group of authorization profiles (e.g. SAP_ALL, SAP_NEW).
2. These are used for administrative purposes; however, when a profile exceeds 150 authorizations, another profile is created and generated.

Role:
1. A role is a group of profiles, menus, transactions, reports, user assignments and personalization.
2. Roles are defined in transaction code PFCG.
3. Roles were called Activity Groups until 4.6C.

Types of Roles:
1. Single Role
   i. Parent Role or Role
   ii. Derived Role or Child Role
2. Composite Role

Figure: Role Types

SAP SECURITY CHECK INDICATORS (SU24):

Transaction SU24 maintains the USOBT_C and USOBX_C tables. These tables hold the relationships between a particular transaction and its authorization objects. It is possible to add or remove the checks performed in the transaction by changing the appropriate flag. The benefit of transaction SU24 is seen when transactions are added to or deleted from roles using the Profile Generator. When new transactions are added, the Profile Generator adds all authorization values maintained in SU24 for the transaction(s). When a transaction is deleted, the Profile Generator removes all authorization values that are maintained in SU24 for the transaction.

Activities performed:
- Check/Maintain authorization values
- Addition of an authorization object to a tcode
- Deletion of an authorization object from a tcode

Check Ind.   Proposal   Meaning            Explanation
Check        YS         Check/Maintained   The object will be inserted along with the values in the role. The object will be checked along with the values during runtime of the transaction.
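The following Python model ties this section to the SU25 description earlier: it performs the step 1 initial fill of USOBX_C/USOBT_C from the SAP defaults, the step 2b comparison that lists customer values differing from the defaults, and the Profile Generator's proposal logic, where only objects flagged Check/Maintain contribute their maintained values when a transaction is added to a role and lose them when it is removed. It is an added example, not SAP code and not from the original page. Assumptions: the tables are reduced to (tcode, object) keys, the indicator codes are CM, C, N and U, and the SU01/SE16 entries and the customer tailoring are constructed sample data.

```python
"""Model of SU24 check indicators and Profile Generator proposals, together
with SU25 step 1 (initial fill) and step 2b (compare with SAP defaults).
Added example with constructed sample data; not SAP code.  Assumptions:
USOBX/USOBX_C are reduced to (tcode, object) -> check indicator and
USOBT/USOBT_C to (tcode, object) -> {field: values}; the indicator codes
are CM (check/maintain), C (check, no proposal), N (do not check) and
U (unmaintained)."""

import copy

# Constructed SAP-delivered defaults (USOBX and USOBT).
USOBX = {
    ("SU01", "S_TCODE"):    "CM",
    ("SU01", "S_USER_GRP"): "CM",
    ("SU01", "S_USER_PRO"): "C",
    ("SE16", "S_TCODE"):    "CM",
    ("SE16", "S_TABU_DIS"): "C",
}
USOBT = {
    ("SU01", "S_TCODE"):    {"TCD": ["SU01"]},
    ("SU01", "S_USER_GRP"): {"ACTVT": ["01", "02", "03", "06"], "CLASS": [""]},
    ("SE16", "S_TCODE"):    {"TCD": ["SE16"]},
}


def initial_fill(usobx, usobt):
    """SU25 step 1: copy the SAP defaults into the customer tables."""
    return copy.deepcopy(usobx), copy.deepcopy(usobt)


def compare_with_defaults(usobx_c, usobt_c, usobx, usobt):
    """SU25 step 2b: list every (tcode, object) whose customer check indicator
    or field values differ from the (possibly new) SAP defaults, so the
    administrator can review them side by side."""
    differences = {}
    for key in sorted(set(usobx) | set(usobx_c)):
        customer = (usobx_c.get(key), usobt_c.get(key))
        sap = (usobx.get(key), usobt.get(key))
        if customer != sap:
            differences[key] = {"customer": customer, "sap": sap}
    return differences


def proposals_for(tcodes, usobx_c, usobt_c):
    """What the Profile Generator inserts into a role for its transactions:
    only objects flagged CM contribute their maintained field values.  C
    objects are checked at runtime but nothing is proposed; N and U objects
    add nothing.  Recomputing this from the role's current transaction list
    is what adds values when a tcode is added and drops them when it is
    removed."""
    proposals = {}
    for tcode in tcodes:
        for (tc, obj), indicator in usobx_c.items():
            if tc == tcode and indicator == "CM":
                proposals.setdefault(obj, []).append(
                    copy.deepcopy(usobt_c.get((tc, obj), {})))
    return proposals


if __name__ == "__main__":
    usobx_c, usobt_c = initial_fill(USOBX, USOBT)
    # Customer tailoring in SU24: switch off the S_TABU_DIS check for SE16 and
    # narrow SU01's S_USER_GRP proposal to display only.
    usobx_c[("SE16", "S_TABU_DIS")] = "N"
    usobt_c[("SU01", "S_USER_GRP")] = {"ACTVT": ["03"], "CLASS": ["*"]}
    print(compare_with_defaults(usobx_c, usobt_c, USOBX, USOBT))
    print(proposals_for(["SU01", "SE16"], usobx_c, usobt_c))   # both tcodes
    print(proposals_for(["SE16"], usobx_c, usobt_c))           # SU01 removed
```

The comparison output is what an upgrade review turns on: the two tailored entries are the only ones listed, and anyone re-running the initial fill would overwrite them with the defaults, which is why the text reserves step 1 for first use. Merging of several proposals for the same object (the real Profile Generator merges S_TCODE values into one authorization) is left out of this model.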


COMPOSITE ROLES IN SAP SECURITY:

Composite roles:
1. A composite role is a container with several different roles. For reasons of clarity, it does not make sense, and is therefore not allowed, to add composite roles to composite roles. Composite roles are also called roles.
2. It is used to simplify the administration.
3. Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
4. It only groups the roles, but menus can be compressed.
5. Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
6. The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.
7. Composite roles are identified by customer naming conventions only.
8. These are created in PFCG.
9. These were earlier called CAGs (Composite Activity Groups).
10. Example of a composite role: here the role named BASIS Role is defined as a composite role.

The menu tree of a composite role is, in the simplest case, a combination of the menus of the roles contained. When you create a new composite role, the initial menu tree is empty at first. You can set up the menu tree by choosing Read menu to add the menus of all roles included. This merging may lead to certain menu items being listed more than once. For example, a transaction or path contained in role 1 and role 2 would appear twice.

If the set of roles contained in a composite role changes, the menu tree is also affected. In such a case, you can completely rebuild the menu tree or process only the changes. If you choose the latter option, the Profile Generator removes all items from the menu which are not contained in any of the roles referenced.

It is possible (and often necessary) to change the menu of a composite role at any time. You adjust these menus in the same way as the menus for roles (see above).


    http://2.bp.blogspot.com/-vXlDOwrtPNE/T3w9hmDaUUI/AAAAAAAAABw/FPbsFslTu_A/s1600/comp4.png
  • 7/31/2019 R3 Security 2

    30/39

    http://3.bp.blogspot.com/-IzmaX7Z-rtk/T3w-tVTPm9I/AAAAAAAAACY/5iBNmUs9g44/s1600/comp7.pnghttp://1.bp.blogspot.com/-hLHWlDNozKo/T3w-nH3OuUI/AAAAAAAAACQ/3vpqkidUJI4/s1600/comp6.png
  • 7/31/2019 R3 Security 2

    31/39

    Specify the description. A composite role does not contain an Authorizations tab; it is nothing but a group of one or more roles, so if you need to change anything in a composite role, you do it only in the Menu tab. Specify the roles. Assign this composite role to the existing user. Click the Read menu button; when you click it, the authorizations are fetched from the single roles. Now log on with that specified user.

    TYPES OF ROLES IN SAP SECURITY:
    Role:
    1. A role is a group of profiles, menus, transactions, reports, user assignments and personalization.
    2. Roles are defined in transaction code PFCG.
    3. Roles were called Activity Groups until 4.6C.
    Types of Roles:
    1. Single Role
       i. Parent Role (or Role)
       ii. Derived Role (or Child Role)
    2. Composite Role
    3. Copy Role

    CREATING DERIVED ROLES IN SAP SECURITY:
    Derived roles:
    1. Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced, which you can simply call the parent role. A role can only inherit menus and functions if no transaction codes have been assigned to it before.
    2. These are used to handle security at organizational levels.
    3. These are created for administrative purposes, to minimize maintenance.
    4. Derived roles specify the division or unit for which the security is provided.
    5. Derived roles are inherited from a parent role (single role or generic role) and differ from it only by their organizational levels.
    6. Derived roles are also called child roles.
    7. The higher-level role passes on its authorizations to the derived role as default values, which can be changed afterwards. Organizational level definitions are not passed on; they must be created anew in the inheriting role. User assignments are not passed on either.


    8. Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.


    9. The menus passed on cannot be changed in the derived roles. Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles.
    10. You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.
    11. In derived roles, menus are fixed.
    12. These are created in PFCG.
    13. In versions earlier than 4.6C, derived roles were also called Derived Activity Groups (DAGs).


    EVALUATION OF AUTHORIZATIONS (SU53) IN SAP SECURITY:
    TROUBLESHOOTING USING SU53:
    Troubleshooting security issues is one of the daily tasks of any security administrator. The first method of investigating authorization failures is the ubiquitous SU53 transaction. It involves asking the affected user to run the step(s) that replicate the issue and, immediately on getting the error, to execute /nsu53 in the command window. The screenshots below show the sequence of actions. The user tries to create another user through SU01 and gets an authorization error.

    The user gets a pop-up window with the message that he doesn't have authorization to create a user.

    Many times clicking the help button can provide important information about the background of the error.


    To get the SU53 screen, we execute /nsu53 from the command window immediately after getting the error. The SU53 window shows the last authorization check that returned a non-zero value (an authorization failure) for the user.

    The biggest limitation of SU53 is the fact that it only shows the last authorization failure of a user. In a typical transaction, there can be an entire sequence of authorization checks, any of which might fail. To view the entire sequence of authorization checks, we use the authorization trace tool (transaction ST01).
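    The entries SU53 and ST01 display come from ordinary AUTHORITY-CHECK statements in ABAP. The report below is an added example (not from this page and not SAP's own SU01 code) that performs two checks of the kind SU01 makes before creating a user; the report name Z_SU53_DEMO and the default user group SUPER are constructed for the illustration.

```abap
*&---------------------------------------------------------------------*
*& Z_SU53_DEMO: hypothetical report name, added example, not SAP code.
*& Performs checks of the kind SU01 makes before creating a user.
*& A failed AUTHORITY-CHECK leaves SY-SUBRC <> 0; the kernel remembers
*& the last such failure, and that single entry is what SU53 displays.
*&---------------------------------------------------------------------*
REPORT z_su53_demo.

" User group the new user would be placed in (constructed default).
PARAMETERS p_group(12) TYPE c DEFAULT 'SUPER'.

DATA lv_failed TYPE i VALUE 0.

" Check 1: may the current user start transaction SU01 at all?
" Object S_TCODE, field TCD: the check the kernel makes on transaction start.
AUTHORITY-CHECK OBJECT 'S_TCODE'
  ID 'TCD' FIELD 'SU01'.
IF sy-subrc <> 0.
  lv_failed = lv_failed + 1.
  WRITE: / 'S_TCODE check for SU01 failed, SY-SUBRC =', sy-subrc.
ENDIF.

" Check 2: may the current user create (ACTVT 01) users in group p_group?
" Object S_USER_GRP, fields CLASS (user group) and ACTVT (activity).
AUTHORITY-CHECK OBJECT 'S_USER_GRP'
  ID 'CLASS' FIELD p_group
  ID 'ACTVT' FIELD '01'.
IF sy-subrc <> 0.
  lv_failed = lv_failed + 1.
  " SY-SUBRC 4: the user has the object, but not with these field values;
  " SY-SUBRC 12: the user holds no authorization for the object at all.
  WRITE: / 'S_USER_GRP check for group', p_group,
           'with ACTVT 01 failed, SY-SUBRC =', sy-subrc.
ENDIF.

IF lv_failed = 0.
  WRITE: / 'All checks passed.'.
ELSE.
  WRITE: / lv_failed, 'check(s) failed.'.
  " If both checks failed, SU53 shows only the S_USER_GRP entry (the last
  " one); ST01 with the authorization-check flag records the whole sequence.
  WRITE: / 'Run /nSU53 now for the last failure, ST01 for the sequence.'.
ENDIF.
```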

    SOME IMPORTANT TRANSACTION CODES IN SAP:

    User Administration:
    SU01 - User Maintenance
    SU01D - User Display
    SU02 - Maintain Authorization Profiles
    SU03 - Maintain Authorizations
    SU05 - Maintain Internet Users
    SU10 - User Mass Maintenance
    SMLG - Maintain Logon Group
    SUPC - Profiles for Activity Groups
    SUIM - Info System Authorizations
    PFCG - Profile Generator
    PFUD - User Master Data Reconciliation
    Client Administration:
    SCC3 - Checking Client Copy Log
    SCC4 - Client Administration
    SCC5 - Client Delete
    SCC7 - Client Import Post-Processing
    SCC8 - Client Export
    SCCL - Local Client Copy
    SCC9 - Remote Client Copy
    Database Administration:
    DB01 - Analyze Exclusive Lock Waits


    DB02 - Analyze Tables and Indexes
    DB12 - DB Backup Monitor
    DB13 - DBA Planning Calendar
    DB15 - Data Archiving: Database Tables
    Transport Management System:
    STMS - Transport Management System
    SE01 - Transport and Correction System
    SE06 - Set Up Workbench Organizer
    SE07 - CTS Status Display
    SE09 - Workbench Organizer
    SE10 - Customizing Organizer
    SE11 - ABAP/4 Dictionary Maintenance
    SE16 - Data Browser
    SE80 - Repository Browser
    SM30 - Call View Maintenance
    SM31 - Table Maintenance
    Background Jobs Administration:
    SM36 - Define Background Job
    SM37 - Background Job Overview
    SM39 - Job Analysis
    SM49 - Execute External OS Commands
    SM62 - Maintain Events
    SM64 - Release of an Event
    SM65 - Background Processing Analysis Tool
    SM69 - Maintain External OS Commands
    Spool Administration:
    SP01 - Output Controller
    SP11 - TemSe Directory
    SP12 - TemSe Administration
    SPAD - Spool Administration
    Other Administration Tcodes:
    AL11 - Display SAP Directories
    BD54 - Maintain Logical Systems
    OSS1 - Logon to Online Service System
    SALE - IMG Application Link Enabling
    SARA - Archive Management
    SICK - Installation Check
    SM14 - Update Program Administration
    SM35 - Batch Input Monitoring
    SM56 - Number Range Buffer
    SM58 - Asynchronous RFC Error Log
    SM59 - RFC Destinations (Display/Maintain)
    SAINT - SAP Add-on Installation Tool
    SPAM - SAP Patch Manager (SPAM)
    SPAU - Display Modified DE Objects
    SPDD - Display Modified DDIC Objects
    ST11 - Display Developer Traces
    Daily Monitoring Tcodes:
    AL08 - Current Active Users
    SM12 - Display and Delete Locks
    SM13 - Display Update Records
    SM21 - System Log
    SM50 - Work Process Overview
    SM51 - List of SAP Servers
    SM66 - System Wide Work Process Overview


    ST22 - ABAP/4 Runtime Error Analysis
    ST01 - System Trace
    ST02 - Setups/Tune Buffers
    ST03 - Performance, SAP Statistics, Workload
    ST04 - Select DB Activities
    ST05 - Performance Trace
    ST06 - Operating System Monitor
    ST10 - Table Call Statistics
    SU56 - Analyze User Buffer
    Other Monitoring Tcodes:
    OS01 - LAN Check with Ping
    RZ01 - Job Scheduling Monitor
    RZ03 - Presentation, Control SAP Instances
    ST07 - Application Monitor
    STAT - Local Transaction Statistics
    Other Useful Transaction Codes:
    AL22 - Dependent Objects Display
    BAOV - Add-On Version Information
    SA38 - ABAP Reporting
    SE38 - ABAP Editor
    HIER - Internal Application Component Hierarchy Maintenance
    ICON - Display Icons
    WEDI - IDoc and EDI Basis
    WE02 - IDoc Display
    WE07 - IDoc Statistics
    WE20 - Partner Profiles
    WE21 - Port Definition
    WE46 - IDoc Administration
    WE47 - Status Maintenance
    $TAB - Refreshes the Table Buffers
    $SYNC - Refreshes All Buffers, Except the Program Buffer