SAP Security Overview


Transcript SAP Security Overview

How to Properly Maintain Security using Profile Generator
Objective
• SAP Security Overview
• Profile Generator Best Practice
• Summary
SAP Security Overview
USER ID, e.g. TTSAN
User
Security Role 1
Security Role 2
Security Role 3
SAP Security Overview
Security Role, e.g. Security Administrator
Profile 1
Profile 2
Profile 3
SAP Security Overview
Profile (contains up to 150 authorizations)
Authorization 1
Authorization 2
Authorization 150
SAP Security Overview
Authorization Object 1, e.g. S_TCODE
Field (TCD)
Value (SU01)
SAP Security Overview
Authorization Object 2, e.g. S_USR_GRP
Field (ACTV)
Value (01, 02, 03, 06)
Field (CLASS)
Value (customer-defined)
SAP Security Overview
Authorization Object 2, e.g. S_USR_GRP
Field (ACTV)
Value (01, 02, 06)
Field (CLASS)
Value (HOUSTON)
SAP Security Overview
Authorization Object 2, e.g. S_USR_GRP
Field (ACTV)
Value (03)
Field (CLASS)
Value (*)
SAP Security Overview
Execute “SU01” – Change User
AUTHORITY-CHECK “Authorization1”
Object 1 = “S_TCODE”
TCD = “SU01”
SAP Security Overview
Execute “SU01” – Change User
AUTHORITY-CHECK “Authorization2”
Object 2 = “S_USR_GRP”
ACTV = “02”
CLASS = “HOUSTON”
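The two slides above show what the system actually evaluates when TTSAN executes SU01: an AUTHORITY-CHECK on S_TCODE (TCD = SU01) and one on S_USR_GRP (ACTV = 02, CLASS = HOUSTON). The following is an added example, not SAP code, that models the User → Role → Profile → Authorization hierarchy from the earlier slides and the semantics of such a check. The object and field names (S_TCODE/TCD, S_USR_GRP/ACTV/CLASS) and user TTSAN are taken from the slides; the wildcard handling and the user, role and profile data are constructed simplifications. The point it makes explicit: a check passes only if one single authorization for the object covers every field of the check. Values are never combined across authorizations, so the `ACTV 03 / CLASS *` authorization does not extend the `ACTV 02` right to other user groups.

```python
"""Toy model of the SAP authorization hierarchy from the slides (added
example, not SAP code): User -> Security Roles -> Profiles -> Authorizations,
where each authorization is one instance of an authorization object with
field values. An AUTHORITY-CHECK on an object passes only if ONE authorization
for that object satisfies EVERY field of the check; values are never combined
across authorizations. Object and field names follow the slides (S_TCODE/TCD,
S_USR_GRP/ACTV/CLASS); the wildcard handling is a simplification."""
from dataclasses import dataclass
from typing import Iterator


@dataclass
class Authorization:
    obj: str                            # authorization object, e.g. S_USR_GRP
    fields: dict[str, tuple[str, ...]]  # field -> allowed value patterns


@dataclass
class Profile:
    name: str
    authorizations: list[Authorization]  # slides: up to 150 per profile


@dataclass
class Role:
    name: str
    profiles: list[Profile]


@dataclass
class User:
    user_id: str
    roles: list[Role]

    def authorizations(self) -> Iterator[Authorization]:
        """Flatten User -> Roles -> Profiles -> Authorizations."""
        for role in self.roles:
            for profile in role.profiles:
                yield from profile.authorizations


def value_allowed(pattern: str, value: str) -> bool:
    """Simplified value matching: '*' matches anything, a trailing '*' is a
    prefix wildcard, anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(user: User, obj: str, **required: str) -> bool:
    """Model of AUTHORITY-CHECK OBJECT obj ID field FIELD value ...:
    true if a single authorization for obj covers every required field."""
    for auth in user.authorizations():
        if auth.obj != obj:
            continue
        if all(any(value_allowed(p, v) for p in auth.fields.get(f, ()))
               for f, v in required.items()):
            return True
    return False


def can_change_user(user: User, user_group: str) -> bool:
    """The two checks the slides show for SU01 'Change User': the transaction
    start check on S_TCODE and the activity check on S_USR_GRP (ACTV 02)."""
    return (authority_check(user, "S_TCODE", TCD="SU01")
            and authority_check(user, "S_USR_GRP", ACTV="02", CLASS=user_group))


# Constructed user TTSAN with the Security Administrator role from the slides.
SECURITY_ADMIN = Role("Security Administrator", [Profile("Profile 1", [
    Authorization("S_TCODE", {"TCD": ("SU01",)}),
    Authorization("S_USR_GRP", {"ACTV": ("01", "02", "06"), "CLASS": ("HOUSTON",)}),
    Authorization("S_USR_GRP", {"ACTV": ("03",), "CLASS": ("*",)}),
])])
TTSAN = User("TTSAN", [SECURITY_ADMIN])

if __name__ == "__main__":
    for group in ("HOUSTON", "DALLAS"):
        print(f"TTSAN change user in group {group}: {can_change_user(TTSAN, group)}")
    # Display (ACTV 03) is allowed for any group via the third authorization,
    # but ACTV 02 is not: CLASS '*' from one authorization is never combined
    # with ACTV 02 from another.
    print(authority_check(TTSAN, "S_USR_GRP", ACTV="03", CLASS="DALLAS"))
```

Running the block shows TTSAN can change users in HOUSTON but not in DALLAS, while display (ACTV 03) works for any group. This is exactly why the later slides insist on looking at which authorization carries a value before removing or adding it: the effect of a value depends on the other fields of the same authorization, not on the role as a whole.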
Profile Generator
Transaction
Profile Generator
Change authorization data
Profile Generator
Expert mode for profile generation
Profile Generator
Delete and recreate profile and authorizations
Profile Generator
Edit old status
Profile Generator
Read old status and merge with new data
SAP Security Overview
$BUKRS
Missing organizational level value
Profile Generator
Organizational Level
Profile Generator
Missing customer-defined value
Profile Generator
No open field
Profile Generator
Authorization Status
Profile Generator
Authorization Status
STANDARD – SAP standard value
MAINTAIN – customer-maintained value
CHANGED – SAP standard value maintained by the customer
MANUALLY – manually inserted value
Profile Generator
Removing Authorization Value
S_USR_GRP
01, 02, 03, 05, 06, 08, 24
Profile Generator
Removing Authorization Value
Status = Changed
Profile Generator
Common Security Issue
New Authorization
Profile Generator
Best Practice
Make a copy
Set the original to Inactive
Profile Generator
Best Practice
Make changes to copy
Profile Generator
Best Practice
Changed authorization without an inactive Standard
Profile Generator
Best Practice
Double-click to add a comment
Profile Generator
Does making changes to a copied authorization apply to every situation?
M_MATE_MAT
(01, 02)
Profile Generator
Where-Used Icon
Profile Generator
Where-used
MM01 = 01
Profile Generator
Adding Authorization Value
What if you want to add value 03?
Profile Generator
SU53 Errors
What if SU53 indicates that MM01 requires an Activity of 24?
Profile Generator
Static Value vs. Dynamic Value
Static value – a value that is required by a transaction no matter who executes it.
Dynamic value – a customer-defined value such as company code.
Profile Generator
Static Value
MM01 always requires an Activity of 01?
Profile Generator
Dynamic Value
Company Code value may vary from user to user depending on business restriction.
Profile Generator
Static Value vs. Dynamic Value
Static value – add to USOBT using transaction SU24.
Dynamic value – add directly to the authorization or to the org. data.
Profile Generator
Reorganize & Generate
Authorization counter = 1
Profile Generator
Reorganize & Generate
Reorganize
Profile Generator
Reorganize & Generate
Authorization counter = 0
USOBT – SU24 Overview
Profile Generator
Summary of Rules and Restrictions
1. NEVER modify S_TCODE unless the Role is built manually.
2. Modify a Standard delivered authorization:
a. Only modify when there is a request to REMOVE an authorization, and if and only if no other transaction is linked to that value. Otherwise, removing the transaction from the role removes the value.
Profile Generator
Summary of Rules and Restrictions
2. Modify a Standard delivered authorization (CONT’D):
b. Always make a copy of the authorization and make the changes to the copy.
c. Set the original authorization to Inactive.
d. Modify the copied authorization; its status becomes Changed.
e. Double-click on the description of the authorization to document the reason. The same applies to a manually inserted authorization.
Profile Generator
Summary of Rules and Restrictions
3. If a Changed authorization exists without an inactive Standard authorization, delete the Changed authorization.
4. SU53 checks that are bogus most of the time:
a. S_ADMI_FCD (SM02).
b. S_CTS_ADMI.
c. S_LAYO_ALV (023).
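The rules above are easy to state and easy to drift from in a large role set, so they are worth checking mechanically. The following is an added example, not SAP or PFCG code, that encodes rules 1, 2e, 3 and the SU53 triage of rule 4 as a hygiene check over a constructed export of a role's authorization list. The status names STANDARD, MAINTAINED, CHANGED and MANUAL correspond to the authorization status list from the earlier slide; the authorization names (T-000n), comments and the `RoleAuth` record layout are constructed for the example.

```python
"""Role hygiene check that encodes the 'Summary of Rules and Restrictions'
from the slides (added example, not SAP/PFCG code). It works on a constructed
export of a role's authorization list; the status names STANDARD, MAINTAINED,
CHANGED and MANUAL correspond to the slides' authorization status list."""
from dataclasses import dataclass


@dataclass
class RoleAuth:
    auth_id: str     # authorization name in the role, e.g. T-0003 (constructed)
    obj: str         # authorization object
    status: str      # STANDARD | MAINTAINED | CHANGED | MANUAL
    active: bool     # False = set to Inactive in the Profile Generator
    comment: str     # documentation entered via double-click on the description


def check_role(auths: list[RoleAuth], built_manually: bool = False) -> list[str]:
    """Return one finding per rule violation, in rule order."""
    findings = []
    # Rule 1: S_TCODE is never modified unless the role is built manually.
    if not built_manually:
        for a in auths:
            if a.obj == "S_TCODE" and a.status != "STANDARD":
                findings.append(f"{a.auth_id}: S_TCODE has status {a.status}; "
                                "never modify S_TCODE in a generated role (rule 1)")
    # Rules 2b/2c/3: a CHANGED authorization must sit beside an inactive
    # STANDARD authorization for the same object, otherwise delete it.
    inactive_standard = {a.obj for a in auths
                         if a.status == "STANDARD" and not a.active}
    for a in auths:
        if a.status == "CHANGED" and a.obj not in inactive_standard:
            findings.append(f"{a.auth_id}: CHANGED {a.obj} without an inactive "
                            "STANDARD original; delete it (rule 3)")
    # Rule 2e: changed and manually inserted authorizations must be documented.
    for a in auths:
        if a.status in ("CHANGED", "MANUAL") and not a.comment.strip():
            findings.append(f"{a.auth_id}: {a.status} {a.obj} has no comment "
                            "documenting the reason (rule 2e)")
    return findings


# Rule 4: SU53 entries the slides call bogus most of the time (object, value);
# None means any value of that object.
USUALLY_BOGUS_SU53 = {("S_ADMI_FCD", "SM02"), ("S_CTS_ADMI", None), ("S_LAYO_ALV", "023")}


def triage_su53(entries: list[tuple[str, str]]) -> tuple[list, list]:
    """Split SU53 'missing authorization' entries into (likely real, usually bogus)
    so the bogus ones are verified instead of granted reflexively."""
    real, bogus = [], []
    for obj, value in entries:
        if (obj, value) in USUALLY_BOGUS_SU53 or (obj, None) in USUALLY_BOGUS_SU53:
            bogus.append((obj, value))
        else:
            real.append((obj, value))
    return real, bogus


# Constructed role export exercising each rule.
SAMPLE_ROLE = [
    RoleAuth("T-0001", "S_TCODE", "STANDARD", True, ""),
    RoleAuth("T-0002", "S_USR_GRP", "STANDARD", False, ""),             # inactive original
    RoleAuth("T-0003", "S_USR_GRP", "CHANGED", True, "ACTV 05/08/24 removed, ticket 123 (constructed)"),
    RoleAuth("T-0004", "M_MATE_MAT", "CHANGED", True, ""),              # no inactive original, no comment
    RoleAuth("T-0005", "S_ADMI_FCD", "MANUAL", True, ""),               # undocumented manual insert
    RoleAuth("T-0006", "S_TCODE", "MANUAL", True, "added ZREPORT (constructed)"),
]

if __name__ == "__main__":
    for finding in check_role(SAMPLE_ROLE):
        print(finding)
    print(triage_su53([("S_ADMI_FCD", "SM02"), ("S_CTS_ADMI", "ANY"), ("M_MATE_MAT", "24")]))
```

On the sample role the check reports the manually modified S_TCODE entry, the Changed M_MATE_MAT authorization that has no inactive Standard original, and the two undocumented entries; the properly handled S_USR_GRP pair (inactive Standard plus documented Changed copy) produces no finding. The SU53 triage only sorts entries; whether an entry is actually needed still has to be confirmed with the where-used check the slides describe.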
Profile Generator
Question?
Profile Generator
Contact Information
Thomas Tsan
SAP Security Architect
TK Consultants, Inc.
Email: [email protected]
Phone: (281) 412-6800
Thank you for attending!
Please remember to complete and return your evaluation form following this session.
Session Code:
[801]