Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
1. Authorization fields
Authorization fields identify the elements of the system that need to be protected.
These fields are associated with the data elements of the ABAP/4 Dictionary. For
example if you consider Sales order creation as an activity for which authorization is
required, the fields associated with this activity are :
VKORG – Sales Organization
VTWEG – Distribution Channel
SPART – Division
These fields form the part of the standard ABAP/4 function call AUTHORITY-
CHECK.
2. Authorization object
Authorization object identifies an activity that needs to be protected in the SAP
system. For example Creation of a Sales Order is an activity. An object is made up of
authorization fields. A user can perform an activity only if they satisfy the
authorization check for each field in the authorization object.
Eg. V_VBAK_VKO is an object for Sales Area comprising of the following fields:
VKORG – Sales Organization
VTWEG – Distribution Channel
SPART – Division
ACTVT – Activity
Authorization objects are grouped into Object class depending up on the application
area.
3. Authorization
Authorization is used to define permitted values for the fields of an authorization
object. For example you want to define an authorization for displaying a sales order
for a Sales organization 3000, Distribution Channed 01 and Division 02, the
values that will be assigned to fields of the object V_VBAK_VKO are:
VKORG – 3000
VTWEG – 01
SPART – 02
ACTVT – 03 (Display)
4. Authorization profiles
As a rule authorizations are not directly assigned to a user. Instead these authorization
are clubbed in an authorization profile and are then assigned to the user master
records.
What is the Profile Generator?
The process of security implementation with the new PG is based on the creation
of activity groups or a collection of linked or associated activities, such as tasks, reports,
and transactions. An activity group is a data container for the PG to generate
authorization profiles and usually represents a job role in your company.
For example, to implement security for a buyer:
1. Create an activity group, Buyer
2. Include all of the business transactions Buyer can access
3. Generate the appropriate authorization profile for Buyer
4. Assign Buyer to a new user or a position in your system
5. Update the user master record for the user
The new user now has all the necessary access rights needed to work as a buyer in your
company.
Activity groups are user-defined and allow you to systematically organize and efficiently
maintain system activities. The SAP Session Manager, SAP Business Workflow, and
Personnel Planning and Development require activity information. Using an activity
group as an information database reduces data entry time. Select the criteria, such as
access rights, and divide the activities into appropriate groups. For example, you could
decide to group activities by subject matter, such as personnel, payroll, or budgeting. Or,
you could group activities by job classes, such as translation activities, computer
programmer activities, or secretarial activities. You could also set up a combination of
subject matter and job-oriented activity groups. Activity groups are created and
maintained in the activity group maintenance transaction, PFCG. After setting up activity
groups, you may assign them to various R/3 objects.
• R/3 Users
An R/3 user is an individual who is recognized by the R/3 System and is allowed to
logon. For the system to recognize users, their names must be entered in the user
master record of the Basis component.
• Jobs
A job represents a general classification of work duties, such as secretary, computer
programmer, instructor, etc. Many employees in your company may hold the same
job classification. (For example, there might be 20 people whose job is secretary.)
Positions are usually based on jobs. Anyone who holds a job automatically inherits
the infotype settings, attributes, and properties of the job. Unless the activity groups
grants general access rights such as the rights needed to work with SAPoffice, be
careful when assigning activity groups to jobs.
• Positions
A position represents a unique, individual employee assignment within a company
(for example, marketing secretary, sales manager, etc.) Positions should not be
confused with jobs. You can handle authorization management in an almost
completely position-oriented fashion. All the access rights are then linked to the
position, so it does not matter who fills this position. Once a user changes positions
after the user master record is updated, the authorization profile automatically
changes.
• Organizational units
Organizational units represent any organizational entity that performs a specified set
of functions within a company. For example, organizational units represent
subsidiaries, divisions, departments, groups, special project teams, etc. Identify the
organizational structure at your firm by creating organizational units and identifying
the relationships among the units. Anyone who is assigned to an organizational unit
automatically inherits the infotype settings, attributes, and properties of this
organizational unit.
Steps for Implementing Profile Generator
Note : SU25 while configuring first time on the m/c we got a information saying that
“PROFGEN_INFO_TEXT does not exists “
this may be because of the first time .
Enter transaction SPRO => F5 => Basis components => System Admin => Users and
Authorizations => Maintain Authorizations and Profiles using profile generator =>
Generate company menu => Execute. Alternatively use transaction SSM1.
10. Make sure that English is present in the choose languages section
11. Click execute for 1. SAP standard menu generation. Click enter at information box.
Takes few minutes and completes successfully.
12. Click execute next to 2a. Company menu generation. Click enter at information box.
Takes few minutes and completes successfully.
13. Click Activate next to 2c. Activate company menu. Click yes at confirmation for
activating the company menu.
14. Create an activity group using transaction PFCG to test the setup of profile generator.
• Through Company Menu : Here if a user wants to execute a menu function, the
authorization for this can be added by using the Menu option of transaction PFCG.
1. Schedule Everything
Make security an integral part of the R/3 project plan by:
· Scheduling time to interview each application area
· Identifying requirements
· Documenting roles
· Constructing the authorization profile
· Testing
· Fixing discrepancies
· Implementing the system
Schedule time for post-upgrade activities, such as assessing security differences and upgrade
profiles. R/3 security used to be one of the most underestimated tasks and was frequently
addressed as a post-live activity. Most users started out with the SAP_ALL profile, making
further authorization restrictions a good idea.
2. Plan Ahead
Consider the following questions:
What is your organization’s security philosophy? What level of security does your data require?
How much risk are you willing to assume in each application area?
The less risk your company assumes, the greater the resources needed to successfully implement
R/3 security. These guidelines need to be established before the security implementation.
End-user training documents can be a part of this process. All necessary authorizations should be
based on activity selection and the appropriate activity groups. Authorization profiles should be
based on the supplied roles. The activity group, therefore, represents the corresponding job role as
specifically as possible. Nevertheless, activities, such as printing rights, will need to be in a
separate activity group so that a user can have more than one assigned activity group at a time.
Two different approaches for documenting the job role matrix are:
9. Test
With the help of application area representatives, perform security unit testing for each created
test user. The job role matrix can be used as the foundation for this test plan. Each role should be
thoroughly tested before your go-live date. Be careful when testing roles in end-user training,
because if a user’s authorizations are missing, your entire training schedule may be delayed.
The following are some of the most important issues that should be noted for creating a
successful security system in SAP
• No default access will be given; users will have access only to the specific functions within
the SAP application that they have a business or system reason to perform.
• The Authorization concept in SAP is implemented by creating profiles and assigning them to
the users.
• Profiles contain the system access paths for users depending on their responsibilities.
• Profiles will be created using the Automatic Profile Generator, Manually, Using Templates or
by creating Simple and Composite profiles. Profiles (simple profiles) with authorizations
performing specific business functions will be created to reflect a particular job function.
• In case of Simple Profiles, these (simple) profiles will be combined to create composite
profiles, which will reflect job responsibilities performed by personnel.
• Sensitive system functions will be defined, and access will be controlled by the "owner" of
the system function. These functions include, but are not limited to, the authorization granted
by the authorization object S_ADMI_FCD, Archiving, Corrections & Transport, IMG, and
the SAP Data Dictionary.
• Various security reporting and auditing tools will continually be refined and improved.
• If you are using the Profile Generator, you should divide the system administration tasks as
shown in the graphic below to ensure greater system security.
You should also decide whether user, activity groups, authorization profile, and authorization
maintenance should be centralized or decentralized. We recommend centralizing maintenance
until your go-live date and first roll-out. Centralized administrators have a better understanding of
what is involved in a roll-out, and centralizing the administrative tasks establishes naming
standards. By the first roll-out, all administrative functions should be documented and can then be
decentralized.
Conversely, when the administrative functions are decentralized up-front, administrators use
different naming standards for their activity groups, authorization profiles, and authorizations,
and different approaches to implementing security. If each administrator creates his or her own
standards, everything will have to be renamed once the authorization implementation is
standardized.
The super-user sets up user master records, profiles, and authorizations for administrators in a
department, a cost center, and other organizational units. Within an area, administrative tasks are
divided between the user administrator, the authorization data administrator, and the authorization
profile administrator.
• User Administrator
Without the appropriate authorization to generate the profile, the authorization data administrator
saves the profile and accept the default profile name T, or a name that follows your naming
convention.
Finally, the user administrator assigns the activity group to a user or a PD object such as a
position and updates the user master record. The authorization profile is then added to the user
master record.
Appendix – C
User Administration
Policies
• User maintenance
- The system administration department has to receive the User Modification Request Form,
with e-mail, signed by the user’s application department manager.
- All profiles that the user requires must be specifically listed on the request form. The form
must indicate whether the user is temporary or permanent.
- For temporary employees, an account expiration date must be included.
- The User Modification Request Form must be filled out and signed by the application
department manager.
- A copy of this form must be sent to HR department.
- The HR department manager must sign the request for deletion.
- This manager sends the signed copy back to the system administration department.
- All employee master record information, including internal post office, must be deleted.
Procedures
• User maintenance
The User Modification Request Form must be completed and mailed to the system
administration department.
The User Modification Request Form must be completed and sent to the system
administration department and to the HR department manager. The HR department
manager must sign the form and return the signed copy to the system administration
department.
Task Role
Maintaining super users System administrator
Maintaining naming conventions Application department manager/HR
department
Maintaining users Application department manager/System
administrator
Maintaining users leaving company Application department manager/System
administrator/HR
department
System Security
Policies
• IT Manager
The IT Manager, who is responsible for all aspects of system security, must review the
security strategy every two months.
• Super-users
For revision and security purposes, the super-user SAP* will not be used for system
maintenance. All maintenance has to be performed with newly defined super-users.
• System passwords
System passwords (DB user sapr3, O.S. user <SID>ADM, DDIC) must be changed every
four weeks. In case of an emergency, password access must be ensured.
• User passwords
To protect the system from unauthorized access, make users change their password every
four weeks. A minimum password length of six characters is required. After three
unsuccessful logon attempts the account will be locked.
• SAP connection
The connection to SAP is opened only for a service session. These connections are OSS,
Early Watch, and Remote Consulting. Connection to SAP can only be opened from the
customer site. Connections have to be monitored with an appropriate tool.
• SAProuter
SAProuter, a SAP supplied-tool for securing R/3 access, is necessary for connecting to
SAP systems.
• Remote connections
For external connections (Mobile end-users), fixed IP addresses are assigned. One
explicit entry per external connection is maintained in the permission list for SAProuter.
Procedures
• IT-Manager
Every two months, the IT-Manager and the system administrator will review system
security.
• Super-users
The SAP_ALL profile is removed from the user SAP*, and the SAP* user is locked. All
maintenance tasks are performed using accounts with the SAP_ALL profile.
• System passwords
The system administrator will change the system passwords every four weeks. The
system administrator must write down the current passwords and place them in a sealed
envelope, which must be stored in the data safe and be accessible in case of emergency.
Use report RSUSR003 to check if system passwords have been changed.
• User passwords
Users must change their passwords every four weeks by setting the appropriate
parameters in the DEFAULT profile. This step ensures that the settings are valid in the
entire system. The minimum number of characters for a password is six, and the intruder-
lockout count is set to three.
• SAP connection
A connection between SAP and the customer is established by starting SAProuter in the
customer network and starting, for example, SAPGui for an OSS connection.
• SAProuter
SAProuter is started and stopped once a day to ensure there is no open connections.
• Remote connections
For remote users, dedicated IP addresses are maintained. These addresses must also be
maintained in the saprouttab to make sure that unauthorized users do not log onto R/3.
To name an authorization profile, use profile names that do not begin with T.
Authorization profiles beginning with T may contain critical (S_USER*) authorization
objects. Also, use the PG to exclude further authorization objects (for example, HR data)
from the profile. To avoid conflicts between customer-defined profiles and those profiles
supplied by SAP, you should not use any name that has an underscore in the second
position. SAP places no other restrictions on the naming of authorization profiles
To develop the SAP application security, the SAP Security Team will work directly with
representatives from each of the departments. These representatives (security liaisons), appointed
by the Department Supervisors, will be responsible for assisting SAP HELP Desk, and for
disseminating information to the departments concerning security.
The SAP Security Team will be responsible for developing application security, creating and
processing access forms, and monitoring SAP application security. The users on all SAP clients
will be monitored on a regular basis to ensure that all users are approved and that access is
authorized.
Only the SAP Security Team and a backup person should have access to update user master
records and should have no access on SAP that would cause segregation of duties issues.