Authorization Example
2. Profile: Example
Object: Authorizations:
S_PROGRAM (ABAP):
Authorization System:
Field: belongs to an authorization object, can hold multiple values, and the same field can be shared across objects.
Initial Defaults
1. Initial Clients
3. Initial Security Parameters
Adding Users
1. Each user must have a master record.
2. Each user master record refers to one or more profiles that determine the access rights for the user. The master record holds:
• User ID
• Password
• User groups
• User type
• Period of validity
• References to authorization profiles
3. Master records can be deleted, but deletion breaks the audit trail. It is better to lock the user's master record instead: Menu Path: Tools - Administration - User Maintenance - User - Lock/Unlock.
4. User Group
Adding Profiles
Profiles and authorizations exist in two versions, a maintenance version and an active version. Changes are made to the maintenance version and take effect only when it is activated, so maintenance and activation are separate functions that can be assigned to different people.
1. System Profiles
2. Startup Profiles
Adding Authorizations
Authorization objects are used to check a user's authority to perform actions and access data in R/3. A user's action is approved only if the user passes the authorization test for every field listed in the object, i.e. a single authorization for that object must match all of its fields at once.
1. Authorization Objects
2. Objects
• Objects are defined in the system and contain one or more fields that are used to test user access.
• Authorizations are lists of all values (for each field of an object) for which a user is authorized; they are usually used to define tasks.
• Profiles allocate the tasks (authorization value sets) to logical functions. Profiles are assigned to a physical user (master record).
4. Basis System Authorization Objects
Object | Fields | Purpose
Table Maintenance | Authorization class, Activity | Authorize users to view and/or modify table contents
Batch Processing: Batch Administrator | Administrator | Give a user administrator authorization over background processing
Batch Processing: Batch User Name | Authorized user | Specify the user IDs that a user may name as the authorized user for running background jobs
Batch Processing: Operations on Batch Jobs | Operations, Job Group | Specify the operations that users may perform on background jobs (release, delete, etc.)
Batch Input Authorizations | Queue group name, Activity | Authorize a user to work with batch input sessions
Queue Management Authorizations | Queue group name, Activity | Management of queues for trouble-shooting or problem analysis
Authorization Check for SM04, SM50 | Administration | Authorize users to lock or unlock transactions and to manage user sessions other than their own
Authorization for Update Administration | Administration | Authorization to manage update records for other users
Enqueue: Displaying and Deleting Lock Entries | Activities | Authorize users to maintain lock entries of other users
Spool: Device Authorization | Output Device | Authorizes users to use particular printers
Spool Actions | Spool action value | Authorizes an administrator to perform specified actions on the spool system
Public Holiday and Calendar Access Privileges | Activity | Authorization to display and/or maintain calendars
Number Range Maintenance | Activity, Number range object | Authorize users to maintain number ranges
Change Documents | Activity | Authorization to display, maintain, and/or delete change documents
Tools Performance Monitor | Authorization name | Authorization to use sensitive functions of the performance monitor
Objects - Authorizations
• S_TOOLS_EX Access to view logon parameters
• S_NUMBER Number range authorization. ACTVT values:
  02 Change
  03 Display
  11 Change the last-used number in a number range interval
  13 Initialize the last-used number when transporting ranges between clients
  17 Maintain number range object (pre 3.0)
Processes
1. Batch: a number of transactions entered into the system as a batch. Batch input can run in the background, where no changes can be made, or in the foreground, where transactions containing errors can be corrected interactively.
• Restricting Access
• The Batch Input object restricts what a user may do with batch input sessions. Its activity values are:
• ANAL Analyze sessions: display session, log, and queue dump
• DELE Delete sessions
• LOCK Lock and unlock sessions
• FREE Release sessions
• ABTC Submit sessions for background execution
• AONL Run sessions in interactive mode
2. On-Line
In either case the user must have a user ID to run the job. Users can be authorized to run background jobs but not foreground jobs.
Before a background job can run it must be released; releasing jobs is usually restricted to "Batch Administrators".
• Restricting Access
• The Admin field of the Batch Admin object grants batch administration authority. If this field contains "Y", the user has access to all background jobs in the SAP system and can perform any operation on any job.
• The Activity field of the S_PROGRAM object determines which actions a user may perform on an ABAP program. The value BTCSUBMIT allows the user to schedule the program for background execution.
• The Auth user field of the Batch User Name object restricts which user IDs a user may name as the authorized user under which a job runs.
• The Operation field of the Operations on Batch Jobs object specifies the operations a user may perform on their own jobs; it is used to stop users deleting or releasing jobs.
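As an added example (this is not code from the original page): an ABAP/4 report that applies the batch checks above, in the order the text lists them, before it schedules a program in the background. It also illustrates the rule stated under Adding Authorizations, that an AUTHORITY-CHECK passes only when one authorization supplies every field named in it. The technical object and field names used here (S_BTCH_ADM/BTCADMIN for the Batch Admin object, S_PROGRAM/P_GROUP/P_ACTION, S_BTCH_NAM/BTCUNAME for the Batch User Name object, S_BTCH_JOB/JOBACTION/JOBGROUP for Operations on Batch Jobs) are the standard Basis names, which the page gives only by their descriptive titles; the report, program and group names are placeholders.

```abap
REPORT zsec_batch_submit.
* Added example, not from the original page. Report, program and group
* names are placeholders; object and field names are the standard ones.

PARAMETERS: p_prog LIKE trdir-name DEFAULT 'ZREPORT',   " placeholder
            p_grp  LIKE trdir-secu DEFAULT 'ZFIN',      " placeholder group
            p_user LIKE sy-uname   DEFAULT sy-uname.

DATA: gv_jobname  LIKE tbtcjob-jobname VALUE 'ZSEC_EXAMPLE',
      gv_jobcount LIKE tbtcjob-jobcount,
      gv_admin(1) TYPE c.

START-OF-SELECTION.
  PERFORM check_batch_rights USING p_prog p_grp p_user
                             CHANGING gv_admin.
  IF gv_admin = 'Y'.
    WRITE: / 'Batch administrator: job-level checks skipped'.
  ENDIF.
  PERFORM schedule_job USING p_prog p_user.

*---------------------------------------------------------------------*
* An AUTHORITY-CHECK succeeds (sy-subrc = 0) only if ONE authorization
* for the object matches EVERY field listed in the statement.
*---------------------------------------------------------------------*
FORM check_batch_rights USING    iv_prog  LIKE trdir-name
                                 iv_grp   LIKE trdir-secu
                                 iv_user  LIKE sy-uname
                        CHANGING cv_admin TYPE c.
  CLEAR cv_admin.

* 1. Batch Admin object, field BTCADMIN = 'Y': every job, every
*    operation, so the finer checks below are not needed.
  AUTHORITY-CHECK OBJECT 'S_BTCH_ADM'
           ID 'BTCADMIN' FIELD 'Y'.
  IF sy-subrc = 0.
    cv_admin = 'Y'.
    EXIT.                          " leave the subroutine
  ENDIF.

* 2. S_PROGRAM: the program must sit in an authorization group and the
*    user needs action BTCSUBMIT for that group. A standard system
*    assigns no group, so this check cannot pass until one is set.
  IF iv_grp IS INITIAL.
    MESSAGE e398(00) WITH iv_prog 'is not in an authorization group'.
  ENDIF.
  AUTHORITY-CHECK OBJECT 'S_PROGRAM'
           ID 'P_GROUP'  FIELD iv_grp
           ID 'P_ACTION' FIELD 'BTCSUBMIT'.
  IF sy-subrc <> 0.
    MESSAGE e398(00) WITH 'No BTCSUBMIT authority for group' iv_grp.
  ENDIF.

* 3. Batch User Name object: running the job under another user ID
*    is allowed only if that ID is among the caller's BTCUNAME values.
  IF iv_user <> sy-uname.
    AUTHORITY-CHECK OBJECT 'S_BTCH_NAM'
             ID 'BTCUNAME' FIELD iv_user.
    IF sy-subrc <> 0.
      MESSAGE e398(00) WITH 'Not authorized to run jobs as' iv_user.
    ENDIF.
  ENDIF.

* 4. Operations on Batch Jobs: releasing is an operation of its own.
*    DUMMY skips the JOBGROUP field; this job is not in a job group.
  AUTHORITY-CHECK OBJECT 'S_BTCH_JOB'
           ID 'JOBACTION' FIELD 'RELE'
           ID 'JOBGROUP'  DUMMY.
  IF sy-subrc <> 0.
    MESSAGE e398(00) WITH 'Not authorized to release background jobs'.
  ENDIF.
ENDFORM.

* Create the job, put the program into it and release it at once.
FORM schedule_job USING iv_prog LIKE trdir-name
                        iv_user LIKE sy-uname.
  CALL FUNCTION 'JOB_OPEN'
    EXPORTING
      jobname          = gv_jobname
    IMPORTING
      jobcount         = gv_jobcount
    EXCEPTIONS
      cant_create_job  = 1
      invalid_job_data = 2
      jobname_missing  = 3
      OTHERS           = 4.
  IF sy-subrc <> 0.
    MESSAGE e398(00) WITH 'JOB_OPEN failed, return code' sy-subrc.
  ENDIF.

* The scheduler runs its own S_PROGRAM / S_BTCH_NAM checks here too.
  SUBMIT (iv_prog) USER iv_user
         VIA JOB gv_jobname NUMBER gv_jobcount
         AND RETURN.

* STRTIMMED = 'X' releases the job immediately.
  CALL FUNCTION 'JOB_CLOSE'
    EXPORTING
      jobcount  = gv_jobcount
      jobname   = gv_jobname
      strtimmed = 'X'
    EXCEPTIONS
      OTHERS    = 1.
  IF sy-subrc <> 0.
    MESSAGE e398(00) WITH 'JOB_CLOSE failed, return code' sy-subrc.
  ENDIF.
  WRITE: / 'Job', gv_jobname, gv_jobcount, 'released for', iv_user.
ENDFORM.
```

Run it as a batch administrator and only the first check is evaluated; run it as an ordinary user whose S_PROGRAM authorization lacks BTCSUBMIT for the group and it refuses before JOB_OPEN is ever called. The scheduler performs its own checks at SUBMIT ... VIA JOB and JOB_CLOSE, so the explicit checks give an early, readable refusal rather than replacing the system's own enforcement.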
4. Services
• Dialog
• Update
• Enqueue
• Background
• Message Server
• CPI-C Gateway Server
• Spool
5. Work Processes
Transactions
SAP transactions allow different functions to be performed within R/3. Menu selections also generate transactions. To see which transaction is currently executing, select Menu Path: System - Status.
2. All transactions are listed in table TSTC. This table includes:
Transaction types:
Tables
SAP is characterized by the use of thousands of application and control tables. The setup of the control tables largely determines how a SAP installation functions.
The ABAP/4 Dictionary provides logical views of all data (control data, master data, and transaction data) stored in the SAP system.
Control tables can be displayed and maintained on-line: Menu Path: System - Services - Table Maintenance. To restrict access to tables, a number of table authorization classes are defined, and every standard table is assigned to one of them (the assignment is held in table TDDAT). The authorization object Table Maintenance, with its authorization class and activity fields, controls access to the tables in each class. Two levels of access exist: activity 02 (add, change, or delete) and 03 (display only).
1. TSTC Transactions
2. MAC Matchcodes
5. USRxx Profiles
10. TUSR05 Field defaults for each R/3 user and field
20. TACTZ Valid activity codes for each authorization object
22. TDDAT Defines the link between tables and their authorization classes
Logs
Errors and important events are logged in the system logs. These logs should be reviewed daily.
The servers in an SAP system record events and problems in a set of local and central system logs. These logs can be displayed and maintained on-line from Menu Path: Tools - Administration - Monitoring - System log.
A local log holds only messages issued by its own application server; each application server has one local log file.
Transactions SU93 and SU91 display changes made to a user's master record or to profiles.
Reports for Auditing Security
3. Human Resources: HR
Change Management
Security Administration
Users who are able to change user master records, profiles and/or authorization value sets need to be tightly controlled. The system provides a number of standard authorization objects for this purpose:

• User Master Maintenance: User Groups S_USER_GRP
Fields | Values
User group | Names of the user groups for which an administrator is authorized.

• Authorization Profile S_USER_PRO
Fields | Values
Profile name | The profile names for which an administrator is authorized.
Activity | 02: Edit; 03: Display; 06: Delete a profile; 08: Display change records; 22: Add profiles to user master record

• Authorizations Value Sets S_USER_AUT
Fields | Values
Object name | The names of the authorization objects for which an administrator is authorized.

• S_ADMI_FCD
ABAP/4 Dictionary
R/3 uses an external database (Oracle in most cases) to hold application data, but it maintains its own ABAP/4 Dictionary, which gives R/3 the means to control the environment:
• The format of a field must match its definition in the ABAP/4 Dictionary (character, numeric, date, etc.).
• The field's domain may hold a number of discrete values that are valid for the field.
• A table can be specified that contains all the values allowed for a particular field. If such a table is specified, there must be procedures for keeping its contents up to date.
• Restricting Access
• Access is controlled by the authorization object System Admin Functions. Only users with the value DDIC in the Admin Function field can change the ABAP/4 Dictionary or use the database table utility.
• It is not possible to restrict access to individual alterable tables any further.
• Changes are logged by the system and can be queried with the ABAP/4 Dictionary Information System: Menu Path: Development - ABAP/4 Dictionary - Info System.
• Dictionary changes should be reviewed daily.
ABAP/4 Programming
ABAP/4 is the fourth-generation interpreted language in which all R/3 applications are written. The Basis System itself is written in C.
1. Location
• On the application server
• Restricting Access
ABAPs that have been assigned to a program (authorization) group can only be run by users who are authorized for that group through object S_PROGRAM. This object also restricts the manner in which a user may run an ABAP: submit it on-line, submit it for background execution, edit it, or maintain its variants.
ABAP/4 Query
ABAP/4 Query is the report-writing tool that lets users generate reports quickly and easily without programming knowledge. It generates an ABAP program. Users cannot access through a query any information to which they would otherwise not have access.
• Restricting Access
• Queries must be assigned to a user group before they can be run.
• A user group contains the functional areas and the names of all people authorized to run its queries.
• Ensure that procedures are in place to update the user groups when job assignments change.
• Any user can run any query defined for a user group of which he or she is a member, regardless of who wrote the query.
• To create or maintain ABAP/4 Queries, a user must be a member of one or more user groups and have the value 02 (change) in the activity field of the ABAP/4 Query authorization object.
• To maintain the ABAP/4 Query user groups, a user needs the value 23 (Maintain Environment) in the activity field of the ABAP/4 Query authorization object. This should be restricted to administrators.
Operating Systems
1. Unix
2. NT
Dynpros
Dynpros are the input screens used when processing SAP transactions. They include details of the processing logic to be performed on the fields.
Number Ranges
SAP provides an "internal" and an "external" numbering mechanism.
Matchcodes
Matchcodes are secondary indexes that enable users to find specific records when the primary key is unknown.
Weaknesses
1. In the standard system, none of the ABAPs are assigned to authorization groups.
2. Do not use native SQL calls in ABAPs, as they bypass the Dictionary consistency checks; use Open SQL statements instead.
Note that neither native SQL nor Open SQL triggers any authorization check at run time. Authority is checked only where the program itself contains an AUTHORITY-CHECK statement, which tests the user's authorizations for the specified object and field values before the data is accessed.
6. Ad-hoc queries against the database (for example via SQL*Plus or ODBC) bypass the R/3 authorization system entirely.
• SQL*Plus
• ODBC
7. Oracle Tables
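As an added example (not code from the original page): a report that wraps an Open SQL read in the check the standard table maintenance dialog performs, which is the remedy for the weakness above and also illustrates the authorization classes and activities 02/03 described under Tables. It assumes the standard technical names for the page's "Table Maintenance" object, S_TABU_DIS with fields DICBERCLS and ACTVT, and the TDDAT column CCLASS that holds a table's authorization class; the report and form names are placeholders.

```abap
REPORT zsec_table_read.
* Added example, not from the original page. Wraps an Open SQL read in
* the Table Maintenance check (object S_TABU_DIS, fields DICBERCLS and
* ACTVT) that Open SQL itself never performs. Report and form names are
* placeholders; T000 is only a default table to run against.

PARAMETERS p_table LIKE tddat-tabname DEFAULT 'T000'.

DATA gv_count TYPE i.

START-OF-SELECTION.
* Without the first PERFORM, anyone who can start this report reads the
* table: that is the weakness the text describes.
  PERFORM check_table_access USING p_table '03'.   " 03 = display
  PERFORM read_table USING p_table CHANGING gv_count.
  WRITE: / 'Rows in', p_table, ':', gv_count.

*---------------------------------------------------------------------*
* Look up the table's authorization class in TDDAT (column CCLASS) and
* check S_TABU_DIS for that class plus the activity. A maintenance
* program would check activity 02 before any INSERT/UPDATE/DELETE.
*---------------------------------------------------------------------*
FORM check_table_access USING iv_table LIKE tddat-tabname
                              iv_actvt TYPE c.
  DATA lv_class LIKE tddat-cclass.

  SELECT SINGLE cclass FROM tddat INTO lv_class
         WHERE tabname = iv_table.
* A table with no class cannot be protected by this object at all, so
* refuse rather than fall through to an unprotected read.
  IF sy-subrc <> 0 OR lv_class IS INITIAL.
    MESSAGE e398(00) WITH 'Table' iv_table
                          'has no authorization class'.
  ENDIF.

* Passes only if one S_TABU_DIS authorization covers BOTH fields.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
           ID 'DICBERCLS' FIELD lv_class
           ID 'ACTVT'     FIELD iv_actvt.
  IF sy-subrc <> 0.
    MESSAGE e398(00) WITH 'No activity' iv_actvt
                          'for table class' lv_class.
  ENDIF.
ENDFORM.

* The read itself: plain Open SQL on a dynamic table name, which runs
* for any user. It relies entirely on the caller having checked first.
FORM read_table USING    iv_table LIKE tddat-tabname
                CHANGING cv_count TYPE i.
  SELECT COUNT( * ) FROM (iv_table) INTO cv_count.
ENDFORM.
```

The split into two subroutines is deliberate: read_table is exactly the kind of code the weakness warns about, and it stays safe only because every caller goes through check_table_access first. When reviewing custom ABAPs, look for SELECT statements on sensitive tables that are not preceded by such a check, and for tables whose TDDAT entry is missing or blank, since those cannot be protected by the Table Maintenance object at all.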
Standard Reports
RSAVGL00 Table comparison across clients
RSDECOMP Comparing tables across two systems
RSDELSAP Delete SAP* from client 066 (EarlyWatch client)
RSKEYS00 Table comparison: system versus sequential file
RSTABL00 As for RSKEYS00
RSSTAT92 Table changes for a selected month
RSSTAT95 Table access statistics
RSPARAM Display system parameter settings
RSUSER01 Test SAP_ALL
RSUSR000 List all active users
Financial
Authorization Objects
Master Data
- GL
- Customer
- Vendor
- Bank
Documents
Balance Sheets
Credit Control Data
Payment Runs
Dunning Runs
Example:
Fields Values