Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
CONFIDENTIAL
Day 7 : Agenda
09:00 AM - 11:00 AM User Master & Authorization Object AS ABAP 11:00 AM - 11:15 AM Break
22 April 2012
22 April 2012
22 April 2012
User Concept
Every SAP user requires a unique user ID to login into the system The user can login with the user ID only in the SAP application. The user does not gain access to the underlying database instance or the Operating system Users and Authorization Data are client-dependent Therefore every user in SAP will have a unique user master record In the system there is an authorization check every time any transaction is called or certain functions within the transaction are called
22 April 2012
22 April 2012
22 April 2012
You must maintain at least the following input fields when creating a user: Last name on the Address tab page, initial password and identical repetition of password on the Logon Data tab page.
22 April 2012
SU01 Tabs
Address Tab Logon Data Tab
Defaults Tab
Roles Tab
22 April 2012
22 April 2012
LOCK
UNLOCK
It is possible to reset the password in case the user has forgotten the password
PASSWORD RESET
22 April 2012
Authorization Concept
The authorizations for users are created using roles and profiles. Administrators create the roles, and the system supports them in creating the associated authorizations Authorizations in SAP are built on the concept of Authorization Objects
22 April 2012
22 April 2012
22 April 2012
22 April 2012
22 April 2012
BREAK
22 April 2012
22 April 2012
22 April 2012
22 April 2012
Usage of PFCG
Taking the example of the role TCS_PP_ALL , the next screens will indicate the structure of a role and the underlying authorization objects.
22 April 2012
Usage of PFCG
Authorizations are categorized on the basis of the SAP Functional areas. Take the example of Production Planning
22 April 2012
Usage of PFCG
Authorization Objects
22 April 2012
22 April 2012
After adding , you must perform a user comparison , so that the user master records are updated
22 April 2012
22 April 2012
SAP ROLE 1
Z_SD_COMP1
VA01 VA02 MM01
USER 2
SU53
SP01
SE11
AUTHORIZATION OBJECTS
Objects Fields Value
SAP ROLE 2
USER 3
Z_FI_COMP1
FBLN . F-05 .. . .
USERS WHO HAVE BEEN GRANTED THIS ROLE UNDERLYING AUTHORIZATION OBJECTS
22 April 2012
22 April 2012
22 April 2012
LUNCH BREAK
22 April 2012
22 April 2012
22 April 2012
NOTE : The user master record in SAP is in the database table : USR02
22 April 2012
22 April 2012
22 April 2012
22 April 2012
Using SUIM
22 April 2012
22 April 2012
22 April 2012
The SU53 report shows that the transaction SE11 has not been assigned to any of the roles that has been granted to the TEST USER. The solution would be explicitly add the authorization object , known as S_TCODE with value SE11 in any one of the roles assigned to TEST USER.
22 April 2012
22 April 2012
AS Java provides an open architecture supported by service providers for the storage of user and group data. The AS Java is supplied with the following service providers which are also referred to as a user store: DBMS provider: storage in the system database UDDI provider: storage via external service providers (Universal Description, Discovery and Integration) UME provider: Connection of the integrated User Management Engine The DBMS and UDDI providers implement standards and therefore ensure that AS Java is J2EE-compliant. When AS Java is installed, SAP's own User Management Engine (UME) is always set up as the user store and is the correct choice for most SAP customers. The UME is the only way to flexibly set up and operate user and authorization concepts.
22 April 2012
22 April 2012
UME Architecture
22 April 2012
22 April 2012
BREAK
22 April 2012
22 April 2012
22 April 2012
The figure on the right hand side shows how principles are assigned
22 April 2012
Assigning Roles
It is also possible to assign roles to users directly. The Principle group supports hierarchies of groups. A group may also possess superordinate and subordinate groups. Users actually possess the roles which are directly assigned to them are assigned to the groups to which they belong are assigned to the superordinate group of the groups to which they belong When performing a search in the UME Administration Console, you must check the Search Recursively field if you want to see indirectly assigned principles.
22 April 2012
The ABAP users are visible in AS Java and can log onto AS Java with their ABAP passwords. The ABAP roles are depicted in AS Java as UME groups of the same name. In AS Java, the assignment of ABAP users to ABAP (composite) roles appears as the assignment of UME users to UME groups.
22 April 2012
22 April 2012
22 April 2012
With both types of authorization check, the developer needs to define the authorizations query in the application. The developer decides which type of authorization check is to be used. This means in practice that whether J2EE security roles or UME roles are used depends on the application.
J2EE security roles are part of the J2EE standard. UME roles are an (SAP) extension of the J2EE security roles. You can define the same authorization checks with J2EE security roles and UME roles. However, it is easier and more precise to assign authorizations with UME roles. A J2EE security role comprises one object and UME roles many authorization objects (known as actions). This means that many J2EE security roles but perhaps only one UME role need to be assigned for the same authorizations. It is recommended that you always use UME roles, except in cases in which J2EE security roles are sufficient. Note: A role in the ABAP environment is roughly equivalent to a UME role. An authorization object in the ABAP environment can be compared to a security role.
22 April 2012
22 April 2012
1. 2. 3. 4. 5. 6. 7.
22 April 2012
22 April 2012
22 April 2012
You define the password for the administration user when installing an AS Java. After the installation, you can, of course, create other users with the same authorizations. However, the one and only administration user is special because this is not only used by the administrator in person but is also used for deployment via the SDM server
You need to activate an emergency user for the UME if the user management has been incorrectly configured and no one can log on to an application, or all administration users are locked. This emergency user is called SAP* and can log on to any application and to the configuration tools. The SAP* user has full administration authorizations and, for security reasons, does not have a default password. You set the password as part of emergency user activation.
22 April 2012
BREAKOUT SESSION
22 April 2012
Exercise
EXERCISE Special Note : Instructions for instructor Set Check/Maintain on all authorization objects for MM01 using SU24 Login into the system with the userid/password provided by your instructor Start transaction SU01 , and create a test user TESTGRP(x). Start transaction PFCG , and open the role TCS_FI_ALL Create a copy of this role with the name TCS_FI_ALL_Group(X) Open the role , and with the help of the instructor , insert the authorization object S_TCODE. For field value , enter MM01 Assign your test user to this role , and do user comparison Login with the new user and password , and run transaction MM01 Try and create a new material. Check for any authorization errors. Run SU53 immediately and analyze the report
22 April 2012
Q&A Session
22 April 2012