SAP Audit Information and Approach

Authorization Example
1. User Master Record
   User: Frank W. Lons
   Profile: Example
2. Profile: Example
   Object: S_Program
   Authorizations: ABAP
3. Authorization: ABAP
   Object: S_Program
   Fields           Values
   Program Group    *
   Activity         SUBMIT, VARIANT
Authorization System:
1. Profiles: One or more assigned to a user
2. Objects: Must be unique names with one or more fields
3. Fields: Contain values for authority checking
4. Authorizations: Can have the same names, as they are physically linked to an object
Field group for an object has multiple values and can be shared across objects
Initial Defaults
1. Initial Clients
   Client 000: Standard model
   Client 001: Model for user defined clients (template).
2. Initial User IDs
   SAP*: Default super user. A user master record is created during installation but it is not needed by SAP* to access the complete system. If the SAP* master record is deleted, the SAP* account has the following special privileges:
   - It is not subject to authorization checks and therefore has all authorizations
   - It has the password "PASS", which can not be changed without creating a new user master record.
   To prevent deletion, assign the SAP* user to a group called SUPER, and only a super user should be able to maintain user group SUPER.
3. Initial Security Parameters
   Parameters for user logon
   login/min_password_lng
      Minimum password length. The default is (3).
   login/password_expiration_time
      Number of days after which a password must be changed. The default is zero, which does not enforce password changes. Recommended value = 45.
   login/fails_to_session_end
      Number of times a user can enter an incorrect password before the system ends the login attempt. The default is (3).
   login/fails_to_user_lock
      Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. The default is (12). Recommend (3). When a password is locked in this manner, it is automatically unlocked by the system at the start of the next day (midnight).
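An added example (not part of the original document): a Python check that compares the logon parameters found in a profile with the defaults and recommended values listed above. The "name = value" profile layout with "#" comments and the sample profile text are assumptions constructed for illustration.

```python
"""Audit SAP logon parameters against the defaults/recommendations in this document."""

# Defaults and recommended values exactly as stated in the text above.
# recommended=None means the document gives no recommendation for that parameter.
BASELINE = {
    "login/min_password_lng":         {"default": 3,  "recommended": None},
    "login/password_expiration_time": {"default": 0,  "recommended": 45},
    "login/fails_to_session_end":     {"default": 3,  "recommended": None},
    "login/fails_to_user_lock":       {"default": 12, "recommended": 3},
}

# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile (sample)
login/min_password_lng = 6
login/password_expiration_time = 90
login/fails_to_session_end = 3   # explicit, same as the default
"""


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment; later lines override earlier ones."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def audit_logon_parameters(text):
    """Return one (parameter, effective_value, status, note) tuple per baseline parameter."""
    params = parse_profile(text)
    findings = []
    for name, rule in BASELINE.items():
        raw = params.get(name)
        explicit = raw is not None
        try:
            value = int(raw) if explicit else rule["default"]
        except ValueError:
            findings.append((name, raw, "ERROR", "value is not an integer"))
            continue
        source = "set in profile" if explicit else "not set, default applies"
        rec = rule["recommended"]
        if rec is None:
            status, note = "INFO", f"{source}; no recommended value given"
        elif name == "login/password_expiration_time" and value == 0:
            status, note = "FAIL", f"{source}; 0 does not enforce password changes"
        elif value > rec:
            status, note = "FAIL", f"{source}; weaker than recommended {rec}"
        else:
            status, note = "OK", f"{source}; meets recommended {rec}"
        findings.append((name, value, status, note))
    return findings


if __name__ == "__main__":
    for name, value, status, note in audit_logon_parameters(SAMPLE_PROFILE):
        print(f"{status:5} {name} = {value} ({note})")
```

A parameter that is missing from the profile is reported with its default, which is how the lockout threshold of 12 shows up as a finding even though nobody set it.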
Adding Users
1. Each user must have a master record.
2. Each user master record refers to one or more profiles that determine the access rights for the user.
3. Master record contains:
   - User ID
   - Password
   - User groups
   - User type
   - Period of validity
   - References to authorization profiles
   Master records can be deleted but it will affect the audit trail. Better to lock the user's master record. Menu Path: Tools - Administration - User Maintenance - User - Lock/Unlock.
4. User Group
   If a person is assigned to a user group, only the administrators who are authorized for that user group can alter user master records. If a user is not assigned to a group then any user administrator can alter the user master record.
Adding Profiles
Profiles and Authorizations exist in both maintenance and active versions. Allows for updates to maintenance before it is activated. Separation of maintenance and activation functions.
1. System Profiles
   SAP Standard and Super User Profiles
   S_A.SYSTEM      Unlimited access to all users, profiles, and authorizations
   S_A.ADMIN       Authorizations for SAP system administration. This includes all authorizations except for:
                   - Maintenance of users in user group SUPER
                   - Maintenance of profiles and authorizations with names beginning "S_A."
   S_A.CUSTOMIZ    Authorizations for use in the SAP Customizing system
   S_A.DEVELOP     Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)
   S_A.USER        Basis system authorizations for end-users (e.g., S_Program, S_BDC_MONI, etc.)
2. Startup Profiles
   Profile Name    Description
   S_ABAP_ALL      All ABAP/4 authorizations
   S_ADMI_ALL      All system administration functions
   S_BDC_ALL       All batch input activities
   S_BTCH_ALL      All batch processing authorizations
   S_DDIC_ALL      DDIC: All authorizations
   S_DDIC_SU       Data Dictionary: All authorizations
   S_NUMBER        Number range maintenance: All authorizations
   S_SCD0_ALL      Change documents: All authorizations
   S_SCRP_ALL      All SAPscript text, styles, layout sets maintenance
   S_SPOOL_ALL     All spool authorizations
   S_SYST_ALL      All system authorizations
   S_TABU_ALL      Standard table maintenance: All authorizations
   S_TSKH_ALL      All system administration authorizations
   S_USER_ALL      User maintenance: All authorizations
   SAP_ALL         Provides unlimited access to maintain all SAP R/3 system authorizations, with the following exceptions:
                   - Maintenance of users in user group SUPER
                   - Maintenance of profiles and authorizations with names beginning S_USER
   SAP_ANWEND      All SAP R/3 (excluding system) application authorizations
   SAP_NEW         Provides unlimited access to all authorizations added with new releases of SAP R/3.
   Z_ANWEND        All user authorizations (excluding BC system)
3. Profiles and their associated authorization value sets are stored in USRxx tables.
Adding Authorizations
Authorization objects are used to check a user's authority to perform actions and access data in R/3. A user's action is approved only if the user passes the authorization test for each field listed in an object.
1. Authorization Objects
   SAP contains a number of authorization objects that are used to restrict the ability of users to perform certain functions and access information. Authorization objects can contain up to ten authorization IDs representing such system elements as transactions, tables, fields, or programs.
   - A user is allowed access if their master record lists the object for which the authorization is being tested and the user passes the authorization test for each authorization ID.
   - An authorization value set is required for access: 02 = change
   - Authorization Profiles are used to grant the authorization value sets to a user. The user master record refers to profiles and the profiles, in turn, refer to value sets that determine the access capabilities of the user.
   - New authorization objects can be created by Menu Path: System - Services - Table Maintenance. Merely creating a new object does not initiate any authorization checking. Either ABAPs need to be modified to test the new objects, or additional authorization checks need to be defined.
     First assign an object class for the new object.
     Next use AUTHORITY-CHECK for ABAP/4 programs
     Or add additional authorization checks to the TSTC (transaction table). Menu Path: System - Services - Table Maintenance.
2. Objects
   Objects are defined in the system and contain one or more fields that are used to test user access.
3. Authorization Value Sets
   Are lists of all values (for each field) for which a user is authorized. Usually used to define tasks.
   Profiles allocate the tasks (authorization value set) to logical functions. These profiles are assigned to a physical user (master record).
4. Basis System Authorization Objects

Object: S_PROGRAM
Fields: Program group, Activity
Uses:   ABAP/4 programs that may be run.

Object: S_EDITOR
Fields: Program group, Activity
Uses:   ABAP/4 programs that may be displayed or edited

Object: ABAP/4 Query (S_QUERY)
Fields: Activity
Uses:   Whether a user can run queries and whether the user can maintain ABAP/4 Query user groups

Object: System Administration Functions
Fields: Administration Functions
Uses:   A variety of system functions such as:
        1. Whether a user may enter a value interactively to pass an authorization test that he does not have authorization for in his user master record
        2. Access to the ABAP/4 Dictionary
        3. Access to the interface painter
        4. System trace authority
        5. Ability to add or delete additional authorization tests in the TSTC table
        6. Execute host operating system commands

Object: Central Field Selection
Fields: Activity, Authorization group
Uses:   Which ABAP/4 programs a user can use to dynamically alter attributes of fields

Object: Table Maintenance
Fields: Authorization class, Activity
Uses:   Authorize users to view and/or modify table contents

Object: Batch Processing: Batch Administrator
Fields: Administrator
Uses:   Give user administrator authorization over background processing

Object: Batch Processing: Batch User Name
Fields: Authorized user
Uses:   Specify user IDs that a user may specify as the authorization for running background jobs

Object: Batch Processing: Operations on Batch Jobs
Fields: Operations, Job Group
Uses:   Specify the operations that users may perform on background jobs (Release, delete, etc.)

Object: Batch Input Authorizations
Fields: Queue group name, Activity
Uses:   Authorize a user to work with batch input sessions

Object: Queue Management Authorizations
Fields: Queue group name, Activity
Uses:   Management of queues for trouble-shooting or problem analysis

Object: Authorization Check for SM04, SM50
Fields: Administration
Uses:   To authorize users to lock or unlock transactions and to manage user sessions other than their own.

Object: Authorization for Update Administration
Fields: Administration
Uses:   Authorization to manage update records for other users

Object: Enqueue: Displaying and Deleting Lock Entries
Fields: Activities
Uses:   Authorize users to maintain lock entries of other users

Object: Spool: Device Authorization
Fields: Output Device
Uses:   Authorizes users to use particular printers

Object: Spool Actions
Fields: Spool action, Value
Uses:   Authorizes an administrator to perform specified actions on the spool system

Object: Public Holiday and Calendar Access Privileges
Fields: Activity
Uses:   Authorization to display and/or maintain calendars

Object: Number Range Maintenance
Fields: Activity, Number range object
Uses:   Authorize users to maintain number ranges

Object: Change Documents
Fields: Activity
Uses:   Authorization to display, maintain, and/or delete change documents

Object: Tools Performance Monitor
Fields: Authorization name
Uses:   Authorization to use sensitive functions of the performance monitor
Objects & Authorizations

S_TOOLS_EX     Access to view logon parameters

S_PROGRAM      ABAP program access
Fields         Values       Comments
P_GROUP        *            Program group
P_ACTION       SUBMIT       Execute program
               EDIT         Maintain program attributes and texts
               VARIANT      Start and maintain variants
               BTCSUBMIT    Submit programs for background execution

S_EDITOR       ABAP program access
Fields         Values       Comments
P_GROUP        *            Program group
EDIT_ACTION    SHOW         Display program source
               EDIT         Amend program source

S_BDC_MONI     Batch input session
Fields         Values       Comments
BDCGROUPID     *            Name of batch session for which a user is authorized (e.g. "FRANK")
BDCAKTI        ABTC         Submit sessions for execution
               AONL         Run sessions in interactive mode
               ANAL         Analyze sessions, log and queue
               FREE         Release sessions
               LOCK         Lock/unlock sessions
               DELE         Delete sessions

S_NUMBER       Number range authorization
Fields         Values       Comments
NROBJ          *            Number range object name for a vendor
ACTVT          02           Change
               03           Display
               11           Change the last-used number in a number range interval
               13           Initialize the last-used number when transporting ranges between clients
               17           Maintain number range object (pre 3.0)

S_SCDO         Change document authorization
Fields         Values       Comments
ACTVT          02           Maintain and display change documents
               06           Delete change documents
               08           Display change documents
               12           Maintain change document objects
Processes
1. Batch: Number of transactions entered into the system as a batch. Batch inputs can take place in the background where no changes can be made or in the foreground where transactions containing errors can be interactively corrected.
   Restricting Access
   The Batch Input object restricts user activities in different batch input sessions.
   ANAL    Analyze sessions. Display session, log, and queue dump
   DELE    Delete sessions
   LOCK    Lock and unlock sessions
   FREE    Release sessions
   ABTC    Submit sessions for background execution
   AONL    Run sessions in interactive modes
2. On-Line
3. Background: Program executes on a background processing server without interactive user input. To run it must be scheduled.
   This can be done two ways:
   - Menu Path: ABAP/4 - System Services - Reporting - Batch Request function
   - From background processing menu by selecting goto - Batch Request
   In either case the user must have a User ID to run the job. Users could be authorized to run background jobs but not foreground jobs.
   Before a background job can run, it must be released. The releasing of jobs is usually restricted to "Batch Administrators".
   Restricting Access
   - The field Admin in the Batch Admin object is used to give a user administration authorizations. If this field contains a "Y", the user has access to all background jobs in an SAP system and can perform any operation on any job.
   - The field Activity in the S_PROGRAM object determines activities users are able to perform on an ABAP. A value of BTCSUBMIT allows a user to schedule the ABAP/4 program for background execution.
   - The Auth user field of the Batch User Name object is used to restrict user-IDs specified as the authorized user for running a job.
   - The Operation field of the Operations on Batch Jobs object is used to specify the operations that a user can perform on their own jobs. This is used to restrict users from deleting or releasing jobs.
4. Services
   Can run on different servers.
   - Dialog
   - Update
   - Enqueue
   - Background
   - Message Server
   - CPI-C Gateway Server
   - Spool
5. Work Processes
   TSKH     Task Handler
   DYNP     Screen Processor
   ABAP     Program Processor
   DB-SS    Database interface that converts ABAP/4 SQL into DBMS SQL.
Transactions
SAP transactions allow different functions to be performed within R/3. Menu selection also generates transactions. To see which transaction is currently executing select Menu Path: System - Status.
System transactions are applicable to the basis system and application transactions are specific to a certain module.
Transactions can be locked and unlocked using Menu Path: Administration - Tcode Administration. When a transaction is locked, users can not execute that transaction. To perform this function, a user requires the authorization object Authorization check for SM04, SM50 with a value of S in the Admin field.
1. Controlled by DYNP processor
   - Checks whether additional authorization checks are required to run the transaction (in TSTC Table).
   - Interprets the Dynpros, which involves creating the screens and applying the logic defined in the dynpro (field checks, etc.).
2. All transactions are listed in the TSTC Table. This table includes:
   - An indicator that the transaction has been locked or is available to be used. The ability to lock and unlock transactions is controlled using authorization object Authorization Check for SM04, SM50.
   - Additional authorization checks to be performed. Only users with the value TCOD in the field Admin Functions in object System Admin Functions have the ability to add, alter, or delete these additional authorization tests.
   If a transaction is not marked as requiring authorization checks then any user can run the transaction.
Transaction types:
SU93 and SU91    Displays changes to master records and profiles
SE30             Trace function
SU53             Authorization check failures
SU02             Activation of profiles
SU03             Activation of authorizations
SU0              Assignment of user ID
SU01             Assignment of users to profiles and alter the password of any user
SU10             Assignment of profiles for a range of users
SU12             Delete all users
TU02             View logon parameters
SM52             Unix command line prompt
SU21             Grouping of objects into object classes (example is Basis Administration, Financial Accounting)
Tables
SAP is characterized by the use of thousands of application and control tables. The setup of the control tables, to a large extent, determines in which way an SAP installation functions.
Logical views provided by the ABAP/4 Dictionary of all data (control data, master data, and transaction data) stored in SAP system.
All control tables start with the letter "T".
Control tables can be displayed and maintained on-line. Menu Path: System - Services - Table Maintenance. In order to restrict tables a number of table authorization classes should be defined. All standard tables have been assigned to authorization classes. Authorization object Table Maintenance is used to maintain the tables in each authorization class. Two levels of access are allowed: value = 02 (add, change, or delete) and 03 (display only).
To modify a table structure Menu Path: Tools - CASE - Development - Data Dictionary - Maintenance.
Logging of changes can be accomplished by using change document objects to specify which tables are logged and the level of logging performed on each table.
1. TSTC                 Transactions
2. MAC                  Matchcodes
3. T001                 Details about a company
4. T001B                Defines accounting periods for company T001.
5. USRxx                Profiles
6. TUSR04               Authorization Profiles
7. TUSR01               User master record
8. TUSR02               User ID and password
9. TUSR03               Extended information about the user.
10. TUSR05              Field defaults for each R/3 user and field.
11. TOBJ                Pre-defined authorization objects and fields
12. TOBJT               Descriptive text of the authorization objects.
13. TUSR10 and TUSR11   Authorization Profiles and Descriptions
14. T055                Field group fields
15. T055G               Field groups
16. T055T               Field Group descriptions
17. AUTH                Internal table - Financial objects
18. TACT                Activity codes
19. TACTT               Activity codes descriptions
20. TACTZ               Valid activity codes for each authorization object
21. USR40               Custom password checks
22. TDDAT               Defines the link between tables and their authorization classes
23. T000                SAP Clients
24. T001                SAP companies
25. TGSB                Business Areas and Plants
Logs
Errors and important events are logged in the system logs. These logs should be reviewed daily.
The servers in an SAP system record events and problems in a set of local and central system logs. These logs may be displayed and maintained on-line from the Menu Path: Tools - Administration - Monitoring - System log.
Local logs keep only messages issued by the local application server. Each application server has a local log file.
System logs are configured by setting parameters in the system profile.
Transactions SU93 and SU91 display changes made to a user's master record or profiles.
Logging of Changes to Authorizations:
- All changes to user master records, profiles, and authorization value sets. For example, user master records will display profiles added to or deleted from the list in the user master records. It will not display modified profiles; rather, the log of changes to profiles could be used to identify changed profiles.
- Changes to a user's password, user type, user group, period of validity, and account number.
- For each item in the log, the system reports both the old and new version of any lines that have changed. This log is a valuable control over unauthorized changes to users' access capabilities and needs to be reviewed daily.
Reports for Auditing Security
Menu Path: Information - Current Information
Displays detailed information on user master records, authorization profiles, authorization objects, and authorization value sets. With this facility, it is possible to display all user master records and/or profiles that contain a specific object.
Modules
SAP application modules.
1. BC: SAP Basis module
2. Logistics: SD, MM, PP, QM, PM
3. Human Resources: HR
4. Financial and Administration: FI, CO, AM, PS, OC
Change Management
Backup and Recovery
Daily backups are necessary to ensure the recoverability of data, in the event of a disaster.
SAP includes the SAPDBA program that is used to perform database administration tasks.
SAP can be backed up on-line.
Redo logs (Oracle) should also be archived daily.
Security Administration
Users who are able to change user master records, profiles and/or authorization value sets need to be tightly controlled. The system provides a number of standard authorization objects that can be used.

User Groups: S_USER_GRP
Fields                   Values
User group               Names of the user groups for which an administrator is authorized.
Administrator actions    01: Create user master records, add profiles to new or existing records
                         02: Edit
                         03: Display
                         05: Lock or unlock user
                         06: Delete a user master record
                         08: Display user change records

Authorization Profile: S_USER_PRO
Fields                   Values
Profile name             The profile names for which an administrator is authorized.
Administrator actions    01: Create profiles and enter authorizations into them
                         02: Edit
                         03: Display
                         06: Delete a profile
                         08: Display change records
                         22: Add profiles to user master record

Authorizations Value Sets: S_USER_AUT
Fields                   Values
Object name              The names of the authorization objects for which an administrator is authorized.
Authorization name       The names of the authorization value sets for which an administrator is authorized
Administrator actions    01: Create authorization value set
                         02: Edit
                         03: Display
                         06: Delete
                         07: Activate
                         08: Display change records
                         22: Enter authorizations into a profile

Table Maintenance: S_TABU_DIS
Fields                   Values
DICBERCLS                Table classes for which a user access is authorized
ACTVT                    Activity code

Table Maintenance Across Clients: S_TABU_CLI
Fields                   Values
CLIDMAINT                Access indicator

Object S_USER_GRP
Determines which user groups can be administered and consequently all users who are assigned to those groups.

Object S_ADMI_FCD
"Systems Administration Functions" provides powerful systems administration functions, including the following (field = "Systems Administration Functions"):
NADM - Network Administration (SM54, 55, 59)
UADM - Update Administration (SM13)
T000 - Create New Client
TLCK - Lock/Unlock Transactions
SPAD - Authorization for spool administration in all clients
SPAR - Authorization for client-dependent spool administration
SP01 - Authorization for administration of spool requests in spool output control (all users and clients)
SPOR - Spool administration
BTCH - Test environment, batch
UNIX - Execute UNIX commands from SAPMSOS0
RSET - Reset/delete data without archiving
SYNC - Reset buffers
ABAP/4 Dictionary
R/3 uses an external database (Oracle in most cases) to hold application data, but it makes use of its own ABAP/4 Dictionary. This Dictionary gives R/3 the functionality to control the environment.
1. Each field in the ABAP/4 Dictionary is described by a domain. When any input is not valid in terms of the domain, it will not be accepted and the user will have to correct the entry in the DYNPRO screen before continuing. The ABAP/4 Dictionary provides the following domain checks:
   - The format of the field must match the definition in the ABAP/4 Dictionary (character, numeric, date, etc.)
   - A number of discrete values may be contained in the domain that are valid for the field.
   - A table can be specified that contains all the values allowed for a particular field. If a table is specified, there must be procedures for ensuring that the table's contents are kept up-to-date.
Restricting Access
- Controlled by the authorization object System Admin Functions. Only users with the value = DDIC in the Admin Function fields can make changes to the ABAP/4 Dictionary or use the database table utility.
- It is not possible to further restrict access to alterable tables.
- Changes are logged by the system and can be queried using the ABAP/4 Dictionary Information System. Menu Path: Development - ABAP/4 Dictionary - Info System
- Dictionary changes should be reviewed daily.
ABAP/4 Programming
ABAP/4 is the fourth generation interpretative language in which all R/3 applications are written. The Basis System is written in C.
ABAP/4 is a comprehensive programming language. ABAP statements can be written that will read and update data, create new records, etc. ABAP also can contain SQL statements allowing almost unrestricted access to the database.
ABAP/4 must be tightly controlled. No ABAP statement changes should be allowed in the production system's environment.
1. Location
   On Application Server
Restricting Access
Each ABAP needs to be assigned to an authorization group in the report attributes set when creating an ABAP report. Any ABAP that has not been assigned to an authorization group may be run by any user with authorization for object S_PROGRAM.
ABAPs that have been assigned to a program group can only be run by users who are authorized to that program group using object S_PROGRAM. This object further restricts the manner in which a user is able to run an ABAP.
SUBMIT       The user may start programs interactively
BTCSUBMIT    The user may submit programs for execution in the background partition.
EDIT         The user can maintain attributes and text elements and use utilities for copying and deleting reports (this does not allow the user to edit ABAP/4 programs).
VARIANT      The user may maintain variants. Variants are parameters that are passed to an ABAP program.
In the standard system, none of the ABAPs are assigned to authorization groups. Therefore any user that can run transaction SA38 (or SE38 to develop ABAP/4 programs) can run any of the standard ABAPs. It is recommended that all ABAPs be placed in authorization classes and that users should only have authorization for authorization classes (ABAPs) that are required for their job functions. No matter what, the database interface checks are still in play for all ABAPs and the user will not be able to act on data for which they have no authority.
ABAPs may be developed on-line using the SAP ABAP editor.
- The ABAP programs can be assigned to authorization groups. The S_EDITOR authorization object is used to restrict authorization groups a user is able to edit. Any user with S_EDITOR authorization object is able to edit any ABAP program that has not been assigned to an authorization group.
- No users should have S_EDITOR. Otherwise they may write a dynamic SQL that allows complete access to all client's data.
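An added example (not part of the original document): a small Python model of the authorization test described under Adding Authorizations and of the S_PROGRAM program-group rules above, used to list unassigned ABAPs and who can use them. The user IDs, the Z* profile, authorization and program names are hypothetical, and the model assumes that for an unassigned program the group field is skipped while the activity is still tested.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    name: str     # authorization (value set) name
    obj: str      # authorization object it belongs to
    values: dict  # field -> set of permitted values; "*" permits any value


# Constructed sample data. "Example"/"ABAP" follow the Authorization Example at
# the top of the document; every other name below is hypothetical.
PROFILES = {
    "Example": [Authorization("ABAP", "S_PROGRAM",
                              {"P_GROUP": {"*"}, "P_ACTION": {"SUBMIT", "VARIANT"}})],
    "Z_CLERK": [
        Authorization("Z_FI_RUN", "S_PROGRAM",
                      {"P_GROUP": {"FI"}, "P_ACTION": {"SUBMIT"}}),
        Authorization("Z_HR_VAR", "S_PROGRAM",
                      {"P_GROUP": {"HR"}, "P_ACTION": {"VARIANT"}}),
    ],
    "Z_NUMRANGE": [Authorization("Z_NR_DISP", "S_NUMBER",
                                 {"NROBJ": {"*"}, "ACTVT": {"03"}})],
}

# User master records: user -> profiles.
USER_MASTER = {"FRANK": ["Example"], "CLERK": ["Z_CLERK"], "VIEWER": ["Z_NUMRANGE"]}

# Program -> authorization group; None = never assigned to a group.
PROGRAM_GROUPS = {"ZFI_AGING": "FI", "ZHR_PAYLIST": "HR", "ZUTIL_DUMP": None}


def authority_check(user, obj, **requested):
    """Pass only if ONE authorization for obj permits every requested field value.

    Values are not combined across authorizations: FI/SUBMIT plus HR/VARIANT
    does not add up to FI/VARIANT.
    """
    for profile in USER_MASTER.get(user, []):
        for auth in PROFILES.get(profile, []):
            if auth.obj != obj:
                continue
            if all("*" in auth.values.get(f, set()) or v in auth.values.get(f, set())
                   for f, v in requested.items()):
                return True
    return False


def can_use_program(user, program, action="SUBMIT"):
    """Apply the S_PROGRAM rules to one program and one activity."""
    group = PROGRAM_GROUPS[program]
    if group is None:
        # Unassigned ABAP: the group field is not tested (model assumption:
        # the activity still is), so any S_PROGRAM holder with it gets in.
        return authority_check(user, "S_PROGRAM", P_ACTION=action)
    return authority_check(user, "S_PROGRAM", P_GROUP=group, P_ACTION=action)


def unassigned_programs():
    """ABAPs with no authorization group: the audit finding to report."""
    return sorted(p for p, g in PROGRAM_GROUPS.items() if g is None)


def users_who_can(program, action="SUBMIT"):
    return sorted(u for u in USER_MASTER if can_use_program(u, program, action))


if __name__ == "__main__":
    for prog in unassigned_programs():
        print(prog, "has no authorization group; SUBMIT allowed for", users_who_can(prog))
    print("ZHR_PAYLIST SUBMIT allowed for", users_who_can("ZHR_PAYLIST"))
```

CLERK is limited to group FI for assigned programs but can still start ZUTIL_DUMP, which is the exposure the text describes for ABAPs left without an authorization group.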
ABAP/4 Query
ABAP/4 Query is the report writing software that allows users to generate reports quickly and easily without programming knowledge. It generates an ABAP program. Users cannot access any information to which the user would otherwise not have access.
Restricting Access
- Must be assigned to a user group before they can be run
- User group contains the functional areas and the names of all people authorized to run queries.
- Ensure that procedures are in effect to update the user groups when job assignments change.
- Any user can run any queries defined for a user group of which he/she is a member, regardless of who wrote the query.
- In order to create or maintain ABAP/4 Queries, a user must be a member of one or more user groups and have a value = 02 (change) in the activity field of the ABAP/4 Query authorization object.
- In order to maintain the ABAP/4 Query user groups, a user needs the value = 23 (Maintain Environment) in the activity field of the ABAP/4 Query authorization object. This should be restricted to administrators.
Operating Systems
1. Unix
   Start-Up Profiles are stored in /usr/sap<SAP System Name>/sys/profile
2. NT
Database Management Systems
1. Oracle
Dynpros Screen Generator
Dynpros are the input screens used when processing SAP transactions. They include details of the processing logic to be performed on the fields.
1. Dynpros can be developed on-line using the standard SAP Dynpro Screen Painter. Menu Path: Tools - Case - Development - Screen Painter.
2. Controls need to be in place to ensure that changes to Dynpros are authorized, tested, and approved.
Number Ranges
SAP provides an "internal" and "external" numbering mechanism
1. Internal numbers are sequential codes given by the system for documents, article numbers, personnel numbers, etc.
2. Both internal and external numbers are stored in a file SYSV.
Matchcodes
These are secondary indexes to enable users to find specific records when the primary key is unknown.
1. Stored in Table MAC
2. Table MAC can be edited on-line using transaction SM31 and is accessible through the Menu Path: System - Services - Table Maintenance.
Weaknesses
1. In the standard system, none of the ABAPs are assigned to authorization groups.
2. Do not use native SQL calls in ABAPs as they will bypass the dictionary consistency checks. Use open SQL statements.
   Unlike normal ABAP statements, native SQL and open SQL do not trigger any authorization checks at run time. But using ABAPs with the AUTHORITY-CHECK statement, the user's authority can be checked at run time for specified objects.
3. SAP* is the default user ID and it has unlimited access capabilities. It should only be given to the system administrators (SUPERUSER).
4. Default system profiles may provide too much authority.
5. Default logon IDs
   SAP* password = 06071992
   SAP* password = PASS
   DDIC password = 19920706
   Oracle
   - Sys password = change_on_install
   - System password = manager
   - Sapr3 password = sapr3
     SAP/R3 application ID
   SAPDBA
   - Front-end to SQL*DBA
   - Can perform all DBA functions within SAP
   - Authentication is completed in UNIX
6. Ad-hoc Queries
   - SQL*Plus
   - ODBC
7. Oracle Tables
   User02 Table contains all SAP user IDs and passwords
Standard Reports
RSAVGL00    Table comparison across clients
RSDECOMP    Comparing tables across two systems
RSDELSAP    Delete SAP* from client 066 (EarlyWatch client)
RSKEYS00    Tables comparison: system versus sequential file
RSTABL00    As for RSKEYS00
RSSTAT92    Table changes for a selected month
RSSTAT95    Table access statistics
RSPARAM     Display system parameters settings
RSUSER01    Test SAP_ALL
RSUSR000    List all active users
Financial
Authorization Objects
Master Data
- GL
- Customer
- Vendor
- Bank
Documents
Balance Sheets
Credit Control Data
Payment Runs
Dunning Runs
Example:
Object = Company Codes
Fields           Values
Company codes    01 Create
                 02 Change
                 03 Display
                 05 Block/Unblock
                 06 Delete
                 08 Display change documents
