
Introduction to SAP - ECC Security

November 2015

Rajesh Murty – Consultant SAP GRC & Security


Agenda

What is SAP
SAP System Architecture and Landscape
SAP System & Client
SAP User Types
User Administration: User Creation/Maintenance
Authorization, Roles and Profiles in SAP
Types of Roles
Creating Role – PFCG
Authorization Check
Table Security
Central User Management
Troubleshooting
Q&A

Copyright © Capgemini 2012. All Rights Reserved 2


What is SAP?

 SAP stands for Systems, Applications, and Products in Data Processing.
 SAP AG [SAP SE 2014] is a German global software corporation that provides enterprise software applications and support to businesses of all sizes globally.
 Headquartered in Walldorf, Germany.
 It is the largest enterprise software company in the world.
 The company's best known products are its SAP Enterprise Resource Planning (SAP ERP) and SAP BusinessObjects software.
 Founded in June 1972 by five former IBM engineers.



SAP R/3 Conceptual Areas

SAP Conceptual Areas

Application Area (Functional): initiate and execute SAP transactions
Basis Area (Technical): the technical administration of the system (Authorizations/IDs/etc.)
Development Area: a developer's Workbench; create and test ABAP programs



SAP R/3 System Architecture

SAP R/3: SAP Real-time 3-tier

• Presentation Layer – where the SAP GUI is installed
• Application Layer – where SAP (the application server) is installed
• Database Layer – where the database is installed



SAP Systems Landscape

Development System [Dev-100] --Transport Request--> Quality System [Qua-100] --Transport Request--> Production System [PRD-100]

Clients: 100, 300..



What is SAP Landscape?

 Landscape is like a server system or a layout of the servers. SAP is divided into three different landscapes: DEV, QAS and PRD.

DEVELOPMENT: where the consultants do the customization as per the company's requirement.
QUALITY: where the core team members and other members test the customization.
PRODUCTION: where the live data of the company is recorded.

A request flows from Dev -> Qual -> Prod and never backwards.

 1. Sandbox server: In the initial stages of any implementation project, you are given a sandbox server where you do all the configuration/customization as per the company's business process.
 2. Development server: Once the Blueprint is signed off, the configuration is done in the development server and saved in workbench requests, to be transported to the production server.
 3. Production server: This is the last/most refined client, where the users work after project GO LIVE. Any changes/new development are done in the development client and the request is transported to production.



SAP System Client

 SAP comes with three "standard clients":
• 000
• 001
• 066

000 Client: We can find this client in the system as soon as we install the SAP R/3 software. This is called the master client. Client 000 contains a simple organizational structure of a test company and includes parameters for all applications, standard settings, and configurations for the control of standard transactions, and examples to be used in many different profiles of the business applications. It contains client-independent data.

001 Client: This client is a copy of the 000 client, including the test company. This client's settings are client-independent if it is configured or customized. People normally use the 001 client to create a new client.

066 Client: This client is called the EarlyWatch client. The SAP EarlyWatch Alert is a diagnosis service for solution monitoring of SAP and non-SAP systems in the SAP Solution Manager. An alert may contain performance issues, average response time, current system load, database administration, etc.



SAP User Types

 The SAP system categorizes users into several types for different purposes, as shown below:

 Dialog 'A'
A normal dialog user is used by one person only for all types of logon. During a dialog logon, the system checks for expired and initial passwords and provides an option to change the password. Multiple dialog logons are checked and logged if necessary.

 System 'B'
Use the system user type for internal system processes (-> background processing) or system-related processes (-> ALE, workflow, TMS, CUA). Dialog logon (using SAP GUI) is not possible. A user of this type is excluded from the general settings for password validity. Only user administrators can change the password using transaction SU01 (Goto -> Change Password).

 Communication 'C'
Use users of type Communication for dialog-free communication between systems (-> RFC). Dialog logon (using SAP GUI) is not possible.

 Service 'S'
A user of the type Service is a dialog user that is available to an anonymous, larger group of users. Generally, this type of user should only be assigned very restricted authorizations. During logon, the system does not check for expired and initial passwords. Only the user administrator can change the password. Multiple logon is allowed.

 Reference 'L'
Like the service user, a reference user is a general user, not assigned to a particular person. You cannot log on using a reference user. The reference user is only used to assign additional authorizations. On the Roles tab, you can specify a reference user for additional rights for dialog users.



User Types



User Administration [SU01/SU10]

 The User Master Record contains the privileges of the user.
 User authorization information, including assigned roles and profiles
 Roles are assigned via transaction SU01
 The User Master Record also contains:
• Address and contact information, default date format, decimal format, default printers, and default data-entry screen characteristics
• User parameter data
• User groups
 When a user logs into SAP, all assigned authorizations are loaded from the User Master Record into the User Buffer

SU01 T-code Screen



SAP User maintenance SU01 Screen

Toolbar buttons 1-7 on the SU01 screen:

1: Create user [Create button symbol]
2: Change user [Change button symbol]
3: Display user [Display button symbol]
4: Delete user [Delete button symbol]
5: Copy users [Copy button symbol]
6: Lock/Unlock user [Lock/Unlock button symbol]
7: User password reset [Password reset symbol]

Single user creation: SU01
Mass user creation: SU10
Display user: SU01D



User Maintenance Screen SU01

Create User Screen Copy User Screen



User Maintenance Screen SU01

SU01- User Lock


User Lock / Unlock
Screen

User Password
reset Screen



Create User ID - SU01

 SU01 - Create ID Example

 User ID: TESTUSER



Create User ID - SU01

 Logon Data Tab:

 Set Password
 User Type
 User Group
 Validity Period



Create User Id - SU01

 Roles Tab

 Enter role name as per authorized user request


 If a role should give a user only temporary access, specify Validity periods



Create User SU01

 SNC Tab in SU01:

 "SNC is a software layer in the SAP system architecture that provides an interface to an external
security product. With SNC, you can strengthen the security of your SAP system by implementing
additional security functions that SAP systems do not directly provide (for example, the use of smart
cards for user authentication).

 SNC provides security at the application level. This means that a secure connection between the
components of the SAP system (for example, between the SAP GUI and the SAP application server)

 Default Tab in SU01:

 Decimal notation
 Date format
 Time Zone
 Output Device



User Group SUGR

User groups can be used for different purposes and in different ways in an SAP environment:

One of the primary uses of user groups is to sort users into logical groups. This allows users to be categorized in a way that is not dependent on roles, responsibilities, profiles, etc.

User groups also allow segregation of user maintenance. This is especially useful in a large organization, as you can control which users your user admin team can maintain; an example would be giving a team leader the authority to change passwords for users in their team.



Transaction

 Transactions are unique business activities that cannot be broken down further.

FK01   Create Vendor (Accounting)
FK02   Change Vendor (Accounting)
FK03   Display Vendor (Accounting)
ME21N  Create Purchase Order
ME22N  Change Purchase Order
ME23N  Display Purchase Order
SU01   User Maintenance

 Users need access to a transaction, followed by access to the subsequent data, to be able to process this transaction.



Authorization Objects, Object Class and Fields

 Authorization Objects are the templates upon which authorizations are built.
 An authorization object allows complex tests of an authorization for multiple conditions.
 For an authorization check to be successful, all field values of the authorization object must be maintained in the user master.
 An Object Class is a collection of authorization objects which map to the same functional area.
 Fields are mapped to objects and allow the authorizations to be defined.

Authorization Object

Object Class



Authorization Object Class

• Authorization Objects are grouped in Authorization Object Classes
• Object Classes are a classification by functional area
• There are more than 40 classes (listed via transaction SU21)



Authorization Object

• Authorization Objects protect data
• Authorization Objects are groups of authorization fields representing values for individual system elements
• Authorization Objects employ an "AND" relationship
• There are more than 900 SAP-supplied authorization objects
• Authorization objects are used by many transactions

Authorization Objects for Transaction SU01 via SU24



Fields and Values

 Authorization Objects contain 1-10 Fields
 Each field can be populated with many values, like:
• 01 – create
• 02 – change
• 03 – display
• 06 – delete
• * – all values

 Table TACT contains the complete activity list (SE16 → TACT)

Authorization Objects, Fields and Values for Transaction SU01 via SU24



Authorizations

• The key building blocks of SAP security.
• Access to all system functionality is achieved through a complex array of authorizations.
• Authorizations are derived from Authorization Objects
• Authorizations grant access to the unique combination of fields defined for an authorization object
• Typically there are many authorizations for each authorization object



How Authorizations work



How Authorization Concept Works

1. User Logon: login credentials are checked.
   Pass → continue. Fail → Logon Failed.

2. Transaction Code Access Check (S_TCODE): transaction access.
   Pass → continue. Fail → No Authorization for Transaction.

3. Authorizations – Standard Authorization Objects Access: activity level access.
   Pass → Transaction Successfully Executed.
   Fail → No Authorization to Activity (Create/Change/Display) or Organization Fields (Plant, Company code).



SAP Authorization Concept

 The R/3 Authorization Concept allows you to protect transactions and programs from unauthorized use
 Access to the system is restricted through authorization objects
 Access must be explicitly granted through the use of authorizations
 Users are assigned authorization profiles (or roles) which determine the specific access a user is granted
 Only users with active user master records can log onto the system

Transaction Based Security Access

 Access to SAP functions is enabled through transaction codes (ex: FB50 - post journal entry)
 1st checkpoint for SAP security is the transaction code
• Controls access to the function
 2nd checkpoint for SAP security is the authorization object
• Each SAP transaction has a combination of authorization objects that are delivered as standard
• Controls how far and what organizational access a user can have
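To make the two checkpoints concrete, here is a small Python model of the flow described above and in the "How Authorization Concept Works" slide. It is an added illustration, not SAP code and not part of the original deck: a user buffer holding the user's authorizations, the S_TCODE check first, then the object checks, where every field of one authorization must match ("AND" relationship). The return codes reuse the ST01 convention the deck lists in its troubleshooting section (0 = pass, 4 = field value missing, 8 = object missing). S_USER_GRP (fields CLASS, ACTVT) and S_TABU_CLI (field CLIIDMAINT) are the standard objects as I know them; the user-group and table-group names in the buffer are constructed.

```python
"""Model of the two SAP authorization checkpoints: the S_TCODE check and the
object checks behind the transaction. Added illustration, not SAP code.
Return codes follow the ST01 convention: 0 = pass, 4 = object present but a
field value is missing, 8 = object missing from the user buffer.
"""

# A user buffer maps an authorization object to the authorizations the user
# holds for it. Each authorization maps field -> set of permitted values;
# within one authorization ALL fields must match (AND relationship).
UserBuffer = dict[str, list[dict[str, set[str]]]]

RC_PASS, RC_FIELD_MISSING, RC_OBJECT_MISSING = 0, 4, 8


def value_allowed(permitted: set[str], value: str) -> bool:
    """'*' grants every value; otherwise the value must be listed explicitly.
    (Ranges and patterns such as 'Z*' are left out of this model.)"""
    return "*" in permitted or value in permitted


def authority_check(buffer: UserBuffer, obj: str, required: dict[str, str]) -> int:
    """Imitates AUTHORITY-CHECK OBJECT obj ID field FIELD value ...:
    succeed if at least one authorization for obj covers every required field."""
    auths = buffer.get(obj)
    if not auths:
        return RC_OBJECT_MISSING
    for auth in auths:
        if all(value_allowed(auth.get(fld, set()), val) for fld, val in required.items()):
            return RC_PASS
    return RC_FIELD_MISSING


def run_transaction(buffer: UserBuffer, tcode: str,
                    object_checks: list[tuple[str, dict[str, str]]]) -> list[tuple[str, int]]:
    """Checkpoint 1 is always S_TCODE; checkpoint 2 is each object the
    transaction checks. Stops at the first failure, like the deck's flowchart."""
    results = [("S_TCODE", authority_check(buffer, "S_TCODE", {"TCD": tcode}))]
    if results[-1][1] != RC_PASS:
        return results
    for obj, fields in object_checks:
        rc = authority_check(buffer, obj, fields)
        results.append((obj, rc))
        if rc != RC_PASS:
            break
    return results


# Constructed user buffer: a user administrator limited to the FI_USERS group.
# S_USER_GRP (fields CLASS, ACTVT) is the standard object behind SU01; the
# group names FI_USERS / HR_USERS and table group FC are made up.
EXAMPLE_BUFFER: UserBuffer = {
    "S_TCODE": [{"TCD": {"SU01", "SE16"}}],
    "S_USER_GRP": [
        {"CLASS": {"FI_USERS"}, "ACTVT": {"02", "03"}},   # change/display FI users
        {"CLASS": {"HR_USERS"}, "ACTVT": {"03"}},         # display-only HR users
    ],
    "S_TABU_DIS": [{"DICBERCLS": {"FC"}, "ACTVT": {"03"}}],
}


def demo() -> dict[str, list[tuple[str, int]]]:
    su01_fi = [("S_USER_GRP", {"CLASS": "FI_USERS", "ACTVT": "02"})]
    su01_hr = [("S_USER_GRP", {"CLASS": "HR_USERS", "ACTVT": "02"})]
    se16_cli = [("S_TABU_CLI", {"CLIIDMAINT": "X"})]
    return {
        # both checkpoints pass
        "change FI user": run_transaction(EXAMPLE_BUFFER, "SU01", su01_fi),
        # HR authorization has 03 only, FI authorization has the wrong CLASS:
        # no single authorization satisfies CLASS AND ACTVT -> rc 4
        "change HR user": run_transaction(EXAMPLE_BUFFER, "SU01", su01_hr),
        # tcode not in S_TCODE: stopped at the first checkpoint
        "run PFCG": run_transaction(EXAMPLE_BUFFER, "PFCG", []),
        # object not in the buffer at all -> rc 8
        "client-independent table": run_transaction(EXAMPLE_BUFFER, "SE16", se16_cli),
    }


if __name__ == "__main__":
    for case, trace in demo().items():
        print(f"{case:28s} {trace}")
```

The "change HR user" case is the one worth studying: the user holds ACTVT 02 in one authorization and CLASS HR_USERS in another, yet the check fails, because fields are only combined within a single authorization. This is also why SU53 after such a failure shows the object with the exact field values that were tested.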



Profile and Roles in SAP

Profile:

• User authorizations are not usually assigned directly to user master records, but grouped together in authorization profiles.
• Authorizations can be collected in authorization profiles to reduce the maintenance effort which would be required to enter individual authorizations in the user master record.
• They contain specific access rights, identified by an object name and a corresponding authorization name.
• Profile changes only take effect when the user next logs on. Users who are logged on when the change takes place are not affected in their current session.

Role:

• SAP Roles are defined as collections of certain activities used in different business scenarios.
• In business, each user is assigned some activities and restricted from others to ensure that business data is always secure. To complete these assigned activities, users need to access the different SAP transactions, reports, or Web-based applications in SAP.
• A role can either be assigned from the SAP predefined roles, or a new role can be created to meet the client's specific requirement.



Roles in SAP

 While assigning a role to users, the following points need to be kept in mind:
• A separate menu should be created and assigned to each role
• Only the required authorizations, tasks and activities need to be added to each authorization profile
• Necessary restrictions need to be imposed to ensure data security

Object Class → Authorization Object → Authorization → Fields → Field Values



Role Concept and Structure

Role: A Role is a container consisting of a profile, which is a collection of authorizations, and a menu containing navigation attributes.

Profile: A Role consists of a Profile. Profiles contain the authorization objects with their values. These values define the access levels.

Authorizations: A Profile consists of Authorizations. Authorizations are instantiations of the authorization objects, with values entered for the fields in that object.

Authorization Objects: Authorizations are built on Authorization Objects.

Role Menu: Contains the navigation entries for users to select.



PFCG Profile Generator Overview

 Transaction PFCG: Profile Generator (PFCG) is a tool used for security design and configuration.
 Roles are set up using PFCG at the Job Function or Task Level
• (Functional - logical grouping of activities).
 Each Role may contain several activities
• Example: Role - Bank Reconciliation
• Activities: Input Manual Bank Statement, Display Line Items for Reconciliation
 Authorization profiles are created and updated when Roles are generated
 Profile Generator (PFCG) is driven by the transaction codes (activities performed by users) that are assigned to each Role



Types of Roles in SAP

A Role is the group of profiles, menus, transactions, reports, user assignments and personalization.
 Roles are defined in transaction code PFCG
 Roles were called Activity Groups until 4.6c

Types of Roles:
 1. Single Role
i. Parent Role
ii. Derived Role or Child Role
 2. Composite Role

Roles: Single Role | Composite Role
Single Role: Parent Role → Derived Role (inherits properties)



Types of Roles in SAP

1: Single Role:
 Single roles are roles which, along with the transactions, also contain the authorization data and org entities maintained in the same role.
 Single roles are better for a smaller structure and for occasions where only a few org restrictions are required.
 Mostly used for Production Support roles.

2: Composite Role:
 A combination of one or more single roles
 Transactions cannot be assigned directly to the composite role
 Function and task are extremely important considerations
 The composite role menu is derived by inheriting the menus from each single role

3: Master/Parent Role [Derived Role]:
 Master/derived roles are used to enforce organizational level restrictions
 Segregate access by company code, plant, etc.
 Master roles are templates and are usually not assigned to users
 Derived roles inherit characteristics from their master role, such as transactions, menu structures, field values, and other pieces of authorization information
 Derived roles are intrinsically very similar, with only slight differences in the organizational elements
 Organizational elements are maintained at the derived role level
 Authorization information changes are maintained at the master role level and then "pushed" down to the derived roles. The derived roles will each inherit the changes made to the master role
 Authorization information changes made directly in the derived role will break the link between it and the master role
 Any changes to either Master or Derived roles need to be mass transported



Creating a Role - PFCG

– The Description tab is displayed
– The Role field is auto-populated with the name previously entered
– Short description and long description of the role can be placed in the appropriate text boxes
– Save



Menu Tab - Adding a Transaction folder

 Create a folder for the transactions you want to add
 The transaction folders, and the transactions within them, will appear in the user's menu upon login
• Transactions are commonly added to the role by clicking on the Add Transaction command button
• Select the folder icon to add a new folder
• Specify a folder name descriptive of the transactions



Authorizations Tab

 Once you have created a role and added the required transactions to it, select the "Authorizations" tab
 Select Expert mode for profile generation
• Expert Mode allows you to bring in authorization objects, fields and values from the USOBT_C table



Authorizations

 The overview button displays the transaction(s) that brought over the specific
authorization object. These objects are brought from USOBT_C table (modifiable via SU24)



Authorization Tab: Organizational Level

 Organizational Level values are centrally maintained
• Company Code, Sales Organization, Controlling Area, Business Area… etc.



Traffic Lights in Authorization

Traffic Light   Notes
Green           Authorization fields have been filled.
Yellow          Authorization fields have not been completely filled. If you click a yellow light in the status line, the system asks if you want to assign the full authorization asterisk (*) to all authorizations that are not filled.
Red             Organizational levels are not filled. Choose Org. levels to edit the organizational levels.



Analyzing Authorization Checks: Introduction

If you do not know the required authorizations for a transaction, you can determine them in the following
ways:
 Authorization error analysis
You can use transaction SU53 to analyze an access-denied error in your system that just occurred.
You can use the transaction SU53 from any of your sessions, not just the one in which the error
occurred. You cannot analyze an authorization error in another user’s logon session from your own
session.

 System trace
You can use the system trace function (transaction ST01) to record authorization checks in your own
and in external sessions, if the trace and the transaction to be traced are running on the same
application server. The trace records each authorization object that is tested, along with the object’s
fields and the values tested.



SAP Users

1: SAP* is a super user ID
• It comes with the system
• SAP_ALL is assigned to SAP*
• Default password is well known (06071922)
• The SAP* user master record should not be deleted

 SAP_ALL provides full access to the system
• Contains * for authorizations

 SAP_NEW is an upgrade profile
• Required to release new functionality for a given upgrade
• Composite profile containing simple profiles for each new release

2: DDIC
• Special privileges for software logistics and the ABAP/4 dictionary
• Automatically created when clients 000 and 001 are created
• Required for certain installation and setup tasks
• Secure DDIC
• Change passwords in all clients including 000 and 001 (check with RSUSR003)
• Do not delete the DDIC user master record



Table Security

• Access is controlled via a combination of Authorization Groups assigned to tables
• The primary method for restricting direct table maintenance is through the authorization objects S_TABU_DIS and S_TABU_CLI.
• S_TABU_DIS controls access at the table level via transactions SM30 and SE16
• S_TABU_CLI grants permission to client-independent tables

 Tables are assigned to Authorization Groups
• Users are granted access to the tables via authorization groups
• Tables containing related information are grouped together into an authorization group

 TDDAT contains the table authorization group information



Security related Tables

Table       Description
AGR_1250    Authorization data for the activity group
AGR_1251    Authorization data for the activity group
AGR_1252    Organizational elements for authorizations
AGR_AGRS    Roles in Composite Roles
AGR_DEFINE  Role definition
AGR_PROF    Profile name for role
AGR_TEXTS   File Structure for Hierarchical Menu – Cus
AGR_USERS   Assignment of roles to users
USGRP       User groups
USR01       User Master Data (runtime data)
USR02       Logon data (password, user name, validity date etc...)
USR04       User master authorization (one row per user)
USR06       License data
USR10       Authorization profiles (i.e. &_SAP_ALL)
USR12       Authorization values
USR40       Table for illegal passwords (never enter * in this table)
USOBT       Relation transaction to authorization object (SAP)
USOBT_C     Relation transaction to authorization object (Customer)
USOBX       Check table for table USOBT
USOBX_C     Check table for table USOBT_C



Structured User Information System (SUIM):

• You can use the User Information System to obtain an overview of the authorizations and users in your SAP System at any time, using search criteria that you define.
• In particular, you can display lists of users to whom authorizations classified as critical are assigned. You can also use the User Information System to:
• Display the authorizations of a user
• Display change documents for a user, role or profile
• Compare users and roles within a system
• Display the transactions contained in a role
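The SUIM report for "users with critical authorizations" is, underneath, a join across the tables listed on the previous slide: AGR_1251 (authorization values per role), AGR_USERS (role assignments with validity dates) and USR02 (user type). The Python below is an added example written for this page, not SAP's report: it runs that join over constructed table dumps to find who currently holds change access (ACTVT 02) to all table authorization groups via S_TABU_DIS, the table-security object from the deck. Column names follow the SAP tables; the role, user and group names and the AUTH identifiers are made up. The Z_FI_MAINT role is there to show a common false positive: ACTVT 02 and DICBERCLS * sit in two different authorizations of the same role, so the "AND" relationship is not satisfied.

```python
"""SUIM-style scan over constructed dumps of AGR_1251, AGR_USERS and USR02:
which users currently hold an authorization classified as critical?
Added illustration, not SAP's report; role/user/group names are made up.
"""
from collections import defaultdict

# AGR_1251 rows: (AGR_NAME, AUTH, OBJECT, FIELD, LOW, HIGH). AUTH identifies one
# authorization: fields sharing an AUTH value are ANDed, different AUTHs are not.
AGR_1251 = [
    ("Z_BASIS_TABLES", "T-AB01", "S_TABU_DIS", "ACTVT", "02", ""),
    ("Z_BASIS_TABLES", "T-AB01", "S_TABU_DIS", "DICBERCLS", "*", ""),
    ("Z_FI_DISPLAY",   "T-CD01", "S_TABU_DIS", "ACTVT", "03", ""),
    ("Z_FI_DISPLAY",   "T-CD01", "S_TABU_DIS", "DICBERCLS", "FC", ""),
    # change on group FC only, display on all groups: two separate authorizations
    ("Z_FI_MAINT",     "T-EF01", "S_TABU_DIS", "ACTVT", "01", "03"),
    ("Z_FI_MAINT",     "T-EF01", "S_TABU_DIS", "DICBERCLS", "FC", ""),
    ("Z_FI_MAINT",     "T-EF02", "S_TABU_DIS", "ACTVT", "03", ""),
    ("Z_FI_MAINT",     "T-EF02", "S_TABU_DIS", "DICBERCLS", "*", ""),
]
# AGR_USERS rows: (AGR_NAME, UNAME, FROM_DAT, TO_DAT), dates as YYYYMMDD
AGR_USERS = [
    ("Z_BASIS_TABLES", "BASIS01", "20150101", "99991231"),
    ("Z_BASIS_TABLES", "BATCH01", "20150101", "99991231"),
    ("Z_BASIS_TABLES", "TEMP01",  "20140101", "20141231"),   # assignment expired
    ("Z_FI_MAINT",     "FIUSER1", "20150101", "99991231"),
    ("Z_FI_DISPLAY",   "FIUSER2", "20150101", "99991231"),
]
# USR02 rows: (BNAME, USTYP), user type letters as in the deck
USR02 = [("BASIS01", "A"), ("BATCH01", "B"), ("TEMP01", "A"), ("FIUSER1", "A"), ("FIUSER2", "A")]

# Critical authorization: change access (02) to every table authorization group.
CRITICAL = {"S_TABU_DIS": {"ACTVT": "02", "DICBERCLS": "*"}}


def covers(low: str, high: str, wanted: str) -> bool:
    """Does a LOW/HIGH entry grant `wanted`? '*' covers everything; a wanted
    value of '*' (all groups) is only covered by an explicit '*'."""
    if low == "*":
        return True
    if wanted == "*":
        return False
    if high:
        return low <= wanted <= high
    return low == wanted


def critical_roles(agr_1251, critical) -> dict[str, set[str]]:
    """role -> objects for which ONE authorization matches every critical field."""
    grouped = defaultdict(lambda: defaultdict(list))   # (role, auth, obj) -> field -> [(low, high)]
    for role, auth, obj, fld, low, high in agr_1251:
        grouped[(role, auth, obj)][fld].append((low, high))
    hits = defaultdict(set)
    for (role, auth, obj), fields in grouped.items():
        wanted = critical.get(obj)
        if wanted and all(any(covers(lo, hi, val) for lo, hi in fields.get(f, []))
                          for f, val in wanted.items()):
            hits[role].add(obj)
    return hits


def users_with_critical_auth(agr_1251, agr_users, usr02, critical, on_date):
    """Users whose currently valid role assignments carry a critical authorization.
    Returns sorted (user, user type, role, object) tuples."""
    roles = critical_roles(agr_1251, critical)
    utype = dict(usr02)
    out = set()
    for role, uname, from_dat, to_dat in agr_users:
        if role in roles and from_dat <= on_date <= to_dat:
            for obj in roles[role]:
                out.add((uname, utype.get(uname, "?"), role, obj))
    return sorted(out)


if __name__ == "__main__":
    for row in users_with_critical_auth(AGR_1251, AGR_USERS, USR02, CRITICAL, "20151101"):
        print(row)
```

Two details matter when this is done for real: the validity dates in AGR_USERS must be honoured (TEMP01 drops out), and the user type from USR02 should be carried along, since a system user (type B) with table change access is a different finding from a dialog user with the same role.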



Central User Management

• Manage users from one SAP client
• Simplifies user administration and can save a lot of time, especially for large environments
• If you own SAP, you already own this. All you need is someone to configure it
• There are several issues that frequently come up when installing. It is recommended to contact a CUA consultant.
• Asynchronous! Ultimately, the users and roles exist in each client. CUA is only the place you log in to make changes!



Troubleshooting

SU53
• First and basic troubleshooting tool is Transaction SU53.
• Shows last Authorization check that failed.
• May or may not be the Authorization that the User actually needs. Look at context clues to
determine if it is appropriate.
• User may need more Authorization Objects after this one is added.



Troubleshooting

SU56
• We can also check User buffer with Transaction SU56.
• When a User logs into the system, all of the Authorizations that the User has are loaded
into a special place in memory called the User Buffer.
• As the User attempts to perform activities, the system checks whether the user has the
appropriate Authorization Objects in the User Buffer.



Troubleshooting

ST01
• Authorization Trace: ST01 records all authorization checks performed while a user is in the system.
• The return code value confirms whether an authorization check passed or failed (0 = Pass, 4 = Field value is missing and 8 = Object is missing).
• Does not include Structural Authorizations in HR Security.



Thank you for
your attention!
Any Questions?



About Capgemini
With more than 120,000 people in 40 countries, Capgemini is one
of the world's foremost providers of consulting, technology and
outsourcing services. The Group reported 2011 global revenues
of EUR 9.7 billion.
Together with its clients, Capgemini creates and delivers
business and technology solutions that fit their needs and drive
the results they want. A deeply multicultural organization,
Capgemini has developed its own way of working, the
Collaborative Business ExperienceTM, and draws on Rightshore ®,
its worldwide delivery model.

Rightshore® is a trademark belonging to Capgemini


www.capgemini.com

The information contained in this presentation is proprietary.


© 2015 Capgemini. All rights reserved.
