November 2015
What is SAP
SAP System Architecture and Landscape
SAP System & Client
SAP user Types
User Administration User Creation/Maintenance
Table Security
Central User Management
Troubleshooting
Q&A
• Presentation Layer – where the SAP GUI is installed.
• Application Layer – where the SAP application server is installed.
• Database Layer – where the database is installed.
[Diagram: transport request flow from the Development System [Dev-100] to the Quality System [Qua-100] to the Production System [PRD-100]]
A landscape is the layout of the servers that make up an SAP installation. A typical SAP landscape is divided into three systems: DEV, QAS and PRD.
A transport request flows from Dev -> Qual -> Prod and never backwards.
1. Sandbox server: In the initial stages of an implementation project you are given a sandbox server, where you do all the configuration/customization according to the company's business process.
2. Development server: Once the Blue Print is signed off, the configuration is done in the development server and saved in workbench requests, to be transported to the production server.
3. Production server: This is the last and most refined client, where the users work after project GO LIVE. Any change or new development is done in the development client and the request is transported to production.
Client 000: This client exists in the system as soon as the SAP R/3 software is installed. It is called the master client. Client 000 contains a simple organizational structure of a test company and includes parameters for all applications, standard settings, configurations for the control of standard transactions, and examples to be used in many different profiles of the business applications. It contains client-independent data.
Client 001: This client is a copy of client 000, including the test company. Its settings are client-independent if it is configured or customized. Client 001 is normally used as the source for creating a new client.
Client 066: This client is called the EarlyWatch client. The SAP EarlyWatch Alert is a diagnosis service for solution monitoring of SAP and non-SAP systems in SAP Solution Manager. An alert may cover performance issues, average response time, current system load, database administration, etc.
The SAP system categorizes users into several types for different purposes, as shown below:
Dialog 'A'
A normal dialog user is used by one person only for all types of logon. During a dialog logon, the system checks for expired and initial passwords and provides an option to change the password. Multiple dialog logons are checked and logged if necessary.
System 'B'
Use the system user type for internal system processes (-> background processing) or system-related processes (-> ALE, workflow, TMS, CUA).
Dialog logon (using SAP GUI) is not possible. A user of this type is excluded from the general settings for password validity. Only user administrators can change the password using transaction SU01 (Goto -> Change Password).
Communication 'C'
Use users of type Communication for dialog-free communication between systems (-> RFC). Dialog logon (using SAP GUI) is not possible.
Service 'S'
A user of type Service is a dialog user that is available to an anonymous, larger group of users. Generally, this type of user should only be assigned very restricted authorizations. During logon, the system does not check for expired and initial passwords. Only the user administrator can change the password. Multiple logon is allowed.
Reference 'L'
Like the service user, a reference user is a general user not assigned to a particular person. You cannot log on using a reference user. The reference user is only used to assign additional authorizations. On the Roles tab, you can specify a reference user that grants additional rights to dialog users.
[Screenshot: SU01 user maintenance, showing the user password reset screen (Set Password), user type, user group, validity period and the Roles tab]
"SNC is a software layer in the SAP system architecture that provides an interface to an external
security product. With SNC, you can strengthen the security of your SAP system by implementing
additional security functions that SAP systems do not directly provide (for example, the use of smart
cards for user authentication).
SNC provides security at the application level. This means that a secure connection between the
components of the SAP system (for example, between the SAP GUI and the SAP application server)
[Screenshot: SU01 user defaults, showing decimal notation, date format, time zone and output device]
User groups can be used for different purposes and in different ways in an SAP environment; one of the primary uses of user groups is to sort users into logical groups.
Transactions are unique business activities that cannot be broken down further.
Users need access to a transaction, followed by access to the underlying data, to be able to process that transaction.
Authorization objects are templates on which authorizations are built.
An authorization object allows complex tests of an authorization against multiple conditions.
For an authorization check to be successful, all field values of the authorization object must be maintained in the user master.
An object class is a collection of authorization objects that map to the same functional area.
Fields belong to authorization objects; the values entered for the fields define the authorizations.
[Screenshot: object class and authorization object, with the authorization objects, fields and values for transaction SU01 as maintained via SU24]
[Diagram: authorization check flow. Logon (fail: logon failed) -> transaction authorization check (fail: no authorization for transaction) -> authorization object check on activity (Create/Change/Display) and organizational fields (plant, company code) (fail: no authorization) -> transaction successfully executed]
R/3 Authorization Concept allows you to protect transactions and programs from unauthorized use
Users are assigned authorization profiles (or roles) which determine the specific access a user is
granted
Only users with active user master records can log onto the system
Access to SAP Functions is enabled through transaction codes (ex: FB50 - post journal entry)
Profile:
• User authorizations are not usually assigned directly to user master records, but grouped
together in authorization profiles.
• Authorizations can be collected in authorization profiles to reduce the maintenance effort
which would be required to enter individual authorizations in the user master record.
• They contain specific access rights, identified by an object name and a corresponding
authorization name.
• Profile changes only take effect when the user next logs on. Users who are logged on
when the change takes place are not affected in their current session.
Role:
• SAP roles are defined as collections of activities used in different business scenarios.
• In a business, each user is assigned some activities and restricted from others to ensure that business data is always secure. To complete the assigned activities, users need access to the different SAP transactions, reports, or Web-based applications in the SAP system.
• Roles can either be assigned from the SAP predefined roles, or a new role can be created to meet the client's specific requirements.
[Diagram: an object class consists of authorization objects; authorizations are built on authorization objects and are instantiations of those objects, with values entered for the fields of each object]
Transaction PFCG: the Profile Generator (PFCG) is the tool used for security design and configuration.
Roles are set up in PFCG at the job function or task level
• (functional: a logical grouping of activities).
Authorization profiles are created and updated when roles are generated.
The Profile Generator (PFCG) is driven by the transaction codes (activities performed by users) that are assigned to each role.
A role is the group of profiles, menus, transactions, reports, user assignments and personalization.
Roles are defined in transaction code PFCG.
Roles were called Activity Groups until release 4.6C.
Types of Roles:
1. Single Role
i. Parent Role
ii. Derived Role or Child Role (a derived role inherits its properties from the parent role)
2. Composite Role
1: Single Role:
Single roles contain the transactions together with the authorization data and the organizational entities maintained in the same role.
Single roles are better suited to a smaller structure and to occasions where only a few org restrictions are required.
Mostly used for production support roles.
2: Composite Role:
A combination of one or more single roles.
Transactions cannot be assigned directly to the composite role.
Function and task are extremely important considerations.
The composite role menu is derived by inheriting the menus from each single role.
• Save
• Create a folder for the transactions you want to add
• Select the folder icon to add a new folder
• Specify a folder name descriptive of the transactions
• Transactions are commonly added to the role by clicking on the Add Transaction command button
• The transaction folders, and the transactions within them, will appear in the user's menu upon login
Once you have created a role and added the required transactions to it, select the "Authorizations" tab.
Select Expert mode for profile generation.
• Expert mode allows you to bring in authorization objects, fields and values from the USOBT_C table.
The overview button displays the transaction(s) that brought over the specific authorization object. These objects are taken from table USOBT_C (modifiable via SU24).
Organizational levels are not filled automatically. Choose Org. levels to edit the organizational levels.
If you do not know the required authorizations for a transaction, you can determine them in the following
ways:
Authorization error analysis
You can use transaction SU53 to analyze an access-denied error in your system that just occurred.
You can use the transaction SU53 from any of your sessions, not just the one in which the error
occurred. You cannot analyze an authorization error in another user’s logon session from your own
session.
System trace
You can use the system trace function (transaction ST01) to record authorization checks in your own
and in external sessions, if the trace and the transaction to be traced are running on the same
application server. The trace records each authorization object that is tested, along with the object’s
fields and the values tested.
2: DDIC
• Special privileges for software logistics and ABAP/4 dictionary
• Automatically created when clients 000 and 001 created
• Required for certain installation and setup tasks
• Secure DDIC
• Change passwords in all clients including 000 and 001 (check with RSUSR003)
• Do not delete the DDIC user master record
Table        Description
AGR_1250     Authorization data for the activity group
AGR_1251     Authorization data for the activity group
AGR_1252     Organizational elements for authorizations
AGR_AGRS     Roles in composite roles
AGR_DEFINE   Role definition
AGR_PROF     Profile name for role
AGR_TEXTS    File structure for hierarchical menu – Cus
AGR_USERS    Assignment of roles to users
USGRP        User groups
USR01        User master data (runtime data)
USR02        Logon data (password, user name, validity date, etc.)
USR04        User master authorization (one row per user)
USR06        License data
USR10        Authorization profiles (e.g. &_SAP_ALL)
USR12        Authorization values
USR40        Table for illegal passwords (never enter * in this table)
USOBT        Relation transaction to authorization object (SAP)
USOBT_C      Relation transaction to authorization object (customer)
USOBX        Check table for table USOBT
USOBX_C      Check table for table USOBT_C
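The USR40 caveat above ("never enter * in this table") follows from the wildcard semantics of that table: '*' matches any string and '?' matches one character, so a bare '*' forbids every password. The following added example (not part of the original slides) models that matching; the patterns are constructed, and case-insensitive comparison is an assumption.

```python
import re

# Constructed entries in the style of table USR40 (illegal passwords). SAP allows
# the wildcards '*' (any string, including the empty one) and '?' (exactly one character).
ILLEGAL_PATTERNS = ["SAP*", "*123*", "PASS?ORD", "WELCOME"]


def usr40_regex(pattern: str):
    """Translate one USR40 pattern into an anchored regular expression.
    Assumption: the comparison is case-insensitive; everything except the two
    wildcards is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def rejected_by(patterns, password):
    """Return the first USR40 pattern that forbids the password, or None if it is allowed."""
    for p in patterns:
        if usr40_regex(p).match(password):
            return p
    return None


def is_password_allowed(patterns, password):
    """True when no illegal-password pattern matches."""
    return rejected_by(patterns, password) is None


if __name__ == "__main__":
    for candidate in ["sapadmin", "Secret123x", "PassWord", "Str0ngPhrase!"]:
        print(candidate, "->", rejected_by(ILLEGAL_PATTERNS, candidate))
    # A table holding only '*' rejects everything, which is the page's warning:
    print("with '*' only:", rejected_by(["*"], "Str0ngPhrase!"))
```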
• You can use the User Information System to obtain an overview of the authorizations
and users in your SAP System at any time using search criteria that you define.
• In particular, you can display lists of users to whom authorizations classified as critical
are assigned. You can also use the User Information System to:
SU53
• First and basic troubleshooting tool is Transaction SU53.
• Shows last Authorization check that failed.
• May or may not be the Authorization that the User actually needs. Look at context clues to
determine if it is appropriate.
• User may need more Authorization Objects after this one is added.
SU56
• We can also check User buffer with Transaction SU56.
• When a User logs into the system, all of the Authorizations that the User has are loaded
into a special place in memory called the User Buffer.
• As the User attempts to perform activities, the system checks whether the user has the
appropriate Authorization Objects in the User Buffer.
ST01
• Authorization trace: ST01 records all authorization checks performed while a user is in the system.
• The return code confirms whether an authorization check passed or failed (0 = pass, 4 = field value is missing, 8 = object is missing).
• Does not include structural authorizations in HR security.
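The check flow shown earlier (logon, then the transaction check, then the authorization object with activity and organizational fields) and the ST01 return codes listed here can be put together in one model. The following is an added example, not code from the original slides: the user buffer is constructed, and the rule that all fields must match inside a single authorization is the point it demonstrates.

```python
# ST01 return codes as listed on the page: 0 = pass, 4 = field value missing, 8 = object missing
RC_PASS, RC_FIELD_MISSING, RC_OBJECT_MISSING = 0, 4, 8

# Constructed user buffer (the SU56 view): authorization object -> list of authorizations,
# each authorization a dict of field -> permitted values. '*' means "all values".
USER_BUFFER = {
    "S_TCODE": [{"TCD": ["FB50", "SU53", "SU5*"]}],
    "F_BKPF_BUK": [
        {"ACTVT": ["03"], "BUKRS": ["1000"]},        # display only in company code 1000
        {"ACTVT": ["01", "02"], "BUKRS": ["2000"]},  # create/change only in company code 2000
    ],
}


def value_permitted(allowed, requested):
    """Match one requested value against a field's permitted values: '*' = all,
    a trailing '*' = prefix pattern (e.g. SU5*), otherwise an exact value."""
    for a in allowed:
        if a == "*" or a == requested:
            return True
        if a.endswith("*") and requested.startswith(a[:-1]):
            return True
    return False


def authority_check(buffer, obj, **fields):
    """Mimic an AUTHORITY-CHECK: the object must be in the buffer, and ALL requested
    fields must match within ONE authorization (values from two different
    authorizations for the same object do not combine)."""
    auths = buffer.get(obj)
    if not auths:
        return RC_OBJECT_MISSING
    for auth in auths:
        if all(value_permitted(auth.get(f, []), v) for f, v in fields.items()):
            return RC_PASS
    return RC_FIELD_MISSING


def run_transaction(buffer, tcode, obj, **fields):
    """The check flow from the page: S_TCODE first, then the transaction's own object
    with activity and organizational fields. Returns an ST01-style trace as a list of
    (object, return code); a non-zero last entry is the failed check SU53 would show."""
    trace = [("S_TCODE", authority_check(buffer, "S_TCODE", TCD=tcode))]
    if trace[-1][1] == RC_PASS:
        trace.append((obj, authority_check(buffer, obj, **fields)))
    return trace


if __name__ == "__main__":
    print(run_transaction(USER_BUFFER, "FB50", "F_BKPF_BUK", ACTVT="03", BUKRS="1000"))
    # ACTVT 01 and BUKRS 1000 each appear in the buffer, but never in the same authorization:
    print(run_transaction(USER_BUFFER, "FB50", "F_BKPF_BUK", ACTVT="01", BUKRS="1000"))
```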