Mickael QUESNOT ©
Motivation for change
Solution proposal
Objectives Directive
System Steps
Troubleshooting
Motivation for Change
• Due to timing constraints during the Picard and Fnac implementations, the approach regarding security was to manage accesses via the FIORI front end (apps/catalogue)
• This model facilitates the restriction of authorisation by assigning only the required applications per functional area to the FIORI catalogue
• The SAP S4 “backend” system authorisation restrictions are not necessary in this model (assignment of SAP_ALL)
• The initial premise was that only the FIORI UX would be used, therefore making this model sustainable
• Due to the change in approach from using solely the FIORI UX to the additional use of the S4 GUI, the requirement to manage authorizations has become necessary and urgent
• SAP’s audit findings will recommend that the SAP_ALL access be removed
• The proposed solution can be implemented in a relatively short time frame
Solution Proposal
• The Best Practice SAP standard roles are to be identified per functional area:
  • Finance
  • Store Operations
  • Buyer – (Pricing & Purchasing)
  • Master Data
  • DC Operations
• Custom composite “shell” roles will be created per functional area and contain the SAP Best Practice roles
• Analysis will be done to ensure that only low risk transactions overlap the functional areas, e.g. display transactions
• Organization area segregation is not critical at this point of time (no separation between Fnac and Picard, except store operations managed via FIORI)
Directive
• Identify SAP authorizations into 5 high level areas; this approach was taken to avoid future authorization issues due to changing business requirements
• Per operational area the SAP Standard Roles were identified. This was done in the following way: extract all roles from Table AGR_1251 (single roles only) (AGR_TCODES can be used for the transaction assignment)
• Roles were identified based on role name, e.g. *FI*, *CO*, *BUYER*
• An additional step was to ensure these roles have the required transactions per operational area
• Other helpful tools: T/Code SUIM
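The name-based role identification and the overlap analysis described above can be run offline against an export of AGR_TCODES. The following is an added example, not part of the original slides: the rows, the roles Z_FI_AP_INVOICE and Z_MD_ARTICLE, the `*MD*` pattern, the pattern-to-area mapping and the low-risk allowlist are all constructed assumptions.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# *FI*, *CO* and *BUYER* are the page's name patterns; the area each one
# maps to and the *MD* pattern are assumptions.
AREA_PATTERNS = {
    "Finance": ["*FI*", "*CO*"],
    "Buyer": ["*BUYER*"],
    "Master Data": ["*MD*"],
}
# Assumed allowlist of display-only transactions that areas may share.
LOW_RISK = {"ME23N", "FB03", "MM43"}

# Constructed rows shaped like an AGR_TCODES export: (AGR_NAME, TCODE).
# Z_FI_AP_INVOICE and Z_MD_ARTICLE are hypothetical role names.
ROWS = [
    ("Z_FI_AP_INVOICE", "MIRO"), ("Z_FI_AP_INVOICE", "FB03"),
    ("Z_FI_AP_INVOICE", "ME23N"),
    ("Z_BPR_BUYER_16", "ME21N"), ("Z_BPR_BUYER_16", "ME22N"),
    ("Z_BPR_BUYER_16", "ME23N"), ("Z_BPR_BUYER_16", "MIRO"),
    ("Z_MD_ARTICLE", "MM41"), ("Z_MD_ARTICLE", "MM43"),
    ("Z_MM_IM_REPORTS", "MIGO"),
]

def areas_of(role):
    """Return every functional area whose name patterns match the role."""
    return [area for area, patterns in AREA_PATTERNS.items()
            if any(fnmatchcase(role, p) for p in patterns)]

def overlap_report(rows):
    """Split transactions held by more than one area into accepted
    (low-risk) and needs-review; list roles the patterns cannot place."""
    areas_by_tcode = defaultdict(set)
    unplaced = set()
    for role, tcode in rows:
        areas = areas_of(role)
        if len(areas) != 1:        # no match, or matches several areas
            unplaced.add(role)
            continue
        areas_by_tcode[tcode].add(areas[0])
    shared = {t: sorted(a) for t, a in areas_by_tcode.items() if len(a) > 1}
    accepted = {t: a for t, a in shared.items() if t in LOW_RISK}
    review = {t: a for t, a in shared.items() if t not in LOW_RISK}
    return accepted, review, sorted(unplaced)

if __name__ == "__main__":
    accepted, review, unplaced = overlap_report(ROWS)
    print("shared, low risk:", accepted)
    print("shared, review  :", review)
    print("unplaced roles  :", unplaced)
```

Name matching is coarse: with these patterns `*CO*` also places Z_MM_PUR_CONDITIONS under Finance, which is why the transactions of each matched role still need to be checked per operational area.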
System Steps
▪Once SU25 has run the SAP roles should be completed (60%)
▪Next make copies of the SAP standard roles; this is best practice, as the SAP standard roles might change with an upgrade
▪This is done using T/Code PFCG (or mass program - ZZ_PAUL_COPY_PFCG)
SAP_MM_PUR_LIS_GENERAL
Z_MM_PUR_LIS_GENERAL
System Steps
Z_BPR_BUYER_16
Z_ISR_PUR_PURCHASEORDER
Z_ISR_PROMOTION_ADMIN
Z_MM_PUR_CONDITIONS
Z_MM_IM_REPORTS
System Steps – SAP Solution
• https://help.sap.com/saphelp_ewm92/helpdata/en/85/be3fff35604fa09a1668dd97ef4407/frameset.htm
Troubleshooting
[Diagram: functional areas Finance, Logistics, Purchasing and Master Data; transactions ME21N, ME22N, MIRO and MIGO]
▪This was a Finance user that received this error, and if the business decides that the Finance user must create articles, assign the Master Data composite role to this user only
Troubleshooting
• There are 2 possible reasons why an authorization is missing:
  • The user does not have the transaction because none of the roles assigned to the user contain the transaction
    • To resolve (high level): find a role with the required auths and assign it to the user / composite role
  • The user has the transaction contained in a role already assigned; this scenario is a little more difficult to resolve
    • See next steps
Troubleshooting
▪If the Master User is missing this authorization, the following steps will assist in correcting the missing authorization:
▪Is the transaction an operational specific sensitive transaction, e.g. MM41?
▪If this is the case, the transaction must only be assigned to the composite role of the operational area, here Z_DONNEES_MAITRES
▪Always ask the user to run T/Code SU53 directly after the authorization error:
▪The user's SU53 can be viewed by you by clicking
Troubleshooting