
IBM Global Business Services

INTRODUCTION TO ELEMENTS OF AUTHORIZATION

SAP/Introduction to Elements Of Authorization

March-2007

2007 IBM Corporation



Objectives
The participants will be able to:
- know about the authorization architecture upon which SAP works
- key authorization concepts
- authorization architecture key components (e.g. roles, profiles etc.)



The SAP application security mechanism in R/3 systems is controlled by means of authorizations.
What are authorizations?
Authorizations consist of values by means of which users are allowed to conduct activities within the R/3 system.
Authorizations are the basic building blocks of SAP NetWeaver security, which consists of the following components:
- Authorization object class
- Authorization objects
- Authorization fields and field values
- Profiles
- Roles
- Users


[Schematic: an authorization object class contains authorization objects; Authorization 1, Authorization 2 and Authorization 3 are built from those objects and grouped into profiles; profiles are grouped into roles, which are assigned to the user; the roles give the user access to TRANS 1, TRANS 2 and REPORTS.]


Authorization object class

An authorization object class encompasses all the authorizations within it.
Object classes are segregated based on the different components of the system, e.g. Basis, FI, HR etc.
An auth. object class can contain multiple objects, which are subsequently required for gaining access to run certain activities, e.g. executing transactions and reports.



Authorization objects
They are containers for the authorization fields and their respective field values. A maximum of ten fields can be present per object, and the fields are related by an AND condition, i.e. only if all field values are satisfied is the concerned user allowed to execute that activity.
This allows complex tests of an authorization against multiple conditions.
NB: An authorization object can belong to a single class only.



Authorization Fields and Field Values
In authorization objects, authorization fields represent the values to be tested during authorization checks.
In the SAP R/3 system, transactional security is maintained within the authorization fields, where the fields' authorization checking occurs. Examples of authorization fields include: company codes, sales distribution groups, user groups, activity, application areas and development classes.



PROFILES
Profiles are containers in which standard as well as additional authorizations are encompassed and associated with a respective user in the user master record.
User authorizations are associated with users in the form of profiles only.
Profiles are of two types: simple profiles and composite profiles.



SIMPLE PROFILES - User profiles match a user to their job function, e.g. an accounts receivable clerk requires access to the specific authorization objects enabling him/her to process the tasks required for the job.
Certain standard profiles are supplied by SAP by default. Changing the content of a profile changes the authorizations of all users using that profile.



COMPOSITE PROFILES - These are profiles consisting of one or more user or composite profiles, and the number of profiles is unlimited. Generally composite profiles are used for individuals who have a variety of multi-domain tasks to perform.



ROLES
Roles are simply a grouping of activities (or tasks) a user has authorization to access and/or perform.
Roles are based on the jobs that a particular user is authorized to conduct within the R/3 system. E.g. a purchasing department clerk who is responsible for creating purchase requests need not have access to tables storing invoice details. A role assigned to a user also determines the list of transactions that are to be part of the customized user menu. Only the transactions, reports and web addresses included within the assigned roles are visible to the user.



USERS
Users are the entities to which profiles are assigned, in the form of roles. A user is assigned one or more profiles by the system administrator; these profiles define all of the user's system authorizations.


QUESTIONS???


ELABORATE ON AUTHORIZATION CONCEPTS, AUTHORIZATIONS, PROFILES & ROLES


SAP AUTH. CONCEPTS


Objectives
This will present an overview of:
- SAP authorization concepts
- Brief discussion on roles, profiles, authorization data


SAP AUTH. CONCEPTS (contd.)


[Schematic: transaction TRANS A checks AUTH OBJECT A and AUTH OBJECT B. AUTH 1 (User1): Fld1 ACTVT = 2, Fld2 Company Code = X1. AUTH 2 (User2): Fld1 ACTVT = 3, Fld2 Company Code = X2. The authorizations are held in user profiles, which are grouped into composite profiles and roles and assigned to USER1.]

AUTH. OBJECT CLASS

AUTHORIZATION OBJECT CLASS - An auth. object class relates to a specific functional area in the SAP application, e.g. SD, FI, HR, Basis etc.
Each authorization object present within the SAP system belongs to a single authorization object class only.
E.g.: BC_A object class for Basis Administration
      BC_C object class for Basis


AUTH. OBJECT
An auth. object is a collection of fields and field values which make up the authorizations. Each object can contain a maximum of 10 fields, depending upon the transaction, and each field can contain multiple values. Each combination of field values constitutes an authorization.
Authorization objects are primarily used for security checks performed on a transaction prior to execution. Whether the user has suitable authorizations for running the transaction is found out by comparing the field values present in the user buffer with the allowable field values of the object.


AUTH. OBJECT FIELDS & FIELD VALUES

Fields are the attributes of the entity, i.e. the object.
Each individual combination of field names with field values makes up an authorization.
E.g. object F_BKPF_BUK is an object belonging to the FI object class which has two fields, namely:
a) BUKRS (company code)
b) ACTVT (activity, i.e. view, change etc.)


PROFILES
Profiles consist of user authorizations for multiple authorization objects belonging to various authorization object classes. Since profiles are directly mapped to the roles with which users are associated in the user master record, a profile contains authorization data from various auth. objects belonging to different classes.
Authorization profiles give users access to the system. They contain authorizations, which are identified using the name of an authorization object and the name of an authorization. If a profile is specified in a user master record, the user is assigned all of the authorizations defined in this profile.
E.g.:
SAP_ALL
SAP_NEW
P_BAS_ALL


PROFILES (Contd.)
Other S_xxx profiles - The profiles described in the following are simply models. In general, the settings for the individual objects in these profiles must be restricted on a function basis. They are as follows:
S_A.SYSTEM
S_A.ADMIN
S_A.CUSTOMIZ
S_A.DEVELOP
S_A.DOKU
S_A.USER
S_ENT_IMG_GE
S_WF_ALL


ROLES
R/3 system security is role based.
Roles are templates which contain authorizations and to which users are assigned, so that the user is able to execute all the transactions and reports detailed under that role.
Role-based security is a form of user-level security where the application does not focus on the individual user's identity, but rather on a logical role they occupy.
The application can query these groups (through the authority check process) and make security decisions based on the group's authorization object settings. For example, if access to a particular transaction is restricted to members of the HR Admin role, a local group called HR_Admin can be created to represent that role.
A role describes the activities of a user and allows the display of user-specific menus in the SAP system. Predefined or self-created roles can be assigned to any number of users. Roles also contain the authorizations with which users can access the reports and Web-based applications that are contained in the menu.


ROLES (Contd..)

Roles are also of two types:
a) Simple - a single role
b) Composite - a collection of multiple simple and composite roles
E.g. of roles: CS0075, DSP0095 etc.


AUTHORIZATIONS
Authorizations are the key building blocks of SAP security. Authorization is the process of assigning values to the fields present in authorization objects. Sometimes users find that they lack the necessary authorizations to perform a certain function in the system, in which case the message "You are not authorized..." is displayed at the bottom of the screen.


AUTHORIZATIONS (Schematic representation)

[Schematic: authorizations for a purchase order (P.O).]
  AUTH 1: BUKRS (Comp. Code) = 2,   ACTVT = Create
  AUTH 2: BUKRS (Comp. Code) = All, ACTVT = View
  AUTH 1 is held in PROFILE 1 and AUTH 2 in PROFILE 2; the two form a COMPOSITE PROFILE.
  ROLE 1 contains both authorizations; ROLE 2 contains only profile 2.


CONCEPT OF AUTHORIZATION CHECKS



Objectives
The participants will be able to:
- know about the authorization checks which are applicable for SAP
- different types of authorization checks
- different tables and authorization objects involved



R/3 enforces the authorization concept by performing authority checks. These checks make sure that the user has the appropriate authorizations in his/her own master record before allowing him/her to perform any action.
There are basically 4 types of authority checks:
- R/3 start transaction authorization
- Transaction-specific authorization
- Authority check at program level
- Report classes and table authorization groups



The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering the TCODE. For more complex transactions, which call other transactions, there are additional authorization checks which check the validity.
The system first checks whether the authorization object S_TCODE has the value of the transaction as a field value in the field TCD. If so, it proceeds to the next level, or else it exits.
Then a check is made whether the user has authorization for the authorization object corresponding to the transaction being called. This mapping of authorization objects to transaction codes is stored in table TSTCA.



With authorization checks, the SAP R/3 administrator can restrict users from viewing confidential data on screen or deny them access to certain transactions.
E.g., organization ABC has two departments, each supervised by a different manager. The business process and company guidelines demand that the users of one department cannot view the salary structure of the other. Also, the person running a cost report is shown only the costs incurred as a result of activities performed in his or her own division, and the rest of the data should not be visible to that person.


ELABORATE VIEW OF THE CONCEPT OF AUTHORIZATION CHECK

Objectives: The audience will be able to get an overview of:
- different types of authority checks in SAP
- different tables and transactions involved

Why are auth checks required?
When a transaction is initiated, the SAP application internally performs a series of checks (kernel-level and ABAP program-level checks) to ensure that the user who initiated the transaction has the authority to do so.
The checks are done in the following order:
1. The program checks whether the transaction code exists in table TSTC.
2. The program checks whether the transaction code has been locked by the administrator (transaction code SM01).
3. The program checks whether the user has the authority to start the transaction.

The SAP application performs security-oriented authorization checks at two levels:
- at the kernel level (incorporated into the application/system)
- at the runtime level (ABAP program-level check)
The kernel-level checks are performed when a transaction is initiated, while the program-level check takes place only after the kernel-level checks are successful.

The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.
If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitably defined authorization object (TSTA, table TSTCA).
If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful if you want to protect a transaction with a separate authorization. If this is not the case, you should consider other methods of protecting the transaction (such as AUTHORITY-CHECK at program level).

The check is not performed in the following cases:
- The admin has deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, the admin has removed an authorization object entered using transaction SE93.
  This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
- The admin has globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.
For the entries that the admin has made with transactions SU24 and SU25 to become effective, he must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to Y (using transaction SA38 and selecting report RSPARAM).

AUTHORIZATION CHECK (TRANS SU53)
[Slide contains only a screenshot of transaction SU53; not reproduced.]

PROGRAM LEVEL CHECK
Authorization checks in programs are performed using the ABAP statement AUTHORITY-CHECK.
Whenever a transaction is initiated, the SAP program responsible for running it performs the ABAP program-level check; the programmers place the AUTHORITY-CHECK statement/condition within this program.
The following authorization checks are performed through these check statements:
- the authorization object for that transaction
- the corresponding field values for each of the fields present within the object; only if an allowable combination of field values is found is the transaction allowed to run, otherwise it stops with an error message.

After the checks are performed, the system returns a return code, which is one of the following, based on the result arrived at by the system:
- 0: the user has access to the auth object as well as the right field values, so he/she can continue to execute the transaction.
- 4: the user has the authorization for the auth object(s) required for executing the transaction, but the field values do not match, and the user cannot continue further.
- 12: the user does not have any kind of authorization for the object and therefore cannot be allowed to run the transaction.
- 16: no profile mapped to the corresponding user can be found in the user master record.
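The whole chain these slides describe, from user master record to return code, as an added Python simulation (not SAP code and not part of the course material): constructed profiles mirroring the purchase-order schematic (AUTH 1 = company code 2 / create, AUTH 2 = all company codes / display), the S_TCODE start check, the additional TSTCA object, and the AUTHORITY-CHECK return codes 0/4/12/16. The ZFI_* transaction codes, the TSTCA entry and all master data are placeholders; ACTVT 01/03 are the standard SAP codes for create/display.

```python
"""Toy model of the SAP R/3 authorization checks described in these slides.
All master data below is constructed sample data, not SAP's own tables."""

# Return codes of the ABAP AUTHORITY-CHECK statement, as listed on the slide.
RC_OK, RC_FIELDS_MISMATCH, RC_NO_AUTH_FOR_OBJECT, RC_NO_PROFILE = 0, 4, 12, 16

# Simple profiles: object -> list of authorizations, each a dict field -> allowed
# values ("*" = all values). Mirrors the schematic: AUTH 1 = company code 2 /
# create (ACTVT 01), AUTH 2 = all company codes / display (ACTVT 03).
PROFILES = {
    "PROFILE_1": {"S_TCODE": [{"TCD": {"ZFI_POST"}}],
                  "F_BKPF_BUK": [{"BUKRS": {"2"}, "ACTVT": {"01"}}]},
    "PROFILE_2": {"S_TCODE": [{"TCD": {"ZFI_DISP"}}],
                  "F_BKPF_BUK": [{"BUKRS": {"*"}, "ACTVT": {"03"}}]},
}
COMPOSITE_PROFILES = {"COMP_PROFILE": ["PROFILE_1", "PROFILE_2"]}
ROLES = {"ROLE_1": ["COMP_PROFILE"], "ROLE_2": ["PROFILE_2"]}
USERS = {"USER1": ["ROLE_1"], "USER2": ["ROLE_2"], "USER3": []}  # user master records

# Transaction data: TSTC (transaction exists), locks set with SM01, and TSTCA
# (additional authorization object maintained with SE93). ZFI_* are placeholders.
TSTC = {"ZFI_POST", "ZFI_DISP", "ZFI_ADMIN"}
LOCKED = {"ZFI_ADMIN"}
TSTCA = {"ZFI_POST": ("F_BKPF_BUK", {"BUKRS": "2", "ACTVT": "01"})}


def user_buffer(user):
    """Flatten roles -> (composite) profiles -> authorizations into the user
    buffer. Returns None when no profile is mapped in the user master record."""
    buffer = {}

    def add(profile):
        if profile in COMPOSITE_PROFILES:          # composite: recurse into members
            for member in COMPOSITE_PROFILES[profile]:
                add(member)
        else:
            for obj, auths in PROFILES[profile].items():
                buffer.setdefault(obj, []).extend(auths)

    for role in USERS.get(user, []):
        for profile in ROLES[role]:
            add(profile)
    return buffer or None


def authority_check(user, obj, required):
    """Program-level AUTHORITY-CHECK on one object: fields inside a single
    authorization are ANDed; several authorizations for the object are ORed."""
    buffer = user_buffer(user)
    if buffer is None:
        return RC_NO_PROFILE
    if obj not in buffer:
        return RC_NO_AUTH_FOR_OBJECT
    for auth in buffer[obj]:
        if all(val in auth.get(fld, ()) or "*" in auth.get(fld, ())
               for fld, val in required.items()):
            return RC_OK
    return RC_FIELDS_MISMATCH


def start_transaction(user, tcode):
    """Kernel-level start checks in the slides' order, then the TSTCA object."""
    if tcode not in TSTC:
        return "no such transaction"
    if tcode in LOCKED:
        return "transaction locked (SM01)"
    if authority_check(user, "S_TCODE", {"TCD": tcode}) != RC_OK:
        return "not authorized: S_TCODE"
    if tcode in TSTCA:
        obj, fields = TSTCA[tcode]
        if authority_check(user, obj, fields) != RC_OK:
            return "not authorized: " + obj
    return "started"
```

Note that USER1 cannot combine BUKRS "*" from AUTH 2 with ACTVT "01" from AUTH 1: field values are only ANDed within one authorization, so a request for company code 9 with activity create yields return code 4.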


ELABORATE AUTHORIZATION OBJECT S_TCODE


S_TCODE AUTHORIZATION OBJECT OVERVIEW


Objectives
Overview of the S_TCODE authorization object


INTRODUCTION
Q. What fundamental authorization object is to be used as the first line of defense in checking authorization for a transaction code?
Ans: S_TCODE
S_TCODE is the primary check for almost all SAP authorization checks. You can prevent a transaction from being accessed simply by removing the transaction code from S_TCODE in a role. Even if the other authorizations exist, the user will not have access to the transaction.
When a transaction is run, the SAP kernel checks the transaction code as a value against the authorization object S_TCODE.


S_TCODE AUTHORIZATION OBJECT OVERVIEW - Contd..

E.g. if a user has the authority to execute transaction PFCG, the authorization values would be as follows:
Authorization: Profile Generator
  FIELD   VALUE
  TCD     PFCG


This authorization object determines the transactions that an administrator can assign to a
role, and the transactions for which he or she can assign transaction authorization (object
S_TCODE).
Note that a user can only maintain ranges of transactions for the S_TCODE authorization
object in the Profile Generator if he or she has full authorization for the S_USER_TCD
authorization object. Otherwise, he or she can only maintain individual values for the
S_TCODE object.


EXCEPTIONS TO S_TCODE AUTHORITY CHECK


EXCEPTIONS TO S_TCODE
Objectives
Detailed discussion on the exceptions to S_TCODE

The check is not performed in the following cases:
- You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.
  This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
- You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.

In order for the entries that have been made with transactions SU24 and SU25 to become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to Y (using transaction RZ10).
