This session is intended to provide an introduction to SAP security for SAP R/3 (4.6c/4.7) and ECC (5.0/6.0) environments, with particular focus on the authorization concept and how it supports the structural framework used in defining user access requirements.
Agenda:
Overview of SAP
Overview of SAP Security
SAP Authorization Concept Details
Profile Generator (PFCG)
Overview of SAP
What is SAP?
SAP integrates all business processing through one application
Links operational results and the financial aspects of those results
SAP can track financial results, procurement, sales, manufacturing, human resources and payroll
SAP comprises 18-20 modules in finance, logistics and HR
One or more SAP modules can be implemented
SAP is typically accessible by the entire business organization
Most company information and transactions originate from SAP
An order in SAP can automatically generate an inventory movement and purchase order without any human intervention
How SAP Works
SAP Modules
MM: Purchasing, Goods receipt, Inventory Control, Invoice Verification
SD: Sales, Distribution, Invoicing
PP: Re-order control, Production Planning & Control
FI (Financial Accounting): Accounts payable, Accounts receivable, General ledger, Cash management, Consolidation
IM: Inventory Management
BASIS: Application Security, Segregation of Duties, Change Control, System Parameters
AM: Asset accounting
HR (Human Resources): Personnel Administration, Payroll Accounting
CO (Controlling): Cost Center / Profit Center, Profitability Analysis
SAP in Numbers
Scope and role SAP plays in today's global economy:
85% of the Fortune 500 run SAP software
80% of Fortune 1,000 companies run SAP software
60% of Fortune 2,000 companies run SAP software
70% of the world economy's transactions in some shape or form touch an SAP system
2.5 billion utility bills are processed by SAP software each year
65% of all chocolate in the world is manufactured using SAP software
SAP in Numbers
Based on software revenue, SAP is the number one business software supplier in every industry and solution segment
SAP has developed and markets more than 25 industry-specific software solutions
SAP has more than 82,000 customers across 120 countries
Approximately 64,000 SAP customers are small businesses or midsize companies
SAP is the first leading vendor to deliver a comprehensive suite of integrated SOA-based enterprise software solutions
43,000 systems currently run on the SOA-ready SAP NetWeaver platform
13,000 systems currently run on NetWeaver-based SAP ERP 6.0
Source: http://www.optimalsol.com/NE-Thought-SAP-Economic-Upturn-One.html
Profile
A Profile is a key ring that contains authorizations (cut keys)
Authority Checks
Performed by SAP to ensure that a user ID has the correct authorization object and field value combination (cut key) to execute a particular task
There may be multiple authority checks in one program (typically one at the start of the program as well as throughout the program)
Authorization Object
An authorization object is a template for security that contains fields with blank values (an uncut key)
An Authorization Object may be reused for many transactions
Authorization Objects and Field Values are stored in two key SAP tables
> USOBX_C: Transaction-to-object relationships
> USOBT_C: Transaction-to-object field value relationships
Both tables are maintained via transaction code SU24 and used by PFCG (Profile Generator)
Level 1: User ID Access (login with User ID and Password)
Level 2: Transaction Code Access (Object: S_TCODE; examples: FB01, MM01)
Level 3: Authorization Access in a specific context (examples: F_BKPF_BUK, M_MATE_BUK)
Example: generic building blocks
Object: F_BKPF_BUK; Field 1: Activity (ACTVT); Field 2: Company (BUKRS)
Scenario: user wants to change a posting for PwC
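The key-ring analogy and the three access levels above can be made concrete with a small model of how an authority check is evaluated. The following is an added example written for this page, not SAP code: the `Authorization`, `value_matches`, `authority_check` and `change_posting` names, and the `AP_CLERK` profile, are constructed here to mirror the semantics of ABAP's `AUTHORITY-CHECK` statement (one authorization must cover every requested field; values from different authorizations for the same object are never combined). Field values use SAP's low/high convention, with `*` as the full wildcard and a trailing `*` as a generic value.

```python
"""Simplified model of the SAP authorization concept: a profile is a key ring of
authorizations (cut keys) and an authority check tests whether one of them fits.
Added example, not SAP code; the profile below is a constructed sample."""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One cut key: an authorization object with concrete field values.
    Each field holds a list of (low, high) entries; high == "" means a single
    value or a pattern such as "FK*", and low == "*" means 'any value'."""
    obj: str
    fields: dict


def value_matches(entries, value):
    """Does one field's list of values/ranges cover the requested value?"""
    for low, high in entries:
        if low == "*":
            return True
        if high:                               # inclusive range low..high
            if low <= value <= high:
                return True
        elif low.endswith("*"):                # generic value, e.g. "FK*"
            if value.startswith(low[:-1]):
                return True
        elif low == value:
            return True
    return False


def authority_check(profile, obj, **wanted):
    """Mimics ABAP's AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2:
    passes if at least one authorization for that object covers every
    requested field. Fields are never mixed across two authorizations."""
    return any(
        auth.obj == obj
        and all(value_matches(auth.fields.get(f, []), v) for f, v in wanted.items())
        for auth in profile
    )


# Constructed profile for an accounts-payable clerk (hypothetical values):
# may create/change postings in company codes 1000-1099, display anywhere.
AP_CLERK = [
    Authorization("S_TCODE", {"TCD": [("FB01", ""), ("FB02", ""), ("FK*", "")]}),
    Authorization("F_BKPF_BUK", {"ACTVT": [("01", ""), ("02", "")],
                                 "BUKRS": [("1000", "1099")]}),
    Authorization("F_BKPF_BUK", {"ACTVT": [("03", "")], "BUKRS": [("*", "")]}),
]


def change_posting(profile, tcode, company):
    """Levels 2 and 3 of the slide: transaction access via S_TCODE, then the
    object check in context (ACTVT 02 = change, BUKRS = company code)."""
    if not authority_check(profile, "S_TCODE", TCD=tcode):
        return "denied at S_TCODE"
    if not authority_check(profile, "F_BKPF_BUK", ACTVT="02", BUKRS=company):
        return "denied at F_BKPF_BUK"
    return "allowed"


if __name__ == "__main__":
    for tcode, company in [("FB02", "1000"), ("FB02", "2000"), ("FB03", "1000")]:
        print(tcode, company, "->", change_posting(AP_CLERK, tcode, company))
```

The second `F_BKPF_BUK` authorization (display in every company code) does not let the clerk change a posting in company code 2000, even though another authorization grants activity 02: that is exactly why each authorization must be evaluated as a whole key rather than as a pool of field values.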
Keep in mind! In SAP, you can perform the same function with different transactions
Example: Create Vendor can be performed with transaction MK01, FK01 or XK01
USOBX_C table
Columns: T-code, Object, Flag (N = No Check, C = Check, CM = Check/Maintain)
> Ignore U since it is essentially the same as C
USOBT_C table
Columns: T-code, Object, Field, Low, High
Maintaining these tables is the key to increasing efficiency, consistency, and integrity of the role design and future design changes by avoiding manual and changed authorizations in the roles.
SAP Tables
USOBX_C: Object, Flag
These tables are client independent: modifications made via transaction code SU24 affect all clients in an SAP system.
Why are These Tables Misused and Underutilized?
Many companies do not even use transaction SU24 to maintain their customer tables (USOBX_C and USOBT_C)
Others do some maintenance via transaction SU24, but do not fully understand the relationship between these underlying tables and the Profile Generator (PFCG)
These tables are a key to reducing the maintenance and risk associated with roles!
N: No Check
We do not have the ability to turn on an object that is not checked by SAP, as that would require changes to the source code. However, we can bypass checks with the check indicator flags. To bypass a check, set the flag to No Check. This is useful for objects where every value is starred (*) in every instance the object is used, i.e. the object is not used for security control. We can only bypass authority checks by moving the check mark to No Check. Basis objects (S_*) cannot be disabled.
C: Check
SAP default
An authority check is performed by SAP if the ABAP code calls it, but the Profile Generator (PFCG) will not include the object in any roles created with the tcode
U: Unmaintained
This check status is rarely used
This status is very similar to the Check status: an authority check statement can still be called, and no object values will be maintained or entered into the Profile Generator.
Transaction Codes:
SU01
SU02: Profile Maintenance (Simple and Composite profiles): Create Profile, Change Profile, Delete Profile, Assign Authorizations
SU03: Authorization Maintenance: Create Authorization, Change Authorization, Delete Authorization
The profile generator is an automated tool (transaction code PFCG) used to assist in the design, capture and maintenance of profiles
Simplifies the Authorization process
Uses transaction codes to define access
Based on the TRANSACTIONS selected, SAP determines the related AUTHORIZATION OBJECTS and, where applicable, the FIELD VALUES from tables USOBX_C and USOBT_C
The remaining FIELD VALUES for the selected AUTHORIZATION OBJECTS need to be filled in to create the AUTHORIZATIONS
A Role is therefore a collection of Authorizations
When generated, a Role creates a corresponding Profile
PFCG uses the USOBX_C and USOBT_C tables to pre-fill the Authorizations tab of a role based on the transaction codes entered on the Menu tab of a role
PFCG will look up the objects with a Check/Maintain flag and populate the Authorizations tab
Simple Role Example: 1. Create a simple role and add t-code SE16 Data Browser to the Menu tab
(Screenshot comparison: the USOBT_C table entries for SE16 next to the Authorizations tab that PFCG generates from the t-code)
Object status definitions
Standard: Auth object was inserted from USOBT_C, and all fields were filled in by default. (Nice, nothing to do)
Maintained: Auth object was inserted from USOBT_C, and the administrator filled in the blank fields, without changing the default values from USOBT_C. (Working with the table)
Changed: Auth object was inserted from USOBT_C, and the administrator changed a default field value from the recommended value in USOBT_C. (Fighting with the table)
Manual: Auth object was manually inserted into the role, and was not brought in by USOBT_C. This object is not related to any tcode on the Menu tab and will not be removed when the Menu tab changes. (Ignoring the table)
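The interplay between the SU24 tables, the check indicators (N, C, CM) and the object statuses PFCG reports is easiest to see by running the pre-fill logic over a small set of table rows. The following is an added example written for this page, not SAP code: the `USOBX_C` and `USOBT_C` rows are constructed samples (the object and field names are real SAP names, but the flags and default values are not the actual SU24 defaults for SE16 or FB01), and `build_role`, `open_fields`, `maintain`, `add_manual` and `regenerate` are hypothetical functions that model what PFCG does when a role is built, maintained and regenerated after a Menu tab change.

```python
"""Simplified model of how PFCG pre-fills a role's Authorizations tab from the
SU24 tables USOBX_C and USOBT_C, and of the object statuses that result.
Added example, not SAP code; the table rows below are constructed samples, not
the real SU24 defaults for these transactions."""
from copy import deepcopy

# USOBX_C: (tcode, object, check indicator); N = no check, C = check, CM = check/maintain
USOBX_C = [
    ("SE16", "S_TABU_DIS", "CM"),
    ("FB01", "F_BKPF_BUK", "CM"),
    ("FB01", "F_BKPF_KOA", "C"),   # still checked at runtime, but PFCG will not propose it
    ("FB01", "F_BKPF_GSB", "N"),   # check bypassed at runtime, never proposed
]
# USOBT_C: (tcode, object, field, low, high); a blank low means "no default value"
USOBT_C = [
    ("SE16", "S_TABU_DIS", "ACTVT", "03", ""),
    ("SE16", "S_TABU_DIS", "DICBERCLS", "", ""),
    ("FB01", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("FB01", "F_BKPF_BUK", "BUKRS", "", ""),
]


def _new_entry():
    return {"fields": {}, "defaults": {}, "status": "Standard", "tcodes": set()}


def build_role(menu_tcodes):
    """Pre-fill authorizations for the transactions on the Menu tab: S_TCODE for
    every transaction, plus each USOBX_C object flagged CM with its USOBT_C values."""
    role = {}
    for tcode in menu_tcodes:
        s_tcode = role.setdefault("S_TCODE", _new_entry())
        s_tcode["fields"].setdefault("TCD", []).append((tcode, ""))
        s_tcode["tcodes"].add(tcode)
        for x_tcode, obj, flag in USOBX_C:
            if x_tcode != tcode or flag != "CM":
                continue                       # N and C objects are not proposed
            entry = role.setdefault(obj, _new_entry())
            entry["tcodes"].add(tcode)
            for t_tcode, t_obj, fld, low, high in USOBT_C:
                if t_tcode == tcode and t_obj == obj:
                    values = entry["fields"].setdefault(fld, [])
                    if low and (low, high) not in values:
                        values.append((low, high))
    for entry in role.values():
        entry["defaults"] = deepcopy(entry["fields"])   # remember what the table proposed
    return role


def open_fields(role, obj):
    """Fields the table left blank; the administrator must fill these."""
    return sorted(f for f, v in role[obj]["fields"].items() if not v)


def maintain(role, obj, fld, low, high=""):
    """Administrator enters a value. Filling a blank keeps the defaults intact
    (Maintained); overwriting a USOBT_C default is fighting the table (Changed)."""
    entry = role[obj]
    entry["fields"][fld] = [(low, high)]
    if entry["status"] == "Manual":
        return
    if entry["defaults"].get(fld):
        entry["status"] = "Changed"
    elif entry["status"] == "Standard":
        entry["status"] = "Maintained"


def add_manual(role, obj, fields):
    """Object inserted by hand: not tied to any menu transaction."""
    entry = _new_entry()
    entry["fields"] = {f: [(v, "")] for f, v in fields.items()}
    entry["status"] = "Manual"
    role[obj] = entry


def regenerate(role, menu_tcodes):
    """Menu tab changed: rebuild from the tables, keep administrator input on
    objects that are still proposed, and keep Manual objects unconditionally."""
    new = build_role(menu_tcodes)
    for obj, entry in role.items():
        if entry["status"] == "Manual":
            new[obj] = entry
        elif obj in new and entry["status"] in ("Maintained", "Changed"):
            new[obj]["fields"].update({f: v for f, v in entry["fields"].items() if v})
            new[obj]["status"] = entry["status"]
    return new


if __name__ == "__main__":
    role = build_role(["SE16", "FB01"])
    for obj, entry in role.items():
        print(obj, entry["status"], "open fields:", open_fields(role, obj))
```

Two things the run makes visible: `F_BKPF_KOA` (flag C) is still checked by the ABAP code at runtime but never lands in the role, which is the usual reason a user "has the transaction" and still gets an authorization failure; and a Manual object survives every Menu change, which is why manual objects accumulate in roles unless SU24 is maintained instead.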
SAP Security
Questions
Contact Us
Cleberson R. Siansi
cleberson.r.siansi@us.pwc.com (248) 219 5394
Stephen F. Rose
stephen.f.rose@us.pwc.com (248) 312-8923