
MINS 298C

SAP Configuration & Use: Security


Copyright 1996, 1997, 1998- James R. Mensching, Gail Corbitt
Contents of this file are for the exclusive use of the special
MINS 298C class dealing with SAP software at CSU Chico
for the Fall, 1998 semester. Any other use in either electronic
or hardcopy form is prohibited without the express written
permission of the author. This material is confidential.
Do not share it with anyone not enrolled in the class.

CSU Chico
02/14/98
SAP AG

Security Lecture
SAP Security Lecture

SAP Security
Purpose of Security:

Assign users rights to perform job tasks that they need to do.

Prohibit users from doing tasks that they are not supposed to do.

Objectives of presentation

Define key security concepts

Examine relationship between user and security concepts

Apply concepts to real situations


SAP Security
Security is performed at the object level

30+ object classes, such as Basis Administration, FI, MM Master Data (view the objects within a class using SU03)

About 500+ objects within the 30+ classes

SAP security works on a pass-fail system: it checks constraints until it finds a failure.

Levels of setting:

Authorization object in the form of an authorization (a test on an object)

Profile (a set of authorizations)

User ID


SAP Security Framework

[Diagram: Object Authorizations are grouped into Functional Profiles; Functional Profiles are combined into a Job Profile; the Job Profile is assigned to a User ID, which belongs to the USER.]

SAP Security Framework

[Diagram: Functional Profiles are grouped into Class Profiles; Class Profiles are combined into a Job Profile; the Job Profile is assigned to a User ID, which belongs to the USER.]
SAP Security Components

Authorization Object: something in the system that potentially needs protecting (company code, document type, etc.)

Fields: attributes that can be used to set protection (110 fields per object, varying with the object)

Activity: such as create, update, delete, view

Authorization Group: values that the object needs

IDOC Type

Profile (set of authorizations)

User Master Record (all profiles for that user)


SAP Security Components

Levels of Security Administration:

SAP Super User

User ID Maintenance: User IDs

Activation Administration: Profiles

Authorization Maintenance: Authorizations (values of objects)

Program Developer: Objects & Classes


SAP Security and Business Processes

[Diagram: a business PROCESS is made up of Business Tasks; each Business Task is covered by Object Authorizations; the Object Authorizations are grouped into Functional Profiles, which make up the Job Profile assigned to the User ID of the User.]
SAP Security

Authorization: set of specified values for fields in an Authorization Object = test conditions for the object

Standard authorizations provided by SAP, for example:

Object: F_BKPF_BED: Customer Account

Activity: *

Account Group: *

Never change or delete an SAP authorization

Custom authorizations (should start with Z)


SAP Security Example

Object Class: Financial Accounting
Authorization: ZS_D01
Authorization Object: F_BKPF_BED: Customer Account
Activity: 01-03, 10 (create, change, print, post)
Account Group: CALF, HAW

SAP programs perform AUTHORITY-CHECK on objects for values in fields
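The pass-fail evaluation described on these slides, worked through in Python as an added example (not code from the lecture or from SAP): the custom authorization ZS_D01 and a standard authorization with * values are placed in simple and composite profiles, and a model of AUTHORITY-CHECK tests requested field values against them. The technical field names ACTVT and BRGRU for Activity and Account Group, and the profile names other than AA:FIAR_M01, are assumed or constructed for the example.

```python
from dataclasses import dataclass, field


def value_matches(spec: str, value: str) -> bool:
    """'*' matches anything, 'lo-hi' is an inclusive range, otherwise exact match."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return lo <= value <= hi
    return spec == value


@dataclass
class Authorization:
    name: str
    obj: str      # authorization object, e.g. F_BKPF_BED
    fields: dict  # field name -> list of value specs set on this authorization

    def permits(self, requested: dict) -> bool:
        # Pass-fail: every requested field must be satisfied; the first
        # field without a matching value makes the whole test fail.
        for fname, value in requested.items():
            if not any(value_matches(s, value) for s in self.fields.get(fname, [])):
                return False
        return True


@dataclass
class Profile:
    name: str
    authorizations: list = field(default_factory=list)  # simple profile content
    profiles: list = field(default_factory=list)        # composite profile members

    def all_authorizations(self):
        yield from self.authorizations
        for p in self.profiles:
            yield from p.all_authorizations()


def authority_check(user_profiles: list, obj: str, **requested: str) -> bool:
    """Model of AUTHORITY-CHECK: passes if any authorization for the object in the user's profiles satisfies every field."""
    return any(a.obj == obj and a.permits(requested)
               for p in user_profiles for a in p.all_authorizations())


# Constructed data taken from the lecture's example (field names ACTVT/BRGRU assumed)
ZS_D01 = Authorization("ZS_D01", "F_BKPF_BED",
                       {"ACTVT": ["01-03", "10"], "BRGRU": ["CALF", "HAW"]})
SAP_STD = Authorization("F_BKPF_BED", "F_BKPF_BED", {"ACTVT": ["*"], "BRGRU": ["*"]})
SIMPLE = Profile("AA:FIAR_M01", authorizations=[ZS_D01])
CLERK = [Profile("Z_AR_CLERK", profiles=[SIMPLE])]       # composite profile, constructed name
ADMIN = [Profile("Z_AR_ALL", authorizations=[SAP_STD])]  # constructed name
```

A request is allowed only when one authorization satisfies all of its fields at once; a matching activity with a non-matching account group still fails.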


SAP Security: Creating an Authorization

Create a name for the authorization

Start with the letter Z

Don't use an underscore as the second character

Example: ZS_D01

Use SU03 to create the authorization (Tools --> Administration --> Maintain Users)

Create (first icon: sheet of paper)

Maintain values: sets the values you want

Save

Activate


SAP Security
Profile: Set of Authorization Objects
Simple Profile: 1 Authorization Object
Composite Profile: more than one authorization object
Can have a composite made up of composites


SAP Security
User Master Record

[Diagram: the User Master Record holds Profiles; a Composite Profile is built from Simple Profiles (and may contain other Composite Profiles); a Simple Profile holds Authorizations; an Authorization is an Authorization Object with values set for its Fields.]


SAP Security

SAP Standard Profile: F_BKPF_KANZ (Display vendor accounts)
Custom Profile: AA:FIAR_M01
Create profile, then activate
Copy from existing profile, then rename
To look at, change or create profiles use SU02


SAP Security
Standard profiles common to all SAP installations

SAP_ALL (unlimited access to system)

SAP_NEW (allows older standard profiles to work in newer SAP releases)

S_A_SYSTEM: System Administrator

S_A_SHOW: Display authorizations only


SAP Security: Users

User profiles assign profiles to specific user IDs
Users can belong to a group, e.g. ABAP Developers, C&I Admin
Can't assign authorizations to groups, only to individual users
User Group is a field in some authorization objects
Groups are useful to separate responsibility, e.g. more than one security administrator, each responsible for a group of users


SAP Security: Users


Name the ID for the User
Set the password
Lock/unlock the account
Define time period for the ID
Set default printer and printing rights
Define PIDs (Parameters)
Define profiles


SAP Security: Users

Rules for setting passwords:

Must be at least 3 characters

Cannot begin with ! or ?

First 3 characters cannot be a sequence of 3 characters in the user ID, e.g. if my user ID is gcorbitt, my password cannot contain orb or cor.

First 3 characters cannot be the same, e.g. ccc

Cannot use pass or sap
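An added example (not from the lecture) that checks a candidate password against the rules listed above and returns the rules it breaks, so the reason for a rejection is visible to the administrator. It assumes the comparison is case-insensitive and reads the last rule as forbidding pass and sap as the whole password.

```python
def password_rule_violations(password: str, user_id: str) -> list:
    """Return the lecture's password rules that `password` breaks for `user_id`.
    An empty list means the password is accepted under those rules."""
    problems = []
    pw = password.lower()      # assumption: comparison is case-insensitive
    uid = user_id.lower()
    head = pw[:3]              # most of the rules look at the first 3 characters

    if len(pw) < 3:
        problems.append("must be at least 3 characters")
    if pw[:1] in ("!", "?"):
        problems.append("cannot begin with ! or ?")
    if len(head) == 3 and head in uid:
        # e.g. user gcorbitt: passwords starting with cor or orb are rejected
        problems.append("first 3 characters occur in the user ID")
    if len(head) == 3 and head[0] == head[1] == head[2]:
        problems.append("first 3 characters are identical (e.g. ccc)")
    if pw in ("pass", "sap"):  # assumption: rule bans these as the whole password
        problems.append("cannot use pass or sap")
    return problems


def password_accepted(password: str, user_id: str) -> bool:
    return not password_rule_violations(password, user_id)
```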


SAP Security: Users

PID: Parameter ID
Examples of parameters:

default menu options, e.g. fast entry

default currency

posting period options


SAP Security: Users

User types

Dialog

BDC: inbound interfaces (e.g. data coming in from a legacy system)

CPIC: machine-to-machine IDs that connect through UNIX (e.g. EDI inbound or outbound)

BDC and CPIC do not have expiration dates on the passwords


SAP Security: Transactions


SU01: Creates and maintains users
SU02: Creates and maintains profiles
SU53: Displays LAST authorization failure
ST01: Traces keystrokes
SU03: Lists objects and classes
SM04: Monitors user activity
SE16: Looks at specific tables in SAP (T003 = auth. group)
SA38: Looks at programs (AUTHORITY-CHECK)
SU12: Deletes all users (usually disabled)
SU10: Adds or deletes a profile to all users


SAP Security: Coming Attractions

SAP Profile Generator (31.G, R4)

Makes it easier to track and maintain multiple profiles per user

Uses menu paths to create authorizations or profiles

Activity Groups similar to our functional profiles

Activity Group Maintenance (31.G)

Allows for profile updates, parameter settings by group instead of by individual user

Hopefully allows for resetting expiration, start dates, printer options, etc. by groups of users instead of one user at a time


Application of SAP Security to Classroom

Activity:
Define what jobs or roles we want the students to have per class (functional profiles)

Set up authorizations for each job or role (job profiles)

Assign job profiles to users
Document existing authorizations for Display and Create activities for each application object
Create authorizations for Display and Create where missing
Create a standard profile that any user could have (view only to all modules)
