
Adm940 sap authorization concept.pdf

Monday, March 18, 2019, by admin

Course announcements. In this course you gain knowledge about the SAP authorization concept. Our Learner's Choice events are a hybrid of classroom and. ADM SAP Authorization Concept, mySAP Technology, Date, Training Center, Instructors, Education Website, Instructor Handbook Course. The ADM SAP AS ABAP - Authorization Concept course by New Horizons can help you reach your career goals.


Author: DYAN MOLININI
Language: English, Spanish, Dutch
Country: Finland
Genre: Academic & Education
Pages: 536
Published (Last): 26.02.2016
ISBN: 559-5-15351-291-2
ePub File Size: 23.71 MB
PDF File Size: 14.73 MB
Distribution: Free* [*Registration Required]
Downloads: 36272
Uploaded by: TASIA

ADM Course Overview. Course Goals: This course will prepare you to: • Outline the elements, strategies, and tools of the SAP authorization concept. ADM ABAP AS Authorization Concept. COURSE OUTLINE without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP. Goals: Learn about the elements, strategies, and tools of the SAP authorization concept; create and assign authorizations using the Profile Generator; use the.

Determine task profiles based on the organization chart and a business process analysis. It should familiarize them with the basic functions of PFCG. User Buffer When a user signs on to an SAP system, a user buffer is built containing all authorizations for the user. Note that the authorization data for the role is not distributed together with the role. The members of the project team have the following tasks: The authorization data assigned in this way is combined into profiles and can be assigned indirectly to users through roles.

Transporting Authorization Components 15 Minutes Unit 7: At the start of the course, introduce the individual units and lessons. This provides the participants with an overview of the contents.

Customers usually come to the course with questions and want to ask these as soon as possible. If you introduce the content, they know that the desired topic is part of the course, and usually keep their questions to the appropriate time.

Mention the focus of this course. What are authorizations? This is the entry point into the topic of authorizations. The structure and implementation of an authorization is then described using a five phase model. This example will make it easier to build and structure an authorization concept.

Unit Overview This unit is the entry point into the topic of authorizations. Unit Objectives After completing this unit, you will be able to: What Are Authorizations?

Creating and Implementing an Authorization Concept It will also provide an introduction to the topic of authorizations and the role-based authorization concept, using a number of overview figures. Lesson Objectives After completing this lesson, you will be able to: After considering some general information, the security concept in the context of the SAP system is discussed. The role of the SAP authorization concept within the security concept is then explained.

Business Example Authorizations are used to control access at the application level. At this level, the term role is at the center of the SAP authorization concept. The system must also be protected at the operating system, database, network and front end levels in order to implement a comprehensive security concept. Figure 3: Target Group Notes to the User The training materials are not self-teach programs. There is space for you to write down additional information on the sheets.

Figure 4: Describe why authorizations exist in your own words. Use the bullet points after the next figure or your own experience as a consultant to choose the words for your explanation. Security Expectations. Requirements for protecting sensitive data: these include, for example, data protection laws (personal data, family status, illnesses, and so on), or employee protection. This applies both to data used externally and to data used internally.

Perfect security could only be achieved with cross-dimensional assignment of authorizations. However, the benefits achieved in this way are often not relative to the costs incurred. With some values, it is cheaper to replace a loss than to protect the data at great expense. A company should therefore concentrate on areas in which a clear benefit can be realized through this expenditure. This saves unnecessary investments of time and money. Therefore, a company must be able to weigh up the extraordinary risks of a threat against the costs of a security system.

A situation of this type is not favorable for the processes in a company. If this is not done, it is often difficult to remove undesired obstructions to business processes in complex, nested authorizations. Only with a transparent structure can this be avoided. If problems occur nevertheless, it is only in this way that the places to be maintained can be found. Use the next figure to discuss the questions that must be asked during the development of a security concept. Discuss the problems of the end users at this point.

If the users have no training or poor training, this could destroy more than they can absorb with one concept. What is to be protected? Which assets must be protected? To which categories do these assets belong for example: When assigning assets to categories, consider the consequences of losing these assets. When calculating the value of fixed assets, for example, you should take into account the loss of value due to depreciation, damage or theft. What dangers are there? Potential sources of danger are, for example, technology, the environment, or persons.

Important employees leaving the company, dissatisfied or inexperienced employees. Hackers with criminal intent. Processing errors (caused by applications or operating systems), viruses, power supply interruption, hardware failure. Fire, flood, dust, earthquakes. Once you have identified your assets and the potential sources of danger, you can develop security mechanisms. You must determine an appropriate protective measure for each source of danger. These measures should also be assigned to different categories (for example: training, internal security policy, procedures, roles, responsibilities).

Inclusion of electronics for checks (routers). Access authorizations for systems and data. The next figure provides a small overview of the different SAP security levels.

Describe the context of ADM briefly. Provide this information to the participants. Figure 6: This does not mean that SAP does not yet offer a course here. Courses on this topic are provided directly by operating system vendors. Explain this to the participants. Each level has its own protection mechanisms.

To avoid unauthorized system access, for example, system and data access control mechanisms are provided at the application level. When protecting an SAP system, you must consider the following: This course deals only with the security mechanisms at application level. If a user has access to a system, this certainly does not mean that he or she can run something in the system.

Figure 7: A user master record must be created in the system for each user. This user master record also contains the password that the system prompts the user to enter when logging on. There are numerous mechanisms for preventing unauthorized access to an SAP system that can raise the security level of a system if configured appropriately. These configurable settings include, for example, the minimum length and the expiry date of passwords.

To protect business data and functions against unauthorized access, SAP programs utilize authorization checks. In order to pass an authorization check of this type, a user needs the appropriate authorization. Authorizations are assigned using profiles in the form of roles, which are entered into the user master record. Authorizations in General ADM Use the next figure to describe that employees in companies perform roles in business scenarios.

These roles are assigned authorizations, since people can only perform certain activities that correspond to their position in the company. An activity, in turn, requires certain authorizations. A role consists of one or more activities. People are assigned one or more roles. The SAP term role-based authorization concept is introduced on the following pages.

Figure 8: Users, Roles, and Authorizations People perform roles that belong to business scenarios. A person can have multiple roles. A role is a group of activities performed within business scenarios. A role generally includes all activities that may occur in the respective scenario.

A single role can be involved in several scenarios. A single scenario may require the participation of multiple roles. Business scenarios are groups of activities performed by one or more employees in their respective roles.

Activities are associated with specific system functions that can only be accessed with the proper authorization. You can use the following two figures to highlight the contents of a role again. Roles are created using transaction PFCG, with the following content: Technical Implementation of Roles To implement roles technically, you must create roles or composite roles using the Profile Generator. A role consists of the following components: You can assign users using either the Profile Generator or user administration.

Customers can use these roles as templates and customize them to meet their individual requirements. Graphical representation of a role with menu in an SAP system. This menu can also be hidden. When creating the roles, the system administrator specifies the required functions including their descriptions. The descriptive text can be changed, and is therefore freely definable. Once a user has been assigned a particular role (with menu), the appropriate personal user menu is automatically displayed when the user logs on to the system.

The menu is based on the assigned activities. There are two ways to do this: If the user calls a transaction, the personal menu is hidden so that the entire screen can be used for transaction processing.


If the user quits the transaction or opens a new session, the menu is shown in the foreground again. Facilitated Discussion: You should prompt the participants to become involved in discussion to avoid the course becoming a monologue over three days.

This should relax the atmosphere between the instructor and the participants, which is usually reserved to begin with. There is a round of introductions in most SAP courses. However, not all participants appreciate this, since it takes up a lot of important course time. You should decide yourself whether you think this is useful. We recommend that you do not do this with large groups. However, to obtain a general impression about the previous knowledge of the participants, you can use additional questions during the discussion to find out about the knowledge and wishes of the participants.

Examples of questions are: Do you use these? Discussion Questions Use the following questions to engage the participants in the discussion. Feel free to use your own additional questions.

Why are authorizations used? What are the elements of a role? What does SAP mean by role-based authorization concept? Who already uses or is implementing this? What advantages does the use of roles provide? What is access control? Which steps are necessary for a user menu to be displayed for a user? Lesson Summary: You should now be able to: The methodology used here to implement a role and authorization concept consists of five steps (preparation, analysis and conception, implementation, quality assurance and test, and cutover), which will be described in more detail in this lesson.

User and authorization administration are defined, specified, and implemented in parallel to these five steps. When doing so, you should emphasize that it is not only the people who must create a new concept that are being addressed here.

In comparison to new customers, it is often much more difficult for those new to authorizations to understand an existing concept and to create their own method for their daily work.

Concepts that have developed over the course of years are often badly structured, and seldom comprehensible. Business Example Before going live, your company wants to implement an authorization concept. The steps required to realize the authorization concept must be planned in the context of the entire implementation process.

During the planning phase you want to estimate the time and personnel resources needed. It is therefore advantageous if you know the method and can describe the procedure with your own words. It is always very difficult for beginners to create a thread. They often do not know where and with what they should begin, or what the next step is. It is for exactly this reason that the VSAP method is used as the basis.

However, the basic idea behind the method is no less useful because of this. If a customer enquires about a successor product to VSAP, be careful to describe that the Solution Manager does not currently provide any comparable content. Implementation Methods and Authorizations The procedure used here is based on the principles of the SAP implementation method. Many consultancy companies use a similar model, usually with their own name. When combined, the individual steps of this method ensure quick and efficient implementation of the SAP system.

Setting up an authorization concept must be planned and implemented step-by-step using a project plan. In the example used here, the project was divided into five key points at the uppermost level (these are often also called phases): The Business Blueprint is a visual representation of the status of the company which is to be realized in the SAP implementation.

All business processes are analyzed and described here.


This is the basis for the later authorization concept. The business processes created and described in the previous phase are the starting point for the implementation of the roles. With the next figure, use keywords to outline the activities that are required to introduce a role and authorization concept. Explain also that user and authorization administration is defined in parallel to these activities. Call the URL www. Figure: Role and Authorization Concept: Steps. To fulfill a certain task, the employee responsible must normally use several applications.

The transactions and reports used for a business activity can be combined into roles. It is important that users can only process those tasks that they are authorized to perform, and are prevented from making unintentional or incorrect changes in system areas which are outside their competence. Since all SAP components use authorizations to control access to their functions, administrators only assign to each role those authorizations that are necessary to perform the role-specific tasks.

Besides authorizations, a role comprises the user menu specifications. When a user logs on to an SAP system, the system displays a user-specific menu, with selected transactions, reports, and Internet links in the form of a tree structure.

This menu is based on the assigned role. Users can only access transactions and reports that they are authorized to use. This eliminates unnecessary functions from the navigation structure. When developing the role and authorization concept, the challenge is to coordinate business requirements at a cross-department level and protect sensitive data against potential dangers. This is why we recommend that you develop the role and authorization concept as a separate project.

You should follow the procedure explained in this training course and use the demonstrated method for orientation. It is important that you explain the importance of preparation to the participants with the next figure. ALL contacts from user departments should be informed about the project during the initial discussions. If cooperation is later required from a department that was not informed, they often create obstacles, and therefore slow down further implementation.

Step 1: Preparation Set up a team responsible for the specification and implementation of the user roles and the authorization concept. Identify the business areas affected and their special security requirements. Like the control mechanisms selected, these can vary from area to area. Normally, the security requirements of the Human Resources department are more demanding than those of other departments.

Therefore you must first determine the desired security level. Consider the different security requirements for production, test and development environments. Also bear in mind that user roles often need to access multiple systems and may therefore require different functions and authorizations depending on the system. Train the team for roles and authorizations with regard to specification and implementation topics. Creating and Implementing an Authorization Concept The team members must be familiar with the basic principles of the SAP authorization concept and the available control and administration tools such as central user administration.

The members responsible for implementation must be able to use the Profile Generator. Since the role and authorization project requires the cooperation of various business areas and departments, SAP recommends that you inform the responsible employees of the project targets set and establish communication channels at an early stage to ensure efficient handling.

Point out again that the complexity of an authorization concept requires teamwork.


Input from the user departments is required to define the roles. The members of the project team have the following tasks: When developing the role and authorization concept, the challenge is to coordinate business requirements at a cross-department level and protect sensitive data against potential dangers.

While user roles and the authorization concept are specified with the cooperation of the individual business areas, they are normally implemented by the IT department. This is why you must set up a cross-area and cross-department project team. The team members have the following tasks: To ensure that both the authorization concept and the procedures for user administration and authorization management comply with the control regulations of the company, the internal invoice verification department must be involved in the authorization project at an early stage.

Step 2: This is an internal note; do not pass this information on to the customers. However, it no longer provides any information for an authorization concept. It is no longer possible to create and use authorization lists.

Demonstrate to the participants how you can create a Microsoft Excel list for the authorization concept in the system itself. Determine task profiles based on the organization chart and a business process analysis.

Check if SAP role templates can be used. Make any required adjustments if role templates are used. Check the role and authorization concept. To detect any shortcomings in conception before actual implementation, SAP recommends that you create a prototype of the concept. Use the next figure to clarify the basic principles of the role-based authorization concept again.

Specification of the role and authorization concept: Technical Conception: Role Implementation. User roles are technically implemented using individual, composite, and derived roles. Based on the transactions and reports selected for each role, the Profile Generator automatically determines all authorization objects required for performing the functions specified, and creates the corresponding authorization profile.

Creating and Implementing an Authorization Concept Using individual, composite, and derived roles, you can model the role structure in two ways: If some functions are used unchanged in multiple roles, the associated transactions and reports are contained in several individual roles.

If general function modifications are required, this consequently affects several individual roles. In this case, the individual and derived roles represent activity blocks, that is, groups of interrelated functions for example: Since individual and derived roles contain encapsulated functions, they can be used in multiple or composite roles. The advantage of this approach is that multiple access to transactions used in several individual roles is avoided.

Therefore, organizational or process-related modifications that affect several user roles can be applied by adjusting a single role.

Use the next three figures to explain the development of a concept again. When creating the Business Blueprint, you determine which processes are to be implemented in the context of the implementation. The result of all used and mappable business processes in the SAP system is, in this example, saved as a Microsoft Excel list. The user roles are created and completed in this authorization list. A similar list can also be generated in the SAP system. In this case, the list is component-oriented, and not process-oriented as in our example.

Demonstrate for the participants the way in which you can generate a component-oriented list in the SAP system. SAP systems are delivered with a number of role templates in which the associated application functions (transactions and reports), the user menu and the authorization data are predefined. These templates can be used as a basis for analyzing and developing the company-specific roles and the authorization concept.

They are only intended as templates with examples for the authorization setting. Complete User Roles: The authorization list is a Microsoft Excel table that helps the project team to model the user roles before they are implemented in the SAP system. Using this list, the roles can be developed before the system is installed.

In the authorization list, you create user roles and specify the associated transactions. In this example, it consists of two worksheets. Process View (Roles Design - Scope): The structure shows the business processes that were selected during the analysis and conception of the enterprise.


The job roles and user roles are specified and linked with the processes here. Transaction Overview for each Role (T-Code for each Role): You can generate an overview of the transaction assignments for each role in the transaction overview after the modeling on sheet 1.

You can see block formation of the role contents in the next figure. With this figure, remind the participants that the role formation does not depend on the repeatedly used transactions, but rather on the enterprise requirements. This is also described in the note under the figure. Modeling the role structure: Analyze the authorization list and determine the areas in which access to several transactions is needed.

Activity blocks such as this can be created as roles. To simplify implementation, you can subsequently modify roles during the technical conception phase, for example, by choosing additional functions to use activity blocks already defined.

Note that access to the same transactions and reports is not a sufficient criterion for the existence of an activity block.


Since authorizations may vary even at field level, you must implement the different variants of individual activity blocks as separate or derived roles. You can use the next figure to explain another approach. The composite role: Roles can be technically implemented in composite roles such as job roles. Composite roles contain multiple single roles, which contain logically related transactions, known as activity blocks. Single roles are used in the form of a building block principle.

In turn, these encapsulate functions in composite roles as reusable modules (such as accounts payable accountant). During the first conception and implementation approach, individual functions are encapsulated in separate roles (for example, the Basis authorizations of the end-users). From a technical point of view, all elements of the authorization concept must be assigned a unique identifier.

This is why you must define individual naming conventions for all role types. The following text addresses the naming conventions for roles for the first time. If you want to decentralize user and authorization management, the naming conventions are also required for administrative purposes. In this case, the access rights of the decentralized administrators should be limited to those composite roles that belong to a specific business area and thus apply only to a restricted namespace.

Since roles are divided into individual and derived roles, the user roles created in this step may be different from the original specification defined during the development phase. For example, the roles may contain more or fewer activities (transactions and reports). This is why you must check that the roles have been properly defined before implementation.

SAP recommends that you carry out a test implementation of the user roles and authorization concept in order to check the technical conception. Step 3: Ask the participants: Do you know all of the authorization objects or authorization fields that are checked during the check for a particular transaction?

Implementation: From a technical point of view, user roles (job roles) can be implemented as composite roles using the Profile Generator.

Composite roles consist of individual and composite roles that each contain the relevant authorizations and menu data. Authorizations specify the scope of access to data and functions. User menus use hierarchical structures to specify the access path to the transactions, reports and Internet pages released for a specific user.

An example of how you create user roles: Individual roles either describe higher-level functions that are independent of organizational or application-specific restrictions or are used as templates for creating derived roles that are not subject to any restrictions.

These contain the desired organizational or application-specific restrictions. For each responsibility area, you create a derived role from an existing individual role. Step 4: In addition, the responsible area manager must approve the role and authorization concept implemented. The following should be checked during the tests (see also the text below the figure): If the customers finish the implementation of the authorization concept before the end user training, this can be used to perform an additional test.

You should use predefined test scenarios that cover all business processes implemented. The test scenarios should include both positive and negative checks of the authorizations of the individual roles. The positive test checks whether the functions are executed as desired, while the negative test must confirm that all restrictions defined are observed. For example, a human resources administrator can display the users for a specific work center, but not the records for other work centers.

The test scenarios must cover all functions that are to be performed by a user role. If a function cannot be called during the test, you must correct the user roles and the authorization concept. Note that changes may affect several derived roles. In extreme cases, you must revise the entire role and authorization concept.
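The handbook describes the user buffer (all authorizations from a user's roles), the template/derived/composite role structure, and positive and negative test scenarios such as the HR administrator who may display records for one work center but not for others. The following is an added example written for this page (my own model, not code from the ADM940 handbook or from SAP) that ties those pieces together: it derives per-work-center roles from one template role, builds a user buffer, runs an authority check against it, and evaluates the positive and negative scenarios. The object `S_TCODE` with field `TCD`, the transactions `PA20`/`PA30`, and the activity values `03` (display) and `02` (change) follow SAP conventions; the object `Z_HR_REC`, its field `WORKCTR`, the role names and the work center values are constructed for illustration.

```python
"""Model of the role-based authorization concept and its test scenarios.
Added example; names marked 'constructed' are not real SAP identifiers."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ORG_PLACEHOLDER = "$ORG$"   # constructed marker: value filled in by the derived role


@dataclass(frozen=True)
class Authorization:
    """One authorization: an object name plus the allowed values per field.
    '*' means any value (full authorization for that field)."""
    obj: str
    fields: Tuple[Tuple[str, Tuple[str, ...]], ...]

    def covers(self, requested: Dict[str, str]) -> bool:
        allowed = dict(self.fields)
        # Every requested field must exist here and its value must be allowed.
        for name, value in requested.items():
            values = allowed.get(name)
            if values is None:
                return False
            if "*" not in values and value not in values:
                return False
        return True


@dataclass
class Role:
    name: str
    authorizations: List[Authorization] = field(default_factory=list)
    members: List["Role"] = field(default_factory=list)   # non-empty only for composite roles

    def all_authorizations(self) -> List[Authorization]:
        auths = list(self.authorizations)
        for member in self.members:
            auths.extend(member.all_authorizations())
        return auths


def make_auth(obj: str, **fields: Tuple[str, ...]) -> Authorization:
    return Authorization(obj, tuple((k, tuple(v)) for k, v in fields.items()))


def derive_role(template: Role, suffix: str, org_values: Dict[str, Tuple[str, ...]]) -> Role:
    """Derived role: same authorizations as the template, with the organizational
    placeholder replaced by the values of one responsibility area."""
    derived = Role(f"{template.name}_{suffix}")
    for auth in template.authorizations:
        new_fields = []
        for fname, values in auth.fields:
            if ORG_PLACEHOLDER in values:
                values = org_values[fname]
            new_fields.append((fname, tuple(values)))
        derived.authorizations.append(Authorization(auth.obj, tuple(new_fields)))
    return derived


def build_user_buffer(roles: List[Role]) -> List[Authorization]:
    """User buffer: every authorization from every assigned role, deduplicated."""
    seen, buffer = set(), []
    for role in roles:
        for auth in role.all_authorizations():
            if auth not in seen:
                seen.add(auth)
                buffer.append(auth)
    return buffer


def authority_check(buffer: List[Authorization], obj: str, **requested: str) -> bool:
    """Passes if any authorization for the object covers all requested field values."""
    return any(a.obj == obj and a.covers(requested) for a in buffer)


# --- constructed sample roles ------------------------------------------------
# Template (single) role for an HR administrator; the work center is left open.
hr_template = Role("Z_HR_ADMIN", [
    make_auth("S_TCODE", TCD=("PA20", "PA30")),
    make_auth("Z_HR_REC", ACTVT=("03",), WORKCTR=(ORG_PLACEHOLDER,)),  # Z_HR_REC is constructed
])
# One derived role per responsibility area (work center).
hr_wc_1000 = derive_role(hr_template, "WC1000", {"WORKCTR": ("1000",)})
hr_wc_2000 = derive_role(hr_template, "WC2000", {"WORKCTR": ("2000",)})
# Job role (composite) for the HR administrator of work center 1000.
job_hr_wc_1000 = Role("Z_JOB_HR_WC1000", members=[hr_wc_1000])


def run_test_scenario(user_roles: List[Role]) -> Dict[str, bool]:
    """Positive and negative checks for one user, as the test step describes."""
    buf = build_user_buffer(user_roles)
    return {
        "can_call_PA20": authority_check(buf, "S_TCODE", TCD="PA20"),
        "can_display_own_wc": authority_check(buf, "Z_HR_REC", ACTVT="03", WORKCTR="1000"),
        "can_display_other_wc": authority_check(buf, "Z_HR_REC", ACTVT="03", WORKCTR="2000"),
        "can_change_own_wc": authority_check(buf, "Z_HR_REC", ACTVT="02", WORKCTR="1000"),
    }


if __name__ == "__main__":
    print(run_test_scenario([job_hr_wc_1000]))
```

The negative checks are the ones that catch a concept error: if the template had been assigned directly, or the derived role for work center 2000 had been added to the job role by mistake, `can_display_other_wc` would flip to true, which is exactly the kind of restriction violation the handbook says the negative test must confirm cannot happen.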

Creating and Implementing an Authorization Concept You may also be required to modify the user menus in order to simplify access to the functions. To ensure that the system becomes more user-friendly, the project team responsible should closely cooperate with the representatives of the relevant business areas. After fine-tuning the user roles, you must repeat the tests as often as necessary until the user roles implemented completely comply with the security and usability requirements.

Step 5: Cutover. Before you create the production users, you must create the master records for user management in your production environment, and possibly configure central user management. The work of the administrators is not complete with cutover. There is a significant amount of work for them to do at this stage. Describe the tasks: To simplify the creation of the individual user master records, you first create model records.

These model records are used as copy templates for the records of the productive users. In the central system, create a user master record for each role specified in the company-wide role matrix (authorization list). into several responsibility areas that are subject to organizational restrictions (company code, cost center, plant, and so on) or application-specific control mechanisms (such as FI authorization groups), you must create a separate record for each responsibility area.

Maintain the additional data (parameters, printers, and so on). After consulting the area managers (data owners), define the roles for each user. Consider that some users may have several roles or different roles in various logical systems (clients). Enter the assignments in a user and role matrix.

To create a master record for a user, you copy the model record for the relevant role and customize this record as required. Get the final approval of the area managers with regard to the users created and communicate all access-relevant data (system, client, ID, and password) to the end users. Implementing User and Authorization Administration: Explain the decisions that are necessary for user and authorization administration. List advantages and disadvantages.

Users distributed in a far-reaching system landscape can be managed from within a central system: All users are initially created in a central logical system (client) and then distributed to the other clients of the entire installation.

Before you set up a central user management, you must determine which processes (for example, assigning or locking roles) can be run locally, and if modifications made in local systems (for example, address changes) should be passed on to the central system.

After the role and authorization concept is implemented, the members of the project team are normally no longer responsible for managing users and authorizations. Depending on how the tasks are distributed in the company, the users are managed either centrally (for example, using a help desk) or on a decentralized basis by local location or department administrators. You must assign and train employees for this purpose. Make the following basic statement: Mention the principles of dual and treble control.

Organization of User and Authorization Administration: The tasks of the authorization administrators include creating, activating, changing, deleting, and transporting roles. User administrators deal with setting up, changing, deleting, locking, and monitoring users and assigning passwords and authorizations. The user and authorization management tasks should be distributed among several administrators (for example, separate user, authorization data, and profile administrators).

By assigning the user maintenance tasks to local administrators that represent individual departments or locations, you can even further decentralize user and authorization management. Having an administrator on site can also be desirable since first-time users accessing the system often need to be introduced to their task-specific user role. In addition, decentralized administrators are useful for reporting since they know to whom the user IDs refer. From a technical point of view, decentralization is achieved by subdividing the users into user groups and limiting the rights of the local administrators with regard to the assignment of authorizations.

Decentralized administrators may only maintain the users of the group that has been assigned to them. In addition, decentralized administrators should only be allowed to assign authorizations that are required in their department or at their site in accordance with the naming conventions of user roles.

Creating and Implementing an Authorization Concept Before the participants start the exercises, you should briefly summarize and describe the tasks to be performed. To avoid errors during the exercise, demonstrate calling up the Microsoft Excel list. It is also important here that each group sets the macro security to low locally, and saves the file on their own computer.

To ensure that participants are aware of this, these notes are also included in the exercise description. Exercise 1: A prepared Microsoft Excel list is provided for this purpose. It allows you to divide the user tasks into small reusable blocks (roles). System Data System: These SAP systems change weekly. The training courses are held in the 8xx clients; training administration will provide you with the exact numbers.

One of the clients is set up as the central system. User ID: The IDs contain the course ID and a two-digit group number. For example, for the ADM course: The participants receive the required roles and authorizations for the exercises through the template. The instructor can set a uniform password for the users when creating them such as "ADM". Training administration will inform you of the instructor password for access to the system.

Setup instructions: Check the availability of the Microsoft Excel list for task 1 in the training system. No additional settings are required. XLS, which you can find in the Shared Folders, and answer the following questions. The Shared Folders are in the Business Workplace. Menu Path: Double click the Microsoft Excel file to open it. If a dialog box appears, choose Enable Macros.

Save your settings. Save the Microsoft Excel file on your hard disk (for example, in the directory C:). Close the file (not Microsoft Excel). Which master data is used by the company at Scenario Level, and should be used in the job roles (Level 3)? Which business processes (Level 5) should be taken into account for assigning authorizations and were included in the Microsoft Excel list? Which transaction codes were copied for the business process sales order processing? Task 2: Define roles for the enterprise areas: The accounts receivable accountant should also be able to maintain the accounting views of the accounts receivable master.

What does maintain mean? Discuss this term with your neighbor and consider opinions and points of view. SD Define a role for a Sales and Distribution clerk (SDClerk, SD), and assign all transactions of the Sales Order Processing Standard business process as well as transactions for overall maintenance of the SD views of the accounts receivable master records to this role.

SD Define a role for the Sales and Distribution manager (SDMan, SD), and assign all transactions of the Sales Order Processing Standard business process as well as transactions for overall maintenance of all accounting and sales and distribution views of the accounts receivable master to this role.

Assign the transactions of the Goods Receipt Processing business process to this role. Generate an overview of the transactions and roles by pressing the appropriate button. How many transactions were chosen for the individual roles: Now combine these transactions into meaningful roles to ensure that these single roles can be reused in several composite roles.

There are several ways to do this. Do not worry if your solution is not the same as your neighbor's. The solutions will vary from group to group. Go back to the first worksheet (Roles Design). Combine several transactions into roles in such a way that these single roles can be reused in several composite roles.

To do this, you can color code the roles or draw a border around them. Give the roles meaningful names and enter the associated transactions in the following table. Compare the names that you have given the roles with the suggestions in the solution. Solution 1: Task 1: What does maintain mean?

Model solution as a sample authorization concept: See the next page or exercise 1 for the unit Working with the Profile Generator 1. Table columns: Name of the Role; Transactions for this Role. a) The following table shows the role names in accordance with the example authorization concept, which you will use in later exercises.

The example authorization concept is then shown graphically. It is divided into: At the end of this unit, every participant should have an image of the authorization concept, and be able to explain its meaning and use. To round off this knowledge, lesson 2 introduces the authorization check in the SAP system. Unit Overview This unit uses two lessons to provide an introduction to the basic terms of authorization and the main authorization check in the SAP system.

The relationships between the authorization terms are explained step-by-step and form a good basis for all subsequent units. Elements and Terminology of the Authorization Concept The classical terms, such as authorization object, authorization field, authorization, and so on are introduced first. After this, every participant should be able to correctly arrange the expressions used and to explain the relationships between them.

This knowledge is the basis for all other procedures. Business Example The SAP authorization concept prevents unauthorized access to the system and to data and objects within the system. Users that are to perform specific functions in the SAP system need a user master record with the relevant authorizations.

Try to use questions to the participants to draw up the figure together. An example could be: Authorization Object: Groups 1 to 10 authorization fields together. These fields are then checked simultaneously (example: Application authorization).

Authorization: An instance of an authorization object, that is, a combination of allowed values for each authorization field of an authorization object.

Authorization profile: Contains instances (authorizations) of different authorization objects. Role: A role describes the activities of an SAP user. User: Used for logging on to SAP systems and grants restricted access to functions and objects of the SAP system based on authorization profiles. Naming conventions for customer developments (see SAP Notes): they must not contain an underscore in the second position. Explain the definitions of the terms and clarify the presented terms using an example.

Authorization objects are called using the following menu path: Initial access is always made through the authorization object class. You can display the authorization fields by double clicking the authorization object names. Menu path: Tools, ABAP Workbench, Development, Other Tools, Authorization Objects.

Examples: Authorization to edit documents for specific company codes. Authorization to maintain the accounts receivable master record for specific company codes. Why does this make sense? Each object has a specific number of allowed activities, which are described in the object documentation. Every customer can create their own authorization object classes, authorization objects, and authorization fields.

Since it is very important that all participants understand the relationships between instances, objects, profiles, roles, and so on, there is another example of two authorizations at this point. Think of an example of an authorization check. This means that the user can perform the create, change and display activities in company codes and , but can only perform the display activity in company code The next figure clarifies the difference between an authorization and an authorization profile.

Authorizations and Authorization Profiles You can define several different authorizations for an authorization object. This means that an authorization object has various instances. Authorized to create, change and display documents in company code Authorized to display documents in company code You can assign multiple authorizations to a work center. Grouped together, these authorizations are called an authorization profile. Work center 2 has the following authorization profile: Establish the relationships between all elements of a role.

These are defined using the Profile Generator. A role is a set of functions, also known as activities, describing a specific work area. In the role, you organize transactions, reports, or Web addresses in a role menu. For a user to be able to receive authorizations, you must first maintain authorization data. You can then generate the authorization profile, and the role is complete.

SAP strongly recommends the automatic creation of authorization profiles in the form of roles using the Profile Generator. You should only use manual authorization profiles in exceptional cases. A role can be assigned to any number of users. Through the role, you also assign the authorizations that users need to access the transactions, reports, and so on contained in the menu. This user menu appears when the user to which the authorization profile was assigned logs on to the SAP system.

A user menu consists of the role menus of the assigned roles. It contains the activities that are required by a group of users for their work area. We strongly recommend that customers do not create authorization profiles manually. An authorization profile is generated from these. The user menu created from multiple role menus contains only those transactions, reports and Web addresses needed by the users for their daily work processes. The user menus can be and are often created with the Profile Generator using composite roles.

You should also use an example of a user to show the participants a role and the corresponding profile. Explain the contents, and discuss the display. Use the jump points from the Info System and demonstrate similar queries to those in the exercises, before the participants perform these themselves.

Task 1: Display the master record of user ADM Are roles assigned to the user? If yes, which ones? Is an authorization profile assigned to the user? Double-click the profile name to go to the detail screen of the authorization profile.

Expand the tree structure of the authorization profile. Do you have authorizations for the following authorization objects? Field 1: Exit the transaction. Task 2: Display various authorization information in the Information System. In which transactions is the authorization object checked?

Choose the All Selections icon. Select the authorization object class from task What is controlled with this authorization object? The number of authorization objects is indicated at the end of the list. Expand the structure for the Roles node, and choose the report By Role Name. Display the transaction assignment for the role. How many transactions in total are assigned to the role?

The number of transactions is displayed at the end of the list. Elements and Terminology of the Authorization Concept Task 1: Authorization for authorization object: Create; Change; Display; Lock/Unlock; Delete; Display Change Documents; Include Users in Roles; Archive; Assign. Transactions that administrators may assign to roles and for which they may assign authorization to start a transaction in the Profile Generator. Number of transactions: The number of transactions is indicated at the end of the list.

There are essentially two checks. The first check is performed by the system when transactions are called, and the second is then performed by checks in the program. The user buffer, which is also introduced, plays a vital role in the check, and even more so in the check in the program. Many customers or users in user departments still believe that it is possible simply to check any values in next to no time.

However, to do this, it is necessary to change the program - and much more besides. Describe the false perceptions with examples from your experience. In this way, there is, for example, a mandatory kernel check for each transaction start. The main task, however, in the company, is to control the checks in programs. To do this, it is very important to understand the relationship between the buffer and the authorization check.

Each time a transaction is started, the kernel checks the transaction code (field TCD) as a value against this authorization object. We recommend that you demonstrate and discuss the second check, which is connected to table TSTCA, only after the exercise. Authorization Checks at Transaction Start When starting a transaction, a system program executes a series of checks to ensure the user has the appropriate authorizations.

Check if the user is authorized to start the transaction. Check if an authorization object is assigned to the transaction code. If this is the case, the system checks if the user has an authorization for this authorization object. If any of the above steps fail, the transaction will not begin, and the user will receive a message. The ABAP statement authority-check is used to check the authorization object assigned to the transaction. The check is performed during transaction start by the ABAP program called by the transaction.

A program may contain any number of authorization checks. The following authorization is checked: The valid return codes for the authority-check command are: It will also provide an introduction to the topic of authorizations and the role-based authorization concept, using a number of overview figures. Lesson Objectives After completing this lesson, you will be able to: After considering some general information, the security concept in the context of the SAP system is discussed.
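The relationships described above (authorization object, authorization as an instance of it, profile, role, user buffer) and the two checks at transaction start, modeled in Python as an added illustration; this is not SAP code. S_TCODE, F_BKPF_BUK, S_USER_GRP, FB01 and FB03 are real SAP names used only as examples; the role name, company codes and TSTCA entries are constructed, and return codes 0, 4 and 12 follow the meaning of sy-subrc after an ABAP AUTHORITY-CHECK.

```python
"""Model of the SAP authorization check against the user buffer (added
illustration, not SAP code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Return codes modeled on sy-subrc after AUTHORITY-CHECK:
# 0 = authorized, 4 = an authorization for the object exists but not with
# these values, 12 = no authorization for the object at all.
RC_OK, RC_WRONG_VALUES, RC_NO_AUTH = 0, 4, 12


@dataclass
class Authorization:
    """One instance of an authorization object: allowed values per field.

    A value is a single value or a pattern ending in '*' ('*' alone = all).
    Assumption: FROM/TO value intervals are not modeled.
    """
    obj: str
    values: dict  # field name -> tuple of allowed values

    def allows(self, field, value):
        return any(fnmatchcase(value, pat) for pat in self.values.get(field, ()))


def authority_check(user_buffer, obj, **required):
    """Mimic ABAP AUTHORITY-CHECK OBJECT obj ID field FIELD value ...

    All checked fields must be satisfied by ONE authorization; values of two
    different authorizations for the same object are never combined. Fields
    not named in the check are not examined.
    """
    instances = [a for a in user_buffer if a.obj == obj]
    if not instances:
        return RC_NO_AUTH
    for auth in instances:
        if all(auth.allows(f, v) for f, v in required.items()):
            return RC_OK
    return RC_WRONG_VALUES


def build_user_buffer(user_roles, generated_profiles):
    """At logon the buffer collects every authorization of every profile
    reachable through the user's roles (role -> profile -> authorizations)."""
    buffer = []
    for role in user_roles:
        buffer.extend(generated_profiles[role])
    return buffer


def start_transaction(user_buffer, tcode, tstca):
    """The two checks when a transaction is called: the kernel's S_TCODE check
    on field TCD, then the object assigned to the tcode in table TSTCA (if
    any). AUTHORITY-CHECKs coded in the program itself follow afterwards."""
    rc = authority_check(user_buffer, "S_TCODE", TCD=tcode)
    if rc != RC_OK:
        return rc
    if tcode in tstca:
        obj, fixed_values = tstca[tcode]
        rc = authority_check(user_buffer, obj, **fixed_values)
    return rc


# Constructed sample data: the profile generated from role Z_AR_ACCOUNTANT
# (made-up name) allows create/change/display (ACTVT 01/02/03) of accounting
# documents in company code 1000 but display only in company code 2000.
PROFILES = {
    "Z_AR_ACCOUNTANT": [
        Authorization("S_TCODE", {"TCD": ("FB01", "FB03")}),
        Authorization("F_BKPF_BUK", {"ACTVT": ("01", "02", "03"),
                                     "BUKRS": ("1000",)}),
        Authorization("F_BKPF_BUK", {"ACTVT": ("03",), "BUKRS": ("2000",)}),
    ],
}
# Constructed TSTCA entries: object and values checked when the tcode starts.
TSTCA = {
    "FB01": ("F_BKPF_BUK", {"ACTVT": "01"}),
    "FB03": ("F_BKPF_BUK", {"ACTVT": "03"}),
}


def demo():
    buf = build_user_buffer(["Z_AR_ACCOUNTANT"], PROFILES)
    return {
        "create in 1000": authority_check(buf, "F_BKPF_BUK", ACTVT="01", BUKRS="1000"),
        # 02 is allowed in one authorization and 2000 in another, never together
        "change in 2000": authority_check(buf, "F_BKPF_BUK", ACTVT="02", BUKRS="2000"),
        "user admin object absent": authority_check(buf, "S_USER_GRP", CLASS="SD", ACTVT="02"),
        "start FB01": start_transaction(buf, "FB01", TSTCA),
        "start SE38": start_transaction(buf, "SE38", TSTCA),
    }


if __name__ == "__main__":
    for name, rc in demo().items():
        print(f"{name}: rc={rc}")
```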

The role of the SAP authorization concept within the security concept is then explained. Business Example Authorizations are used to control access at the application level. At this level, the term role is at the center of the SAP authorization concept. The system must also be protected at the operating system, database, network and front end levels in order to implement a comprehensive security concept.

Figure 2: Target Group Notes to the User The training materials are not self-teach programs. There is space for you to write down additional information on the sheets. Figure 4: Describe why authorizations exist in your own words. Use the bullet points after the next figure or your own experience as a consultant to choose the words for your explanation. Security Expectations Requirements for protecting sensitive data: These include, for example, data protection laws (personal data, family status, illnesses, and so on), or employee protection.

This applies both to data used externally and to data used internally. Perfect security could only be achieved with cross-dimensional assignment of authorizations. However, the benefits achieved in this way are often not in proportion to the costs incurred. With some values, it is cheaper to replace a loss than to protect the data at great expense. A company should therefore concentrate on areas in which a clear benefit can be realized through this expenditure.

This saves unnecessary investments of time and money. Therefore, a company must be able to weigh up the extraordinary risks of a threat against the costs of a security system. A situation of this type is not favorable for the processes in a company. If this is not done, it is often difficult to remove undesired obstructions to business processes in complex, nested authorizations.

Only with a transparent structure can this be avoided. If problems occur nevertheless, it is only in this way that the places to be maintained can be found.

Use the next figure to discuss the questions that must be asked during the development of a security concept. Discuss the problems of the end users at this point. If the users have no training or poor training, they can cause more damage than any single concept can absorb. What is to be protected? Figure 5: Which assets must be protected? To which categories do these assets belong, for example: When assigning assets to categories, consider the consequences of losing these assets.

When calculating the value of fixed assets, for example, you should take into account the loss of value due to depreciation, damage or theft. What dangers are there?

Potential sources of danger are, for example, technology, the environment, or persons. Important employees leaving the company, dissatisfied or inexperienced employees.

Hackers with criminal intent. Processing errors (caused by applications or operating systems), viruses, power supply interruption, hardware failure. Fire, flood, dust, earthquakes. Authorizations in General ADM Once you have identified your assets and the potential sources of danger, you can develop security mechanisms.

You must determine an appropriate protective measure for each source of danger. These measures should also be assigned to different categories (for example: training, internal security policy, procedures, roles, responsibilities).

Inclusion of electronics for checks (routers). Access authorizations for systems and data. The next figure provides a small overview of the different SAP security levels. Describe the context of ADM briefly. Provide this information to the participants. Figure 6: This does not mean that SAP does not yet offer a course here.

Courses on this topic are provided directly by operating system vendors. Explain this to the participants. SAP systems are made safe at a variety of levels. Each level has its own protection mechanisms. To avoid unauthorized system access, for example, system and data access control mechanisms are provided at the application level. When protecting an SAP system, you must consider the following: This course deals only with the security mechanisms at application level.

If a user has access to a system, this certainly does not mean that he or she can run something in the system. Figure 7: A user master record must be created in the system for each user.

This user master record also contains the password that the system prompts the user to enter when logging on. There are numerous mechanisms for preventing unauthorized access to an SAP system that can raise the security level of a system if configured appropriately.

These configurable settings include, for example, the minimum length and the expiry date of passwords. To protect business data and functions against unauthorized access, SAP programs utilize authorization checks. In order to pass an authorization check of this type, a user needs the appropriate authorization.

Authorizations are assigned using profiles in the form of roles, which are entered into the user master record. Use the next figure to describe that employees in companies perform roles in business scenarios. These roles are assigned authorizations, since people can only perform certain activities that correspond to their position in the company.

An activity, in turn, requires certain authorizations. A role consists of one or more activities. People are assigned one or more roles. The SAP term role-based authorization concept is introduced on the following pages. Figure 8: Users, Roles, and Authorizations People perform roles that belong to business scenarios. A person can have multiple roles. A role is a group of activities performed within business scenarios. A role generally includes all activities that may occur in the respective scenario.

A single role can be involved in several scenarios. A single scenario may require the participation of multiple roles. Business scenarios are groups of activities performed by one or more employees in their respective roles. Activities are associated with specific system functions that can only be accessed with the proper authorization. You can use the following two figures to highlight the contents of a role again.

Roles are created using transaction PFCG, with the following content: Figure 9: Technical Implementation of Roles To implement roles technically, you must create roles or composite roles using the Profile Generator.

A role consists of the following components: You can assign users using either the Profile Generator or user administration. Customers can use these roles as templates and customize them to meet their individual requirements.

Graphical representation of a role with menu in an SAP system. This menu can also be hidden. Figure: When creating the roles, the system administrator specifies the required functions including their descriptions.

The descriptive text can be changed, and is therefore freely definable. Once a user has been assigned a particular role (with menu), the appropriate personal user menu is automatically displayed when the user logs on to the system. The menu is based on the assigned activities. There are two ways to do this: If the user calls a transaction, the personal menu is hidden so that the entire screen can be used for transaction processing. If the user quits the transaction or opens a new session, the menu is shown in the foreground again.

Facilitated Discussion You should prompt the participants to become involved in discussion to avoid the course becoming a monologue over three days.

This should relax the atmosphere between the instructor and the participants, which is usually reserved to begin with. There is a round of introductions in most SAP courses. However, not all participants appreciate this, since it takes up a lot of important course time. You should decide yourself whether you think this is useful. We recommend that you do not do this with large groups. However, to obtain a general impression about the previous knowledge of the participants, you can use additional questions during the discussion to find out about the knowledge and wishes of the participants.

Examples of questions are: Do you use these? Discussion Questions Use the following questions to engage the participants in the discussion. Feel free to use your own additional questions. Why are authorizations used? What are the elements of a role?

What does SAP mean by role-based authorization concept? Who already uses or is implementing this? What advantages does the use of roles provide? What is access control? Which steps are necessary for a user menu to be displayed for a user? Lesson: The methodology used here to implement a role and authorization concept consists of five steps (preparation, analysis and conception, implementation, quality assurance and test, and cutover), which will be described in more detail in this lesson.

User and authorization administration are defined, specified, and implemented in parallel to these five steps. When doing so, you should emphasize that it is not only the people who must create a new concept that are being addressed here.

In comparison to new customers, it is often much more difficult for those new to authorizations to understand an existing concept and to create their own method for their daily work. Concepts that have developed over the course of years are often badly structured, and seldom comprehensible. Business Example Before going live, your company wants to implement an authorization concept.

The steps required to realize the authorization concept must be planned in the context of the entire implementation process. During the planning phase you want to estimate the time and personnel resources needed. It is therefore advantageous if you know the method and can describe the procedure in your own words. It is always very difficult for beginners to find a common thread.

They often do not know where and with what they should begin, or what the next step is. It is for exactly this reason that the VSAP method is used as the basis. However, the basic idea behind the method is no less useful because of this. If a customer enquires about a successor product to VSAP, be careful to describe that the Solution Manager does not currently provide any comparable content.

Implementation Methods and Authorizations The procedure used here is based on the principles of the SAP implementation method. Many consultancy companies use a similar model, usually with their own name. When combined, the individual steps of this method ensure quick and efficient implementation of the SAP system. Setting up an authorization concept must be planned and implemented step-by-step using a project plan.

In the example used here, the project was divided into five key points at the uppermost level (these are often also called phases): The Business Blueprint is a visual representation of the status of the company which is to be realized in the SAP implementation.


All business processes are analyzed and described here. This is the basis for the later authorization concept. The business processes created and described in the previous phase are the starting point for the implementation of the roles. With the next figure, use keywords to outline the activities that are required to introduce a role and authorization concept. Explain also that user and authorization administration is defined in parallel to these activities.

Call the URL www. Role and Authorization Concept: Steps To fulfill a certain task, the employee responsible must normally use several applications.

The transactions and reports used for a business activity can be combined into roles. It is important that users can only process those tasks that they are authorized to perform, and are prevented from making unintentional or incorrect changes in system areas which are outside their competence.

Since all SAP components use authorizations to control access to their functions, administrators only assign those authorizations to each role that are necessary to perform the role-specific tasks. Besides authorizations, a role comprises the user menu specifications. When a user logs on to an SAP system, the system displays a user-specific menu, with selected transactions, reports, and Internet links in the form of a tree structure.

This menu is based on the assigned role. Users can only access transactions and reports that they are authorized to use. This eliminates unnecessary functions from the navigation structure.

When developing the role and authorization concept, the challenge is to coordinate business requirements at a cross-department level and protect sensitive data against potential dangers. This is why we recommend that you develop the role and authorization concept as a separate project.

You should follow the procedure explained in this training course and use the demonstrated method for orientation. It is important that you explain the importance of preparation to the participants with the next figure.

ALL contacts from user departments should be informed about the project during the initial discussions. If cooperation is later required from a department that was not informed, it often creates obstacles, and therefore slows down further implementation. Step 1: Preparation Set up a team responsible for the specification and implementation of the user roles and the authorization concept. Identify the business areas affected and their special security requirements.

Like the control mechanisms selected, these can vary from area to area. Normally, the security requirements of the Human Resources department are more demanding than those of other departments. Therefore you must first determine the desired security level. Consider the different security requirements for production, test and development environments.

Also bear in mind that user roles often need to access multiple systems and may therefore require different functions and authorizations depending on the system. Train the team for roles and authorizations with regard to specification and implementation topics. The team members must be familiar with the basic principles of the SAP authorization concept and the available control and administration tools such as central user administration.

The members responsible for implementation must be able to use the Profile Generator. Since the role and authorization project requires the cooperation of various business areas and departments, SAP recommends that you inform the responsible employees of the project targets set and establish communication channels at an early stage to ensure efficient handling.

Point out again that the complexity of an authorization concept requires teamwork. Input from the user departments is required to define the roles. The members of the project team have the following tasks: When developing the role and authorization concept, the challenge is to coordinate business requirements at a cross-department level and protect sensitive data against potential dangers.

While user roles and the authorization concept are specified with the cooperation of the individual business areas, they are normally implemented by the IT department. This is why you must set up a cross-area and cross-department project team.

The team members have the following tasks: To ensure that both the authorization concept and the procedures for user administration and authorization management comply with the control regulations of the company, the internal invoice verification department must be involved in the authorization project at an early stage.

Step 2: This is an internal note; do not pass this information on to the customers. However, it no longer provides any information for an authorization concept.

It is no longer possible to create and use authorization lists. Demonstrate to the participants how you can create a Microsoft Excel list for the authorization concept in the system itself. Determine task profiles based on the organization chart and a business process analysis.

Check if SAP role templates can be used. Make any required adjustments if role templates are used. Check the role and authorization concept.

To detect any shortcomings in conception before actual implementation, SAP recommends that you create a prototype of the concept. Use the next figure to clarify the basic principles of the role-based authorization concept again. Specification of the role and authorization concept: Technical Conception: Role Implementation 1 User roles are technically implemented using individual, composite, and derived roles.

Based on the transactions and reports selected for each role, the Profile Generator automatically determines all authorization objects required for performing the functions specified, and creates the corresponding authorization profile. Using individual, composite, and derived roles, you can model the role structure in two ways: If some functions are used unchanged in multiple roles, the associated transactions and reports are contained in several individual roles.

If general function modifications are required, this consequently affects several individual roles. In this case, the individual and derived roles represent activity blocks, that is, groups of interrelated functions for example: Since individual and derived roles contain encapsulated functions, they can be used in multiple or composite roles.

The advantage of this approach is that multiple access to transactions used in several individual roles is avoided. Therefore, organizational or process-related modifications that affect several user roles can be applied by adjusting a single role. Use the next three figures to explain the development of a concept again.

When creating the Business Blueprint, you determine which processes are to be implemented in the context of the implementation. The resulting set of business processes that are used and can be mapped in the SAP system is, in this example, saved as a Microsoft Excel list. The user roles are created and completed in this authorization list. A similar list can also be generated in the SAP system. In this case, the list is component-oriented, and not process-oriented as in our example.

Demonstrate for the participants the way in which you can generate a component-oriented list in the SAP system. The SAP role templates can be used as a basis for analyzing and developing the company-specific roles and the authorization concept. They are only intended as templates with examples for the authorization settings.

Figure: Complete User Roles 1. The authorization list is a Microsoft Excel table that helps the project team to model the user roles before they are implemented in the SAP system.

Using this list, the roles can be developed before the system is installed. In the authorization list, you create user roles and specify the associated transactions. In this example, it consists of two worksheets:

Worksheet 1, Process View (Roles Design - Scope): The structure shows the business processes that were selected during the analysis and conception of the enterprise. The job roles and user roles are specified and linked with the processes here.

Worksheet 2, Transaction Overview for each Role (T Code for each Role): After the modeling on sheet 1, you can generate an overview of the transaction assignments for each role in this transaction overview.

You can see block formation of the role contents in the next figure. With this figure, remind the participants that the role formation does not depend on the repeatedly used transactions, but rather on the enterprise requirements.

This is also described in the note under the figure. Figure: Complete User Roles 2. Modeling the role structure: Analyze the authorization list and determine the areas in which access to several transactions is needed.

Activity blocks such as this can be created as roles. To simplify implementation, you can subsequently modify roles during the technical conception phase, for example, by adding functions so that activity blocks already defined can be reused.


Note that access to the same transactions and reports is not a sufficient criterion for the existence of an activity block. Since authorizations may vary even at field level, you must implement the different variants of individual activity blocks as separate or derived roles. You can use the next figure to explain another approach.

The composite role: Roles can be technically implemented in composite roles such as job roles. Composite roles contain multiple single roles, which contain logically related transactions, known as activity blocks. Single roles are thus used according to a building block principle.

In turn, composite roles encapsulate these functions as reusable modules, such as the job role of an accounts payable accountant. Role Implementation 2: During the first conception and implementation approach, individual functions are encapsulated in separate roles, for example, the Basis authorizations of the end users. From a technical point of view, all elements of the authorization concept must be assigned a unique identifier. This is why you must define individual naming conventions for all role types.

The following text addresses the naming conventions for roles for the first time. If you want to decentralize user and authorization management, the naming conventions are also required for administrative purposes.


In this case, the access rights of the decentralized administrators should be limited to those composite roles that belong to a specific business area and thus apply only to a restricted namespace. Since roles are divided into individual and derived roles, the user roles created in this step may be different from the original specification defined during the development phase.

For example, the roles may contain more or fewer activities (transactions and reports). This is why you must check that the roles have been properly defined before implementation. SAP recommends that you carry out a test implementation of the user roles and authorization concept in order to check the technical conception. Step 3: Ask the participants: Do you know all of the authorization objects or authorization fields that are checked for a particular transaction?

Implementation: From a technical point of view, user roles (job roles) can be implemented as composite roles using the Profile Generator. Composite roles consist of individual and derived roles that each contain the relevant authorizations and menu data. Authorizations specify the scope of access to data and functions. User menus use hierarchical structures to specify the access path to the transactions, reports, and Internet pages released for a specific user. Individual roles either describe higher-level functions that are independent of organizational or application-specific restrictions, or serve as templates for creating derived roles; the template roles themselves are not subject to any restrictions.

The derived roles contain the desired organizational or application-specific restrictions. For each responsibility area, you create a derived role from an existing individual role. Step 4: In addition, the responsible area manager must approve the role and authorization concept implemented. Explain the need for testing again.

The following should be checked during the tests (see also the text below the figure). If the customers finish the implementation of the authorization concept before the end user training, the training can be used to perform an additional test.

You should use predefined test scenarios that cover all business processes implemented. The test scenarios should include both positive and negative checks of the authorizations of the individual roles.

The positive test checks whether the functions are executed as desired, while the negative test must confirm that all restrictions defined are observed. For example, a human resources administrator can display the users for a specific work center, but not the records for other work centers. The test scenarios must cover all functions that are to be performed by a user role.

If a function cannot be called during the test, you must correct the user roles and the authorization concept. Note that changes may affect several derived roles. In extreme cases, you must revise the entire role and authorization concept. You may also be required to modify the user menus in order to simplify access to the functions.

To ensure that the system becomes more user-friendly, the project team responsible should closely cooperate with the representatives of the relevant business areas. After fine-tuning the user roles, you must repeat the tests as often as necessary until the user roles implemented completely comply with the security and usability requirements.
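As an added example (not from the handbook and not SAP's own software), the following Python model shows the structure and test procedure described in this unit: single roles carrying transactions and authorizations, derived roles that replace only the organizational field values, composite (job) roles bundling them, a user buffer built from the assigned roles, and a scenario run with positive and negative checks. S_TCODE and P_ORGIN are SAP authorization objects, but every role name (Z_...), personnel area, and scenario below is constructed sample data.

```python
"""Model of single, derived and composite roles with a positive/negative test run.
Added example; role names (Z_...), personnel areas and scenarios are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Authorization:
    """One authorization: an authorization object plus a value set per field."""
    obj: str
    fields: Tuple[Tuple[str, FrozenSet[str]], ...]

    def covers(self, obj: str, requested: Dict[str, str]) -> bool:
        # Like AUTHORITY-CHECK: every requested field must be satisfied by this one
        # authorization; '*' stands for full authorization on a field.
        if obj != self.obj:
            return False
        values = dict(self.fields)
        return all(f in values and (v in values[f] or "*" in values[f])
                   for f, v in requested.items())


def auth(obj: str, **fields: Iterable[str]) -> Authorization:
    return Authorization(obj, tuple((f, frozenset(v)) for f, v in fields.items()))


class SingleRole:
    """A single role: its transactions (menu) and the authorizations needed for them."""
    def __init__(self, name: str, transactions: Iterable[str],
                 authorizations: Iterable[Authorization]):
        self.name = name
        self.transactions = frozenset(transactions)
        self.authorizations = list(authorizations)

    def profile(self) -> List[Authorization]:
        # The Profile Generator adds S_TCODE for the role's transactions automatically.
        return [auth("S_TCODE", TCD=self.transactions)] + self.authorizations

    def derive(self, name: str, **org_levels: Iterable[str]) -> "SingleRole":
        # Derived role: same transactions; only the organizational fields named in
        # org_levels (e.g. PERSA, personnel area) get new values, the rest is inherited.
        derived = []
        for a in self.authorizations:
            fields = tuple((f, frozenset(org_levels[f]) if f in org_levels else v)
                           for f, v in a.fields)
            derived.append(Authorization(a.obj, fields))
        return SingleRole(name, self.transactions, derived)


class CompositeRole:
    """A composite (job) role: a bundle of single/derived roles, no authorizations of its own."""
    def __init__(self, name: str, roles: Iterable[SingleRole]):
        self.name = name
        self.roles = list(roles)

    def profile(self) -> List[Authorization]:
        return [a for r in self.roles for a in r.profile()]


def user_buffer(assigned: Iterable[CompositeRole]) -> List[Authorization]:
    """All authorizations loaded for a user at logon, as one flat list."""
    return [a for role in assigned for a in role.profile()]


def authority_check(buffer: List[Authorization], obj: str, **requested: str) -> bool:
    return any(a.covers(obj, requested) for a in buffer)


# --- constructed sample roles ---------------------------------------------------
# Template single role for HR display access. PERSA is left as a placeholder that
# each derived role fills with its own personnel area (constructed values).
Z_HR_DISPLAY = SingleRole("Z_HR_DISPLAY", transactions=["PA20"],
                          authorizations=[auth("P_ORGIN", AUTHC=["R"], PERSA=["$PERSA"])])
Z_HR_DISPLAY_1000 = Z_HR_DISPLAY.derive("Z_HR_DISPLAY_1000", PERSA=["1000"])
Z_HR_DISPLAY_2000 = Z_HR_DISPLAY.derive("Z_HR_DISPLAY_2000", PERSA=["2000"])
Z_BASIS_ENDUSER = SingleRole("Z_BASIS_ENDUSER", transactions=["SU3"], authorizations=[])
Z_JOB_HR_ADMIN_1000 = CompositeRole("Z_JOB_HR_ADMIN_1000",
                                    [Z_HR_DISPLAY_1000, Z_BASIS_ENDUSER])

# Test scenarios: (name, object, requested field values, expected outcome).
# Positive scenarios must succeed, negative ones must be refused.
SCENARIOS = [
    ("pos: start PA20",          "S_TCODE", {"TCD": "PA20"}, True),
    ("pos: display area 1000",   "P_ORGIN", {"AUTHC": "R", "PERSA": "1000"}, True),
    ("neg: no change access",    "P_ORGIN", {"AUTHC": "W", "PERSA": "1000"}, False),
    ("neg: other area 2000",     "P_ORGIN", {"AUTHC": "R", "PERSA": "2000"}, False),
    ("neg: PA30 not in role",    "S_TCODE", {"TCD": "PA30"}, False),
]


def run_scenarios(assigned: Iterable[CompositeRole], scenarios=SCENARIOS) -> Dict[str, bool]:
    """Per scenario: True if the observed check result matched the expected outcome."""
    buf = user_buffer(assigned)
    return {name: authority_check(buf, obj, **req) == expected
            for name, obj, req, expected in scenarios}


if __name__ == "__main__":
    for name, ok in run_scenarios([Z_JOB_HR_ADMIN_1000]).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

The derived roles share the template's transactions and differ only in the organizational field, which is why a change to the template must be re-derived into every derived role and the whole scenario list re-run afterwards, as the unit's testing step requires.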

Step 5: