APM Contents
- APM – PFCG Overview
- APM – Role Management: Authorization Trace, Role Maintenance/Derived Roles, Mass Changes
- APM – Risk Management: Risk and Process Definition, Pro-active Risk and Process Analysis, Risk and Process Analysis Reports
- APM – Basis Configuration: Special User Monitor, Batch-Job Monitor
- APM – References: Online Tutorial, Support Forum, Contact Information
APM Overview Created by a team of experienced consultants with client input to provide an effective and efficient way to manage authorizations. The process-oriented approach creates the minimum authorizations necessary to perform a business process. Role management features reduce administration cost. Risk management features provide a clear view of Segregation of Duties.
APM – PFCG Overview Authorization Trace
Function | APM / PFCG | Note
Launching an authorization trace | Yes | APM has a function used to launch and stop an authorization trace. The profile generator does not have this function, which is available only via Transaction ST01.
Retrieving authorization trace to workspace for role generation | Yes / No | The profile generator allows only the manual addition of data from the authorization trace.
Simplified user interface to launch authorization trace | Yes / No | APM automatically adjusts all settings required for an authorization trace. Except for two texts and the user to be recorded, no additional information is necessary.
APM – PFCG Overview Mass Change Function within a Role
Function | APM / PFCG | Note
Mass change for ORG fields | Yes |
Mass change for non-ORG fields | Yes / No |
Mass change across a version (several fields) | Yes / No | A "normal" mass change always consists of changing the mass of one field. A mass change across a version can be performed for numerous fields. Example: The company code 0001 always has the chart of accounts INT, always the sales organization 0001, always the plants 001 and 002, etc. If such statements are possible, then such chains can be saved as versions (one-time procedure) and can then be utilized for mass changes via numerous fields.
APM – PFCG Overview Upload/Download
Function | APM / PFCG | Note
Authorizations of roles without menu | Yes / No |
Authorizations of roles with menu | No / Yes |
Authorizations of profiles (not assigned to any role) | Yes / No |
Authorizations of an authorization trace | Yes / No |
APM – PFCG Overview General Workspace Information
Function | APM / PFCG | Note
Workspace with Undo/Redo function | Yes / No | APM has Undo/Redo functions similar to those offered by MS Word or Excel.
Consistency check when retrieving roles, profiles, authorizations, traces, and transactions | Yes / No | APM checks and verifies the following when retrieving authorizations: missing entry in check table for objects with field activity; missing entry in the original table of profiles (USR* tables); missing entry in the performance tables of profiles (UST* tables). If the retrieved authorization is invalid or flawed (e.g., if the SAP_NEW profile is flawed or defective in the K_ABC authorization object, a value is missing in one field in this case), APM indicates this flaw or defect by displaying a warning bell symbol. The following are possible defects or flaws: A value was not assigned to a field, incorrect technical field name, etc.
APM – PFCG Overview General Workspace Information
Function | APM / PFCG | Note
Assigning full authorization * to empty fields | Yes | In APM, the affected range for this function can be selected by marking authorizations.
Assigning full authorization * to all fields | Yes / No | In APM, the affected range for this function can be selected by marking authorizations.
Additional save options for authorizations in addition to download and generation | Yes / No | APM has additional save options for authorizations, namely the lists. Authorization data is saved to a separate database table, which can be read by APM.
Subsequent verification of critical authorizations/objects | Yes | In APM, roles can be monitored using risk and process analyses. Report RSUSR002 of the profile generator is one method of monitoring.
Verification of critical authorizations/objects during role creation | Yes / No | Risk analyses can be added to the work screen. If an authorization/object is added that appears in the risk analysis, this authorization/object is marked with a red or yellow traffic light. The user thus has the opportunity to respond to critical authorizations/objects as early as during role creation.
APM – PFCG Overview Role Creation via Transactions
Function | APM / PFCG | Note
Transaction synchronization when adding transactions to role menu | Yes |
Transaction synchronization when deleting transactions from role menu ("Activity" authorization field was not changed manually) | Yes |
Transaction synchronization when deleting transactions from role menu ("Activity" authorization field was changed manually) | Yes / No | The delete routine of the profile generator is no longer effective as soon as the "Activity" field was manually changed. Objects can then be deleted only manually.
Importing to the role menu the transaction code added to the workspace | Yes / No | APM adds all transactions added to the APM list screen to the role menu in an unstructured format. A folder is created where all new transactions are added one below the other.
APM – PFCG Overview Role Creation via Transactions
Function | APM / PFCG | Note
Deleting from the role menu transactions added to the workspace | Yes / No | If transactions are removed from the APM workspace, APM automatically deletes these transactions and empty folders from the role menu. This is a purely manual task when using the profile generator.
Synchronization function for transaction code also in workspace | Yes / No | APM not only synchronizes transactions with roles based on menu changes but this function is also available from the workspace.
Is it possible to forego inactive authorizations meant as protection during the transaction synchronization? | Yes / No | APM does not require any inactive authorization objects with a protective function during the transaction synchronization.
APM – PFCG Overview Role Creation via Transactions
Function | APM / PFCG | Note
Is it possible to compress authorizations? | Yes |
Is it practical to compress authorizations? | Yes / No | Compression is generally advisable since this reduces the number of authorizations. However, when using the profile generator, compression can lead to additional authorizations being added during the next transaction synchronization due to the compression. APM does not have this problem.
Assign ownership to Role | Yes / No | Assigning an owner to a role during Generation assists the security administrator to identify who to contact for approval.
APM – PFCG Overview Analysis Options
Function | APM / PFCG | Note
Are analysis options available for individual authorization objects or authorizations? | Yes |
Are analysis options available for numerous authorization objects or authorizations? | Yes / No | Only individual objects/authorizations can be queried in the SAP analysis report (e.g., RSUSR002). APM offers the option of assigning and evaluating diverse fields to a risk version.
Are analysis options available for authorization chains with up to three authorizations? | Yes |
Are analysis options available for authorization chains with more than three authorizations? | Yes / No | Reports are only able to evaluate process chains with up to three authorizations. APM's process analyses are not restricted in this respect.
APM - Role Management Authorization Trace Defined from the SAP point of view in cooperation with the user departments. No need to learn how SAP-System trace is handled. Easily troubleshoot and resolve authorization issues. The logged authorizations represent the minimum specifications. Retrieve to workspace for role generation or add to existing role.
APM - Role Management Authorization Trace When entering a trace for multiple users, please note that this trace can be activated and deactivated only for all users together. APM user traces must be deactivated and deleted via APM. APM users must always log in to the defined application server.
APM - Role Management Authorization Trace Non-observance of these rules may lead to the following problems: You can no longer start or end a user trace via APM. This may happen when an APM user trace has been stopped via SAP-Standard. In this case, it is absolutely mandatory to terminate the trace via SAP-Standard (Transaction ST01). Only thereafter are all functions available again. You cannot import or delete a user trace, and you get the message that this user trace no longer exists at operating system level. This may happen when an APM user trace has been deleted via SAP-Standard instead of via APM. In this case, use the menu item Utilities – Reconciliation of tables.
APM - Role Management List Functions Authorization list is the working platform of APM where authorizations and authorization objects can be entered, deleted, or changed. When saving a list, no change documents are created. Inactive authorization no longer necessary. Compress List (Merger) will not create new authorization. Mass authorization change. Undo and redo.
APM - Role Management PFCG - Inactive Authorization Remove value “01, 06, 24”
APM - Role Management PFCG - Inactive Authorization New authorization is inserted
APM - Role Management PFCG - Inactive Authorization Best practice is to create a copy, inactivate, and make changes to the copied authorization
APM - Role Management PFCG - Inactive Authorization When standard transaction is deleted the changed authorization remains
APM - Role Management APM - Inactive Authorization APM will not insert a “New” authorization. Notice that there is no status within APM.
APM - Role Management APM - Inactive Authorization APM will delete all “Standard and Changed” authorizations.
APM - Role Management APM – Derived Role Deviation Folder All inherited field values from the master role can be modified. Deviations can be field-related or object-related. All deviation folders can be used for the automatic mass change. Extension Folder Add additional authorizations to the dependent role. Always use “After Mass Change”.
APM - Role Management Mass Authorization Change Mass change multiple field values via Deviation Folder. Manually mass change a single field.
APM - Risk Management Risk Analysis A collection of critical authorization objects. Pro-actively identify Risks during Role maintenance. Exclusion objects are inactive in role. Risk analysis discovers weaknesses and security gaps within the authorizations and enables a direct elimination of these risks.
APM - Risk Management Document Risk Version Risk Analysis
APM - Risk Management Risk can be defined as: Object Single occurrence Risk Analysis
APM - Risk Management Process Analysis A collection of critical combination of authorization objects. Pro-actively identify Process Analysis during Role maintenance. Unlimited business process chain per Version.
APM – Risk Management Multiple Process Chains per Version Process Analysis
APM – Risk Management Process Analysis Transaction combinations can be defined in set
APM – Risk Management Process Analysis Report Process to User or Role Report
APM – Risk Management Process Analysis Report Report can be executed for User(s) or User Group
APM – Risk Management Process Analysis Report Users to Process Chains
APM – Risk Management Process Analysis Report Process Chains to Users
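As an added illustration of the process analysis and its two report directions (process chains to users, users to process chains), the following Python example evaluates chains of more than three authorizations against user authorizations. It is not APM's code: the user names, chain names and authorization values are constructed, and the matching rule (one single authorization must satisfy every field of a step, with `*` as full authorization or as a trailing pattern) is an assumption modelled on the standard SAP authorization check.

```python
# Constructed sample data, not taken from APM or any real system.
# An authorization is (object, {field: granted values}); "*" is full authorization.
USERS = {
    "ALICE": [("S_TCODE", {"TCD": ["FK01", "ME21N"]}),
              ("F_LFA1_BUK", {"ACTVT": ["01", "02"], "BUKRS": ["0001"]})],
    "BOB": [("S_TCODE", {"TCD": ["*"]}),
            ("F_LFA1_BUK", {"ACTVT": ["01"], "BUKRS": ["0001"]}),
            ("F_LFA1_BUK", {"ACTVT": ["03"], "BUKRS": ["*"]})],
    "CAROL": [("S_TCODE", {"TCD": ["F*", "M*"]}),
              ("F_LFA1_BUK", {"ACTVT": ["*"], "BUKRS": ["*"]})],
}
# Hypothetical process chains: every step must be held for the chain to match.
CHAINS = {
    "P2P_FULL": [("S_TCODE", {"TCD": "FK01"}),
                 ("F_LFA1_BUK", {"ACTVT": "01", "BUKRS": "0001"}),
                 ("S_TCODE", {"TCD": "ME21N"}),
                 ("S_TCODE", {"TCD": "MIGO"}),
                 ("S_TCODE", {"TCD": "F110"})],
    "VENDOR_CC_0002": [("S_TCODE", {"TCD": "FK01"}),
                       ("F_LFA1_BUK", {"ACTVT": "01", "BUKRS": "0002"})],
}

def covers(granted, wanted):
    """A granted value covers wanted if equal, '*', or a prefix pattern like 'F*'."""
    return any(g == wanted or (g.endswith("*") and wanted.startswith(g[:-1]))
               for g in granted)

def holds(auths, step):
    """One single authorization must satisfy every field of the step.
    Merging values across authorizations would wrongly flag BOB for BUKRS 0002."""
    obj, fields = step
    return any(o == obj and all(covers(vals.get(f, []), v) for f, v in fields.items())
               for o, vals in auths)

def chains_to_users(users=USERS, chains=CHAINS):
    """Report direction 'process chains to users'."""
    return {name: sorted(u for u, auths in users.items()
                         if all(holds(auths, s) for s in steps))
            for name, steps in chains.items()}

def users_to_chains(users=USERS, chains=CHAINS):
    """Report direction 'users to process chains'."""
    by_chain = chains_to_users(users, chains)
    return {u: sorted(c for c, hit in by_chain.items() if u in hit) for u in users}

if __name__ == "__main__":
    for chain, hit in chains_to_users().items():
        print(chain, "->", hit)
```

BOB holds activity 01 only for company code 0001 and company code `*` only for activity 03, so he is not reported for the second chain; a check that pooled field values across authorizations would produce that false positive.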
APM - Basis Configuration Expert mode Verify if Transaction is valid before generation
APM - Basis Configuration Always check Menu…-Delete and Create to prevent direct modification of S_TCODE Activate Role ownership
APM - Basis Configuration Set Proactive Risk or Process Authorization Analysis Sequence Analysis: Object then Single Occurrence
APM - Basis Configuration Always select “Confirm all automatically”
APM – Basis Configuration Standard APM functions for List, Deviation, and Mass Changes
APM - Basis Special Users Emergency or Special users are defined for supervision. 3-Level Security Concept Every login of a safety-relevant special user causes a system log message to be written, and can be evaluated. All activities of a safety-relevant special user are recorded on transaction- and/or program level, and can be evaluated. All activities of safety-relevant special users are recorded within transactions or programs down to the used function, and can be evaluated.
APM - Basis Batch-Job-Monitor Automatic supervision of jobs in the SAP environment. The monitoring is planned periodically, and the monitoring tools optionally send mails and/or express mails, or print error messages on the printer as soon as erroneous jobs are detected within a defined period of time (cycle). This method makes it possible to optimize error handling through in-time reporting to the responsible person(s).
APM - Basis Directory Viewer SAP-Explorer – enables a direct administration of directories and files of the SAP-Server without having to go to the operating system. In addition to the display, copy, and delete file functions, the SAP-Explorer also supports the Upload and Download of files.
APM – Next Steps Many new functionalities have been added… More will be implemented by Q4/05 and Q1/06. Please give us the opportunity to learn more about your requirements and show your basis/security team a brief online demonstration of APM’s powerful functionalities. Schedule a presentation at: 813-283-0070 or email@example.com