How to Properly Maintain Security using Profile Generator.


1 How to Properly Maintain Security using Profile Generator

2 Objective SAP Security Overview Profile Generator Best Practice Summary

3 SAP Security Overview: User (USER ID, e.g. TTSAN) - Security Role 1, Security Role 2, Security Role 3

4 SAP Security Overview: Security Role (e.g. Security Administrator) - Profile 1, Profile 2, Profile 3

5 SAP Security Overview: Profile (contains up to 150 Authorizations) - Authorization 1, Authorization 2, ..., Authorization 150

6 SAP Security Overview: Authorization Object 1, e.g. S_TCODE - Field (TCD), Value (SU01)

7 SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP - Field (ACTV), Value (01, 02, 03, 06); Field (CLASS), Value (Customer-Defined)

8 SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP - Field (ACTV), Value (01, 02, 06); Field (CLASS), Value (HOUSTON)

9 SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP - Field (ACTV), Value (03); Field (CLASS), Value (*)

10 SAP Security Overview: Execute “SU01” – Change User. AUTHORITY-CHECK “Authorization1”: Object 1 = “S_TCODE”, TCD = “SU01”

11 SAP Security Overview: Execute “SU01” – Change User. AUTHORITY-CHECK “Authorization2”: Object 2 = “S_USR_GRP”, ACTV = “02”, CLASS = “HOUSTON”
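
The checks on slides 6 to 11, modelled in Python as an added example (not part of the original presentation and not SAP code). It assumes a user holding the authorizations from slides 6, 8 and 9; the user group DALLAS is constructed, and the return codes follow the sy-subrc values ABAP sets after AUTHORITY-CHECK.

```python
# Simplified model of AUTHORITY-CHECK evaluation (added example, not SAP code).
# Field names TCD, ACTV and CLASS are written as on the slides.

def value_matches(granted, requested):
    """A granted value matches exactly, or as a prefix when it ends in '*'."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested

def authorization_covers(fields, requested):
    """A single authorization passes only if it covers EVERY requested field."""
    return all(
        any(value_matches(g, want) for g in fields.get(name, ()))
        for name, want in requested.items()
    )

def authority_check(user_auths, obj, **requested):
    """Return 0 (pass), 4 (object held, values not covered) or 12 (object not
    held). The codes mirror sy-subrc after an ABAP AUTHORITY-CHECK."""
    held = [fields for o, fields in user_auths if o == obj]
    if not held:
        return 12
    return 0 if any(authorization_covers(f, requested) for f in held) else 4

# Constructed user master: the authorizations from slides 6, 8 and 9.
USER_AUTHS = [
    ("S_TCODE", {"TCD": ["SU01"]}),
    ("S_USR_GRP", {"ACTV": ["01", "02", "06"], "CLASS": ["HOUSTON"]}),
    ("S_USR_GRP", {"ACTV": ["03"], "CLASS": ["*"]}),
]

def run_checks(auths=USER_AUTHS):
    """DALLAS is a constructed user group that is not on the slides."""
    return {
        "start SU01": authority_check(auths, "S_TCODE", TCD="SU01"),
        "change HOUSTON user": authority_check(auths, "S_USR_GRP", ACTV="02", CLASS="HOUSTON"),
        "display DALLAS user": authority_check(auths, "S_USR_GRP", ACTV="03", CLASS="DALLAS"),
        # 02 and '*' sit in different authorizations, so they do not combine.
        "change DALLAS user": authority_check(auths, "S_USR_GRP", ACTV="02", CLASS="DALLAS"),
        "start MM01": authority_check(auths, "S_TCODE", TCD="MM01"),
        "no object held": authority_check(auths, "S_ADMI_FCD", S_ADMI_FCD="SM02"),
    }

if __name__ == "__main__":
    for label, rc in run_checks().items():
        print(f"{label}: {rc}")
```

Values are only combined within one authorization, which is why display access to every group (slide 9) does not widen the change access limited to HOUSTON (slide 8).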

12 Profile Generator Transaction

13 Profile Generator Change authorization data

14 Profile Generator Expert mode for profile generation

15 Profile Generator Delete and recreate profile and authorizations

16 Profile Generator Edit old status

17 Profile Generator Read old status and merge with new data

18 SAP Security Overview Missing Organization Value $BURKS

19 Profile Generator Organizational Level

20 Profile Generator Missing Customer-Defined Value

21 Profile Generator No open field

22 Profile Generator Authorization Status

23 Profile Generator Authorization Status
   STANDARD - SAP Standard Value
   MAINTAIN - Customer Maintained Value
   CHANGED - SAP Standard Value maintained by Customer
   MANUALLY - Manually inserted Value

24 Profile Generator Removing Authorization Value: S_USR_GRP 01, 02, 03, 05, 06, 08, 24

25 Profile Generator Removing Authorization Value: Status = Changed

26 Profile Generator Common Security Issue: New Authorization

27 Profile Generator Best Practice: Make Copy, Inactive Original

28 Profile Generator Best Practice: Make changes to copy

29 Profile Generator Best Practice: Changed Authorization without Inactive Standard

30 Profile Generator Best Practice: Double-click to add comment

31 Profile Generator M_MATE_MAT (01, 02): Does making changes to the copied authorization apply to all situations?

32 Profile Generator Where-Used Icon

33 Profile Generator Where-used MM01 = 01

34 Profile Generator Adding Authorization Value: What if you want to add value 03?

35 Profile Generator SU53 Errors: What if SU53 indicates that MM01 requires an Activity of 24?

36 Profile Generator Static Value vs. Dynamic Value
   Static Value – a value that is required by a transaction no matter who executes it.
   Dynamic Value – a customer-defined value such as company code.

37 Profile Generator Static Value: MM01 always requires an Activity of 01?

38 Profile Generator Dynamic Value: Company Code value may vary from user to user depending on business restriction.

39 Profile Generator Static Value vs. Dynamic Value
   Static Value – add to USOBT using transaction SU24.
   Dynamic Value – add directly to the Authorization or Org. Data.

40 Profile Generator Reorganize & Generate: Authorization counter = 1

41 Profile Generator Reorganize & Generate: Reorganize

42 Profile Generator Reorganize & Generate: Authorization counter = 0

43 USOBT – SU24 Overview

44 Profile Generator Summary of Rules and Restrictions
   1. NEVER modify S_TCODE unless the Role is built manually.
   2. Modify Standard delivered authorization:
      a. Only modify when there’s a request to REMOVE authorization and IF AND ONLY IF no other transaction is linked to that value. Otherwise, removing the transaction will remove the value.

45 Profile Generator Summary of Rules and Restrictions
   2. Modify Standard delivered authorization (CONT’D):
      b. Always make a copy of the authorization and make changes.
      c. Inactivate the original authorization.
      d. Modify the copied authorization; the status becomes Changed.
      e. Double-click on the description of the authorization to document the reason. The same applies to manually inserted authorizations.

46 Profile Generator Summary of Rules and Restrictions
   3. If a Changed authorization exists without an inactivated Standard authorization, delete the Changed authorization.
   4. Bogus SU53 check most of the time:
      a. S_ADMI_FCD (SM02).
      b. S_CTS_ADMI.
      c. S_LAYO_ALV (023).
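
A review of a role against rules 1, 2a, 2e and 3, sketched in Python as an added example (not part of the original presentation and not an SAP tool). The record layout, the sample role and the MM02 proposal are constructed; status names follow slide 23 and the field name ACTV is written as on the slides.

```python
# Added example: audit a role's authorization list against the summary rules.
# Record layout and sample data are constructed; status names follow slide 23.
from collections import namedtuple

Auth = namedtuple("Auth", "obj status active comment")

def audit_role(auths, built_manually=False):
    """Return (object, finding) pairs for rules 1, 2e and 3."""
    findings = []
    inactive_std = {a.obj for a in auths if a.status == "STANDARD" and not a.active}
    for a in (a for a in auths if a.active):
        edited = a.status in ("CHANGED", "MANUALLY")
        # Rule 1: S_TCODE is only edited by hand in manually built roles.
        if a.obj == "S_TCODE" and edited and not built_manually:
            findings.append((a.obj, "rule 1: S_TCODE modified"))
        # Rule 3: a Changed authorization must pair with an inactivated Standard.
        if a.status == "CHANGED" and a.obj not in inactive_std:
            findings.append((a.obj, "rule 3: no inactive Standard, delete"))
        # Rule 2e: Changed and manually inserted authorizations carry a reason.
        if edited and not a.comment:
            findings.append((a.obj, "rule 2e: reason not documented"))
    return findings

def linked_transactions(proposals, menu, obj, field, value):
    """Rule 2a: menu transactions whose SU24/USOBT proposal carries the value."""
    return sorted(t for t in menu
                  if value in proposals.get(t, {}).get((obj, field), ()))

# Constructed role content.
ROLE = [
    Auth("S_TCODE", "STANDARD", True, ""),
    Auth("M_MATE_MAT", "STANDARD", False, ""),
    Auth("M_MATE_MAT", "CHANGED", True, "value removed on request (constructed note)"),
    Auth("S_USR_GRP", "CHANGED", True, ""),
    Auth("S_LAYO_ALV", "MANUALLY", True, ""),
]
# Constructed proposals; MM01 = 01 is from slide 33, MM02 = 02 is assumed.
PROPOSALS = {
    "MM01": {("M_MATE_MAT", "ACTV"): ["01"]},
    "MM02": {("M_MATE_MAT", "ACTV"): ["02"]},
}

if __name__ == "__main__":
    for obj, finding in audit_role(ROLE):
        print(obj, "-", finding)
    print(linked_transactions(PROPOSALS, ["MM01", "MM02"], "M_MATE_MAT", "ACTV", "02"))
```

A non-empty result from `linked_transactions` means the value is still tied to a transaction in the menu, so rule 2a says not to remove it by editing the authorization.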

47 Profile Generator Question?

48 Profile Generator Contact Information Thomas Tsan SAP Security Architect TK Consultants, Inc. Phone: (281)

49 Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code: [801]

