Presentation transcript: "How to Properly Maintain Security using Profile Generator"

Slide 1: How to Properly Maintain Security using Profile Generator

Slide 2: Objective
Agenda: Objective, SAP Security Overview, Profile Generator Best Practice, Summary.
The objective today is to provide a brief overview of SAP Security and to discuss the best practices of PFCG (Profile Generator).

Slide 3: SAP Security Overview: User
Diagram: User ID (e.g. TTSAN) assigned to Security Role 1.
In SAP, a User ID is assigned one or more Security Roles based on the person's Job Role. SAP's documentation calls it a Role, but I prefer to use the term Security Role to differentiate it from Job Role. For those who are using a pre-Profile Generator SAP system, an ID is assigned one or more profiles. Is there anyone here who is still on 3.0? I feel your pain in creating a profile. However, I find that those who have experience with the manual method tend to have a better understanding of how SAP Security works.

Slide 4: SAP Security Overview: Security Role
Diagram: Security Role (e.g. Security Administrator) contains Profile 1, Profile 2, Profile 3.
With the advent of Profile Generator, a Security Role may have one or more Profiles, and each profile may contain up to 150 authorizations.

Slide 5: SAP Security Overview: Profile
Diagram: Profile (contains up to 150 authorizations): Authorization 1, Authorization 2, ..., Authorization 150.
If you create a role that has 450 authorizations, Profile Generator will create 3 profiles.

Slide 6: SAP Security Overview: Authorization Object 1, e.g. S_TCODE
Diagram: Field TCD, Value SU01.
You might wonder what the difference is between an Authorization Object and an Authorization. An AO has one or more fields and is the foundation of all SAP Security program checks. When you add a value or a combination of values to the fields, it becomes an authorization. One AO can be used to create one or more authorizations. For example, S_TCODE has only one field, and therefore you can only create one Standard authorization per Security Role.

Slide 7: SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP
Diagram: Field ACTV, Values 01, 02, 03, 06; Field CLASS, Value customer-defined.
However, S_USR_GRP has two fields. Therefore you may create multiple authorizations using different combinations to satisfy your business requirements.

Slide 8: SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP
Diagram: Field ACTV, Values 01, 02, 06; Field CLASS, Value HOUSTON.
Let's say that you are creating a security helpdesk role that has the ability to create, change and delete only users from the Houston region, plus display access to all users. The first authorization would contain object S_USR_GRP; its Activity field would have 01, 02, 06 and its User Group value would be HOUSTON.

Slide 9: SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP
Diagram: Field ACTV, Value 03; Field CLASS, Value *.
The second authorization using the same object would have 03 for Activity and * for Class. As a result you now have 2 authorizations.

Slide 10: SAP Security Overview: Execute "SU01" (Change User), AUTHORITY-CHECK "Authorization1"
Diagram: Object 1 = "S_TCODE", TCD = "SU01".
Now that we have an understanding of how an ID is linked to a Role, and the Role to Profiles and Authorizations, let's discuss the mechanics of SAP's AUTHORITY-CHECK. When a user logs in to SAP, his authorizations are loaded into the User Buffer. When he executes SU01 to maintain a user, the program performs an AUTHORITY-CHECK against the authorizations in the buffer to see whether they contain the object S_TCODE. If yes, it then checks the field TCD for the value "SU01".

Slide 11: SAP Security Overview: Execute "SU01" (Change User), AUTHORITY-CHECK "Authorization2"
Diagram: Object 2 = "S_USR_GRP", ACTV = "02", CLASS = "HOUSTON".
Then it checks the next authorization, for object S_USR_GRP. Once the program has verified all the necessary authorizations, it allows you to perform the task. Any questions before we discuss the Profile Generator Best Practice?

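The two-step check on the SU01 slides, as an added worked example that is not part of the original presentation and not SAP's own code. It models the user buffer as a list of authorizations and reproduces the rule that matters for the helpdesk role of slides 8 and 9: a check passes only if a single authorization for the object satisfies every field checked, so the values 02 (from the HOUSTON authorization) and * (from the display authorization) cannot be combined. The buffer contents, the prefix-wildcard handling and the helper names are constructed for the illustration.

```python
"""Simplified model of the AUTHORITY-CHECK mechanic on the two SU01 slides.

Constructed illustration, not SAP code: the "user buffer" is a list of
authorizations, and a check passes only if ONE active authorization for the
object satisfies every field/value pair of the check.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Authorization:
    obj: str                     # authorization object, e.g. S_USR_GRP
    fields: Dict[str, Set[str]]  # field name -> set of maintained values
    active: bool = True          # inactivated authorizations are not loaded


def value_allowed(maintained: Set[str], wanted: str) -> bool:
    """SAP-style match: '*' matches anything, 'MM*' matches by prefix, else exact."""
    for v in maintained:
        if v == "*" or v == wanted:
            return True
        if v.endswith("*") and wanted.startswith(v[:-1]):
            return True
    return False


def authority_check(buffer: List[Authorization], obj: str, **check: str) -> bool:
    """True if some single active authorization for obj satisfies all fields checked."""
    for auth in buffer:
        if not auth.active or auth.obj != obj:
            continue
        if all(value_allowed(auth.fields.get(f, set()), v) for f, v in check.items()):
            return True
    return False


# Constructed buffer for the security helpdesk role of slides 8 and 9.
HELPDESK_BUFFER = [
    Authorization("S_TCODE", {"TCD": {"SU01"}}),
    Authorization("S_USR_GRP", {"ACTV": {"01", "02", "06"}, "CLASS": {"HOUSTON"}}),
    Authorization("S_USR_GRP", {"ACTV": {"03"}, "CLASS": {"*"}}),
]


def su01_allowed(buffer: List[Authorization], activity: str, user_group: str) -> bool:
    """The two-step check from slides 10 and 11: S_TCODE first, then S_USR_GRP."""
    if not authority_check(buffer, "S_TCODE", TCD="SU01"):
        return False
    return authority_check(buffer, "S_USR_GRP", ACTV=activity, CLASS=user_group)


if __name__ == "__main__":
    for actv, grp in [("02", "HOUSTON"), ("02", "DALLAS"), ("03", "DALLAS"), ("05", "HOUSTON")]:
        verdict = "allowed" if su01_allowed(HELPDESK_BUFFER, actv, grp) else "denied"
        print(f"SU01 ACTV={actv} CLASS={grp}: {verdict}")
```

Changing a DALLAS user (ACTV=02, CLASS=DALLAS) is denied even though 02 and * are both present in the buffer, because they sit in different authorizations; displaying that user (ACTV=03) passes through the second authorization.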
Slide 12: Profile Generator Transaction
After you assign a tcode to a role from the Menu tab, the first option available is "Change Authorization Data", the little pencil. If this is a new role and the first time you select this option, Profile Generator will retrieve all necessary authorization objects from table USOBT. USOBT is a table that contains all transactions, and each tcode is supposedly associated with the proper AOs and values. If this is not the first time you select this option, PFCG will not reread USOBT and compare its data to your existing authorizations. Therefore this option is the same as "Edit old status".

Slide 13: Profile Generator: Change authorization data
After you assign a tcode to a role from the Menu tab, the first option available is "Change Authorization Data", the little pencil. If this is a new role or you have added additional tcodes to an existing role, using this option causes Profile Generator to retrieve all necessary authorization objects from table USOBT. USOBT is a table that contains all transactions, and each tcode is supposedly associated with the proper AOs and values. If this is not a new role and you have not added any new transaction, this option will not reread USOBT and compare its data to your existing authorizations. Therefore this option is the same as "Edit old status".

Slide 14: Profile Generator: Expert mode for profile generation
The next option is "Expert mode for profile generation", which has three options. I always use this option.

Slide 15: Profile Generator: Delete and recreate profile and authorizations
The first option means that all maintained authorizations will be deleted and Profile Generator will rescan USOBT to create new authorizations.

Slide 16: Profile Generator: Edit old status
This option allows you to maintain the authorizations without rescanning table USOBT. It is the same as "Change Authorization Data".

Slide 17: Profile Generator: Read old status and merge with new data
The last option is "Read old status and merge with new data". I recommend that we ALWAYS use this option unless you need to "Delete and recreate". In the next couple of slides, I will explain why I always use this option.

Slide 18: Missing Organizational Value ($BUKRS)
As you can see, there are several traffic lights. The red light means that your role is missing an org value. Any field whose value begins with $ is an organizational level.

Slide 19: Profile Generator: Organizational Level
Do not make changes directly to that authorization unless you must. Always use the Org. Levels button to maintain the value.

Slide 20: Profile Generator: Missing Customer-Defined Value
The yellow light means that you may define the value based on your business restrictions.

Slide 23: Profile Generator: Authorization Status
STANDARD: SAP Standard value.
MAINTAINED: customer-maintained value.
CHANGED: SAP Standard value modified by the customer.
MANUALLY: manually inserted value.

Slide 24: Profile Generator: Removing Authorization Value
Diagram: S_USR_GRP with values 01, 02, 03, 05, 06, 08, 24.
The default authorization of this role for S_USR_GRP carries 01, 02, 03, 05, 06, 08, 24. Because I only want this role to have 02, 03, 05 and 08, I remove the other values from the SAP Standard authorization. The status then becomes "Changed".

Slide 25: Profile Generator: Removing Authorization Value
Diagram: Status = Changed.
If you use the "Edit old status" option, you will not see the new Standard authorization.

Slide 26: Profile Generator: Common Security Issue, New Authorization
However, if you add a new tcode or happen to use "Read old status and merge", the new Standard authorization comes back. A few Admins I know would inactivate the new one and delete it. The next time they perform "Read old status and merge", it comes back again; this becomes a vicious cycle.

Slide 27: Profile Generator Best Practice: Make a Copy, Inactivate the Original
The best way is to make a copy, inactivate the original, and make the changes to the copy.

Slide 28: Profile Generator Best Practice: Make changes to the copy
If you have both a Standard and a Changed authorization, "Read old status and merge" will not insert a new authorization.

Slide 29: Profile Generator Best Practice: Changed Authorization without Inactive Standard
If you review your authorizations and see a Changed authorization without an inactive Standard, you may delete it.

Slide 30: Profile Generator Best Practice: Double-click to add a comment
If you add an authorization manually, always document why.

Slide 31: Profile Generator: Does making changes to a copied authorization apply to all situations?
Diagram: M_MATE_MAT (01, 02).
The answer is NO. Let's say that you do not want to give 01 for MM: Material. The rule is: if you need to remove a value from an existing Standard like the one above, you must make sure that no transaction is linked to the value you're trying to remove. For example, if you have an object such as M_MATE_MAT with Activity values 01 and 02, and you don't want the users to be able to create, do you remove 01? No, because there is a tcode associated with 01, i.e. MM01. If you remove MM01 from the menu instead, that removes the value 01.

Slide 32: Profile Generator: Where-Used Icon
To find out whether a transaction is linked to a value, click the Where-used icon.

Slide 33: Profile Generator: Where-used, MM01 = 01
This shows that 01 is associated with MM01. When you remove transaction MM01 from the menu, it removes the value. If you do not have that option, because all of S_USR_GRP is controlled by SU01, you would then make a copy. What if you need to add an additional value to S_USR_GRP? First you have to determine whether it is a required SAP value or a customer value. I liken an SAP value to a static value, because no matter who executes SU01 to create a user, the check will always require value 01. As for customer values, I like to call them dynamic values because they vary from user to user. An Admin for the Houston users would need the value H, and so on and so forth.

Slide 34: Profile Generator: Adding Authorization Value
What if you want to add value 03? Again, determine whether there is a transaction that satisfies the required value. Since there are MM01 and MM02, most likely there is MM03. So by adding MM03 you add the value 03.

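The "vicious cycle" of slides 24 to 29 and the where-used rule of slides 31 to 34, as one added worked example that is not part of the original presentation and not SAP's own code. It models, in deliberately simplified form, the behaviour the slides describe: "Read old status and merge with new data" refreshes or re-inserts Standard authorizations from the USOBT proposals of the transactions in the role menu and leaves Changed and Manually maintained authorizations alone. `USOBT_DEFAULTS` is a constructed stand-in for table USOBT, the merge rule is an assumption made for this model, and all function names are the example's own.

```python
"""Constructed model of the PFCG behaviour the slides describe: Standard
authorizations follow the USOBT proposals of the transactions in the role
menu, while Changed and Manually maintained ones are left alone by "Read old
status and merge with new data". Not SAP code; USOBT_DEFAULTS is a small,
constructed stand-in for table USOBT.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass
class Auth:
    obj: str                 # authorization object, e.g. S_USR_GRP
    values: FrozenSet[str]   # values of its (single, for this model) field
    status: str              # "Standard", "Changed" or "Manually"
    active: bool = True
    note: str = ""           # the documented reason the slides ask for


# Constructed stand-in for USOBT: transaction -> {object: proposed values}.
USOBT_DEFAULTS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "SU01": {"S_USR_GRP": frozenset({"01", "02", "03", "05", "06", "08", "24"})},
    "MM01": {"M_MATE_MAT": frozenset({"01"})},
    "MM02": {"M_MATE_MAT": frozenset({"02"})},
    "MM03": {"M_MATE_MAT": frozenset({"03"})},
}


def proposals(tcodes: Iterable[str]) -> Dict[str, FrozenSet[str]]:
    """S_TCODE comes from the menu itself; everything else from USOBT, unioned per object."""
    tcodes = list(tcodes)
    out: Dict[str, FrozenSet[str]] = {"S_TCODE": frozenset(tcodes)}
    for t in tcodes:
        for obj, vals in USOBT_DEFAULTS.get(t, {}).items():
            out[obj] = out.get(obj, frozenset()) | vals
    return out


def where_used(obj: str, value: str) -> List[str]:
    """The Where-used icon: transactions whose USOBT proposal carries this value."""
    return sorted(t for t, objs in USOBT_DEFAULTS.items() if value in objs.get(obj, ()))


def read_old_and_merge(role: List[Auth], tcodes: Iterable[str]) -> List[Auth]:
    """Refresh (or insert) Standard authorizations from the proposals; leave the rest."""
    merged = [Auth(a.obj, a.values, a.status, a.active, a.note) for a in role]
    for obj, vals in proposals(tcodes).items():
        standards = [a for a in merged if a.obj == obj and a.status == "Standard"]
        for a in standards:
            a.values = vals            # refreshed; an inactive Standard stays inactive
        if not standards:
            merged.append(Auth(obj, vals, "Standard"))
    return merged


def edit_standard_in_place(role: List[Auth], obj: str, keep: FrozenSet[str]) -> List[Auth]:
    """Slide 24: removing values from the Standard itself turns it into Changed."""
    return [Auth(a.obj, keep, "Changed", note="edited in place")
            if a.obj == obj and a.status == "Standard" else a for a in role]


def copy_inactivate_and_change(role: List[Auth], obj: str, keep: FrozenSet[str],
                               reason: str) -> List[Auth]:
    """Slides 27-30: copy the Standard, inactivate the original, change the copy, document why."""
    out: List[Auth] = []
    for a in role:
        if a.obj == obj and a.status == "Standard" and a.active:
            out.append(Auth(a.obj, a.values, "Standard", active=False))
            out.append(Auth(a.obj, keep, "Changed", note=reason))
        else:
            out.append(a)
    return out


def active_values(role: List[Auth], obj: str) -> FrozenSet[str]:
    """What the user buffer would actually hold for obj."""
    return frozenset().union(*(a.values for a in role if a.obj == obj and a.active))


def changed_without_inactive_standard(role: List[Auth]) -> List[Auth]:
    """Slide 29: Changed authorizations that have no inactive Standard behind them."""
    return [a for a in role if a.status == "Changed" and not any(
        b.obj == a.obj and b.status == "Standard" and not b.active for b in role)]


def value_removable(menu: Iterable[str], obj: str, value: str) -> bool:
    """Slides 31-33: a value may be dropped only if no menu transaction proposes it."""
    menu = set(menu)
    return not any(t in menu for t in where_used(obj, value))


KEEP = frozenset({"02", "03", "05", "08"})


def vicious_cycle_demo():
    """Active S_USR_GRP values after a re-merge: (edited in place, copy-and-inactivate)."""
    base = read_old_and_merge([], ["SU01"])
    edited = edit_standard_in_place(base, "S_USR_GRP", KEEP)
    copied = copy_inactivate_and_change(base, "S_USR_GRP", KEEP,
                                        "helpdesk: no create/delete (constructed reason)")
    return (active_values(read_old_and_merge(edited, ["SU01"]), "S_USR_GRP"),
            active_values(read_old_and_merge(copied, ["SU01"]), "S_USR_GRP"))


if __name__ == "__main__":
    print("in place vs. copy:", vicious_cycle_demo())
    print("where-used M_MATE_MAT 01:", where_used("M_MATE_MAT", "01"))
```

Running `vicious_cycle_demo()` shows why the copy matters: after an in-place edit the next merge finds no Standard for S_USR_GRP and re-inserts the full default set, so the buffer silently regains 01, 06 and 24; with an inactive Standard kept behind the Changed copy, the merge only refreshes the inactive one and the effective values stay at 02, 03, 05, 08. `where_used` and `value_removable` give the slide 31 answer for M_MATE_MAT: 01 is proposed by MM01, so it cannot be dropped from the Standard while MM01 is in the menu, and dropping MM01 is what removes it.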
Slide 35: Profile Generator: SU53 Errors
What if SU53 indicates that MM01 requires an Activity of 24? Here is where you must determine whether to add it to USOBT or to the authorization.

Slide 36: Profile Generator: Static Value vs. Dynamic Value
Static Value: a value that is required by a transaction no matter who executes it.
Dynamic Value: a customer-defined value such as company code.
To decide what to do, you must determine whether the required value is a Static Value or a Dynamic Value.

Slide 37: Profile Generator: Static Value
Does MM01 always require an Activity of 01? For example, MM01 will always require object M_MATE_MAT to have value 01. Therefore it is a static value.

Slide 38: Profile Generator: Dynamic Value
Company Code values may vary from user to user depending on business restrictions. Because you have the option to restrict which user can update which company code, it is a dynamic value.

Slide 39: Profile Generator: Static Value vs. Dynamic Value
Static Value: add it to USOBT using transaction SU24.
Dynamic Value: add it directly to the authorization or to the Org. Data.

Slide 40: Profile Generator: Reorganize & Generate, Authorization counter = 1
The counter is increased by 1.

Slide 42: Profile Generator: Reorganize & Generate, Authorization counter = 0
The counter is reset to 0.

Slide 43: USOBT and SU24 Overview
To maintain USOBT, use transaction SU24. USOBT is a table that contains all the authorization checks performed by a transaction.

Slide 44: Profile Generator: Summary of Rules and Restrictions
NEVER modify S_TCODE unless the Role is built manually.
Modifying Standard delivered authorizations: only modify one when there is a request to REMOVE an authorization value, and IF AND ONLY IF no other transaction is linked to that value. Otherwise, remove the transaction instead; that removes the value.

Slide 45: Profile Generator: Summary of Rules and Restrictions
Modifying Standard delivered authorizations (cont'd):
Always make a copy of the authorization and make the changes to the copy.
Inactivate the original authorization.
Modify the copied authorization; its status becomes Changed.
Double-click on the description of the authorization to document the reason. The same applies to manually inserted authorizations.

Slide 46: Profile Generator: Summary of Rules and Restrictions
If a Changed authorization exists without an inactivated Standard authorization, delete the Changed authorization.
Bogus SU53 checks most of the time: S_ADMI_FCD (SM02), S_CTS_ADMI, S_LAYO_ALV (023).