Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authorizations in SAP.

Published byElijah Dalton Modified over 8 years ago

Similar presentations

Presentation on theme: "Authorizations in SAP."— Presentation transcript:

1 Authorizations in SAP

2 Agenda Governance, Risk and Compliance SAP Authorization Concept
User Management Role documentation Troubleshooting Tools SAP Standard Compliance Tools

3 Governance, Risk and Compliance
“The relevance of data, or the risk group to which the data belongs, is often unknown. That is why data remains unprotected.“ (SAP Security and Authorizations - SAP Press)

4 Key Risk Areas Insufficient functional separation of tasks
Missing or partially completed documentation Risks not identified, or inadequately identified Authorization design does not meet requirements User Management incomplete No integrated system dedicated to the management of users and authorizations

5 Key Consideration for GRC
Risk strategy Identification of activities that could lead to harm, danger, or loss Governance strategy "In simple terms Governance is the Set of Processes that keeps the organization alive, and regulating the internal information flows and decision processes that ensure that its responses are timely and appropriate“ (Vikas Chauhan, SAP) Compliance strategy “Compliance is the mechanism that makes governance work. It is compliance with the organizations own required procedures that enables management of the risks that endanger the entity. Monitoring and supporting compliance is not just a matter of keeping the regulators happy; it is the way that the organization monitors and maintains its health. “(Vikas Chauhan, SAP)

6 Risk Governance and Compliance
Recognise and analyse vulnerabilities Evaluate data, processes, and systems and need for protection Address differences between actual state and target objectives Definite user authorizations for data, transactions, and systems with segregation of responsibilities Define administrative processes for managing users and authorisations Implement effective change management to provide controlled management of users and authorizations Define monitoring, quality assurance processes and internal controls

7 Defining Authorizations
Establish a reliable authorization plan Define the user roles that allow you to perform specific tasks in the SAP System. Develop a stable and reliable authorization plan. Define procedures for creating and assigning authorizations Ongoing Definition Regularly review the authorization plan to make sure that it continually applies to your needs.

8 SAP authorization Concept

9 Authorization Checks All access in SAP is based on the authorization objects that are assigned to the User who logs on to the system Transactions, reports, data tables, programs and activities are protected by means of authorization checks In many SAP modules, transactions are the fundamental building blocks of the authorization concept. SAP HCM is slightly different, as although transaction provide access to the user interface, data access is controlled via ‘infotypes’ As well as protecting transactions and their data, transactional authorizations also restrict organizational and functional elements Transaction: Create Material Transaction code: MM01 Organizational Restriction: Company Code

10 Technical Information
There is an ABAP program behind every transaction Authorization checks are built into the program code Programmers commonly use the AUTHORITY-CHECK statement which checks a specific authorization object at a specific point in the program. Authorization objects are used to assign authorizations or restrict access to transaction codes, activities and data To successfully run the program a positive result has to be achieved when the program is in use SAP Systems only allow users to execute transactions or programs if they have explicitly defined authorizations for the activity.

11 HR Authorizations HR authorizations are built largely around the ‘infotype’ data concept Infotypes are data storage areas for HR data One transaction potentially gives access to all HR master data (PA30). Unlike other modules, however, access to the transaction does not grant access to the database P_ORGIN – authorizations for HR Master Data in PA P_ORGINCON – context sensitive authorizations for PA data PLOG – authorizations for HR Master Data in PD P_PCLX – authorizations for data stored in clusters P_PERNR – Personnel Number Check

12 Structural Authorisations
Structural Authorizations Assigned to Users in addition to their Role Restrict Users to parts of the Organisation Structure Optional Structural Authorization with Context Required where a user has several roles with the Organisation Example: Time Administrator – updates absence details for own team Training Administrator – updates training records for whole company

13 SAP Role Concept

14 Role Concept The Purpose of Roles
Allow groups of users with similar access rights to be assigned to the same role, Contains screens / transactions and reports in a User Menu Contains authorization objects that relate to data that users are permitted to access The number of Roles defined in an Organisation will depend on: Functionality implemented Segregation of duties requirements Other Governance, Risk and Compliance considerations Examples Payroll Control HR Administrator Financial Controller Audit

15 Combining Roles When creating composite roles, SAP will always give the user the highest authorisation available Example: Role 1: Read only access to Salary Role 2: Maintain access to Salary Result: User has Maintain access to Salary Combining roles can lead to Segregation of Duties issues. Before adding a role to a user, be sure to understand the implications of the combination.

16 Composite Roles Composite roles allow you to group together ‘approved’ role combinations. Administrators can therefore assign role combinations without having to worry about whether this will violate the Organisation’s security policy Assignment of a number of individual roles also results in the user having multiple role menu. Composite Roles can have their own role menus, allowing consolidation / removal of duplicates.

17 Derived Roles The concept of ‘Derived Roles’ allows you to have several variations of the same role A ‘parent’ role is created and ‘child’ roles can then be ‘derived’ from that role with slight variations for ‘Organization level’ objects A common example is for a finance role to be created with several variations at the Company Code Organization level Or An HR role created with several variations at the Personnel Area Organizational level Changed to the parent role are inherited by the child roles, except for Organizational level objects, or objects that have been directly changed in the child role

18 Role Description The description tab should provide a summary of what the Role is used for, and a summary of what access is granted

19 Role Menu The Menu tab shows the transactions that have been allocated to the Role. CAUTION: Adding a transaction here will affect values in the ‘Authorizations’ tab.

20 Role Authorizations The Authorizations tab shows a summary of the Authorization detail for the role, including the Profile Name allocated to the role. Clicking on the icons in the ‘Maintain’ area give access to the authorization detail

21 Authorization Profile
The values in this area are what control access to transactions and data. Authorization objects are divided into Application areas Restrictions are set according to objects and activities

22 User The ‘User’ tab shows all users that have been allocated this role. Note: If users are shown in this tab, and the traffic light shows ‘red’, you must conduct a ‘User Comparison’

23 User Comparison This function runs program PFCG_TIME_DEPENDENCY which ensures that authorization profiles are in alignment with user master records Profiles that are no longer current are removed from the user master records, and the current profiles are entered. User comparison should be carried out If the traffic light on the ‘User Comparison’ button is red. To carry out user comparison, click on the button. You can compare the user master records automatically when you save the role. To do this, choose Utilities -> Settings and choose the option to compare the user master records automatically when you save the role.

24 Structural Authorisations
Assigned to Users in addition to their Role Restrict Users to parts of the Organisation Structure Optional

25 Structural Profile Set-up (Transaction OOSP)

26 Use of Function Modules
Function modules dynamically determines a root object at runtime. No entry needs to be made in the Object ID field in this case. Standard Function Modules: RH_GET_MANAGER_ASSIGNMENT This function module determines as the root object the organizational unit to which the user is assigned as manager via relationship A012 (is manager of). RH_GET_ORG_ASSIGNMENT This function module determines as the root object the organizational unit to which the user is assigned organizationally. Customers can define their own function modules which can dynamically determine the root object.

27 Structural Authorization Profile Maintenance
In the example above, the root object ID is specified as Commonly used objects in Structural Authorisations: O – Organization Unit S – Position P – Person Structural authorizations can be used to control any PD hierarchy i.e. training and events, appraisals etc.

28 Assigning Structural Authorizations (transaction OOSB)

29 User Management

30 User Master Record User Master Record Contains
Required to logon to SAP Contains Password Validity Default settings for date formats, etc. User Parameters Roles Profiles Groups Personalization

31 User Parameters User Parameters
Parameters can be set for users which control default values, screen layout, and sometimes even access in some transactions UGR: HR User Group Controls screen layout, Menu layout, Personnel Actions list CRT: Currency Default currency CAC: Controlling Area Default Controlling Area BUK: Company Code Default Company Code

32 Logon and Password Parameters
All of the following are controlled using system settings: Minimum password length (e.g. minimum 8 characters) Minimum number of digits/letters/special characters in password (e.g. password must contain at least one digit) Password expiry time (e.g. 30 days) Rules for unsuccessful logon attempts (e.g. lock-out after 3 failed attempts) Impermissible passwords (e.g. ‘password’) Password re-use (e.g. cannot re-use the last five passwords) Validity of new passwords Validity of reset passwords

33 Rules for Users Logging off Inactive Users
There are logout settings against each SAP system e.g. SAP R/3 Portal Solution Manager There area also logout settings for individual services

34 Special Users in SAP What are Special Users? Why use Special Users?
Special users are used to allow a greater level of system This may be due to a specific trouble-shooting requirement that requires more access that would normally be granted May be needed to suspend normal segregation of duties under exceptional circumstances Why use Special Users? Allocation of Special users can be closely time controlled Easier to track / audit use of special users than to track the addition of authorisation rights to an existing user

35 SAP_ALL SAP_ALL is not a role, it is a Authorization Profile
No ‘normal’ user should have SAP_ALL in a Production environment. Roles with similar access to ‘SAP_ALL’ are commonly created for ‘special’ users that can be allocated in emergencies

36 SAP_NEW SAP_NEW, like SAP_ALL, is an Authorization Profile rather than a role A new SAP_NEW profile is provided for each release Contains full authorization for any new authorisation check introduced by SAP in the upgrade Commonly assigned to all users after upgrade to ensure that new functionality can be accessed Ideally, however, the authorisations contained in the SAP_NEW single profile should be distributed to roles and profiles that are used productively Once new authorization objects have been distributed, the profile assignment for SAP_NEW and the SAP_NEW profile can be deleted

37 Role Assignment Direct Assignment Role assigned to User ID
Changes are manual Indirect Assignment Role assigned to position, job or organisation unit Changes are automatic

38 Indirect Role Assignment I
Roles are assigned to positions or ‘Jobs’ using infotype 1001 relationship: Position / Job > is described by > Role (object type AG) Structural Authorisations are assigned to positions or ‘Jobs’ using the ‘PD Profiles’ infotype (infotype 1017) Program RHPROFL0 assigns roles to individuals according to the position that a user occupies (scheduled background job). Result: The user receives authorisations according to the position they occupy.

39 Indirect Role Assignment II
New Hire / Org Reassignment User Name (infotype 0105) Position / Job Assignment Details Role Structural Authorisation Person Program RHPROFL0 User name Position / job and role assignments

40 RHPROFL0

41 Role Documentation

42 Role Definition The first step in the process is to define the different business roles within the Organisation. These business roles will help define the system access required Examples: Financial Controller HR Administrator Payroll Manager Each of these roles will have different system access and segregation of duties requirements Roles will also be required for implementation and for support SAP System Administrator User/Role Administrator Emergency Access

43 Role Definition Document (RDD)
Each role requires a written description of the activities & functions that users with this role will perform. This should contain: Owners Purpose and business processes Included access and specific exclusions Sign-off The document should be non-technical to allow end users to understand the purpose of the role and the access that it grants. The document should give the information necessary for the technical build, role testing and role assignment Documents should be version controlled to allow role changes to be tracked

44 Role Definition – Technical Detail
Authorisation Object Access e.g. spool list, batch input Role Menu / Transaction Access Infotype Access e.g. read only, maintain Organization Object Access e.g. Company Code, Personnel Area, Employee Group

45 SAP Troubleshooting tools

46 SU53 Standard mechanism for investigating authorization failures
An administrator can run the transaction for any user Output will usually show which authorization object caused the failure Limitations: Shows the most recent authorization check, so must be run immediately after the authorization failure Only shows the authorization object that caused the failure. Does not show all the authorizations that would have failed, so it can be laborious working through failures one by one Can give misleading results, depending on the type of failure

47 ST01 Trace Setting the Trace
Restrict the trace to ‘Authorization Check’ Add a filter to restrict the trace to a specific user Click on the ‘Trace On’ button Click on ‘Trace off’ when the trace is completed (the system trace affects system performance) Trace Analysis Ensure that the ‘From’ and ‘To’ fields encompass the time that the activity was carried out

48 Trace Display Detail In the example, authorization object S_CTS_ADMI was checked. RC=0 indicates that the return code was 0 i.e. the authorization check was successful If the RC value is any value other than 0, the authorization check was unsuccessful i.e. the user did not have the necessary authorizations to carry out the activity

49 Transaction SUIM

50 Role Comparison (RSRUSR050)

51 SAP Standard Compliance tools
51

52 Critical Authorizations

53 Maintaining Rules Maintain critical authorizations
If you enter a transaction name, the values of the authorization object entered in transaction maintenance are automatically transferred to the authorization data of the selected ID Maintain Critical Combinations Enter critical combinations of the authorizations you have defined in the ‘critical authorizations’ area

54 Running the Report The result lists differ depending on the type of the selection variant: For Critical Authorizations The selected users are grouped by the IDs of critical authorizations. To check which critical data is represented by an ID, click on the name of the ID. To analyze the authorization data of a user master record, select the user by double-clicking it. You can use the Profiles and Roles buttons to display lists of profiles and roles assigned to the selected users. For Critical Combinations The selected users are grouped by critical combinations. If you select a combination name, the corresponding critical data is displayed. The other functions correspond to those for critical authorizations.

Download ppt "Authorizations in SAP."

Similar presentations

Radiopharmaceutical Production

Radiopharmaceutical Production
Creating and Submitting a Necessary Wayleave Application

Creating and Submitting a Necessary Wayleave Application
GALVESTON COUNTY, TX P-CARD TRAINING GALVESTON COUNTY.

GALVESTON COUNTY, TX P-CARD TRAINING GALVESTON COUNTY.
Software Quality Assurance Plan

Software Quality Assurance Plan
Understand Database Security Concepts

Understand Database Security Concepts
Introduction to the ABAP Data Dictionary

Introduction to the ABAP Data Dictionary
Monitoring Security With Standard SAP Tools Session Code 805 Sandi McKinney.

Monitoring Security With Standard SAP Tools Session Code 805 Sandi McKinney.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
SAP Basics for Auditing Change Management and Security September 8, 2014 Presenter: Linda Yates Consultant, Risk Advisory Services.

SAP Basics for Auditing Change Management and Security September 8, 2014 Presenter: Linda Yates Consultant, Risk Advisory Services.
10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
 SAP AG CSU Chico 102/14/981SAP Security Lecture MINS 298C SAP Configuration & Use: Security Copyright 1996, 1997, 1998- James R. Mensching, Gail Corbitt.

 SAP AG CSU Chico 102/14/981SAP Security Lecture MINS 298C SAP Configuration & Use: Security Copyright 1996, 1997, James R. Mensching, Gail Corbitt.
Chapter 9 Describing Process Specifications and Structured Decisions

Chapter 9 Describing Process Specifications and Structured Decisions
Chapter 3: System design. System design Creating system components Three primary components – designing data structure and content – create software –

Chapter 3: System design. System design Creating system components Three primary components – designing data structure and content – create software –
Physical design. Stage 6 - Physical Design Retrieve the target physical environment Create physical data design Create function component implementation.

Physical design. Stage 6 - Physical Design Retrieve the target physical environment Create physical data design Create function component implementation.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Service Definer Roles NHS e-Referral Service

Service Definer Roles NHS e-Referral Service
SAP An Introduction October 2012.

SAP An Introduction October 2012.
Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.

Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

Similar presentations

Ads by Google