How to Properly Maintain Security using Profile Generator


1 How to Properly Maintain Security using Profile Generator

2 Objective
Agenda: SAP Security Overview; Profile Generator Best Practice; Summary. The objective today is to provide a brief overview of SAP Security and to discuss the best practice of PFCG.

3 SAP Security Overview: User ID (e.g. TTSAN) and Security Role
In SAP, a User ID is assigned one or more Security Roles based on the person's Job Role. SAP's documentation calls it a Role, but I prefer the term Security Role to differentiate it from Job Role. For those who are using a pre-Profile Generator SAP system, an ID is assigned one or more Profiles. Is there anyone here who is still on 3.0? I feel your pain in creating a profile. However, I find that those who have experience with the manual method tend to have a better understanding of how SAP Security works.

4 SAP Security Overview: Security Role (e.g. Security Administrator) contains Profile 1, Profile 2, Profile 3
With the advent of Profile Generator, a Security Role may have one or more Profiles, and each Profile may contain up to 150 authorizations.

5 SAP Security Overview: Profile (contains up to 150 Authorizations: Authorization1, Authorization2, ... Authorization150)
If you create a role that has 450 authorizations, Profile Generator will create 3 profiles.

6 SAP Security Overview: Authorization Object 1, e.g. S_TCODE (Field TCD, Value SU01)
You might wonder what the difference is between an Authorization Object and an Authorization. An AO has one or more fields and is the foundation of all SAP Security program checks. When you add a value or a combination of values to its fields, it becomes an authorization. One AO can be used to create one or more authorizations. For example, S_TCODE has only one field, and therefore you can only create one Standard authorization per Security Role.

7 SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP (Field ACTV, Value 01, 02, 03, 06; Field CLASS, Value customer-defined)
However, S_USR_GRP has two fields. Therefore you may create multiple authorizations using different combinations to satisfy your business requirement.

8 SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP (Field ACTV, Value 01, 02, 06; Field CLASS, Value HOUSTON)
Let's say that you are creating a security helpdesk role that has the ability to create, change, and delete only users from the Houston region, plus display access to all users. The first authorization would contain object S_USR_GRP; its Activity field would have 01, 02, 06 and its User Group value would be HOUSTON.

9 SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP (Field ACTV, Value 03; Field CLASS, Value *)
The second authorization, using the same object, would have 03 for Activity and * for Class. As a result you now have 2 authorizations.

10 SAP Security Overview: Execute "SU01" – Change User; AUTHORITY-CHECK "Authorization1": Object 1 = "S_TCODE", TCD = "SU01"
Now that we have an understanding of how an ID is linked to a Role and the Role to Profiles and Authorizations, let's discuss the mechanics of SAP's Authority-Check. When a user logs in to SAP, his authorizations are loaded into the User Buffer. When he executes SU01 to maintain a user, the program performs an Authority-Check against the authorizations in the buffer to see if they contain the object S_TCODE. If yes, it then performs the next check against the field TCD for the value "SU01".

11 SAP Security Overview: Execute "SU01" – Change User; AUTHORITY-CHECK "Authorization2": Object 2 = "S_USR_GRP", ACTV = "02", CLASS = "HOUSTON"
Then it checks the next authorization, for object S_USR_GRP. Once the program has verified all the necessary authorizations, it will allow you to perform the task. Any questions before we discuss the Profile Generator Best Practice?
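The following is an added example, not part of the presentation, that models the two checks described in slides 10 and 11 against a user buffer built from the helpdesk role of slides 8 and 9. The buffer contents, the user group names and the helper names are constructed; the matching rules modelled are exact value, the full wildcard `*` and a trailing `*` as prefix pattern (SAP value ranges are left out).

```python
# Added example (not from the presentation): a minimal model of how SAP's
# AUTHORITY-CHECK evaluates the authorizations in the user buffer.
# Buffer contents, group names and helper names are constructed for illustration.
from typing import List

def value_matches(allowed: str, requested: str) -> bool:
    """SAP single-value matching: exact value, '*' for everything,
    or a trailing '*' used as a prefix pattern (e.g. 'HOU*')."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return requested.startswith(allowed[:-1])
    return allowed == requested

def authority_check(buffer: List[dict], obj: str, **fields: str) -> bool:
    """True if ONE authorization for `obj` satisfies EVERY requested field.
    Values from two different authorizations are never combined, which is
    why the helpdesk role needs two separate S_USR_GRP authorizations."""
    for auth in buffer:
        if auth["object"] != obj:
            continue
        if all(any(value_matches(v, fields[f]) for v in auth["fields"].get(f, []))
               for f in fields):
            return True
    return False

# Constructed user buffer for the helpdesk role: S_TCODE for SU01 plus the
# two S_USR_GRP authorizations from slides 8 and 9.
HELPDESK_BUFFER: List[dict] = [
    {"object": "S_TCODE",   "fields": {"TCD": ["SU01"]}},
    {"object": "S_USR_GRP", "fields": {"ACTV": ["01", "02", "06"], "CLASS": ["HOUSTON"]}},
    {"object": "S_USR_GRP", "fields": {"ACTV": ["03"], "CLASS": ["*"]}},
]

def can_run_su01(buffer: List[dict], activity: str, user_group: str) -> bool:
    """The two checks from slides 10 and 11: first S_TCODE, then S_USR_GRP."""
    return (authority_check(buffer, "S_TCODE", TCD="SU01")
            and authority_check(buffer, "S_USR_GRP", ACTV=activity, CLASS=user_group))

if __name__ == "__main__":
    print(can_run_su01(HELPDESK_BUFFER, "02", "HOUSTON"))  # True: change a Houston user
    print(can_run_su01(HELPDESK_BUFFER, "02", "DALLAS"))   # False: change outside Houston
    print(can_run_su01(HELPDESK_BUFFER, "03", "DALLAS"))   # True: display any user
```

Collapsing the two S_USR_GRP entries into one with ACTV 01, 02, 03, 06 and CLASS * would make the second call return True, which is exactly the over-grant the two-authorization design avoids.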

12 Profile Generator Transaction
After you assign a tcode to a role from the Menu tab, the first option available is "Change Authorization Data", the little pencil. If this is a new role and also the first time you select this option, Profile Generator will retrieve all necessary authorization objects from the USOBT table. USOBT is a table that contains all transactions, and each tcode is supposedly associated with the proper AOs and values. If this is not the first time you select this option, PFCG will not reread and compare data from the USOBT table against your existing authorizations. Therefore this option is the same as "Edit old status".

13 Profile Generator: Change authorization data
After you assign a tcode to a role from the Menu tab, the first option available is "Change Authorization Data", the little pencil. If this is a new role or you have added additional tcodes to an existing role, using this option will cause Profile Generator to retrieve all necessary authorization objects from the USOBT table. USOBT is a table that contains all transactions, and each tcode is supposedly associated with the proper AOs and values. If this is not a new role and you have not added any new transactions, this option will not reread and compare data from the USOBT table against your existing authorizations. Therefore this option is the same as "Edit old status".

14 Profile Generator: Expert mode for profile generation
The next option is "Expert mode for profile generation", which has three options. I always use this option.

15 Profile Generator: Delete and recreate profile and authorizations
The first option means that all maintained authorizations will be deleted and Profile Generator will rescan USOBT to create new authorizations.

16 Profile Generator: Edit old status
This option allows you to maintain the authorizations without rescanning the USOBT table. It is the same as "Change Authorization Data".

17 Profile Generator: Read old status and merge with new data
The last option is "Read old status and merge with new data". I recommend that we ALWAYS use this option unless you need to "Delete and recreate". In the next couple of slides, I will explain why I always use this option.

18 SAP Security Overview: Missing Organization Value ($BUKRS)
As you can see, there are several traffic lights. The red light means that your role is missing an org value. Any field whose value begins with $ is an org value.

19 Profile Generator: Organizational Level
Do not make changes directly to that authorization unless you must. Always use the Org. Level button to maintain your value.

20 Profile Generator: Missing Customer Define Value
The yellow light means that you may define a value based on your business restriction.

21 Profile Generator: No open field

22 Profile Generator: Authorization Status

23 Profile Generator: Authorization Status
STANDARD – SAP Standard Value
MAINTAINED – Customer Maintained Value
CHANGED – SAP Standard Value maintained by Customer
MANUALLY – Manually inserted Value

24 Profile Generator: Removing Authorization Value
The default authorization of this role is S_USR_GRP with Activity 01, 02, 03, 05, 06, 08, 24. Because I only want this role to have 02, 03, 05, and 08, I remove the other values from the SAP Standard authorization. The status would then become "Changed".

25 Profile Generator: Removing Authorization Value (Status = Changed)
If you use the "Edit old status" option, you would not see a new Standard authorization.

26 Profile Generator: Common Security Issue – New Authorization
However, if you add a new tcode or happen to use "Read old and Merge", the new Standard authorization would come back. A few admins I know would set the new one inactive and delete it. The next time they perform "Read old and Merge", it comes back again; this becomes a vicious cycle.

27 Profile Generator Best Practice: Make a Copy, Inactivate the Original
The best way is to make a copy, inactivate the original, and make your changes to the copy.

28 Profile Generator Best Practice: Make changes to the copy
If you have a Standard and a Changed authorization, "Read old and Merge" will not insert a new authorization.

29 Profile Generator Best Practice: Changed Authorization without Inactive Standard
If you review your authorizations and see a Changed authorization without an inactive Standard, you may delete it.
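The following is an added example, not part of the presentation, that models the merge behaviour slides 24 through 29 describe: a Changed authorization alone lets "Read old and Merge" bring the Standard back, while an inactive Standard beside the Changed copy does not. It is an illustration of the stated rule, not PFCG's own algorithm; the USOBT default, the role contents and the helper names are constructed.

```python
# Added example (not from the presentation): a small model of the rule the
# slides describe for "Read old status and merge with new data". This is an
# illustration of that rule, not PFCG's internal algorithm; data is constructed.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Auth:
    obj: str
    values: Tuple[str, ...]   # Activity values, enough for this example
    status: str               # "STANDARD", "CHANGED" or "MANUALLY"
    active: bool = True

def read_old_and_merge(role: List[Auth], usobt_defaults: List[Auth]) -> List[Auth]:
    """Re-insert a Standard authorization for each USOBT default unless the
    role already carries that default as a STANDARD authorization, active or
    inactive. A CHANGED authorization alone does not count (slide 26)."""
    merged = list(role)
    for default in usobt_defaults:
        already_there = any(a.obj == default.obj and a.values == default.values
                            and a.status == "STANDARD" for a in merged)
        if not already_there:
            merged.append(Auth(default.obj, default.values, "STANDARD"))
    return merged

def orphan_changed(role: List[Auth]) -> List[Auth]:
    """Changed authorizations with no inactive Standard for the same object;
    slide 29 says these may be deleted."""
    return [a for a in role if a.status == "CHANGED" and not any(
        s.obj == a.obj and s.status == "STANDARD" and not s.active for s in role)]

# Constructed USOBT default for S_USR_GRP (values from slide 24) and the subset wanted.
USOBT_DEFAULT = Auth("S_USR_GRP", ("01", "02", "03", "05", "06", "08", "24"), "STANDARD")
WANTED = ("02", "03", "05", "08")

# Wrong way (slide 24): edit the Standard authorization in place -> status CHANGED.
direct_edit = [Auth("S_USR_GRP", WANTED, "CHANGED")]
# Best practice (slide 27): copy, inactivate the original, change the copy.
best_practice = [Auth("S_USR_GRP", USOBT_DEFAULT.values, "STANDARD", active=False),
                 Auth("S_USR_GRP", WANTED, "CHANGED")]

if __name__ == "__main__":
    print(len(read_old_and_merge(direct_edit, [USOBT_DEFAULT])))    # 2: the default came back
    print(len(read_old_and_merge(best_practice, [USOBT_DEFAULT])))  # 2: nothing new inserted
    print([a.values for a in orphan_changed(direct_edit)])          # flagged for deletion
```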

30 Profile Generator Best Practice: Double-click to add comment
If you add an authorization manually, always document why.

31 Profile Generator: Does making changes to a Copied Authorization apply to all situations?
M_MATE_MAT (01, 02). The answer is NO. Let's say that you do not want to give 01 for MM: Material. The rule is: if you need to remove a value from an existing Standard authorization like the one above, you must make sure that there is no transaction linked to the value you're trying to remove. For example, if you have an object that controls Material Movement type, M_MATE_STA, with Activity values 01, 02, and you don't want them to have the ability to create, do you remove it? No, because there's a tcode associated with 01, i.e. MM01. If you remove MM01, that removes the value 01.

32 Profile Generator: Where-Used Icon
To find out whether a transaction is behind a value, click the Where-used icon to see if there's a tcode associated with that value.

33 Profile Generator: Where-used (MM01 = 01)
This shows that 01 is associated with MM01. When you remove transaction MM01 from the menu, it will remove the value. If you do not have that option, because all of S_USR_GRP is controlled by SU01, you would then make a copy. What if you need to add an additional value to S_USR_GRP? First you have to determine whether it's a required SAP value or a customer value. I liken an SAP value to a static value because, no matter who executes SU01 to create a user, the check would always require you to have value 01. As for a customer value, I like to call it a dynamic value because it varies from user to user. An admin for the Houston users would need the value H, and so on and so forth.

34 Profile Generator: Adding Authorization Value
What if you want to add value 03? Again, determine whether there's a transaction that satisfies the required value. Since there are MM01 and MM02, most likely there's MM03. So by adding MM03 you add the value 03.

35 Profile Generator: SU53 Errors – What if SU53 indicates that MM01 requires an Activity of 24?
Here is where you must determine whether to add it to USOBT or to the Authorization.

36 Profile Generator: Static Value vs. Dynamic Value
Static Value – a value that is required by a transaction no matter who executes it. Dynamic Value – a customer-defined value such as company code. To decide what to do, you must determine whether the required value is a Static Value or a Dynamic Value.

37 Profile Generator: Static Value – MM01 always requires an Activity of 01?
For example, MM01 will always require object M_MATE_MAT to have value 01. Therefore it's a static value.

38 Profile Generator: Dynamic Value
A Company Code value may vary from user to user depending on business restrictions. Because you have the option to restrict which user can update which company code, it is a dynamic value.

39 Profile Generator: Static Value vs. Dynamic Value
Static Value – add to USOBT using transaction SU24. Dynamic Value – add directly to the Authorization or Org. Data.

40 Profile Generator: Reorganize & Generate – Authorization counter = 1
The counter is increased by 1.

41 Profile Generator: Reorganize & Generate – Reorganize

42 Profile Generator: Reorganize & Generate – Authorization counter = 0
The counter is reset to 0.

43 USOBT – SU24 Overview
To maintain USOBT, use transaction SU24. USOBT is a table that contains all the authorization checks against a transaction.

44 Profile Generator: Summary of Rules and Restrictions
NEVER modify S_TCODE unless the Role is built manually. Modify Standard delivered authorizations only when there's a request to REMOVE an authorization, and IF AND ONLY IF no other transaction is linked to that value. Otherwise, removing the transaction will remove the value.

45 Profile Generator: Summary of Rules and Restrictions
Modify Standard delivered authorization (cont'd): Always make a copy of the authorization and make your changes there. Inactivate the original authorization. Modify the copied authorization; its status becomes Changed. Double-click on the description of the authorization to document the reason. The same applies to manually inserted authorizations.

46 Profile Generator: Summary of Rules and Restrictions
If a Changed authorization exists without an inactivated Standard authorization, delete the Changed authorization. Bogus SU53 checks, most of the time: S_ADMI_FCD (SM02), S_CTS_ADMI, S_LAYO_ALV (023).

47 Profile Generator Question?

48 Contact Information: Thomas Tsan, SAP Security Architect, TK Consultants, Inc. Phone: (281)

49 Thank you for attending!
Please remember to complete and return your evaluation form following this session. Session Code: [801]

