Security (Part-1) :-
We have two parts of security:
I. User administration
II. Role administration (the roles of a particular user)
Create / Change / Delete -> any one role has to be given to a user.
User Types :-
User administration (SU10)
This is used for the creation of user accounts and for other functions besides creation: change, delete, display, copy, lock/unlock and password reset.
The most common tickets
1. creation/deletion of user accounts
2. locking and unlocking accounts
3. password reset
Note: the user naming convention should be alphanumeric; the first character should be in the beginning.
Steps to create User Accounts
1. Enter the user ID and press the Create button.
2. In the Address tab the only field we need to fill in is LAST NAME.
3. In the Logon Data tab, User Type: by default Dialog (A).
• With user type Dialog we can log on to the SAP system.
• To create a user we need to maintain the validity of the user.
• For a permanent user the valid-through date is 31-12-9999; for Temp and Contract users the valid-through date will be given in the ticket.
• Any request in security should have approval from a manager.
• By default the approval comes in the form of an e-mail; in some cases a third-party tool is used, which can contain an approval form, for example BSSR (Business Security Service Request).
• The default user group is SUPER. Based on the region or department we assign the user groups.
UID Mgr ID:
UName Mgr Dept:
Default Language: ENG & GER
Decimal Notation: is divided into 2 parts
2) Rest of the world.
Default Date Format: DD-MM-YYYY
Output Device: by default it will be empty.
By default, parameter values are assigned based on the roles.
Eg: ESS roles, i.e. those related to time sheets.
Roles tab: this is where we assign the roles.
Note: always assign the role first and not the profile. Every role by default has its own system-defined profile.
We can set the role validity from/to; the default end date is 31-12-9999.
Do not enter any profile directly; instead it will be pulled in automatically once the role is assigned in the Roles tab.
Already maintained in Logon Data
Set of Transaction Codes to work
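The SU01 walkthrough above is really a checklist that an administrator applies to every creation ticket before touching the system. The following is an added example (not part of the original notes) that encodes those rules as a pre-check: last name mandatory, manager approval present, permanent users valid through 31-12-9999, temp/contract users take the valid-through date from the ticket, the user group defaults to SUPER, and roles rather than profiles are assigned. The ticket field names (`employment`, `approved_by`, and so on) and all sample values are assumptions constructed for the example.

```python
"""Pre-check of a user-creation ticket before it is actioned in SU01.

Added example, not from the original notes. Ticket field names and all
sample values are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

PERMANENT_END = date(9999, 12, 31)    # 31-12-9999 in the notes' DD-MM-YYYY format
DEFAULT_USER_GROUP = "SUPER"
DIALOG = "A"                          # user type Dialog, the default in Logon Data


@dataclass
class UserRequest:
    user_id: str
    last_name: str
    employment: str                   # "permanent", "temp" or "contract" (assumed ticket field)
    approved_by: str                  # approving manager, from e-mail or BSSR form
    user_type: str = DIALOG
    valid_to: Optional[date] = None   # DD-MM-YYYY in the ticket, parsed by the caller
    user_group: Optional[str] = None
    roles: List[str] = field(default_factory=list)
    profiles: List[str] = field(default_factory=list)


def valid_user_id(uid: str) -> bool:
    """Naming convention from the notes: alphanumeric only (assumption: no separators)."""
    return bool(uid) and uid.isalnum()


def check_request(req: UserRequest) -> Tuple[bool, List[str], Optional[date], str]:
    """Return (ok, findings, valid_to to enter in Logon Data, user group to enter)."""
    findings = []
    valid_to = req.valid_to

    if not valid_user_id(req.user_id):
        findings.append("user id must be alphanumeric")
    if not req.last_name.strip():
        findings.append("LAST NAME is mandatory in the Address tab")
    if not req.approved_by.strip():
        findings.append("no manager approval attached to the request")
    if req.user_type != DIALOG:
        findings.append("non-Dialog user type requested; confirm, since only Dialog users log on")

    if req.employment == "permanent":
        if valid_to is None:
            valid_to = PERMANENT_END            # fill in the standard end date
        elif valid_to != PERMANENT_END:
            findings.append("permanent users are valid through 31-12-9999")
    elif req.employment in ("temp", "contract"):
        if valid_to is None:
            findings.append("temp/contract users need the valid-through date from the ticket")
    else:
        findings.append(f"unknown employment type {req.employment!r}")

    if req.profiles:
        findings.append("do not enter profiles directly; assign roles and let the profile be pulled")
    if not req.roles:
        findings.append("at least one role must be assigned in the Roles tab")

    return (not findings), findings, valid_to, req.user_group or DEFAULT_USER_GROUP


if __name__ == "__main__":
    # constructed sample ticket
    ticket = UserRequest("JDOE1", "Doe", "permanent", "manager@example.invalid",
                         roles=["Z_MM_DISPLAY_1000"])
    print(check_request(ticket))
```

The function returns the normalised values (end date, user group) alongside the findings so that a clean ticket can be keyed into SU01 exactly as checked; any finding means the ticket goes back to the requester rather than being actioned.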
Main T-Codes :-
LICENSE – User License
PFCG – Role administration
SU10 – Mass user administration
SE16 – Table view
SUIM – User info management
SU24 – Maintain authorization checks
EWZ5 – Mass lock and unlock
SU53 – Missing authorization error
ST01 – System trace/authorization trace
Basic Terminology of Authorization
Overview of elements of SAP Authorization Concept
Authorization Object Class: Logical grouping of authorization objects
Authorization Object: A group of 1-10 authorization fields that together form an object.
Authorization Field: The smallest unit against which a check is run.
Authorization: An instance of an authorization object i.e. a combination of allowed values for each Authorization field of an Authorization object.
Authorization Profile: Contains instances (Auth) for different Auth objects.
Role: Is generated using the Profile Generator (PFCG), which allows automatic generation of an authorization profile.
Note: A role describes activities of a user.
User / User Master Record: This is used for logging on to the SAP system and grants restricted access to functions and objects of the SAP system based on SAP profiles.
Authorization and authorization profiles are customizing objects.
Authorization classes, objects and fields are development objects.
Q) Where are all possible activities stored?
A) In the table TACT
Q) Where are the valid activities for each authorization object stored?
A) In the table TACTZ
Q) How do I identify pre-defined roles and what is their use?
A) Pre-defined roles begin with the prefix “SAP_”. These roles are used as templates for creating customized roles.
Q) Can we assign pre-defined roles to a user? If so, how?
A) No, never assign a pre-defined role directly to a user. If you need it, first make a copy of the pre-defined role and then assign the user to the copy.
Q) Is a role without Auth-profile considered as complete or not?
Q) What are the types of roles?
A) Roles are of 2 types: 1) Parent Role 2) Derived / Base Role
Q) What is the relationship between parent and derived roles?
A) In the parent role we maintain the list of transaction codes, whereas in the derived role we assign the parent role name, so that an inheritance hierarchy is maintained and the transactions are automatically pulled into the derived role.
Note: As per SAP recommendations, never generate a parent role. Always generate the derived roles and maintain the field values as well as the organizational values in the derived roles only.
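To make the chain from the terminology section concrete (authorization object -> authorization with allowed values per field -> profile -> role -> user) and to show why the derived role rather than its parent is generated, here is an added example in Python. It is a toy model written for these notes, not SAP code: S_TCODE (field TCD) and S_USER_GRP (fields CLASS, ACTVT) are real SAP authorization objects, while Z_PLANT, the role names, the users and every value are constructed. The check semantics modelled (one authorization instance must satisfy all fields of the object; values may be a literal, `*`, a trailing-wildcard pattern or a from-to range) follow the general behaviour of an SAP authority check, simplified.

```python
"""Toy model of the SAP authorization concept in these notes (added example, not SAP code).

Object -> authorization (allowed values per field) -> profile -> role -> user, plus
parent/derived roles: the derived role inherits the parent's transaction list and
supplies its own organisational values. S_TCODE (TCD) and S_USER_GRP (CLASS, ACTVT)
are real SAP objects; Z_PLANT, the role names, the users and all values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ORG = "$ORG"   # organisational-level placeholder, filled per derived role at generation

@dataclass(frozen=True)
class AuthObject:
    name: str
    fields: Tuple[str, ...]   # an object groups 1 to 10 fields

S_TCODE = AuthObject("S_TCODE", ("TCD",))
S_USER_GRP = AuthObject("S_USER_GRP", ("CLASS", "ACTVT"))
Z_PLANT = AuthObject("Z_PLANT", ("WERKS", "ACTVT"))   # constructed custom object

def _match(allowed, value: str) -> bool:
    """One allowed entry vs one requested value: (low, high) range, '*', 'Z*' or literal."""
    if isinstance(allowed, tuple):
        return allowed[0] <= value <= allowed[1]
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return value.startswith(allowed[:-1])
    return allowed == value

@dataclass
class Authorization:
    """Instance of an object: the allowed values for each of its fields."""
    obj: AuthObject
    values: Dict[str, List]
    def permits(self, wanted: Dict[str, str]) -> bool:
        # Every field of the object must be satisfied by this single instance.
        return all(any(_match(a, wanted.get(f, "")) for a in self.values.get(f, []))
                   for f in self.obj.fields)

@dataclass
class Role:
    name: str
    tcodes: List[str] = field(default_factory=list)
    auth_data: List[Authorization] = field(default_factory=list)   # may hold ORG placeholders
    org_levels: Dict[str, List] = field(default_factory=dict)     # e.g. {"WERKS": ["1000"]}
    parent: Optional["Role"] = None
    def effective_tcodes(self) -> List[str]:
        # A derived role pulls its transactions from the parent, never from its own list.
        return self.parent.effective_tcodes() if self.parent else list(self.tcodes)
    def effective_auth_data(self) -> List[Authorization]:
        return self.parent.effective_auth_data() if self.parent else list(self.auth_data)

def generate_profile(role: Role) -> List[Authorization]:
    """PFCG-style generation: fill org levels from the role, add S_TCODE for its menu."""
    profile = []
    for a in role.effective_auth_data():
        resolved = {}
        for f, vals in a.values.items():
            if vals == [ORG]:
                if f not in role.org_levels:   # a parent role has none: never generate it
                    raise ValueError(f"{role.name}: org level {f} not maintained")
                resolved[f] = list(role.org_levels[f])
            else:
                resolved[f] = list(vals)
        profile.append(Authorization(a.obj, resolved))
    profile.append(Authorization(S_TCODE, {"TCD": role.effective_tcodes()}))
    return profile

@dataclass
class User:
    name: str
    roles: List[Role] = field(default_factory=list)   # roles only; profiles are pulled from them

def authority_check(user: User, obj: AuthObject, **wanted: str) -> bool:
    """True if some authorization in some generated profile of the user permits all values."""
    return any(a.obj == obj and a.permits(wanted)
               for r in user.roles for a in generate_profile(r))

# Constructed sample: one parent (template) role and two derived roles for different plants.
PARENT = Role("Z_MM_DISPLAY", tcodes=["MM03", "SU01"],
              auth_data=[Authorization(Z_PLANT, {"WERKS": [ORG], "ACTVT": ["03"]}),
                         Authorization(S_USER_GRP, {"CLASS": ["Z*"], "ACTVT": ["03"]})])
PLANT_1000 = Role("Z_MM_DISPLAY_1000", parent=PARENT, org_levels={"WERKS": ["1000"]})
PLANT_2000 = Role("Z_MM_DISPLAY_2000", parent=PARENT, org_levels={"WERKS": [("2000", "2999")]})

def demo() -> Dict[str, bool]:
    alice = User("ALICE", roles=[PLANT_1000])
    try:
        generate_profile(PARENT)
        parent_generated = True
    except ValueError:
        parent_generated = False
    return {
        "tcode_mm03": authority_check(alice, S_TCODE, TCD="MM03"),
        "plant_1000_display": authority_check(alice, Z_PLANT, WERKS="1000", ACTVT="03"),
        "plant_1000_change": authority_check(alice, Z_PLANT, WERKS="1000", ACTVT="02"),
        "plant_2000_display": authority_check(alice, Z_PLANT, WERKS="2000", ACTVT="03"),
        "zgroup_display": authority_check(alice, S_USER_GRP, CLASS="ZHR", ACTVT="03"),
        "super_display": authority_check(alice, S_USER_GRP, CLASS="SUPER", ACTVT="03"),
        "parent_generated": parent_generated,
    }
```

Running `demo()` shows the points the notes make: ALICE gets MM03 through S_TCODE because the transaction list is inherited from the parent; she can display plant 1000 but not change it (activity 02 is not in the authorization) and cannot see plant 2000 (a different derived role); the `Z*` pattern on S_USER_GRP lets her display Z-groups but not SUPER; and generating the parent role fails because its organisational levels are never maintained there.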
Q) What is the total number of activities?
A) As per 4.7, the total number of activities = 168
01 – 99 = numeric activities (99)
A1 – VF = alphanumeric activities (69)
Will update soon... Check next post...