Security (Part-2) :-
STEPS to CREATE a ROLE (PFCG)
Creation of parent role: The name of any custom role should start with Z or Y (the customer namespace).
Enter the role name and click the Single Role button.
Enter a meaningful description.
Go to the Menu tab to add the transactions.
Click on Save.
Select Transaction to add a transaction code.
Note: SU53 should be included by default for every SAP user, so that they can report their own failed authorization checks.
Assign the transactions and save the role.
Creation of Child / Derived Role:
Enter the derived role name and, under Transaction Inheritance, enter the parent role in the Derive from Role field; confirm the popup with "Yes".
1) In a derived role nothing can be changed on the Menu tab (no adding or deleting of transactions or reports); the menu is inherited from the parent.
2) The relationship between parent and derived roles is 1:n (one parent, many derived roles).
3) When a role is generated for the first time, always use Expert Mode for profile generation.
Go to the Authorizations tab to maintain the authorization data and generate the derived role.
Buttons on the authorization data screen:-
Manually: Add authorization objects manually to the role.
Open: Show all open fields, i.e. fields for which no values are maintained yet (shown in yellow).
Changed: Show the authorizations whose standard values have been changed.
Maintained: Show the fields for which the missing values have been maintained.
Organizational Levels: Maintain the organizational values that apply to the whole role, such as plant, warehouse number and company code.
1) Always maintain a value in every open field.
2) If a standard value is changed, the status of that authorization changes automatically from Standard to Changed.
3) By default, authorizations pulled in from the menu (via the SU24 proposals) have the status Standard.
4) Always maintain organizational values via the Organizational Levels button only, never directly in the field.
Hierarchy in a Role (colors in the authorization tree):-
Role name = Blue
Class = Orange
Authorization object = Green
Authorization = Yellow
Fields = White
Q) Which authorization object is checked by default for every role?
A) S_TCODE, which controls which transaction codes the role may start.
1) S_TCODE cannot be edited directly in a role; its values come from the Menu tab, so the only way to add a transaction code is through the parent role's menu.
2) When a new role containing functional transactions is generated for the first time, a popup asks for the organizational level values.
3) Red indicates missing organizational values.
4) Yellow indicates missing field values that are not organizational levels.
All roles are created in the development system, and any modification is also made there only. The changes are transported to the quality system, tested and approved there, and only then moved to production.
Q) Why should organizational values not be typed directly into a role's fields instead of using the Organizational Levels button?
A) A value entered directly is no longer treated as an organizational level, so later maintenance via the Organizational Levels button does not change it. On the next generation the field shows up open (empty) again, and when the derived roles are adjusted from the parent the directly entered value is overwritten.
Rules to be followed when editing standard authorizations:
1) Copy the standard authorization.
2) Deactivate the standard one, i.e. the original.
3) Make the changes only in the copy.
1) Once the copy is changed, its status becomes Maintained.
2) If these steps are not followed, a new open field appears the next time the role is regenerated. Following this procedure avoids duplicated fields.
3) If a parent role is changed (e.g. a transaction code is added or deleted), all derived roles under that parent must be regenerated.
4) When generating a derived role, always choose "Read old status and merge with new data".
5) If "Edit old status" is chosen, newly required open fields are not shown even though they exist.
6) Never choose "Delete and recreate profile and authorizations"; it discards all manually maintained values.
7) Once the role is generated, assign it to a user in SU01 (or add the user on the User tab in PFCG).
8) Assign only derived roles to users, never the parent. Whenever a user is added to a role, run User Comparison.
9) User Comparison is what refreshes the user buffer with the new profile values.
Compare User Master Record:
The user master record comparison can be done in two ways:
1) The standard background job that runs report PFCG_TIME_DEPENDENCY. It is scheduled after midnight and before the start of the business day, so that the authorization profiles in the user master records are up to date every morning.
2) Transaction PFUD (User Master Data Reconciliation). As an administrator, run it regularly; errors that occurred (for example during the background job) can then be handled manually.
Authorization Troubleshooting for a User
Whenever a user tries to execute a transaction that is not assigned to them, or tries to perform an activity that is not permitted for an assigned transaction, the user gets a "No authorization" error.
In such a case, ask the user for an SU53 screenshot of the failed authorization check.
SU53 has 2 parts:
1) Authorization check failed: shows the actual cause of the error (the object and the values that were checked and are missing).
2) User's authorization data: shows the authorizations the user currently has for that object.
Note: To see the SU53 result of another user, go to SU53 and choose the option to display the check for a different user.
Analysis using SUIM
Scenario 1: A user has access to plant 1000 in MM01. He now tries to create a material for plant 0001 and gets the error "No authorization for plant 0001".
Solution: Request an SU53 screenshot. Once you receive the screenshot:
Go to SUIM.
In SUIM, search for the roles that grant access to plant 0001:
SUIM -> Roles -> Roles by Complex Selection Criteria, and deselect the user selection.
Under Authorization Object 1, enter the object from the SU53 screenshot and click Entry Values.
Enter the field values exactly as shown in SU53 under that authorization object and click Execute.
Double-click the role that you want to assign.
This takes you to PFCG for that role.
Go to the Authorizations tab -> Display Authorization Data.
Use Find (Ctrl+F).
Enter the authorization object in the Authorization field and press Enter (Find Object).
Go to Utilities and switch Technical Names On, so the object and field names match the SU53 output.
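To make the mechanics behind Scenario 1 and the user comparison concrete, here is an added worked example in Python. It is not SAP code and not part of the original post: it models a parent role, derived roles whose only difference is the organizational level, a user master comparison that honours assignment validity dates, an AUTHORITY-CHECK style evaluation that returns the failed check the way SU53 reports it, and the SUIM search for roles that carry the missing value. Object M_MATE_WRK with fields ACTVT and WERKS is the real object MM01 checks for plant access; the role names Z_MM_PARENT / Z_MM_PLANT_1000 / Z_MM_PLANT_0001, the user JSMITH, the dates and the list of org-level fields are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Fields PFCG treats as organizational levels: maintained per derived role,
# everything else is inherited unchanged from the parent (constructed subset).
ORG_LEVEL_FIELDS = {"WERKS", "BUKRS", "LGORT"}

@dataclass
class Authorization:
    obj: str                     # authorization object, e.g. M_MATE_WRK
    fields: dict[str, set[str]]  # field -> allowed values; "*" means full authorization

@dataclass
class Role:
    name: str
    tcodes: set[str]             # the Menu tab
    auths: list[Authorization]
    parent: str | None = None

@dataclass
class Assignment:
    user: str
    role: Role
    valid_from: date
    valid_to: date

def derive(parent: Role, name: str, org_values: dict[str, set[str]]) -> Role:
    """Derived role: menu and non-org authorizations are copied from the parent;
    only org-level fields take role-specific values. An org level left open is
    what PFCG shows in red, so generation is refused."""
    auths = []
    for a in parent.auths:
        new_fields: dict[str, set[str]] = {}
        for f, vals in a.fields.items():
            if f in ORG_LEVEL_FIELDS:
                if not org_values.get(f):
                    raise ValueError(f"{name}: org level {f} of {a.obj} is open (red)")
                new_fields[f] = set(org_values[f])
            else:
                new_fields[f] = set(vals)
        auths.append(Authorization(a.obj, new_fields))
    return Role(name, set(parent.tcodes), auths, parent=parent.name)

def generate_profile(role: Role) -> list[Authorization]:
    """PFCG 'Generate': S_TCODE is filled from the Menu tab, which is why a
    transaction can only be added through the parent role's menu."""
    return [Authorization("S_TCODE", {"TCD": set(role.tcodes)})] + role.auths

def user_compare(assignments: list[Assignment], user: str, today: date) -> list[Authorization]:
    """User master comparison (PFUD / PFCG_TIME_DEPENDENCY): only assignments
    valid today contribute profiles to the user buffer."""
    buffer: list[Authorization] = []
    for a in assignments:
        if a.user == user and a.valid_from <= today <= a.valid_to:
            buffer.extend(generate_profile(a.role))
    return buffer

def _covers(a: Authorization, field_name: str, value: str) -> bool:
    allowed = a.fields.get(field_name, set())
    return value in allowed or "*" in allowed

def authority_check(buffer: list[Authorization], obj: str, **required: str) -> dict | None:
    """AUTHORITY-CHECK semantics: passes if a single authorization for `obj`
    covers every required field value. Returns None on success, otherwise the
    failed check in the shape SU53 reports it (object plus the values needed)."""
    for a in buffer:
        if a.obj == obj and all(_covers(a, f, v) for f, v in required.items()):
            return None
    return {"object": obj, "required": dict(required)}

def roles_with_value(roles: list[Role], obj: str, field_name: str, value: str) -> list[str]:
    """SUIM 'Roles by Complex Selection Criteria' with the SU53 values entered."""
    return [r.name for r in roles
            if any(a.obj == obj and _covers(a, field_name, value) for a in generate_profile(r))]

# Constructed scenario matching the MM01 / plant example: role names, dates and the
# user JSMITH are assumptions; M_MATE_WRK (ACTVT, WERKS) is the real object MM01 checks.
PARENT = Role("Z_MM_PARENT", {"MM01", "SU53"}, [
    Authorization("M_MATE_WRK", {"ACTVT": {"01", "02", "03"}, "WERKS": set()}),  # WERKS open
])
PLANT_1000 = derive(PARENT, "Z_MM_PLANT_1000", {"WERKS": {"1000"}})
PLANT_0001 = derive(PARENT, "Z_MM_PLANT_0001", {"WERKS": {"0001"}})
ALL_ROLES = [PARENT, PLANT_1000, PLANT_0001]
ASSIGNMENTS = [Assignment("JSMITH", PLANT_1000, date(2024, 1, 1), date(9999, 12, 31))]

def scenario_1(today: date = date(2024, 6, 1)) -> dict:
    """Replays Scenario 1: MM01 in plant 1000 passes, plant 0001 fails, SUIM finds the role."""
    buffer = user_compare(ASSIGNMENTS, "JSMITH", today)
    return {
        "tcode_ok": authority_check(buffer, "S_TCODE", TCD="MM01") is None,
        "plant_1000_ok": authority_check(buffer, "M_MATE_WRK", ACTVT="01", WERKS="1000") is None,
        "su53": authority_check(buffer, "M_MATE_WRK", ACTVT="01", WERKS="0001"),
        "suim": roles_with_value(ALL_ROLES, "M_MATE_WRK", "WERKS", "0001"),
        "before_assignment_ok": authority_check(user_compare(ASSIGNMENTS, "JSMITH", date(2023, 6, 1)), "S_TCODE", TCD="MM01") is None,
    }
```

Calling scenario_1() shows the two points the notes make: the parent role is never assignable as-is because its WERKS field is open (derive() refuses to generate a child without an org value), and the user's buffer only contains what user_compare() pulls from assignments valid on that date, so a check run before the assignment's start date fails even though the role exists. The "su53" entry is exactly what you would read off the SU53 screenshot and type into SUIM.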
Second Method of Role Maintenance
1) Create a parent role, add the transaction codes on the Menu tab and generate the role.
2) Create the derived roles, assign the parent to each and generate the derived roles.
Note: In this method the derived roles are always generated from the parent role:
Go to the Authorizations tab.
Choose "Read old status and merge with new data".
Make the changes in the parent role.
Finally click Generate Derived Roles (or choose Authorizations -> Adjust Derived -> Generate Derived Roles).
This generates all derived roles of the parent automatically.
Note: Organizational values cannot be maintained from the parent role; they have to be maintained individually in each derived role.
Mass Generation of Derived Roles:
Copy the names of all the derived roles into a text file (Notepad).
Go to PFCG -> Utilities -> Mass Generation. On the mass generation screen:
Select all roles in the selection.
Select "Display data when created and changed".
Click on Role -> Multiple Selection.
Go to the text file, select all and copy.
Return to the multiple selection and click Upload from Clipboard.
Click Check Entries.
Click Copy and then Execute.
Deletion of a Role:-
Before deleting any role, first add it to a transport request, then proceed with the deletion.
Q) Why does a role have to be added to a transport before deletion?
A) All changes to roles are made in the development system and moved to production. If a role is deleted in development, the same role has to be deleted in production too, because that is where the users actually use it. The deletion therefore has to be transported.
In PFCG select the role to be deleted and put it in a transport request using the Transport Role button.
1) In the Choose Objects options, never select User Assignment. Users are assigned to roles only in the production system.
2) Changes made with SU24 are of type Workbench.
3) Changes made with PFCG are of type Customizing.
SUIM change documents:-
1) Change documents show when a user was created or deleted, when a password was reset, and when the user was locked or unlocked. They also track role assignments: when roles were added or removed, who performed the action and on what date.
Q) How do I unlock a user, or find out why the user was locked?
A) Go to SU01 -> enter the user ID -> Logon Data tab and check whether the user is locked.
Then go to SUIM -> Change Documents for Users -> enter the user name and execute.
Note: Locks are of 2 types:
1) Locked due to incorrect logon attempts
2) Locked by an administrator
If it is an administrator lock, never unlock the user directly; contact the administrator who set the lock to find out the reason.
If the lock is due to incorrect logons, go to SU01, select the user and press the Unlock button.
Scenario 2: Mass user locking during an upgrade:
1) Go to SU01 and enter * in the User field.
2) This lists every user in the system.
3) Copy the user names into a text file.
4) Go to SU10, paste the users and choose Lock.
Note: In SU10 passwords cannot be set for all users at once.
A reference user is a user type used only to assign identical additional authorizations to many users (for example internet users); it cannot log on itself.
Note: Assignment of a reference user
Go to SU01 -> Roles tab -> field "Reference user for additional rights", and enter the reference user name.
Process steps followed in security - requests come in the form of a CR (change request) / template
1) The request arrives as an approved CR form (unique ID = CR name).
2) Log in to DEV and perform the action as per the CR form.
3) Put the completed task in DEV into a transport request (TP) of the appropriate type (Customizing / Workbench).
4) Transport / move the TP to QAS for testing.
5) Create a test ID in QAS with the above changes and send the test ID details to the CR owner.
6) Once testing in QAS is complete, the CR owner sends an approval with the test results.
a) If the test results are positive, move the change to PRD; otherwise rectify the changes.
b) Rectification is done again in development.
c) The rectified change is put into a new TP with the same CR name in its description and moved to QAS.
7) Based on the approval, move the changes to production.
8) Once the changes are in production, the CR owner or the end user tests and confirms the final status.
9) Once we get the final confirmation, i.e. the second approval in PRD, the CR can be closed.
Will update soon... Check next post...