SAP BASIS Introductory Training Program Day 7
TRANSCRIPT
8/3/2019 23495144 SAP BASIS Introductory Training Program Day 7
CONFIDENTIAL
SAP BASIS Introductory Training Program
DAY 7 Security and Authorizations Concepts
-
22 April 2012
Day 7 : Agenda
09:00 AM - 11:00 AM User Master & Authorization Object AS ABAP
11:00 AM - 11:15 AM Break
11:15 AM - 01:00 PM Role Management AS ABAP
01:00 PM - 02:00 PM Lunch Break
02:00 PM - 03:00 PM User Information & Troubleshooting AS ABAP
03:00 PM - 03:30 PM Concepts of User & Authorization AS JAVA
03:30 PM - 03:45 PM Break
03:45 PM - 05:00 PM User and Role Management - AS JAVA
05:00 PM - 06:00 PM Exercise & Break Out Session
-
User Master &
Authorization Object Concept
AS ABAP
-
Overview of Security & Authorizations
Concept of Roles in AS ABAP
Concept of Authorization Objects
User & Role Management in AS ABAP
Troubleshooting Authorization issues
Concept of UME in AS JAVA
Concept of Roles in AS JAVA
User and Role Management in AS JAVA
-
User Concept
Every SAP user requires a unique user ID to log on to the system.
The user can log on with the user ID only in the SAP application. The user does not gain access to the underlying database instance or the operating system.
Users and authorization data are client-dependent.
Therefore every user in SAP will have a unique user master record.
In the system there is an authorization check every time any transaction is called or certain functions within the transaction are called.
-
Types of SAP Users
Dialog Users
A normal dialog user is used for all logon types by just one person. During a dialog logon, the system checks for expired/initial passwords, and the user has the opportunity to change his or her own password. Multiple dialog logons are checked and, if appropriate, logged.
System Users
Use the System user type for dialog-free communication within a system or for background processing within a system, or also for RFC users for various applications, such as ALE, Workflow, Transport Management System, Central User Administration. It is not possible to use this type of user for a dialog logon. Users of this type are excepted from the usual settings for the validity period of a password. Only user administrators can change the password.
Communication Users
Use the communication user type for dialog-free communication between systems. It is not possible to use this type of user for a dialog logon. The usual settings for the validity period of a password apply to users of this type.
-
Types of SAP Users - Contd.
Service User
A user of the type Service is a dialog user that is available to a larger, anonymous group of users. In general, you should only assign highly restricted authorizations to users of this type. Service users are used, for example, for anonymous system accesses using an ITS or ICF service. The system does not check for expired/initial passwords during logon. Only the user administrator can change the password. Multiple logons are permitted.
Reference User
Like the service user, a reference user is a general non-person-related user. You cannot use a reference user to log on. A reference user is used only to assign additional authorizations. You can specify a reference user for a dialog user for additional authorization on the Roles tab page.
SAPGUI compatibility with different user types
-
User Creation using SU01 Transaction
You can create a new user master record by copying an existing user master record or creating a completely new one. The user master record contains all data and settings that are required to log on to a client of the SAP system. This data is divided into the following tab pages:
Address: Address data
Logon data: Password and validity period of the user, and user type. For further information about the password rules for special users, refer to SAP Note 622464
Defaults: Default values for a default printer, the logon language
Parameters: User-specific values for standard fields in SAP systems
Roles and Profiles: Roles and profiles that are assigned to the user
Groups: For the grouping of users for mass maintenance.
You must maintain at least the following input fields when creating a user: Last name on the Address tab page, initial password and identical repetition of the password on the Logon Data tab page.
-
SU01 Tabs
Address Tab
Logon Data Tab
Defaults Tab
Roles Tab
-
Adding Roles to a User in SU01
You can explicitly add roles to a user and save it as shown below. You should be in change mode when you add the roles.
-
Managing a User Account
You can lock and unlock a user in SU01. Once the user is locked, the person is unable to log in to the system unless the system administrator explicitly unlocks the user ID.
LOCK / UNLOCK
It is possible to reset the password in case the user has forgotten the password.
PASSWORD RESET
-
Authorization Concept
The authorizations for users are created using roles and profiles. Administrators create the roles, and the system supports them in creating the associated authorizations.
Authorizations in SAP are built on the concept of Authorization Objects.
-
Details on Authorization Objects
Actions and the access to data are protected by authorization objects in the SAP system. To provide a better overview, authorization objects are divided into various object classes.
Authorization objects allow complex checks that involve multiple conditions that allow a user to perform an action. The conditions are specified in authorization fields for the authorization objects and are AND linked for the check.
Authorization objects and their fields have descriptive and technical names. In the example in the earlier slide, the authorization object "User master maintenance: User Groups" (technical name: S_USER_GRP) contains the two fields "Activity" (technical name: ACTVT) and "User Group in User Master" (technical name: CLASS). The authorization object S_USER_GRP protects the user master record.
An authorization object can include up to ten authorization fields. An authorization is always associated with exactly one authorization object and contains the values for the fields of the authorization object. An authorization is a permission to perform a certain action in the SAP system. The action is defined on the basis of the values for the individual fields of an authorization object. Example: Authorization B in the graphic for the authorization object S_USER_GRP allows the display of all user master records that are not assigned to the user group SUPER. Authorization A, however, allows records for this user group to be displayed.
There can be multiple authorizations for one authorization object. Some authorizations are delivered by SAP, but the majority are created specifically for the customer's requirements.
-
Authorization Check Graphic
-
Authorization Check Details
When a user logs on to a client of an SAP system, his or her authorizations are loaded in the user context. The user context is in the user buffer (in the main memory; query using transaction code SU56) of the application server.
When the user calls a transaction, the system checks whether the user has an authorization in the user context that allows him or her to call the selected transaction. Authorization checks use the authorizations in the user context. If you assign new authorizations to the user, it may be necessary for this user to log on to the SAP system again to be able to use these new authorizations (for more information, see SAP Note 452904 and the documentation for the parameter auth/new_buffering).
If the authorization check for calling a transaction was successful, the system displays the initial screen of the transaction. Depending on the transaction, the user can create data or select actions. When the user completes his or her dialog step, the data is sent to the dispatcher, which passes it to a dialog work process for processing. Authority checks (AUTHORITY-CHECK) that are checked during runtime in the work process are built into the coding by the ABAP developers for data and actions that are to be protected. If the user context contains all required authorizations for the checks (return code = 0), the data and actions are processed and the user receives the next screen. If one authorization is missing, the data and actions are not processed and the user receives a message that his or her authorizations are insufficient. This is controlled by the evaluation of the return code. In this case, it is not equal to 0.
All authorizations are permissions. There are no authorizations for prohibiting. Everything that is not explicitly allowed is forbidden. This can be described as a "positive authorization concept".
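The two slides above (authorization objects with AND-linked fields, and the AUTHORITY-CHECK return code) can be modelled in a few lines. The following Python is an added illustration, not SAP code and not part of the training material: a user context is a list of authorizations, each tied to exactly one object; a check passes when at least one authorization for the object covers every requested field value; nothing can forbid, so a missing value simply fails. The object and field names S_TCODE/TCD, S_DEVELOP/ACTVT/DEVCLASS and S_USER_GRP/ACTVT/CLASS are the standard SAP names; the user contexts and their values are constructed for the example; the return codes 4 and 12 follow the documented sy-subrc convention of the AUTHORITY-CHECK statement, which the slides only summarize as "not equal to 0".

```python
"""Constructed model of the AS ABAP authorization check (illustrative Python,
not SAP code). A user context is the list of authorizations loaded into the
user buffer at logon; AUTHORITY-CHECK succeeds when at least one authorization
for the checked object covers every requested field value (fields are
AND-linked); there is no way to express a prohibition, so anything not
explicitly allowed is forbidden (positive authorization concept)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple, Union

# Return codes as AUTHORITY-CHECK sets sy-subrc. The slides only distinguish
# 0 from non-zero; 4 and 12 follow the documented convention for the statement.
RC_OK = 0              # one authorization satisfied all checked fields
RC_VALUES_MISSING = 4  # object is in the user context, but no authorization
                       # for it covers the requested field values
RC_NO_OBJECT = 12      # user context holds no authorization for this object

# A field value list holds single values or patterns ("03", "SE11", "Y*", "*")
# and inclusive ranges given as (from, to) tuples, the way PFCG stores them.
Value = Union[str, Tuple[str, str]]


@dataclass
class Authorization:
    """One authorization: always exactly one object, with values per field."""
    obj: str
    fields: Dict[str, List[Value]]


def value_allowed(allowed: List[Value], requested: str) -> bool:
    """True if the requested value is covered by any entry of the field."""
    for v in allowed:
        if isinstance(v, tuple):
            low, high = v
            if low <= requested <= high:
                return True
        elif v == "*" or fnmatchcase(requested, v):
            # "*" covers everything; "Z*" covers the customer namespace;
            # a plain value such as "03" must match exactly.
            return True
    return False


def authority_check(user_context: List[Authorization], obj: str,
                    **requested: str) -> int:
    """Equivalent of AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2.
    Returns the return code; callers must treat anything but 0 as failure."""
    candidates = [a for a in user_context if a.obj == obj]
    if not candidates:
        return RC_NO_OBJECT
    for auth in candidates:
        # AND link: a single authorization must cover every checked field.
        if all(value_allowed(auth.fields.get(name, []), value)
               for name, value in requested.items()):
            return RC_OK
    # Several authorizations for one object are ORed: none of them matched.
    return RC_VALUES_MISSING


def su53_report(user_context: List[Authorization], obj: str,
                **requested: str) -> dict:
    """What SU53 shows after a failed check: the object and values that were
    checked, and the authorizations the user actually holds for that object."""
    return {
        "object": obj,
        "checked": dict(requested),
        "rc": authority_check(user_context, obj, **requested),
        "existing": [a.fields for a in user_context if a.obj == obj],
    }


# Constructed user contexts. The S_DEVELOP values (ACTVT 01,02,03; DEVCLASS
# Y*, Z*) follow the "Hierarchy of Users, Roles and Objects" slide; the
# S_USER_GRP CLASS value "*" is chosen here.
DEVELOPER_CONTEXT = [
    Authorization("S_TCODE", {"TCD": ["SE11", "SE38", "SU53"]}),
    Authorization("S_DEVELOP", {"ACTVT": ["01", "02", "03"],
                                "DEVCLASS": ["Y*", "Z*"]}),
    Authorization("S_USER_GRP", {"ACTVT": ["03"], "CLASS": ["*"]}),
]

# The TEST USER from the SU53 slide: no assigned role grants SE11.
TEST_USER_CONTEXT = [
    Authorization("S_TCODE", {"TCD": ["MM01", "VA01"]}),
]

if __name__ == "__main__":
    # A developer may change a customer package, but not an SAP one.
    print(authority_check(DEVELOPER_CONTEXT, "S_DEVELOP",
                          ACTVT="02", DEVCLASS="ZFI_REPORTS"))   # 0
    print(authority_check(DEVELOPER_CONTEXT, "S_DEVELOP",
                          ACTVT="02", DEVCLASS="SAPBC"))         # 4
    print(su53_report(TEST_USER_CONTEXT, "S_TCODE", TCD="SE11"))  # rc 4
```

The model makes two points the slides state in prose visible in running code: a single authorization must satisfy all checked fields at once (ACTVT 02 on a Z package passes, the same ACTVT on an SAP package fails), and the only way to widen access is to add a covering value, never to remove a prohibition, which is why the SU53 fix on a later slide is to add S_TCODE with value SE11 to one of the user's roles.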
-
Maintaining Authorization Objects SU24
-
Maintaining Authorization Objects SU24
Field values for S_DEVELOP
Check Indicator to activate/deactivate the authorization check for a particular object
-
BREAK
-
Specifying Authorization Object Values
The transaction SU24 is used to set the authorization check status for individual transactions.
Each transaction has an underlying set of authorization objects.
Each object has a set of fields and values which permit certain functions.
For example, in transaction SE11 the underlying object S_DEVELOP governs the rights of changes in table structure. When the ACTVT field value is set to 1, the user is able to modify the table structure.
Note that changing the default values for fields in SU24 will result in changes which will affect all transactions that use the particular authorization object.
-
Role Management
AS ABAP
-
Role Management using PFCG
Role Maintenance (transaction PFCG, previously also called Profile Generator or activity groups) simplifies the creation of authorizations and their assignment to users. In role maintenance, transactions that belong together from the company's point of view are selected. Role maintenance creates authorizations with the required field values for the authorization objects that are checked in the selected transactions.
A role can be assigned to various users. Changes to a role therefore have an effect on multiple users. Users can be assigned various roles. The user menu comprises the role menu(s) and contains the entries (transactions, URLs, reports, and so on) that are assigned to the user through the roles.
-
Usage of PFCG
Taking the example of the role TCS_PP_ALL, the next screens will indicate the structure of a role and the underlying authorization objects.
The Authorizations tab is where the object values need to be maintained.
-
Usage of PFCG
Authorizations are categorized on the basis of the SAP functional areas.
Take the example of Production Planning.
-
Usage of PFCG
Authorization Objects / Authorization Field Names / Authorization Field Values
-
Interpretation of Authorization Field Values
In this specific example of Production Planning, the C_AFRU_AWK object has the fields Activity, Order Type and Plant.
The field values for Activity show that the full range of functions is permitted.
Now since the Order Type and Plant values are *, this means that the user who has been assigned the role TCS_PP_ALL will automatically be able to process all confirmations for all order types and all plants in the SAP system.
In order to restrict the user to processing confirmations for a particular plant, the BASIS administrator must explicitly specify the plant names or order types in PFCG change mode.
Example shown below:
-
Assigning Users to a Role
Using the User tab, you can explicitly add users to a role.
After adding, you must perform a user comparison so that the user master records are updated.
-
User Master Comparison
The user comparison button should be in green.
-
Authorization Profiles Concept
After making changes in the role, you have to generate the profile for the role as well as the authorization profiles for the objects.
The Role and Profile are two different concepts. The role is a collection of authorization objects grouped by functional areas.
The profile is a specific compiled version of either the role as a whole or the authorization object.
In ECC 6.0, you should not assign profiles to a user, as both SU01 and PFCG automatically determine the required profiles. In ECC 6.0, you must assign ONLY roles to users.
-
Hierarchy of Users , Roles and Objects
(Figure: two SAP roles, each with the transactions assigned to the role, the underlying authorization objects with their fields and values, and the users who have been granted the role)
SAP ROLE 1 (Z_SD_COMP1)
Transactions assigned to the role: VA01, VA02, MM01, SU53, SP01, SE11
Underlying authorization objects:
Objects / Fields / Value
S_USER_GRP / ACTVT / 03
S_USER_GRP / CLASS / ..
S_DEVELOP / ACTVT / 01,02,03
S_DEVELOP / DEVCLASS / Y* , Z*
.. / .. / ..
SAP ROLE 2 (Z_FI_COMP1)
Transactions assigned to the role: FBLN, F-05, ...
Users who have been granted these roles: USER 1, USER 2, USER 3
-
Managing User Logon Parameters
-
Managing User Logon Parameters
-
LUNCHBREAK
-
SAP Standard Users
Essentially, there are two types of standard users: those created by installing the SAP system and those created when you copy clients.
During the installation of the SAP system, the clients 000 and 066 are created (the client 001 is not always created during an SAP installation; it is also created, for example, during an SAP ECC installation). Standard users are predefined in the clients. Since there are standard names and standard passwords for these users, which are known to other people, you must protect them against unauthorized access.
The SAP system standard user, SAP*
SAP* is the only user in the SAP system for which no user master record is required, since it is defined in the system code. SAP* has, by default, the password PASS, and unrestricted access authorizations for the system.
When you install the SAP system, a user master record is created automatically for SAP* in client 000 (and in 001 if it exists). At first, this still has the initial password 06071992. The administrator is required to reset the password during installation. The installation can continue only after the password has been changed correctly. The master record created here deactivates the special properties of SAP*, so that only the authorizations and password defined in the user master record now apply.
-
SAP Standard Users Contd.
The DDIC user
This user is responsible for maintaining the ABAP Dictionary and the software logistics.
When you install the SAP system, a user master record is automatically created in client 000 [001] for the user DDIC. With this user too, you are requested to change the standard password of 19920706 during the installation (similar to the user SAP*). Certain authorizations are predefined in the system code for the DDIC user, meaning that it is, for example, the only user that can log on to the SAP system during the installation of a new release.
Caution: To protect the system against unauthorized access, SAP recommends that you assign these users to the user group SUPER in the client 000 [001]. This user group is only assigned to superusers.
The EarlyWatch user
The EarlyWatch user is delivered in client 066 and is protected with the password SUPPORT. The EarlyWatch experts at SAP work with this user. This user should not be deleted or the password changed. This user should only be used for EarlyWatch functions (monitoring and performance).
-
SAP* User Special Features
If you copy a client, the user SAP* is always available. This user does not have a user master record, and is programmed into the system code. To protect your system against unauthorized access, you should create a user master record for this standard user. Create a superuser with full authorization.
If you now delete the user master record SAP* from the database SQL prompt, the initial password PASS with the following properties becomes valid again:
The user has full authorization since no authorization checks are made.
The standard password PASS cannot be changed.
How can you counter this problem to protect the system against misuse? You can deactivate the special properties of SAP*. To do this, you must set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero. If the parameter is active, SAP* no longer has any special properties. If the user master record SAP* is deleted, the logon with PASS no longer works.
If you want to reinstate the old behavior of SAP*, you must first reset the parameter and restart the system.
NOTE: The user master record in SAP is in the database table USR02.
-
Initial Passwords for Standard Users
-
User Information
Management & Troubleshooting
-
User Information System Transaction SUIM
You can obtain an overview of user master records, authorizations, profiles, roles, change dates, and so on using the information system.
You can display lists that answer very varied questions. For example:
Which users have been locked in the system by administrators or failed logon attempts?
When did a user last log on to the system?
What changes were made in the authorization profile of a user?
In which roles is a certain transaction contained?
Which authorization objects are assigned to roles?
Who has made the last changes in a user's master record?
-
Using SUIM
-
Looking up all Roles for a Transaction
For maintaining strict standards of security compliance, the SUIM transaction is extremely important.
For example, some SAP roles such as SAP_ALL and SAP_NEW should not be granted to any users.
Granting access to SE11 and SE38 in production systems can cause inadvertent changes to programs or tables.
Example of all roles for transaction SE11
-
Troubleshooting Authorization Issues SU53
The SU53 transaction is a trace transaction which provides comprehensive information on the errors encountered during an authorization check.
The SU53 transaction must be run immediately in the same user session following the authorization error.
The example below shows how the user encountered an authorization error, and how the information was obtained from SU53. The user tried to execute SE11. In the same session, the user executes SU53 (see next slide).
-
SU53 Error Report
The SU53 report shows that the transaction SE11 has not been assigned to any of the roles that have been granted to the TEST USER.
The solution would be to explicitly add the authorization object S_TCODE with the value SE11 to any one of the roles assigned to TEST USER.
-
User & Authorization
Concepts
AS JAVA
-
User & Authorization Concept AS JAVA
AS Java provides an open architecture supported by service providers for the storage of user and group data. The AS Java is supplied with the following service providers, which are also referred to as a user store:
DBMS provider: storage in the system database
UDDI provider: storage via external service providers (Universal Description, Discovery and Integration)
UME provider: Connection of the integrated User Management Engine
The DBMS and UDDI providers implement standards and therefore ensure that AS Java is J2EE-compliant. When AS Java is installed, SAP's own User Management Engine (UME) is always set up as the user store and is the correct choice for most SAP customers. The UME is the only way to flexibly set up and operate user and authorization concepts.
-
Important Features of the UME
The UME has its own administration console for administering users. It allows the administrator to perform the routine tasks of user administration, such as creating users and groups, role assignment, and other actions.
Security settings can be used to define password policies, such as minimum password length and the number of incorrect logon attempts before a user is locked.
The UME provides different self-service scenarios that can be used by applications. For example, a user can change his or her data, or register as a new user. Newly-created users can be approved using a workflow.
User data can be exchanged with other (AS Java or external) systems using an export/import mechanism.
The UME logs important security events, such as a user's successful logons or incorrect logon attempts, and changes to user data, groups, and roles.
-
UME Architecture
-
UME Architecture Details
The UME is a Java application which runs on SAP NetWeaver AS Java and which covers the following functional areas:
UME Core Layer: Provides persistence managers between the application programming interface and the user management data sources. These control where user data such as users, user accounts, groups, roles and their assignments are read from or written to, with the result that applications which use the API do not have to know where the user management data is stored.
UME API Layer: This layer provides programming interfaces (APIs) not just for UME developers but also for customers and partners. This means that you can access the UME functions with the Java programs which you develop yourself.
UME services: The UME provides the following services to higher-level software layers:
Log-on procedure and Single Sign-On (log-on to AS Java is taken over for other systems and vice versa)
Provisioning processes via user master data
Authorization Concept
UME UI: The UME is responsible for the user interface which, in some log-on procedures, appears in the Web browser, as well as for the UME Administration Console.
-
BREAK
-
Tools for UME Configuration
-
User & Role Management
AS JAVA
-
User & Group Administration
In the UME environment, the term Principal designates the following central "objects":
The figure on the right hand side shows how principals are assigned.
-
Assigning Roles
It is also possible to assign roles to users directly. The principal Group supports hierarchies of groups. A group may also possess superordinate and subordinate groups. Users actually possess the roles which
are directly assigned to them
are assigned to the groups to which they belong
are assigned to the superordinate group of the groups to which they belong
When performing a search in the UME Administration Console, you must check the Search Recursively field if you want to see indirectly assigned principals.
-
Special features of the ABAP Data Source
If you use a client of the ABAP system as the data source, then UME behaves as follows:
The ABAP users are visible in AS Java and can log onto AS Java with their ABAP passwords.
The ABAP roles are depicted in AS Java as UME groups of the same name.
In AS Java, the assignment of ABAP users to ABAP (composite) roles appears as the assignment of UME users to UME groups.
-
Using ABAP as a Data Source
The reason for this group administration concept is the shared authorization administration for applications that have both ABAP and Java components.
Applications such as PI, for example, are made of both ABAP and Java components. The ABAP authorizations are mapped with PFCG roles. The J2EE authorizations are realized using UME roles. A user would have to be assigned a PFCG role in the ABAP system and a UME role on the Java side for the user to have both ABAP and Java authorizations. To avoid this, the PFCG roles are visible as groups in the UME. The PFCG role (a group) can be assigned a UME role in the UME. If a user is assigned the PFCG role in the ABAP system, he or she automatically also receives the authorizations from the UME role. Assigning authorizations therefore becomes simpler.
The connection between the UME in an AS Java and user management in an AS ABAP is established via the Java Connector (JCo). A communication user existing in ABAP is stored as a UME parameter (this usually has SAPJSF in its name). This communication user's ABAP authorization determines whether it is possible to modify ABAP user master records using UME resources.
The role SAP_BC_JSF_COMMUNICATION_RO gives the UME read access to the user data in the AS ABAP.
The role SAP_BC_JSF_COMMUNICATION gives the UME write access to the user data in the AS ABAP.
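The role resolution described on the "Assigning Roles" slide (direct roles, group roles, superordinate-group roles, and the Search Recursively option) and the PFCG-role-as-UME-group mapping described just above can be shown together in one small model. The following Python is an added illustration, not SAP code and not part of the training material: the group hierarchy, the user names, the UME role names and the PFCG role names Z_FI_COMP1 and Z_SD_COMP1 (taken from the hierarchy slide) are all constructed for the example.

```python
"""Constructed model (not SAP code) of how the UME resolves a user's roles
on AS Java: a user effectively holds the roles assigned directly, the roles
of the groups the user belongs to, and the roles of every superordinate
group of those groups. With an ABAP client as data source, each PFCG role
appears as a UME group of the same name, so a UME role assigned to that
group reaches everyone who holds the PFCG role in the ABAP system."""
from collections import deque
from typing import Dict, Set

# Constructed principals. Group names in the Z_* namespace stand for PFCG
# roles that the UME shows as groups; the others are native UME groups.
# A group may have several superordinate (parent) groups.
PARENTS_OF: Dict[str, Set[str]] = {
    "Z_FI_COMP1": {"finance"},       # PFCG role mapped to a UME group
    "finance": {"employees"},
    "Z_SD_COMP1": {"employees"},
}
GROUPS_OF_USER: Dict[str, Set[str]] = {
    "user1": {"Z_SD_COMP1"},          # holds the ABAP role Z_SD_COMP1
    "user2": {"Z_FI_COMP1"},
    "user3": {"Z_FI_COMP1", "Z_SD_COMP1"},
    "admin": set(),
}
ROLES_OF: Dict[str, Set[str]] = {
    "admin": {"Administrator"},       # directly assigned UME role
    "Z_FI_COMP1": {"PI_Monitoring"},  # UME role given to the PFCG-role group
    "finance": {"FinanceReports"},
    "employees": {"Everyone"},
}


def superordinate_groups(group: str) -> Set[str]:
    """All ancestors of a group (breadth-first, safe against cycles)."""
    seen: Set[str] = set()
    todo = deque([group])
    while todo:
        for parent in PARENTS_OF.get(todo.popleft(), set()):
            if parent not in seen:
                seen.add(parent)
                todo.append(parent)
    return seen


def groups_of(user: str, recursive: bool = True) -> Set[str]:
    """Direct groups, plus their superordinate groups when recursive."""
    groups = set(GROUPS_OF_USER.get(user, set()))
    if recursive:
        for g in list(groups):
            groups |= superordinate_groups(g)
    return groups


def effective_roles(user: str, recursive: bool = True) -> Set[str]:
    """Roles the user actually possesses, directly and through groups."""
    roles = set(ROLES_OF.get(user, set()))
    for g in groups_of(user, recursive):
        roles |= ROLES_OF.get(g, set())
    return roles


def users_with_role(role: str, recursive: bool = True) -> Set[str]:
    """The console search for a role's holders: without Search Recursively,
    only direct holders and members of directly assigned groups are found."""
    return {u for u in GROUPS_OF_USER if role in effective_roles(u, recursive)}


if __name__ == "__main__":
    print(sorted(effective_roles("user2")))                    # via group chain
    print(sorted(effective_roles("user2", recursive=False)))   # only PI_Monitoring
    print(sorted(users_with_role("FinanceReports")))           # user2, user3
```

The non-recursive search result is the point to remember when auditing: a user who appears to hold only PI_Monitoring in a flat listing also holds FinanceReports and Everyone through the superordinate groups, and a user who was given the PFCG role Z_FI_COMP1 only in the ABAP system still ends up with the UME role attached to that group.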
-
UME Administration Console
-
User Types in AS JAVA
-
Authorization Concept in AS JAVA
You can use authorizations to control which users can access a Java application, and which actions are permitted for a user. Authorizations are combined as roles and then assigned to a user or a user group by an administrator. The UME administration console and Visual Administrator tools are used to assign authorizations. Authorization checks are built into a Java application. You must distinguish between the following authorization checks:
J2EE security roles
UME roles
With both types of authorization check, the developer needs to define the authorization query in the application. The developer decides which type of authorization check is to be used. This means in practice that whether J2EE security roles or UME roles are used depends on the application.
J2EE security roles are part of the J2EE standard. UME roles are an (SAP) extension of the J2EE security roles. You can define the same authorization checks with J2EE security roles and UME roles. However, it is easier and more precise to assign authorizations with UME roles. A J2EE security role comprises one object and UME roles many authorization objects (known as actions). This means that many J2EE security roles but perhaps only one UME role need to be assigned for the same authorizations. It is recommended that you always use UME roles, except in cases in which J2EE security roles are sufficient.
Note: A role in the ABAP environment is roughly equivalent to a UME role. An authorization object in the ABAP environment can be compared to a security role.
-
Structure of a J2EE Security Role
The figure shows the Order application as an example. For this application, a developer creates objects such as Create order, Approve order, and so on. If you are using J2EE security roles, a security role must be created for each object. The role is defined in the deployment descriptor (XML file) of a specific application. If the application is made available on the J2EE server, the administrator must add user names or user groups to each of these security roles for the users that are to use this application. The administrator must assign each single authorization/J2EE security role individually to a user or a group.
-
Using Visual Admin to assign a security role
You can use the Visual Administrator to assign a security role to a user or group. The Security Provider service of SAP NetWeaver AS Java must be running, and the user that wants to make the assignment must have administration authorizations.
A J2EE security role can be assigned either directly to users and/or groups or as a so-called reference role to precisely one J2EE security role in the component SAP-J2EE-Engine.
To assign security roles, proceed as follows:
1. Start the Visual Administrator (\usr\sap\\\j2ee\admin\go).
2. Navigate to Server > Services > Security Provider > Runtime > Policy Configurations.
3. In the Components area, select the application (or service).
4. Choose the Security Roles tab page.
5. In the Security Roles area, select the security role that you want to assign.
6. Switch to change mode if necessary.
7. Depending on the type of J2EE security role, you either perform the assignment directly to users and/or groups, or perform the assignment to a reference security role.
-
Using UME Console to assign roles
-
Comparison of Authorization Concept ABAP/JAVA
-
Special Users in AS JAVA
Special Administration User
You define the password for the administration user when installing an AS Java. After the installation, you can, of course, create other users with the same authorizations. However, the one and only administration user is special because it is not only used by the administrator in person but is also used for deployment via the SDM server.
Emergency User
You need to activate an emergency user for the UME if the user management has been incorrectly configured and no one can log on to an application, or all administration users are locked. This emergency user is called SAP* and can log on to any application and to the configuration tools. The SAP* user has full administration authorizations and, for security reasons, does not have a default password. You set the password as part of emergency user activation.
-
BREAKOUT SESSION
Exercise
-
Exercise
Special Note: Instructions for instructor: Set Check/Maintain on all authorization objects for MM01 using SU24
1. Log in to the system with the user ID/password provided by your instructor.
2. Start transaction SU01 and create a test user TESTGRP(x).
3. Start transaction PFCG and open the role TCS_FI_ALL.
4. Create a copy of this role with the name TCS_FI_ALL_Group(X).
5. Open the role and, with the help of the instructor, insert the authorization object S_TCODE. For the field value, enter MM01.
6. Assign your test user to this role and do a user comparison.
7. Log in with the new user and password and run transaction MM01.
8. Try to create a new material. Check for any authorization errors.
9. Run SU53 immediately and analyze the report.
-
Q&A Session