Download - SAP Security - Day 2 1st Half_Radha Krishna
![Page 1: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/1.jpg)
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
User Administration
![Page 2: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/2.jpg)
IBM Global Business Services
© 2007 IBM Corporation2 March-2007User Administration
Objectives
The participants will be able to: Know what are the responsibilities of a user administrator
What are the components of User master
What are the different user types
How to maintain users in SU01
![Page 3: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/3.jpg)
IBM Global Business Services
© 2007 IBM Corporation3 March-2007User Administration
User Administration :
Maintaining User Master records
Giving authorization by adding roles or profiles (SAP Profiles)
Display authorization and profiles
Maintain Roles
Generate Authorization Profiles
![Page 4: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/4.jpg)
IBM Global Business Services
© 2007 IBM Corporation4 March-2007User Administration
ProfilesParameters Roles Groups Personalization License Data
Personal data, Communication data, Company address
Logon DataAddress Defaults
User group, user type, validity period
Start menu, logon language, default printer
Default values for parameter IDs
Assignment of roles
Assignment of profiles
Assignment of user groups
Assignment of personalization
Assignment of license data
Components of the User Master Record:
![Page 5: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/5.jpg)
IBM Global Business Services
© 2007 IBM Corporation5 March-2007User Administration
SAP User Type:
Dialog user Logon with SAPGUI is possible. The user is therefore interaction-capable with the
SAPGUI. Expired or initial passwords are checked. Users have the option of changing their own passwords. Multiple logon is checked.
System User Logon with SAPGUI is not possible. The user is therefore not interaction-capable with the SAPGUI. The passwords are not subject to the password change requirement, that is, they cannot be initial or expired. Only an administrator user can change the password. Multiple logon is permitted.
![Page 6: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/6.jpg)
IBM Global Business Services
© 2007 IBM Corporation6 March-2007User Administration
Service User Logon with SAPGUI is possible. The user is therefore interaction-capable with the
SAPGUI. The passwords are not subject to the password change requirement, that is, they
cannot be initial or expired. Only a user administrator can change the password. Multiple logon is permitted.
Communication User Logon with SAPGUI is not possible. The user is therefore not interaction-capable
with the SAPGUI. Expired or initial passwords are checked but the conversion of the password
change requirement that applies in principle to all users depends on the caller (interactive/not interactive). (*)
Users have the option of changing their own passwords.
SAP User Type Cont………
![Page 7: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/7.jpg)
IBM Global Business Services
© 2007 IBM Corporation7 March-2007User Administration
Reference User
No logon possible. Reference users are used for authorization assignment to other users
SAP User Type Cont………
![Page 8: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/8.jpg)
IBM Global Business Services
© 2007 IBM Corporation8 March-2007User Administration
User Maintenance:
![Page 9: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/9.jpg)
IBM Global Business Services
© 2007 IBM Corporation9 March-2007User Administration
User Maintenance contd..
![Page 10: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/10.jpg)
IBM Global Business Services
© 2007 IBM Corporation10 March-2007User Administration
User Maintenance contd..
![Page 11: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/11.jpg)
IBM Global Business Services
© 2007 IBM Corporation11 March-2007User Administration
User Maintenance contd..
![Page 12: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/12.jpg)
IBM Global Business Services
© 2007 IBM Corporation12 March-2007User Administration
User Maintenance contd..
![Page 13: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/13.jpg)
IBM Global Business Services
© 2007 IBM Corporation13 March-2007User Administration
User Maintenance contd..
![Page 14: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/14.jpg)
IBM Global Business Services
© 2007 IBM Corporation14 March-2007User Administration
User Maintenance contd..
![Page 15: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/15.jpg)
IBM Global Business Services
© 2007 IBM Corporation15 March-2007User Administration
User Maintenance contd..
![Page 16: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/16.jpg)
IBM Global Business Services
© 2007 IBM Corporation16 March-2007User Administration
User Maintenance contd..
![Page 17: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/17.jpg)
IBM Global Business Services
© 2007 IBM Corporation17 March-2007User Administration
User Maintenance contd..
![Page 18: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/18.jpg)
IBM Global Business Services
© 2007 IBM Corporation18 March-2007User Administration
Questions ?
![Page 19: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/19.jpg)
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
Address Field in User wrt Address Management
![Page 20: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/20.jpg)
IBM Global Business Services
© 2007 IBM Corporation20 March-2007User Administration
Objectives
The participants will be able to: Recognize what is company address
How company address can be created
How a user can be assigned to a company address
![Page 21: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/21.jpg)
IBM Global Business Services
© 2007 IBM Corporation21 March-2007User Administration
You can create, maintain and display Company address using the tcode SUCOMP
Company Address – Creation of Company
![Page 22: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/22.jpg)
IBM Global Business Services
© 2007 IBM Corporation22 March-2007User Administration
You need to enter the above information and click on save
Company Address – Creation of Company
![Page 23: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/23.jpg)
IBM Global Business Services
© 2007 IBM Corporation23 March-2007User Administration
The very first company need to be created in SUCOMP. After that all the newly created users have the default company address automatically assigned to them. To demonstrate the concept we need to have a look at the SU01 screen.
Company Address –
![Page 24: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/24.jpg)
IBM Global Business Services
© 2007 IBM Corporation24 March-2007User Administration
Create a user in SU01
Creation of User
![Page 25: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/25.jpg)
IBM Global Business Services
© 2007 IBM Corporation25 March-2007User Administration
The user is automatically assigned to the default company address
Assign Company Address
![Page 26: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/26.jpg)
IBM Global Business Services
© 2007 IBM Corporation26 March-2007User Administration
You can assign this user to any of the existing company address using the button Assign other company address
Assign other Company Address
![Page 27: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/27.jpg)
IBM Global Business Services
© 2007 IBM Corporation27 March-2007User Administration
From here you can also create a new company address
Assign Company Address
![Page 28: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/28.jpg)
IBM Global Business Services
© 2007 IBM Corporation28 March-2007User Administration
You need to enter the new company name what you do in SUCOMP
Company Address contd..
![Page 29: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/29.jpg)
IBM Global Business Services
© 2007 IBM Corporation29 March-2007User Administration
The same screen like SUCOMP and the same steps are required to be performed.
Company Address –
![Page 30: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/30.jpg)
IBM Global Business Services
© 2007 IBM Corporation30 March-2007User Administration
Questions ?
![Page 31: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/31.jpg)
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
User Groups
![Page 32: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/32.jpg)
IBM Global Business Services
© 2007 IBM Corporation32 March-2007User Administration
Objectives
The participants will be able to: The concept of user group
Specify the group for a user
Realize the importance of user groups in the context of user administration
![Page 33: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/33.jpg)
IBM Global Business Services
© 2007 IBM Corporation33 March-2007User Administration
User Group:
User group can be used for different purpose and in different way in an SAP environment -
One of the Primary uses of user groups is to sort users into logical groups.
This allows users to be categorized in a method that is not dependent on roles, Responsibilities & Profiles etc. User Groups also allow segregation of user maintenance, this is especially useful in a large organization as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team.
![Page 34: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/34.jpg)
IBM Global Business Services
© 2007 IBM Corporation34 March-2007User Administration
In the latest versions of SAP, actually two types of user group exist
The authorization user group (exist in Logon data tab in the user master record)
The general user groups (exist in Group tab in the user master record)
The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc.. The general user group can be used in conjunction with SUIM and SU10, to select all the users in a specific group. User can only be member of one authorization user group but several general user group.
User Group –
![Page 35: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/35.jpg)
IBM Global Business Services
© 2007 IBM Corporation35 March-2007User Administration
User Group (SUGR):
![Page 36: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/36.jpg)
IBM Global Business Services
© 2007 IBM Corporation36 March-2007User Administration
User Group –
![Page 37: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/37.jpg)
IBM Global Business Services
© 2007 IBM Corporation37 March-2007User Administration
User Group –
![Page 38: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/38.jpg)
IBM Global Business Services
© 2007 IBM Corporation38 March-2007User Administration
User Group –
![Page 39: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/39.jpg)
IBM Global Business Services
© 2007 IBM Corporation39 March-2007User Administration
USER GROUPS for authorization Check are used for access control to transactions and tables based on user group assignment for a particular user and to which respective group he/she belongs and the tables and transactions and reports that group has access.
Groups tab on SU01 Transaction is used for logical grouping of users based on similar functionalities and for mass operations of same type for multiple users.
User Group –
![Page 40: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/40.jpg)
IBM Global Business Services
© 2007 IBM Corporation40 March-2007User Administration
Questions ?
![Page 41: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/41.jpg)
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
Mass Change for users
![Page 42: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/42.jpg)
IBM Global Business Services
© 2007 IBM Corporation42 March-2007User Administration
Objectives
The participants will be able to: Use SU10 as a mass user maintenance tool
Display the log once the mass changes are done.
![Page 43: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/43.jpg)
IBM Global Business Services
© 2007 IBM Corporation43 March-2007User Administration
Mass Changes (Su10)
Defaults
Logon data
Passwords
ParametersProfiles
Roles
Mass changes:
![Page 44: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/44.jpg)
IBM Global Business Services
© 2007 IBM Corporation44 March-2007User Administration
Authorization DataAddress Data
Mass Changes (SU10):
![Page 45: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/45.jpg)
IBM Global Business Services
© 2007 IBM Corporation45 March-2007User Administration
Mass Changes (SU10):
Please check the change check box – other wise changes will not take place
![Page 46: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/46.jpg)
IBM Global Business Services
© 2007 IBM Corporation46 March-2007User Administration
Mass Changes Log:
![Page 47: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/47.jpg)
IBM Global Business Services
© 2007 IBM Corporation47 March-2007User Administration
Questions?
![Page 48: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/48.jpg)
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
Authorization objects S_USER_GRP…………..
![Page 49: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/49.jpg)
IBM Global Business Services
© 2007 IBM Corporation49 March-2007User Administration
Objectives
The participants will be able to:
Understand the importance of different authorization objects related to user administration
Divide the administrative power among various roles to be used by administrator.
![Page 50: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/50.jpg)
IBM Global Business Services
© 2007 IBM Corporation50 March-2007User Administration
Authorization objects for Maintaining User master record:
S_USER_GRP - User Master Maintenance: User Groups
S_USER_PRO - User Master Maintenance: Authorization Profile
S_USER_AUTH - User Master Maintenance: Authorizations
S_USER_AGR - Authorizations: Role Check
S_USER_TCD - Authorizations: Transactions in Roles
S_USER_VAL - Authorizations: Field Values in Roles
![Page 51: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/51.jpg)
IBM Global Business Services
© 2007 IBM Corporation51 March-2007User Administration
S_USER_GRP Auth. Object
CLASS
ACTVT
Field
Field
01: Create02: Change03: Display05: Lock, unlock06: Delete08: Display change documents22: Add users to activity groups24: Archive78: Assign68: Model users and assign to systems or activity groups in user management. The models are used later as templates for the actual assignments.
Authorization objects for Maintaining User master record:
![Page 52: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/52.jpg)
IBM Global Business Services
© 2007 IBM Corporation52 March-2007User Administration
S_USER_PRO Auth. Object
Profile
ACTVT
Field
Field
01: Create02: Change03: Display06: Delete07: Activate08: Display change documents22: Assign profile to users / remove assignment24: Archive
Authorization objects for Maintaining User master record:
![Page 53: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/53.jpg)
IBM Global Business Services
© 2007 IBM Corporation53 March-2007User Administration
S_USER_AUTH Auth. Object
Authorization object
Activity
Field
Field
01 = create02 = change03 = display06 = delete07 = activate08 = display change documents22 = assign authorization profiles24 = archive
Authorization name
Field
Authorization objects for Maintaining User master record:
![Page 54: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/54.jpg)
IBM Global Business Services
© 2007 IBM Corporation54 March-2007User Administration
S_USER_AGR Auth. Object
ACT_GOUP
Activity
Field
Field
Authorization objects for Maintaining User master record:
![Page 55: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/55.jpg)
IBM Global Business Services
© 2007 IBM Corporation55 March-2007User Administration
01 Create roles02 Change roles03 Display roles06 Delete roles22 Compare role user master recordsThe profiles generated in the Profile Generator are transferred into the user master record for the relevant role users. 36 This activity is not yet used. It is planned for use for additional objects that can be maintained from the roles.21 Transport role59 Distribute roles to another system using RFC64 Generate authorization profiles from the role68 Modeling: Assigning roles to systems or users in user management using models. The actual assignments can be derived from these models later.78 Assignment of roles to systems or user groups in the central system when using Central User Administration.79 Assignment of individual roles to composite roles.DL Download Save roles to a fileUL Upload Upload roles from a file
Authorization objects for Maintaining User master record:
![Page 56: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/56.jpg)
IBM Global Business Services
© 2007 IBM Corporation56 March-2007User Administration
S_USER_VAL Auth. Object
OBJECT
AUTH_VALUE
Field
FieldAUTH_FIELD
Field
S_USER_TCD Auth. Object
TCD Field
T-Code
Authorization objects for Maintaining User master record:
![Page 57: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/57.jpg)
IBM Global Business Services
© 2007 IBM Corporation57 March-2007User Administration
Authorization Objects for User Administration:
S_USER_GRP
ACTVT
CLASS
S_USER_SYS
ACTVT
SUBSYSTEM
![Page 58: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/58.jpg)
IBM Global Business Services
© 2007 IBM Corporation58 March-2007User Administration
Authorization Objects for Role Administration:
S_USER_AGR
ACTVT
ACT_GROUP
S_USER_TCD
TCD
S_USER_VAL
OBJECT
AUTH_FIELD
AUTH_VALUE
![Page 59: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/59.jpg)
IBM Global Business Services
© 2007 IBM Corporation59 March-2007User Administration
S_USER_PRO
ACTVT
PROFILE
Authorization Object for Profiles & Authorizations Administration:
S_USER_AUT
OBJECT
OBJECT
ACTVT
![Page 60: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/60.jpg)
IBM Global Business Services
© 2007 IBM Corporation60 March-2007User Administration
Questions?
![Page 61: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/61.jpg)
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
User Buffer introduction
![Page 62: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/62.jpg)
IBM Global Business Services
© 2007 IBM Corporation62 March-2007User Administration
Objectives
The participants will be able to:
Realize the concept of User Buffer.
To view the user buffer.
![Page 63: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/63.jpg)
IBM Global Business Services
© 2007 IBM Corporation63 March-2007User Administration
User Buffer:
When a user logon to the SAP, the authorizations present in his/her user master record are copied in memory area called User Buffer. Each user has his or her own user buffer.
When the users try to perform activities in the SAP environment, authorizations are checked in the user buffer. If the required authorization is in the user buffer, he/she will perform the activity successfully otherwise system will show the pop up “You are not authorized”
![Page 64: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/64.jpg)
IBM Global Business Services
© 2007 IBM Corporation64 March-2007User Administration
A user would fail an authorization check if:
The authorization object does not exist in the user buffer.
The values checked by the application are not assigned to the authorization object in the user buffer
The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be controlled using the system profile parameter auth/number_in_userbuffer.
User Buffer:
![Page 65: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/65.jpg)
IBM Global Business Services
© 2007 IBM Corporation65 March-2007User Administration
User can display his/her own user buffer using the transaction SU56
User Buffer:
![Page 66: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/66.jpg)
IBM Global Business Services
© 2007 IBM Corporation66 March-2007User Administration
Authorization update in the User Buffer:
Any change in authorizations in the user master record should be updated in the user buffer. This update can happen two ways
User has to logoff and re-login to get the effect of authorizations change.
The parameter auth/new_buffering set to be 4. So that authorization changes take place immediately and no need to logoff from the system.
![Page 67: SAP Security - Day 2 1st Half_Radha Krishna](https://reader035.vdocuments.site/reader035/viewer/2022062323/55cf8589550346484b8f1f2a/html5/thumbnails/67.jpg)
IBM Global Business Services
© 2007 IBM Corporation67 March-2007User Administration
Questions ?