How to Properly Maintain Security using Profile Generator
Objective
• SAP Security Overview
• Profile Generator Best Practice
• Summary
SAP Security Overview
User (USER ID, e.g. TTSAN) is assigned:
• Security Role 1
• Security Role 2
• Security Role 3
SAP Security Overview
Security Role (e.g. Security Administrator) consists of:
• Profile 1
• Profile 2
• Profile 3
SAP Security Overview
Profile (contains up to 150 authorizations):
• Authorization 1
• Authorization 2
• …
• Authorization 150
SAP Security Overview
Authorization Object 1, e.g. S_TCODE
• Field TCD, value SU01
SAP Security Overview
Authorization Object 2, e.g. S_USR_GRP
• Field ACTV, values 01, 02, 03, 06
• Field CLASS, value customer-defined
SAP Security Overview
Authorization Object 2, e.g. S_USR_GRP
• Field ACTV, values 01, 02, 06
• Field CLASS, value HOUSTON
SAP Security Overview
Authorization Object 2, e.g. S_USR_GRP
• Field ACTV, value 03
• Field CLASS, value *
SAP Security Overview
Execute “SU01” – Change User
AUTHORITY-CHECK “Authorization1”
• Object 1 = “S_TCODE”
• TCD = “SU01”
SAP Security Overview
Execute “SU01” – Change User
AUTHORITY-CHECK “Authorization2”
• Object 2 = “S_USR_GRP”
• ACTV = “02”
• CLASS = “HOUSTON”
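The SU01 scenario above, worked through as an added example that is not part of the original deck: a small Python model of how an AUTHORITY-CHECK is evaluated against the authorizations shown on the slides. Object and field names (S_TCODE/TCD, S_USR_GRP/ACTV/CLASS) and the values come from the slides; the PROFILE list itself is constructed.

```python
# Added example, not from the slides: a model of how an SAP AUTHORITY-CHECK is
# evaluated against the authorizations in a user's profiles. Two rules are
# modelled: every field of the checked object must match inside ONE
# authorization (AND within an authorization), and any authorization for that
# object may satisfy the check (OR across authorizations). "*" matches any value.

# One authorization = (object, {field: set of allowed values}).
# Constructed profile mirroring the slides' Authorization 1..4.
PROFILE = [
    ("S_TCODE",   {"TCD": {"SU01"}}),
    # CLASS is a customer-defined value that was never maintained: the "open
    # field" from the slides. An empty value set can never match anything.
    ("S_USR_GRP", {"ACTV": {"01", "02", "03", "06"}, "CLASS": set()}),
    ("S_USR_GRP", {"ACTV": {"01", "02", "06"}, "CLASS": {"HOUSTON"}}),
    ("S_USR_GRP", {"ACTV": {"03"}, "CLASS": {"*"}}),
]


def field_matches(allowed, value):
    """True if `value` is covered by a maintained value: full '*', a trailing-'*'
    pattern (as SAP authorization fields allow), or an exact match."""
    for a in allowed:
        if a == "*" or a == value:
            return True
        if a.endswith("*") and value.startswith(a[:-1]):
            return True
    return False


def authority_check(profile, obj, **fields):
    """Return True if some single authorization for `obj` satisfies every requested field."""
    for auth_obj, auth_fields in profile:
        if auth_obj != obj:
            continue
        if all(field_matches(auth_fields.get(f, set()), v) for f, v in fields.items()):
            return True
    return False


def can_change_user(profile, user_group):
    """Slide scenario "Execute SU01 - Change User": first the S_TCODE check for
    SU01, then S_USR_GRP with ACTV=02 for the user group of the user being changed."""
    return (authority_check(profile, "S_TCODE", TCD="SU01")
            and authority_check(profile, "S_USR_GRP", ACTV="02", CLASS=user_group))
```

Changing a user in group DALLAS fails even though one authorization carries CLASS = * and another carries ACTV = 02: the fields are only combined within one authorization, never across two.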
Profile Generator
• Transaction
• Change authorization data
• Expert mode for profile generation:
  – Delete and recreate profile and authorizations
  – Edit old status
  – Read old status and merge with new data
SAP Security Overview
Missing organization value: the field still shows the placeholder $BUKRS instead of a company code.
Profile Generator
Organizational Level: the org. level dialog is where $BUKRS is given its value.
Profile Generator
Missing customer-defined value: a field left open, with no value maintained.
Profile Generator
No open field: every field has a value before the profile is generated.
Profile Generator
Authorization Status
• STANDARD – SAP standard value
• MAINTAIN – customer-maintained value
• CHANGED – SAP standard value changed by the customer
• MANUALLY – manually inserted value
Profile Generator
Removing Authorization Value
• S_USR_GRP ACTV: 01, 02, 03, 05, 06, 08, 24
• After a value is removed, the authorization's status becomes Changed.
Profile Generator
New Authorization
Common Security Issue
Profile Generator
Best Practice
• Make a copy of the authorization.
• Inactivate the original.
• Make changes to the copy.
Profile Generator
Best Practice
• A Changed authorization without an inactivated Standard authorization is the anti-pattern to avoid.
• Double-click the authorization description to add a comment.
Profile Generator
M_MATE_MAT (01, 02)
Does making changes to a copied authorization apply to every situation?
Profile Generator
Where-Used icon
Profile Generator
Where-used: MM01 = 01
Profile Generator
Adding Authorization Value
What if you want to add value 03?
Profile Generator
SU53 Errors
What if SU53 indicates that MM01 requires an Activity of 24?
Profile Generator
Static Value vs. Dynamic Value
• Static Value – a value that a transaction requires no matter who executes it.
• Dynamic Value – a customer-defined value such as company code.
Profile Generator
Does MM01 always require an Activity of 01? That is a Static Value.
Profile Generator
The Company Code value may vary from user to user depending on business restrictions. That is a Dynamic Value.
Profile Generator
Static Value vs. Dynamic Value
• Static Value – add to USOBT using transaction SU24.
• Dynamic Value – add directly to the authorization or to the Org. Data.
Profile Generator
Reorganize & Generate
• Authorization counter = 1
• Reorganize
• Authorization counter = 0
USOBT – SU24 Overview
Profile Generator
Summary of Rules and Restrictions
1. NEVER modify S_TCODE unless the role is built manually.
2. Modifying standard delivered authorizations:
   a. Only modify when there is a request to REMOVE an authorization, and if and only if no other transaction is linked to that value. Otherwise, removing the transaction from the role removes the value.
   b. Always make a copy of the authorization and make the changes there.
   c. Inactivate the original authorization.
   d. Modify the copied authorization; its status becomes Changed.
   e. Double-click the description of the authorization to document the reason. The same applies to manually inserted authorizations.
3. If a Changed authorization exists without an inactivated Standard authorization, delete the Changed authorization.
4. SU53 entries that are bogus most of the time:
   a. S_ADMI_FCD (SM02).
   b. S_CTS_ADMI.
   c. S_LAYO_ALV (023).
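Rules 1, 2e and 3 of the summary above can be checked mechanically before a role is generated. The following checker is an added example, not part of the original deck: the Auth record, the `check_role` function and the sample role are constructed for the illustration, and the statuses use the slide labels STANDARD, MAINTAIN, CHANGED and MANUALLY.

```python
# Added example, not from the slides: applies the deck's "Summary of Rules and
# Restrictions" (rules 1, 2e and 3) to a role's authorization list.
from dataclasses import dataclass


@dataclass
class Auth:
    obj: str            # authorization object, e.g. M_MATE_MAT
    status: str         # STANDARD / MAINTAIN / CHANGED / MANUALLY
    active: bool        # False = inactivated in Profile Generator
    comment: str = ""   # text added by double-clicking the description


def check_role(auths, built_manually=False):
    """Return (object, problem) findings; an empty list means the role follows the rules."""
    findings = []
    # Objects for which an inactivated STANDARD original exists (rule 2c).
    inactive_standard = {a.obj for a in auths if a.status == "STANDARD" and not a.active}
    for a in auths:
        if not a.active:
            continue
        # Rule 1: S_TCODE is filled from the role menu; never edit it in a generated role.
        if a.obj == "S_TCODE" and a.status in ("CHANGED", "MANUALLY") and not built_manually:
            findings.append((a.obj, "S_TCODE modified in a generated role"))
        # Rule 3: a CHANGED copy must sit beside an inactivated STANDARD original.
        if a.status == "CHANGED" and a.obj not in inactive_standard:
            findings.append((a.obj, "CHANGED without inactivated STANDARD original: delete it"))
        # Rule 2e: changed and manually inserted authorizations must document why.
        if a.status in ("CHANGED", "MANUALLY") and not a.comment.strip():
            findings.append((a.obj, "no comment documenting the change"))
    return findings


# Constructed sample: M_MATE_MAT copied and reduced to activities 01/02 as on the slides.
SAMPLE_ROLE = [
    Auth("S_TCODE", "STANDARD", True),
    Auth("M_MATE_MAT", "STANDARD", False),                              # original, inactivated
    Auth("M_MATE_MAT", "CHANGED", True, "Removed 03: no delete needed"),  # documented copy
    Auth("S_USR_GRP", "CHANGED", True, "Removed 05"),                   # no inactivated original
    Auth("S_LAYO_ALV", "MANUALLY", True),                               # inserted, no comment
]
```

Running `check_role(SAMPLE_ROLE)` reports the S_USR_GRP copy (rule 3) and the undocumented S_LAYO_ALV insert (rule 2e); the M_MATE_MAT pair passes.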
Questions?
Profile Generator
Contact Information
Thomas Tsan, SAP Security Architect, TK Consultants, Inc.
Email: [email protected]
Phone: (281) 412-6800
Thank you for attending! Please remember to complete and return your evaluation form following this session.
Session Code: [801]