ISBN: | 978-3-9451-7087-8 (ePUB) |
Editor: | Lisa Jackson |
Cover Design: | Philip Esch, Martin Munzel |
Cover Photo: | Fotolia #51570006 larshallstrom |
Interior Design: | Johann-Christian Hanke |
All rights reserved
1st Edition 2016, Gleichen
2016 Espresso Tutorials GmbH
URL: www.espresso-tutorials.com
All rights reserved. Neither this publication nor any part of it may be copied or reproduced in any form or by any means or translated into another language without the prior consent of Espresso Tutorials GmbH, Zum Gelenberg 11, 37130 Gleichen, Germany
Espresso Tutorials makes no warranties or representations with respect to the content hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Espresso Tutorials assumes no responsibility for any errors that may appear in this publication.
Feedback:
We greatly appreciate any kind of feedback you have concerning this book. Please mail us at .
Thank you for purchasing this book from Espresso Tutorials!
Like a cup of espresso coffee, Espresso Tutorials SAP books are concise and effective. We know that your time is valuable and we deliver information in a succinct and straightforward manner. It only takes our readers a short amount of time to consume SAP concepts. Our books are well recognized in the industry for leveraging tutorial-style instruction and videos to show you step by step how to successfully work with SAP.
Check out our YouTube channel to watch our videos at https://www.youtube.com/user/EspressoTutorials.
If you are interested in SAP Finance and Controlling, join us at http://www.fico-forum.com/forum2/ to get your SAP questions answered and contribute to discussions.
Related titles from Espresso Tutorials:
- Boris Rubarth: First Steps in ABAP, http://5015.espresso-tutorials.com
- Sydnie McConnell, Martin Munzel: First Steps in SAP, 2nd edition, http://5045.espresso-tutorials.com
- Antje Kunz: SAP Legacy System Migration Workbench (LSMW), http://5051.espresso-tutorials.com
- Darren Hague: Universal Worklist with SAP NetWeaver Portal, http://5076.espresso-tutorials.com
- Micha Krawczyk: SAP SOA Integration: Enterprise Service Monitoring, http://5077.espresso-tutorials.com
- Ann Cacciottolli: First Steps in SAP Financial Accounting (FI), http://5095.espresso-tutorials.com
- Kathi Kones: SAP List Viewer (ALV): A Practical Guide for ABAP Developers, http://5112.espresso-tutorials.com
- Jelena Perfiljeva: What on Earth is an SAP IDoc?, http://5130.espresso-tutorials.com
For Alex and Tamara, whose enthusiasm is contagious, and for Merkel, who also caught the bug.
Preface: Introduction to the SAP Security and Authorization Concept
SAP has a wide range of built-in functionality to meet various security requirements, including network protection, data protection, and SAP authorizations. This book focuses on the application of SAP authorizations and on how user access can be limited by transaction code, organizational level, field value, and so on. The SAP authorization concept is designed so that the system must explicitly state what each user is allowed to do: nothing is permitted unless an authorization grants it. Access is granted by assigning roles to users; each role generates a profile, and the profile contains the authorizations.
The basic architecture of SAP Security and Authorizations has six tiers:
- User Master Record: The account that enables a user to access the SAP system; primarily used for user administration purposes.
- Role: A compilation of transactions and permissions that is assigned to one or more user master records; usually reflects what is common to a job role or job task.
- Profile: Generated when a role is generated, and added to the corresponding user master record when the role is assigned.
- Authorization Object Class: A logical grouping of authorization objects by business area.
- Authorization Object: A group of up to ten authorization fields; it is the unit that AUTHORITY-CHECK statements in the SAP code test against, and the values that configure it are maintained per object.
- Authorization Field: The least granular element; the values maintained here are what actually secure data and information.
Authorizations can be used to limit access to items such as billing and vendor information, personnel and payroll information, key financial data, and critical system areas such as Basis, configuration, development, and security. Users obtain their authorizations by being assigned to roles; without the proper role assignment a user can neither start a transaction nor complete it. In order to perform an action, a user may need several authorizations at once. For example, to create a sales order the user needs access to the transaction, the create activity, the general authorization for the sales organization, and the authorization for the specific sales document type. The relationships required to meet user access requirements can therefore become very complex.
The SAP authorization concept is built on authorization objects. Each authorization object is comprised of multiple authorization fields. A user's permissions always refer to authorization objects, and can contain a single value or a range of values for each field. Both report and dialog transactions in SAP have predefined authorization checks embedded in the program logic, which protect the functions and information within them.
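The sales-order example above can be made concrete by looking at what the embedded checks actually test. The following ABAP report is an added example for this book, not code from SAP or from the original text: it runs the same kind of AUTHORITY-CHECK statements that the standard create-sales-order transaction runs, against the standard SD authorization objects V_VBAK_VKO (sales area) and V_VBAK_AAT (sales document type). The report name, the selection-screen parameters and their default values (sales organization 1000, channel 10, division 00, document type OR) are assumptions chosen for illustration; activity 01 is the standard ACTVT value for "create".

```abap
*&---------------------------------------------------------------------*
*& Z_AUTH_CHECK_DEMO: added illustrative report (not SAP standard code).
*& Shows the three separate authorizations a user needs to create a
*& sales order: the transaction itself, the sales area, and the
*& sales document type. Parameter defaults are assumed sample values.
*&---------------------------------------------------------------------*
REPORT z_auth_check_demo.

PARAMETERS: p_vkorg TYPE vkorg DEFAULT '1000',  " sales organization (assumed)
            p_vtweg TYPE vtweg DEFAULT '10',    " distribution channel (assumed)
            p_spart TYPE spart DEFAULT '00',    " division (assumed)
            p_auart TYPE auart DEFAULT 'OR'.    " sales document type (assumed)

START-OF-SELECTION.

  " 1. Transaction start. The kernel checks S_TCODE when VA01 is called;
  "    a program can repeat the check explicitly, as done here.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD 'VA01'.
  IF sy-subrc <> 0.
    " sy-subrc 4 means the user has no matching authorization.
    MESSAGE 'No authorization to start transaction VA01' TYPE 'E'.
  ENDIF.

  " 2. Organizational level: the user must hold V_VBAK_VKO for this
  "    sales area with activity 01 (create). A role that grants only
  "    VKORG 1000 will fail here for any other sales organization.
  AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
    ID 'VKORG' FIELD p_vkorg
    ID 'VTWEG' FIELD p_vtweg
    ID 'SPART' FIELD p_spart
    ID 'ACTVT' FIELD '01'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to create orders in this sales area' TYPE 'E'.
  ENDIF.

  " 3. Field value: the user must additionally hold V_VBAK_AAT for this
  "    document type. Passing the sales-area check alone is not enough.
  AUTHORITY-CHECK OBJECT 'V_VBAK_AAT'
    ID 'AUART' FIELD p_auart
    ID 'ACTVT' FIELD '01'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this sales document type' TYPE 'E'.
  ENDIF.

  " All three checks passed; a real transaction would now proceed.
  MESSAGE 'All authorizations needed to create the sales order are present' TYPE 'S'.
```

Each AUTHORITY-CHECK names one authorization object and supplies a value for every field that the check is to test; sy-subrc is 0 only when the user holds an authorization for that object whose field values (single values or ranges) cover every supplied value. Because the checks are independent, a user can pass the transaction check and the sales-area check and still be stopped by the document-type check, which is exactly the situation a failed authorization in transaction SU53 will show when a role has been built from shared, partially matching permissions.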
The basis of an organization's role design should always be the principle of least privilege, the SAP Security best practice of giving users exactly what they need to perform their job responsibilities and no more. Access creep works against this principle: users may retain unnecessary access after a job function change, or may receive unnecessary access when permissions or transactions are added to roles shared between users who have similar, but not identical, responsibilities. Ultimately, security is the gateway to the SAP system, but it can often be difficult to manage and understand. Information stored in SAP is a valued business asset, and SAP Security can aid an organization by increasing flexibility and customization at the user level while protecting critical information from unauthorized use.
This book covers SAP best practices for user and role maintenance and shows how to create an SAP Security design that is both low maintenance and scalable. You will learn how to use and interpret SAP authorizations and how to troubleshoot security and authorization issues. Lastly, you will discover some advanced topics surrounding SAP authorizations, including an overview of upgrading your SAP Security environment and of reducing avoidable segregation of duties conflicts.
We have added a few icons to highlight important information. These include:
Tips
Tips highlight information concerning more details about the subject being described and/or additional background information.
Examples