Excerpt from new release Beginner`s Guide to SAP Security and Authorizations.
Introduction to SAP Security and Authorizations concept
SAP has a wide range of built-in functionality to meet various security requirements, including network protection, data protection, and SAP authorizations. This book will focus on the application of SAP authorizations and how user access can be limited by transaction codes, organizational levels, field values, etc. SAP Security and Authorizations is designed so that the system must explicitly indicate what each user can do. This is done by assigning authorization roles, which are groupings of
profiles comprised of authorizations.
The basic architecture of SAP Security and Authorizations is a 6-tiered
1. User Master Record: Accounts for users to enable access to the SAP system; primarily used for user administration purposes.
2. Role: Compilation of transactions and permissions that are assigned to one or more user master records; usually includes commonality amongst a job role or job task.
3. Profile: Assigned when a role is generated and added to its corresponding user master record.
4. Authorization Object Class: Logical grouping of authorization objects by business area.
5. Authorization Object: Groupings of 1-10 authorization fields; configuration is performed against authority check statements written in the SAP code.
6. Authorization Field: Least-granular element in which values can be maintained to secure data and information.
Authorizations can be useful in limiting access to items such as: billing and vendor information, personnel and payroll information, key financial data, and critical system areas such as basis, configuration, development, and security. Users obtain their authorizations by being assigned to roles and users cannot start a transaction or complete a transaction without the proper authorization role assignment. In order to perform an action, a user may need several authorizations. For example, in order to create a sales order, the user will need access to the transaction, the “create” authorization, general authorization for the sales org, and the authorization for the specific sales document type. Therefore, the relationships required in order to meet user access requirements can become very complex.
The SAP authorization concept was created on the basis of authorization objects. Each authorization object is comprised of multiple authorization fields. A user’s permissions always refer to authorization objects, which can contain a single value or a range of values for each field. Both report and dialog transactions in SAP have predefined “authorization checks” embedded in the program logic which protects the functions and information within them.
The basis of an organization’s role design should always be the rule of least privilege, which is the SAP Security best practice of giving users exactly what they need to perform their job responsibilities, not much more, and not much less. Access creep is the adversary of this privilege as users may retain unnecessary access after a job function change or may receive unnecessary access as a result of the application of permissions or transactions to roles which are shared between users who have similar, but not identical, responsibilities. Ultimately, security is the gateway
to the SAP system, but it can often be difficult to manage and understand. Information stored in SAP is a valued business asset, and SAP Security can aid an organization by increasing flexibility and customization at the user level and protecting critical information from unauthorized use.
This book includes SAP best practices for user and role maintenance and how to create an SAP Security design that is both low maintenance and scalable. You will learn how to use and interpret SAP authorizations and troubleshoot security and authorization issues. Lastly, you will discover some advanced topics surrounding SAP authorizations, including an overview on upgrading your SAP Security environment and reducing avoidable segregation of duties conflicts.
SAP has a wide range of built-in functionality to meet various security requirements, including network protection, data protection, and SAP authorizations. This book will focus on the application of SAP authorizations and how user access can be limited by transaction codes, organizational levels, field values, etc. Explore the basic architecture of SAP Security and Authorizations, including user master records, roles, profiles, authorization object classes, authorization objects, and authorization fields. Dive into how to create user profiles and assign roles. Get tips on leveraging the profile generator transaction, PFCG. Obtain valuable tools and tables for identifying user master records and role and authorization information. By using practical examples, tips, and screenshots, the author brings readers new to SAP Security and Authorizations up to speed.
– Basic architecture of SAP Security and Authorizations
– GRC Access Control introduction
– User profile creation and role assignments
– Common security and authorization pain point troubleshooting
Author Tracy Juran (Levine), CPIM, is a Managing Consultant at IBM as part of the Security Services Risk and Compliance practice. She has extensive experience in SAP Security and Authorizations; SAP Governance, Risk, and Compliance (GRC); and core cross-functional business processes. Tracy is a die-hard Ohio State Buckeyes fan and loves to plan parties with friends and travel the world; her favorite destinations include Thailand, Peru, and Israel. She resides in Cincinnati, Ohio with her husband, Josh, their dog, Markley, and cat, Misha. For more information please visit Tracy-Levine.com.Excerpt from new release: Beginner`s Guide to SAP Security and Authorizations