APM Detailed Technical Overview
APM Contents • APM – PFCG Overview • APM – Role Management • Authorization Trace • Role Maintenance/Derived Roles • Mass Changes • APM – Risk Management • Risk and Process Definition • Pro-active Risk and Process Analysis • Risk and Process Analysis Reports
APM Contents • APM – Basis • Configuration • Special User Monitor • Batch-Job Monitor • APM – References • Online Tutorial • Support Forum • Contact Information
APM Overview • Created by a team of experienced consultants, with client input, to provide an effective and efficient way to manage authorizations. • The process-oriented approach creates the minimum authorizations necessary to perform a business process. • Role management features reduce administration costs. • Risk management features provide a clear view of Segregation of Duties.
APM - Role Management • Authorization Trace • Defined from the SAP point of view in cooperation with the user departments. • No need to learn how the SAP system trace is handled. • Easily troubleshoot and resolve authorization issues. • The logged authorizations represent the minimum specifications. • Retrieve to workspace for role generation or add to an existing role.
APM - Role Management • Authorization Trace • When entering a trace for multiple users, note that the trace can only be activated and deactivated for all users together. • APM user traces must be deactivated and deleted via APM. • APM users must always log in to the defined application server.
APM - Role Management • Authorization Trace • Not observing these rules may lead to the following problems: • You can no longer start or end a user trace via APM. This may happen when an APM user trace has been stopped via SAP-Standard. In this case, it is absolutely mandatory to terminate the trace via SAP-Standard (Transaction ST01). Only then are all functions available again. • You cannot import or delete a user trace, and you get the message that this user trace no longer exists at operating system level. This may happen when an APM user trace has been deleted via SAP-Standard instead of via APM. In this case, use the menu item Utilities – Reconciliation of tables.
APM - Role Management • List Functions • The authorization list is the working platform of APM, where authorizations and authorization objects can be entered, deleted, or changed. • When saving a list, no change documents are created. • Inactive authorizations are no longer necessary. • Compress List (Merger) does not create new authorizations. • Mass authorization change. • Undo and redo.
APM - Role Management • PFCG - Inactive Authorization Remove value “01, 06, 24”
APM - Role Management • PFCG - Inactive Authorization New authorization is inserted
APM - Role Management • PFCG - Inactive Authorization Best practice is to create a copy, inactivate, and make changes to the copied authorization
APM - Role Management • PFCG - Inactive Authorization When the standard transaction is deleted, the changed authorization remains
APM - Role Management • APM - Inactive Authorization APM will not insert a “New” authorization. Notice that there is no status within APM.
APM - Role Management • APM - Inactive Authorization APM will delete all “Standard and Changed” authorizations.
APM - Role Management • PFCG – Derived Role
APM - Role Management • APM – Derived Role
APM - Role Management • APM – Derived Role • Deviation Folder • All inherited field values from the master role can be modified. • Deviations can be field-related or object-related. • All deviation folders can be used for the automatic mass change. • Extension Folder • Add additional authorizations to the dependent role. • Always use “After Mass Change”.
APM - Role Management • Mass Authorization Change • Mass change multiple field values via the Deviation Folder. • Manually mass change a single field.
APM - Risk Management • Risk Analysis • A collection of critical authorization objects. • Pro-actively identify Risks during Role maintenance. • Exclusion objects are inactive in the role. • Risk analysis discovers weaknesses and security gaps within the authorizations and enables direct elimination of these risks.
APM - Risk Management • Risk Analysis Document Risk Version
APM - Risk Management • Risk Analysis Very critical Critical Inactive
APM - Risk Management • Risk Analysis Risk can be defined as: • Object • Single occurrence
APM - Risk Management • Process Analysis • A collection of critical combinations of authorization objects. • Pro-actively identify Process Analysis during Role maintenance. • Unlimited business process chains per Version.
APM – Risk Management • Process Analysis Multiple Process Chains per Version
APM – Risk Management • Process Analysis Transaction combinations can be defined in sets
APM – Risk Management • Process Analysis Report Process to User or Role Report
APM – Risk Management • Process Analysis Report Report can be executed for User(s) or User Group
APM – Risk Management • Process Analysis Report Users to Process Chains
APM – Risk Management • Process Analysis Report Process Chains to Users
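
The process analysis described on the slides above, sketched as an added example that is not part of the original presentation and is not APM code. It assumes a process chain is a list of transaction sets and that a user conflicts with a chain when they hold at least one transaction from every set; the chain names and user assignments are constructed sample data, and the check works at transaction level only, not at authorization-object level.

```python
# Constructed sample data: chain names and user assignments are illustrative only.
# Assumption: a chain is a list of transaction sets; a user conflicts with the
# chain when they hold at least one transaction from EVERY set in it.
PROCESS_CHAINS = {
    "VENDOR_PAYMENT": [{"FK01", "XK01"}, {"F-53", "F110"}],
    "PO_GOODS_RECEIPT": [{"ME21N"}, {"MIGO"}],
}

USER_TCODES = {
    "ASMITH": {"FK01", "F-53", "ME23N"},
    "BJONES": {"ME21N", "MIGO", "XK01"},
    "CLEE": {"F110", "ME21N"},
}


def chain_hits(tcodes, chain):
    """Return the user's matching transactions per set, or None if a set is unmatched."""
    hits = [sorted(step & tcodes) for step in chain]
    return hits if all(hits) else None


def users_to_chains(user_tcodes, chains):
    """'Users to Process Chains' view: for each user, the chains they complete."""
    report = {}
    for user, tcodes in sorted(user_tcodes.items()):
        found = {}
        for name, chain in chains.items():
            hits = chain_hits(tcodes, chain)
            if hits is not None:
                found[name] = hits  # evidence: which transactions caused the hit
        report[user] = found
    return report


def chains_to_users(report, chains):
    """'Process Chains to Users' view: invert the per-user report."""
    inverted = {name: [] for name in chains}  # keep chains with no conflicts visible
    for user, found in report.items():
        for name in found:
            inverted[name].append(user)
    return inverted


if __name__ == "__main__":
    per_user = users_to_chains(USER_TCODES, PROCESS_CHAINS)
    for user, found in per_user.items():
        print(user, found or "no process chain conflicts")
    print(chains_to_users(per_user, PROCESS_CHAINS))
```

Recording the matching transactions for each set gives the reviewer the evidence needed to decide which assignment to remove from the role or user.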
APM - Basis Configuration APM Trace setting
APM - Basis Configuration Expert mode Verify if Transaction is valid before generation
APM - Basis Configuration Always check Menu…-Delete and Create to prevent direct modification of S_TCODE Activate Role ownership
APM - Basis Configuration Set Proactive Risk or Process Authorization Analysis Sequence Analysis: Object then Single Occurrence
APM - Basis Configuration Always select “Confirm all automatically”
APM – Basis Configuration Standard APM functions for List, Deviation, and Mass Changes
APM - Basis • Special Users • Emergency or special users are defined for supervision. • 3-Level Security Concept • Every login of a safety-relevant special user causes a system log message to be written, and can be evaluated. • All activities of a safety-relevant special user are recorded on transaction- and/or program level, and can be evaluated. • All activities of safety-relevant special users are recorded within transactions or programs down to the used function, and can be evaluated.
APM - Basis • Batch-Job-Monitor • Automatic supervision of jobs in the SAP environment. • The monitoring is planned periodically, and the monitoring tools optionally send mails and/or express mails, or print error messages on the printer as soon as erroneous jobs are detected within a defined period of time (cycle). • This method optimizes error handling through timely reporting to the responsible person(s).
APM - Basis • Directory Viewer • SAP-Explorer – enables a direct administration of directories and files of the SAP-Server without having to go to the operating system. • In addition to the display, copy, and delete file functions, the SAP-Explorer also supports the Upload and Download of files.
APM – Next Steps Many new functionalities have been added… More will be implemented by Q4/05 and Q1/06. Please give us the opportunity to learn more about your requirements and show your basis/security team a brief online demonstration of APM’s powerful functionalities. Schedule a presentation at: 813-283-0070 or info@realtimenorthamerica.com