How to Properly Maintain Security using Profile Generator
Objective
• SAP Security Overview
• Profile Generator Best Practice
• Summary
SAP Security Overview User (USER ID, e.g. TTSAN): Security Role 1, Security Role 2, Security Role 3
SAP Security Overview Security Role (e.g. Security Administrator): Profile 1, Profile 2, Profile 3
SAP Security Overview Profile (contains up to 150 Authorizations): Authorization1, Authorization2, ..., Authorization150
SAP Security Overview Authorization Object 1, e.g. S_TCODE: Field (TCD) = Value (SU01)
SAP Security Overview Authorization Object 2, e.g. S_USR_GRP: Field (ACTV) = Value (01, 02, 03, 06); Field (CLASS) = Value (Customer Defined)
SAP Security Overview Authorization Object 2, e.g. S_USR_GRP: Field (ACTV) = Value (01, 02, 06); Field (CLASS) = Value (HOUSTON)
SAP Security Overview Authorization Object 2, e.g. S_USR_GRP: Field (ACTV) = Value (03); Field (CLASS) = Value (*)
SAP Security Overview Execute “SU01” – Change User: AUTHORITY-CHECK “Authorization1”: Object 1 = “S_TCODE”, TCD = “SU01”
SAP Security Overview Execute “SU01” – Change User: AUTHORITY-CHECK “Authorization2”: Object 2 = “S_USR_GRP”, ACTV = “02”, CLASS = “HOUSTON”
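The check sequence on the slides above can be modelled in a few lines. This is an added example, not code from the presentation or from SAP: the function names are hypothetical, the field names follow the slides (TCD, ACTV, CLASS), and the user group DALLAS is a constructed value. It shows that a check passes only when a single authorization satisfies every requested field, so the two S_USR_GRP authorizations never combine into "change users in any group".

```python
# Added illustration (not SAP code): a minimal model of how an authority check
# is evaluated against the authorizations held by one user.

# Constructed sample: authorizations using the values shown on the slides.
USER_AUTHS = [
    ("S_TCODE",   {"TCD": {"SU01"}}),
    ("S_USR_GRP", {"ACTV": {"01", "02", "06"}, "CLASS": {"HOUSTON"}}),
    ("S_USR_GRP", {"ACTV": {"03"}, "CLASS": {"*"}}),
]

def field_allows(allowed, requested):
    """A field passes on an exact match or on the full wildcard '*'."""
    return "*" in allowed or requested in allowed

def authority_check(auths, obj, **requested):
    """True if ONE authorization for obj satisfies ALL requested fields.

    Field values are never combined across separate authorizations.
    """
    for auth_obj, fields in auths:
        if auth_obj != obj:
            continue
        if all(field_allows(fields.get(name, set()), value)
               for name, value in requested.items()):
            return True
    return False

def can_run_su01(auths, activity, user_group):
    """Model of the two checks on the slides: S_TCODE first, then S_USR_GRP."""
    if not authority_check(auths, "S_TCODE", TCD="SU01"):
        return False
    return authority_check(auths, "S_USR_GRP", ACTV=activity, CLASS=user_group)

if __name__ == "__main__":
    # 02 = change, 03 = display; DALLAS is a constructed user group.
    for activity, group in [("02", "HOUSTON"), ("03", "DALLAS"), ("02", "DALLAS")]:
        print(activity, group, can_run_su01(USER_AUTHS, activity, group))
```

When reviewing a role, evaluate each authorization of an object on its own rather than reading the union of all values per field.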
Profile Generator Transaction
Profile Generator Change authorization data
Profile Generator Expert mode for profile generation
Profile Generator Delete and recreate profile and authorizations
Profile Generator Edit old status
Profile Generator Read old status and merge with new data
SAP Security Overview $BUKRS Missing Organization Value
Profile Generator Organizational Level
Profile Generator Missing Customer-Defined Value
Profile Generator No open field
Profile Generator Authorization Status
Profile Generator Authorization Status
• STANDARD - SAP Standard Value
• MAINTAIN - Customer Maintained Value
• CHANGED - SAP Standard Value maintained by Customer
• MANUALLY - Manually inserted Value
Profile Generator Removing Authorization Value S_USR_GRP 01, 02, 03, 05, 06, 08, 24
Profile Generator Removing Authorization Value Status = Changed
Profile Generator Common Security Issue New Authorization
Profile Generator Best Practice Make Copy, Inactivate Original
Profile Generator Best Practice Make changes to copy
Profile Generator Best Practice Changed Authorization without Inactivated Standard
Profile Generator Best Practice Double-click to add comment
Profile Generator Does making changes to a copied authorization apply to all situations? M_MATE_MAT (01, 02)
Profile Generator Where-Used Icon
Profile Generator Where-used MM01 = 01
Profile Generator Adding Authorization Value What if you want to add value 03?
Profile Generator SU53 Errors What if SU53 indicates that MM01 requires an Activity of 24?
Profile Generator Static Value vs. Dynamic Value
• Static Value – a value that is required by a transaction no matter who executes it.
• Dynamic Value – a customer-defined value such as company code.
Profile Generator Static Value MM01 always requires an Activity of 01?
Profile Generator Dynamic Value The Company Code value may vary from user to user depending on business restrictions.
Profile Generator Static Value vs. Dynamic Value
• Static Value – add to USOBT using transaction SU24.
• Dynamic Value – add directly to the Authorization or Org. Data.
Profile Generator Reorganize & Generate Authorization counter = 1
Profile Generator Reorganize & Generate Reorganize
Profile Generator Reorganize & Generate Authorization counter = 0
USOBT – SU24 Overview
Profile Generator Summary of Rules and Restrictions
• NEVER modify S_TCODE unless the Role is built manually.
• Modify Standard delivered authorization:
  • Only modify when there’s a request to REMOVE authorization and IF AND ONLY IF no other transaction is linked to that value. Otherwise, removing the transaction will remove the value.
Profile Generator Summary of Rules and Restrictions
• Modify Standard delivered authorization (CONT’D):
  • Always make a copy of the authorization and make changes to the copy.
  • Inactivate the original authorization.
  • Modify the copied authorization; its status becomes Changed.
  • Double-click on the description of the authorization to document the reason. The same applies to manually inserted authorizations.
Profile Generator Summary of Rules and Restrictions
• If a Changed authorization exists without an inactivated Standard authorization, delete the Changed authorization.
• Bogus SU53 check most of the time:
  • S_ADMI_FCD (SM02).
  • S_CTS_ADMI.
  • S_LAYO_ALV (023).
Profile Generator Question?
Profile Generator Contact Information Thomas Tsan SAP Security Architect TK Consultants, Inc. Email: ttsan@tkconsultants.com Phone: (281) 412-6800
Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code:[801]