How to Properly Maintain Security using Profile Generator



Objective: SAP Security Overview, Profile Generator, Best Practice, Summary

SAP Security Overview: User ID, e.g. TTSAN. A user is assigned one or more security roles: Security Role 1, Security Role 2, Security Role 3.

SAP Security Overview: Security Role, e.g. Security Administrator, contains Profile 1, Profile 2, Profile 3.

SAP Security Overview: Profile (contains up to 150 authorizations): Authorization 1, Authorization 2, ..., Authorization 150.

SAP Security Overview: Authorization Object 1, e.g. S_TCODE. Field TCD, value SU01.

SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP. Field ACTVT, value (01 create, 02 change, 03 display, 06 delete); field CLASS, value (customer-defined user group).

SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP, first authorization. Field ACTVT, value (01, 02, 06); field CLASS, value (HOUSTON).

SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP, second authorization. Field ACTVT, value (03); field CLASS, value (*).

SAP Security Overview: Execute SU01 (Change User). AUTHORITY-CHECK "Authorization 1": Object 1 S_TCODE, TCD = SU01.

SAP Security Overview: Execute SU01 (Change User). AUTHORITY-CHECK "Authorization 2": Object 2 S_USR_GRP, ACTVT = 02, CLASS = HOUSTON. Both fields must be satisfied by the same authorization; the 03 / * authorization does not help here.
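The check walked through above, as an added example in Python (not SAP or ABAP code). It models the one rule that decides the HOUSTON / `*` case: an AUTHORITY-CHECK on an object passes only if a single authorization in the user's buffer satisfies every checked field at once; values are never combined across two authorizations. The buffer for TTSAN is constructed from the slide values; the helper names (`USER_BUFFER`, `authority_check`, `change_user`, `display_user`) and the simplified return codes modeled on sy-subrc are this example's own assumptions.

```python
"""Model of the SAP authorization check walked through on the slides.

Added example, not SAP code. Names and the return-code mapping are assumptions."""

from typing import Dict, List, Tuple

# One authorization = (object, {field: [allowed values]}). A user's buffer is the
# union of the authorizations of all profiles of all roles assigned to the user.
Authorization = Tuple[str, Dict[str, List[str]]]

# Constructed sample buffer for user TTSAN, taken from the slide values:
#   S_TCODE   TCD   = SU01
#   S_USR_GRP ACTVT = 01,02,06  CLASS = HOUSTON  (create/change/delete HOUSTON users)
#   S_USR_GRP ACTVT = 03        CLASS = *        (display users of any group)
USER_BUFFER: Dict[str, List[Authorization]] = {
    "TTSAN": [
        ("S_TCODE", {"TCD": ["SU01"]}),
        ("S_USR_GRP", {"ACTVT": ["01", "02", "06"], "CLASS": ["HOUSTON"]}),
        ("S_USR_GRP", {"ACTVT": ["03"], "CLASS": ["*"]}),
    ],
}

# Return codes modeled after sy-subrc of AUTHORITY-CHECK (assumption, simplified):
RC_OK = 0          # one authorization satisfied all checked fields
RC_NO_AUTH = 4     # authorizations for the object exist, but none fits all fields
RC_NO_OBJECT = 12  # the user has no authorization for this object at all


def value_matches(allowed: str, requested: str) -> bool:
    """Single-value match: '*' is a full wildcard, a trailing '*' is a prefix
    pattern (e.g. 'HOU*'), anything else must match exactly. Ranges not modeled."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return requested.startswith(allowed[:-1])
    return allowed == requested


def authority_check(user: str, obj: str, **fields: str) -> int:
    """Check the given fields (e.g. ACTVT='02', CLASS='HOUSTON') against object
    `obj`. Fields not named are not checked, like omitted IDs / DUMMY in ABAP."""
    candidates = [f for o, f in USER_BUFFER.get(user, []) if o == obj]
    if not candidates:
        return RC_NO_OBJECT
    for auth in candidates:
        if all(
            field in auth and any(value_matches(a, value) for a in auth[field])
            for field, value in fields.items()
        ):
            return RC_OK  # every checked field satisfied by this ONE authorization
    return RC_NO_AUTH


def change_user(user: str, target_group: str) -> bool:
    """SU01 'Change user' as on the slides: transaction start check on S_TCODE,
    then S_USR_GRP with ACTVT 02 and the target user's group."""
    if authority_check(user, "S_TCODE", TCD="SU01") != RC_OK:
        return False
    return authority_check(user, "S_USR_GRP", ACTVT="02", CLASS=target_group) == RC_OK


def display_user(user: str, target_group: str) -> bool:
    """SU01 'Display user': S_TCODE, then S_USR_GRP with ACTVT 03."""
    if authority_check(user, "S_TCODE", TCD="SU01") != RC_OK:
        return False
    return authority_check(user, "S_USR_GRP", ACTVT="03", CLASS=target_group) == RC_OK


if __name__ == "__main__":
    print("change HOUSTON user :", change_user("TTSAN", "HOUSTON"))   # True
    print("change CHICAGO user :", change_user("TTSAN", "CHICAGO"))   # False: 02 only with HOUSTON
    print("display CHICAGO user:", display_user("TTSAN", "CHICAGO"))  # True: 03 with CLASS *
    print("no S_USR_AGR object :", authority_check("TTSAN", "S_USR_AGR", ACT_GROUP="Z_X"))  # 12
```

The CHICAGO case is the point of splitting S_USR_GRP into two authorizations: ACTVT 02 exists in the buffer and CLASS * exists in the buffer, but not together, so the change is refused while display of any group still works.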

Profile Generator: transaction PFCG

Profile Generator: Change authorization data

Profile Generator: Expert mode for profile generation offers three options:
1. Delete and recreate profile and authorizations
2. Edit old status
3. Read old status and merge with new data

SAP Security Overview: BUKRS (company code) is missing an organizational value

Profile Generator: Organizational Level

Profile Generator: Missing customer-defined value

Profile Generator: No open fields remain

Profile Generator: Authorization Status
STANDARD - SAP standard value
MAINTAINED - customer-maintained value (field delivered open by SAP and filled in by the customer)
CHANGED - SAP standard value modified by the customer
MANUALLY - manually inserted authorization

Profile Generator: Removing an authorization value. Example: S_USR_GRP ACTVT 01, 02, 03, 05, 06, 08, 24

Profile Generator: Removing an authorization value. After a value is removed from a standard authorization, its status becomes Changed.

Profile Generator: Common security issue, new authorization. A standard authorization edited in place keeps no record of what SAP delivered, so when the role is later regenerated or merged with new data the profile generator can insert a new Standard authorization with the full value set beside the Changed one, quietly restoring the removed value.

Profile Generator Best Practice: make a copy of the authorization and deactivate the original.

Profile Generator Best Practice: make the changes on the copy, never on the original.

Profile Generator Best Practice: a Changed authorization without a deactivated Standard authorization is the problem case (see rule 3 in the summary).

Profile Generator Best Practice: double-click the description of the authorization to add a comment documenting the change.

Profile Generator: Does changing a copied authorization apply in every situation? Example: M_MATE_MAT (ACTVT 01, 02)

Profile Generator: Where-Used icon

Profile Generator: Where-used shows that value 01 is linked to transaction MM01. A value tied to a transaction in the role is not removed by hand; remove the transaction from the role and the value goes with it (rule 2a).

Profile Generator: Adding an authorization value. What if you want to add value 03?

Profile Generator: SU53 errors. What if SU53 indicates that MM01 requires an activity of 24?

Profile Generator: Static value vs. dynamic value. Static value: a value a transaction requires no matter who executes it. Dynamic value: a customer-defined value, such as company code, that varies from user to user.

Profile Generator: Static value. MM01 always requires an activity of 01.

Profile Generator: Dynamic value. The company code value may vary from user to user depending on business restrictions.

Profile Generator: Static value vs. dynamic value. Static value: add it to the SU24 default values (table USOBT_C, the customer copy of USOBT) with transaction SU24, so every role that contains the transaction picks it up on generation. Dynamic value: enter it directly in the authorization or in the role's organizational level data.

Profile Generator Reorganize & Generate Authorization counter 1

Profile Generator Reorganize & Generate Reorganize

Profile Generator Reorganize & Generate Authorization counter 0

USOBT – SU24 Overview

Profile Generator Summary of Rules and Restrictions
1. NEVER modify S_TCODE unless the role is built manually.
2. Modifying an SAP standard delivered authorization:
   a. Only modify when there is a request to REMOVE an authorization value, and only if no other transaction is linked to that value. Otherwise remove the transaction from the role; that removes the value with it.
   b. Always make a copy of the authorization and make the changes on the copy.
   c. Deactivate the original authorization.
   d. Modify the copied authorization; its status becomes Changed.
   e. Double-click the description of the authorization to document the reason. The same applies to manually inserted authorizations.
3. If a Changed authorization exists without a deactivated Standard authorization, delete the Changed authorization.
4. SU53 entries that are false positives most of the time (a failed check on these is usually not the cause of the problem):
   a. S_ADMI_FCD (SM02).
   b. S_CTS_ADMI.
   c. S_ALV_LAYO (activity 23, save layout).
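The rules above applied as a check over a role's authorization tree, as an added example in Python (not SAP or PFCG code). The record layout is a simplified stand-in for what PFCG displays in the tree, not the real AGR_* tables (assumption); the status names follow the slides. The sample role, its authorization IDs and the helper names (`ROLE`, `lint_role`, `rules_for`) are constructed for this example.

```python
"""Lint a PFCG role's authorization tree against the slide rules.

Added example, not SAP/PFCG code. Record layout and names are assumptions."""

from typing import Dict, List, Set

RULE_TCODE_MODIFIED = "rule 1: S_TCODE modified in a menu-built role"
RULE_NO_INACTIVE_STD = "rule 3: Changed authorization without a deactivated Standard"
RULE_UNDOCUMENTED = "rule 2e: Changed/Manual authorization without a comment"
RULE_OPEN_FIELD = "open field: value missing, profile cannot be generated"

# Constructed sample role. 'active' False = deactivated in PFCG (struck through).
ROLE = {
    "name": "Z_MM_MATERIAL_MAINT",
    "manual": False,  # built from the role menu, so S_TCODE is maintained by PFCG
    "auths": [
        {"id": "T-0001", "object": "S_TCODE", "status": "STANDARD", "active": True,
         "fields": {"TCD": ["MM01", "MM02"]}, "comment": ""},
        # Best-practice pattern: standard copied and deactivated, copy changed and documented
        {"id": "T-0002", "object": "M_MATE_MAT", "status": "STANDARD", "active": False,
         "fields": {"ACTVT": ["01", "02"]}, "comment": ""},
        {"id": "T-0003", "object": "M_MATE_MAT", "status": "CHANGED", "active": True,
         "fields": {"ACTVT": ["02"]}, "comment": "CR-4711: create (01) not needed"},
        # Rule 3 violation: the standard authorization was edited in place
        {"id": "T-0004", "object": "S_USR_GRP", "status": "CHANGED", "active": True,
         "fields": {"ACTVT": ["03"], "CLASS": ["*"]}, "comment": "display only"},
        # Rule 2e violation: manually inserted, no reason documented
        {"id": "T-0005", "object": "S_DEVELOP", "status": "MANUALLY", "active": True,
         "fields": {"ACTVT": ["03"], "DEVCLASS": ["*"]}, "comment": ""},
        # Open organizational field: BUKRS never filled in
        {"id": "T-0006", "object": "F_BKPF_BUK", "status": "STANDARD", "active": True,
         "fields": {"ACTVT": ["03"], "BUKRS": []}, "comment": ""},
        # Rule 1 violation (and, by the same in-place edit, rules 2e and 3)
        {"id": "T-0007", "object": "S_TCODE", "status": "CHANGED", "active": True,
         "fields": {"TCD": ["SU01"]}, "comment": ""},
    ],
}


def lint_role(role: dict) -> List[Dict[str, str]]:
    """Return one finding per broken rule: {'auth': id, 'object': obj, 'rule': text}."""
    findings: List[Dict[str, str]] = []
    # Objects for which a deactivated Standard authorization is still kept in the role
    inactive_standard: Set[str] = {
        a["object"] for a in role["auths"]
        if a["status"] == "STANDARD" and not a["active"]
    }
    for a in role["auths"]:
        def flag(rule: str, a: dict = a) -> None:
            findings.append({"auth": a["id"], "object": a["object"], "rule": rule})

        if a["object"] == "S_TCODE" and a["status"] != "STANDARD" and not role["manual"]:
            flag(RULE_TCODE_MODIFIED)
        if a["status"] == "CHANGED" and a["active"] and a["object"] not in inactive_standard:
            flag(RULE_NO_INACTIVE_STD)  # slide rule 3: delete it and redo it as a copy
        if a["status"] in ("CHANGED", "MANUALLY") and not a["comment"].strip():
            flag(RULE_UNDOCUMENTED)
        if a["active"]:
            for field, values in a["fields"].items():
                if not values:
                    flag(f"{RULE_OPEN_FIELD} ({field})")
    return findings


def rules_for(findings: List[Dict[str, str]], auth_id: str) -> Set[str]:
    """Rules broken by one authorization, for reporting and assertions."""
    return {f["rule"] for f in findings if f["auth"] == auth_id}


if __name__ == "__main__":
    for f in lint_role(ROLE):
        print(f"{ROLE['name']} {f['auth']} {f['object']:<12} {f['rule']}")
```

T-0002/T-0003 pass because the deactivated Standard authorization still sits next to the Changed copy, which is what lets a later merge recognise the object as already handled; T-0004 carries the same kind of change but without that anchor, so rule 3 says delete it and redo it as a copy.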

Profile Generator: Questions?

Profile Generator Contact Information: Thomas Tsan, SAP Security Architect, TK Consultants, Inc. Email: [email protected]. Phone: (281) 412-6800

Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code: [801]
