How to Properly Maintain Security using Profile Generator
Objective: SAP Security Overview, Profile Generator, Best Practice, Summary
SAP Security Overview: User ID, e.g. TTSAN. A user is assigned Security Role 1, Security Role 2, Security Role 3.
SAP Security Overview: Security Role, e.g. Security Administrator. A role contains Profile 1, Profile 2, Profile 3.
SAP Security Overview: Profile (contains up to 150 authorizations): Authorization 1, Authorization 2, ... Authorization 150.
SAP Security Overview: Authorization Object 1, e.g. S_TCODE. Field TCD, Value SU01.
SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP. Field ACTV, Value 01, 02, 03, 06; Field CLASS, Value (customer-defined).
SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP. Field ACTV, Value 01, 02, 06; Field CLASS, Value HOUSTON.
SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP. Field ACTV, Value 03; Field CLASS, Value *.
SAP Security Overview: Execute “SU01” – Change User. AUTHORITY-CHECK against “Authorization1”: Object 1 “S_TCODE”, TCD “SU01”.
SAP Security Overview: Execute “SU01” – Change User. AUTHORITY-CHECK against “Authorization2”: Object 2 “S_USR_GRP”, ACTV “02”, CLASS “HOUSTON”.
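The slides above walk through the chain user, role, profile, authorization, and then the two AUTHORITY-CHECKs that SU01 performs. The following Python model is an added illustration, not code from the deck or from SAP. It uses the object and field names as the slides spell them (S_TCODE/TCD, S_USR_GRP/ACTV and CLASS); the user TTSAN, the role, the profile and the three authorizations are constructed from the slide values, and "*" is treated as a full wildcard. The point it makes beyond the slides: field values are only combined within one authorization, so ACTV 02 from Authorization2 and CLASS * from Authorization3 do not merge into "change any group".

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set


@dataclass
class Authorization:
    """One authorization: an authorization object with concrete field values."""
    name: str
    obj: str
    values: Dict[str, Set[str]]  # field -> allowed values; "*" means any value

    def permits(self, obj: str, checked: Dict[str, str]) -> bool:
        """All checked fields must be covered by this single authorization."""
        if obj != self.obj:
            return False
        for fld, val in checked.items():
            allowed = self.values.get(fld, set())
            if "*" not in allowed and val not in allowed:
                return False
        return True


@dataclass
class Profile:
    name: str
    authorizations: List[Authorization]


@dataclass
class Role:
    name: str
    profiles: List[Profile]


@dataclass
class User:
    user_id: str
    roles: List[Role]

    def authorizations(self) -> Iterator[Authorization]:
        for role in self.roles:
            for profile in role.profiles:
                yield from profile.authorizations


def authority_check(user: User, obj: str, **fields: str) -> bool:
    """Mirror of ABAP AUTHORITY-CHECK: passes when any one authorization
    for the object covers every checked field value."""
    return any(a.permits(obj, fields) for a in user.authorizations())


def execute_su01_change(user: User, user_group: str) -> bool:
    """Simulate the two checks the slides show for SU01 - Change User."""
    if not authority_check(user, "S_TCODE", TCD="SU01"):
        return False
    return authority_check(user, "S_USR_GRP", ACTV="02", CLASS=user_group)


# Constructed sample data taken from the slide values (hypothetical names)
AUTH1 = Authorization("Authorization1", "S_TCODE", {"TCD": {"SU01"}})
AUTH2 = Authorization("Authorization2", "S_USR_GRP",
                      {"ACTV": {"01", "02", "06"}, "CLASS": {"HOUSTON"}})
AUTH3 = Authorization("Authorization3", "S_USR_GRP",
                      {"ACTV": {"03"}, "CLASS": {"*"}})
SEC_ADMIN = Role("Security Administrator",
                 [Profile("Profile1", [AUTH1, AUTH2, AUTH3])])
TTSAN = User("TTSAN", [SEC_ADMIN])
NOBODY = User("NOBODY", [])  # user with no roles at all

if __name__ == "__main__":
    print(execute_su01_change(TTSAN, "HOUSTON"))  # True: change a HOUSTON user
    print(execute_su01_change(TTSAN, "DALLAS"))   # False: ACTV 02 only for HOUSTON
```

Display (ACTV 03) of a DALLAS user still passes through Authorization3, which is exactly the separation the three slide authorizations express.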
Profile Generator Transaction
Profile Generator Change authorization data
Profile Generator Expert mode for profile generation
Profile Generator Delete and recreate profile and authorizations
Profile Generator Edit old status
Profile Generator Read old status and merge with new data
SAP Security Overview BUKRS: Missing Organization Value
Profile Generator Organizational Level
Profile Generator Missing Customer-Defined Value
Profile Generator No open field
Profile Generator Authorization Status
Profile Generator Authorization Status: STANDARD - SAP standard value; MAINTAIN - customer-maintained value; CHANGED - SAP standard value maintained by the customer; MANUALLY – manually inserted value
Profile Generator Removing Authorization Value: S_USR_GRP 01, 02, 03, 05, 06, 08, 24
Profile Generator Removing Authorization Value: Status Changed
Profile Generator Common Security Issue: New Authorization
Profile Generator Best Practice: Make a copy, inactivate the original
Profile Generator Best Practice: Make changes to the copy
Profile Generator Best Practice: Changed authorization without an inactivated Standard
Profile Generator Best Practice Double-click to add comment
Profile Generator Does making changes to a copied authorization apply to all situations? M_MATE_MAT (01, 02)
Profile Generator Where-Used Icon
Profile Generator Where-used: MM01 01
Profile Generator Adding Authorization Value: What if you want to add value 03?
Profile Generator SU53 Errors: What if SU53 indicates that MM01 requires an Activity of 24?
Profile Generator Static Value vs. Dynamic Value: Static Value – a value that is required by a transaction no matter who executes it. Dynamic Value – a customer-defined value such as company code.
Profile Generator Static Value: MM01 always requires an Activity of 01?
Profile Generator Dynamic Value: Company Code value may vary from user to user depending on business restrictions.
Profile Generator Static Value vs. Dynamic Value: Static Value – add to USOBT using transaction SU24. Dynamic Value – add directly to the authorization or organizational data.
Profile Generator Reorganize & Generate Authorization counter 1
Profile Generator Reorganize & Generate Reorganize
Profile Generator Reorganize & Generate Authorization counter 0
USOBT – SU24 Overview
Profile Generator Summary of Rules and Restrictions 1. NEVER modify S_TCODE unless the role is built manually. 2. Modify standard delivered authorizations: a. Only modify when there is a request to REMOVE an authorization, and IF AND ONLY IF no other transaction is linked to that value. Otherwise, remove the transaction instead: removing the transaction removes the value.
Profile Generator Summary of Rules and Restrictions 2. Modify standard delivered authorizations (CONT’D): b. Always make a copy of the authorization and make changes to the copy. c. Inactivate the original authorization. d. Modify the copied authorization; its status becomes Changed. e. Double-click the description of the authorization to document the reason. The same applies to manually inserted authorizations.
Profile Generator Summary of Rules and Restrictions 3. If a Changed authorization exists without an inactivated Standard authorization, delete the Changed authorization. 4. Bogus SU53 checks most of the time: a. S_ADMI_FCD (SM02). b. S_CTS_ADMI. c. S_LAYO_ALV (023).
Profile Generator Questions?
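The where-used slides, the SU24/USOBT slide and rules 2a and 3 all come down to two checks a security administrator runs before touching a standard authorization: is any transaction in the role still linked to the value, and is every Changed authorization paired with an inactivated Standard one. The Python below is an added example, not code from the deck or from SAP, and its USOBT-style proposal table is constructed sample data for MM01, MM02 and MM03 on M_MATE_MAT (the real USOBT contents differ); ACTV follows the slides' field name.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed SU24/USOBT-style proposals: tcode -> object -> field -> values
USOBT_SAMPLE: Dict[str, Dict[str, Dict[str, Set[str]]]] = {
    "MM01": {"M_MATE_MAT": {"ACTV": {"01", "02"}}},
    "MM02": {"M_MATE_MAT": {"ACTV": {"02"}}},
    "MM03": {"M_MATE_MAT": {"ACTV": {"03"}}},
}
ROLE_TCODES = ["MM01", "MM02", "MM03"]  # transactions in the sample role


def merged_proposals(tcodes: List[str], usobt) -> Dict[str, Dict[str, Set[str]]]:
    """Union of all proposals for the role's transactions, the way Profile
    Generator reads and merges them when the role is generated."""
    merged: Dict[str, Dict[str, Set[str]]] = {}
    for tcode in tcodes:
        for obj, flds in usobt.get(tcode, {}).items():
            for fld, vals in flds.items():
                merged.setdefault(obj, {}).setdefault(fld, set()).update(vals)
    return merged


def where_used(tcodes: List[str], usobt, obj: str, fld: str, value: str) -> List[str]:
    """Transactions in the role whose proposal requires this field value."""
    return sorted(t for t in tcodes
                  if value in usobt.get(t, {}).get(obj, {}).get(fld, set()))


def removal_plan(tcodes: List[str], usobt, obj: str, fld: str, value: str) -> Dict[str, object]:
    """Rule 2a: edit the authorization only when no transaction is linked to
    the value; otherwise remove the linked transactions and the value goes
    with them."""
    linked = where_used(tcodes, usobt, obj, fld, value)
    if linked:
        return {"action": "remove transactions", "transactions": linked}
    return {"action": "copy, inactivate standard, change copy, document",
            "transactions": []}


@dataclass
class RoleAuth:
    """An authorization line in the role with its Profile Generator status."""
    obj: str
    status: str   # STANDARD, MAINTAIN, CHANGED or MANUALLY
    active: bool
    values: Dict[str, Set[str]]


def orphaned_changed(auths: List[RoleAuth]) -> List[RoleAuth]:
    """Rule 3: a Changed authorization is only legitimate next to an
    inactivated Standard authorization for the same object."""
    inactive_std = {a.obj for a in auths if a.status == "STANDARD" and not a.active}
    return [a for a in auths if a.status == "CHANGED" and a.obj not in inactive_std]


# Constructed role contents: one correct copy-and-change, one orphan
SAMPLE_AUTHS = [
    RoleAuth("M_MATE_MAT", "STANDARD", False, {"ACTV": {"01", "02", "03"}}),
    RoleAuth("M_MATE_MAT", "CHANGED", True, {"ACTV": {"01", "02"}}),
    RoleAuth("S_USR_GRP", "CHANGED", True, {"ACTV": {"02"}, "CLASS": {"HOUSTON"}}),
]

if __name__ == "__main__":
    print(where_used(ROLE_TCODES, USOBT_SAMPLE, "M_MATE_MAT", "ACTV", "01"))  # ['MM01']
    print(removal_plan(ROLE_TCODES, USOBT_SAMPLE, "M_MATE_MAT", "ACTV", "03"))
    print([a.obj for a in orphaned_changed(SAMPLE_AUTHS)])  # ['S_USR_GRP']
```

Value 24 appears in no proposal, so the plan for it is the copy-and-change procedure of rule 2b to 2e; value 03 is still proposed by MM03, so the slide's advice is to drop MM03 from the role rather than edit the authorization.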
Profile Generator Contact Information Thomas Tsan SAP Security Architect TK Consultants, Inc. Email: [email protected] Phone: (281) 412-6800
Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code: