1 / 49

How to Properly Maintain Security using Profile Generator

How to Properly Maintain Security using Profile Generator. Objective. SAP Security Overview Profile Generator Best Practice Summary. SAP Security Overview. USER ID , e.g. TTSAN. Security Role 1. Security Role 2. Security Role 3. User. SAP Security Overview.

becky
Télécharger la présentation

How to Properly Maintain Security using Profile Generator

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to Properly Maintain Security using Profile Generator

  2. Objective • SAP Security Overview • Profile Generator Best Practice • Summary

  3. SAP Security Overview USER ID, e.g. TTSAN Security Role 1 Security Role 2 Security Role 3 User

  4. SAP Security Overview Security Role, e.g. Security Administrator Profile 1 Profile 2 Profile 3

  5. SAP Security Overview Profile (Contain up to 150 Authorizations) Authorization150 Authorization1 Authorization2

  6. SAP Security Overview Authorization Object 1, e.g. S_TCODE Field (TCD) Value (SU01)

  7. SAP Security Overview Authorization Object 2, e.g. S_USR_GRP Field (ACTV) Value (01, 02, 03, 06) Field (CLASS) Value (Customer Define)

  8. SAP Security Overview Authorization Object 2, e.g. S_USR_GRP Field (ACTV) Value (01, 02, 06) Field (CLASS) Value (HOUSTON)

  9. SAP Security Overview Authorization Object 2, e.g. S_USR_GRP Field (ACTV) Value (03) Field (CLASS) Value (*)

  10. SAP Security Overview Execute “SU01” – Change User AUTHORITY-CHECK “Authorization1” Object 1 = “S_TCODE” TCD = “SU01”

  11. Execute “SU01” – Change User AUTHORITY-CHECK “Authorization2” SAP Security Overview Object 2 = “S_USR_GRP” ACTV = “02” CLASS = “HOUSTON”

  12. Profile Generator Transaction

  13. Profile Generator Change authorization data

  14. Profile Generator Expert mode for profile generation

  15. Profile Generator Delete and recreate profile and authorizations

  16. Profile Generator Edit old status

  17. Profile Generator Read old status and merge with new data

  18. SAP Security Overview $BURKS Missing Organization Value

  19. Profile Generator Organizational Level

  20. Profile Generator Missing Customer Define Value

  21. Profile Generator No open field

  22. Profile Generator Authorization Status

  23. Profile Generator Authorization Status STANDARD - SAP Standard Value MAINTAIN - Customer Maintained Value CHANGED - SAP Standard Value maintained by Customer MANUALLY – Manually inserted Value

  24. Profile Generator Removing Authorization Value S_USR_GRP 01, 02, 03, 05, 06, 08, 24

  25. Profile Generator Removing Authorization Value Status = Changed

  26. Profile Generator Common Security Issue New Authorization

  27. Profile Generator Best Practice Make Copy Inactive Original

  28. Profile Generator Best Practice Make changes to copy

  29. Profile Generator Best Practice Changed Authorization without Inactive Standard

  30. Profile Generator Best Practice Double-click to add comment

  31. Profile Generator Does making changes to Copied Authorization Applies to all situation? M_MATE_MAT (01, 02)

  32. Profile Generator Where-Used Icon

  33. Profile Generator Where-used MM01 = 01

  34. Profile Generator Adding Authorization Value What if you want to add value 03?

  35. Profile Generator SU53 Errors What if SU53 indicates that MM01 requires an Activity of 24?

  36. Profile Generator Static Value vs. Dynamic Value Static Value – a value that is required by a transaction no matter who execute it. Dynamic Value – a customer-defined value such as company code.

  37. Profile Generator Static Value MM01 always requires an Activity of 01?

  38. Profile Generator Dynamic Value Company Code value may vary from user to user depending on business restriction.

  39. Profile Generator Static Value vs. Dynamic Value Static Value – add to USOBT using transaction SU24. Dynamic Value – add directly to the Authorization or Org. Data.

  40. Profile Generator Reorganize & Generate Authorization counter = 1

  41. Profile Generator Reorganize & Generate Reorganize

  42. Profile Generator Reorganize & Generate Authorization counter = 0

  43. USOBT – SU24 Overview

  44. Profile Generator Summary of Rules and Restrictions • NEVER modify S_TCODE unless the Role is built manually. • Modify Standard delivered authorization: • Only modify when there’s a request to REMOVE authorization and IF AND ONLY IF no other transaction is linked to that value. Otherwise, by removing the transaction, it will remove the value.

  45. Profile Generator Summary of Rules and Restrictions • Modify Standard delivered authorization (CONT’D): • Always make a copy of the authorization and make changes. • Inactive the original authorization. • Modify the copied authorization and the status become Changed. • Double-click on description of the authorization to document the reason. The same applies to manually inserted authorization.

  46. Profile Generator Summary of Rules and Restriction • If a Changed authorization exists without an Inactived Standard authorization, delete the Changed authorization. • Bogus SU53 check most of the time: • S_ADMI_FCD (SM02). • S_CTS_ADMI. • S_LAYO_ALV (023).

  47. Profile Generator Question?

  48. Profile Generator Contact Information Thomas Tsan SAP Security Architect TK Consultants, Inc. Email: ttsan@tkconsultants.com Phone: (281) 412-6800

  49. Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code:[801]

More Related