Day 5 : SAP R/3 Application Authorization Concept ERP 系統維護 Enterprise Technology - SAP

Course Content Unit 6 Access Control and User Administration Unit 1 Introduction Unit 2 Conception with ASAP Methodology Unit 3 Elements of the R/3 Authorization Concept Unit 4 The User Master Unit 5 Working with the Profile Generator

Introduction

 Security Requirements  SAP Security Levels  SAP Access Control  Users, Roles and Authorizations  Technical Implementation of Roles Contents: Introduction

 Describe the SAP authorization concept as part of a comprehensive security concept  Explain the access control mechanisms  Explain how users, roles and authorizations are related  Describe the technical implementation of a role- based authorization concept At the conclusion of this unit, you will be able to: Introduction Unit Objectives

 Technology  Hardware Router  DB Backup  Password Rules  Authorizations  ...  Organi z ation  Procedures  Training  Environment  Fire Alarms  Water Detection  Technology  Disk Crash  Power Supply Interruption Threats Measures Assets  Persons  Incorrect Operation  Hackers  Environment  Floods  Earthquakes Security - Overview  Hardware  Software  Data  Persons

SAP Security Levels Security Considerations Access control, virus scanners, encryption Access control, packet filtering, encryption Layer Components GUI, Browser, PC SAProuter , Network, SNC Presentation Communication SAP users, password rules, authorizations Access to SAP tables, backup, consistency Access to SAP files, OS services Application modules, work processes, interfaces Relational database UNIX, Windows NT, OS/ 400, OS 390 Application Database Operating System Encryption, certificates, Single Sign-On ITS Web Connection

Data Data Functions Functions  System Access Control  Users must identify themselves in the system  Configuration of system access control (e.g. password rules)  Access Control  Access rights for functions and data must be granted explicity using authorizations  Authorization checks for  Transaction/report calls  Program execution SAP Access Control

Create Purchase Requisition (ME51) Order Purchase Requisition (ME58) Release Purchase Requisition (ME54) Employees have roles with specific functions and need authorizations for these functions Employees Employees have roles roles with specific functions functions and need authorizations authorizations for these functions Users, Roles, and Authorizations Karen Karen Susan Susan John John Procurement  Employee  Service Representative  Employee  Service Representative  Manager  Employee  Purchaser Authorization to create purchase requisitions Authorization to release purchase requisitions Authorization to create purchase orders

Role Professional Purchaser Role Professional Purchaser Technical Implementation of Roles  Role Menu  Accessible Transctions , Reports, Web Links  Structure of the Menus/Access Paths  Authorizations  Selective Access to Business Functions and Data  User

SAP Easy Access - User-Specific Menus M enu E dit F avorites E x tras S y stem H elp Other menu Create menu Assign users Role BC_USER_ADMIN Favorites SM51 List of SAP Systems User Administration SU01 - User Maintenance PFCG - Role Maintenance SU01D - Display User SU05 - Internet User Maintenance SU10 - User Mass Maintenance SUGR - Maintain User Groups

 Describe the SAP authorization concept as part of a comprehensive security concept  Explain the access control mechanisms  Explain how users, roles and authorizations are related  Describe the technical implementation of a role- based authorization concept You are now able to: Introduction: Unit Summary

Conception with ASAP Methodology

 ASAP methodology for creating an authorization concept  Project preparation  Analysis and design of the authorization concept  Implementation of the authorization concept  Testing and quality assurance  Cutover Contents: Conception with ASAP Methodology

 List the steps necessary to implement an authorization concept  Describe the activities to be performed in each step  Assign responsible persons to each activity  Use the ASAP procedure model for implementing an authorization concept for your own projects At the conclusion of this unit, you will be able to: Conception with ASAP Methodology: Unit Objectives

 Before going live, your company wants to implement an authorization concept.  The steps required to realize the authorization concept must be planned in the context of the entire implementation process.  During the planning phase you want to estimate the time and personnel resources needed. Conception with ASAP Methodology: Business Scenario

Role and Authorization Concept: Steps Preparation Preparation Analysis Analysis & & Conception Conception  A Role and Authorization Concept is Implemented in 5 Steps  Each Step Comprises Different Activities  Each Activity is Associated with a Responsible Person  User Administration and Authorization Management Organization is Parallel to User and Authorization Concept Implementation Implement- Implement- ation ation Quality Quality Assurance Assurance & Tests & Tests Cutover Cutover Determine User and Determine User and Authorization Administration Strategy Authorization Administration Strategy

Measures:  Set Up a Team for User Roles and Authorizations  Clarify Prerequisites for Authorization Assignment  Train the Team for User Roles and Authorizations  Trigger Role and Authorization Project Step 1: Preparation Preparation Preparation Implement- ation Analysis & Conception Quality Assurance & Tests Cutover

BASIS PP HR SD/ MM FI/ CO KU KU BC BC KU KU KU KU KU KU BC BC KU KU Team for User Roles and Authorizations KU = Key User BC = Basis User (technical authorization management)

 SAP AG 1999 Step 2: Analysis & Conception Preparation Implement- ation Quality Assurance & Tests Cutover Analysis Analysis & & Conception Conception Measures:  Determine User Roles  Complete Roles  Determine Framework for Implementing the Roles  Check Framework for Implementing the Roles

Authorization List - Role Design Business Processes Financial Accounting General Ledger Processing Closing Operations Profit and Loss Adjustment General ledger: Profit and Loss Adjustment General ledger: Update Balance Sheet Adj . General ledger: Post Balance Sheet Readj . General ledger: Balance Sheet Readj ., Log General ledger: B/S Readj ., Spec. Functions Accounts Payable Accounting Invoices and Credit Memos Parked Document Posting [Vendors] Post Parked Document Change Parked Document Display Parked Document Change Parked Doc. (Header) Document Changes: Parked Documents Reject Parked Document Vendor Account Analysis Balance Analysis Customer Account Analysis Vendor Account Balance Display Vendor Balances Vendor Line Items Correspondence with Vendors Correspondence with Vendors Correspondence: Print Requests Correspondence: Print Internal Docs. Correspondence: Delete Requests Correspondence: Maintain Requests Instruction... Enterprise area Role name Scope Scope Scope Analysis: Determine User Roles F.50 F.5D F.5E F.5F F.5G FBV0 FBV2 FBV3 FBV4 FBV5 FBV6 FD11 FK10 FK10N FBL1N F.61 F.62 F.63 F.64

FI_ Manag AP_ Manag AP_ Acc Authorization List - Role Design Business Processes Financial Accounting General Ledger Processing Closing Operations Profit and Loss Adjustment General ledger: Profit and Loss Adjustment General ledger: Update Balance Sheet Adj . General ledger: Post Balance Sheet Readj . General ledger: Balance Sheet Readj ., Log General ledger: B/S Readj ., Spec. Functions Accounts Payable Accounting Invoices and Credit Memos Parked Document Posting [Vendors] Post Parked Document Change Parked Document Display Parked Document Change Parked Doc. (Header) Document Changes: Parked Documents Reject Parked Document Vendor Account Analysis Balance Analysis Customer Account Analysis Vendor Account Balance Display Vendor Balances Vendor Line Items Correspondence with Vendors Correspondence with Vendors Correspondence: Print Requests Correspondence: Print Internal Docs. Correspondence: Delete Requests Correspondence: Maintain Requests Instruction... Enterprise area Rollenname Scope Scope Scope FI FI FI x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x Conception: Complete User Roles (1) F.50 F.5D F.5E F.5F F.5G FBV0 FBV2 FBV3 FBV4 FBV5 FBV6 FD11 FK10 FK10N FBL1N F.61 F.62 F.63 F.64

Balance Analysis Vendor Line Items Display Vendor Balances Maintain Account Balances G/L Document Maintenance Accounts Payable Accounting Manager Post Documents Change Documents ........ Activity Block (Group of Related Activities) Role Activities Transactions, Reports User Role Composite Role Accounts Payable Accountant User User Master Record Technical Conception: Role Implementation (1)

Balance Analysis Correspondence Accounts Payable Accounting Manager Accounts Payable Accountant Maintain Documents Maintain Documents Maintain Documents Closing Operations Balance Analysis Correspondence Financial Accounting Manager Technical Conception: Role Implementation (2) Maintain Documents Closing Operations

Step 3: Implementation Preparation Quality Assurance & Tests Cutover Analysis & Conception Implement- Implement- ation ation Measures:  Create Roles  Create Derived Roles  Create Composite Roles

Step 4: Quality Assurance & Tests Preparation Implement- ation Cutover Analysis & Conception Quality Quality Assurance Assurance & Tests & Tests Measures:  Test User Roles and Authorization Concept  Release Roles and Authorization Concept

Step 5: Cutover Preparation Implement- ation Quality Assurance & Tests Analysis & Conception Cutover Cutover Measures:  Set Up Productive Environment  Create User Master Records for Productive Users  Accept Role and Authorization Project

User and Authorization Administration Strategy Preparation Implement- ation Quality Assurance & Tests Cutover Analysis & Conception Determine User and Determine User and Authorization Administration Strategy Authorization Administration Strategy Measures :  Specify Technical User and Authorization Administration Strategy  Specify User and Authorization Administration Procedure  Train Users and Authorization Administrators

Development System User Administration System User and Authorization Administration Strategy System Administrator Authorization Data Administrator Create Role Authorization Profile Administrator User Administrator Maintain Users Assign Role Activate Profile Maintain Role

 List the steps necessary to implement an authorization concept  Describe the activities to be performed in each step  Assign responsible persons to each activity  Use the ASAP procedure model for implementing an authorization concept for your own projects You are now able to: Conception with ASAP Methodology: Unit Summary

Elements of SAP Authorization Concept

 The SAP R/3 authorization concept prevents unauthorized access to the system and to data and objects within the system. Users that are to perform specific functions in the SAP R/3 System need a user master record with the relevant authorizations. Elements of the SAP R/3 Authorization Concept: Business Scenario

Authorization object class Authorization object Authorization Profile - Role User Authorization field: Overview of the elements of the SAP R/3 authorization concept

Authorization Fields, Objects, Object Classes Authorization Fields Authorization Objects Authorization Object Classes BUKRS ACTVT WERKS BEGRU M_RECH_BUK F_BKPF_BUK F_KNA1_BUK C_KAPA_PLA C_ARPL_WRK M_MSEG_WWA V_KNA1_BRG C_DRAW_BGR MM_R FI PP MM_B SD CV

Authorization BUKRS 1000, 2000 ACTVT 01, 02, 03 1000 2000 3000 2000 3000 Authorization A Authorization A BUKRS ACTVT Create Change Display BUKRS 1000, 2000, 3000 ACTVT 03 1000 2000 3000 2000 3000 Authorization B Authorization B BUKRS ACTVT Create Change Display

Authorizations and Authorization Profiles Authorization Objects Work Center 1 Work Center 2 Work Center 3 F-22, F-27 FB02, FB03 F-43, F-41 FB02, FB03 01, 02, 03 1000 01, 02, 03 1000, 2000 01, 02, 03 A, D, S 01, 02, 03 K ....... ....... S_TCODE TCD F_BKPF_BUK ACTVT BUKRS F_BKPF_GSP ACTVT GSBER F_BKPF_KOA ACTVT KOART ....... 01, 02, 03 2000 Authorization Authorization Profile F-22, F-27 FB02, FB03 01, 02, 03 1000 01, 02, 03 2000 01, 02, 03 D ....... 03 1000

Authorization Check in the Program Change Accounting Document Transaction FB02 Program SAPMF05L .... AUTHORITY-CHECK OBJECT ´F_BKPF_BUK ´ ID ´ACTVT ´ FIELD ´02 ´ ID ´BUKRS ´ FIELD BUK. IF SY-SUBRC NE 0. MESSAGE E083 WITH BUK. ENDIF. ..... User Authorizations Object F_BKPF_BUK Authorization BUK 1000 Check Result Field Value ACTVT 02, 03 BUKRS 1000 Authorization BUK 1000 Authorization BUK 1000

Security Checks during Transaction Start Change Accounting Document System Program Authorization for transaction (Authorization Object S_TCODE)? Authorization for authorization object in table TSTCA? No No No No ABAP Program Authorization Checks Y Y E E S S Initial Screen Next Screen STOP STOP

Roles and Authorization Profiles Create Roles Using the Profile Generator (PFCG) Choose Activities (Transactions, Reports, Web links) Maintain Authorization Data (Define Authorization Objects) Generation User Menu Authorization Profile Authorization for Authorization Object xxx ....

Roles and the Easy Access Menu M enu E dit F avorites E x tras S y stem H elp Other menu Create menu Assign users Role SAP_BC_USER_ADMIN_AG Favorites SU01 User Maintenance User Administration SU01 - User Maintenance PFCG - Role Maintenance SU01D - Display User SU05 - Internet User Maintenance SU10 - User Mass Maintenace SUGR - Maintain User Groups

 Describe the elements of the authorization concept  Describe the process flow of an authorization check in the program  Describe the authorization checks during transaction start  Describe the differences between roles and authorization profiles  Explain what the relationship between roles and the Easy Access menu You are now able to: Elements of the SAP R/3 Authorization Concept: Unit Summary

User Master

 Identifying users by means of the user master record  SAP R/3 user types  Components of the user master record  User buffer  Change documentation Contents : The User Master Record

 List the different SAP R/3 user types  Distinguish between the components of the user master record  Create and change user master records  Evaluate change documents  Display and archive change documents  Analyze the user buffer  Understand the function of the user buffer and evaluate the buffered user authorizations At the conclusion of this unit , you will be able to: The User Master Record : Unit Objectives

 To access the SAP R/3 System and work with the data in the system , a user master record with appropriate authorizations is required . Other elements of the user master record make it easier to work with the SAP R/3 System. The User Master Record : Business Scenario

User Master Record Components Personal Personal Data Data , , Communication Communication Data Data , , Company Company Address Address User Group User Group , , User User Type, Type, Validity Period Validity Period Start Start Menu Menu , , Logon Logon Language Language , , Standard Printer Standard Printer Default Default Parameter Parameter IDs IDs Assignment of Assignment of Profiles Profiles Address Logon Data Defaults Parameters Roles Profiles Groups Display Display User User Saved User Last changed by Assignment of Assignment of User Groups User Groups Assignment of Assignment of Roles Roles

User Buffer User WolfMeier Role MY_FI_AR_DISPLAY_MASTER_DATA Authorization Profile T-T0030107 Logon to the SAP R/3 System User Buffer Object Authorization ........... F_BKPF_KOA T-T003010700 F_KNA1_AEN T-T003010700 F_KNA1_APP T-T003010700 F_KNA1_APP T-T003010701 F_KNA1_BED T-T003010700 F_KNA1_BUK T-T003010700 F_KNA1_GEN T-T003010700 F_KNA1_GEN T-T003010701 ...............

 List the different SAP R/3 user types  Distinguish between the components of the user master record  Create and change user master records  Evaluate change documents  Display and archive change documents  Analyze the user buffer  Understand the function of the user buffer and evaluate the buffered user authorizations You are now able to: The User Master Record : Unit Summary

Working with Profile Generator

 This unit describes how to design SAP Easy Access user menus for the various work centers (or roles) in your company and how to automatically generate authorization profiles for those menus.  The first part of this unit deals with simpler basic maintenance. The focus is placed on the creation of menus and the associated authorizations, profiles, and user assignments.  The second part deals with more advanced topics: The focus here is placed on derived and composite roles. Contents: Working with the Profile Generator

 Perform the steps involved in assigning authorizations with the Profile Generator  Copy, change, and create roles and determine their activities  Display and maintain authorizations that were generated automatically At the conclusion of this unit, you will be able to: Working with the Profile Generator: Unit Objectives

 When you create authorizations and authorization profiles for groups of users, you should use the Profile Generator. Based on selected menu functions, the Profile Generator automatically generates authorization data and offers it for postprocessing . Working with the Profile Generator: Business Scenario

The Profile Generator: Steps Role Profile Generator Work centre description : - Activity 1 - Activity 2 - ... Define Role Names • Define Activities • Design User Menus • Maintain Authorization Data • Generate Authorization Profile • Assign Users • Adjust User Master Records Description Menu Authorizations User

Profile Generator: Views Basic Maintenance: • Menu • Authorizations • Agents Overview: • Menu • Authorizations • Tasks • Agents • Organisational Management Role SAP_FI_AR_MASTER_DATA Description Accounts Payable Clerk Display Change Create Create Composite Role Simple Maintenance ( Workplace Menu Maintenance ) Basic Maintenance ( Menus , Profiles , Other Objects ) Overview ( Organisational Management and Workflow ) Information Simple Maintenance: • Menu • Agents Simple Maintenance: • Menu • Agents

 SAP AG 1999 Profile Generator: Steps Define Role Name Determine Activities Design User Menus Maintain Authorization Data Generate Authorizaion Profile Assign Users Adjust User Master Records

Role Description MY_ROLE FI: Accounts Payable Accountant Display Change Create Create Composite Role Information Role Descrption FI: AccountsPayable Accountant Description Menu Authorizations User Pers ... Information Other Role Beschreibung Menü Berechtigungen Benutzer Define Role Name and Description

Define Role Name Determine Activities Design User Menus Maintain Authorization Data Generate Authorizaion Profile Assign Users Adjust User Master Records Profil e G enerator: Steps

Determine Activities Description Menu Authorizations User Web Link Transaction TA1 Role 1 Role 2 Transaction TA1 ??? Transaction TA2 Report Report xyz xyz Transaction TA1 Web Link Report Report xyz xyz Report Report xyz xyz Transaction TA1 Web Link Transaction TA3 Transaction TA1 Transaction TA1 Report Report xyz xyz

Profile Generator: Steps Define Role Name Determine Activities Design User Menus Maintain Authorization Data Generate Authorizaion Profile Assign Users Adjust User Master Records

Design Menus Define Functions Customize Menu Structure Correspondence Closing Reporting Withholding Tax Information System Other Addresses From the SAP Menu From Other Role From Area Menu Import From File Translate Node Display Documentation Find in Docu . Role MY_ROLE Description FI: Accounts Payable Accountant - ( Template Copy ) Description Menu Authoirzations Users Pers .. URL - www . mysap . com URL - Route Planner SM04 - User List SE16 - Data Broswer Account Master Data FK01 - Create Vendor FK02 - Change Vendor FK03 - Display Vendor FK04 - Display Changes FK05 - Lock Vendor FK06 - Set Deletion Flag Confirmation of Change Compare Transaction Report Other All T70CLNT400 Distribute drag&drop Role Menu Description Menu Authorizations User Transaction TA3 Report Report xxx xxx Report Report zab zab Report Report xyz xyz Web Link Web Link Web Link Transaction TA2 Transaction TA1

Profile Generator: Steps Define Role Name Determine Activities Design User Menus Maintain Authorization Data Generate Authorizaion Profile Assign Users Adjust User Master Records

Profile Generator: Create Authorization Profiles MY_ROLE FI: Accounts Payable Accountant Maint : 0 Unmaint . Org levels , 7 Open Fields , Status: Saved Gepflegt Old Cross - Application Authorization Objects Gepflegt Old Asset Management Gepflegt New Basis - Administration Standard New Authorization for File Access Standard New Authorization for File Access Maintained Old SAPscript : Standard text Standard Old Basis - Development Environment Maintained New Basis - Central Functions Standard Old Materials Management - Procurement Aktivity Physical File Name ABAP Program Name Description Menu Authorizations User Role MY_ROLE Description FI: Accounts Payable Accountant - created from SAP template Description Menu Authorizations User Angelegt Letzte Änderung Informationen zum Berechtigungsprofil Maintain Authorization Data and Generate Profiles User MEYERS Date 16.01.2000 Time 13:22:12 Benutzer BENZ Datum 18.01.2000 Uhrzeit 17:50:59 Profile name T-K6840005 Profile text Profile for Role MY_ROLE Status Current Version Not Generated Change Authorization Data Expert Mode for Profile Generation

Profile Generator: Steps Define Role Name Determine Activities Design User Menus Maintain Authorization Data Generate Authorizaion Profile Assign Users Adjust User Master Records

Description Menu Authorizations User You can change the default profile name here Profie lname MY_ROLE_PF You will not be able to change this profile name later Text Profile for role MY_ROLE Assign Profile Name for Generated Authorization Profile Generate Authorization Profile MY_ROLE FI: Accounts Payable Accountant Maint .: 0 Unmaint . Org Levels , 7 Open Fields , Status: Saved Maintained Old Cross - Application Authorization Objects Maintained Old Asset Management Maintained New Basis - Administration Standard Old Basis - Development Environment Maintained New Basis - Central Functions Standard Old Materials Management - Procurement Activity Physical Filename ABAP Program Name Standard New Authorization for File Access Standard New Authorization for File Access Maintained Old SAPscript: Standardtext Generate

Define Role Name Determine Activities Design User Menus Maintain Authorization Data Generate Authorization Profile Assign Users Adjust User Master Records Profil e Generator : Steps

Role 4 Role 3 Assigning Users to Roles Role 1 Role 2

Profile Generator: Steps Define Role Name Determine Activities Design User Menus Maintain Authorization Data Generate Authorizaion Profile Assign Users Adjust User Master Records

Comparing the User Master Description Menu Authorizations User Description Menu Authorizations User Pers ... Selection User Compare Role Description MY_ROLE FI: Accounts Payable Accountant Other Role Information Last Comparison User Date Time Complete Adjustment User Date Time Information for user master comparison Status User authorization changed since last save Complete Compare Expert Mode for Compare Information Compare Role User Master Record

Derived Roles ( Reference ) Role Authorizations for : • Plant 1 • Company Code 0020 • Business Area 110 • ... Authorizations for : • Plant 1 • Company Code 0020 • Business Area * • ... Organisational Structure Organisational Structure Organisational Structure Derived Role 3 Authorizations for : • Plant 2 • Company Code 0001 • Business Area 100 • ... Derived Role 1 Derived Role 2

Menus of Derived Roles Reference Role Derived Role 1 Changes to the menu are only possible here Derived Role 2 Derived Role 3

Composite Roles Role 1 Role 2 Role 3 Role 4 Role 6 Role 5 Composite Role A Composite Role B Role 7

Menus of Composite Roles Role 1 Menu Role 1 Menu Role 2 Role 2 Menu Role 1 Menu Role 2 Composite Role Changes to the Entire Menu Are Possible !

 Perform the steps involved in assigning authorizations with the Profile Generator  Copy, change, and create roles and determine their activities  Display and maintain authorizations that were generated automatically You are now able to: Working with the Profile Generator: Unit Summary

Access Control and User Administration

Access Control and User Administration  Special Users  Administration Tasks in User and Authorization Administration  SAP Authorization Objects for Protection from Access to Administration Functions  Scenarios for Distributing Administration Tasks in the System Infrastructure Contents:

Access Control and User Administration: Unit Objectives  Protect special users in SAP R/3.  Describe tasks in user and authorization administration  List options for separating functions of user and authorization administration.  Describe options for decentralization of user administration.  Create user and authorization administrators with limited rights At the conclusion of this unit, you will be able to:

Access Control and User Administration: Business Scenario  In order to protect your SAP R/3 System against unauthorized access, you must define password rules, set the relevant profile parameters and protect special users.  You must also define areas of responsibility for user and authorization administration.  The organizational areas of responsibility must be clearly defined technically using authorizations.

Special Users Initial Logon Procedure in SAP Clients Client 000 001 066 Client (new) User SAP* DDIC EarlyWatch SAP* Initial password 06071992 19920706 support pass ! Since these users are generally known, they must be protected against unauthorized access.

User and Authorization Administration: Activities  Create, maintain, lock and unlock users, and change passwords  Create and Maintain Roles  Maintain Transaction Selections and Authorization Data in Roles  Generate Authorization Profiles  Assign Roles and Profiles  Transport Roles  Monitor Using the Information System  Archive Change Documents

 An administrator may not  Administer users and  Maintain authorizations and  Generate authorization profiles  Separation of functions  Principle of dual control  User administration  Authorization maintenance and generation  Principle of triple control  User administration  Authorization maintenance  Authorization generation Security Requirements

Separation of Functions User Administrator Authorization Data Administrator Authorization Profile Administrator  Maintain user master records  Assign roles to users  Assign profiles to users (only T...)  Display authorizations and profiles  Call "Information System Authorizations" Superuser  Maintain roles  Change transaction selection  Change authorization data  Call "Information System Authorizations"  Maintain roles  Create authorizations (only T-...)  Create profiles (only T-...)  Execute Transaction SUPC  Call "Information System Authorizations"

PP User Admin. MM User Admin. SD User Admin. CO User Admin. FI User Admin. Location 1 Location 2 Location 3 Location 4 User Administrator User Administrator User Administrator User Administrator Decentral User Administration

 Central user administration  One user administrator for all users  Unlimited authorizations for all user administration tasks of the user administrator  Central maintenance of roles and profiles  One administrator takes on both roles  Authorization data administrator  Authorization profile administrator  All authorizations for maintaining the roles and profiles  Principle of dual control Scenario 1

 Decentral user administration (production system)  One user administrator per application area (FI, MM)  Authorized to maintain a certain user group  Authorized to assign a certain number of roles and profiles  No other restrictions in the specific user administration tasks  Central maintenance of roles and profiles  Separation of responsibilities  One authorization data administrator  One authorization profile administrator  No other restrictions in the specific roles or profiles for both administrators  Principle of triple control Scenario 2

 Central creation and deletion for all users (prod.)  Decentral user administration (production system)  One user administrator per application area (FI, MM)  Authorized to maintain a certain user group  Authorized to assign a certain number of roles and profiles  Authorized for only certain user administration tasks (change, lock/unlock, reset password)  Central maintenance of roles and profiles  Separation of responsibilities  One authorization data administrator  One authorization profile administrator  No other restrictions in the specific roles or profiles for both administrators  Principle of triple control Scenario 3

 Change password rules with system profile parameters  Protect special users in the R/3 System.  Describe tasks in user and authorization administration  List options for separating functions of user and authorization administration  Describe options for decentralization of user administration  Create user and authorization administrators with limited rights You are now able to: Access Control and User Administration : Unit Summary