This page was exported from - SAP ADMIN
Export date: Wed Jan 15 20:18:40 2014 / +0000 GMT

SAP Security Tasks
Creating a user role

The easiest way to create a new user role is to copy an already existing user role, either one of your own or one of the ones provided
to you in the installation of SAP. So let's assume that you have none of your own and use one of the SAP role templates provided.
It might assist you with picking one of these roles if you have someone dump the appropriate information into a spreadsheet
containing the Role Name, Role Description, Transactions contained in the Role, and the Transaction description. The SQL query
would be something like this:

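-- One row per role/transaction pair: role name, role description, transaction code, transaction text
SELECT AGR_TEXTS.AGR_NAME, AGR_TEXTS.TEXT, AGR_TCODES.TCODE, TSTCT.TTEXT
FROM AGR_TEXTS, AGR_TCODES, TSTCT
WHERE AGR_TEXTS.MANDT = '000' AND                  -- client
AGR_TEXTS.SPRAS = 'E' AND                          -- language of the role text
AGR_TEXTS.LINE = 0 AND
AGR_TCODES.MANDT = '000' AND                       -- same client as above
AGR_TCODES.AGR_NAME = AGR_TEXTS.AGR_NAME AND
TSTCT.SPRSL = 'E' AND                              -- language of the transaction text
TSTCT.TCODE = AGR_TCODES.TCODE
ORDER BY AGR_TEXTS.AGR_NAME, AGR_TCODES.TCODE;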

This query should be changed based on the details of your SAP instance. Identify the role(s) to be used as the source for your role
copy.

1. Log on to client needing the role.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, either type in the role name to be copied or select it from a dropdown. Press Enter to confirm that the role exists.
4. Click the Copy role button or press Shift+F11.
5. On the Query popup box, fill in the to role field with the name to be given the new role. Come up with a standard that everyone follows so the base original role is designated in some way so you don't forget where you got the original. The name must begin with Z or Y. Most people will add a Z- in the first two characters of the role name. If you want to only select specific roles from a Composite role, you would click the Copy selectively button, otherwise click the Copy all button.
6. Once the role has been copied, you will be taken back to the original PFCG screen where you will see the name of your new role. Change your Role description and save the new role before working with it any further.

Output as PDF file has been powered by [ Universal Post Manager ] plugin from www.ProfProjects.com


Modifying a user role

1. Log on to client needing the role change.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, either type in the role name to be changed or select it from a dropdown. Press Enter to confirm that the role is found.
4. Click the Change Role button (the little yellow pencil) or press F6.
5. Click the Authorizations tab and then the Change Authorization Data button.
6. On the Change Role: Authorizations screen, expand and change the authorizations you need to adjust. When finished click first the Save button and then the Generate button, which looks like a little red and white beachball.
7. Back out to the Change Roles screen and click the User tab. Click on User Comparison and then Complete Comparison. Once the comparison is done, click Save one more time and you are done!

Deleting a user role.

1. Log on to client needing the role deletion.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, either type in the role name to be deleted or select it from a dropdown. Press Enter to confirm that the role is found.
4. Click the Role Delete button or Shift+F2.
5. On the Delete Role popup, confirm that you wish to proceed with the deletion. If you get an Information popup, confirm it also.
6. Your deletion will return a successful message in the bottom status bar.

Transporting user roles between clients (Transport System Method)


When a modification is made to a role in the 100 client, the roles must be transported to the 800 client. One role, several roles, or all
roles can be done if needed. They can all be added to the same transport change request. After the roles have been moved to other
clients, you will need to log on to each of those clients and do a user comparison. You will also need to do a text comparison in
client 100 of the appropriate SAP system.

1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction PFCG.
3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click the Truck picture-icon.
4. You will see an Information popup. Click the green check mark picture-icon.
5. In the Choose objects popup, unclick the check marks beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can check the box to the left of User assignment. Click the green check mark picture-icon.
6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a new change request. On the Create Request popup, fill in the Short description and click the Save picture-icon. You will be returned to the Prompt for Customizing request popup which contains the generated change request number for this system change. Click the green check mark to continue.
7. You will see a Data entered in change request message in the status bar at the bottom of the screen. Now enter the name of the next role to be transported and click the Truck picture-icon.
8. You will see an Information popup. Click the green check mark picture-icon.
9. In the Choose objects popup, unclick the check marks beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can check the box to the left of User assignment. Click the green check mark picture-icon.
10. On the Prompt for Customizing request popup, continue to use the same transport you created in step 6. Click the green check mark to continue.
11. Continue to perform steps 7 through 10 until all the roles you need to transport have been attached to the transport change request.
12. The generated transport can now be released and transported into the clients needing the modified roles.
13. You may now leave the PFCG transaction.

Transporting User Roles between Clients (Upload/Download Method)

Central User Administration distributes clients and their information to the other clients connected to the Distribution Model. It does
not, however, do the same for roles and role authorizations. So when a modification is made to a role in the 100 client, the roles
must be transported to the 800 client. One role, several roles, or all roles can be done if needed. They can all be added to the same
transport change request. After the roles have been moved to other clients, you will need to log on to each of those clients and do a
user comparison. You will also need to do a text comparison in client 100 of the appropriate SAP system.

1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction PFCG.
3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click the Truck picture-icon.
4. You will see an Information popup. Click the green check mark picture-icon.
5. In the Choose objects popup, unclick the check marks beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can check the box to the left of User assignment. Click the green check mark picture-icon.
6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a new change request. On the Create Request popup, fill in the Short description and click the Save picture-icon. You will be returned to the Prompt for Customizing request popup which contains the generated change request number for this system change. Click the green check mark to continue.
7. You will see a Data entered in change request message in the status bar at the bottom of the screen. Now enter the name of the next role to be transported and click the Truck picture-icon.
8. You will see an Information popup. Click the green check mark picture-icon.
9. In the Choose objects popup, unclick the check marks beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can check the box to the left of User assignment. Click the green check mark picture-icon.
10. On the Prompt for Customizing request popup, continue to use the same transport you created in step 6. Click the green check mark to continue.
11. Continue to perform steps 7 through 10 until all the roles you need to transport have been attached to the transport change request.
12. The generated transport can now be released and transported into the clients needing the modified roles.
13. You may now leave the PFCG transaction.

Performing a User Comparison on the Modified Roles

1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction PFCG.
3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click the Change button.
4. On the Change Roles screen, click the User tab.
5. On the User tab, click the User compare button.
6. On the Compare Role User Master Record popup, click the Complete compare button.
7. You will receive a User master record for role was adjusted message in the status bar at the bottom of the screen. You may now leave the PFCG transaction.

Performing a Text Comparison to Refresh Role Selection Lists

1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, type in the user "model_user". Click the pencil picture-icon.
4. On the Maintain User screen, click the Text comparison from child Syst. button.
5. On the CUA: Text comparison from Child Systems screen, type "LSDEV100" for the Receiving system and "LSQAS800" for the to system. This is a range, and since LSPRD300 falls alphabetically between LSDEV100 and LSQAS800, all three systems will have the text comparison performed. Click the clock picture-icon.
6. On the CUA: Text comparison from Child Systems results screen, you will see a list of the systems compared and the compare results. Click the white arrow on green picture-icon 3 times, or until you have left the SU01 transaction.

Users, Roles, and Authorizations

SAP security is based on authorization objects and authorizations. An authorization object is used to indicate that a user can perform
a certain activity. An authorization is used to limit the scope of that activity.

For example, a profile contains the S_DEVELOP authorization object. This authorization object allows a user to perform ABAP
workbench activities. Some users will need to do all ABAP activities while others will only need to perform a few. So
S_DEVELOP has a selection of authorizations you can use: ACTVT, DEVCLASS, OBJNAME, OBJTYPE, and P_GROUP. The
authorizations are set to the appropriate values as needed. A tree view of the S_DEVELOP authorization object can be seen below:

S_DEVELOP
    ACTVT
        Create or generate
        Change
        Display
        Delete
        Activate, generate
        Execute
        Create in DB
        Delete in DB
        Convert to DB
        Administer
        Copy
        All Functions
        Deactivate Mod. assistant
    DEVCLASS
        Single Value or Value Range
    OBJNAME
        Single Value or Value Range
    OBJTYPE
        Single Value or Value Range
    P_GROUP
        Single Value or Value Range

The S_DEVELOP authorization object in a profile lets a user perform ABAP workbench activities. But having an S_DEVELOP
authorization object with the ACTVT authorization value set to Display (03) means that the user is limited to display only in the
ABAP workbench transactions. Thus we see that authorization objects grant while authorizations limit. It is important to remember,
however, that a user with a profile having an S_DEVELOP with full authorizations still cannot access an ABAP workbench
transaction until a matching S_TCODE (start up transaction code) has been added as well. In other words, a user may have the
rights to add, modify and delete ABAP programs but until an entry for SE38 has been added to the S_TCODE authorization object,
he cannot access transaction SE38 which is the ABAP Editor.
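
The two-stage check described above, as an added example in Python (a simplified model written for this page, not SAP code): a transaction starts only if S_TCODE covers it, and an activity succeeds only if one single S_DEVELOP authorization covers every requested value. The profiles, the object names ZREPORT1 and SAMPLE_STD_REPORT, and the use of 02 as the Change activity code are assumptions constructed for illustration; only Display (03) and SE38 come from the text.

```python
# Simplified model of the S_TCODE + S_DEVELOP check (added example, not SAP code).
# A maintained value is a single value, a pattern ending in "*", or a (from, to) range.

def value_matches(allowed, wanted):
    """True if one maintained value covers the requested value."""
    if isinstance(allowed, tuple):            # value range (from, to)
        low, high = allowed
        return low <= wanted <= high
    if allowed.endswith("*"):                 # "*" or a prefix pattern such as "Z*"
        return wanted.startswith(allowed[:-1])
    return allowed == wanted                  # single value


def authorization_covers(fields, request):
    """Every requested field must be covered inside the SAME authorization."""
    return all(
        any(value_matches(a, wanted) for a in fields.get(name, ()))
        for name, wanted in request.items()
    )


def has_authorization(profile, obj, request):
    """A profile passes if any one of its authorizations for obj covers the request."""
    return any(o == obj and authorization_covers(f, request) for o, f in profile)


def can_perform(profile, tcode, obj, request):
    """Transaction-start check (S_TCODE) first, then the object check."""
    if not has_authorization(profile, "S_TCODE", {"TCD": tcode}):
        return (False, "S_TCODE does not include " + tcode)
    if not has_authorization(profile, obj, request):
        return (False, obj + " does not cover the requested values")
    return (True, "allowed")


ANY = ["*"]

# Constructed sample profiles: lists of (authorization object, {field: values}).
DISPLAY_ONLY = [
    ("S_TCODE", {"TCD": ["SE38"]}),
    ("S_DEVELOP", {"ACTVT": ["03"], "DEVCLASS": ANY, "OBJNAME": ANY,
                   "OBJTYPE": ANY, "P_GROUP": ANY}),
]
FULL_WITHOUT_TCODE = [      # full S_DEVELOP, but no start-up transaction
    ("S_DEVELOP", {"ACTVT": ANY, "DEVCLASS": ANY, "OBJNAME": ANY,
                   "OBJTYPE": ANY, "P_GROUP": ANY}),
]
CUSTOM_DEVELOPER = [        # transaction range, change rights limited to Z* objects
    ("S_TCODE", {"TCD": [("SE37", "SE38")]}),
    ("S_DEVELOP", {"ACTVT": ["01", "02", "03"], "DEVCLASS": ["Z*"],
                   "OBJNAME": ["Z*"], "OBJTYPE": ["PROG"], "P_GROUP": ANY}),
]
SPLIT = [                   # change on Z*, display on everything, as two authorizations
    ("S_TCODE", {"TCD": ["SE38"]}),
    ("S_DEVELOP", {"ACTVT": ["02"], "DEVCLASS": ANY, "OBJNAME": ["Z*"],
                   "OBJTYPE": ANY, "P_GROUP": ANY}),
    ("S_DEVELOP", {"ACTVT": ["03"], "DEVCLASS": ANY, "OBJNAME": ANY,
                   "OBJTYPE": ANY, "P_GROUP": ANY}),
]

# Constructed sample requests (what a program would ask the check for).
DISPLAY_Z = {"ACTVT": "03", "OBJTYPE": "PROG", "OBJNAME": "ZREPORT1"}
CHANGE_Z = {"ACTVT": "02", "OBJTYPE": "PROG", "OBJNAME": "ZREPORT1"}
CHANGE_STD = {"ACTVT": "02", "OBJTYPE": "PROG", "OBJNAME": "SAMPLE_STD_REPORT"}


def run_demo():
    """Evaluate each sample profile against each request for transaction SE38."""
    profiles = {"DISPLAY_ONLY": DISPLAY_ONLY, "FULL_WITHOUT_TCODE": FULL_WITHOUT_TCODE,
                "CUSTOM_DEVELOPER": CUSTOM_DEVELOPER, "SPLIT": SPLIT}
    requests = {"DISPLAY_Z": DISPLAY_Z, "CHANGE_Z": CHANGE_Z, "CHANGE_STD": CHANGE_STD}
    return {
        (p, r): can_perform(profile, "SE38", "S_DEVELOP", request)
        for p, profile in profiles.items()
        for r, request in requests.items()
    }


if __name__ == "__main__":
    for (profile_name, request_name), (ok, reason) in run_demo().items():
        print(f"{profile_name:20} {request_name:11} {'ALLOW' if ok else 'DENY':5} {reason}")
```

The SPLIT profile is the case worth auditing for: it holds Change and an unrestricted object name, but in different authorizations, so a change to a non-Z object is still denied.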

All authorization objects and authorizations are grouped into profiles before being attached to users. Profiles use a combination of
authorization objects and their respective authorizations, and their creation can be complex as well as tedious. In order to simplify
the creation of profiles, the Profile Generator (transaction PFCG) was created. Roles are created via a more user-friendly interface
which generates profiles based on the information added via this interface.

Manually creating profiles is the "old" way of doing things. There are times, such as the start of a new SAP landscape where no
roles exist, that the use of profiles is handy. But once the landscape has been completed, all users, with the exception of the Basis
team, should be attached to roles. There should never be a need to manually create a new SAP profile. To add a new role, the
easiest method is to copy an existing role that matches your needs as closely as possible and make the changes you need for the new
role.

This documentation covers changing user security via both methods.

Adding Authorization Objects and/or Authorizations to a Profile

Remember that profiles are NOT the standard way to implement SAP security

1. Log on to the appropriate client in the appropriate SAP system.
2. Go to transaction SU02.
3. In the Manually edit authorization profiles section of the Profile: Initial Screen screen, enter the Profile you want to change. Make sure the Active only checkbox is checked. Click the Create work area for profiles button.
4. On the Profile List screen, double-click the profile to be changed.
5. A profile can contain authorization objects only (single profile) or one or more other profiles (collective profile). If the next screen is titled Maintain Profile, this is a single profile, and you should proceed to the next step. If the next screen is titled Collect Profiles, this is a collective profile and you should skip to step 13.
6. On the Maintain Profile screen, you must decide if you need to add a new authorization object and one or more of its authorizations, or add a new authorization to an authorization object already in the profile. If you need to add a new authorization to an authorization object already in the profile, skip to step 7. Otherwise, scroll down the Consisting of authorizations list until you find a blank line. Type the authorization object you need to add and press Enter. You will need to scroll through the list again until you find the authorization object you just added (it is easy to find since the Authorization column should still be blank). Once you find the new entry line, use the drop down to fill in the Authorization column. Click on the Save picture-icon.
7. If you need to add another authorization to an authorization object already in the profile list, click on the +Add authorization button.
8. From the Maintain Profiles: Object Classes screen, double-click the Object class of the authorization you are adding.
9. On the Maintain Profiles: List of Authorizations screen, select the authorization you need to add by double-clicking the appropriate line. This will return you to the Maintain Profile screen where you can see that your authorization has been added.
10. On the Maintain Profile screen, click the Save picture-icon. Then click the lit match picture-icon to activate the new profile changes.
11. On the Activate Profile: Execution Screen screen, click on the lit match picture-icon to complete the profile activation process.
12. You may now leave the SU02 transaction.
13. In order to change a profile collection, you must make the changes in one or more of the dependent profiles, save the changes in the dependent profile(s), activate the dependent profile(s), save the collection owner profile, and activate the collection owner profile. On the Collect Profiles screen, double-click on the profile you want to change.
14. You will be taken to the Maintain Profile screen. Perform steps 6 to 11. Then use the white arrow on green picture-icon to go back.
15. On the Collect Profiles screen, click the Save picture-icon. Then click the lit match picture-icon to activate the new profile changes.
16. On the Activate Profile: Execution Screen screen, click on the lit match picture-icon to complete the profile activation process.
17. You may now leave the SU02 transaction.

Adding Authorization Objects and/or Authorizations to a Role

1. Log on to client 100 in the DEV SAP system.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, enter the Role you want to change. Click the Change button.
4. On the Change Role screen, click the Authorizations tab and then click the pencil picture-icon.
5. If you are only adding a start up transaction to the role, skip to step 10. Otherwise, the assumption is that a new authorization object is to be added. On the Change role: Authorizations screen, click the +Manually button.
6. On the Manual selection of authorizations popup, enter the authorization objects that need to be added (e.g. S_DEVELOP, S_PROGRAM, etc.). Click the green check mark when you are finished.
7. Back on the Change role: Authorizations screen, if all the displayed signal lights are green, skip to step 8. Otherwise, fully expand the lines that are yellow and/or red and supply the necessary information. All signal lights should be green before moving to the next step.
8. On the Change role: Authorizations screen, click the Save picture-icon. You will receive a Data saved confirmation message in the status bar at the bottom of the screen.
9. On the Change role: Authorizations screen, click the red-and-white beach ball picture-icon to generate a profile from the saved role. Reply affirmatively to any confirmation popups. You will receive a Profile(s) created message in the status bar at the bottom of the screen. If you do not need to add any start up transactions to the profile, you may now leave the PFCG transaction.
10. On the Change Role: Authorizations screen, expand the Cross-application Authorization Objects → Authorization Check for Transaction Start → Authorization Check for Transaction Start until you see the Transaction code entry line. Double-click on the entry portion of the Transaction code line.
11. In the Maintain Field Values popup, scroll down the list until you find a blank From and To line. Enter the transaction(s) to be added, and click the Save picture-icon when you have finished.
12. On the Change role: Authorizations screen, click the Save picture-icon. You will receive a Data saved confirmation message in the status bar at the bottom of the screen.
13. On the Change role: Authorizations screen, click the red-and-white beach ball picture-icon to generate a profile from the saved role. Reply affirmatively to any confirmation popups. You will receive a Profile(s) created message in the status bar at the bottom of the screen.
14. You may now leave the PFCG transaction.

Granting Transaction access to a user via profile

*** Since SAP R/3 4.5, this is not the standard for user authorizations. ***

Granting Transaction Access to a User via Role

1. Log on to the applicable SAP instance and client.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, fill in the User ID for the user you want to change, either by typing it in or choosing it from the drop down. Click the little yellow pencil Change button.
4. On the Maintain User screen, click on the Roles tab. Fill in the new role in the first available Role field. Press ENTER to confirm that the role exists. Click the Save button.
5. Make sure to use transaction PFCG to run a user comparison to rebuild the role-to-user connections.
6. You may now leave the PFCG transaction.

*** Since SAP R/3 4.5, this is not the standard for user authorizations. ***

Revoking Authorizations from a User via Role

Use the same procedure as Adding Authorization Objects and/or Authorizations to a Role.

Revoking Transaction Access from a User via Profile

*** Remember that profiles are NOT the standard way to implement SAP security. ***

Attaching a Profile to a User

*** Since SAP R/3 4.5, this is not the standard for user authorizations. ***

Attaching a Role to a User

1. Log on to the applicable SAP instance and client.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, fill in the User ID for the user you want to change, either by typing it in or choosing it from the drop down. Click the little yellow pencil Change button.
4. On the Maintain User screen, click on the Roles tab. Fill in the new role in the first available Role field. Press ENTER to confirm that the role exists. Click the Save button.
5. Make sure to use transaction PFCG to run a user comparison to rebuild the role-to-user connections.
6. You may now leave the PFCG transaction.

Human Resource Management in SugarCRMHuman Resource Management in SugarCRM
Human Resource Management in SugarCRM
 
Mass Convert Leads in Salesforce using Standard Reports
Mass Convert Leads in Salesforce using Standard ReportsMass Convert Leads in Salesforce using Standard Reports
Mass Convert Leads in Salesforce using Standard Reports
 
Open ERP Version 7 Functional & Technical Overview
Open ERP Version 7 Functional & Technical OverviewOpen ERP Version 7 Functional & Technical Overview
Open ERP Version 7 Functional & Technical Overview
 
Top Tips for Getting the Best from SuccessFactors Q3 2016 Release Universal U...
Top Tips for Getting the Best from SuccessFactors Q3 2016 Release Universal U...Top Tips for Getting the Best from SuccessFactors Q3 2016 Release Universal U...
Top Tips for Getting the Best from SuccessFactors Q3 2016 Release Universal U...
 
770_0629.pdf dump for oracle cloud interface
770_0629.pdf dump for oracle cloud interface770_0629.pdf dump for oracle cloud interface
770_0629.pdf dump for oracle cloud interface
 
Xml transformation-doc
Xml transformation-docXml transformation-doc
Xml transformation-doc
 
iPad Application for Account Managers
iPad Application for Account ManagersiPad Application for Account Managers
iPad Application for Account Managers
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Sap security tasks

SAP Security Tasks

Creating a user role

The easiest way to create a new user role is to copy an already existing user role, either one of your own or one of the ones provided to you in the installation of SAP. So let's assume that you have none of your own and use one of the SAP role templates provided. It might assist you with picking one of these roles if you have someone dump the appropriate information into a spreadsheet containing the Role Name, Role Description, Transactions contained in the Role, and the Transaction description. The SQL query would be something like this:

SELECT AGR_TEXTS.AGR_NAME, AGR_TEXTS.TEXT, AGR_TCODES.TCODE, TSTCT.TTEXT
FROM AGR_TEXTS, AGR_TCODES, TSTCT
WHERE AGR_TEXTS.MANDT = '000' AND
AGR_TEXTS.SPRAS = 'E' AND
AGR_TEXTS.LINE = 0 AND
AGR_TCODES.MANDT = '000' AND
AGR_TCODES.AGR_NAME = AGR_TEXTS.AGR_NAME AND
TSTCT.SPRSL = 'E' AND
TSTCT.TCODE = AGR_TCODES.TCODE
ORDER BY AGR_TEXTS.AGR_NAME, AGR_TCODES.TCODE;

This query should be changed based on the details of your SAP instance. Identify the role(s) to be used as the source for your role copy.

1. Log on to client needing the role.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, either type in the role name to be copied or select it from a dropdown. Press Enter to confirm that the role exists.
4. Click the Copy role button or press Shift+F11.
5. On the Query popup box, fill in the to role field with the name to be given the new role. Come up with a standard that everyone follows so the base original role is designated in some way so you don't forget where you got the original. The name must begin with Z or Y. Most people will add a Z- in the first two characters of the role name. If you want to only select specific roles from a Composite role, you would click the Copy selectively button, otherwise click the Copy all button.
6. Once the role has been copied, you will be taken back to the original PFCG screen where you will see the name of your new role. Change your Role description and save the new role before working with it any further.
Modifying a user role

1. Log on to client needing the role change.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, either type in the role name to be changed or select it from a dropdown. Press Enter to confirm that the role is found.
4. Click the Change Role button (little yellow pencil) or press F6.
5. Click the Authorizations tab and then the Change Authorization Data button.
6. On the Change Role: Authorizations screen, expand and change the authorizations you need to adjust. When finished, click first the Save button and then the Generate button, which looks like a little red and white beachball.
7. Back out to the Change Roles screen and click the User tab. Click on User Comparison and then Complete Comparison. Once the comparison is done, click Save one more time and you are done!

Deleting a user role

1. Log on to client needing the role deletion.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, either type in the role name to be changed or select it from a dropdown. Press Enter to confirm that the role is found.
4. Click the Role Delete button or Shift+F2.
5. On the Delete Role popup, confirm the deletion. If you get an Information popup, confirm it also.
6. Your deletion will return a successful message in the bottom status bar.

Transporting user roles between clients (Transport System Method)
When a modification is made to a role in the 100 client, the roles must be transported to the 800 client. One role, several roles, or all roles can be done if needed. They can all be added to the same transport change request. After the roles have been moved to other clients, you will need to log on to each of those clients and do a user comparison. You will also need to do a text comparison in client 100 of the appropriate SAP system.

1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction PFCG.
3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click the Truck picture-icon.
4. You will see an Information popup. Click the green ✓ picture-icon.
5. In the Choose objects popup, unclick the ✓s beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can ✓ the box to the left of User assignment. Click the green ✓ picture-icon.
6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a new change request. On the Create Request popup, fill in the Short description and click the Save picture-icon. You will be returned to the Prompt for Customizing request popup, which contains the generated change request number for this system change. Click the green ✓ to continue.
7. You will see a Data entered in change request message in the status bar at the bottom of the screen. Now enter the name of the next role to be transported and click the Truck picture-icon.
8. You will see an Information popup. Click the green ✓ picture-icon.
9. In the Choose objects popup, unclick the ✓s beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can ✓ the box to the left of User assignment. Click the green ✓ picture-icon.
10. On the Prompt for Customizing request popup, continue to use the same transport you created in step 6. Click the green ✓ to continue.
11. Continue to perform steps 7 through 10 until all the roles you need to transport have been attached to the transport change request.
12. The generated transport can now be released and transported into the clients needing the modified roles.
13. You may now leave the PFCG transaction.

Transporting User Roles between Clients (Upload/Download Method)

Central User Administration distributes clients and their information to the other clients connected to the Distribution Model. It does not, however, do the same for roles and role authorizations. So when a modification is made to a role in the 100 client, the roles must be transported to the 800 client. One role, several roles, or all roles can be done if needed. They can all be added to the same transport change request. After the roles have been moved to other clients, you will need to log on to each of those clients and do a user comparison. You will also need to do a text comparison in client 100 of the appropriate SAP system.

1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction PFCG.
3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click the Truck picture-icon.
4. You will see an Information popup. Click the green ✓ picture-icon.
5. In the Choose objects popup, unclick the ✓s beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can ✓ the box to the left of User assignment. Click the green ✓ picture-icon.
6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a new change request. On the Create Request popup, fill in the Short description and click the Save picture-icon. You will be returned to the Prompt for Customizing request popup, which contains the generated change request number for this system change. Click the green ✓ to continue.
7. You will see a Data entered in change request message in the status bar at the bottom of the screen. Now enter the name of the next role to be transported and click the Truck picture-icon.
8. You will see an Information popup. Click the green ✓ picture-icon.
9. In the Choose objects popup, unclick the ✓s beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can ✓ the box to the left of User assignment. Click the green ✓ picture-icon.
10. On the Prompt for Customizing request popup, continue to use the same transport you created in step 6. Click the green ✓ to continue.
11. Continue to perform steps 7 through 10 until all the roles you need to transport have been attached to the transport change request.
12. The generated transport can now be released and transported into the clients needing the modified roles.
13. You may now leave the PFCG transaction.

Performing a User Comparison on the Modified Roles

1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction PFCG.
3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click the Change button.
4. On the Change Roles screen, click the User tab.
5. On the User tab, click the User compare button.
6. On the Compare Role User Master Record popup, click the Complete compare button.
7. You will receive a User master record for role was adjusted message in the status bar at the bottom of the screen. You may now leave the PFCG transaction.

Performing a Text Comparison to Refresh Role Selection Lists

1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, type in the user 'model_user'. Click the pencil picture-icon.
4. On the Maintain User screen, click the Text comparison from child Syst. button.
5. On the CUA: Text comparison from Child Systems screen, type 'LSDEV100' for the Receiving system and 'LSQAS800' for the to system. This is a range, and since LSPRD300 falls alphabetically between LSDEV100 and LSQAS800, all three systems will have the text comparison performed. Click the clock picture-icon.
6. On the CUA: Text comparison from Child Systems results screen, you will see a list of the systems compared and the compare results. Click the white arrow on green picture-icon 3 times, or until you have left the SU01 transaction.

Users, Roles, and Authorizations

SAP security is based on authorization objects and authorizations. An authorization object is used to indicate that a user can perform a certain activity. An authorization is used to limit the scope of that activity. For example, a profile contains the S_DEVELOP authorization object. This authorization object allows a user to perform ABAP workbench activities. Some users will need to do all ABAP activities while others will only need to perform a few. So S_DEVELOP has a selection of authorizations you can use: ACTVT, DEVCLASS, OBJNAME, OBJTYPE, and P_GROUP. The authorizations are set to the appropriate values as needed.
A tree view of the S_DEVELOP authorization object can be seen below:

S_DEVELOP
  ACTVT
    Create or generate
    Change
    Display
    Delete
    Activate, generate
    Execute
    Create in DB
    Delete in DB
    Convert to DB
    Administer
    Copy
    All Functions
    Deactivate Mod. assistant
  DEVCLASS
    Single Value or Value Range
  OBJNAME
    Single Value or Value Range
  OBJTYPE
    Single Value or Value Range
  P_GROUP
    Single Value or Value Range

The S_DEVELOP authorization object in a profile lets a user perform ABAP workbench activities. But having an S_DEVELOP authorization object with the ACTVT authorization value set to Display (03) means that the user is limited to display only in the ABAP workbench transactions. Thus we see that authorization objects grant while authorizations limit.

It is important to remember, however, that a user with a profile having an S_DEVELOP with full authorizations still cannot access an ABAP workbench transaction until a matching S_TCODE (start up transaction code) has been added as well. In other words, a user may have the rights to add, modify and delete ABAP programs, but until an entry for SE38 has been added to the S_TCODE authorization object, he cannot access transaction SE38, which is the ABAP Editor.

All authorization objects and authorizations are grouped into profiles before being attached to users. Profiles use a combination of authorization objects and their respective authorizations, and their creation can be complex as well as tedious. In order to simplify the creation of profiles, the Profile Generator (transaction PFCG) was created. Roles are created via a more user-friendly interface which generates profiles based on the information added via this interface.

Manually creating profiles is the "old" way of doing things. There are times, such as the start of a new SAP landscape where no roles exist, that the use of profiles is handy. But once the landscape has been completed, all users, with the exception of the Basis team, should be attached to roles. There should never be a need to manually create a new SAP profile. To add a new role, the easiest method is to copy an existing role that matches your needs as closely as possible and make the changes you need for the new role. This documentation covers changing user security via both methods.

Adding Authorization Objects and/or Authorizations to a Profile

Remember that profiles are NOT the standard way to implement SAP security.

1. Log on to the appropriate client in the appropriate SAP system.
2. Go to transaction SU02.
3. In the Manually edit authorization profiles section of the Profile: Initial Screen screen, enter the Profile you want to change. Make sure the Active only box is checked. Click the Create work area for profiles button.
4. On the Profile List screen, double-click the profile to be changed.
5. A profile can contain authorization objects only (single profile) or one or more other profiles (collective profile). If the next screen is titled Maintain Profile, this is a single profile, and you should proceed to the next step. If the next screen is titled Collect Profiles, this is a collective profile and you should skip to step 13.
6. On the Maintain Profile screen, you must decide if you need to add a new authorization object and one or more of its authorizations, or add a new authorization to an authorization object already in the profile. If you need to add a new authorization to an authorization object already in the profile, skip to step 7. Otherwise, scroll down the Consisting of authorizations list until you find a blank line. Type the authorization object you need to add and press Enter. You will need to scroll through the list again until you find the authorization object you just added (it is easy to find since the Authorization column should still be blank). Once you find the new entry line, use the drop down to fill in the Authorization column. Click on the Save picture-icon.
7. If you need to add another authorization to an authorization object already in the profile list, click on the +Add authorization button.
8. From the Maintain Profiles: Object Classes screen, double-click the Object class of the authorization you are adding.
9. On the Maintain Profiles: List of Authorizations screen, select the authorization you need to add by double-clicking the appropriate line. This will return you to the Maintain Profile screen where you can see that your authorization has been added.
10. On the Maintain Profile screen, click the Save picture-icon. Then click the lit match picture-icon to activate the new profile changes.
11. On the Activate Profile: Execution Screen screen, click on the lit match picture-icon to complete the profile activation process.
12. You may now leave the SU02 transaction.
13. In order to change a profile collection, you must make the changes in one or more of the dependent profiles, save the changes in the dependent profile(s), activate the dependent profile(s), save the collection owner profile, and activate the collection owner profile. On the Collect Profiles screen, double-click on the profile you want to change.
14. You will be taken to the Maintain Profile screen. Perform steps 6 to 11. Then use the white arrow on green picture-icon to go back.
15. On the Collect Profiles screen, click the Save picture-icon. Then click the lit match picture-icon to activate the new profile changes.
16. On the Activate Profile: Execution Screen screen, click on the lit match picture-icon to complete the profile activation process.
17. You may now leave the SU02 transaction.

Adding Authorization Objects and/or Authorizations to a Role

1. Log on to client 100 in the DEV SAP system.
2. Go to transaction PFCG.
3. On the Role Maintenance screen, enter the Role you want to change. Click the Change button.
4. On the Change Role screen, click the Authorizations tab and then click the pencil picture-icon.
5. If you are only adding a start up transaction to the role, skip to step 10. Otherwise, the assumption is that a new authorization object is to be added. On the Change role: Authorizations screen, click the +Manually button.
6. On the Manual selection of authorizations popup, enter the authorization objects that need to be added (e.g. S_DEVELOP, S_PROGRAM, etc.). Click the green ✓ when you are finished.
7. Back on the Change role: Authorizations screen, if all the displayed signal lights are green, skip to step 8. Otherwise, fully expand the lines that are yellow and/or red and supply the necessary information. All signal lights should be green before moving to the next step.
8. On the Change role: Authorizations screen, click the Save picture-icon. You will receive a Data saved confirmation message in the status bar at the bottom of the screen.
9. On the Change role: Authorizations screen, click the red-and-white beach ball picture-icon to generate a profile from the saved role. Reply affirmatively to any confirmation popups. You will receive a Profile(s) created message in the status bar at the bottom of the screen. If you do not need to add any start up transactions to the profile, you may now leave the PFCG transaction.
10. On the Change Role: Authorizations screen, expand Cross-application Authorization Objects -> Authorization Check for Transaction Start -> Authorization Check for Transaction Start until you see the Transaction code entry line. Double-click on the entry portion of the Transaction code line.
11. In the Maintain Field Values popup, scroll down the list until you find a blank From and To line. Enter the transaction(s) to be added, and click the Save picture-icon when you have finished.
12. On the Change role: Authorizations screen, click the Save picture-icon. You will receive a Data saved confirmation message in the status bar at the bottom of the screen.
13. On the Change role: Authorizations screen, click the red-and-white beach ball picture-icon to generate a profile from the saved role. Reply affirmatively to any confirmation popups. You will receive a Profile(s) created message in the status bar at the bottom of the screen.
14. You may now leave the PFCG transaction.

Granting Transaction access to a user via profile

*** Since SAP R/3 4.5, this is not the standard for user authorizations. ***

Granting Transaction Access to a User via Role

1. Log on to the applicable SAP instance and client.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, fill in the User ID for the user you want to change, either by typing it in or choosing it from the drop down. Click the little yellow pencil Change button.
4. On the Maintain User screen, click on the Roles tab. Fill in the new role in the first available Role field. Press ENTER to confirm that the role exists. Click the Save button.
5. Make sure to use transaction PFCG to run a user comparison to rebuild the role-to-user connections.
6. You may now leave the PFCG transaction.

*** Since SAP R/3 4.5, this is not the standard for user authorizations. ***

Revoking Authorizations from a User via Role

Use the same procedure as Adding Authorization Objects and/or Authorizations to a Role.

Revoking Transaction Access from a User via Profile

*** Remember that profiles are NOT the standard way to implement SAP security. ***

Attaching a Profile to a User

*** Since SAP R/3 4.5, this is not the standard for user authorizations. ***

Attaching a Role to a User

1. Log on to the applicable SAP instance and client.
2. Go to transaction SU01.
3. On the User Maintenance: Initial Screen screen, fill in the User ID for the user you want to change, either by typing it in or choosing it from the drop down. Click the little yellow pencil Change button.
4. On the Maintain User screen, click on the Roles tab. Fill in the new role in the first available Role field. Press ENTER to confirm that the role exists. Click the Save button.
5. Make sure to use transaction PFCG to run a user comparison to rebuild the role-to-user connections.
6. You may now leave the PFCG transaction.
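The rule from the Users, Roles, and Authorizations section (S_TCODE must allow the transaction start, then S_DEVELOP field values limit what can be done) can be reasoned about with a small model. This is an added example, not code from the original document or from SAP: the class, function and sample user names are hypothetical, the role contents are constructed, and it is a simplified model of the check rather than SAP's implementation. It assumes the S_TCODE field is named TCD and that activity code 02 means Change.

```python
"""Simplified model of an SAP-style authorization check (illustrative only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    obj: str      # authorization object, e.g. "S_DEVELOP"
    fields: dict  # field name -> list of allowed entries


def value_allowed(allowed, requested):
    """An entry is '*', a prefix pattern like 'Z*', a (low, high) range, or a single value."""
    for entry in allowed:
        if isinstance(entry, tuple):
            low, high = entry
            if low <= requested <= high:
                return True
        elif entry == "*" or entry == requested:
            return True
        elif entry.endswith("*") and requested.startswith(entry[:-1]):
            return True
    return False


def authority_check(auths, obj, **requested):
    """Pass only if ONE authorization of the object covers every requested field."""
    for auth in auths:
        if auth.obj == obj and all(
            value_allowed(auth.fields.get(name, []), value)
            for name, value in requested.items()
        ):
            return True
    return False


def can_start_and_act(auths, tcode, obj, **requested):
    """Transaction start (S_TCODE) is checked first, then the object itself."""
    if not authority_check(auths, "S_TCODE", TCD=tcode):
        return f"blocked: no S_TCODE entry for {tcode}"
    if not authority_check(auths, obj, **requested):
        return f"blocked: {obj} does not cover the request"
    return "allowed"


ANY = ["*"]


def develop(actvt, devclass=ANY, objname=ANY):
    """Build an S_DEVELOP authorization; unspecified fields default to '*'."""
    return Authorization("S_DEVELOP", {
        "ACTVT": actvt, "DEVCLASS": devclass, "OBJNAME": objname,
        "OBJTYPE": ANY, "P_GROUP": ANY,
    })


SE38 = Authorization("S_TCODE", {"TCD": ["SE38"]})

# Constructed sample users (flattened lists of the authorizations in their profiles).
DISPLAY_ONLY = [SE38, develop(["03"])]   # ACTVT limited to Display (03)
FULL_NO_TCODE = [develop(ANY)]           # full S_DEVELOP, but no S_TCODE entry
SCOPED_DEV = [
    SE38,
    # Create/Change/Display, only in a package range and customer namespaces
    develop(["01", "02", "03"], devclass=[("ZA", "ZM")], objname=["Z*", "Y*"]),
    develop(["03"]),                     # display anything
]

if __name__ == "__main__":
    change_z = dict(ACTVT="02", DEVCLASS="ZFIN", OBJNAME="ZREPORT", OBJTYPE="PROG")
    change_sap = dict(ACTVT="02", DEVCLASS="VA", OBJNAME="SAPMV45A", OBJTYPE="PROG")
    for name, user in [("DISPLAY_ONLY", DISPLAY_ONLY),
                       ("FULL_NO_TCODE", FULL_NO_TCODE),
                       ("SCOPED_DEV", SCOPED_DEV)]:
        for label, req in [("change Z object", change_z),
                           ("change SAP object", change_sap)]:
            print(name, "|", label, "|",
                  can_start_and_act(user, "SE38", "S_DEVELOP", **req))
```

The SCOPED_DEV case shows why field values are evaluated within a single authorization: Change on Z objects plus Display on everything does not add up to Change on everything.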