SAP Authorizations:
Is it now difficult or easy?
Johan Hermans
CEO
johan.hermans@csi-tools.com
SAP Security 2014 – Protecting Your SAP Systems
Against Hackers And Industrial Espionage
©CSItools.AllRightsReserved.
2
Johan Hermans
Licentiate commercial and financial sciences, 1992,
EHSAL, specialization accountancy
Certified Information Systems Auditor (CISA), 1997
Certified BBP mySAP.com Consultant, 2000
Certified SAP NetWeaver Security Consultant, 2004
Certified Information Security Manager (CISM), 2005
Certified in Risk and Information System Control
(CRISC) 2011
Founder of CSI tools in 1997
Assisted over 400 companies and organizations to
improve the access rights in SAP environments
SAP authorizations
The basics of SAP authorizations are not understood
People make it way too complex
Let us start with some eye-openers
Demonstration in SAP R/3
Parameter Transactions
Demonstration in SAP R/3
You can post an A/P document with an A/R transaction
Also with Enjoy transactions
You can post an A/P document with an A/R transaction
Report Tree Transactions
Give Access
OB52: C FI Maintain Table T001B
S_ALR_87003642: IMG Activity: SIMG_CFMENUORFBOB52
PFCG: Role Maintenance
S_ALR_87003541: IMG Activity: ORIP_SU01
S_ALR_87003755: IMG Activity: SIMG_CFMENUORK1PFCG
S_ALR_87005766: IMG Activity: SIMG_CFMENUORKEPFCG
S_BCE_68000373: IMG Activity: PROF_GEN_PFCG
…
Demonstration in SAP R/3
Start transaction code SE37
Execute function module 'SUPRN_INS_OR_DEL_PROFILE'
Enter user-id, profile (here SAP_ALL) to add, and action
Required Authorizations or
S_TCODE = SE37
S_DEVELOP: ACTVT = 03, 16; OBJTYPE = FUGR; OBJNAME = SUPRN
Execute any ABAP, function module, … via SM37
Start transaction SM37
Select a Job
Select a Step
Select a Program
GoTo Program
Other Object (Shift + F5)
Test (F8)
Demonstration in SAP R/3
Using RFC, you can download all table content without SE16
Two Core Elements in SAP Application Security

Key question                                   Transaction codes            Authorization Objects
How many exist in an SAP ECC 6.0 system?
  Typical reply by security administrators     20.000                       A multiple of 20k
  Reality                                      + 150.000                    1.000 for "R/3" functionality
Purpose?
  Typical reply by security administrators     To manage access rights      To restrict on organizational levels
  Purpose!                                     Only first line of defense   To manage access rights
Manage with +1 000 SAP authorization objects and not +150.000 transactions
9 for posting FI documents     -> F_BKPF_...
9 for vendor master data       -> F_LFA1_...
9 for customer master data     -> F_KNA1_...
24 for material master data    -> M_MATE_...
2 for payments                 -> F_REGU_...
1.000 objects are grouped into -> 300 (example: company code: BUKRS)
Your authorization requirements can be simplified into 300 one-liners
+ 150 000 transaction codes: nobody can know them all, which is THE risk
TSTCA check
S_TCODE: transaction code check, !! only once !!
Authority check on authorization objects
[Figure: the entry points to the DATA tables: command field, transaction code, menu, ABAP programs]
Most applications audit only on +500 transaction codes with a path defined
[Figure: user interface -> application server -> database server (data to be protected). F-22 and FB01 both reach program SAPMF05A (SAPMF05ATOP) and its authority check on F_BKPF_ with ACTVT = 01: 150.000 possible entries, 300 kinds of objects, millions of combinations]
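The two points above (S_TCODE is only a first line of defense, and FB01 and F-22 run into the same authority check on F_BKPF_ with ACTVT = 01) can be turned into a "who can do what" query by core authorization object. The following is an added example written for this page, not SAP code and not a CSI tools product: a simplified model of AUTHORITY-CHECK matching (exact value or '*', no ranges, no deactivated checks), constructed users named CLERK_A, CLERK_B and AUDITOR, and two actions built only from the objects, fields and values the deck lists (S_DEVELOP is reduced to the three fields named on the SE37 slide). It reports which users hold the core authorization for an action, independent of which transactions they can start.

```python
"""Toy evaluator for SAP authority checks: ask 'who can do what' by core
authorization object instead of by transaction code.

Constructed example for this write-up, not SAP code and not CSI tools' code.
Assumptions: only exact values and the '*' wildcard are matched (no ranges,
no deactivated checks); S_DEVELOP is reduced to ACTVT, OBJTYPE and OBJNAME.
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. F_BKPF_BUK
    fields: dict  # field name -> set of permitted values; '*' means all


def field_matches(permitted: set, value: str) -> bool:
    """A single field passes when the value is listed or '*' is held."""
    return "*" in permitted or value in permitted


def authority_check(auths, obj, **requested) -> bool:
    """Mimics AUTHORITY-CHECK: every requested field must match within ONE
    authorization for the object (AND); several authorizations for the same
    object are alternatives (OR)."""
    return any(
        a.obj == obj
        and all(field_matches(a.fields.get(f, set()), v) for f, v in requested.items())
        for a in auths
    )


@dataclass
class Action:
    name: str
    core_checks: list   # [(object, {field: value})], all must pass
    entry_tcodes: list  # transactions known to lead to those checks


def who_can(users, action):
    """Per user: is the core authorization present (potential access), and
    which of the known entry transactions can additionally be started."""
    report = {}
    for name, auths in users.items():
        core = all(authority_check(auths, obj, **req) for obj, req in action.core_checks)
        tcodes = [t for t in action.entry_tcodes if authority_check(auths, "S_TCODE", TCD=t)]
        report[name] = {"core": core, "tcodes": tcodes}
    return report


def core_holders(users, action):
    """Sorted user names whose core authorization covers the action,
    whatever transactions they can or cannot start."""
    return sorted(n for n, r in who_can(users, action).items() if r["core"])


# Constructed users (names are invented; objects, fields and values follow the deck).
USERS = {
    "CLERK_A": [
        Authorization("S_TCODE", {"TCD": {"FB01"}}),
        Authorization("F_BKPF_BUK", {"ACTVT": {"01", "03"}, "BUKRS": {"1000"}}),
    ],
    # CLERK_B lost S_TCODE for FB01 but keeps the core object, and holds the
    # S_DEVELOP values listed for the SE37 demonstration.
    "CLERK_B": [
        Authorization("S_TCODE", {"TCD": {"F-22", "SE37"}}),
        Authorization("F_BKPF_BUK", {"ACTVT": {"01"}, "BUKRS": {"1000"}}),
        Authorization("S_DEVELOP", {"ACTVT": {"03", "16"}, "OBJTYPE": {"FUGR"}, "OBJNAME": {"SUPRN"}}),
    ],
    "AUDITOR": [
        Authorization("S_TCODE", {"TCD": {"FB01", "FB03"}}),
        Authorization("F_BKPF_BUK", {"ACTVT": {"03"}, "BUKRS": {"*"}}),
    ],
}

# FB01, F-22 and FB60 all end up in the same authority check on F_BKPF_ with ACTVT = 01.
POST_FI_1000 = Action(
    "post FI document in company code 1000",
    [("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "1000"})],
    ["FB01", "F-22", "FB60"],
)
# The authorizations the deck lists for running function group SUPRN from SE37.
TEST_SUPRN_SE37 = Action(
    "execute function group SUPRN via SE37",
    [("S_DEVELOP", {"ACTVT": "16", "OBJTYPE": "FUGR", "OBJNAME": "SUPRN"})],
    ["SE37"],
)

if __name__ == "__main__":
    for action in (POST_FI_1000, TEST_SUPRN_SE37):
        print(action.name)
        for user, r in who_can(USERS, action).items():
            print(f"  {user}: core={r['core']} startable={r['tcodes']}")
```

Run it as a script. The point to take from the output is that CLERK_B, who had S_TCODE for FB01 removed, still holds the core F_BKPF_BUK ACTVT 01 authorization and therefore still has potential access (here reachable via F-22), while the AUDITOR can start FB01 but fails the core check: reviewing by core object, not by transaction code, is what finds both cases.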
Authority checks are sequential: you
cannot tell which path will be followed!
Reveal inconsistencies: who has access to the data, who can start the transaction
[Figure: user interface -> application server -> database server (data to be protected). F-22 and FB01 both reach program SAPMF05A (SAPMF05ATOP) and its authority check on F_BKPF_ with ACTVT = 01: 150.000 possible entries, 300 kinds of objects, millions of combinations]
Find inconsistencies in what people can do, did and can almost do
[Figure: entry points (command field, transaction code, menu, ABAP programs) to the DATA tables; Confidentiality, Integrity, Availability; Authorizations? F_BKPF_* is reached from FB01, F-22, ABAD, F-91, F.43, F.18, FB60, FB75, …]
Role Concept Challenges
Multiple users need multiple transactions.
Users need only access to specific data in display or maintenance mode. They use transactions to get there.
SAP has some 100.000 transactions.
The number of users can vary from 20 to 1.000.000.
The average number of used transactions within a company can vary over time from 2000 to 8000.
Let's make a case: 600 users, 3000 tcodes …
Possible Scenarios: Extreme Cases
600 Users, 3000 Transactions
[Diagram: organizational extreme: 600 roles (what, where); technical extreme: 3000 roles, 1 role / transaction (what); 12000 roles (what, where)]
Possible Scenarios: 1 Role per User (600 Users, 600 Roles)
Technical
  Advantage: Easy to build: group transactions and create role
  Disadvantage: Cannot separate "create for company code 1000" and "display for company code 3000" without breaking PFCG best practices
Functional
  Advantage: Nice overview of all transactions per user
  Disadvantages:
  • Complex and often long interviewing cycles
  • Nightmare from change management perspective
  • Unclear ownership (access to multiple (sub)processes and organizational data in one role)
  • SoD rule changes have major impact on the roles
Possible Scenarios: 1 Role per Transaction (3000 Transactions, 3000 Master Roles)
Technical
  Advantage: Very easy to build: put each transaction in a separate role
  Disadvantages:
  • Huge amount of roles to initially create and to maintain after data restriction changes
  • A user cannot have more than 300 assigned roles (*)
Functional
  Advantage: Very transparent; all is at user assignment level
  Disadvantage:
  • Heavy user request procedure: the user needs to request 300 to 400 roles and does not have this knowledge
(*) Simplified: the real limit is 312 profiles per user-id
Possible Scenarios: Solution in Between
600 Users, 3000 Transactions
[Diagram: organizational extreme: 600 roles (what, where); technical extreme: 3000 roles, 1 role / transaction (what); 12000 roles (what, where); the solution in between (what, where)]
Possible Scenarios: Intermediate Conclusion
An SAP role concept built on the technical view: grouping of transactions is needed.
An SAP role concept built on the organizational view: roles should be transparent for business, easy to manage and flexible.
Intelligent grouping of transactions and authorizations is needed.
Try to Group 2 Transaction Codes in 1 Role
FK01 (create vendor for company code 1000), $BUKRS = 1000:
  F_LFA1_APP  ACTVT 01
  F_LFA1_APP  APPKZ F
  F_LFA1_BUK  ACTVT 01
  F_LFA1_BUK  BUKRS $BUKRS
  F_LFA1_GEN  ACTVT 01
  F_LFA1_GRP  ACTVT 01
  F_LFA1_GRP  (second field left empty)
FB03 (display all A/P postings), $BUKRS = *:
  F_BKPF_BUK  ACTVT 03
  F_BKPF_BUK  BUKRS $BUKRS
  F_BKPF_KOA  ACTVT 03
  F_BKPF_KOA  KOART K
FK01 and FB03 in one role (create vendor for company code 1000 and display all A/P postings): the same authorizations, but a single organizational level $BUKRS = ???? for both
Technical issue: * vs 1000 (what vs where)
Different business processes use the same master data: so process-based grouping is NOT the solution
Possible Scenarios: Data Level Based!
9 for posting FI documents     -> F_BKPF_...
9 for vendor master data       -> F_LFA1_...
9 for customer master data     -> F_KNA1_...
24 for material master data    -> M_MATE_...
2 for payments                 -> F_REGU_...
1.000 objects are grouped into -> 300 (example: company code BUKRS)
Your authorization requirements need to be simplified into 300 one-liners
Possible Scenarios: Data Level Based?
post FI docs (FB01):           F_BKPF_...  ACTVT 01  BUKRS 1000
display vendor master data:    F_LFA1_...  ACTVT 03  BUKRS *
update customer master data:   F_KNA1_...  ACTVT 02  BUKRS 2000
display material master:       M_MATE_...  ACTVT 03  WERKS 3000
Full flexibility on what and where
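As an added example for the FK01/FB03 grouping problem above and for the data-level one-liners on this slide (written for this page; not SAP's or CSI tools' code, reduced to the fields shown on the slides, with exact-value or '*' matching only), the following model builds the combined role with a single $BUKRS organizational level and compares it with two data-level roles combined at user level. The role names and the 3000 company code used as the "other" company code are invented.

```python
"""Constructed model of PFCG-style roles with an organizational level placeholder.

Shows why grouping FK01 (create vendor for company code 1000) and FB03
(display all A/P postings) into one role cannot express both 'what' and
'where', and how data-level one-liner roles combined at user level can.
Example code written for this write-up, not SAP's or CSI tools'. Field lists
are cut down to the fields on the slide; matching is exact value or '*'.
"""
from copy import deepcopy

# Role template for the two transactions as listed on the slide. '$BUKRS' is
# the organizational level, filled in when the role is built.
FK01_FB03_TEMPLATE = {
    "F_LFA1_APP": {"ACTVT": {"01"}, "APPKZ": {"F"}},
    "F_LFA1_BUK": {"ACTVT": {"01"}, "BUKRS": {"$BUKRS"}},
    "F_LFA1_GEN": {"ACTVT": {"01"}},
    "F_LFA1_GRP": {"ACTVT": {"01"}},
    "F_BKPF_BUK": {"ACTVT": {"03"}, "BUKRS": {"$BUKRS"}},
    "F_BKPF_KOA": {"ACTVT": {"03"}, "KOART": {"K"}},
}


def build_role(template, **org_levels):
    """Return a copy of the template with '$NAME' placeholders replaced by the
    organizational level values given (e.g. BUKRS='1000' or BUKRS='*')."""
    role = deepcopy(template)
    for auth in role.values():
        for fld, values in auth.items():
            auth[fld] = {org_levels.get(v[1:], v) if v.startswith("$") else v for v in values}
    return role


def effective_auths(roles):
    """A user's buffer: every (object, fields) authorization from every assigned role."""
    return [(obj, fields) for role in roles for obj, fields in role.items()]


def passes(auths, obj, **requested):
    """Authority check: one authorization for the object must match all requested fields."""
    return any(
        o == obj and all("*" in f.get(k, set()) or v in f.get(k, set()) for k, v in requested.items())
        for o, f in auths
    )


def can_create_vendor(roles, bukrs):
    auths = effective_auths(roles)
    return (passes(auths, "F_LFA1_APP", ACTVT="01", APPKZ="F")
            and passes(auths, "F_LFA1_BUK", ACTVT="01", BUKRS=bukrs)
            and passes(auths, "F_LFA1_GEN", ACTVT="01"))


def can_display_ap_docs(roles, bukrs):
    auths = effective_auths(roles)
    return (passes(auths, "F_BKPF_BUK", ACTVT="03", BUKRS=bukrs)
            and passes(auths, "F_BKPF_KOA", ACTVT="03", KOART="K"))


def evaluate(roles):
    """Requirement from the slide: create vendors in 1000 only, display A/P
    documents everywhere. Returns (create in 1000, create in 3000, display in
    3000); the intended outcome is (True, False, True)."""
    return (can_create_vendor(roles, "1000"),
            can_create_vendor(roles, "3000"),
            can_display_ap_docs(roles, "3000"))


# One combined role: the single $BUKRS must be either 1000 or *.
ONE_ROLE_1000 = build_role(FK01_FB03_TEMPLATE, BUKRS="1000")
ONE_ROLE_STAR = build_role(FK01_FB03_TEMPLATE, BUKRS="*")

# Data-level roles: one org value per object group, combined at user level.
VENDOR_CREATE_1000 = build_role(
    {k: v for k, v in FK01_FB03_TEMPLATE.items() if k.startswith("F_LFA1")}, BUKRS="1000")
AP_DISPLAY_ALL = build_role(
    {k: v for k, v in FK01_FB03_TEMPLATE.items() if k.startswith("F_BKPF")}, BUKRS="*")

if __name__ == "__main__":
    print("one role, $BUKRS=1000:", evaluate([ONE_ROLE_1000]))  # too little
    print("one role, $BUKRS=*:   ", evaluate([ONE_ROLE_STAR]))  # too much
    print("two data-level roles: ", evaluate([VENDOR_CREATE_1000, AP_DISPLAY_ALL]))
```

With one role, $BUKRS = 1000 withholds the required display of A/P documents in other company codes, and $BUKRS = * additionally grants vendor creation everywhere; only the two data-level roles, each a one-liner of object group, activity and organizational value, give exactly the intended (True, False, True).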
Conclusion
Identifying who can do what is extremely difficult: a million ABAPs, +150k transaction codes, RFC and Web Dynpros … nobody knows all the possibilities!
SAP authorizations are extremely easy:
If you have the core authorization, you have potential access.
If you should not have access, remove the core authorization.
And do not forget that authority checks are a completely different story!
Use applications that focus on authorizations and not on transaction codes.
Small last remark
Do not forget that you can disable authority checks!
Thank you!
Any Questions?
Johan Hermans
CEO
johan.hermans@csi-tools.com

CSI tools SAP Authorization Presentation TROOPERS 2014
