SAP Security Online!

Implementing Authorizations

Proper implementation of authorizations is a critical ingredient in maintaining the security of an R/3 system, and it therefore demands a formalised process. A preferred approach involves the following steps:

  1. Defining organizational roles.
  2. Identification of the R/3 functions (menu options) associated with each role.
  3. Identification of the authorizations required for each function.
  4. Designing authorizations and profiles.
  5. Creating authorizations and profiles in the development system.
  6. Testing authorizations and profiles in the quality assurance system.
  7. Transporting authorizations and profiles to the production system.
  8. Assigning profiles to user master records.

 

Steps 1 and 2 are best accomplished using a security model documented in the form of a table. Against each R/3 function (menu option) associated with a role, record the transaction code assigned to that function; for example, the transaction code for creating a general ledger master record is FS01. Transaction codes are short-cuts to menu options and are the link to the authorizations required for each function. R/3 table USOBT lists, for each transaction code, the authorization objects that are checked and the field values SAP proposes for them. Authorization object definitions, both SAP-delivered and customer-defined (those created in addition to SAP's), are held in table TOBJ. Note that USOBT holds SAP's delivered defaults; the customer copy, USOBT_C (maintained with transaction SU24), is the one the Profile Generator reads, so any local adjustments to the proposals belong there.

Steps 3 to 5 may be performed manually as summarised above. Alternatively, from release 3.1G authorizations may be implemented using the Profile Generator (transaction PFCG). This tool uses a graphical interface to identify the authorizations required and to assign field values to them. Activity groups (similar to profiles, and renamed roles from release 4.6C) are defined and the permitted menu options (transaction codes) are selected. The tool proposes field values for the authorizations, which can be accepted or entered by hand, and then generates the profile. Activity groups are assigned to users in the same way as profiles.
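The following is an added example (not code from the original page or from SAP) of steps 1 to 4 carried out programmatically: a security-model table of roles and transaction codes is joined against a USOBT-style extract to derive the authorization objects and proposed field values each role needs, with blank proposals (organizational levels that the designer still has to fill in) reported separately. The USOBT rows, the role names and the CSV layout are constructed for illustration; the authorization objects named are real G/L master data objects, but the rows are not a copy of the table's delivered contents.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed extract in the shape of USOBT (transaction, object, field, proposed
# value).  Illustrative rows only; not a copy of the table's delivered contents.
USOBT_SAMPLE = """\
TCODE,OBJECT,FIELD,LOW
FS01,F_SKA1_BUK,ACTVT,01
FS01,F_SKA1_BUK,BUKRS,
FS01,F_SKA1_KTP,ACTVT,01
FS01,F_SKA1_KTP,KTOPL,
FS02,F_SKA1_BUK,ACTVT,02
FS02,F_SKA1_BUK,BUKRS,
FS03,F_SKA1_BUK,ACTVT,03
FS03,F_SKA1_BUK,BUKRS,
"""

# Security model table from steps 1 and 2: role -> transaction codes.
# Role names are hypothetical.
SECURITY_MODEL = {
    "GL_MASTER_MAINTAIN": ["FS01", "FS02", "FS03"],
    "GL_MASTER_DISPLAY": ["FS03"],
}


def load_usobt(text):
    """Parse the extract into {tcode: [(object, field, proposed_value), ...]}."""
    by_tcode = defaultdict(list)
    for row in csv.DictReader(StringIO(text)):
        by_tcode[row["TCODE"]].append((row["OBJECT"], row["FIELD"], row["LOW"]))
    return dict(by_tcode)


def required_authorizations(tcodes, usobt):
    """Step 3: merge the per-transaction proposals into one set of
    authorizations, {object: {field: sorted values}}.

    S_TCODE/TCD (the start-transaction check) is added for every transaction.
    An empty proposed value is kept as '' so that fields the designer still has
    to supply (organizational levels such as company code BUKRS) stay visible.
    """
    auths = defaultdict(lambda: defaultdict(set))
    for tcode in tcodes:
        auths["S_TCODE"]["TCD"].add(tcode)
        for obj, field, value in usobt.get(tcode, []):
            auths[obj][field].add(value)
    return {obj: {f: sorted(v) for f, v in fields.items()}
            for obj, fields in auths.items()}


def unfilled_fields(auths):
    """Step 4 checklist: (object, field) pairs whose value is still blank."""
    return sorted((obj, f) for obj, fields in auths.items()
                  for f, values in fields.items() if "" in values)


def design_for_model(model, usobt):
    """Run steps 1 to 3 for every role in the security model."""
    return {role: required_authorizations(tcodes, usobt)
            for role, tcodes in model.items()}


if __name__ == "__main__":
    designs = design_for_model(SECURITY_MODEL, load_usobt(USOBT_SAMPLE))
    for role, auths in designs.items():
        print(role)
        for obj, fields in sorted(auths.items()):
            for field, values in sorted(fields.items()):
                print(f"  {obj:<12} {field:<6} {values}")
        print("  to be supplied:", unfilled_fields(auths))
```

The merge is deliberately a union of proposed values: a maintenance role that contains FS01, FS02 and FS03 ends up with ACTVT 01, 02 and 03 on F_SKA1_BUK, which is what the Profile Generator would propose as well. The blank BUKRS and KTOPL entries are the values the designer must decide on in step 4 rather than accept a '*' for.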

Predefined activity groups (roles) are delivered with SAP. These can be used as the starting point for developer and Basis roles, although some modification is usually needed. For functional (business) roles it is better to build the role from scratch.

 

SECURITY CONSIDERATIONS

  • Authorizations where a ‘*’ (full) value has been given should be reviewed to establish whether the value is appropriate. Wherever possible, ‘*’ values should be limited and replaced with specific values, since ‘*’ grants every value of the field.
  • As with all user administration functionality, access to role maintenance activities should be controlled. The following transactions give access to role and profile maintenance and should be restricted accordingly:

 

Tcode   Name                        Description
PFCG    Profile Generator           Tool for the maintenance of roles and profiles.
SU01    Maintain User               Creation and maintenance of user master records, including password resets by system administrators.
SU02    Profile Maintenance         Direct maintenance of profiles (not recommended in release 4.0A or above; use the Profile Generator instead).
SU03    Authorization Maintenance   Direct maintenance of authorizations (not recommended in release 4.0A or above).

  • Access to role administration should be tightly controlled and restricted to the relevant user administration staff. The following customizing transactions also allow direct access to profile maintenance and should be restricted in the same way:

OY21, GCE2, O002, OBZ8, OD03, OIBP, OMDM, OMEI, OMM0, OMSO, OMWG, OOPR, OP15, OPCB, OPE9, OPJ1
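As an added example (not code from the original page or from SAP) of the three security considerations above, the script below reviews a role authorization extract for ‘*’ values and reports which roles can start any of the restricted transactions listed on this page. The point it makes beyond the bullets is that a restricted transaction can be granted without ever appearing explicitly: an S_TCODE value of SU* covers SU01, SU02 and SU03, and a LOW/HIGH range covers everything between its bounds, so a review that only searches for the literal transaction code will miss them. The extract layout (ROLE, OBJECT, FIELD, LOW, HIGH), the role names and the values are constructed for illustration.

```python
import csv
from io import StringIO

# Transactions the text says must be restricted (role/profile maintenance and
# the customizing transactions that branch into profile maintenance).
RESTRICTED_TCODES = {
    "PFCG", "SU01", "SU02", "SU03",
    "OY21", "GCE2", "O002", "OBZ8", "OD03", "OIBP", "OMDM", "OMEI",
    "OMM0", "OMSO", "OMWG", "OOPR", "OP15", "OPCB", "OPE9", "OPJ1",
}

# Constructed extract of role authorization data (ROLE, OBJECT, FIELD, LOW, HIGH).
# Role names and values are hypothetical.
ROLE_AUTHS = """\
ROLE,OBJECT,FIELD,LOW,HIGH
Z_FI_GL_MAINTAIN,S_TCODE,TCD,FS01,FS03
Z_FI_GL_MAINTAIN,F_SKA1_BUK,ACTVT,*,
Z_FI_GL_MAINTAIN,F_SKA1_BUK,BUKRS,1000,
Z_BASIS_USERADMIN,S_TCODE,TCD,SU*,
Z_BASIS_USERADMIN,S_USER_GRP,ACTVT,*,
Z_BASIS_USERADMIN,S_USER_GRP,CLASS,*,
Z_MM_CONFIG,S_TCODE,TCD,OMDM,
Z_MM_CONFIG,S_TCODE,TCD,ME21,ME29
"""


def load_role_auths(text):
    """Parse the extract into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def value_covers(low, high, target):
    """Whether one LOW/HIGH entry grants `target`: a bare '*' grants everything,
    a trailing '*' is a prefix pattern (SU* grants SU01), a non-empty HIGH makes
    LOW..HIGH a range, otherwise the match must be exact."""
    if low == "*":
        return True
    if low.endswith("*"):
        return target.startswith(low[:-1])
    if high:
        return low <= target <= high
    return low == target


def find_wildcards(rows):
    """First bullet: every role/object/field whose value contains '*'."""
    return sorted({(r["ROLE"], r["OBJECT"], r["FIELD"], r["LOW"])
                   for r in rows if "*" in r["LOW"]})


def roles_granting(rows, tcodes):
    """Second and third bullets: for each restricted transaction, the roles whose
    S_TCODE entries cover it, whether explicitly, by pattern or by range."""
    hits = {}
    for r in rows:
        if r["OBJECT"] != "S_TCODE" or r["FIELD"] != "TCD":
            continue
        for t in tcodes:
            if value_covers(r["LOW"], r["HIGH"], t):
                hits.setdefault(t, set()).add(r["ROLE"])
    return hits


if __name__ == "__main__":
    rows = load_role_auths(ROLE_AUTHS)
    print("'*' values to review:")
    for role, obj, field, value in find_wildcards(rows):
        print(f"  {role:<20} {obj:<12} {field:<6} {value}")
    print("restricted transactions granted via S_TCODE:")
    for tcode, roles in sorted(roles_granting(rows, RESTRICTED_TCODES).items()):
        print(f"  {tcode:<6} {sorted(roles)}")
```

S_TCODE only governs starting a transaction; the maintenance itself is further checked against the S_USER_* objects (S_USER_GRP for user master records, for example), so a full review extends the same coverage test to those objects. Running the script on a real extract from the role authorization tables, rather than the constructed rows, is a straightforward substitution of the input.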




 
Copyright © 2005 - 2007 SAP Security Online.com All Rights Reserved.