SAP Authorization Objects PDF
Summary
This document provides a list of SAP transaction codes, objects, and roles. It details general authorization objects for ABAP Workbench and powerful authorization objects. It also covers user maintenance and related functionalities within the SAP system.
Full Transcript
AUTHORIZATION OBJECTS
S_TCODE - Starting transactions
S_START - Starting Web Dynpro applications
S_PROGRAM - Starting reports
S_RFC - Calling RFC function modules
S_TABU_DIS - Generic table access
S_TABU_NAM - Table access (specific)
P_TCODE - Human Resources transactions
Q_TCODE - Quality Maintenance transactions
I_TCODE - Plant Maintenance transactions
L_TCODE - Warehouse Management transactions
B_EM_TCODE - Logistics transaction codes
D_SD_TCODE - Direct store delivery transactions
V_SO_TCODE - Vehicle space optimization transactions
S_DEVELOP - General authorization object for ABAP Workbench objects. Used to grant access authorization for all ABAP Workbench components.
S_RS_COMP - Powerful authorization object that lets you choose how to secure. Authorization for using different components for the query definition.
S_RS_COMP1 - Authorization for queries from a specific owner
S_RS_FOLD - Display authorization for the InfoAreas folder
S_RS_MPRO - Authorization for MultiProviders
S_GUI - Authorization for GUI activities
S_BDS_DS - Authorization for document set
S_USER_AGR - Authorization for role check
S_USER_TCD - Transactions in role
S_RS_ADMWB - Authorization for working with individual objects of the Data Warehousing Workbench
S_RS_AUTH - Authorization for maintaining analysis authorizations
S_BTCH_JOB - Authorization for processing a job

TRANSACTION CODES
SU01 - User maintenance
SU10 - Mass user maintenance
SU01D - User maintenance (display)
PFCG - Role maintenance / Profile Generator, to create roles and assign authorizations
SU24 - Authorization check indicator; maintain all the objects
SE16 - Data Browser
SE16D - General Table Display
SE17 - General Table Display (simplified)
SM30/SM31 - Table maintenance views
SE11/SE12 - ABAP Dictionary
RSCSAUTH - Assign authorization to all executable programs, or to individual programs or groups. Transaction code in which all authorization groups for a specific program can be seen.
SA38 - Used to run reports
SU25 - The SAP-provided tools for security upgrades are accessed using this transaction code
PFUD - Compare user assignment
SM01 - Lock/unlock transaction codes
SM04 - Determine the list of users accessing the system
SU21 - Maintain authorization objects
SU20 - Create, change, display authorization fields
SU1 - Maintain user profile: address
SU2 - Maintain user profile: address and parameters
SU3 - Maintain user profile: address, defaults, and parameters
SUGR - Create user group
SUPC - Mass generation of profiles
SE54 - Generate table maintenance dialog
SU02 (old tcode) - Create authorization profiles manually
SU03 (old tcode) - Maintain authorizations and profiles
SUUM (old tcode) - Global User Manager; similar to SU02
SECR (old tcode) - Audit Information System; assists in auditing both technical and business controls in the SAP system
SU53 - Display authorization failure
ST01 - System trace; usually used when SU53 isn't enough to debug the authorization error
SU56 - User authorization buffer
SLG1 - Analyze application logs (for checking)
SUIM - User Information System; a popular transaction in SAP, used for investigations
RSA1 - Display the BW Administrator Workbench
RSD1 - InfoObject maintenance
RSECADMIN - Troubleshooting; create analysis authorizations
RRMX - Display all queries in Excel form
/N/UI2/FLP - Tcode to open SAP Fiori
/N/UI2/FLPD_CONF - Access the launchpad designer (all clients)
/N/UI2/FLPD_CUST - Access the launchpad designer (client specific)
PFCGMASSVAL - Tcode for mass maintenance of authorization values
SUPO - Maintain org levels
SCC4 - Used to define the client
SE06 - Can set up the Workbench Organizer and Correction & Transport System
SE38 - Can perform development-related functions in the production system
SM12 - Remove the lock entries when two processes are accessing the same source.
ST03 - Workload and performance statistics

TABLES
USOBT_C - Contains the authorization proposal flags, which define the authorization objects relevant for a transaction or application
USOBX_C - Contains all objects maintained within an application, regardless of its proposal
TDDAT - Where the mapping is performed; maps the authorization group to a list of tables
USR01 - User master table: contains the information we provide in SU01 / log time data
USR02 - Logon data, lock status, password in encrypted form / manage user group
USR03 - User address data as we see it in SU01
USR04 - Profiles assigned to user
USR05 - Parameters assigned to users
USRSTAMP - Last modification time of a user
USREFUS - Table to get the reference user assigned to a user
AGR_1251 - List of authorization objects inside a role
AGR_1252 - Organizational elements for authorizations
AGR_DEFINE - Role definition; also includes the parent-derived role mapping
AGR_USERS - Roles assigned to users
AGR_AGRS - Roles in a composite role
TOBJ - Authorization objects
USOBT - Relation transaction > authorization object
USOBX - Check table for table USOBT
UST04 - User profiles
USR10 - Authorization profiles
USR12 - Authorization values
USR40 - Table of illegal passwords
USGRP - User groups
USH02 - Change history for logon data
USER_ADDR - Address data for users
AGR_HIER2 - Menu structure information (customer)
AGR_PROF - Profile name for role
AGR_TEXTS - File structure for hierarchical menu
AGR_TIME - Time stamp for role, including profile
RSDCHA - Characteristics catalog
RSDCUBE - Directory of InfoCubes / InfoProviders
RSECVAL - Authorization value status
RSRREPDIR - Directory of all reports
RSZELTDIR - Directory of the reporting component elements

WHAT IS SAP?
Systems, Applications, and Products in Data Processing. A multinational software corporation that provides enterprise resource planning (ERP) software to manage business operations and customer relations. SAP software helps companies manage their financials, logistics, supply chain, human resources, and other business functions.
AUTHORIZATION CONCEPT
Transactions > Roles > User
User > User Master Record > SAP Role > Authorizations > Authorization object > Authorization field > Authorization value
User Master Record - contains all information about the corresponding user, including authorizations.
SAP Role - contains the authorization data and the logon menu for the user.
Authorization - combination of permissible values in each authorization field of an authorization object that enables a user to perform a particular activity in the SAP system.
Authorization Object - the object being checked, along with the values set for it, during the authorization check.
Authorization Field - contains the value that you defined.

USER TYPES
- Dialog (A)
- System (B)
- Communication (C)
- Service (S)
- Reference (L)

STANDARD USERS
- SAP*
- DDIC
- EARLYWATCH
- SAPCPIC
- TMSADM

ELEMENTS OF A ROLE
- Role menu
- Authorizations

SAP_ALL - contains all SAP authorizations
SAP_NEW - profile that is assigned to system users temporarily during an upgrade.
Profile - collection of settings for access rights. The security profile determines the actions (viewing, creating, editing) that a user can perform on various resources.

TYPES OF PROFILES
- Generated authorization profile
- Manual authorization profile
- Composite profile

Role - buckets or containers that hold transaction codes, authorization values and other data; a grouping of privileges.

TYPES OF ROLES
- Single role (assign transactions)
- Composite role (bucket of single roles / collection of single roles)

TYPES OF SINGLE ROLES
- Reference role (parent or master role; used as a reference or template for authorization data restriction/separation)
- Derived role (child role; inherits the menu structure and the functions included in its reference role)

PROFILE PARAMETERS
- Logon
- Password

TRANSACTION CODES
- XXX1 (Create)
- XXX2 (Change)
- XXX3 (Display)

System trace - system-wide trace; tracks authorization issues based on the authorization log
System trace return codes:
- RC = 0 (authorization passed)
- RC = 4 (user has the authorization object but with insufficient field values)
- RC = 12 (both the authorization object and the fields are not in the user buffer)
Complex Selection Criteria - option in SUIM that adds additional filters to the selection

SAP BW (Business Warehouse) - end-to-end data warehousing product designed to jump-start an implementation of data analysis through SAP R/3 or ERP. Also called SAP BI (Business Intelligence).
OLTP - transaction-based security
OLAP - analysis-based security
InfoProviders - refer to all data objects present in the SAP BW system. The source of data for reports.
MultiProviders / MultiCubes - logical structures that do not contain data. Provide access to data from several InfoCubes and make the data available for reporting and analysis.
Data Store Object (DSO) - formerly ODS; a dataset formed as a result of merging data from one or more InfoSources.
InfoArea - serves like a folder where InfoCubes, InfoObjects, DSOs and MultiProviders are grouped together (groups of InfoCubes).
InfoObjects - the fundamental building blocks and the smallest information modules or fields in BW (field).
Key Figures - operational attributes that indicate numerical measures.
Characteristics - descriptive attributes used to describe the entities.
InfoCubes - multidimensional data storage containers for reporting and analysis of data (actual data).
Data Sources - a source that sends data to a particular InfoSource in BW.
InfoSource - describes the quantity of all data available for a business transaction.
Difference between DSO and InfoCube - in a DSO, data is stored in flat (two-dimensional) tables; an InfoCube is multidimensional.

BW AUTHORIZATION CONCEPT
- User
- User role
- InfoAreas
- InfoCubes
- Queries
- InfoObjects (key figures)
- InfoObjects (characteristic values)

0BI_ALL - just like SAP_ALL, grants authorizations to all
3 default objects in analysis authorizations (AA):
- activity in AA
- authorization for InfoProvider
- validity of authorization
BW-specific object values:
- colon (:) enables summary data to be reported for characteristic levels
- pound (#): when data is loaded into SAP BW, some fields may be marked as "no value assigned"
SAP Business Explorer (BEx) - the SAP Business Information Warehouse reporting tool used to work with data in the BW database.
BEx Designer - create reports

SAP BTP (SAP BUSINESS TECHNOLOGY PLATFORM)
Integrated offering comprised of four technology portfolios:
- database and data management
- application development and integration
- analytics
- intelligent technologies
SAP BTP history
- NetWeaver Cloud; NetWeaver On-Demand (Neo)
- Renamed to SAP HANA Cloud Platform
- Renamed to SAP Cloud Platform
- ABAP Environment added to the SAP Cloud Platform
- Kyma Environment added to the SAP Cloud Platform
- Renamed to SAP BTP
Global Account - reflection of a contract with SAP
Subaccounts - have 3 environments:
- Cloud Foundry
- Kyma Environment
- ABAP Environment
User Management
- Global Account Administrator: creates the subaccounts
- Subaccount Administrator: creates the other subaccounts and business users
Role Collections - consist of individual roles that combine authorizations for services and resources
SAP ID Service
- default IdP in SAP BTP
- pre-configured standard SAP public IdP that is shared by all customers
- place where S-Users, P-Users and D-Users are managed
SAP Cloud Identity Services - two services: Identity Authentication and Identity Provisioning
Identity Authentication
- responsible for authentication and SSO
- previously known as SAP Cloud ID service
Identity Provisioning
- takes care of identity lifecycle management for users and groups
- for cloud and on-premise business applications
SAP Authorization and Trust Management Service
- also called XSUAA
- handles the authorization flow
- UAA: open-source component that handles authentication and authorization
App Router
- used to provide a single entry point
- a Node.js based app
- based on a config file called xs-app.json, which defines the routes served by the app router and which XSUAA service instance is bound

SAP FIORI
New user experience (UX) for SAP software and applications. Provides a vast range of role-based applications (finance, human resources, sales, etc.). Provides a consistent and holistic user experience.
SAP Fiori Design Principles
- Role-based
- Coherent
- Simple
- Adaptive
- Delightful
SAP Fiori Launchpad - end user's view
SAP Fiori Launchpad Designer (FLPD) - front end
To access the launchpad designer:
- /n/ui2/flpd/conf - all clients
- /n/ui2/flpd/cust - client specific
SAP GUI/PFCG - back end
Difference between the Fiori launchpad and the launchpad designer:
- the Fiori launchpad is the app that can be configured, navigated and embedded; the user can view and run tiles
- the launchpad designer is used to manage catalogs, groups and tiles
Tile - used to launch an application from the homepage
Catalog - set of applications a user can use and add to his homepage
Group - predefined set of tiles a user sees on his homepage
TYPES OF FIORI APPLICATION
- Transactional apps (transactional tasks; this is where end users work)
- Fact sheets (display contextual info)
- Analytical apps (more on graphs)
FIORI LIBRARY - metadata repository; has the data for activating apps.
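The authorization concept and the System trace return codes (RC 0, 4 and 12) described earlier in these notes can be modelled in a few lines. The following is an added illustration written for this page, not SAP code: it holds a user's authorization buffer as object > field > permitted values (what SU56 shows), performs the check the way the notes describe it (every required field value must be satisfied within one and the same authorization for the object), returns the return code together with the failing fields, and prints an SU53-style summary. The user names, buffer contents and the field subsets of S_TCODE, S_TABU_DIS and S_DEVELOP are constructed sample data.

```python
"""Model of the SAP authorization check and the System trace return codes.

Added illustration, not SAP code. The buffers below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

RC_PASSED = 0        # authorization passed
RC_FIELD_VALUES = 4  # object in buffer, but field values insufficient
RC_NO_OBJECT = 12    # object not in the user's authorization buffer

RC_TEXT = {
    RC_PASSED: "authorization passed",
    RC_FIELD_VALUES: "user has the authorization object but with insufficient field values",
    RC_NO_OBJECT: "authorization object not in the user buffer",
}

# A permitted value is a single value, "*" (all), a trailing-* pattern, or a (low, high) range.
Permitted = Union[str, Tuple[str, str]]


@dataclass
class Authorization:
    """One authorization: an object with permitted values per field."""
    obj: str
    fields: Dict[str, List[Permitted]]


@dataclass
class UserBuffer:
    """The authorizations loaded for a user (what SU56 would show)."""
    uname: str
    auths: List[Authorization] = field(default_factory=list)


def value_permitted(permitted: List[Permitted], value: str) -> bool:
    """True if `value` is covered by any permitted entry of a field."""
    for p in permitted:
        if isinstance(p, tuple):
            low, high = p
            if low <= value <= high:
                return True
        elif p == "*":
            return True
        elif p.endswith("*") and value.startswith(p[:-1]):
            return True
        elif p == value:
            return True
    return False


def authority_check(buffer: UserBuffer, obj: str, required: Dict[str, str]) -> Tuple[int, List[str]]:
    """Check `required` field values against the user's buffer.

    Returns (return code, list of failing fields). All required fields must be
    satisfied by one and the same authorization for the object; values are not
    combined across authorizations.
    """
    candidates = [a for a in buffer.auths if a.obj == obj]
    if not candidates:
        return RC_NO_OBJECT, list(required)
    best_failing: List[str] = list(required)
    for auth in candidates:
        failing = [f for f, v in required.items()
                   if not value_permitted(auth.fields.get(f, []), v)]
        if not failing:
            return RC_PASSED, []
        if len(failing) < len(best_failing):
            best_failing = failing
    return RC_FIELD_VALUES, best_failing


def failure_report(buffer: UserBuffer, obj: str, required: Dict[str, str]) -> str:
    """SU53-style summary of a check: what was required and which fields failed."""
    rc, failing = authority_check(buffer, obj, required)
    lines = [f"User {buffer.uname}: check on {obj} -> RC={rc} ({RC_TEXT[rc]})"]
    for f, v in required.items():
        mark = "FAILED" if f in failing else "ok"
        lines.append(f"  {f} = {v}: {mark}")
    return "\n".join(lines)


# Constructed sample buffers (field subsets only; the real objects have more fields).
AUDITOR = UserBuffer("AUDITOR", [
    Authorization("S_TCODE", {"TCD": ["SU53", "SUIM", "SE16"]}),
    Authorization("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["SC", "SS"]}),  # display only
])
DEVELOPER = UserBuffer("DEVELOPER", [
    Authorization("S_TCODE", {"TCD": ["*"]}),
    Authorization("S_DEVELOP", {"DEVCLASS": ["Z*", "$TMP"], "ACTVT": [("01", "03")]}),
])

if __name__ == "__main__":
    print(failure_report(AUDITOR, "S_TCODE", {"TCD": "SUIM"}))                          # RC=0
    print(failure_report(AUDITOR, "S_TABU_DIS", {"ACTVT": "02", "DICBERCLS": "SC"}))    # RC=4, ACTVT fails
    print(failure_report(AUDITOR, "S_DEVELOP", {"DEVCLASS": "ZFI", "ACTVT": "02"}))     # RC=12
    print(failure_report(DEVELOPER, "S_DEVELOP", {"DEVCLASS": "SAPBC", "ACTVT": "02"}))  # RC=4, DEVCLASS fails
```

The AUDITOR buffer shows the difference between RC 4 and RC 12 that the notes attach to ST01: the user holds S_TABU_DIS but only with ACTVT 03, so a change request fails on the field value, while S_DEVELOP is absent from the buffer altogether. The DEVELOPER buffer shows a pattern value (Z*) and a range (01 to 03) being evaluated, which is why a check on a non-customer package still fails even though the activity is permitted.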
Security Admin Tool
- User admin
- Role admin
2 SAP Fiori implementation or deployment options
- Central hub
- On-premises/embedded
AUTH for SAP Fiori
- Catalog ID
- Catalog group
- Role
Authentication - user authentication and Single Sign-On (SSO)
Single Sign-On (SSO) - signing in without using a password
SAML 2.0 - the most commonly used SSO mechanism for SAP Fiori apps
Security Roles
- Front-end roles (configuration)
- Back-end roles (authorizations and range of data)

SAP HANA
- on-premise; cloud; hybrid
- reporting and data analysis
- integrated offering comprised of platform services:
- database and data management
- application development and integration
- analytics
- intelligent technologies
Key Capabilities
- Database services
- Analytics processing
- App development
- Data access
- Administration
- Security
Importance of SAP HANA
- Innovate with confidence
- Protecting corporate information
SAP HANA Studio
- Eclipse-based IDE
- create and manage user authorizations to create or modify existing models
- access local or remote HANA systems
- Administration Console - runtime security configuration
- Development/Modeler - design-time security definition
SAP HANA WEB-BASED TOOLS
- SAP HANA Cockpit: single point of access to tools
- SAP HANA Web-based Development Workbench (Web IDE): user and role editors for XS applications
- XS Administration Tool: tool for XS-specific security configuration and application-specific runtime security configuration
User Types
- Database users: restricted to the CREATE USER and CREATE RESTRICTED USER statements
- Standard users: create objects in their own schema and read data in the system views
- Restricted users: initially no privileges; intended for provisioning users who access SAP HANA
- Technical database users: used for administrative tasks such as creating objects and granting privileges for applications; correspond to real people and technical database users
SYSTEM user
- database superuser
- do not use SYSTEM for day-to-day activity

Database Role - collection of privileges that can be granted to either a database user or another role at runtime
Role Structure
- System privileges: general system authorization
- Object privileges: CRUD on database objects
- Analytic privileges: SAP HANA information models
- Package privileges: repository packages
- Application privileges: enabling access to SAP HANA
_SYS_REPO - owner of all objects in the repository

SAP S/4 HANA
- SAP Business Suite 4 SAP HANA
- 4th version of SAP Business Suite
- runs only on the SAP HANA in-memory database
- easier to use and administer while solving complex problems
- on-premises; cloud; hybrid deployments
- uses the SAP Fiori UI and the traditional SAP GUI
- HANA: database system designed fully in memory
- S/4 HANA: replaces both ERP and BI; real-time analytics and a major reduction in data footprint
Benefits of SAP S/4 HANA
- gain flexibility
- boost ROI
- lower risk
- transform the field
- decide in real time
- scale on demand
SAP S/4 HANA Implementation
- Greenfield approach: also known as greenfield migration; enables complete re-engineering and process simplification; predefined migration objects; lowers time-to-value and TCO and facilitates faster adoption and innovation
- Brownfield approach: also known as system conversion; enables migration without re-implementation and without disruption to existing business processes; re-evaluation of customizations of existing process flows
Importance of SAP S/4 HANA Security
- classic 3-tier architecture
- database layer only accessible via the ECC layer
User Management
- Dialog users: used for SAP GUI
- Internet users: used for SAP web apps
- Technical users
- Service users: dialog users available for a large set of anonymous users
- Communication users: for dialog-free communication between systems
- Background users: used for processing in the background
User License Types
- SAP S/4 HANA Enterprise Management for Developer Use
- SAP S/4 HANA Enterprise Management for Productivity Use
- SAP S/4 HANA Enterprise Management for Functionality Use
- SAP S/4 HANA Enterprise Management for Professional Use

SAP MARKETPLACE
OSS (Online Service System) Notes
- an online SAP service which is accessed via the SAP service portal.
- provides updates on patches involving various SAP modules and up-to-date information on SAP Notes.
SAP Notes
- corrective instructions for bugs or issues found in standard SAP programs and components.
- provide a collection of correction notes for SAP objects, considering the versions and release dates.
SAP Portal
- aka SAP Service Marketplace
- SAP's collaboration website for all SAP customers and partners that provides access to support tools, services and applications, as well as relevant documentation.
S-User ID - used to log in to the SAP Support Portal.
Security's scope in the SAP Marketplace
- manage users
- view incidents
- request keys
SAP Community Network
- the official user community of SAP SE
- to get help, share ideas, learn, innovate and connect with others.
SAP Software Change Registration
- a procedure which registers all manual changes to SAP sources and SAP Dictionary objects.
- Developer key - to register a particular user as a developer
- Object key - to allow changes to SAP sources or SAP Dictionary objects.
SAP Customer Messages / OSS Messages - the tickets we raise to SAP when we require their support concerning SAP implementation, SAP standard bug fixes or defects involving their products.

GRC PC (PROCESS CONTROL)
SETUP CONTROLS - provide comprehensive, end-to-end management of compliance and controls.
DOCUMENT - maintain your compliance and control structures, which includes setting up organizations, business processes, risks and controls.
REPORT - use embedded analytics and reports to provide continuous insight into the status of compliance and controls, based upon reliable, auditable data.
MONITOR - leverage process control automation and backend integration to track.
EVALUATE - schedule end-to-end, workflow-driven tests, assessments, monitoring activities and issue closure.
SCOPE - perform materiality analysis of risks to determine in-scope organizations and processes.

SAP RISK MANAGEMENT - internal and external risk; guides the risk response
RISK RESPONSE - in this risk management phase, document the response measures and current status; allows internal controls
RISK PLANNING - define and consolidate all management frameworks; define the hierarchy
CONTINUOUS MONITORING - process control that provides the infrastructure enabling automation of compliance testing and monitoring, while additional monitoring tools can be added
MASTER DATA - contains the elements that represent the company organization
TYPES OF MASTER DATA
- Central (applies to the entire company)
- Local (applies to data within each organization)
BUSINESS RULE - provides a scalable but easy-to-use interface that can support various automated monitoring processes, such as configurable rules, programmed rules, SoD for Access Control, SAP Query, BI Query and so on.
DATA SOURCE - plays a key role in enabling business rules; the connection between the technical and business side
SCHEDULER - where compliance continuous monitoring tests are scheduled
1st level - when first-level authorization is active, the users assigned to the business user role (SAP_GRC_FN_BUSINESS_USER) are the users available for any entity-user-role assignment. Once a user is assigned to an entity user-role, the user assigned to the entity inherits the authorizations associated with the corresponding application role, as configured in PFCG.
2nd level - the users available for an entity-user-role assignment are restricted to those users who have that specific application role assigned to their user profile. This allows the pool of business users to be segmented into different entity-user-role groups.

Security Audit - an independent review and examination of a system's records and activities to determine the adequacy of system controls.
IT General Controls (ITGC) - ensure the appropriate development and implementation of applications and the integrity of programs, data files and computer operations.
Most common ITGC:
- Creating administrator accounts
- Software lifecycle management
- Patch management
- Access control
- Audit logs
Common weaknesses found in ITGC:
- Inadequate user provisioning and de-provisioning
- Inadequate patch management and IT change management
- Insufficient audit logs
- Deficient software development controls
- Insufficient configuration monitoring
User Provisioning / Deprovisioning - the process of creating, updating and deleting user accounts in an application or system.
Examples of critical SAP standard profiles:
- SAP_ALL
- SAP_NEW
- S_A.SYSTEM
- S_A.ADMIN
GRC - provides reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with laws and regulations
COSO FRAMEWORK
- Developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- The SEC refers to the COSO framework for the definition of internal controls
Multi-Compliance Framework - enables you to manage multiple compliance initiatives more efficiently.
Assessment Surveys in Process Control
- Control design assessment
- Sub-process design assessment
- Self-assessment
- Indirect entity-level control assessment
Types of Effectiveness Tests
- Control test of effectiveness
- Indirect entity-level control test

ARM (ACCESS REQUEST MANAGEMENT)
ARM - Access Request Management: provides a standard and centralized framework to request user access and to review and manage those requests.
The SAP Access Control application allows you to create access requests to obtain access to systems and authorization to perform tasks.
To initiate access request creation:
- End User Logon
- NWBC logon
- Fiori launchpad
Standard Access Request - contains all the information needed for a user request to be properly evaluated
Simplified Access Request - allows more flexibility in the access request form layout
Template Based Request Form - template created for access requests
Copy request - allows an authorized user to quickly replicate details from an existing request
Model user - allows an access request to be created based on a reference to an existing end user
Access request approval:
- review access requests
- analyze access risks
- manage risks
- approve requests
Work inbox simplified - alternative way of displaying access requests
Approval delegation - feature that enables a user to delegate his/her responsibilities to another user for a specific time.
EAM (EMERGENCY ACCESS MANAGEMENT)
Emergency Access Management - enables users to perform activities to solve a business access crisis without compromising extra privileges
GRC system - ECC 6.0, R/3, ABAP
Firefighter - user of the FFID
Firefighter ID - the ID with the elevated access
Owner - handles the firefighter ID and the assignment of who the controllers and firefighters are
Controller - reviews the logs of what the firefighter accessed
ID-based firefighter application - assigned to the user in the GRC system, manually or via compliant user provisioning
Role-based firefighter application - assigned to the user in the GRC system
Centralized firefighter - GRAC_EAM: log on to different systems
Decentralized - /GRCPI/GRIA_EAM: can continue to be used even when the GRC system is not available
Reporting:
- STAD files stored in CDHDR & CDPOS
Tasks of controller:
- Repository object sync - synchronizes the user, role, and profile data
- Firefighter log sync - synchronizes firefighter logs from the target system
- Firefighter workflow sync - generates the request for the FFID
- EAM master data sync - synchronizes the master data on the plug-in system to the AC repository
SoD (Segregation of Duties) - having the ability to perform two or more conflicting functions
Sap.support.com (link for the SAP support portal)
Authorization check - verifies that the user is authorized
Identity management - a tool used to manage the full identity life cycle of users
Password expired and dialog-free... which user type can change the password aside from the dialog user? - communication
GRC AC jobs used for synchronizing information into the repository: GRAC_PFCG_AUTHORIZATION_SYNCH, GRC repository object synch, GRAC role usage synch, GRAC action synch
GRAC_PFCG_AUTHORIZATION_SYNCH - synchronizes the PFCG (Profile Generator) master data (SU24 values) from the backend system to the GRC system. It ensures that any changes in authorizations are reflected in the GRC system.
GRAC_REPOSITORY_OBJECT_SYNCH - synchronizes users, roles, and profile data from the backend systems to the GRC repository. It can be run in full mode weekly or incrementally hourly to keep the data up to date.
GRAC_ROLE_USAGE_SYNCH - retrieves role usage information from the backend system and updates the GRC repository. It is important for features like User Access Review (UAR), which helps in auditing and managing user access.
GRAC_ACTION_SYNCH - retrieves executed transactions and usage data from the backend system.
Risk - the opportunity for physical loss or fraud that disrupts business operations, which arises from the access individuals hold; in AC, functions are the main components of a risk.
Action - activity performed in the system in order to fulfil a specific function.
Permission - authorization that allows a user to perform a particular activity.
Business processes - categories used to report risk analysis.
Access Risk Analysis - web-based, fully automated security audit and SoD analysis application.