Day 5: SAP R/3 Application Authorization Concept
ERP System Maintenance (ERP 系統維護), Enterprise Technology - SAP

Upload: guang-ying-yuan, posted 10-May-2015

Transcript

Page 1: Day5 R3 Basis   Security

Day 5: SAP R/3 Application Authorization Concept

ERP System Maintenance (ERP 系統維護), Enterprise Technology - SAP

Page 2: Day5 R3 Basis   Security

Course Content

Unit 1 Introduction
Unit 2 Conception with ASAP Methodology
Unit 3 Elements of the R/3 Authorization Concept
Unit 4 The User Master
Unit 5 Working with the Profile Generator
Unit 6 Access Control and User Administration

Page 3: Day5 R3 Basis   Security

Introduction

Page 4: Day5 R3 Basis   Security

Introduction

Contents:

Security Requirements
SAP Security Levels
SAP Access Control
Users, Roles and Authorizations
Technical Implementation of Roles

Page 5: Day5 R3 Basis   Security

Introduction: Unit Objectives

At the conclusion of this unit, you will be able to:

Describe the SAP authorization concept as part of a comprehensive security concept
Explain the access control mechanisms
Explain how users, roles and authorizations are related
Describe the technical implementation of a role-based authorization concept

Page 6: Day5 R3 Basis   Security

Security - Overview

Threats
  Environment: Floods, Earthquakes
  Technology: Disk Crash, Power Supply Interruption
  Persons: Incorrect Operation, Hackers

Measures
  Technology: Hardware Router, DB Backup, Password Rules, Authorizations, ...
  Organization: Procedures, Training
  Environment: Fire Alarms, Water Detection

Assets
  Hardware, Software, Data, Persons

Page 7: Day5 R3 Basis   Security

SAP Security Levels

Layer            | Components                                      | Security Considerations
Presentation     | GUI, Browser, PC                                | Access control, virus scanners, encryption
Communication    | SAProuter, Network, SNC                         | Access control, packet filtering, encryption
Application      | Application modules, work processes, interfaces | SAP users, password rules, authorizations
Database         | Relational database                             | Access to SAP tables, backup, consistency
Operating System | UNIX, Windows NT, OS/400, OS 390                | Access to SAP files, OS services
Web Connection   | ITS                                             | Encryption, certificates, Single Sign-On

Page 8: Day5 R3 Basis   Security

SAP Access Control

System Access Control
  Users must identify themselves in the system
  Configuration of system access control (e.g. password rules)

Access Control (Functions, Data)
  Access rights for functions and data must be granted explicitly using authorizations
  Authorization checks for:
    Transaction/report calls
    Program execution

Page 9: Day5 R3 Basis   Security

Users, Roles, and Authorizations

Employees have roles with specific functions and need authorizations for these functions.

Procurement example (users Karen, Susan, John):
  Employee Service Representative: Create Purchase Requisition (ME51) - authorization to create purchase requisitions
  Employee Service Representative Manager: Release Purchase Requisition (ME54) - authorization to release purchase requisitions
  Employee Purchaser: Order Purchase Requisition (ME58) - authorization to create purchase orders

Page 10: Day5 R3 Basis   Security

Technical Implementation of Roles

Role "Professional Purchaser", assigned to a user, consists of:
  Role Menu: accessible transactions, reports, web links; structure of the menus/access paths
  Authorizations: selective access to business functions and data

Page 11: Day5 R3 Basis   Security

SAP Easy Access - User-Specific Menus

Menu Edit Favorites Extras System Help

Other menu Create menu Assign users

Role BC_USER_ADMIN

Favorites

SM51 List of SAP Systems

User Administration

SU01 - User Maintenance

PFCG - Role Maintenance

SU01D - Display User

SU05 - Internet User Maintenance

SU10 - User Mass Maintenance

SUGR - Maintain User Groups

Page 12: Day5 R3 Basis   Security

Introduction: Unit Summary

You are now able to:

Describe the SAP authorization concept as part of a comprehensive security concept
Explain the access control mechanisms
Explain how users, roles and authorizations are related
Describe the technical implementation of a role-based authorization concept

Page 13: Day5 R3 Basis   Security

Conception with ASAP Methodology

Page 14: Day5 R3 Basis   Security

Conception with ASAP Methodology

Contents:

ASAP methodology for creating an authorization concept
Project preparation
Analysis and design of the authorization concept
Implementation of the authorization concept
Testing and quality assurance
Cutover

Page 15: Day5 R3 Basis   Security

Conception with ASAP Methodology: Unit Objectives

At the conclusion of this unit, you will be able to:

List the steps necessary to implement an authorization concept
Describe the activities to be performed in each step
Assign responsible persons to each activity
Use the ASAP procedure model for implementing an authorization concept for your own projects

Page 16: Day5 R3 Basis   Security

Conception with ASAP Methodology: Business Scenario

Before going live, your company wants to implement an authorization concept.

The steps required to realize the authorization concept must be planned in the context of the entire implementation process.

During the planning phase you want to estimate the time and personnel resources needed.

Page 17: Day5 R3 Basis   Security

Role and Authorization Concept: Steps

A Role and Authorization Concept is implemented in 5 steps:
  1. Preparation
  2. Analysis & Conception
  3. Implementation
  4. Quality Assurance & Tests
  5. Cutover

Each step comprises different activities.
Each activity is associated with a responsible person.
In parallel to these steps, the user and authorization administration strategy is determined: the organization of user administration and authorization management is set up alongside the implementation of the user and authorization concept.

Page 18: Day5 R3 Basis   Security

Step 1: Preparation

Measures:
  Set Up a Team for User Roles and Authorizations
  Clarify Prerequisites for Authorization Assignment
  Train the Team for User Roles and Authorizations
  Trigger Role and Authorization Project

Page 19: Day5 R3 Basis   Security

Team for User Roles and Authorizations

One group per application area (BASIS, PP, HR, SD/MM, FI/CO), each staffed with key users and Basis users.

KU = Key User
BC = Basis User (technical authorization management)

Page 20: Day5 R3 Basis   Security

Step 2: Analysis & Conception

Measures:
  Determine User Roles
  Complete Roles
  Determine Framework for Implementing the Roles
  Check Framework for Implementing the Roles

Page 21: Day5 R3 Basis   Security

Analysis: Determine User Roles

Authorization List - Role Design: business processes and their activities with transaction codes. The columns Enterprise area, Role name and Scope (one column per role) are filled in during the design.

Business Processes

Financial Accounting / General Ledger Processing / Closing Operations / Profit and Loss Adjustment
  General ledger: Profit and Loss Adjustment      F.50
  General ledger: Update Balance Sheet Adj.       F.5D
  General ledger: Post Balance Sheet Readj.       F.5E
  General ledger: Balance Sheet Readj., Log       F.5F
  General ledger: B/S Readj., Spec. Functions     F.5G

Accounts Payable Accounting / Invoices and Credit Memos / Parked Document Posting [Vendors]
  Post Parked Document                            FBV0
  Change Parked Document                          FBV2
  Display Parked Document                         FBV3
  Change Parked Doc. (Header)                     FBV4
  Document Changes: Parked Documents              FBV5
  Reject Parked Document                          FBV6

Accounts Payable Accounting / Vendor Account Analysis / Balance Analysis
  Customer Account Analysis                       FD11
  Vendor Account Balance                          FK10
  Display Vendor Balances                         FK10N
  Vendor Line Items                               FBL1N

Accounts Payable Accounting / Correspondence with Vendors / Correspondence with Vendors
  Correspondence: Print Requests                  F.61
  Correspondence: Print Internal Docs.            F.62
  Correspondence: Delete Requests                 F.63
  Correspondence: Maintain Requests               F.64

Page 22: Day5 R3 Basis   Security

Conception: Complete User Roles (1)

Authorization List - Role Design: the same business process and transaction list as on the previous slide (Financial Accounting closing operations F.50 to F.5G, parked vendor documents FBV0 to FBV6, balance analysis FD11, FK10, FK10N, FBL1N, vendor correspondence F.61 to F.64), now with the roles filled in:

Enterprise area: FI, FI, FI
Role name: FI_Manag, AP_Manag, AP_Acc
Scope: each activity a role covers is marked with an x in that role's column

Page 23: Day5 R3 Basis   Security

Technical Conception: Role Implementation (1)

User (User Master Record)
  User Role = Composite Role, e.g. Accounts Payable Accountant, Accounts Payable Accounting Manager
    Role = Activity Block (Group of Related Activities), e.g. Balance Analysis, Maintain Account Balances, G/L Document Maintenance, ...
      Activities = Transactions, Reports, e.g. Vendor Line Items, Display Vendor Balances, Post Documents, Change Documents, ...

Page 24: Day5 R3 Basis   Security

Technical Conception: Role Implementation (2)

The single roles Balance Analysis, Correspondence, Maintain Documents and Closing Operations are combined into the composite roles Accounts Payable Accountant, Accounts Payable Accounting Manager and Financial Accounting Manager; a single role (here Maintain Documents) is reused in several composite roles.

Page 25: Day5 R3 Basis   Security

Step 3: Implementation

Measures:
  Create Roles
  Create Derived Roles
  Create Composite Roles

Page 26: Day5 R3 Basis   Security

Step 4: Quality Assurance & Tests

Measures:
  Test User Roles and Authorization Concept
  Release Roles and Authorization Concept

Page 27: Day5 R3 Basis   Security

Step 5: Cutover

Measures:
  Set Up Productive Environment
  Create User Master Records for Productive Users
  Accept Role and Authorization Project

Page 28: Day5 R3 Basis   Security

User and Authorization Administration Strategy (in parallel to the 5 steps)

Measures:
  Specify Technical User and Authorization Administration Strategy
  Specify User and Authorization Administration Procedure
  Train Users and Authorization Administrators

Page 29: Day5 R3 Basis   Security

User and Authorization Administration Strategy

Development System
  Authorization Data Administrator: Create Role, Maintain Role
  Authorization Profile Administrator: Activate Profile

User Administration System
  User Administrator: Maintain Users, Assign Role

System Administrator

Page 30: Day5 R3 Basis   Security

Conception with ASAP Methodology: Unit Summary

You are now able to:

List the steps necessary to implement an authorization concept
Describe the activities to be performed in each step
Assign responsible persons to each activity
Use the ASAP procedure model for implementing an authorization concept for your own projects

Page 31: Day5 R3 Basis   Security

Elements of the SAP Authorization Concept

Page 32: Day5 R3 Basis   Security

Elements of the SAP R/3 Authorization Concept: Business Scenario

The SAP R/3 authorization concept prevents unauthorized access to the system and to data and objects within the system. Users that are to perform specific functions in the SAP R/3 System need a user master record with the relevant authorizations.

Page 33: Day5 R3 Basis   Security

Overview of the elements of the SAP R/3 authorization concept

Authorization object class
  Authorization object
    Authorization field
      Authorization (field values)
        Authorization Profile - Role
          User

Page 34: Day5 R3 Basis   Security

Authorization Fields, Objects, Object Classes

Authorization Fields: BUKRS, ACTVT, WERKS, BEGRU
Authorization Objects: M_RECH_BUK, F_BKPF_BUK, F_KNA1_BUK, C_KAPA_PLA, C_ARPL_WRK, M_MSEG_WWA, V_KNA1_BRG, C_DRAW_BGR
Authorization Object Classes: MM_R, FI, PP, MM_B, SD, CV

An authorization object groups several fields; objects are grouped into object classes.

Page 35: Day5 R3 Basis   Security

Authorization

An authorization is a set of permitted values for the fields of one authorization object (ACTVT 01 = Create, 02 = Change, 03 = Display):

Authorization A
  BUKRS 1000, 2000
  ACTVT 01, 02, 03 (Create, Change, Display)

Authorization B
  BUKRS 1000, 2000, 3000
  ACTVT 03 (Display)

Page 36: Day5 R3 Basis   Security

Authorizations and Authorization Profiles

Each work center (Work Center 1, 2, 3) receives an authorization profile; the profile contains one authorization per authorization object:

Authorization Object   Fields          Example values on the slide
S_TCODE                TCD             F-22, F-27, FB02, FB03  or  F-43, F-41, FB02, FB03
F_BKPF_BUK             ACTVT, BUKRS    01, 02, 03 or 03;  1000 or 1000, 2000 or 2000
F_BKPF_GSP             ACTVT, GSBER    01, 02, 03;  ...
F_BKPF_KOA             ACTVT, KOART    01, 02, 03;  A, D, S or K or D
...

Page 37: Day5 R3 Basis   Security

Authorization Check in the Program

Transaction FB02 (Change Accounting Document), program SAPMF05L:

    ....
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
             ID 'ACTVT' FIELD '02'
             ID 'BUKRS' FIELD BUK.
    IF SY-SUBRC NE 0.
      MESSAGE E083 WITH BUK.
    ENDIF.
    ....

User authorizations: object F_BKPF_BUK, authorization BUK
    Field   Value
    ACTVT   02, 03
    BUKRS   1000

Check and result: for a document in company code BUK = 1000 the authorization BUK covers ACTVT 02 and BUKRS 1000, so the check succeeds (SY-SUBRC = 0).

Page 38: Day5 R3 Basis   Security

Security Checks during Transaction Start

Example: Change Accounting Document (FB02)

System:
  1. Authorization for the transaction (authorization object S_TCODE)?  No -> STOP
  2. Authorization for the authorization object maintained for the transaction in table TSTCA?  No -> STOP
  Yes -> Initial Screen

Program:
  3. ABAP program authorization checks (AUTHORITY-CHECK) -> Next Screen
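The check logic of the last three slides (field values on F_BKPF_BUK, the AUTHORITY-CHECK in SAPMF05L and the S_TCODE/TSTCA gates at transaction start) as an added Python model; this is not SAP code or course material, and the authorization names, the S_TCODE authorization and the TSTCA entry for the made-up transaction ZDEMO are constructed.

```python
"""Model of the R/3 authorization check: user buffer, AUTHORITY-CHECK
semantics and the gates at transaction start. Added illustration, not SAP
code. Object and field names (S_TCODE/TCD, F_BKPF_BUK/ACTVT/BUKRS) and
authorizations A and B are from the slides; authorization names and the
TSTCA sample entry are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Authorization:
    """One authorization: an instance of an authorization object holding a
    set of permitted values per field. '*' stands for 'any value'."""
    name: str                          # e.g. a generated name like T-...00
    obj: str                           # authorization object, e.g. F_BKPF_BUK
    values: Dict[str, FrozenSet[str]]  # field -> permitted values


def _field_ok(auth: Authorization, fld: str, value: str) -> bool:
    allowed = auth.values.get(fld)
    if allowed is None:      # this authorization carries no value for the
        return False         # checked field: it cannot satisfy the check
    return "*" in allowed or value in allowed


def authority_check(buffer: List[Authorization], obj: str, **fields: str) -> int:
    """AUTHORITY-CHECK: SY-SUBRC 0 if ONE authorization in the user buffer for
    the object covers ALL checked ID/FIELD pairs. Values of different
    authorizations are never combined. 12 = no authorization for the object
    at all, 4 = object present but the values do not match."""
    candidates = [a for a in buffer if a.obj == obj]
    if not candidates:
        return 12
    for auth in candidates:
        if all(_field_ok(auth, f, v) for f, v in fields.items()):
            return 0
    return 4


def start_transaction(buffer: List[Authorization], tcode: str,
                      tstca: Dict[str, Tuple[str, str, str]]) -> str:
    """Gates at transaction start: S_TCODE with TCD = tcode first, then the
    extra object/field/value from table TSTCA if one is maintained for the
    transaction; only then is the initial screen shown and the program's own
    AUTHORITY-CHECK statements reached."""
    if authority_check(buffer, "S_TCODE", TCD=tcode) != 0:
        return "STOP: no S_TCODE authorization"
    if tcode in tstca:
        obj, fld, val = tstca[tcode]
        if authority_check(buffer, obj, **{fld: val}) != 0:
            return "STOP: TSTCA check failed"
    return "initial screen"


def change_accounting_document(buffer: List[Authorization], buk: str) -> str:
    """The check from program SAPMF05L (transaction FB02) on the slide:
    change (ACTVT 02) a document in company code BUK, else message E083."""
    if authority_check(buffer, "F_BKPF_BUK", ACTVT="02", BUKRS=buk) != 0:
        return f"E083: no authorization for company code {buk}"
    return f"document in {buk} changed"


# Constructed user buffer: authorizations A and B from the slide on
# F_BKPF_BUK plus a constructed S_TCODE authorization.
AUTH_A = Authorization("T-DEMO00", "F_BKPF_BUK",
                       {"BUKRS": frozenset({"1000", "2000"}),
                        "ACTVT": frozenset({"01", "02", "03"})})
AUTH_B = Authorization("T-DEMO01", "F_BKPF_BUK",
                       {"BUKRS": frozenset({"1000", "2000", "3000"}),
                        "ACTVT": frozenset({"03"})})
AUTH_TCD = Authorization("T-DEMO02", "S_TCODE",
                         {"TCD": frozenset({"FB02", "FB03", "ZDEMO"})})
BUFFER = [AUTH_A, AUTH_B, AUTH_TCD]
# Constructed TSTCA entry: made-up transaction ZDEMO additionally requires
# F_BKPF_BUK with ACTVT 06 (delete), which neither A nor B grants.
TSTCA = {"ZDEMO": ("F_BKPF_BUK", "ACTVT", "06")}

if __name__ == "__main__":
    print(start_transaction(BUFFER, "FB02", TSTCA))     # initial screen
    print(change_accounting_document(BUFFER, "1000"))  # changed
    # 3000: B allows 3000 but only display, A allows change but not 3000;
    # the two are not combined, so the change fails with E083.
    print(change_accounting_document(BUFFER, "3000"))
    print(start_transaction(BUFFER, "ZDEMO", TSTCA))    # STOP: TSTCA
```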

Page 39: Day5 R3 Basis   Security

Roles and Authorization Profiles

Create Roles Using the Profile Generator (PFCG):
  Choose Activities (Transactions, Reports, Web links) -> User Menu
  Maintain Authorization Data (Define Authorization Objects) -> Generation -> Authorization Profile (one authorization per authorization object xxx ...)

Page 40: Day5 R3 Basis   Security

Roles and the Easy Access Menu

Menu Edit Favorites Extras System Help

Other menu Create menu Assign users

Role SAP_BC_USER_ADMIN_AG

Favorites

SU01 User Maintenance

User Administration

SU01 - User Maintenance

PFCG - Role Maintenance

SU01D - Display User

SU05 - Internet User Maintenance

SU10 - User Mass Maintenance

SUGR - Maintain User Groups

Page 41: Day5 R3 Basis   Security

Elements of the SAP R/3 Authorization Concept: Unit Summary

You are now able to:

Describe the elements of the authorization concept
Describe the process flow of an authorization check in the program
Describe the authorization checks during transaction start
Describe the differences between roles and authorization profiles
Explain the relationship between roles and the Easy Access menu

Page 42: Day5 R3 Basis   Security

User Master

Page 43: Day5 R3 Basis   Security

The User Master Record

Contents:

Identifying users by means of the user master record
SAP R/3 user types
Components of the user master record
User buffer
Change documentation

Page 44: Day5 R3 Basis   Security

The User Master Record: Unit Objectives

At the conclusion of this unit, you will be able to:

List the different SAP R/3 user types
Distinguish between the components of the user master record
Create and change user master records
Evaluate change documents
Display and archive change documents
Analyze the user buffer
Understand the function of the user buffer and evaluate the buffered user authorizations

Page 45: Day5 R3 Basis   Security

The User Master Record: Business Scenario

To access the SAP R/3 System and work with the data in the system, a user master record with appropriate authorizations is required. Other elements of the user master record make it easier to work with the SAP R/3 System.

Page 46: Day5 R3 Basis   Security

User Master Record Components

Display User (tabs: Address, Logon Data, Defaults, Parameters, Roles, Profiles, Groups)
  User, Saved, Last changed by
  Address: Personal Data, Communication Data, Company Address
  Logon Data: User Group, User Type, Validity Period
  Defaults: Start Menu, Logon Language, Standard Printer
  Parameters: Default Parameter IDs
  Roles: Assignment of Roles
  Profiles: Assignment of Profiles
  Groups: Assignment of User Groups

Page 47: Day5 R3 Basis   Security

User Buffer

User: WolfMeier
Role: MY_FI_AR_DISPLAY_MASTER_DATA
Authorization Profile: T-T0030107

At logon to the SAP R/3 System the authorizations of the user's profiles are loaded into the user buffer:

Object        Authorization
...
F_BKPF_KOA    T-T003010700
F_KNA1_AEN    T-T003010700
F_KNA1_APP    T-T003010700
F_KNA1_APP    T-T003010701
F_KNA1_BED    T-T003010700
F_KNA1_BUK    T-T003010700
F_KNA1_GEN    T-T003010700
F_KNA1_GEN    T-T003010701
...

Page 48: Day5 R3 Basis   Security

The User Master Record: Unit Summary

You are now able to:

List the different SAP R/3 user types
Distinguish between the components of the user master record
Create and change user master records
Evaluate change documents
Display and archive change documents
Analyze the user buffer
Understand the function of the user buffer and evaluate the buffered user authorizations

Page 49: Day5 R3 Basis   Security

Working with the Profile Generator

Page 50: Day5 R3 Basis   Security

Working with the Profile Generator

Contents:

This unit describes how to design SAP Easy Access user menus for the various work centers (or roles) in your company and how to automatically generate authorization profiles for those menus.

The first part of this unit deals with simpler basic maintenance. The focus is placed on the creation of menus and the associated authorizations, profiles, and user assignments.

The second part deals with more advanced topics: the focus here is placed on derived and composite roles.

Page 51: Day5 R3 Basis   Security

Working with the Profile Generator: Unit Objectives

At the conclusion of this unit, you will be able to:

Perform the steps involved in assigning authorizations with the Profile Generator
Copy, change, and create roles and determine their activities
Display and maintain authorizations that were generated automatically

Page 52: Day5 R3 Basis   Security

Working with the Profile Generator: Business Scenario

When you create authorizations and authorization profiles for groups of users, you should use the Profile Generator. Based on selected menu functions, the Profile Generator automatically generates authorization data and offers it for postprocessing.

Page 53: Day5 R3 Basis   Security

The Profile Generator: Steps

Input: work centre description (Activity 1, Activity 2, ...)

Role in the Profile Generator (tabs Description, Menu, Authorizations, User):
  Description: Define Role Names
  Menu: Define Activities, Design User Menus
  Authorizations: Maintain Authorization Data, Generate Authorization Profile
  User: Assign Users, Adjust User Master Records

Page 54: Day5 R3 Basis   Security

Profile Generator: Views

Role SAP_FI_AR_MASTER_DATA, Description: Accounts Payable Clerk (Display / Change / Create / Create Composite Role; Information)

Simple Maintenance (Workplace Menu Maintenance): Menu, Agents
Basic Maintenance (Menus, Profiles, Other Objects): Menu, Authorizations, Agents
Overview (Organisational Management and Workflow): Menu, Authorizations, Tasks, Agents, Organisational Management

Page 55: Day5 R3 Basis   Security

Profile Generator: Steps

Define Role Name
Determine Activities
Design User Menus
Maintain Authorization Data
Generate Authorization Profile
Assign Users
Adjust User Master Records

Page 56: Day5 R3 Basis   Security

Define Role Name and Description

Role: MY_ROLE
Description: FI: Accounts Payable Accountant
(Display / Change / Create / Create Composite Role; Information; Other Role)
Tabs: Description, Menu, Authorizations, User, Pers...

Page 57: Day5 R3 Basis   Security

Define Role Name

Determine Activities

Design User Menus

Maintain Authorization Data

Generate Authorization Profile

Assign Users

Adjust User Master Records

Profile Generator: Steps

Page 58: Day5 R3 Basis   Security

Determine Activities

Which activities (Transaction TA1, Transaction TA2, Transaction TA3, Report xyz, Web Link) belong to Role 1 and which to Role 2? The same activity (e.g. Transaction TA1) can be part of several roles; open assignments (???) are decided in this step.

Tabs: Description, Menu, Authorizations, User

Page 59: Day5 R3 Basis   Security

Profile Generator: Steps

Define Role Name

Determine Activities

Design User Menus

Maintain Authorization Data

Generate Authorization Profile

Assign Users

Adjust User Master Records

Page 60: Day5 R3 Basis   Security

Design Menus

Define Functions: Transaction TA1, TA2, TA3; Report xxx, zab, xyz; Web Links
Customize Menu Structure: e.g. folders Correspondence, Closing, Reporting, Withholding Tax, Information System, Other, Addresses

Screenshot: Role MY_ROLE, Description FI: Accounts Payable Accountant - (Template Copy); tabs Description, Menu, Authorizations, Users, Pers..

Role Menu:
  URL - www.mysap.com
  URL - Route Planner
  SM04 - User List
  SE16 - Data Browser
  Account Master Data
    FK01 - Create Vendor
    FK02 - Change Vendor
    FK03 - Display Vendor
    FK04 - Display Changes
    FK05 - Lock Vendor
    FK06 - Set Deletion Flag

Buttons: Transaction, Report, Other, All; From the SAP Menu, From Other Role, From Area Menu, Import From File, Translate Node, Display Documentation, Find in Docu.; Confirmation of Change, Compare, Distribute (T70CLNT400); entries can be moved by drag&drop

Page 61: Day5 R3 Basis   Security

Profile Generator: Steps

Define Role Name

Determine Activities

Design User Menus

Maintain Authorization Data

Generate Authorization Profile

Assign Users

Adjust User Master Records

Page 62: Day5 R3 Basis   Security

Profile Generator: Create Authorization Profiles

Maintain Authorization Data and Generate Profiles

Role MY_ROLE, Description: FI: Accounts Payable Accountant - created from SAP template
Tabs: Description, Menu, Authorizations, User

Information on the authorization profile
  Created: User MEYERS, Date 16.01.2000, Time 13:22:12
  Last change: User BENZ, Date 18.01.2000, Time 17:50:59
  Profile name: T-K6840005
  Profile text: Profile for Role MY_ROLE
  Status: Current Version Not Generated

Change Authorization Data / Expert Mode for Profile Generation

MY_ROLE FI: Accounts Payable Accountant
Maint.: 0 Unmaint. Org levels, 7 Open Fields, Status: Saved
  Maintained  Old  Cross-Application Authorization Objects
  Maintained  Old  Asset Management
  Maintained  New  Basis - Administration
  Standard    New  Authorization for File Access
  Standard    New  Authorization for File Access
                   (fields: Activity, Physical File Name, ABAP Program Name)
  Maintained  Old  SAPscript: Standard text
  Standard    Old  Basis - Development Environment
  Maintained  New  Basis - Central Functions
  Standard    Old  Materials Management - Procurement

Page 63: Day5 R3 Basis   Security

Profile Generator: Steps

Define Role Name

Determine Activities

Design User Menus

Maintain Authorization Data

Generate Authorization Profile

Assign Users

Adjust User Master Records

Page 64: Day5 R3 Basis   Security

Generate Authorization Profile

MY_ROLE FI: Accounts Payable Accountant
Maint.: 0 Unmaint. Org Levels, 7 Open Fields, Status: Saved
  Maintained  Old  Cross-Application Authorization Objects
  Maintained  Old  Asset Management
  Maintained  New  Basis - Administration
  Standard    New  Authorization for File Access
  Standard    New  Authorization for File Access
                   (fields: Activity, Physical Filename, ABAP Program Name)
  Maintained  Old  SAPscript: Standardtext
  Standard    Old  Basis - Development Environment
  Maintained  New  Basis - Central Functions
  Standard    Old  Materials Management - Procurement

Tabs: Description, Menu, Authorizations, User; button: Generate

Assign Profile Name for Generated Authorization Profile
  Profile name: MY_ROLE_PF (you can change the default profile name here; you will not be able to change this profile name later)
  Text: Profile for role MY_ROLE

Page 65: Day5 R3 Basis   Security

Define Role Name

Determine Activities

Design User Menus

Maintain Authorization Data

Generate Authorization Profile

Assign Users

Adjust User Master Records

Profile Generator : Steps

Page 66: Day5 R3 Basis   Security

Assigning Users to Roles

Users are assigned to one or more roles (Role 1, Role 2, Role 3, Role 4).

Page 67: Day5 R3 Basis   Security

Profile Generator: Steps

Define Role Name

Determine Activities

Design User Menus

Maintain Authorization Data

Generate Authorization Profile

Assign Users

Adjust User Master Records

Page 68: Day5 R3 Basis   Security

Comparing the User Master

Role MY_ROLE, Description: FI: Accounts Payable Accountant (tabs Description, Menu, Authorizations, User, Pers...; Other Role, Information)

User tab: Selection, User Compare

Information for user master comparison:
  Last Comparison: User, Date, Time
  Complete Adjustment: User, Date, Time
  Status: User authorization changed since last save

Buttons: Complete Compare, Expert Mode for Compare, Information

Compare: Role <-> User Master Record

Page 69: Day5 R3 Basis   Security

Derived Roles

(Reference) Role
  -> Derived Role 1
  -> Derived Role 2
  -> Derived Role 3

Each derived role belongs to one part of the organisational structure and carries authorizations for its own organisational levels, e.g.:
  Plant 1, Company Code 0020, Business Area 110, ...
  Plant 1, Company Code 0020, Business Area *, ...
  Plant 2, Company Code 0001, Business Area 100, ...

Page 70: Day5 R3 Basis   Security

Menus of Derived Roles

Reference Role -> Derived Role 1, Derived Role 2, Derived Role 3

Changes to the menu are only possible in the reference role.

Page 71: Day5 R3 Basis   Security

Composite Roles

Composite Role A and Composite Role B each group several single roles (Role 1 to Role 7).

Page 72: Day5 R3 Basis   Security

Menus of Composite Roles

Composite Role = Role 1 + Role 2; its menu combines Menu Role 1 and Menu Role 2.

Changes to the entire menu are possible!
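An added Python model of derived and composite roles as described on the last four slides (not SAP code or course material): the reference role Z_AP_CLERK_REF, its menu entries, the derived role names and the org-level field set WERKS/BUKRS/GSBER are constructed; the org-level values are those of the Derived Roles slide.

```python
"""Derived and composite roles: a derived role inherits menu and authorization
data from its reference role and only sets its own organisational levels, its
menu can only be changed in the reference role, and a composite role merges
the menus of the single roles it contains. Added model, not SAP code; role
names, menu entries and the org-level field set are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Org-level fields assumed for the example: plant, company code, business area.
ORG_LEVELS = frozenset({"WERKS", "BUKRS", "GSBER"})
Auths = Dict[str, Dict[str, FrozenSet[str]]]   # object -> field -> values


@dataclass
class Role:
    name: str
    menu: List[str]                  # transactions, reports, web links
    auths: Auths
    reference: Optional[str] = None  # set only for derived roles


def derive_role(reference: Role, name: str,
                org: Dict[str, FrozenSet[str]]) -> Role:
    """Copy menu and authorization data from the reference role; every
    org-level field takes the values given for this derived role, all other
    fields (e.g. ACTVT) stay exactly as in the reference role."""
    auths: Auths = {}
    for obj, fields in reference.auths.items():
        auths[obj] = {}
        for fld, vals in fields.items():
            if fld in ORG_LEVELS:
                if fld not in org:
                    raise ValueError(f"{name}: org level {fld} not maintained")
                auths[obj][fld] = frozenset(org[fld])
            else:
                auths[obj][fld] = vals
    return Role(name, list(reference.menu), auths, reference=reference.name)


def add_menu_entry(role: Role, entry: str) -> None:
    """Menu changes are only possible in the reference role."""
    if role.reference is not None:
        raise PermissionError(
            f"{role.name} is derived from {role.reference}; change the menu there")
    role.menu.append(entry)


def regenerate(reference: Role, derived: Role) -> Role:
    """After the reference role changed, re-derive: the new menu and
    authorization data are taken over, the derived role keeps its org levels."""
    org = {fld: vals
           for fields in derived.auths.values()
           for fld, vals in fields.items() if fld in ORG_LEVELS}
    return derive_role(reference, derived.name, org)


def composite_menu(single_roles: List[Role]) -> List[str]:
    """Menu of a composite role: the menus of its single roles merged in
    order, each entry once."""
    merged: List[str] = []
    for role in single_roles:
        for entry in role.menu:
            if entry not in merged:
                merged.append(entry)
    return merged


# Constructed reference role using objects seen earlier in the course;
# org-level fields are left empty here and filled per derived role.
REFERENCE = Role("Z_AP_CLERK_REF", ["FB02", "FB03", "FBL1N"], {
    "F_BKPF_BUK": {"ACTVT": frozenset({"01", "02", "03"}), "BUKRS": frozenset()},
    "F_BKPF_GSP": {"ACTVT": frozenset({"03"}), "GSBER": frozenset()},
    "C_ARPL_WRK": {"ACTVT": frozenset({"03"}), "WERKS": frozenset()},
})
# Org-level values per derived role, from the Derived Roles slide.
ORG_ROLE_1 = {"WERKS": frozenset({"1"}), "BUKRS": frozenset({"0020"}), "GSBER": frozenset({"110"})}
ORG_ROLE_2 = {"WERKS": frozenset({"1"}), "BUKRS": frozenset({"0020"}), "GSBER": frozenset({"*"})}
ORG_ROLE_3 = {"WERKS": frozenset({"2"}), "BUKRS": frozenset({"0001"}), "GSBER": frozenset({"100"})}


def demo() -> List[Role]:
    """Derive three roles, extend the reference menu, regenerate all three."""
    ref = Role(REFERENCE.name, list(REFERENCE.menu), REFERENCE.auths)
    derived = [derive_role(ref, f"Z_AP_CLERK_{i}", org)
               for i, org in ((1, ORG_ROLE_1), (2, ORG_ROLE_2), (3, ORG_ROLE_3))]
    add_menu_entry(ref, "FK03")       # allowed: this is the reference role
    return [regenerate(ref, d) for d in derived]


if __name__ == "__main__":
    for r in demo():
        print(r.name, r.menu, r.auths["F_BKPF_BUK"])
```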

Page 73: Day5 R3 Basis   Security

Working with the Profile Generator: Unit Summary

You are now able to:

Perform the steps involved in assigning authorizations with the Profile Generator
Copy, change, and create roles and determine their activities
Display and maintain authorizations that were generated automatically

Page 74: Day5 R3 Basis   Security

Access Control and User Administration

Page 75: Day5 R3 Basis   Security

Access Control and User Administration

Contents:

Special Users
Administration Tasks in User and Authorization Administration
SAP Authorization Objects for Protection from Access to Administration Functions
Scenarios for Distributing Administration Tasks in the System Infrastructure

Page 76: Day5 R3 Basis   Security

Access Control and User Administration: Unit Objectives

At the conclusion of this unit, you will be able to:

Protect special users in SAP R/3
Describe tasks in user and authorization administration
List options for separating functions of user and authorization administration
Describe options for decentralization of user administration
Create user and authorization administrators with limited rights

Page 77: Day5 R3 Basis   Security

Access Control and User Administration: Business Scenario

In order to protect your SAP R/3 System against unauthorized access, you must define password rules, set the relevant profile parameters and protect special users.

You must also define areas of responsibility for user and authorization administration.

The organizational areas of responsibility must be clearly defined technically using authorizations.

Page 78: Day5 R3 Basis   Security

Special Users

Initial Logon Procedure in SAP Clients

Client       | User       | Initial password
000, 001     | SAP*       | 06071992
000, 001     | DDIC       | 19920706
066          | EarlyWatch | support
Client (new) | SAP*       | pass

! Since these users are generally known, they must be protected against unauthorized access.

Page 79: Day5 R3 Basis   Security

User and Authorization Administration: Activities

Create, maintain, lock and unlock users, and change passwords
Create and Maintain Roles
Maintain Transaction Selections and Authorization Data in Roles
Generate Authorization Profiles
Assign Roles and Profiles
Transport Roles
Monitor Using the Information System
Archive Change Documents

Page 80: Day5 R3 Basis   Security

Security Requirements

Separation of functions: an administrator may not administer users and maintain authorizations and generate authorization profiles.

Principle of dual control:
  User administration
  Authorization maintenance and generation

Principle of triple control:
  User administration
  Authorization maintenance
  Authorization generation

Page 81: Day5 R3 Basis   Security

Separation of Functions

The rights of the superuser are split among three administrators:

User Administrator
  Maintain user master records
  Assign roles to users
  Assign profiles to users (only T...)
  Display authorizations and profiles
  Call "Information System Authorizations"

Authorization Data Administrator
  Maintain roles
  Change transaction selection
  Change authorization data
  Call "Information System Authorizations"

Authorization Profile Administrator
  Maintain roles
  Create authorizations (only T-...)
  Create profiles (only T-...)
  Execute Transaction SUPC
  Call "Information System Authorizations"

Page 82: Day5 R3 Basis   Security

Decentral User Administration

User administration can be decentralized by application area (PP, MM, SD, CO, FI: one user administrator each) or by location (Location 1 to Location 4: one user administrator each).

Page 83: Day5 R3 Basis   Security

Scenario 1

Central user administration
  One user administrator for all users
  Unlimited authorizations for all user administration tasks of the user administrator

Central maintenance of roles and profiles
  One administrator takes on both roles: authorization data administrator and authorization profile administrator
  All authorizations for maintaining the roles and profiles

Principle of dual control

Page 84: Day5 R3 Basis   Security

Scenario 2

Decentral user administration (production system)
  One user administrator per application area (FI, MM)
  Authorized to maintain a certain user group
  Authorized to assign a certain number of roles and profiles
  No other restrictions in the specific user administration tasks

Central maintenance of roles and profiles
  Separation of responsibilities: one authorization data administrator, one authorization profile administrator
  No other restrictions in the specific roles or profiles for both administrators

Principle of triple control

Page 85: Day5 R3 Basis   Security

Scenario 3

Central creation and deletion for all users (production system)

Decentral user administration (production system)
  One user administrator per application area (FI, MM)
  Authorized to maintain a certain user group
  Authorized to assign a certain number of roles and profiles
  Authorized for only certain user administration tasks (change, lock/unlock, reset password)

Central maintenance of roles and profiles
  Separation of responsibilities: one authorization data administrator, one authorization profile administrator
  No other restrictions in the specific roles or profiles for both administrators

Principle of triple control

Page 86: Day5 R3 Basis   Security

Access Control and User Administration: Unit Summary

You are now able to:

Change password rules with system profile parameters
Protect special users in the R/3 System
Describe tasks in user and authorization administration
List options for separating functions of user and authorization administration
Describe options for decentralization of user administration
Create user and authorization administrators with limited rights