Authorization Concept
Transcript of Authorization Concept
IB - Projectmanagement - Prof.Dr.Reusch 1
Establish User Role and Authorization Concept
presented by Mareike Kallweit
http://www.mit.edu/afs/athena/project/its-alive/sap-docs/R3-SecGuide-Vol1.
- Create Authorization Detailed Design
- Review Company Security Philosophy
- Document Transactions Associated with Job Functions
- Conduct Authorization Interview with Data Owners
- Identify General Information Access and Service Use
- Create Authorization Management Procedures
- Implement Authorization Concept
- Create Activity Groups
- Generate Authorization Profile
- Create User Master Models for Job Roles
- Test User Master Models
- Validate Authorization Concept
- Identify Activity Group for Individual Users
- Create User Master
- Validate User Masters for Job Functions
- Refine Authorization Design
- Sign Off Authorization Design
Authorization List
Complete developed authorization environment
Realization Phase: Tasks of Establishing User Role and Authorization Concept
User Master Records for all Users
What are User Roles and Authorization?
To access or execute SAP transactions, a user requires corresponding authorization
A User Role defines the user’s authorization
Requirement of maximum security and sufficient privileges for end users to fulfill their job duties
Why are User Roles and an Authorization Concept necessary?
Company Security philosophy: protection from unauthorized access
FLEXIBLE AUTHORIZATION CONCEPT
- protects applications and data from unauthorized access
- provides users with the necessary authorization for individual applications
The main tool to create, implement and validate the authorization concept is the Profile Generator
Responsibilities for processes and functions already defined in Business Blueprint phase:
These responsibility definitions are used in authorization design
Company Security Philosophy
• Security policy of organization to be checked
• Security requirements in each department to be checked
• Level of Security to be recorded
• each application area must supply roles (Authorization List)
• a role is a task or activity, or combination of tasks and activities
• authorizations are based on selection of activities grouped in activity groups
Authorization Management Procedures
To create, change and monitor activity groups, profiles, authorizations and users
• Authorization data administrator: creates activity groups, chooses transactions and maintains the authorization data; NOT allowed to generate profiles
• Authorization profile administrator: uses display mode to check the data created by the authorization data administrator; if the data is correct, the administrator generates profiles
• User administrator: assigns activity groups to users; the authorization profile is then added to the user master record
[Diagram labels: END-USER; User Master Record; Activity Group / User Role; Job functions?; Authorization Profile; Authorization; Automatically generated with Profile Generator]
Roles are assigned to an End User
Create Activity Groups / User Roles
Activity group/User Role:
- Based on the organizational plan of the company
- covers a specific work area / job function
- includes transactions, reports, links (user menu)
- Single Roles, Derived Roles, Composite Roles
Standard User Roles
Generate Authorization Profiles
Authorizations are defined as a set of permitted values for the fields of an authorization object
Authorization profile:
- Authorizations are combined in profiles
- contains all individual authorizations for User Roles
[Diagram: SAP transaction CREATING SALES ORDER; fields: Sales Organization, Distribution Channel, Division; Activity=object]
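The field-value check described on this slide, modelled as an added example that is not part of the original slides or of SAP's code. The object name Z_SALES_ORDER, the role names, the activity labels and all field values are constructed, and treating Activity as a field of the object is an assumption. The point it shows is that one single authorization must cover every checked field, so values from two roles do not combine.

```python
from dataclasses import dataclass, field

# Added illustration; object name, role names and field values are constructed.
F_ORG, F_CHAN, F_DIV, F_ACT = ("Sales Organization", "Distribution Channel",
                               "Division", "Activity")

@dataclass
class Authorization:
    """Permitted values for each field of one authorization object."""
    obj: str
    values: dict  # field name -> set of permitted values; "*" permits any value

    def permits(self, required: dict) -> bool:
        # AND across fields: every checked field must be covered by this one
        # authorization. A field it does not list permits nothing.
        return all("*" in self.values.get(f, set()) or v in self.values.get(f, set())
                   for f, v in required.items())

@dataclass
class Role:
    """Activity group / user role; a composite role only contains other roles."""
    name: str
    authorizations: list = field(default_factory=list)
    contained: list = field(default_factory=list)

    def profile(self) -> list:
        # Flatten the role and any contained roles into one authorization list.
        auths = list(self.authorizations)
        for role in self.contained:
            auths.extend(role.profile())
        return auths

def authority_check(roles: list, obj: str, required: dict) -> bool:
    # OR across authorizations: one single authorization must cover all fields;
    # values from two different authorizations are never combined.
    return any(a.obj == obj and a.permits(required)
               for r in roles for a in r.profile())

OBJ = "Z_SALES_ORDER"  # hypothetical authorization object name
# Activity values below are constructed labels, not SAP activity codes.
clerk = Role("SALES_CLERK_1000", [Authorization(OBJ, {
    F_ORG: {"1000"}, F_CHAN: {"10"}, F_DIV: {"*"}, F_ACT: {"create", "display"}})])
viewer = Role("SALES_DISPLAY_2000", [Authorization(OBJ, {
    F_ORG: {"2000"}, F_CHAN: {"*"}, F_DIV: {"*"}, F_ACT: {"display"}})])
composite = Role("COMPOSITE_SALES", contained=[clerk, viewer])

def order(org: str, chan: str, div: str, act: str) -> dict:
    return {F_ORG: org, F_CHAN: chan, F_DIV: div, F_ACT: act}

if __name__ == "__main__":
    for req in (order("1000", "10", "01", "create"),
                order("2000", "10", "01", "create")):
        print(req, authority_check([composite], OBJ, req))
```

A user holding the composite role can create orders in sales organization 1000 and display them in 2000, but the create request for 2000 is refused even though "create" and "2000" each appear somewhere in the user's profile.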
Assigning Users to Roles
[Diagram labels: Role 1; Role 2; Role 3; Role 4; Derived Role 1; Composite Role A]
• Job description and related activity group and profile must be identified for each end user
• employees of same department are often grouped in one end user group
User Masters as complete list of activity groups (User Roles) and profiles to assign to each end user
Creating User Master Models for Job Roles
• Sample User Master Records are developed and tested for all user roles
• User Master Records are client-specific
User Master Record:
- determines which activities are contained in the user menu
- allows access to functions and objects (authorization)
- enables user to log onto SAP system / password
- contains all user parameters
- work possible within the limits of the specified authorization profile
- definition of start menus
Test User Masters for Job Functions
Test for users to ensure that all necessary activities and transactions can be executed and accessed
Each User Master Record (activity group and generated authorization profile) must be tested
Test if optimum data security has been achieved
Final step before productive operation:
Sign Off Authorization Design
for your attention !
Reference: various pages of help.sap.com