SAP Security - Day 2 1st Half_Radha Krishna
-
Upload
kishore-venigalla -
Category
Documents
-
view
15 -
download
1
description
Transcript of SAP Security - Day 2 1st Half_Radha Krishna
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
User Administration
IBM Global Business Services
© 2007 IBM Corporation2 March-2007User Administration
Objectives
The participants will be able to: Know what are the responsibilities of a user administrator
What are the components of User master
What are the different user types
How to maintain users in SU01
IBM Global Business Services
© 2007 IBM Corporation3 March-2007User Administration
User Administration :
Maintaining User Master records
Giving authorization by adding roles or profiles (SAP Profiles)
Display authorization and profiles
Maintain Roles
Generate Authorization Profiles
IBM Global Business Services
© 2007 IBM Corporation4 March-2007User Administration
ProfilesParameters Roles Groups Personalization License Data
Personal data, Communication data, Company address
Logon DataAddress Defaults
User group, user type, validity period
Start menu, logon language, default printer
Default values for parameter IDs
Assignment of roles
Assignment of profiles
Assignment of user groups
Assignment of personalization
Assignment of license data
Components of the User Master Record:
IBM Global Business Services
© 2007 IBM Corporation5 March-2007User Administration
SAP User Type:
Dialog user Logon with SAPGUI is possible. The user is therefore interaction-capable with the
SAPGUI. Expired or initial passwords are checked. Users have the option of changing their own passwords. Multiple logon is checked.
System User Logon with SAPGUI is not possible. The user is therefore not interaction-capable with the SAPGUI. The passwords are not subject to the password change requirement, that is, they cannot be initial or expired. Only an administrator user can change the password. Multiple logon is permitted.
IBM Global Business Services
© 2007 IBM Corporation6 March-2007User Administration
Service User Logon with SAPGUI is possible. The user is therefore interaction-capable with the
SAPGUI. The passwords are not subject to the password change requirement, that is, they
cannot be initial or expired. Only a user administrator can change the password. Multiple logon is permitted.
Communication User Logon with SAPGUI is not possible. The user is therefore not interaction-capable
with the SAPGUI. Expired or initial passwords are checked but the conversion of the password
change requirement that applies in principle to all users depends on the caller (interactive/not interactive). (*)
Users have the option of changing their own passwords.
SAP User Type Cont………
IBM Global Business Services
© 2007 IBM Corporation7 March-2007User Administration
Reference User
No logon possible. Reference users are used for authorization assignment to other users
SAP User Type Cont………
IBM Global Business Services
© 2007 IBM Corporation8 March-2007User Administration
User Maintenance:
IBM Global Business Services
© 2007 IBM Corporation9 March-2007User Administration
User Maintenance contd..
IBM Global Business Services
© 2007 IBM Corporation10 March-2007User Administration
User Maintenance contd..
IBM Global Business Services
© 2007 IBM Corporation11 March-2007User Administration
User Maintenance contd..
IBM Global Business Services
© 2007 IBM Corporation12 March-2007User Administration
User Maintenance contd..
IBM Global Business Services
© 2007 IBM Corporation13 March-2007User Administration
User Maintenance contd..
IBM Global Business Services
© 2007 IBM Corporation14 March-2007User Administration
User Maintenance contd..
IBM Global Business Services
© 2007 IBM Corporation15 March-2007User Administration
User Maintenance contd..
IBM Global Business Services
© 2007 IBM Corporation16 March-2007User Administration
User Maintenance contd..
IBM Global Business Services
© 2007 IBM Corporation17 March-2007User Administration
User Maintenance contd..
IBM Global Business Services
© 2007 IBM Corporation18 March-2007User Administration
Questions ?
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
Address Field in User wrt Address Management
IBM Global Business Services
© 2007 IBM Corporation20 March-2007User Administration
Objectives
The participants will be able to: Recognize what is company address
How company address can be created
How a user can be assigned to a company address
IBM Global Business Services
© 2007 IBM Corporation21 March-2007User Administration
You can create, maintain and display Company address using the tcode SUCOMP
Company Address – Creation of Company
IBM Global Business Services
© 2007 IBM Corporation22 March-2007User Administration
You need to enter the above information and click on save
Company Address – Creation of Company
IBM Global Business Services
© 2007 IBM Corporation23 March-2007User Administration
The very first company need to be created in SUCOMP. After that all the newly created users have the default company address automatically assigned to them. To demonstrate the concept we need to have a look at the SU01 screen.
Company Address –
IBM Global Business Services
© 2007 IBM Corporation24 March-2007User Administration
Create a user in SU01
Creation of User
IBM Global Business Services
© 2007 IBM Corporation25 March-2007User Administration
The user is automatically assigned to the default company address
Assign Company Address
IBM Global Business Services
© 2007 IBM Corporation26 March-2007User Administration
You can assign this user to any of the existing company address using the button Assign other company address
Assign other Company Address
IBM Global Business Services
© 2007 IBM Corporation27 March-2007User Administration
From here you can also create a new company address
Assign Company Address
IBM Global Business Services
© 2007 IBM Corporation28 March-2007User Administration
You need to enter the new company name what you do in SUCOMP
Company Address contd..
IBM Global Business Services
© 2007 IBM Corporation29 March-2007User Administration
The same screen like SUCOMP and the same steps are required to be performed.
Company Address –
IBM Global Business Services
© 2007 IBM Corporation30 March-2007User Administration
Questions ?
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
User Groups
IBM Global Business Services
© 2007 IBM Corporation32 March-2007User Administration
Objectives
The participants will be able to: The concept of user group
Specify the group for a user
Realize the importance of user groups in the context of user administration
IBM Global Business Services
© 2007 IBM Corporation33 March-2007User Administration
User Group:
User group can be used for different purpose and in different way in an SAP environment -
One of the Primary uses of user groups is to sort users into logical groups.
This allows users to be categorized in a method that is not dependent on roles, Responsibilities & Profiles etc. User Groups also allow segregation of user maintenance, this is especially useful in a large organization as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team.
IBM Global Business Services
© 2007 IBM Corporation34 March-2007User Administration
In the latest versions of SAP, actually two types of user group exist
The authorization user group (exist in Logon data tab in the user master record)
The general user groups (exist in Group tab in the user master record)
The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc.. The general user group can be used in conjunction with SUIM and SU10, to select all the users in a specific group. User can only be member of one authorization user group but several general user group.
User Group –
IBM Global Business Services
© 2007 IBM Corporation35 March-2007User Administration
User Group (SUGR):
IBM Global Business Services
© 2007 IBM Corporation36 March-2007User Administration
User Group –
IBM Global Business Services
© 2007 IBM Corporation37 March-2007User Administration
User Group –
IBM Global Business Services
© 2007 IBM Corporation38 March-2007User Administration
User Group –
IBM Global Business Services
© 2007 IBM Corporation39 March-2007User Administration
USER GROUPS for authorization Check are used for access control to transactions and tables based on user group assignment for a particular user and to which respective group he/she belongs and the tables and transactions and reports that group has access.
Groups tab on SU01 Transaction is used for logical grouping of users based on similar functionalities and for mass operations of same type for multiple users.
User Group –
IBM Global Business Services
© 2007 IBM Corporation40 March-2007User Administration
Questions ?
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
Mass Change for users
IBM Global Business Services
© 2007 IBM Corporation42 March-2007User Administration
Objectives
The participants will be able to: Use SU10 as a mass user maintenance tool
Display the log once the mass changes are done.
IBM Global Business Services
© 2007 IBM Corporation43 March-2007User Administration
Mass Changes (Su10)
Defaults
Logon data
Passwords
ParametersProfiles
Roles
Mass changes:
IBM Global Business Services
© 2007 IBM Corporation44 March-2007User Administration
Authorization DataAddress Data
Mass Changes (SU10):
IBM Global Business Services
© 2007 IBM Corporation45 March-2007User Administration
Mass Changes (SU10):
Please check the change check box – other wise changes will not take place
IBM Global Business Services
© 2007 IBM Corporation46 March-2007User Administration
Mass Changes Log:
IBM Global Business Services
© 2007 IBM Corporation47 March-2007User Administration
Questions?
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
Authorization objects S_USER_GRP…………..
IBM Global Business Services
© 2007 IBM Corporation49 March-2007User Administration
Objectives
The participants will be able to:
Understand the importance of different authorization objects related to user administration
Divide the administrative power among various roles to be used by administrator.
IBM Global Business Services
© 2007 IBM Corporation50 March-2007User Administration
Authorization objects for Maintaining User master record:
S_USER_GRP - User Master Maintenance: User Groups
S_USER_PRO - User Master Maintenance: Authorization Profile
S_USER_AUTH - User Master Maintenance: Authorizations
S_USER_AGR - Authorizations: Role Check
S_USER_TCD - Authorizations: Transactions in Roles
S_USER_VAL - Authorizations: Field Values in Roles
IBM Global Business Services
© 2007 IBM Corporation51 March-2007User Administration
S_USER_GRP Auth. Object
CLASS
ACTVT
Field
Field
01: Create02: Change03: Display05: Lock, unlock06: Delete08: Display change documents22: Add users to activity groups24: Archive78: Assign68: Model users and assign to systems or activity groups in user management. The models are used later as templates for the actual assignments.
Authorization objects for Maintaining User master record:
IBM Global Business Services
© 2007 IBM Corporation52 March-2007User Administration
S_USER_PRO Auth. Object
Profile
ACTVT
Field
Field
01: Create02: Change03: Display06: Delete07: Activate08: Display change documents22: Assign profile to users / remove assignment24: Archive
Authorization objects for Maintaining User master record:
IBM Global Business Services
© 2007 IBM Corporation53 March-2007User Administration
S_USER_AUTH Auth. Object
Authorization object
Activity
Field
Field
01 = create02 = change03 = display06 = delete07 = activate08 = display change documents22 = assign authorization profiles24 = archive
Authorization name
Field
Authorization objects for Maintaining User master record:
IBM Global Business Services
© 2007 IBM Corporation54 March-2007User Administration
S_USER_AGR Auth. Object
ACT_GOUP
Activity
Field
Field
Authorization objects for Maintaining User master record:
IBM Global Business Services
© 2007 IBM Corporation55 March-2007User Administration
01 Create roles02 Change roles03 Display roles06 Delete roles22 Compare role user master recordsThe profiles generated in the Profile Generator are transferred into the user master record for the relevant role users. 36 This activity is not yet used. It is planned for use for additional objects that can be maintained from the roles.21 Transport role59 Distribute roles to another system using RFC64 Generate authorization profiles from the role68 Modeling: Assigning roles to systems or users in user management using models. The actual assignments can be derived from these models later.78 Assignment of roles to systems or user groups in the central system when using Central User Administration.79 Assignment of individual roles to composite roles.DL Download Save roles to a fileUL Upload Upload roles from a file
Authorization objects for Maintaining User master record:
IBM Global Business Services
© 2007 IBM Corporation56 March-2007User Administration
S_USER_VAL Auth. Object
OBJECT
AUTH_VALUE
Field
FieldAUTH_FIELD
Field
S_USER_TCD Auth. Object
TCD Field
T-Code
Authorization objects for Maintaining User master record:
IBM Global Business Services
© 2007 IBM Corporation57 March-2007User Administration
Authorization Objects for User Administration:
S_USER_GRP
ACTVT
CLASS
S_USER_SYS
ACTVT
SUBSYSTEM
IBM Global Business Services
© 2007 IBM Corporation58 March-2007User Administration
Authorization Objects for Role Administration:
S_USER_AGR
ACTVT
ACT_GROUP
S_USER_TCD
TCD
S_USER_VAL
OBJECT
AUTH_FIELD
AUTH_VALUE
IBM Global Business Services
© 2007 IBM Corporation59 March-2007User Administration
S_USER_PRO
ACTVT
PROFILE
Authorization Object for Profiles & Authorizations Administration:
S_USER_AUT
OBJECT
OBJECT
ACTVT
IBM Global Business Services
© 2007 IBM Corporation60 March-2007User Administration
Questions?
IBM Global Business Services
User Administration March-2007 © 2007 IBM Corporation
User Buffer introduction
IBM Global Business Services
© 2007 IBM Corporation62 March-2007User Administration
Objectives
The participants will be able to:
Realize the concept of User Buffer.
To view the user buffer.
IBM Global Business Services
© 2007 IBM Corporation63 March-2007User Administration
User Buffer:
When a user logon to the SAP, the authorizations present in his/her user master record are copied in memory area called User Buffer. Each user has his or her own user buffer.
When the users try to perform activities in the SAP environment, authorizations are checked in the user buffer. If the required authorization is in the user buffer, he/she will perform the activity successfully otherwise system will show the pop up “You are not authorized”
IBM Global Business Services
© 2007 IBM Corporation64 March-2007User Administration
A user would fail an authorization check if:
The authorization object does not exist in the user buffer.
The values checked by the application are not assigned to the authorization object in the user buffer
The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be controlled using the system profile parameter auth/number_in_userbuffer.
User Buffer:
IBM Global Business Services
© 2007 IBM Corporation65 March-2007User Administration
User can display his/her own user buffer using the transaction SU56
User Buffer:
IBM Global Business Services
© 2007 IBM Corporation66 March-2007User Administration
Authorization update in the User Buffer:
Any change in authorizations in the user master record should be updated in the user buffer. This update can happen two ways
User has to logoff and re-login to get the effect of authorizations change.
The parameter auth/new_buffering set to be 4. So that authorization changes take place immediately and no need to logoff from the system.
IBM Global Business Services
© 2007 IBM Corporation67 March-2007User Administration
Questions ?