SAP Security - Day 2 1st Half_Radha Krishna

IBM Global Business Services

User Administration March-2007 © 2007 IBM Corporation

User Administration


© 2007 IBM Corporation2 March-2007User Administration

Objectives

The participants will be able to: Know what are the responsibilities of a user administrator

What are the components of User master

What are the different user types

How to maintain users in SU01



User Administration :

Maintaining User Master records

Giving authorization by adding roles or profiles (SAP Profiles)

Display authorization and profiles

Maintain Roles

Generate Authorization Profiles



ProfilesParameters Roles Groups Personalization License Data

Personal data, Communication data, Company address

Logon DataAddress Defaults

User group, user type, validity period

Start menu, logon language, default printer

Default values for parameter IDs

Assignment of roles

Assignment of profiles

Assignment of user groups

Assignment of personalization

Assignment of license data

Components of the User Master Record:



SAP User Type:

Dialog user Logon with SAPGUI is possible. The user is therefore interaction-capable with the

SAPGUI. Expired or initial passwords are checked. Users have the option of changing their own passwords. Multiple logon is checked.

System User Logon with SAPGUI is not possible. The user is therefore not interaction-capable with the SAPGUI. The passwords are not subject to the password change requirement, that is, they cannot be initial or expired. Only an administrator user can change the password. Multiple logon is permitted.



Service User Logon with SAPGUI is possible. The user is therefore interaction-capable with the

SAPGUI. The passwords are not subject to the password change requirement, that is, they

cannot be initial or expired. Only a user administrator can change the password. Multiple logon is permitted.

Communication User Logon with SAPGUI is not possible. The user is therefore not interaction-capable

with the SAPGUI. Expired or initial passwords are checked but the conversion of the password

change requirement that applies in principle to all users depends on the caller (interactive/not interactive). (*)

Users have the option of changing their own passwords.

SAP User Type Cont………



Reference User

No logon possible. Reference users are used for authorization assignment to other users

SAP User Type Cont………



User Maintenance:



User Maintenance contd..



Questions ?



Address Field in User wrt Address Management



Objectives

The participants will be able to: Recognize what is company address

How company address can be created

How a user can be assigned to a company address



You can create, maintain and display Company address using the tcode SUCOMP

Company Address – Creation of Company



You need to enter the above information and click on save

Company Address – Creation of Company



The very first company need to be created in SUCOMP. After that all the newly created users have the default company address automatically assigned to them. To demonstrate the concept we need to have a look at the SU01 screen.

Company Address –



Create a user in SU01

Creation of User



The user is automatically assigned to the default company address

Assign Company Address



You can assign this user to any of the existing company address using the button Assign other company address

Assign other Company Address



From here you can also create a new company address

Assign Company Address



You need to enter the new company name what you do in SUCOMP

Company Address contd..



The same screen like SUCOMP and the same steps are required to be performed.

Company Address –



Questions ?



User Groups



Objectives

The participants will be able to: The concept of user group

Specify the group for a user

Realize the importance of user groups in the context of user administration



User Group:

User group can be used for different purpose and in different way in an SAP environment -

One of the Primary uses of user groups is to sort users into logical groups.

This allows users to be categorized in a method that is not dependent on roles, Responsibilities & Profiles etc. User Groups also allow segregation of user maintenance, this is especially useful in a large organization as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team.



In the latest versions of SAP, actually two types of user group exist

The authorization user group (exist in Logon data tab in the user master record)

The general user groups (exist in Group tab in the user master record)

The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc.. The general user group can be used in conjunction with SUIM and SU10, to select all the users in a specific group. User can only be member of one authorization user group but several general user group.

User Group –



User Group (SUGR):



User Group –



USER GROUPS for authorization Check are used for access control to transactions and tables based on user group assignment for a particular user and to which respective group he/she belongs and the tables and transactions and reports that group has access.

Groups tab on SU01 Transaction is used for logical grouping of users based on similar functionalities and for mass operations of same type for multiple users.

User Group –



Questions ?



Mass Change for users



Objectives

The participants will be able to: Use SU10 as a mass user maintenance tool

Display the log once the mass changes are done.



Mass Changes (Su10)

Defaults

Logon data

Passwords

ParametersProfiles

Roles

Mass changes:



Authorization DataAddress Data

Mass Changes (SU10):



Mass Changes (SU10):

Please check the change check box – other wise changes will not take place



Mass Changes Log:



Questions?



Authorization objects S_USER_GRP…………..



Objectives

The participants will be able to:

Understand the importance of different authorization objects related to user administration

Divide the administrative power among various roles to be used by administrator.



Authorization objects for Maintaining User master record:

S_USER_GRP - User Master Maintenance: User Groups

S_USER_PRO - User Master Maintenance: Authorization Profile

S_USER_AUTH - User Master Maintenance: Authorizations

S_USER_AGR - Authorizations: Role Check

S_USER_TCD - Authorizations: Transactions in Roles

S_USER_VAL - Authorizations: Field Values in Roles



S_USER_GRP Auth. Object

CLASS

ACTVT

Field

Field

01: Create02: Change03: Display05: Lock, unlock06: Delete08: Display change documents22: Add users to activity groups24: Archive78: Assign68: Model users and assign to systems or activity groups in user management. The models are used later as templates for the actual assignments.




S_USER_PRO Auth. Object

Profile

ACTVT

Field

Field

01: Create02: Change03: Display06: Delete07: Activate08: Display change documents22: Assign profile to users / remove assignment24: Archive




S_USER_AUTH Auth. Object

Authorization object

Activity

Field

Field

01 = create02 = change03 = display06 = delete07 = activate08 = display change documents22 = assign authorization profiles24 = archive

Authorization name

Field




S_USER_AGR Auth. Object

ACT_GOUP

Activity

Field

Field




01 Create roles02 Change roles03 Display roles06 Delete roles22 Compare role user master recordsThe profiles generated in the Profile Generator are transferred into the user master record for the relevant role users. 36 This activity is not yet used. It is planned for use for additional objects that can be maintained from the roles.21 Transport role59 Distribute roles to another system using RFC64 Generate authorization profiles from the role68 Modeling: Assigning roles to systems or users in user management using models. The actual assignments can be derived from these models later.78 Assignment of roles to systems or user groups in the central system when using Central User Administration.79 Assignment of individual roles to composite roles.DL Download Save roles to a fileUL Upload Upload roles from a file




S_USER_VAL Auth. Object

OBJECT

AUTH_VALUE

Field

FieldAUTH_FIELD

Field

S_USER_TCD Auth. Object

TCD Field

T-Code




Authorization Objects for User Administration:

S_USER_GRP

ACTVT

CLASS

S_USER_SYS

ACTVT

SUBSYSTEM



Authorization Objects for Role Administration:

S_USER_AGR

ACTVT

ACT_GROUP

S_USER_TCD

TCD

S_USER_VAL

OBJECT

AUTH_FIELD

AUTH_VALUE



S_USER_PRO

ACTVT

PROFILE

Authorization Object for Profiles & Authorizations Administration:

S_USER_AUT

OBJECT

OBJECT

ACTVT



Questions?



User Buffer introduction



Objectives

The participants will be able to:

Realize the concept of User Buffer.

To view the user buffer.



User Buffer:

When a user logon to the SAP, the authorizations present in his/her user master record are copied in memory area called User Buffer. Each user has his or her own user buffer.

When the users try to perform activities in the SAP environment, authorizations are checked in the user buffer. If the required authorization is in the user buffer, he/she will perform the activity successfully otherwise system will show the pop up “You are not authorized”



A user would fail an authorization check if:

The authorization object does not exist in the user buffer.

The values checked by the application are not assigned to the authorization object in the user buffer

The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be controlled using the system profile parameter auth/number_in_userbuffer.

User Buffer:



User can display his/her own user buffer using the transaction SU56

User Buffer:



Authorization update in the User Buffer:

Any change in authorizations in the user master record should be updated in the user buffer. This update can happen two ways

User has to logoff and re-login to get the effect of authorizations change.

The parameter auth/new_buffering set to be 4. So that authorization changes take place immediately and no need to logoff from the system.



Questions ?

SAP Security - Day 2 1st Half_Radha Krishna

Documents

Transcript of SAP Security - Day 2 1st Half_Radha Krishna