SAP Security - Day 2 2nd Half_Anwar_chandra

IBM Global Business Services SAP/ PFCG - Profile Generator March-2007 © 2007 IBM Corporation Working with Profile Generator


Working with Profile Generator
 
PFCG - Checking if PG is Active
In R/3 release 4.6, PG is already activated and there is no need to set the system parameter in the R/3 instance profile.
To check whether PG is activated:
1. System Parameter: auth/no_check_in_some_cases
2. Value: Y
PFCG - Overview
Definition:
- Automatically generates authorizations and authorization profiles
- Assigns them to users
- Transaction Code: PFCG
Benefits:
- Simplifies the task of setting up the authorization environment
- Enables proper User Role mapping
- Reduces the time needed for R/3 authorization implementation
 
PFCG - Components of Profile Generator
Profile generator has the following components:
- Activity Groups / Roles
- User Assignment
PFCG
To launch the profile generator, choose the following from SAP Menu:
Tools → Administration →
 
PFCG - "Role Maintenance" Screen
[Screen buttons: Change Role, Display Role, Create Role, Create]
PFCG - Different Functionalities / Tabs
1. Define Role names
PFCG - Description Tab
PFCG - Menu Tab
PFCG - Menu Selection
For example, if we choose to copy the Menu by selecting specific items from the SAP Menu, it may be done as follows. After selection, the "Transfer" button needs to be clicked.
 
PFCG - Authorization Tab
PFCG - Authorization Activities
For maintaining Authorizations, it will take you to the following screen, where the "Organization Level" needs to be maintained.
 
PFCG - Authorization Activities
After Organization Levels are maintained, the following screen will appear for maintaining Authorizations.
PFCG - Profile Generation
Once Authorizations are maintained, the Profile can be generated by clicking on the "Generate" button (Shift+F5). The new Profile Name needs to be entered.
PFCG - Authorization Tab (status change)
By going back to the Authorization Tab, the status change will be visible and the Profile Name is displayed.
 
PFCG - User Tab
The Role can be assigned to as many User IDs as required. Please note that this applies only to existing User IDs. Then the user master record needs to be updated after User Comparison.
 
PFCG - User Tab
The user assignment and the generated profile must be updated in the user master records. There are a number of ways in which we can do this (depending on the release status):
- In all releases, we can schedule a background job that regularly updates the user master records.
- We can either use the user comparison function or have the user master records automatically updated when saving the activity groups or roles. (Choose Utilities → Settings, and activate the option Automatic comparison at save.)
Even if we use the User Comparison function or the option Automatic Comparison at Save, it is recommended to schedule a background job and ensure that all user master records are regularly and automatically updated.
 
Questions??
User Menu and Area Menu
 
User Menu & Area Menu - Overview
User Menu
Combination of all the Role Menus of the Roles (one or more roles) which are assigned to the User.
Area Menu
Another type of Menu that contains a set of functions intended to perform a particular task in a company. There are two types of Area Menus:
1. Default Area Menus (predefined within SAP)
2. Customized Area Menu (by Transaction SE43)
 
User Menu - Defining a Menu using PFCG
In transaction PFCG, the Menu Tab gives the option to create a Menu for a particular Role.
User Menu - Defining a Menu using PFCG
For example, if we choose to copy the Menu by selecting specific items from the SAP Menu, it may be done as follows. After selection, the "Transfer" button needs to be clicked.
User Menu - Defining a Menu using PFCG
For example, if we choose to copy the Menu by selecting another Area Menu, it may be done as follows.
User Menu - Assigning Users to Role by PFCG
The Role can be assigned to as many User IDs as required. The Menu of this Role then becomes a part of the User Menu for the users who are assigned this Role.
User Menu - Assigning Role to User by SU01
On the "Roles" Tab of the Maintain User Screen (SU01), the Roles are assigned to the users. Hence the corresponding Menus (of Roles as created in PFCG) together form the User Menu.
In the "Default" Tab of the Maintain User Screen (SU01), the Start menu can be defined by specifying the "Area Menu" (predefined / customized). By default it is "S000", i.e. the Default SAP Menu.
 
User Menu - Activation
We can define how the menus behave through the SSM_CUST table.
For example, if two job roles are ever assigned to the same user, or two derived roles from the same JOB-ROLE are assigned to the same users, SAP will dynamically consolidate the menus and minimize duplicate nodes, provided the correct parameters in the SSM_CUST table are set.
It does not prevent assigning the SAP Easy menu to the users unless parameter ALL_USER_MENUS_OFF is set.
 
Area Menu - Customize using SE43
Create a new
existing Area Menu
Questions?
Working with Profiles
The next step is creating a profile for that role.
 
Working with Profiles
The Profile Name tab and the Profile Text tab will be blank in case of a new role creation (as in this case).
In order to go inside the role, we need to click on the tab "Change authorization Data" or "Expert mode for profile generation".
Selecting Expert mode for profile generation pops up three options, viz.:
- Delete and recreate profile and authorizations: For any role modifications, if there is any need to delete the existing profile and authorization of the role and recreate a new profile, this option is used.
- Edit old status: This option is the same as the "Change authorization data" option, which is the most used option in daily work. It does not have any added functionalities like the other two options but simply guides the user to the inside of the role, keeping the old data of the role intact.
- Read old status and merge with new data: In case of existing role modifications, in order to merge new data that has been added to a role (while adding a tcode to a role, the objects that are pulled due to SU24) with the existing data, this option is used.
 
Working with Profiles
 
Working with Profiles
Sometimes initially some objects appear yellow in colour. We can expand the object by clicking on the icon
Fields
The yellow field is due to the unavailability of the values in the object fields (which can be maintained through SU24).
known as Open Fields.
We can change/edit the existing values of a field or add some values to a missing field, depending upon the Business requirement.
 
Working with Profiles
In order to change the values of any authorization object, click on the Icon
The following pop-up appears:
Authorization" to provide full access and click on
Working with Profiles
There is a special field called "Activity" which decides what type of access should be provided. Clicking on that field brings up another pop-up from which we can select the type of activity
clicking on the desired checkbox (01, 02 and 04 in this case).
We can also provide full access by clicking on the tab "Full Authorization" and then clicking on the icon
Working with Profiles
We can also add an object manually into the role by clicking on the tab
The following screen pops up
We need to put the object name in the field (S_TABU_DIS in this case) and click on the green check.
The object will be manually added to the role.
described in the previous slides.
 
Working with Profiles
We can also assign the Organizational Values to a role by clicking on the icon
We can put the values of Plant, Company Code etc. in the respective field as proposed by the business
all the Org Values by clicking on the tab Full Authorization
 
Working with Profiles
The last but the most important step is Generation of a profile
Profile Creation can also be done through this method.
Click on the Icon
The following screen will pop up
The profile name as well as the description can be changed.
Once done, you need to click on the green check to save the changes
Every time any change in the role is made, it is mandatory to Generate the profile; otherwise the entire role will not be of any use, and any user who is assigned the role will not get any access to the authorizations.
USER ASSIGNMENT & USER COMPARISON
 
USER ASSIGNMENT & USER COMPARISON
WHAT IS A USER IN A SAP SYSTEM?
A user here is referred to as an end user. There are five types of users in SAP as mentioned below:
i) Dialog
ii) System
iii) Communication
iv) Service
USER ASSIGNMENT & USER COMPARISON
In a SAP R/3 System, Users are assigned to Roles (where each role is associated to some transactions) and the authorizations to run these transactions are stored within the profile. User Assignment to a Role can be done by conducting the following procedure.
 
 
 
USER ASSIGNMENT & USER COMPARISON - USER TAB
 
Click on the "Selection" button and then the below screen appears, i.e. it displays all the users belonging to a single user Group.
You can select as many users from the list.
User Assignment Validity Periods
 
USER ASSIGNMENT & USER COMPARISON
The user master record comparison consists of three types of comparison:
a) Profile comparison - The profile assignments and newly generated profiles are updated and associated with the respective roles and thus eventually get associated with the users.
b) Composite role comparison - This updates the role assignments defined in composite roles, i.e. any kind of update within the granular-level roles present within the composite role.
c) HR comparison - This generates the direct role assignments from the indirect role assignments of the HR-ORG model.
 
Click on User Master
USER COMPARISON - TRANS PFUD
Click here to enter the roles

Here the
Job name
 
There are two ways to execute the comparison.
- As a background job before the start of each day. If report PFCG_TIME_DEPENDENCY is run every night, the authorization profiles in the user master will be current each morning (assuming that the job has run correctly).
  Report PFCG_TIME_DEPENDENCY must also have run after each import of roles from other systems.
- Using Transaction PFUD, Compare User Master.
  An administrator should use this transaction regularly to check that no errors have occurred.
 
QUESTIONS?
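The profile comparison and the mandatory profile generation described above, modelled as an added example (not SAP code and not part of the original slides). It assumes every profile in a user master record comes from a role; the role names, profile names, dates and data structures are constructed for illustration.

```python
from datetime import date

# Constructed sample data; role and profile names are hypothetical.
AUDIT_DATE = date(2024, 8, 1)
# Role -> generated profile name (None: profile never generated).
ROLE_PROFILE = {"Z_AP_CLERK": "T-AP000001", "Z_AP_MANAGER": "T-AP000002",
                "Z_NEW_ROLE": None}
# Role assignments with validity periods: (user, role, valid_from, valid_to).
ASSIGNMENTS = [
    ("ALICE", "Z_AP_CLERK", date(2024, 1, 1), date(9999, 12, 31)),
    ("ALICE", "Z_AP_MANAGER", date(2024, 1, 1), date(2024, 6, 30)),  # expired
    ("BOB", "Z_AP_CLERK", date(2024, 9, 1), date(9999, 12, 31)),  # not yet valid
    ("BOB", "Z_NEW_ROLE", date(2024, 1, 1), date(9999, 12, 31)),
]
# Profiles currently stored in each user master record.
USER_MASTER = {"ALICE": {"T-AP000001", "T-AP000002"}, "BOB": set()}

def expected_profiles(assignments, role_profile, today):
    """Profiles each user should hold today, plus assigned roles with no profile."""
    expected, ungenerated = {}, set()
    for user, role, valid_from, valid_to in assignments:
        expected.setdefault(user, set())
        if not (valid_from <= today <= valid_to):
            continue  # outside the validity period: grants nothing today
        profile = role_profile.get(role)
        if profile is None:
            ungenerated.add(role)  # role is assigned but confers no access
        else:
            expected[user].add(profile)
    return expected, ungenerated

def compare_user_master(user_master, assignments, role_profile, today):
    """Return {user: (profiles_to_add, profiles_to_remove)} and ungenerated roles."""
    expected, ungenerated = expected_profiles(assignments, role_profile, today)
    delta = {}
    for user in sorted(set(user_master) | set(expected)):
        have = user_master.get(user, set())
        want = expected.get(user, set())
        if have != want:
            delta[user] = (want - have, have - want)
    return delta, ungenerated

if __name__ == "__main__":
    delta, ungenerated = compare_user_master(
        USER_MASTER, ASSIGNMENTS, ROLE_PROFILE, AUDIT_DATE)
    for user, (add, remove) in delta.items():
        print(user, "add:", sorted(add), "remove:", sorted(remove))
    print("assigned roles without a generated profile:", sorted(ungenerated))
```

In the sample data the expired assignment still has its profile in the user master, so the model reports it for removal; that stale entry is what a regularly scheduled comparison clears.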