Day1-Day8

Published by Teamlease Edtech Ltd (Amita Chitroda), 2021-08-17 07:55:31

Description: Day1-Day8

Day1 @GainingHub

Introduction To SAP
• SAP stands for Systems, Applications and Products in Data Processing.
• SAP is ERP (Enterprise Resource Planning) software developed for managing business operations and customer relationships.
• SAP Software is a European multinational, founded in 1972.
• An SAP system consists of a number of fully integrated modules, which cover every aspect of business.
• SAP is ranked number 1 in the ERP market.

ERP (Enterprise Resource Planning)
It is software which helps a business with resource planning.
• The client contacts the sales team to check the availability of the product.
• The sales team approaches the Inventory department to check for the availability of the product.
• If the product is out of stock, the sales team approaches the Production Planning department to manufacture the product.
• The production planning team checks with the inventory department for availability of raw material.
• If the raw material is not available in inventory, the Production Planning team buys the raw material from the vendors.
• Production Planning then forwards the raw materials to Shop Floor Execution for actual production.
• Once ready, the Shop Floor team sends the goods to the sales team.
• The sales team in turn delivers them to the client.
• The sales team updates Finance with the revenue generated by the sale of the product. The production planning team updates Finance with the payments to be made to the different vendors for raw materials.
• All departments approach HR for any Human Resource related issue.

SAP is a Centralized ERP solution

What is SAP Security
SAP Security is a technical module of SAP, as it provides restriction not only on access but also on the data for the end user. For example: if an employee accidentally accesses data that should be restricted, they could cause problems by deleting or moving something.
SAP Security is an important module that works within SAP systems to allow access where it's needed and prevent access where it's not. Establishing good internal security and access processes is a vital part of helping ensure your SAP system is protected and will function well.

Why we need SAP Security
• Confidentiality. This means no data should be disclosed in an unauthorized manner.
• Integrity. No data should be modified in an unauthorized way.
• Availability. Distributed denial-of-service (DDoS) attacks should not occur.

SAP: Three-Tier Architecture
• The Presentation Layer contains the software components that make up the SAPgui (graphical user interface). This layer is the interface between the R/3 System and its users. The R/3 System uses the SAPgui to provide an intuitive graphical user interface for entering and displaying data.
• The Application Layer consists of one or more application servers and a message server. Each application server contains a set of services used to run the R/3 System. Theoretically, you only need one application server to run an R/3 System.
• The Database Layer consists of a central database system containing all of the data in the R/3 System.

SAP LOGON

[Diagram: Presentation Layer (SAP LOGON – ECC & S/4), Application Layer, Database (Any database / HANA)]
• S/4 and ECC are SAP business suites.
• ECC + any database (e.g. ORACLE) → SAP ECC System
• ECC + HANA Database → SOH (Suite On HANA)
• S/4 + HANA Database → S/4 HANA
** S/4 is not compatible with any database other than the HANA database.

What is a Client
• A client is a logical portion of an SAP R/3 physical database. From a business standpoint, a client can be interpreted as a logical group of companies.
• The client length is 3 (numeric value).
• Every client has the same functionality, and there are two types of data in this client structure:
  Client Dependent (shared between the clients)
  Client Independent (not shared, specific to a particular client)

SAP R/3 Client Architecture
[Diagram: clients 100, 200 and 300, each with its own user master data and client-dependent data, above the shared client-independent data (cross-client data)]

Client-Dependent vs. Client-Independent
The data in each client may be separate from that of the other clients. There are basically two types of data in an SAP R/3 system: client-dependent and client-independent data.
• Client-dependent data is defined as data specific to an individual client. Examples of client-dependent data include number ranges, ABAP variants, and user masters as well as the data that is created or updated through SAP R/3 transactions.
• Client-independent data can be defined as data contained across all clients in the system. Examples of client-independent data include data dictionary objects (tables, views), ABAP source code, screens, and menus.

SAP R/3 Default Clients
• Every SAP R/3 system contains the three clients 000, 001, and 066. Let's review these clients and examine what they contain.
• These clients provide different features and must not be deleted.
• Client 000 performs special functions. In particular, it is given extended functionality during upgrades.
• Client 001 is basically a copy of 000 and can be used as a basis for a new customizing client.
• Client 066 is a special client which is provided for operational system monitoring. It is used by SAP R/3's Early Watch Service to provide performance recommendations.

Default Passwords

| CLIENT | USER ID | PASSWORD |
|---|---|---|
| 000 | SAP* | 06071992 |
| 001 | DDIC | 19920706 |
| 066 | EARLY WATCH | Support |
| New Client | SAP* | Pass |

Reference blog: https://www.cisoplatform.com/profiles/blogs/sap-netweaver-abap-security-configuration-part-2-default

SAP SECURITY LEVEL

System Access Control
• System access controls (such as user master records and password rules), and access controls that the SAP system provides (authorization checks for programs and transactions).
• If a user has access to a system, this certainly does not mean that he or she can run something in the system.
• In order to work with an SAP system, users require unique user IDs. A user master record must be created in the system for each user. This user master record also contains the password that the system prompts the user to enter when logging on.

USER MASTER DATA
• A user can only log on to an SAP system if a user master record with a corresponding password exists. The scope of activity of individual users in the SAP system is defined in the master record by one or more roles and is restricted by the assignment of the appropriate authorizations.
• User master records are client-specific.

Transaction: SU01
Used for maintaining the User Master Data

| Authorization Object | Description |
|---|---|
| S_USER_GRP | Authorization to create or maintain a user master record, and to assign it to a user group. |
| S_USER_PRO | Authorization for the authorization profiles that you assign to users. |
| S_USER_AUT | Authorization to create and maintain authorizations. |
| S_USER_AGR | Authorization to protect roles. With this authorization object, you specify which roles can be edited, and which activities (display, change, create, and so on) are intended for the role(s). |
| S_USER_TCD | Authorization for transactions that you may assign to the role and for which you can assign authorization to start the transaction in the Profile Generator. |
| S_USER_VAL | Authorization to restrict values that the system administrator can include in a role or change in the Profile Generator. |

SU01 – ADDRESS TAB
• On the Address tab page, you only need to maintain the Last name field.
• The USER ID length is 12 characters.

SU01 – Logon Tab
• Alias: An alias is an alternative ID for an SAP user. An alias can be assigned to a user. This means that 40 characters are available when assigning usernames (longer, more descriptive names).
• User Group for Authorization Check: To assign the user to a user group, enter the user group.
• User Type: The system proposal is Dialog (normal dialog user). The other user types can be assigned if special kinds of processing have to be performed.
• Validity Period: We can specify the validity period of the user master record with these fields.
• Other Data: For each user or user group, you should assign an accounting number which you can choose as required.
• Reference User (L): To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page. Set REF_USER_CHECK in table PRGN_CUST to "E" (only users of type Reference can be assigned).

SAP USER TYPES


DEFAULT TAB
• Start Menu: In this field you can specify an area menu, which you can choose using the possible entries help. The SAP menu (SAP Easy Access) then only contains the components of this area menu.
• Logon Language: The system language when the user logs on. On the logon screen, the user can choose another language if required.
• Output Device: The (short) name of a printer in the SAP system, specified in the device definition. The users in the SAP system use this name (or the long name) to select the output device.
• Time Zone: The time zone describes the location of an object in relation to its local time.
• Decimal Notation and Date Format: Different countries use different formats for numbers and dates. Enter the format used for your country.

Parameters
• A user only has authorization for company code 1000. When a transaction starts, this company code is saved to the memory using the corresponding parameter ID. On all subsequent screens, all fields referencing the company code data element are then automatically filled with the value 1000.

ROLES
• A role is a set of functions describing a specific work area. In the role, you organize transactions, reports, or Web addresses in a user menu. A role can be assigned to any number of users.

GROUPS TAB
• We assign the user to a user group on this tab page. This is purely a grouping, suitable, for example, for mass maintenance of user data (transaction SU10). Assignments that you make on the Groups tab page are not used for authorization checks that are specified on the Logon Data tab page using the User Group field. The user groups are also used by the Global User Manager.

PERSONALIZATION TAB
• On the Personalization tab page, you can make person-related settings using personalization objects. Personalization is available both from role maintenance and in user maintenance.

License Data Tab
• The measurement program is used exclusively to determine the number of users and the utilized units of SAP products. The results are evaluated in accordance with the contractually agreed conditions.

| USER GROUP IN LOGON TAB | GROUPS IN SU01 |
|---|---|
| It is the primary group for the user. | It is not considered a primary group. |
| A single group can be assigned at a time. | Multiple groups can be assigned to the user. |
| When we assign a user group in the logon tab, it is shown in the SUIM report. | It will not be visible in SUIM. |
| Entries will be checked for the user group in S_USER_GRP, and it is stored in table USR02. | Whereas the group is stored in table USGRP_USER. |
| It will go under authorization checks. | It will not go under authorization checks. |

Mass Changes in User Master Data

Day2

Role Based Access Control
• Karen performs the "Create Purchase Requisition" role in the PROCUREMENT business scenario.
• John has been assigned the roles Service Representative, Create Purchase Requisition and Release Purchase

SAP Terminology
• Role → A role is a group of activities performed within business scenarios.
• Transaction → A transaction is a business entity designed to perform a task in the SAP system.
• User ID → An entity which represents a person in SAP and carries the authority to access the SAP system with the required roles.
[Diagram: USER ID, ROLES, Transaction-1, Transaction-2, Transaction-3]

Authorization Objects In SAP
• Authorization object class: Logical grouping of authorization objects (for example, all authorization objects for object class FI begin with "F_").
• Authorization object: Groups 1 to 10 authorization fields together. These fields are then checked simultaneously (example: F_LFA1_APP, Creditor: Application authorization).
• Authorization field: Smallest unit against which a check should be run (ACTVT, BUKRS).
• Authorization: An instance of an authorization object, that is, a combination of allowed values for each authorization field of an authorization object.
• Authorization profile: Contains instances (authorizations) for different authorization objects.

Authorization Object: ORG LEVEL FIELD
• We can access the organizational level values defined for a role by clicking the "org level" button in the main toolbar within PFCG.
• In fact, all org levels are also authorization fields, but not all auth fields are org levels.
• Once we maintain a particular value for an org level in a role, all authorization objects using the same org level as a field will automatically take the same value.
• AGR_1252 / AGR_1250 are the tables for org levels.

ORG LEVEL FIELD
• Suppose we need to provide the edit plant function in SAP, and these plant functions are controlled by authorization object S_TDAR_G, which has two fields, ACTVT & PLANT; the plant value will then be taken from this structure.
[Diagram: COMPANY - ROLE, with PLANT 001 / ORG LEVEL 001, PLANT 002 / ORG LEVEL 002 and PLANT 003 / ORG LEVEL 003]
727536 - Use of customer-specific organizational levels in PFCG
1539556 - Administration of authorization default values

Authorization Fields, Objects & Object Classes
• The authorization fields BUKRS (company code) and ACTVT (activity) are used in the following authorization objects, among others:
• M_RECH_BUK: Authorization to release blocked invoices for specific company codes.
• F_BKPF_BUK: Authorization to edit documents for specific company codes.
• F_KNA1_BUK: Authorization to maintain the accounts receivable master record for specific company codes.

Roles, Transaction & Authorization Objects
[Diagram: ROLES, ROLE MENU, three TRANSACTION boxes, each linked to authorization objects]
• Roles contain 'n' number of transactions.
• A transaction can be linked to 'n' number of authorization objects.
• A role is assigned to a user for the required access.

Authorization
• Authorization "A" allows the user to perform the activities create, change and display in company codes 1000 and 2000.
• Authorization "B" allows the user to perform only the display activity in company codes 1000, 2000, and 3000.
If the user has authorization "A" and authorization "B", they work together. This means that the user can perform the create, change and display activities in company codes 1000 and 2000, but can only perform the display activity in company code 3000.
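The way authorizations "A" and "B" combine can be modelled in a few lines. This is an added example, not part of the original slides: it assumes the object F_BKPF_BUK (fields BUKRS and ACTVT) for the scenario, the activity codes 01/02/03 for create/change/display, and a simplified return code modelled on sy-subrc after AUTHORITY-CHECK.

```python
# Added example: a simplified model of SAP authority checks.
# Assumptions: object F_BKPF_BUK (fields BUKRS, ACTVT) stands in for the
# slide's unnamed object; ACTVT 01/02/03 = create/change/display.
ACTIVITY = {"01": "create", "02": "change", "03": "display"}

AUTH_A = {"object": "F_BKPF_BUK",
          "fields": {"ACTVT": {"01", "02", "03"}, "BUKRS": {"1000", "2000"}}}
AUTH_B = {"object": "F_BKPF_BUK",
          "fields": {"ACTVT": {"03"}, "BUKRS": {"1000", "2000", "3000"}}}


def field_ok(allowed, requested):
    """A field passes when the value is listed or the wildcard '*' is granted."""
    return "*" in allowed or requested in allowed


def authority_check(user_auths, obj, **requested):
    """Return 0 when ONE authorization covers every requested field value,
    4 when the object is held but no single authorization matches,
    12 when the user holds no authorization for the object at all."""
    candidates = [a for a in user_auths if a["object"] == obj]
    if not candidates:
        return 12
    for auth in candidates:
        if all(field_ok(auth["fields"].get(name, set()), value)
               for name, value in requested.items()):
            return 0
    return 4


def naive_union_check(user_auths, obj, **requested):
    """Incorrect model, for contrast: pools field values across authorizations."""
    merged = {}
    for auth in user_auths:
        if auth["object"] == obj:
            for name, values in auth["fields"].items():
                merged.setdefault(name, set()).update(values)
    ok = bool(merged) and all(field_ok(merged.get(n, set()), v)
                              for n, v in requested.items())
    return 0 if ok else 4


def effective_access(user_auths, obj, company_codes):
    """Map each company code to the activities the user may perform in it."""
    return {bukrs: [ACTIVITY[a] for a in sorted(ACTIVITY)
                    if authority_check(user_auths, obj, BUKRS=bukrs, ACTVT=a) == 0]
            for bukrs in company_codes}


if __name__ == "__main__":
    user = [AUTH_A, AUTH_B]
    for bukrs, acts in effective_access(user, "F_BKPF_BUK",
                                        ["1000", "2000", "3000"]).items():
        print(bukrs, acts)
    print("create in 3000:", authority_check(user, "F_BKPF_BUK", BUKRS="3000", ACTVT="01"))
    print("naive model   :", naive_union_check(user, "F_BKPF_BUK", BUKRS="3000", ACTVT="01"))
```

The naive model would grant create in company code 3000 because it mixes the activity from "A" with the company code from "B"; the per-authorization check does not, which is the behaviour to expect when reviewing a user's combined roles.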

Role is a collection of business activities.
Role Menu
• The transactions, reports, Web links, and so on in a role are combined into a menu, to which the users of the role are to have access.
Authorizations
• The authorizations define the access rights for business functions and data.
User
• To grant the access rights of a role to a user
Report: RSUSR070 to display all templates

Roles in SAP
Transaction: PFCG
• Transaction PFCG is responsible for creating & maintaining roles in SAP.
Role tables in SAP
• AGR_USERS → Role assigned to list of users
• AGR_1251 → Authorization objects in Role
• AGR_1252 → ORG Level
• AGR_1250 → Roles & Authorization objects

The role name is a unique identity in SAP; the role contains the transactions & authorization objects. Length of Role: 30
• Edit button → To change existing roles in SAP
• Display button → To see the role in display mode
• Single Role → To create a single role in SAP
• Composite role → To create a composite role in SAP
• Copy role → We can create a new role from an existing role in SAP
• Delete role → Deleting a role from SAP
• Truck button → This will help to transport the role from one SAP system to another system: a role is client-dependent data.
• Description → This tab helps us write the log of the role, if you want to maintain the changes in the role
• Menu → This tab contains the transactions added to the role
• Authorization → Through this we can add the authorization objects linked to a transaction.
• User → Here we get the list of users assigned to the role

• This text will help us in creating derived roles and maintaining the master role relationship.

AUTHORIZATION TAB
• PROFILE NAME → Every role is associated with a profile; without a profile, the role cannot be assigned to the user and it will not be considered active in the SAP system.
• Change Authorization Data → This will add the authorization objects linked to the transaction.
Expert Mode for Profile Generation
• Delete and recreate profile and authorization → If we choose this option, it will re-create all authorizations again.
• Edit old status → This option will not recreate everything again but will activate or reactivate the changes associated with authorization objects.
• Read old status and merge with new data → This will keep the old status as it is and add the new changes to the role.

Different Type of Roles
• Standard Roles → These roles are pre-delivered by SAP and contain wider access in SAP; the role names start with SAP*.
• Single roles → These are known as task roles as well as business roles in SAP, as they contain the list of transactions. A role which contains transactions can be considered a single role.
• Composite roles → These are collections of single roles; there can be 'n' number of single roles in a composite role. When we assign the composite role to an end user, all single roles that are part of the composite role are automatically assigned to the user (Table: AGR_AGRS).

Roles Strategies
• Master & Derived Roles → This is the role strategy in which derived roles inherit all the transactions & authorization objects of the master role. Once this relationship is created, we cannot change anything in the derived role; if we do so, the relationship will break. We can only change the org levels in the derived roles, and if we make any changes in the master role, they need to be pushed to the derived roles. The menu of a derived role cannot be changed. TABLE: AGRS_DEFINE
• Enabler Role Concept → This role concept is like the master and derived role concept, but here we have a 1:N concept: one role contains all authorizations, while another role contains the authorization objects which hold the org values. The combination of both gives access to the end user.
• Template Role → This role is used as a template in SAP.

MASTER ROLE
• MANAGER – CREATE
• MANAGER – DISPLAY
• MANAGER – CHANGE
MASTER ROLE MANAGER contains the below authorization objects: X1, X2, X3-1 (Create), X3-2 (Change), X3-3 (Display)
Therefore, the MASTER ROLEs contain:
• MANAGER – CREATE (X1, X2 & X3-1)
• MANAGER – CHANGE (X1, X2 & X3-2)
• MANAGER – DISPLAY (X1, X2 & X3-3)
Plants: PLANT - 01, PLANT - 02, PLANT - 03
Master & Derived Roles
Considering this scenario, we need to create three derived roles for each plant; therefore the total roles will be 3 master roles & 3 * (MANAGER – CREATE / CHANGE / DISPLAY).
Enabler Role Concept
Considering the scenario, there will be one master role containing authorization objects X1 & X2, while each plant has 3 * (ENABLER ROLE (CREATE / CHANGE / DISPLAY)).
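A review check for the master and derived role strategy above: a derived role may differ from its master only in organizational level values. This is an added example with constructed data, not part of the original slides; the objects X1, X2, X3 and the org-level field PLANT follow the scenario, while the menu entries and the data layout are hypothetical.

```python
import copy

# Added example with constructed data: objects X1, X2, X3 and the org-level
# field PLANT follow the slide's scenario; menu entries are hypothetical.
ORG_LEVELS = {"PLANT"}

MASTER = {
    "menu": ["ZTCODE_1", "ZTCODE_2"],
    "auths": {
        ("X1", "ACTVT"): {"03"},
        ("X2", "ACTVT"): {"03"},
        ("X3", "ACTVT"): {"01"},   # X3-1 (Create)
        ("X3", "PLANT"): set(),    # org level, left empty in the master
    },
}


def derive(master, org_values):
    """Copy the master and fill only its organizational level fields."""
    role = copy.deepcopy(master)
    for obj, field in role["auths"]:
        if field in ORG_LEVELS:
            role["auths"][(obj, field)] = set(org_values.get(field, ()))
    return role


def drift(master, derived):
    """List every way the derived role departs from what derivation allows."""
    findings = []
    if derived["menu"] != master["menu"]:
        findings.append("menu differs from master")
    for key in sorted(set(master["auths"]) | set(derived["auths"])):
        obj, field = key
        m_vals = master["auths"].get(key, set())
        d_vals = derived["auths"].get(key, set())
        if field in ORG_LEVELS:
            if not d_vals:
                findings.append(f"{obj}/{field}: org level not maintained")
        elif m_vals != d_vals:
            findings.append(
                f"{obj}/{field}: {sorted(d_vals)} differs from master {sorted(m_vals)}")
    return findings


def demo():
    """Three derived roles: one clean, one with an extra activity, one incomplete."""
    plant01 = derive(MASTER, {"PLANT": ["01"]})
    plant02 = derive(MASTER, {"PLANT": ["02"]})
    plant02["auths"][("X3", "ACTVT")].add("02")   # change slipped into a create role
    plant03 = derive(MASTER, {})                    # org level forgotten
    return {name: drift(MASTER, role) for name, role in
            [("PLANT-01", plant01), ("PLANT-02", plant02), ("PLANT-03", plant03)]}


if __name__ == "__main__":
    for role, findings in demo().items():
        print(role, findings or "consistent with master")
```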

Traffic Lights
• Green: All fields below this level have been filled with values.
• Yellow: There is at least one field (but no organizational levels) below this level for which no data has been proposed or entered.
• Red: There is at least one organizational level field (also known as org level) below this level for which no value has been maintained.

Status Text for Authorization Object
• Standard: All field values in the subordinate levels of the hierarchy are unchanged from the SAP defaults.
• Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and has since been filled with a value.
• Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value.
• Manual: The authorization object was added manually and has no relation to a transaction.

Transactions
• Transactions are business entities which help us execute tasks in SAP; these transactions are added to a role so that it can be assigned to the end user.
• Transactions cannot be assigned directly to end users; they need to go through a role.
• Transactions are linked to authorization objects, which are automatically pulled in while adding the transaction to the role.
• The relation between transactions & authorization objects can be checked in the tables USOBT_C & USOBX_C, or by executing the transaction SU24.
• S_TCODE is a special type of authorization object which is linked to every transaction in the above tables; even if not maintained, it is pulled in automatically with the transaction.
• Every task executed in the SAP system goes through a transaction.

• Every transaction is linked to an ABAP report; when the end user enters the transaction on the SAP screen, that ABAP code is executed automatically.
• We can check the report linked to the transaction with SE93 (T-CODE).
• All the authorization object checks are written in the ABAP program.
• Therefore the user should also have the required access to the authorization objects.
[Diagram: Transaction code, ABAP PROGRAM, Authority CHECK, Authorization Object 1, Authorization Object 2, ... N]

Transaction: SE93
• This transaction helps us see the relation between a transaction & its ABAP program / report.
• In this transaction we can also get the mandatory authorization object which is required to execute the transaction on the SAP screen; this authorization is checked in the program with AUTHORITY-CHECK.
• Here Authorization Object: S_USER_GRP
• Program: SAPMSUU0

