R/O Transactions & Authorization Objects
Transaction: SU24; tables: USOBT_C & USOBX_C
• Data in SU24 is read from the tables USOBT_C (which contains the proposed field values for the authorization objects) and USOBX_C (which contains all the authorization objects linked to the transaction).
• Not every authorization object linked to the transaction in SU24 is pulled into the role, because check indicators control this.
• An authorization object is only pulled into the role when the check indicator is YES (Check) and the proposal is YES.
• CHECK INDICATOR: 1. CHECK, 2. DO NOT CHECK
• PROPOSAL: 1. YES, 2. NO, 3. YES, without values, 4. YES, inactive
• TSTCA is a table whose entries appear as a field in SU24; an entry there implies that the authorization object is mandatory for execution of the transaction (SU01 in the example).
@GainingHub
Complete Authorization (figure): a USER ID is assigned roles ROLE-1 ... ROLE-n; each role holds transactions Transaction-1 ... Transaction-n, each of which runs an ABAP program that carries the authorizations (Auth-1) checked at runtime.
Authority Check in SAP
• Step 1: the transaction is also checked for its lock/unlock status (SM01); if the transaction is locked, execution fails.
Role, PROFILE & AUTHORIZATION PROFILES (figure)
Roles & Profiles
• A profile is a collection of the authorization instances in a role.
• An authorization object can have a maximum of 101 instances and a maximum of 10 fields.
• A role can contain a maximum of 150 authorization objects in one profile; therefore a profile holds at most 150 authorization objects, and if this limit is exceeded a new profile is attached to the role.
• A role can be linked to more than one profile in SAP.
USER COMPARISON
• User Comparison reconciles the PROFILES within a user's account and makes the necessary changes. This matters especially when you have assigned specific Valid-To dates to the roles on an account: if the Valid-To (expiry) date of a role has passed, the User Comparison REMOVES the profile/role from that account.
• A red button in PFCG means that a User Comparison should be executed to reconcile the profiles for the users. You can also see this in SU01 if a specific role shows a red button.
• SAP recommends running the report PFCG_TIME_DEPENDENCY (transaction PFUD) once a day to perform a User Comparison and 'clean up' the User Master Records of your system.
Transaction: PFCG – used for Role Maintenance in SAP
Authorization objects checked in PFCG:
• S_USER_AUT – User master maintenance: Authorizations. Defines which authorizations the administrator can process (creating / deleting / displaying change documents).
• S_USER_GRP – User master maintenance: User groups. Used in role administration when assigning users to roles and during the user master comparison.
• S_USER_PRO – User master maintenance: Authorization profiles. Profiles are protected with this object; it controls the administrator's processing types for the profiles (creating, deleting and archiving).
• S_USER_AGR – Authorization system: Check for roles. Protects roles; roles combine users into groups to assign various properties to them, in particular transactions and authorization profiles.
• S_USER_TCD – Authorization system: Transactions in roles. Determines the transactions that an administrator can assign to a role.
• S_USER_VAL – Authorization system: Field values in roles. Restricts the values a system administrator can insert or change in a role in the Profile Generator.
• S_USER_SAS – User master maintenance: System-specific assignments.
SU02 & SAP Profiles
• SU02 is the transaction used to create SAP profiles in the system.
• SAP_ALL & SAP_NEW are special profiles which are not associated with any role and can be assigned directly to the end user in the Profiles tab.
• SAP_ALL contains all the active authorization objects with full access.
• SAP_NEW contains the new authorization objects released by SAP in an upgrade.
• SAP_ALL is an example of a composite profile, which contains multiple profiles.
Day 3
SUIM reports
• RSUSR002: Users by complex selection criteria
• RSUSR008: Users by critical combinations of authorizations at transaction start
• RSUSR005: List of users with critical authorizations
• RSUSR020: Profiles by complex selection criteria
• RSUSR030: Authorizations by complex selection criteria
• RSUSR040: Authorization objects by complex selection criteria
• RSUSR070: Roles by complex selection criteria
• RSUSR100: Change documents for users
• RSUSR101: Change documents for profiles
• RSUSR003: Check the passwords of users SAP* and DDIC in all clients
• RSUSR200: List of users by logon data and password change
Audit Information System (AIS)
• AIS improves the flow and quality of the check.
• The Audit Information System (AIS) is a checking tool for external auditing, internal auditing, system checks and data protection.
• Transaction: SECR
(Figure) Pre-defined in SAP Systems
Day 4
LOGON PARAMETERS
• login/min_password_lng: defines the minimum length of the logon password. The password must have at least 3 characters, but the administrator can force a longer length.
• login/fails_to_session_end: number of incorrect logon attempts allowed with a user master record before the logon procedure is terminated.
• login/fails_to_user_lock: number of incorrect logon attempts allowed with a user master record before the user master record is locked. An entry is written in the system log at the same time. The lock is removed at midnight.
• login/failed_user_auto_unlock: controls unlocking of users locked due to incorrect logons. If the parameter is set to 1 (default), user locks caused by incorrect logons during previous days are not taken into consideration. If the value is set to 0, the lock is not removed.
• login/password_expiration_time: the value '0' means that the user is not forced to change the password. A value '> 0' specifies the number of days after which the user must change the logon password.
• login/disable_multi_gui_login: if this parameter is set to the value '1', the system blocks multiple SAP dialog logons (in the same client and with the same user name). When the system detects a multiple logon, a warning message appears, permitting the user either to 'End the existing sessions' or 'End this logon'. This parameter applies to SAP GUI logons.
• login/multi_login_users: a list containing the users who may log onto the system more than once.
Special Users
• login/no_automatic_user_sapstar: if the value is greater than 0, SAP* no longer has any special properties.
• Please note: the DDIC user ID should never be reset, as it is used internally for upgrade activities.
• Essentially, there are two types of special users: those created by installing the SAP system and those created when you copy clients. During the installation of the SAP system, the clients 000 and 066 are created (client 001 is not always created during an SAP installation; it is also created, for example, during an SAP R/3 installation).
• The SAP system special user, SAP*: SAP* is the only user in the SAP system for which no user master record is required. Default password: PASS.
• The DDIC user: this user is responsible for maintaining the ABAP Dictionary and the software logistics.
• The EarlyWatch user: the EarlyWatch user is delivered in client 066 and is protected with the password SUPPORT. The EarlyWatch experts at SAP work with this user.
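The two slides above describe what each logon parameter value means; the following added example (not GainingHub's or SAP's code) turns those descriptions into a review of an exported parameter set. SAMPLE_PARAMETERS is a constructed export, and POLICY_MIN_PASSWORD_LENGTH is an assumed local policy, not an SAP value.

```python
# Added example (not GainingHub's or SAP's code): review an exported set of
# logon parameters against the meanings described on the slides above.

POLICY_MIN_PASSWORD_LENGTH = 8  # assumption: stricter than the kernel floor of 3

# Constructed sample, shaped like the name/value pairs RSPARAM or RZ11 report.
SAMPLE_PARAMETERS = {
    "login/min_password_lng": "3",
    "login/failed_user_auto_unlock": "1",
    "login/password_expiration_time": "0",
    "login/disable_multi_gui_login": "0",
    "login/no_automatic_user_sapstar": "0",
}

# Each rule: parameter name, predicate on the integer value, finding text.
# The predicates restate the parameter descriptions on the slides.
RULES = [
    ("login/min_password_lng",
     lambda v: v < POLICY_MIN_PASSWORD_LENGTH,
     "minimum password length is below the local policy"),
    ("login/password_expiration_time",
     lambda v: v == 0,
     "0: users are never forced to change their password"),
    ("login/failed_user_auto_unlock",
     lambda v: v == 1,
     "1: locks from incorrect logons on previous days are ignored"),
    ("login/disable_multi_gui_login",
     lambda v: v != 1,
     "not 1: the same user may hold several SAP GUI dialog logons"),
    ("login/no_automatic_user_sapstar",
     lambda v: v == 0,
     "0: SAP* keeps its special properties"),
]


def review_logon_parameters(params, rules=RULES):
    """Return [(parameter, finding)] for every weak or unset parameter.

    A parameter absent from the export is reported too, because the kernel
    default then applies and the reviewer should confirm it explicitly."""
    findings = []
    for name, is_weak, why in rules:
        raw = params.get(name, "")
        if raw == "":
            findings.append((name, "not set explicitly; kernel default applies"))
        elif is_weak(int(raw)):
            findings.append((name, why))
    return findings


if __name__ == "__main__":
    for name, why in review_logon_parameters(SAMPLE_PARAMETERS):
        print(f"{name}: {why}")
```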
S_TCODE
• Each time a transaction is started, the kernel automatically checks the transaction code (field TCD) as a value against the authorization object S_TCODE. This also applies to customer-developed transaction codes.
Table Maintenance Authorization
• Authorization object S_TABU_DIS defines which table contents may be maintained by which employees.
• The table-to-group assignments are defined in table TDDAT.
• The object consists of the following fields: DICBERCLS: authorization group for ABAP Dictionary objects (description, max. 4 characters); ACTVT: activity (02, 03).
• V_DDAT: assignment of tables/views to authorization groups (SM30)
• V_BRG: definition of authorization groups (SM30)
Table Maintenance Authorization (Cross-Client)
• Authorization object S_TABU_CLI grants authorization to maintain cross-client tables with the standard table maintenance transaction (SM31), the extended table maintenance transaction (SM30) and the Data Browser, and also in the Customizing system.
• The object has the following field: CLIIDMAINT. If the identifier 'X' or '*' is set, cross-client tables can be maintained.
Row-Oriented Authorizations for Tables
• A possible use for S_TABU_LIN is to display and change content for only a certain work area, such as a country or a plant. The object consists of the following fields:
• Activity: 02: add, change or delete table entries; 03: only display table contents.
• Organizational criterion: table key fields/row authorization, such as organizational criteria (defined in Customizing).
• Attributes for the organizational criterion: 1 to 8 attributes for the organizational criterion, each attribute for a certain table key field.
ABAP: Program Flow Checks
• Programs (reports) are combined into program authorization groups and can be protected against unauthorized access using these groups. The authorization group is stored in the properties of the program.
• Authorizations can be assigned by program group for the following activities: starting a program (SUBMIT), scheduling a program as a background job (BTCSUBMIT), variant maintenance (VARIANT).
Start the program RSCSAUTH.
• It creates a list of reports with the authorization group delivered by SAP and the authorization group maintained by the customer ('Customer' column).
• The 'Customer' column accepts input: customers can enter their own authorization groups here.
• When the customer chooses Save, the customer's own authorization groups for all SELECTED reports are transferred to the table TRDIR.
• This is equivalent to changing the authorization group in the program attributes, and the existing SAP authorization groups are overwritten.
• The authorization group for each report is also entered in the table SREPOATH, meaning that the customer's own authorization groups can be restored by restarting RSCSAUTH after an upgrade.
• Start the program RSABAUTH. The new authorization groups are written to the table TPGP.
Administration Authorization
• The object User Master Record Maintenance: User Groups (S_USER_GRP) defines the user groups for which an administrator has authorization and the activities that are allowed.
• The object S_USER_GRP can be used to grant administration rights for only a certain user group in decentralized administration.
• The object User Master Record Maintenance: System for Central User Maintenance (S_USER_SYS) defines which systems a user administrator can access from the central user administration and the activities that are allowed.
• The object S_USER_SYS can be used in decentralized administration to grant administration rights for only the users in a certain system from the central user administration.
Role Administration
• The object Authorization: Check for Roles (S_USER_AGR) defines the role names for which an administrator is authorized and the activities that are allowed.
• The object Authorization: Transactions in Roles (S_USER_TCD) defines the transactions that an administrator may include in a role.
• The object Authorization: Field Values for Roles (S_USER_VAL) defines which field values an administrator may enter in roles, for which authorization objects and which fields.
• The object S_USER_VAL can be used to grant an administrator authorization to assign only certain authorizations in roles and thus prevent critical authorizations from being included in roles.
Profile Authorization
• The object User Master Record Maintenance: Authorization Profile (S_USER_PRO) defines the profile names for which an administrator has authorization and the activities that are allowed.
• The object User Master Record Maintenance: Authorizations (S_USER_AUT) defines the authorization object name and the authorization name for which an administrator has authorization and the activities that are allowed.
• The object S_USER_AUT can be used to grant an administrator authorization to create only certain authorizations in roles and thus prevent critical authorizations from being created in roles.
Principle of Treble Control
• Sharing the administrative tasks amongst three administrators.
Transport of Authorization Components
Components that can be transported:
• User master data
• Roles
• Authorization profiles
• Check indicators
USER MASTER DATA
• It is only possible to transport all user master records when performing a client copy:
• SCCL (local client copy)
• SCC9 (remote client copy)
• SCC8 (client export)
• This transports all user master data in one go.
(Figure) CLIENT PROFILES
ROLES & USER ASSIGNMENT TRANSPORT
• Roles are transported together with their authorization profiles.
• User assignments to roles can also be transported when the corresponding option is selected.
• If we want to restrict either of the above options, table PRGN_CUST must contain the entries USER_REL_IMPORT = NO and/or PROFILE_TRANSPORT = NO.
• SE01 is the transaction used to control the transport.
Type of Transports
• There are two types of transports in SAP: Customizing transport and Workbench transport.
• Authorization: roles & user assignments are captured in a Customizing transport, as they are client-dependent data.
• SU25 changes & cross-client changes are captured in a Workbench TR, as they are client-independent data.
• Every transport is linked to a particular user, who is the owner of the transport; the ownership can be changed as well.
• Transport copies: we can have multiple transport copies of a main transport.
SE84 – To Transport Objects
• With the help of this transaction we can transport any authorization objects and transactions relevant to SAP Security.
Deleting Transport Logs
• We can delete transport logs with the help of transaction SE10: double-click the TR.
• We then get the list of objects that need to be deleted.
Central User Administration (CUA)
Data managed via CUA:
• User master record data, such as the address, logon data, user defaults and user parameters.
• The assignment of the user to roles or profiles for each child system. The advantage of administering assignments centrally is that you no longer need to log onto each system to make system-specific assignments of roles and profiles; it is all managed in one location in the central system. Role authorization data is not pulled into the central system.
• The initial password: when you create a new user, the initial password is distributed to the child systems as a default. The passwords are distributed in coded form.
• The lock status of a user. In addition to the locks caused by incorrect logons that already existed in previous releases, and those set manually by the local administrator, there is now also a new 'global lock'. This applies to all of the child systems in which the user is defined and can be cancelled in the central system or locally if required.
(Figure) ALE Distribution (SCUA)
SCUM – field distribution attributes
• If a field of the user maintenance transaction has the field attribute Global, data for this field can only be maintained in the central system. The data is automatically distributed to the child systems when it is saved. Such fields are in display mode in the user maintenance transaction of the child systems, that is, you cannot change these fields there.
• If you use the field attribute Default, a default value that is automatically distributed to the child systems when it is saved can be maintained when you create a user in the central system. After distribution, the data is only maintained locally in the child systems and cannot be returned.
• If you use the field attribute Redistribution, the data can be maintained in both the central system and the child systems. If a change is made in a child system, the data is returned to the central system and passed on from there to the other existing child systems.
• The field attribute Local means that the data for the corresponding field can only be administered locally in the child systems. When fields of this type are changed in the central system, the data is not distributed to the child systems.
• The field attribute Everywhere is used if you want to be able to change data both locally and globally. In the case of local maintenance, however, no redistribution takes place.
(Figure) Copying User Master Data
Consequences of Debug Access in Production
S_DEVELOP (ACTVT 03, OBJTYPE DEBUG)
• Debug display access gives access to the data processed by reports in the SAP system. This is very dangerous in an HR system, as a developer can easily view the data, so it impacts the integrity of the data.
• Affects performance: troubleshooting an application running in production may have a negative impact on its performance. Even the lightest solution can impact the overall performance.
• User experience risks: modifying the application while it is being actively used can create unpredictable situations for your users and disrupt the overall user experience.
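The slide above names the critical combination (S_DEVELOP with ACTVT 03 and OBJTYPE DEBUG); the following added example (not SAP's or GainingHub's code, written in the spirit of SUIM report RSUSR002) searches constructed user authorization data for that combination. It applies SAP's field value semantics ('*', prefix wildcards and low/high intervals), so it also catches a broad interval such as CLAS to FUGR that covers DEBUG without naming it. The user names and authorization values are constructed; a real check reads them from the user master via SUIM.

```python
# Added example (not SAP's or GainingHub's code): find users whose S_DEVELOP
# authorizations cover OBJTYPE DEBUG for a given activity, as RSUSR002 would.

# Constructed authorization data: user -> [(object, {field: [(low, high), ...]})].
SAMPLE_USERS = {
    "DEV_ANNA":  [("S_DEVELOP", {"ACTVT": [("03", "")],   "OBJTYPE": [("DEBUG", "")]})],
    "BASIS_BOB": [("S_DEVELOP", {"ACTVT": [("*", "")],    "OBJTYPE": [("*", "")]})],
    "HR_CLERK":  [("S_DEVELOP", {"ACTVT": [("03", "")],   "OBJTYPE": [("PROG", "")]})],
    # An interval that was meant for classes and function groups but spans DEBUG.
    "AUDITOR":   [("S_DEVELOP", {"ACTVT": [("03", "")],   "OBJTYPE": [("CLAS", "FUGR")]})],
    "SUPERUSER": [("S_DEVELOP", {"ACTVT": [("01", "03")], "OBJTYPE": [("DE*", "")]})],
}


def value_matches(low, high, wanted):
    """SAP field value semantics: '*' = everything, 'ABC*' = prefix, low-high = interval."""
    if low == "*":
        return True
    if high:                      # interval, compared as character strings
        return low <= wanted <= high
    if low.endswith("*"):         # generic value with trailing wildcard
        return wanted.startswith(low[:-1])
    return low == wanted


def authorization_grants(fields, required):
    """True if every required field has at least one entry covering the wanted value."""
    return all(any(value_matches(low, high, wanted) for low, high in fields.get(field, []))
               for field, wanted in required.items())


def users_with_debug_access(users, activity="03"):
    """Users holding S_DEVELOP for OBJTYPE DEBUG with the given ACTVT (03 = display)."""
    required = {"ACTVT": activity, "OBJTYPE": "DEBUG"}
    return sorted(user for user, auths in users.items()
                  if any(obj == "S_DEVELOP" and authorization_grants(fields, required)
                         for obj, fields in auths))


if __name__ == "__main__":
    print("debug display access:", users_with_debug_access(SAMPLE_USERS))
```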
Day 5
SU21 – CREATE / MAINTAIN AUTHORIZATION OBJECTS
• This transaction code is used to create authorization objects and fields in the SAP system.
• There is an option to regenerate the SAP_ALL profile from SU21; this option is used when a new authorization object is introduced in an upgrade.
SU24 – R/O of authorization object & transaction, as well as check indicator
• SU24 reads data from the tables USOBT_C & USOBX_C.
• Check indicators determine whether an authorization check runs within the transaction or not. The following check indicators are supported:
• N: No check. No check is performed against the corresponding authorization object in this transaction.
• U: Unmaintained. A check is performed against the corresponding authorization object in this transaction.
• C: Check. A check is performed against the corresponding authorization object in this transaction.
• CM: Check/Maintain. A check is performed against the corresponding authorization object in this transaction, and its default values are maintained in SU24.
Profile Generator
• Tables USOBX_C and USOBT_C control the behaviour of the Profile Generator after a transaction has been selected.
• SAP delivers the tables USOBX and USOBT. These tables are filled with default values and are used for the initial fill of the customer tables USOBX_C and USOBT_C.
• Table USOBX defines which authorization checks are to be performed within a transaction and which are not.
• Table USOBT defines, for each transaction and each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator.
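The first SU24 slide, the check indicator list and the Profile Generator slide above describe the same mechanism from three angles; the following added example (not SAP's or GainingHub's code) models it end to end: which objects SU24 says are checked at runtime, which of them PFCG pulls into a role (only CM), and which proposed fields arrive without a value. The USOBX_C/USOBT_C rows, transaction ZHR_REPORT and its object assignments are constructed for illustration.

```python
# Added example (not SAP's or GainingHub's code): a small model of how the
# Profile Generator combines USOBX_C and USOBT_C for one transaction.

# USOBX_C rows (constructed): (transaction, authorization object, check indicator)
# N = no check, U = unmaintained, C = check only, CM = check and maintain.
USOBX_C = [
    ("ZHR_REPORT", "S_TABU_DIS", "CM"),
    ("ZHR_REPORT", "S_TABU_CLI", "C"),
    ("ZHR_REPORT", "S_USER_GRP", "N"),
    ("ZHR_REPORT", "S_PROGRAM",  "U"),
]

# USOBT_C rows (constructed): (transaction, object, field, low value, high value)
USOBT_C = [
    ("ZHR_REPORT", "S_TABU_DIS", "ACTVT",      "03", ""),
    ("ZHR_REPORT", "S_TABU_DIS", "DICBERCLS",  "",   ""),  # proposed without a value
    ("ZHR_REPORT", "S_TABU_CLI", "CLIIDMAINT", "X",  ""),  # indicator C: never pulled
]


def runtime_checks(tcode, usobx=USOBX_C):
    """Objects SU24 says are checked when `tcode` runs (indicator C or CM).

    S_TCODE itself is checked by the kernel for every transaction and is not
    part of the SU24 data modelled here."""
    return sorted(obj for t, obj, ind in usobx if t == tcode and ind in ("C", "CM"))


def role_proposals(tcode, usobx=USOBX_C, usobt=USOBT_C):
    """Authorizations PFCG inserts when `tcode` is added to a role menu.

    Only CM objects are pulled; their field defaults come from USOBT_C.
    Returns {object: {field: (low, high)}}."""
    maintained = {obj for t, obj, ind in usobx if t == tcode and ind == "CM"}
    proposals = {obj: {} for obj in maintained}
    for t, obj, field, low, high in usobt:
        if t == tcode and obj in maintained:
            proposals[obj][field] = (low, high)
    return proposals


def open_fields(proposals):
    """Fields proposed without a value ('Yes, without values' in SU24 terms).

    These stay open in PFCG and must be maintained by hand before generation."""
    return sorted((obj, field) for obj, fields in proposals.items()
                  for field, (low, _high) in fields.items() if low == "")


if __name__ == "__main__":
    props = role_proposals("ZHR_REPORT")
    print("checked at runtime:", runtime_checks("ZHR_REPORT"))
    print("pulled into the role:", props)
    print("still to maintain:", open_fields(props))
```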
SU25
• SU25 is executed during the initial implementation of SAP and each time an upgrade takes place.
• SU25 is required to upgrade the system as per the business requirements.
• Tables and transactions affected by SU25: USOBT_C, USOBX_C, SU24, SU22.
We can compare the tables from two perspectives:
1. SAP standard values
2. Customer-specific values (provided by the SME, depending on project requirements)
We can run the comparison in test mode to check the changes pulled out after the comparison of SU24 and SU22.
2C. Roles to be checked
• Here, SU25 checks all the active roles in the system and compares their menus for the changed transactions. This step maps the menus of the roles whose transactions have been changed or renamed.