How to Properly Maintain Security using Profile Generator

Objective
Agenda: SAP Security Overview, Profile Generator, Best Practice, Summary.
The objective today is to provide a brief overview of SAP Security and to discuss the best practices for the Profile Generator (transaction PFCG).

SAP Security Overview: User ID and Security Role
Example: User ID TTSAN is assigned Security Role 1.
In SAP, a User ID is assigned one or more Security Roles based on the person's Job Role. SAP's documentation calls it a Role, but I prefer the term Security Role to differentiate it from Job Role. On a pre-Profile Generator SAP system, an ID is assigned one or more profiles directly. Is there anyone here who is still on 3.0? I feel your pain in creating a profile. However, I find that those who have experience with the manual method tend to have a better understanding of how SAP Security works.

SAP Security Overview: Security Role, e.g. Security Administrator
Security Role -> Profile 1, Profile 2, Profile 3
With the advent of the Profile Generator, a Security Role may have one or more Profiles, and each profile may contain up to 150 authorizations.

SAP Security Overview: Profile (contains up to 150 Authorizations)
Profile -> Authorization 1, Authorization 2, ... Authorization 150
If you create a role that has 450 authorizations, the Profile Generator will create 3 profiles.

SAP Security Overview: Authorization Object 1, e.g. S_TCODE
Field TCD, value SU01
You might wonder what the difference is between an Authorization Object and an Authorization. An Authorization Object (AO) has one or more fields and is the foundation of every SAP security check in program code (the AUTHORITY-CHECK statement). When you add a value or a combination of values to its fields, it becomes an Authorization. One AO can be used to create one or more Authorizations. S_TCODE, for example, has only one field, TCD, so the Profile Generator creates only one Standard authorization for it per Security Role.

SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP
Field ACTVT (activity), values 01, 02, 03, 06; field CLASS (user group), customer-defined value
S_USR_GRP, however, has two fields. Therefore you may create multiple authorizations using different combinations of values to satisfy your business requirement.

SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP
Authorization 1: field ACTVT = 01, 02, 06; field CLASS = HOUSTON
Let's say that you are creating a security helpdesk role that can create, change and delete only users in the Houston user group, and display all users. The first authorization would contain object S_USR_GRP with Activity 01 (create), 02 (change) and 06 (delete) and User Group HOUSTON.

SAP Security Overview: Authorization Object 2, e.g. S_USR_GRP
Authorization 2: field ACTVT = 03; field CLASS = *
The second authorization, using the same object, would have 03 (display) for Activity and * for Class. As a result you now have two authorizations for S_USR_GRP in the role.

SAP Security Overview: Execute SU01 (Change User), AUTHORITY-CHECK against Authorization 1
Object 1 = S_TCODE, TCD = SU01
Now that we understand how an ID is linked to a Role and the Role to its Profiles and Authorizations, let's discuss the mechanics of SAP's AUTHORITY-CHECK. When a user logs on to SAP, his authorizations are loaded into the user buffer. When he executes SU01 to maintain a user, the check is performed against the authorizations in the buffer: first, does the buffer contain an authorization for object S_TCODE? If yes, the next check is whether its field TCD contains the value SU01.

SAP Security Overview: Execute SU01 (Change User), AUTHORITY-CHECK against Authorization 2
Object 2 = S_USR_GRP, ACTVT = 02, CLASS = HOUSTON
Then the program checks the next authorization, for object S_USR_GRP: does a single authorization carry ACTVT 02 together with the CLASS of the user being maintained? Once the program has verified all the necessary authorizations, it allows you to perform the task. Any questions before we discuss the Profile Generator best practices?
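The two-step check just described, as an added model in Python. This is not SAP code and not from the presentation: it treats an authorization as one object plus a value list per field, the user buffer as a list of authorizations, and AUTHORITY-CHECK as "one active authorization satisfies every checked field at once". The value conventions (a literal, '*' for anything, a (low, high) tuple for a range) are this model's own. It also shows why the two S_USR_GRP authorizations from the slides must stay separate: squeezing both value sets into one authorization grants create/change/delete on every user group.

```python
"""Model of the AUTHORITY-CHECK mechanic from the slides (added example, not SAP code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    obj: str              # authorization object, e.g. S_USR_GRP
    fields: dict          # field name -> tuple of allowed values
    active: bool = True   # an inactivated authorization is invisible to the check


def value_matches(allowed, value):
    """True if value equals an entry, hits '*', or falls inside a (low, high) range."""
    for a in allowed:
        if a == "*" or a == value:
            return True
        if isinstance(a, tuple) and a[0] <= value <= a[1]:
            return True
    return False


def authority_check(buffer, obj, **check):
    """True if ONE active authorization for obj satisfies all ID/FIELD pairs.

    Values never combine across authorizations, only within one; that is the
    whole reason the Houston role needs two S_USR_GRP lines.
    """
    for auth in buffer:
        if auth.obj != obj or not auth.active:
            continue
        if all(value_matches(auth.fields.get(fld, ()), val) for fld, val in check.items()):
            return True
    return False


# Constructed user buffer for the Houston security-helpdesk role from the slides:
#   authorization 1: create/change/delete (01/02/06) only for user group HOUSTON
#   authorization 2: display (03) for every user group
HOUSTON_HELPDESK = [
    Authorization("S_TCODE", {"TCD": ("SU01",)}),
    Authorization("S_USR_GRP", {"ACTVT": ("01", "02", "06"), "CLASS": ("HOUSTON",)}),
    Authorization("S_USR_GRP", {"ACTVT": ("03",), "CLASS": ("*",)}),
]

# The shortcut that looks equivalent but is not: both value sets in ONE
# authorization. Inside one authorization every ACTVT combines with every
# CLASS, so this grants create/change/delete on every user group.
ONE_LINE_SHORTCUT = [
    Authorization("S_TCODE", {"TCD": ("SU01",)}),
    Authorization("S_USR_GRP", {"ACTVT": ("01", "02", "03", "06"), "CLASS": ("HOUSTON", "*")}),
]


def can_change_user(buffer, user_group):
    """SU01 change as the slides walk through it: S_TCODE first, then S_USR_GRP ACTVT 02."""
    return (authority_check(buffer, "S_TCODE", TCD="SU01")
            and authority_check(buffer, "S_USR_GRP", ACTVT="02", CLASS=user_group))


def can_display_user(buffer, user_group):
    """SU01 display: S_TCODE, then S_USR_GRP ACTVT 03."""
    return (authority_check(buffer, "S_TCODE", TCD="SU01")
            and authority_check(buffer, "S_USR_GRP", ACTVT="03", CLASS=user_group))


if __name__ == "__main__":
    for grp in ("HOUSTON", "DALLAS"):
        print(grp, "change:", can_change_user(HOUSTON_HELPDESK, grp),
              "display:", can_display_user(HOUSTON_HELPDESK, grp),
              "change via shortcut:", can_change_user(ONE_LINE_SHORTCUT, grp))
```

Run it and the DALLAS row is the one to look at: the two-line role refuses the change and allows the display, while the one-line shortcut allows the change too.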

Profile Generator Transaction: Change authorization data
After you assign transaction codes to a role from the Menu tab, the first option available is "Change Authorization Data", the little pencil. If this is a new role, or you have added transactions to an existing role, this option makes the Profile Generator retrieve all necessary authorization objects and values from USOBT: the table that records, for each transaction, which authorization objects and values it is supposed to need. If the role is not new and you have not added any transaction, this option does not reread USOBT and compare it with your existing authorizations; in that case it is the same as "Edit old status".

Profile Generator: Expert mode for profile generation
The next option is "Expert mode for profile generation", which offers three choices. I always use this option.

Profile Generator: Delete and recreate profile and authorizations
The first choice means that all maintained authorizations are deleted and the Profile Generator rescans USOBT to create new authorizations from scratch.

Profile Generator: Edit old status
This choice lets you maintain the authorizations without rescanning the USOBT table. It is the same as "Change Authorization Data" on a role whose menu has not changed.

Profile Generator: Read old status and merge with new data
The last choice is "Read old status and merge with new data". I recommend that we ALWAYS use this choice unless you need to "Delete and recreate". In the next couple of slides I will explain why I always use it.

Profile Generator: Missing Organizational Value, e.g. $BUKRS
As you can see, there are several traffic lights. A red light means that your role is missing an organizational level value. Any field whose value begins with $ is an organizational level (for example $BUKRS, company code).

Profile Generator: Organizational Level
Do not change an organizational field directly in the authorization unless you must. Always use the Org. Levels button to maintain the value, so it is filled consistently in every authorization of the role that uses it.

Profile Generator: Missing Customer-Defined Value
A yellow light means that there is an open field whose value you define based on your business restriction.

Profile Generator: No Open Field
A green light means every field in the authorization has a value; nothing is left to maintain.

Profile Generator: Authorization Status
STANDARD - SAP standard value, as proposed from USOBT
MAINTAINED - Standard authorization in which the customer has filled the open fields
CHANGED - SAP standard value altered by the customer
MANUALLY - Authorization inserted manually

Profile Generator: Removing Authorization Values
S_USR_GRP: 01, 02, 03, 05, 06, 08, 24
The default authorization of this role carries Activity 01 through 24. Because I only want this role to have 02, 03, 05 and 08, I remove the other values from the SAP Standard authorization. The status then becomes "Changed".

Profile Generator: Removing Authorization Values, Status = Changed
If you use the "Edit old status" option, you would not see a new Standard authorization appear.

Profile Generator: Common Security Issue, New Authorization
However, if you add a new transaction code or happen to use "Read old status and merge", the Standard authorization comes back. A few Admins I know would inactivate the new one and delete it. The next time they perform "Read old status and merge", it comes back again; this becomes a vicious cycle.

Profile Generator Best Practice: Make a Copy, Inactivate the Original
The best way is to make a copy of the Standard authorization, inactivate the original, and make your changes to the copy.

Profile Generator Best Practice: Make changes to the copy
If the role holds both the inactive Standard authorization and the Changed copy, "Read old status and merge" will not insert a new authorization.

Profile Generator Best Practice: Changed Authorization without Inactive Standard
If you review your authorizations and see a Changed authorization without an inactive Standard authorization next to it, you may delete the Changed one.

Profile Generator Best Practice: Double-click to add a comment
If you add an authorization manually, always document why: double-click the authorization's description and record the reason.

Profile Generator: Does making changes to a copied authorization apply to every situation?
M_MATE_MAT (01, 02)
The answer is NO. Let's say you do not want to give 01 (create) for M_MATE_MAT, the material master object. The rule: if you need to remove a value from an existing Standard authorization, you must first make sure that no transaction in the role menu is linked to the value you are trying to remove. Here M_MATE_MAT carries Activity 01 and 02; if you do not want the role to create materials, do you simply remove 01 from the authorization? No, because a transaction in the menu, MM01, is linked to 01. Remove MM01 from the menu instead, and the value 01 goes away with it.

Profile Generator: Where-Used Icon
To find out whether a value is tied to a transaction, click the Where-used icon; it shows the transaction codes in the menu that require that value.

Profile Generator: Where-used, MM01 = 01
This shows that 01 is associated with MM01. When you remove transaction MM01 from the menu, the value 01 is removed. If you do not have that option, for example because every value of S_USR_GRP is proposed by SU01, you make a copy instead. What if you need to add an additional value to S_USR_GRP? First determine whether it is a required SAP value or a customer value. I liken an SAP value to a static value, because no matter who executes SU01 to create a user, the check always requires value 01. A customer value I call a dynamic value, because it varies from user to user: an Admin for the Houston users needs the Houston user-group value, and so on.

Profile Generator: Adding Authorization Values
What if you want to add value 03? Again, determine whether there is a transaction that supplies the required value. Since MM01 and MM02 are there, most likely MM03 is too. By adding MM03 to the menu you add the value 03.
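The merge behaviour from the last several slides (the Standard authorization that keeps coming back, the inactive-Standard-plus-Changed-copy fix, and the Where-used check that ties M_MATE_MAT value 01 to MM01) as an added model in Python. This is not PFCG code and not from the presentation. The SU24 defaults are a constructed dictionary, and the merge rule is the one the slides state: for each default of a menu transaction, insert a Standard authorization unless the role already carries that default as Standard or Maintained, active or inactive; Changed and Manually lines never count. The model also drops Standard lines whose transaction left the menu, which is what "remove MM01 and 01 goes away" relies on. Real PFCG folds same-object proposals into one authorization; this model keeps one line per proposal for simplicity.

```python
"""Model of "Read old status and merge" and Where-used as the slides describe them.
Added example, not PFCG code; SU24 defaults below are constructed."""
from dataclasses import dataclass, replace

# Constructed SU24-style defaults: tcode -> [(object, {field: SAP values, or None if
# the field is a customer field left open, i.e. the yellow light in PFCG})]
SU24_DEFAULTS = {
    "SU01": [("S_USR_GRP", {"ACTVT": ("01", "02", "03", "05", "06", "08", "24"), "CLASS": None})],
    "MM01": [("M_MATE_MAT", {"ACTVT": ("01",)})],
    "MM02": [("M_MATE_MAT", {"ACTVT": ("02",)})],
}


@dataclass
class Auth:
    obj: str
    values: dict        # field -> tuple of values, or None while still open
    status: str         # STANDARD, MAINTAINED, CHANGED or MANUALLY
    active: bool = True


def where_used(menu, obj, value):
    """Menu tcodes whose SU24 default pins this object value (the Where-used icon)."""
    return [t for t in menu for o, d in SU24_DEFAULTS.get(t, [])
            if o == obj and any(value in (v or ()) for v in d.values())]


def carries_default(auth, obj, default):
    """The SAP-proposed line: Standard (or Maintained) with the SAP values untouched."""
    return (auth.obj == obj and auth.status in ("STANDARD", "MAINTAINED")
            and all(auth.values.get(f) == v for f, v in default.items() if v is not None))


def read_old_and_merge(role, menu):
    """Return (merged authorizations, objects newly inserted as Standard)."""
    proposed = [(o, d) for t in menu for o, d in SU24_DEFAULTS.get(t, [])]
    # Standard lines no longer proposed by any menu tcode disappear; everything else stays.
    merged = [a for a in role if a.status not in ("STANDARD", "MAINTAINED")
              or any(carries_default(a, o, d) for o, d in proposed)]
    inserted = []
    for obj, default in proposed:
        if not any(carries_default(a, obj, default) for a in merged):
            merged.append(Auth(obj, dict(default), "STANDARD"))
            inserted.append(obj)
    return merged, inserted


def restrict_in_place(role, obj, keep):
    """What the vicious-cycle admins do: edit the Standard line itself; status -> CHANGED."""
    return [Auth(obj, {**a.values, "ACTVT": keep}, "CHANGED")
            if a.obj == obj and a.status == "STANDARD" else a for a in role]


def restrict_by_copy(role, obj, keep):
    """Best practice from the slides: inactivate the Standard, change a copy of it."""
    out = []
    for a in role:
        if a.obj == obj and a.status == "STANDARD" and a.active:
            out.append(replace(a, active=False))
            out.append(Auth(obj, {**a.values, "ACTVT": keep}, "CHANGED"))
        else:
            out.append(a)
    return out


def granted_activities(role, obj):
    """ACTVT values an ACTIVE authorization for obj actually grants."""
    return {v for a in role if a.obj == obj and a.active for v in (a.values.get("ACTVT") or ())}


def dangling_changed(role):
    """Changed lines with no inactive Standard for the same object: the slides say delete these."""
    return [a for a in role if a.status == "CHANGED" and not any(
        b.obj == a.obj and b.status == "STANDARD" and not b.active for b in role)]


# Walk-through with the S_USR_GRP example from the slides.
MENU = ["SU01", "MM01", "MM02"]
FRESH, _ = read_old_and_merge([], MENU)               # first generation pulls the SU24 defaults
KEEP = ("02", "03", "05", "08")

BAD = restrict_in_place(FRESH, "S_USR_GRP", KEEP)
BAD_AFTER, CAME_BACK = read_old_and_merge(BAD, MENU)   # the 01-24 Standard is inserted again

GOOD = restrict_by_copy(FRESH, "S_USR_GRP", KEEP)
GOOD_AFTER, NOTHING = read_old_and_merge(GOOD, MENU)   # inactive Standard satisfies the merge

# Taking 01 away from M_MATE_MAT is a menu decision: Where-used shows MM01 pins it.
NO_CREATE_MENU = [t for t in MENU if t not in where_used(MENU, "M_MATE_MAT", "01")]
```

The two merges are the point of comparison: after restrict_in_place the next merge reports S_USR_GRP inserted again and the role grants 01 once more, while after restrict_by_copy the merge inserts nothing and the role still grants only 02, 03, 05 and 08.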

Profile Generator: SU53 Errors
What if SU53 indicates that MM01 requires an Activity of 24? Here is where you must determine whether to add it to USOBT or directly to the authorization.

Profile Generator: Static Value vs. Dynamic Value
Static Value - a value that is required by a transaction no matter who executes it.
Dynamic Value - a customer-defined value such as company code.
To decide what to do, you must determine whether the required value is a Static Value or a Dynamic Value.

Profile Generator: Static Value. Does MM01 always require an Activity of 01?
Yes: MM01 will always require object M_MATE_MAT with value 01. Therefore it is a static value.

Profile Generator: Dynamic Value
A Company Code value may vary from user to user depending on business restrictions. Because you have the option to restrict which user can update which company code, it is a dynamic value.

Profile Generator: Static Value vs. Dynamic Value
Static Value - add it to USOBT using transaction SU24, so every role that carries the transaction receives it.
Dynamic Value - add it directly to the Authorization or to the Org. Level data.

Profile Generator: Reorganize & Generate
Authorization counter = 1: the counter is increased by 1.
Reorganize.
Authorization counter = 0: after the Reorganize the counter is reset to 0.

USOBT / SU24 Overview
To maintain USOBT, use transaction SU24. USOBT is the table that records the authorization checks proposed for each transaction. Strictly speaking, SU24 writes the customer tables USOBT_C and USOBX_C, which are what the Profile Generator reads; USOBT and USOBX hold SAP's delivered defaults. In these slides "USOBT" stands for the customer copy the Profile Generator actually uses.

Summary of Rules and Restrictions
NEVER modify S_TCODE unless the Role is built manually.
Modifying Standard delivered authorizations: only modify when there is a request to REMOVE authorization, and IF AND ONLY IF no transaction in the menu is linked to that value. If a transaction is linked, remove the transaction instead, and the value goes with it.

Summary of Rules and Restrictions (cont'd)
Modifying Standard delivered authorizations, continued: always make a copy of the authorization and make your changes to the copy. Inactivate the original authorization. Modify the copied authorization; its status becomes Changed. Double-click on the description of the authorization to document the reason. The same applies to manually inserted authorizations.

Summary of Rules and Restrictions (cont'd)
If a Changed authorization exists without an inactivated Standard authorization, delete the Changed authorization.
Bogus SU53 failures most of the time (objects SU53 reports as missing that the transaction does not really need): S_ADMI_FCD (value SM02), S_CTS_ADMI, S_ALV_LAYO (ACTVT 23).

Questions?

Contact Information
Thomas Tsan, SAP Security Architect, TK Consultants, Inc.
Email: ttsan@tkconsultants.com
Phone: (281) 412-6800

Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code: [801]