ADM940 ABAP AS Authorization Concept

SAP NetWeaver

Course Outline
Course Version: 99
Course Duration: 3 Day(s)
Publication Date: 2014
Publication Time:

Upload: lnarayan

Post on 21-Nov-2015


  • Copyright

    Copyright SAP AG. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. Additionally this publication and its contents are provided solely for your use, this publication and its contents may not be rented, transferred or sold without the express permission of SAP AG. The information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

    Trademarks

    Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation.

    IBM, DB2, OS/2, DB2/6000, Parallel Sysplex, MVS/ESA, RS/6000, AIX, S/390, AS/400, OS/390, and OS/400 are registered trademarks of IBM Corporation.

    ORACLE is a registered trademark of ORACLE Corporation.

    INFORMIX-OnLine for SAP and INFORMIX Dynamic Server™ are registered trademarks of Informix Software Incorporated.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

    HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

    JAVA is a registered trademark of Sun Microsystems, Inc.

    JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

    SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

    Disclaimer

    THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR APPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.


  • ADM940 Contents

    Contents

    Course Overview
        Course Goals
        Course Objectives

    Unit 1: Authorizations in General
        What Are Authorizations?
        Creating and Implementing an Authorization Concept

    Unit 2: Basic Terminology of Authorizations
        Elements and Terminology of the Authorization Concept (ABAP)
        Authorization Checks in the SAP System

    Unit 3: User Settings
        Maintaining and Evaluating User Data

    Unit 4: Working with the Role Maintenance
        Role Maintenance and Standard Roles
        Special ABAP Roles
        Subtleties of Authorization Maintenance

    Unit 5: Basic Settings
        Role Maintenance: Installation and Upgrade
        Access Control and User Administration

    Unit 6: Using Traces
        Troubleshooting and Administration Aids
        Using Trace Evaluation to maintain Menus and Authorizations

    Unit 7: Transporting Authorizations
        Transporting Authorization Components

    Unit 8: Integration into the Company Landscape
        Central User Administration (CUA)
        Integration into Organizational Management
        SAP NetWeaver Identity Management

    2014 SAP AG. All rights reserved.

  • ADM940 Course Overview

    Course Overview

    This course provides information about the fundamentals of the SAP authorization concept, using SAP systems based on AS ABAP. Basic knowledge about the SAP environment is vital for this training course.

    Target Audience

    This course is intended for the following audiences:

    Project team members

    Authorization and user administrators from system administration

    Authorization and user administrators from the user departments

    Course Prerequisites

    Required Knowledge

    SAPTEC (SAP NetWeaver: Fundamentals of the Application Platform)

    Recommended Knowledge

    SAP01 (SAP Overview)

    Attendance of basic and advanced training courses in at least one application area

    Course Goals

    This course will prepare the participant to:

    Outline the elements, strategies, and tools of the SAP authorization concept

    Generate and assign authorization profiles with the Role Maintenance

    Work with the Central User Administration (CUA) tool

    Course Objectives

    After completing this course, the participant will be able to:

    List the elements and objects of the authorization concept

    Explain the use and purpose of the Role Maintenance

    Analyze authorizations

    Describe special objects for administrators


  • ADM940 Course Outline

    Unit 1: Authorizations in General

    Unit Overview

    This unit is the entry point into the topic of authorizations.

    Starting with the basic concepts of the authorizations topic, it addresses SAP's role-based authorization concept, and discusses a method that describes how to create and structure authorizations, and how to implement them in a customer landscape.

    Lesson: What Are Authorizations?

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Describe the SAP authorization concept as part of a comprehensive security concept

    Explain the access control mechanisms

    Explain how users, roles, and authorizations are related

    Describe the technical implementation of a role-based authorization concept

    Lesson: Creating and Implementing an Authorization Concept

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Explain the structure of an authorization concept

    List the steps required to implement a concept

    Describe the activities for the individual implementation steps

    Use the presented procedure model for implementing an authorization concept for your own projects

    Explain the strategy for user and authorization administration


    Unit 2: Basic Terminology of Authorizations

    Unit Overview

    This unit uses two lessons to provide an introduction to the basic terms of authorization and the main authorization check in the SAP system. The relationships between the authorization terms are explained step-by-step and form a good basis for all subsequent units.

    Lesson: Elements and Terminology of the Authorization Concept (ABAP)

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Describe and differentiate between the individual elements of the authorization concept

    Describe the relationships between the elements in the overall concept

    Explain the differences between roles and authorization profiles

    Find out the meaning of an authorization object

    Explain the relationship between roles and the Easy Access Menu

    Lesson: Authorization Checks in the SAP System

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Explain when authorization checks are performed

    Describe the difference between the authorization check when a transaction is started and the authorization check performed by a program

    Define the function of the user buffer and evaluate the buffered user authorizations

    Control some additional checks without "modifying" the system


    Unit 3: User Settings

    Unit Overview

    What is the user master record? This question is answered in this unit.

    SAP systems differentiate between system access control and role-based access control. Both are assigned and controlled using the user master record of a user.

    Lesson: Maintaining and Evaluating User Data

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Create and change user master records

    Set the values on the tab pages of the user master record

    Define the differences between the user types

    Operate and implement mass maintenance

    Display and archive change documents for authorization assignment


    Unit 4: Working with the Role Maintenance

    Unit Overview

    Role maintenance is the central place in an SAP system where you set authorizations for users, and combine them into reusable blocks (roles). This unit describes all options and buttons in role maintenance. In practice, due to historical reasons this is also referred to as the Profile Generator or "PFCG", which is the transaction code.

    This unit is divided into three lessons to allow a step-by-step approach.

    Lesson: Role Maintenance and Standard Roles

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Describe and explain the basic steps for assigning authorizations with the Role Maintenance

    Create new roles, change and copy roles, and specify their activities

    Display and maintain authorizations that were generated automatically

    Compare user master records directly in role maintenance "PFCG" or in user maintenance "SU01"

    Describe how to perform a mass comparison and state which report you can schedule for an automatic comparison

    Lesson: Special ABAP Roles

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Describe the use of Customizing roles

    Explain the advantages and disadvantages of composite roles

    Define the relationship between reference roles and derived roles

    Bundle frequently used transactions and map them with different instances using derived roles

    Describe how to perform a mass comparison and state which report you can schedule for an automatic comparison


    Lesson: Subtleties of Authorization Maintenance

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Interpret the red, yellow, and green traffic lights for different field contents

    Describe the meaning of the icons in the PFCG authorization maintenance

    Define the hierarchy of status terms, and explain when which term is used

    Distinguish between the expert mode and simple maintenance for authorizations

    List additional functions that are accessible through the menu


    Unit 5: Basic Settings

    Unit Overview

    This unit describes basic settings for the topic of authorizations. Some of these settings should be made before "PFCG" is used (lesson 1: Installation and Upgrade), while others are made during operation (lesson 2: Concept of User Administration). A number of parameters, switches, and objects are used for this purpose. These are described here.

    Lesson: Role Maintenance: Installation and Upgrade

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Perform the steps necessary to install the Role Maintenance

    Find default values and check indicators in the system

    Modify, delete, or extend the default values of the Role Maintenance

    Perform the necessary steps after an upgrade for postprocessing old and new authorization values

    Describe new functionality in transaction SU25

    Lesson: Access Control and User Administration

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Define password rules and system profile parameters

    Protect special users in the SAP system

    Protect SAP functions with authorization object S_TCODE

    Protect tables and views using authorization groups

    Protect programs with authorization groups

    Describe tasks in user and authorization administration

    List options for separating functions of user and authorization administration

    Describe options for decentralization of user administration

    Create user and authorization administrators with limited rights (using authorization objects)


    Unit 6: Using Traces

    Unit Overview

    The first lesson discusses the Information System and AIS, which provide the administrator with different search options for listing the system settings and requirements for the area of authorization. This also includes the analysis of failed authorization checks, and the system trace. The second lesson shows how to use the system trace to maintain the menu and authorization data for roles, and to maintain authorization default values.

    Lesson: Troubleshooting and Administration Aids

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Analyze authorization checks in various ways

    Use transaction "SU53" to find missing authorizations (also for other users)

    Run the system trace ("ST01" or "STAUTHTRACE")

    Apply the features of the information system and use them for different tasks

    Understand and apply the new functions of the Audit Information System (AIS)

    Lesson: Using Trace Evaluation to maintain Menus and Authorizations

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Use the system trace to maintain the menu and authorization data for roles

    Use the system trace to maintain authorization default values


    Unit 7: Transporting Authorizations

    Unit Overview

    This unit describes the transport of authorization data, starting with user master records, through roles, up to check indicators and customer default values for the Role Maintenance.

    Lesson: Transporting Authorization Components

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Copy user master records to other clients

    Transport roles and describe the behavior in the system: with and without profile information, with and without user assignments, in a CUA landscape or without CUA

    Transport check indicators using Transaction "SU25"

    Describe the transport behavior of composite, reference, and derived roles

    List other transport options


    Unit 8: Integration into the Company Landscape

    Unit Overview

    Some of the daily work for an administrator is the assignment of authorizations to end users. These are often connected to certain rules and processes that always follow the same schema. Two additional methods for user maintenance and authorization assignment are introduced here to help you optimize this regular process and the time spent. These are Central User Administration and the Integration into Organizational Management.

    As an overview, SAP NetWeaver Identity Management is introduced here to give you an impression of how the Central User Administration can be enhanced.

    Lesson: Central User Administration (CUA)

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Explain how the central user administration functions

    Specify the most important steps for setting up the central user administration

    Define distribution rules for user data

    Create, maintain and distribute users centrally

    Perform system comparisons for users that are not yet maintained centrally

    Lesson: Integration into Organizational Management

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Create organizational units in HR Organizational Management

    Link roles with the organizational plan objects

    Link users with the organizational plan objects

    Perform a comparison of the indirect role and user assignments

    Compare user master record

    Assign roles for a specific period of time


    Lesson: SAP NetWeaver Identity Management

    Lesson Objectives

    After completing this lesson, the participant will be able to:

    Understand what SAP NetWeaver Identity Management is

    Estimate the effort of switching from CUA to SAP NetWeaver Identity Management
