ADM940
ABAP AS Authorization Concept
SAP NetWeaver
Course Outline
Course Version: 99
Course Duration: 3 Day(s)
Publication Date: 2014
Publication Time:
Copyright
Copyright SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. Additionally this publication and its contents are provided solely for your use, this publication and its contents may not be rented, transferred or sold without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Trademarks
Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation.
IBM, DB2, OS/2, DB2/6000, Parallel Sysplex, MVS/ESA, RS/6000, AIX, S/390, AS/400, OS/390, and OS/400 are registered trademarks of IBM Corporation.
ORACLE is a registered trademark of ORACLE Corporation.
INFORMIX-OnLine for SAP and INFORMIX Dynamic Server™ are registered trademarks of Informix Software Incorporated.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.
Disclaimer
THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR APPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.
ADM940 Contents
Contents
Course Overview
    Course Goals
    Course Objectives
Unit 1: Authorizations in General
    What Are Authorizations?
    Creating and Implementing an Authorization Concept
Unit 2: Basic Terminology of Authorizations
    Elements and Terminology of the Authorization Concept (ABAP)
    Authorization Checks in the SAP System
Unit 3: User Settings
    Maintaining and Evaluating User Data
Unit 4: Working with the Role Maintenance
    Role Maintenance and Standard Roles
    Special ABAP Roles
    Subtleties of Authorization Maintenance
Unit 5: Basic Settings
    Role Maintenance: Installation and Upgrade
    Access Control and User Administration
Unit 6: Using Traces
    Troubleshooting and Administration Aids
    Using Trace Evaluation to maintain Menus and Authorizations
Unit 7: Transporting Authorizations
    Transporting Authorization Components
Unit 8: Integration into the Company Landscape
    Central User Administration (CUA)
    Integration into Organizational Management
    SAP NetWeaver Identity Management
2014 SAP AG. All rights reserved. iii
ADM940 Course Overview
Course Overview
This course provides information about the fundamentals of the SAP authorization concept, using SAP systems based on AS ABAP. Basic knowledge about the SAP environment is vital for this training course.
Target Audience
This course is intended for the following audiences:
Project team members
Authorization and user administrators from system administration
Authorization and user administrators from the user departments
Course Prerequisites
Required Knowledge
SAPTEC (SAP NetWeaver: Fundamentals of the Application Platform)
Recommended Knowledge
SAP01 (SAP Overview)
Attendance of basic and advanced training courses in at least one application area
Course Goals
This course will prepare the participant to:
Outline the elements, strategies, and tools of the SAP authorization concept
Generate and assign authorization profiles with the Role Maintenance
Work with the Central User Administration (CUA) tool
Course Objectives
After completing this course, the participant will be able to:
List the elements and objects of the authorization concept
Explain the use and purpose of the Role Maintenance
Analyze authorizations
Describe special objects for administrators
ADM940 Course Outline
Unit 1: Authorizations in General
Unit Overview
This unit is the entry point into the topic of authorizations.
Starting with the basic concepts of the authorizations topic, it addresses SAP's role-based authorization concept, and discusses a method that describes how to create and structure authorizations, and how to implement them in a customer landscape.
Lesson: What Are Authorizations?
Lesson Objectives
After completing this lesson, the participant will be able to:
Describe the SAP authorization concept as part of a comprehensive security concept
Explain the access control mechanisms
Explain how users, roles, and authorizations are related
Describe the technical implementation of a role-based authorization concept
Lesson: Creating and Implementing an Authorization Concept
Lesson Objectives
After completing this lesson, the participant will be able to:
Explain the structure of an authorization concept
List the steps required to implement a concept
Describe the activities for the individual implementation steps
Use the presented procedure model for implementing an authorization concept for your own projects
Explain the strategy for user and authorization administration
Unit 2: Basic Terminology of Authorizations
Unit Overview
This unit uses two lessons to provide an introduction to the basic terms of authorization and the main authorization check in the SAP system. The relationships between the authorization terms are explained step-by-step and form a good basis for all subsequent units.
Lesson: Elements and Terminology of the Authorization Concept (ABAP)
Lesson Objectives
After completing this lesson, the participant will be able to:
Describe and differentiate between the individual elements of the authorization concept
Describe the relationships between the elements in the overall concept
Explain the differences between roles and authorization profiles
Find out the meaning of an authorization object
Explain the relationship between roles and the Easy Access Menu
Lesson: Authorization Checks in the SAP System
Lesson Objectives
After completing this lesson, the participant will be able to:
Explain when authorization checks are performed
Describe the difference between the authorization check when a transaction is started and the authorization check performed by a program
Define the function of the user buffer and evaluate the buffered user authorizations
Control some additional checks without "modifying" the system
Unit 3: User Settings
Unit Overview
What is the user master record? This question is answered in this unit.
SAP systems differentiate between system access control and role-based access control. Both are assigned and controlled using the user master record of a user.
Lesson: Maintaining and Evaluating User Data
Lesson Objectives
After completing this lesson, the participant will be able to:
Create and change user master records
Set the values on the tab pages of the user master record
Define the differences between the user types
Operate and implement mass maintenance
Display and archive change documents for authorization assignment
Unit 4: Working with the Role Maintenance
Unit Overview
Role maintenance is the central place in an SAP system where you set authorizations for users, and combine them into reusable blocks (roles). This unit describes all options and buttons in role maintenance. In practice, for historical reasons, this is also referred to as the Profile Generator or "PFCG", which is the transaction code.
This unit is divided into three lessons to allow a step-by-step approach.
Lesson: Role Maintenance and Standard Roles
Lesson Objectives
After completing this lesson, the participant will be able to:
Describe and explain the basic steps for assigning authorizations with the Role Maintenance
Create new roles, change and copy roles, and specify their activities
Display and maintain authorizations that were generated automatically
Compare user master records directly in role maintenance "PFCG" or in user maintenance "SU01"
Describe how to perform a mass comparison and state which report you can schedule for an automatic comparison
Lesson: Special ABAP Roles
Lesson Objectives
After completing this lesson, the participant will be able to:
Describe the use of Customizing roles
Explain the advantages and disadvantages of composite roles
Define the relationship between reference roles and derived roles
Bundle frequently used transactions and map them with different instances using derived roles
Describe how to perform a mass comparison and state which report you can schedule for an automatic comparison
Lesson: Subtleties of Authorization Maintenance
Lesson Objectives
After completing this lesson, the participant will be able to:
Interpret the red, yellow, and green traffic lights for different field contents
Describe the meaning of the icons in the PFCG authorization maintenance
Define the hierarchy of status terms, and explain when which term is used
Distinguish between the expert mode and simple maintenance for authorizations
List additional functions that are accessible through the menu
Unit 5: Basic Settings
Unit Overview
This unit describes basic settings for the topic of authorizations. Some of these settings should be made before "PFCG" is used (lesson 1: Installation and Upgrade), while others are made during operation (lesson 2: Concept of User Administration). A number of parameters, switches, and objects are used for this purpose. These are described here.
Lesson: Role Maintenance: Installation and Upgrade
Lesson Objectives
After completing this lesson, the participant will be able to:
Perform the steps necessary to install the Role Maintenance
Find default values and check indicators in the system
Modify, delete, or extend the default values of the Role Maintenance
Perform the necessary steps after an upgrade for postprocessing old and new authorization values
Describe new functionality in transaction SU25
Lesson: Access Control and User Administration
Lesson Objectives
After completing this lesson, the participant will be able to:
Define password rules and system profile parameters
Protect special users in the SAP system
Protect SAP functions with authorization object S_TCODE
Protect tables and views using authorization groups
Protect programs with authorization groups
Describe tasks in user and authorization administration
List options for separating functions of user and authorization administration
Describe options for decentralization of user administration
Create user and authorization administrators with limited rights (using authorization objects)
Unit 6: Using Traces
Unit Overview
The first lesson discusses the Information System and AIS, which provide the administrator with different search options for listing the system settings and requirements for the area of authorization. This also includes the analysis of failed authorization checks, and the system trace. The second lesson shows how to use the system trace to maintain the menu and authorization data for roles, and to maintain authorization default values.
Lesson: Troubleshooting and Administration Aids
Lesson Objectives
After completing this lesson, the participant will be able to:
Analyze authorization checks in various ways
Use transaction "SU53" to find missing authorizations (also for other users)
Run the system trace ("ST01" or "STAUTHTRACE")
Apply the features of the information system and use them for different tasks
Understand and apply the new functions of the Audit Information System (AIS)
Lesson: Using Trace Evaluation to maintain Menus and Authorizations
Lesson Objectives
After completing this lesson, the participant will be able to:
Use the system trace to maintain the menu and authorization data for roles
Use the system trace to maintain authorization default values
Unit 7: Transporting Authorizations
Unit Overview
This unit describes the transport of authorization data, starting with user master records, through roles, up to check indicators and customer default values for the Role Maintenance.
Lesson: Transporting Authorization Components
Lesson Objectives
After completing this lesson, the participant will be able to:
Copy user master records to other clients
Transport roles and describe the behavior in the system: With and without profile information, with and without user assignments, in a CUA landscape or without CUA
Transport check indicators using Transaction "SU25"
Describe the transport behavior of composite, reference, and derived roles
List other transport options
Unit 8: Integration into the Company Landscape
Unit Overview
Some of the daily work for an administrator is the assignment of authorizations to end users. These are often connected to certain rules and processes that always follow the same schema. Two additional methods for user maintenance and authorization assignment are introduced here to help you optimize this regular process and the time spent. These are Central User Administration and the Integration into Organizational Management.
As an overview, SAP NetWeaver Identity Management is introduced here to give you an impression of how the Central User Administration can be enhanced.
Lesson: Central User Administration (CUA)
Lesson Objectives
After completing this lesson, the participant will be able to:
Explain how the central user administration functions
Specify the most important steps for setting up the central user administration
Define distribution rules for user data
Create, maintain and distribute users centrally
Perform system comparisons for users that are not yet maintained centrally
Lesson: Integration into Organizational Management
Lesson Objectives
After completing this lesson, the participant will be able to:
Create organizational units in HR Organizational Management
Link roles with the organizational plan objects
Link users with the organizational plan objects
Perform a comparison of the indirect role and user assignments
Compare user master record
Assign roles for a specific period of time
Lesson: SAP NetWeaver Identity Management
Lesson Objectives
After completing this lesson, the participant will be able to:
Understand what SAP NetWeaver Identity Management is
Estimate the effort of switching from CUA to SAP NetWeaver Identity Management