Post on 18-Dec-2015
Copyright © 2003 Americas’ SAP Users’ Group
Authorizations in the Finance & Controlling Modules
Ranvir Singh, Sherman Wright, Business Analysts, LSI LOGIC Corporation
Sam Sangha, Technical Consultant, VIRSA Systems Corp.
May 20, 2003
Agenda
1 – Introduction to Finance Authorizations (Basic Concepts)
2 – Important Reports and Transactions
(PFCG, SU01, SU53, SUIM, SU24)
3 – Challenges in Finance (Responsibilities and Roles)
4 – Finding Risks in the Finance Environment (Segregation of Duties Matrix, VRAT, etc.)
5 – Tools for Analysis (VIRSA, SAP, etc.)
[Slide diagram: linkage of the various objects, fields and groups. Authorization object class > Authorization object > Authorization > Profile / Role > User.]
Introduction to Finance Authorizations
Terminology
• Authorization Profile / Activity Group / Role: contains instances (authorizations) of different authorization objects, grouped by object class. A role (called an activity group in older releases) is built with the Profile Generator, which generates the profile that is assigned to the user.
• Authorization Object Class: a logical grouping of authorization objects, for example all authorization objects in object class FI (Financial Accounting).
• Authorization Object: a group of up to ten authorization fields that are always checked together (every field must match), for example F_LFA1_APP (Vendor: Application Authorization).
• Authorization Field: the smallest unit against which a check is run, for example BUKRS for company code.
• Authorization: an instance of an authorization object, that is, one combination of allowed values for each field of the object.
Authorizations: example (reading the hierarchy from the user down)
  User name: Joe Smith, N.A. Credit
  Role / Profile: North America Credit
  Object class: Financial Accounting
  Authorization object: company code
  Authorization: company code = US10
Business Scenario (slide diagram)
Procurement employees Karen, Susan and John hold the roles Employee, Service Representative, Manager and Purchaser. Each role performs specific functions and needs the matching authorization:
  Create purchase requisition (ME51): authorization to create purchase requisitions
  Release purchase requisition (ME54): authorization to release purchase requisitions
  Order purchase requisition (ME58): authorization to create purchase orders
Employees have roles with specific functions and need authorizations for these functions.
An employee can have multiple roles.
A role is a group of activities performed within a business scenario.
Authorization A (fields BUKRS and ACTVT):
  BUKRS = US10, US18
  ACTVT = 01 (Create), 02 (Change), 03 (Display)
Authorization B (same object):
  BUKRS = US10, US18, US42
  ACTVT = 03 (Display)

1. Authorization A allows the user to perform create, change and display activities in company codes US10 and US18.
2. Authorization B allows the user to perform only the display activity in company codes US10, US18 and US42.
3. If the user has both authorization A and authorization B, they work together: the user can perform create, change and display activities in company codes US10 and US18, and can only display in company code US42.
Note that a check passes only when one single authorization covers every field being checked. Values are not merged across authorizations, so A's ACTVT 01 never combines with B's BUKRS US42 to allow creating in US42.
Authorization objects, authorizations and the authorization profile (slide diagram, reconstructed)

Authorization objects and their fields:
  S_TCODE      TCD            transaction code (checked at transaction start)
  F_BKPF_BUK   ACTVT, BUKRS   accounting document: company code
  F_BKPF_GSP   ACTVT, GSBER   accounting document: business area
  F_BKPF_KOA   ACTVT, KOART   accounting document: account type
  .......

Authorizations per work center (ACTVT 01 = create, 02 = change, 03 = display):
  Work center 1 (customer invoice F-22, customer credit memo F-27, change/display document FB02/FB03):
    S_TCODE     TCD   = F-22, F-27, FB02, FB03
    F_BKPF_BUK  ACTVT = 01, 02, 03   BUKRS = 1000
    F_BKPF_KOA  ACTVT = 01, 02, 03   KOART = A, D, S (assets, customers, G/L accounts)
  Work center 2 (vendor invoice F-43, vendor credit memo F-41, FB02/FB03):
    S_TCODE     TCD   = F-43, F-41, FB02, FB03
    F_BKPF_BUK  ACTVT = 01, 02, 03   BUKRS = 1000, 2000
    F_BKPF_KOA  ACTVT = 01, 02, 03   KOART = K (vendors)
  Work center 3:
    F_BKPF_BUK  ACTVT = 01, 02, 03   BUKRS = 2000
    .......

Authorization profile (the authorizations actually assigned, drawn from the work centers):
    S_TCODE     TCD   = F-22, F-27, FB02, FB03
    F_BKPF_BUK  ACTVT = 01, 02, 03   BUKRS = 1000
    F_BKPF_BUK  ACTVT = 01, 02, 03   BUKRS = 2000
    F_BKPF_KOA  ACTVT = 01, 02, 03   KOART = D
    (one further authorization with ACTVT = 03 and value 1000; its object is not recoverable from the slide)
    .......
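The two preceding slides (authorizations A and B working together, and the work-center authorizations in a profile) can be replayed with the small model below. This is an added example, not code from the slides and not SAP code. The objects F_BKPF_BUK, F_BKPF_KOA and S_TCODE and the field values are taken from the slides; the assumption that authorizations A and B sit on F_BKPF_BUK, and the order in which can_post() runs its checks, are this example's own choices. The failure report it produces is the same information the SU53 slide later lists: the object checked, the values required and the values the user holds.

```python
"""Added example (not from the slides or from SAP): a small model of how SAP
evaluates authorizations, so the two slides above can be replayed.

Rules modelled:
  * an authorization object bundles fields that are checked together (AND);
  * an authorization is one set of allowed values per field of that object;
  * a profile/role holds many authorizations, and a check passes when at
    least ONE authorization for the object covers ALL requested values.
    Values are never merged across two authorizations.
"""
from dataclasses import dataclass

ANY = "*"  # full authorization for a field


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. F_BKPF_BUK
    values: dict  # field name -> frozenset of allowed values

    def covers(self, requested: dict) -> bool:
        """True only if every requested field value is allowed here."""
        for fld, val in requested.items():
            allowed = self.values.get(fld, frozenset())
            if ANY not in allowed and val not in allowed:
                return False
        return True


def auth(obj, **fields):
    """Build an Authorization from FIELD=[values...] keyword arguments."""
    return Authorization(obj, {f: frozenset(v) for f, v in fields.items()})


@dataclass
class CheckResult:
    ok: bool
    obj: str
    requested: dict
    held: tuple   # the authorizations the user has for obj

    def report(self) -> str:
        """Failure diagnostic of the kind SU53 shows: checked vs held values."""
        if self.ok:
            return f"{self.obj}: OK"
        lines = [f"{self.obj}: missing authorization for {self.requested}"]
        for a in self.held:
            lines.append("  user holds " + str({k: sorted(v) for k, v in a.values.items()}))
        if not self.held:
            lines.append("  user holds no authorization for this object")
        return "\n".join(lines)


def authority_check(profile, obj, **requested) -> CheckResult:
    """Equivalent of AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2."""
    held = tuple(a for a in profile if a.obj == obj)
    return CheckResult(any(a.covers(requested) for a in held), obj, requested, held)


# Authorizations A and B from the slide. The slide does not name the object;
# F_BKPF_BUK is assumed here because its fields are exactly BUKRS and ACTVT.
AUTH_A = auth("F_BKPF_BUK", BUKRS=["US10", "US18"], ACTVT=["01", "02", "03"])
AUTH_B = auth("F_BKPF_BUK", BUKRS=["US10", "US18", "US42"], ACTVT=["03"])
USER_AB = (AUTH_A, AUTH_B)

# Work center 1 from the profile slide: customer document transactions,
# company code 1000, account types A (assets), D (customers), S (G/L).
WORKCENTER_1 = (
    auth("S_TCODE", TCD=["F-22", "F-27", "FB02", "FB03"]),
    auth("F_BKPF_BUK", ACTVT=["01", "02", "03"], BUKRS=["1000"]),
    auth("F_BKPF_KOA", ACTVT=["01", "02", "03"], KOART=["A", "D", "S"]),
)


def can_post(profile, tcode, bukrs, koart) -> CheckResult:
    """Chain of checks a posting transaction runs: transaction start, then
    company code, then account type (only the objects on the slide; a real
    FI posting checks more). Stops at the first failure so the result shows
    exactly which check blocked the user."""
    for obj, req in (
        ("S_TCODE", {"TCD": tcode}),
        ("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": bukrs}),
        ("F_BKPF_KOA", {"ACTVT": "01", "KOART": koart}),
    ):
        result = authority_check(profile, obj, **req)
        if not result.ok:
            return result
    return result


if __name__ == "__main__":
    # Holding A and B together still does not allow creating in US42: no
    # single authorization covers ACTVT=01 together with BUKRS=US42.
    print(authority_check(USER_AB, "F_BKPF_BUK", ACTVT="01", BUKRS="US42").report())
    print(authority_check(USER_AB, "F_BKPF_BUK", ACTVT="03", BUKRS="US42").report())
    # Work center 1 may post a customer invoice (F-22) in 1000 but cannot start
    # the vendor invoice transaction (F-43) or post in company code 2000.
    print(can_post(WORKCENTER_1, "F-22", "1000", "D").report())
    print(can_post(WORKCENTER_1, "F-43", "1000", "K").report())
    print(can_post(WORKCENTER_1, "F-22", "2000", "D").report())
```

The point to take from can_post() is that S_TCODE only decides whether the transaction starts; what the user can then do is decided by the object checks behind it, which is why a role review has to look past the menu.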
Any questions ??
Let’s move to the 2nd Part of our agenda items
1 - PFCG – Profile Generator
2 - SU01 – User Maintenance
3 - SU53 – Display Authorization Data
4 - SUIM – User Information System
5 - SU24 – Authorization Assignment (transactions and authorization objects)
6 - Other important reports.
Important Report and Transactions
PFCG – Profile Generator (PG)
• SAP's tool for building roles (activity groups) and generating their profiles: the administrator picks transactions and the authorization objects and values are proposed and then completed, instead of assembling profiles by hand.
• When a transaction is selected and placed in the "Menu" while creating or changing the activity group, the PG pulls in the authorization objects that this transaction checks, together with the default values maintained for it (transaction SU24), and adds them to the role's authorization data. Objects with open fields still have to be maintained before the profile is generated.
SU01 – User Maintenance
• Types of users:
  Dialog users (only dialog users can log on to the R/3 system interactively)
  Background users
  Batch data communication (BDC) users
  Common programming interface for communication (CPI-C) users
SU53 – Display Authorization Data
• Menu path: System > Utilities > Display Authorization Check.
• Shows the last failed authorization check of the user's session, so run it immediately after the "no authorization" message; the next failed check overwrites it.
• Authorizations can also be analyzed with the authorization trace, transaction ST01, which records every check a session performs rather than only the last failure.
• Running SU53 after an authorization error shows the following information:
  1. Authorization object that was checked
  2. Authorization object class that was checked
  3. Values of the object the user needs to perform the action
  4. Values of the object the user already has in his/her master record
SUIM – User Information System
A collection of reports to analyze user access, activity group and profile content, and changes to accounts, etc.
SU24 – Authorization Assignment (transactions and authorization objects)
Maintains, per transaction, which authorization objects are checked and the default values the Profile Generator proposes for them. The Profile Generator reads this automatically when PFCG is used, but SU24 is still needed to adjust check indicators or default values and to verify what a transaction will pull into a role.
Other Important reports (some in SUIM)
• RSUSR000: Display Current Active Users
• RSUSR002: Display user according to complex selection criteria
• RSUSR005: Display users with critical authorization
• RSUSR006: Display users that are locked by the system and by the administrator because of the incorrect logons
• RSUSR010: Transactions executable for the users, with profile or authorization
• RSUSR070: Display activity group by complex search criteria.
Challenges in Finance
Responsibilities & Roles
1. What responsibilities need to be provided and need to be "protected"?
   - Vendor creation, invoice processing, payment processing, billing, collections, GL, P&L, etc.
2. Have roles been created to provide access for specific responsibilities, yet keeping the different ones separated?
3. Do some roles provide too much access?
4. Who defines the roles (Security Admin, Business Process Owners, others)?
Finding Risks in the Finance Environment
Segregation of Duties
1. SOD Concept: Segregation of Duties is the primary internal control intended to prevent, or to minimize, the risk of errors or irregularities; identify problems; and ensure corrective action is taken.
2. No single individual should have control over all phases of a transaction.
3. Using roles to keep job activities separate.
4. Using reports to ensure users don’t have too much access.
Finding Risks in the Finance Environment
Segregation of Duties (continued)
5. Defining Risks
   At what level can risks be defined?
   - Transaction level
   - Authorization object level
   - Other
6. Translating Risks into a Matrix
- Transaction level is easy: just list the combinations of transactions that cause risks. Such a check only looks at S_TCODE, so it reports a user who holds both transactions even when the authorization objects behind one of them allow display only (a false positive), and it misses access to the same function granted through another transaction.
- Object level is more difficult because of the many objects and values that can be involved, but it is what decides what a user can actually do.
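A transaction-level matrix of the kind described above, evaluated over users and roles, as an added example. It is not code from the slides or from any vendor tool; the rule matrix, the roles (Z_ customer namespace, hypothetical names), the user-to-role assignments and the mitigating control are all constructed for the example from the transactions on the business scenario slide (ME51, ME54, ME58) plus FB03 for display.

```python
"""Added example (not from the slides or from any vendor tool): a
transaction-level segregation-of-duties check over users and roles.

The rule matrix, roles, users and mitigating controls below are constructed
for this example from the transactions that appear on the slides: ME51
(create purchase requisition), ME54 (release purchase requisition) and ME58
(create purchase order from requisition). Role names in the Z_ customer
namespace are hypothetical.
"""
from collections import namedtuple

# One rule = (description, left-hand transactions, right-hand transactions).
# Holding at least one transaction from each side is a conflict.
SOD_RULES = {
    "P01": ("Create and release the same purchase requisition",
            {"ME51"}, {"ME54"}),
    "P02": ("Release a requisition and convert it to a purchase order",
            {"ME54"}, {"ME58"}),
}

# Role -> transactions it grants (its S_TCODE values). Constructed.
ROLES = {
    "Z_PUR_REQUESTER": {"ME51", "FB03"},
    "Z_PUR_MANAGER":   {"ME54", "FB03"},
    "Z_PUR_BUYER":     {"ME58", "FB03"},
    "Z_PUR_ALL":       {"ME51", "ME54", "ME58"},   # conflicting by itself
}

# User -> roles assigned in SU01. Constructed; names from the scenario slide.
USERS = {
    "KAREN": ["Z_PUR_REQUESTER"],
    "SUSAN": ["Z_PUR_REQUESTER", "Z_PUR_MANAGER"],
    "JOHN":  ["Z_PUR_ALL"],
}

# Documented mitigating controls: (user, rule) pairs an auditor has accepted,
# e.g. a monthly review of SUSAN's releases. Hypothetical.
MITIGATIONS = {("SUSAN", "P01")}

Finding = namedtuple("Finding", "user rule tcodes roles mitigated")


def granted_tcodes(user, users, roles):
    """Flatten a user's roles into {tcode: set of roles granting it}."""
    granted = {}
    for role in users[user]:
        for tcode in roles[role]:
            granted.setdefault(tcode, set()).add(role)
    return granted


def rule_hit(granted, rule):
    """Transactions that trigger the rule for this access set, or None."""
    _, left, right = rule
    hit_left, hit_right = left & granted.keys(), right & granted.keys()
    return hit_left | hit_right if hit_left and hit_right else None


def sod_findings(users, roles, rules, mitigations=frozenset()):
    """All user-level conflicts, each with the roles that caused it, so the
    fix (remove a role, split a role, or document a control) is visible."""
    findings = []
    for user in sorted(users):
        granted = granted_tcodes(user, users, roles)
        for rule_id, rule in sorted(rules.items()):
            hit = rule_hit(granted, rule)
            if hit:
                causing = set().union(*(granted[t] for t in hit))
                findings.append(Finding(user, rule_id, frozenset(hit),
                                        frozenset(causing),
                                        (user, rule_id) in mitigations))
    return findings


def conflicting_roles(roles, rules):
    """Roles that violate a rule on their own ('does a role give too much
    access?'): these stay conflicts no matter who receives them."""
    out = {}
    for role, tcodes in sorted(roles.items()):
        granted = {t: {role} for t in tcodes}
        hits = [rid for rid, rule in sorted(rules.items()) if rule_hit(granted, rule)]
        if hits:
            out[role] = hits
    return out


if __name__ == "__main__":
    for f in sod_findings(USERS, ROLES, SOD_RULES, MITIGATIONS):
        status = "mitigated" if f.mitigated else "OPEN"
        print(f"{f.user}: {f.rule} {sorted(f.tcodes)} via {sorted(f.roles)} [{status}]")
    print("roles conflicting by themselves:", conflicting_roles(ROLES, SOD_RULES))
```

Because this works from S_TCODE values only, it reports John and Susan but cannot tell whether a user's FB02 is backed by change or display-only values on F_BKPF_BUK; that is the object-level analysis the slide calls more difficult, and the reason a transaction-level matrix needs a review step before its findings are treated as real.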
Any questions ??
Let’s move to the 5th Part of our agenda items
Finding Risks in the Finance Environment
Tools for Analysis
SAP – what it offers:
1. SUIM: User Information System
- Critical Combinations of Authorizations at Transaction Start
- Lists of Users with Critical Authorizations
- Other reports also
2. AIS: Audit Information System
- Several system audit reports
- Limited analysis capabilities
Why we selected VIRSA
1. Real time SOD Analysis on live data
2. Real time Simulation on live data (ongoing compliance)
3. Responsive to our needs (Supplementary SOD Analysis)
4. User friendly & powerful reporting (precise information)
5. Eliminates false errors
6. Documentation of Mitigating Controls
7. Positive feedback from other customers
About VIRSA
VIRSA Systems, Inc.
1. SAP Security Company with 100% focus on providing SAP Security & Controls products & solutions.
2. VIRSA’s Products and Solutions:
- VIRSA Risk Assessment Tool (VRAT)
- VIRSA Role Management Tool (VRMT)
- VIRSA Fire Fighting Tool (VFAT)
- VIRSA Risk Assessment Service (VRAS)
- Complete Security Redesign
3. VIRSA Security and controls training and workshops
VIRSA Features
1. VRAT Key Features:
Designed for Auditors, Security & Controls Team, Business Process Owners
Real Time Online SOD Analysis/Reporting at both Trans. Code and Auth. Object level
Automated Simulation & Remote Simulation on live data
Intuitive Interface & ALV Drill Down Reports
Rule building/upgrading automation (add-on)
Supplementary SOD Analysis (e.g. USR05)
VRAT Tool Box (Complimentary SOD Reports/Utilities)
Monitoring of actual execution of Conflicting Transactions (New Release)
HR & BW Specific functionality (Future Release)
Custom default settings, can link custom reports to VRAT Tool Box