Copyright © 2003 Americas’ SAP Users’ Group

Authorizations in the Finance & Controlling Modules

Ranvir Singh, Sherman Wright, Business Analysts, LSI LOGIC Corporation

Sam Sangha, Technical Consultant, VIRSA Systems Corp.

May 20, 2003

Agenda

1 – Introduction to Finance Authorizations (Basic Concepts)

2 – Important Reports and Transactions

(PFCG, SU01, SU53, SUIM, SU24)

3 – Challenges in Finance (Responsibilities and Roles)

4 – Finding Risks in the Finance Environment (Segregation of Duties Matrix, VRAT, etc.)

5 – Tools for Analysis (VIRSA, SAP, etc.)

[Figure: linkage of the authorization concept, from the top down: User, Role / Authorization Profile, Authorization, Authorization Object, Authorization Object Class. Caption: Linkage of various Objects/Fields/Groups etc.]

Introduction to Finance Authorizations

Terminology

• Authorization Profile / Activity Group / Role: contains instances (authorizations) of different authorization objects, grouped by object class.

• Authorization Object Class: a logical grouping of authorization objects, for example all authorization objects of object class FI (Financial Accounting).

• Authorization Object: a group of authorization fields that are checked together in one check, for example F_LFA1_APP (Vendor: Application Authorization).

• Authorization Field: the smallest unit against which a check is run, for example BUKRS for company code.

• Authorization: an instance of an authorization object, i.e. a combination of allowed values for each field of that object.

Authorizations: a worked example of the linkage

User names: Joe Smith and N.A. Credit

Role / Profile: North America Credit

Authorization: Company code = US10

Authorization object: Company code

Object class: Financial Accounting

Introduction to Finance Authorizations

Business Scenario: Procurement

[Figure: three employees, the role each holds, and the authorization each role needs, paired top to bottom as follows]

Karen, Employee Service Representative: authorization to create purchase requisitions (ME51)

Susan, Employee Service Representative Manager: authorization to release purchase requisitions (ME54)

John, Employee Purchaser: authorization to create purchase orders, i.e. to order a purchase requisition (ME58)

Employees have roles with specific functions and need authorizations for these functions.

An employee can have multiple roles.

A role is a group of activities performed within a Business Scenario.

Introduction to Finance Authorizations

Authorization A: BUKRS = US10, US18; ACTVT = 01 (Create), 02 (Change), 03 (Display)

Authorization B: BUKRS = US10, US18, US42; ACTVT = 03 (Display)

1. Authorization A allows the user to perform create, change and display activities in company codes US10 & US18.

2. Authorization B allows the user to perform only the display activity in company codes US10, US18 & US42.

3. If the user has authorization A and authorization B, they work together. This means that the user can perform create, change and display activities in company codes US10 & US18, but only the display activity in company code US42. The fields of one authorization are checked together, so ACTVT 01 from A is never combined with US42 from B.
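The rule behind point 3, as an added example (not code from the slides or from SAP): a check passes only if some single authorization satisfies every field at once, and the user's authorizations are tried one after the other. The object name F_BKPF_BUK and the "*" wildcard handling are assumptions; the slide shows only the fields BUKRS and ACTVT and the two authorizations A and B.

```python
"""Added example (not from the ASUG slides): how several authorizations for one
object combine in an SAP-style authority check. Every field of ONE
authorization must be satisfied (AND within an authorization); the user passes
if ANY of their authorizations satisfies the check (OR across authorizations).
The object name F_BKPF_BUK is assumed; the slide only shows the fields."""

# An authorization is modelled as {field: set of allowed values}; "*" is the
# SAP full-authorization wildcard for a field (assumed simplification).
Authorization = dict[str, set[str]]

ACTIVITY_NAMES = {"01": "create", "02": "change", "03": "display"}

# Authorization A and B exactly as on the slide.
AUTH_A: Authorization = {"BUKRS": {"US10", "US18"}, "ACTVT": {"01", "02", "03"}}
AUTH_B: Authorization = {"BUKRS": {"US10", "US18", "US42"}, "ACTVT": {"03"}}


def authorization_covers(auth: Authorization, required: dict[str, str]) -> bool:
    """True if this single authorization allows every requested field value."""
    for field_name, value in required.items():
        allowed = auth.get(field_name, set())
        if value not in allowed and "*" not in allowed:
            return False
    return True


def authority_check(user_auths: list[Authorization], required: dict[str, str]) -> bool:
    """Mirror of ABAP AUTHORITY-CHECK OBJECT ... FIELD ... VALUE ...:
    the check passes if any one authorization covers all fields at once."""
    return any(authorization_covers(a, required) for a in user_auths)


def effective_rights(user_auths: list[Authorization], company_codes: list[str]) -> dict[str, set[str]]:
    """Which activities the user can really perform, per company code."""
    rights = {}
    for bukrs in company_codes:
        rights[bukrs] = {
            name
            for code, name in ACTIVITY_NAMES.items()
            if authority_check(user_auths, {"BUKRS": bukrs, "ACTVT": code})
        }
    return rights


if __name__ == "__main__":
    user = [AUTH_A, AUTH_B]
    for bukrs, acts in effective_rights(user, ["US10", "US18", "US42"]).items():
        print(bukrs, sorted(acts))
    # US10 ['change', 'create', 'display']
    # US18 ['change', 'create', 'display']
    # US42 ['display']   <- ACTVT 01 from A never combines with US42 from B
```

The same function explains why adding a broad display authorization to a user never widens their create or change rights: it only adds company codes for ACTVT 03.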

Introduction to Finance Authorizations

[Figure: example authorization objects, their fields and the values maintained for three work centers, followed by the authorization profile built from them. Only the values legible in the transcript are reproduced; which work center each value column belongs to is certain only for the two S_TCODE entries.]

Authorization object   Fields          Example values shown
S_TCODE                TCD             F-22, F-27, FB02, FB03 (Work Center 1); F-43, F-41, FB02, FB03 (Work Center 2)
F_BKPF_BUK             ACTVT, BUKRS    01, 02, 03 / 1000; 01, 02, 03 / 1000, 2000; 01, 02, 03 / 2000
F_BKPF_GSP             ACTVT, GSBER    .......
F_BKPF_KOA             ACTVT, KOART    01, 02, 03 / A, D, S; 01, 02, 03 / K
.......                .......         .......

Authorization profile example (authorizations generated from the objects above): S_TCODE TCD = F-22, F-27, FB02, FB03; F_BKPF_BUK ACTVT 01, 02, 03 with BUKRS 1000, and ACTVT 01, 02, 03 with BUKRS 2000; F_BKPF_KOA ACTVT 01, 02, 03 with KOART D; .......; ACTVT 03 with BUKRS 1000

Introduction to Finance Authorizations

Any questions ??

Let’s move to the 2nd Part of our agenda items

1 - PFCG – Profile Generator

2 - SU01 – User Maintenance

3 - SU53 – Display Authorization Data

4 - SUIM – User Information System

5 - SU24 – Authorization Assignment (transactions and authorization objects)

6 - Other important reports.

Important Reports and Transactions

PFCG – Profile Generator (PG)

• SAP's automated method for generating authorization profiles: the administrator picks transactions, and the PG proposes the authorization objects and field values to maintain.

• When a transaction is selected and placed in the "Menu" while creating or changing the activity group, the PG pulls in the authorization objects that are checked in that transaction and for which a proposal is maintained for the PG.

SU01 – User Maintenance

• Types of users:

Dialog users (only dialog users log on to the R/3 system interactively)

Background users

Batch Data Communication (BDC) users

Common Programming Interface for Communications (CPI-C) users

[Screenshot: main display of user master data]

SU53 – Display Authorization Data

• Menu path: System > Utilities > Display Authorization Check

• Authorizations can also be analyzed with the authorization trace, transaction ST01.

• SU53 analyzes the authorization error that just occurred in the user's own session because of a missing authorization.

• Running SU53 right after an authorization error shows the following information:

1. The authorization object that was checked

2. The authorization object class that was checked

3. The field values of the object the user needs in order to perform the action

4. The field values of the object the user already has in his/her master record

SUIM – User Information System

A collection of reports to analyze user access, activity group and profile content, changes to accounts, etc.

SU24 – Authorization Assignment (transactions and authorization objects)

Maintains which authorization objects are checked in a transaction and the default values the Profile Generator proposes for them. These proposals are applied automatically when PFCG is used, but SU24 is still useful for modifications and verification.

Other important reports (some in SUIM)

• RSUSR000: Display currently active users

• RSUSR002: Display users according to complex selection criteria

• RSUSR005: Display users with critical authorizations

• RSUSR006: Display users locked by the system (because of incorrect logons) or by the administrator

• RSUSR010: Transactions executable for a user, profile or authorization

• RSUSR070: Display activity groups by complex selection criteria

Any questions ??

Let’s move to the 3rd Part of our agenda items


Challenges in Finance

Responsibilities & Roles

1. What responsibilities need to be provided and need to be "protected"?

- Vendor creation, invoice processing, payment processing, billing, collections, GL, P&L, etc.

2. Have roles been created to provide access for specific responsibilities, yet keeping the different ones separated?

3. Do some roles provide too much access?

4. Who defines the roles (Security Admin, Business Process Owners, others)?

Any questions ??

Let’s move to the 4th Part of our agenda items


Finding Risks in the Finance Environment

Segregation of Duties

1. SOD Concept: Segregation of Duties is the primary internal control intended to prevent, or to minimize, the risk of errors or irregularities; identify problems; and ensure corrective action is taken.

2. No single individual should have control over all phases of a transaction.

3. Using roles to keep job activities separate.

4. Using reports to ensure users don’t have too much access.

Finding Risks in the Finance Environment

Segregation of Duties (continued)

5. Defining Risks

At what level can risks be defined?

- Transaction level

- Authorization object level

- Other

6. Translating Risks into a Matrix

- Transaction level is easy: just list the combinations of transactions that cause risks.

- Object level is more difficult because of the many objects and values that can be involved.
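An added example (not from the slides, and not VIRSA's or SAP's rule set) of points 5 and 6: a transaction-level matrix is a list of function pairs, each function being the transactions that perform it, and it must be evaluated against the union of everything a user gets from all of their roles, since a conflict usually arises across two roles rather than inside one. The object-level re-check shows why the object level is harder and also why it matters: a user may hold a transaction in S_TCODE yet lack the activity on the object the transaction really checks. The function groupings, roles, users and the (object, activity) each transaction is assumed to need are constructed for illustration and are not SAP's SU24 defaults.

```python
"""Added example (not from the ASUG slides): a transaction-level segregation of
duties (SoD) matrix evaluated against users whose access is the union of
several roles, then re-checked at authorization-object level to drop
conflicts the user cannot actually exercise. Function groupings, roles, users,
and the object/activity each transaction is assumed to need are all
constructed for illustration and are not SAP's SU24 defaults."""

# Business functions expressed as the transactions that perform them (constructed).
FUNCTIONS = {
    "VENDOR_MASTER": {"FK01", "FK02", "XK01", "XK02"},
    "INVOICE_ENTRY": {"FB60", "F-43"},
    "PAYMENT_RUN": {"F110"},
}

# Transaction-level SoD matrix: pairs of functions one user must not hold together.
SOD_MATRIX = {
    ("VENDOR_MASTER", "PAYMENT_RUN"): "Create a fictitious vendor and pay it",
    ("VENDOR_MASTER", "INVOICE_ENTRY"): "Create a vendor and post invoices to it",
    ("INVOICE_ENTRY", "PAYMENT_RUN"): "Enter an invoice and release the payment",
}

# Object-level refinement: the (object, activity) a transaction must find in the
# user's authorizations to do more than display (assumed values, not SU24 data).
TCODE_REQUIRES = {
    "FK01": ("F_LFA1_APP", "01"), "FK02": ("F_LFA1_APP", "02"),
    "XK01": ("F_LFA1_APP", "01"), "XK02": ("F_LFA1_APP", "02"),
    "FB60": ("F_BKPF_BUK", "01"), "F-43": ("F_BKPF_BUK", "01"),
    "F110": ("F_REGU_BUK", "21"),
}

# Roles: S_TCODE values plus a simplified {object: set of activities} (constructed).
ROLES = {
    "AP_CLERK":     {"tcodes": {"FB60", "FB03"}, "objects": {"F_BKPF_BUK": {"01", "02", "03"}}},
    "AP_DISPLAY":   {"tcodes": {"FB03", "F110"}, "objects": {"F_BKPF_BUK": {"03"}, "F_REGU_BUK": {"03"}}},
    "VENDOR_ADMIN": {"tcodes": {"FK01", "FK02"}, "objects": {"F_LFA1_APP": {"01", "02"}}},
    "TREASURY":     {"tcodes": {"F110"},         "objects": {"F_REGU_BUK": {"02", "03", "21"}}},
}

USERS = {
    "JSMITH": ["AP_CLERK", "TREASURY"],        # genuine conflict across two roles
    "KJONES": ["VENDOR_ADMIN", "AP_DISPLAY"],  # F110 present, but display-only on F_REGU_BUK
    "MLEE":   ["AP_CLERK"],
}


def user_tcodes(user):
    """All transactions the user can start, across every assigned role."""
    return set().union(*(ROLES[r]["tcodes"] for r in USERS[user]))


def user_object_activities(user):
    """Merged {object: activities} across the user's roles."""
    merged = {}
    for role in USERS[user]:
        for obj, acts in ROLES[role]["objects"].items():
            merged.setdefault(obj, set()).update(acts)
    return merged


def functions_of(user, object_level=False):
    """Functions the user can perform. At transaction level, holding any of the
    function's transactions is enough; at object level the transaction must
    also find its required activity on the object it checks."""
    tcodes = user_tcodes(user)
    acts = user_object_activities(user)
    able = set()
    for fn, fn_tcodes in FUNCTIONS.items():
        for tcode in fn_tcodes & tcodes:
            if not object_level:
                able.add(fn)
                break
            obj, actvt = TCODE_REQUIRES.get(tcode, (None, None))
            # Unknown transactions are counted conservatively (treated as able).
            if obj is None or actvt in acts.get(obj, set()):
                able.add(fn)
                break
    return able


def sod_conflicts(user, object_level=False):
    """Matrix rows where the user holds both functions, as (fn1, fn2, risk)."""
    funcs = functions_of(user, object_level)
    return [(a, b, risk) for (a, b), risk in SOD_MATRIX.items() if a in funcs and b in funcs]


if __name__ == "__main__":
    for user in USERS:
        tcode_hits = [(a, b) for a, b, _ in sod_conflicts(user)]
        obj_hits = [(a, b) for a, b, _ in sod_conflicts(user, object_level=True)]
        print(f"{user}: transaction level {tcode_hits} | object level {obj_hits}")
```

KJONES is flagged at transaction level (FK01 plus F110) but cleared at object level, because the F_REGU_BUK authorization behind F110 is display-only; JSMITH is flagged at both levels even though neither of the two roles is a conflict on its own. The object-level check needs one (object, activity) entry per transaction, which is exactly the maintenance effort the slide calls "more difficult".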


Any questions ??

Let’s move to the 5th Part of our agenda items


Tools for Analysis

SAP – what it offers:

1. SUIM: User Information System

- Critical Combinations of Authorizations at Transaction Start

- Lists of Users with Critical Authorizations

- Other reports also

2. AIS: Audit Information System

- Several system audit reports

- Limited analysis capabilities

Why we selected VIRSA

1. Real time SOD Analysis on live data

2. Real time Simulation on live data (ongoing compliance)

3. Responsive to our needs (Supplementary SOD Analysis)

4. User friendly & powerful reporting (precise information)

5. Eliminates false errors

6. Documentation of Mitigating Controls

7. Positive feedback from other customers

About VIRSA

VIRSA Systems, Inc.

1. SAP Security Company with 100% focus on providing SAP Security & Controls products & solutions.

2. VIRSA’s Products and Solutions:

- VIRSA Risk Assessment Tool (VRAT)

- VIRSA Role Management Tool (VRMT)

- VIRSA Fire Fighting Tool (VFAT)

- VIRSA Risk Assessment Service (VRAS)

- Complete Security Redesign

3. VIRSA Security and controls training and workshops

VIRSA Features

1. VRAT Key Features:

Designed for Auditors, Security & Controls Team, Business Process Owners

Real Time Online SOD Analysis/Reporting at both Trans. Code and Auth. Object level

Automated Simulation & Remote Simulation on live data

Intuitive Interface & ALV Drill Down Reports

Rule building/upgrading automation (add-on)

Supplementary SOD Analysis (e.g. USR05)

VRAT Tool Box (Complimentary SOD Reports/Utilities)

Monitoring of actual execution of Conflicting Transactions (New Release)

HR & BW Specific functionality (Future Release)

Custom default settings; custom reports can be linked to the VRAT Tool Box


Thank you for attending!

Please remember to complete and return your evaluation form following this session.

Session Code: 1607