How to Properly Maintain Security using Profile Generator
Objective
• SAP Security Overview
• Profile Generator Best Practice
• Summary
SAP Security Overview
USER ID, e.g. TTSAN
Security Role 1
Security Role 2
Security Role 3
User
SAP Security Overview
Security Role, e.g. Security Administrator
Profile 1 Profile 2 Profile 3
SAP Security Overview
Profile (contains up to 150 Authorizations)
Authorization1
Authorization2
Authorization150
SAP Security Overview
Authorization Object 1, e.g. S_TCODE
Field (TCD)
Value (SU01)
SAP Security Overview
Authorization Object 2, e.g. S_USR_GRP
Field (ACTV)
Value (01, 02, 03, 06)
Field (CLASS)
Value (Customer Defined)
SAP Security Overview
Authorization Object 2, e.g. S_USR_GRP
Field (ACTV)
Value (01, 02, 06)
Field (CLASS)
Value (HOUSTON)
SAP Security Overview
Authorization Object 2, e.g. S_USR_GRP
Field (ACTV)
Value (03)
Field (CLASS)
Value (*)
SAP Security Overview
Execute “SU01” – Change User
AUTHORITY-CHECK “Authorization1”
Object 1 = “S_TCODE”
TCD = “SU01”
SAP Security Overview
Execute “SU01” – Change User
AUTHORITY-CHECK “Authorization2”
Object 2 = “S_USR_GRP”
ACTV = “02”
CLASS = “HOUSTON”
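An added example (not from the original slides) that models the two checks above in Python, using the slides' field labels (TCD, ACTV, CLASS). The function names, the constructed user group DALLAS and the sample authorization list are assumptions. It shows that all fields must be satisfied by a single authorization, so ACTV 02 from one authorization and CLASS * from another do not combine.

```python
# Added example: simplified model of the two AUTHORITY-CHECKs run for SU01.
# Only exact values and the full '*' wildcard are modelled (assumption).

def field_allows(granted, requested):
    """A field passes if the authorization lists the value or '*'."""
    return "*" in granted or requested in granted

def authority_check(authorizations, obj, **requested):
    """Pass only if ONE authorization for obj covers every requested field."""
    for auth_obj, fields in authorizations:
        if auth_obj != obj:
            continue
        if all(field_allows(fields.get(name, ()), value)
               for name, value in requested.items()):
            return True
    return False

# Constructed sample: the authorizations shown in the overview slides.
USER_AUTHS = [
    ("S_TCODE",   {"TCD": {"SU01"}}),
    ("S_USR_GRP", {"ACTV": {"01", "02", "06"}, "CLASS": {"HOUSTON"}}),
    ("S_USR_GRP", {"ACTV": {"03"}, "CLASS": {"*"}}),
]

def can_run_su01(auths, activity, user_group):
    """Check 1: transaction start (S_TCODE). Check 2: user group (S_USR_GRP)."""
    return (authority_check(auths, "S_TCODE", TCD="SU01")
            and authority_check(auths, "S_USR_GRP",
                                ACTV=activity, CLASS=user_group))

if __name__ == "__main__":
    # DALLAS is a constructed user group used to exercise the wildcard.
    for actv, group in [("02", "HOUSTON"), ("03", "DALLAS"), ("02", "DALLAS")]:
        print(actv, group, can_run_su01(USER_AUTHS, actv, group))
```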
Profile Generator
Transaction
Profile Generator
Change authorization data
Profile Generator
Expert mode for profile generation
Profile Generator
Delete and recreate profile and authorizations
Profile Generator
Edit old status
Profile Generator
Read old status and merge with new data
SAP Security Overview
Missing Organization Value
$BUKRS
Profile Generator
Organizational Level
Profile Generator
Missing Customer-Defined Value
Profile Generator
No open field
Profile Generator
Authorization Status
Profile Generator
Authorization Status
STANDARD - SAP Standard Value
MAINTAIN - Customer Maintained Value
CHANGED - SAP Standard Value maintained by Customer
MANUALLY - Manually inserted Value
Profile Generator
S_USR_GRP 01, 02, 03, 05, 06, 08, 24
Removing Authorization Value
Profile Generator
Status = Changed
Removing Authorization Value
Profile Generator
New Authorization
Common Security Issue
Profile Generator
Make Copy
Inactivate Original
Best Practice
Profile Generator
Make changes to copy
Best Practice
Profile Generator
Best Practice
Changed Authorization without Inactive Standard
Profile Generator
Best Practice
Double-click to add comment
Profile Generator
M_MATE_MAT(01, 02)
Does making changes to a copied authorization apply to all situations?
Profile Generator
Where-Used Icon
Profile Generator
Where-used
MM01 = 01
Profile Generator
Adding Authorization Value
What if you want to add value 03?
Profile Generator
SU53 Errors
What if SU53 indicates that MM01 requires an Activity of 24?
Profile Generator
Static Value vs. Dynamic Value
Static Value – a value that is required by a transaction no matter who executes it.
Dynamic Value – a customer-defined value such as company code.
Profile Generator
MM01 always requires an Activity of 01?
Static Value
Profile Generator
Company Code value may vary from user to user depending on business restriction.
Dynamic Value
Profile Generator
Static Value vs. Dynamic Value
Static Value – add to USOBT using transaction SU24.
Dynamic Value – add directly to the Authorization or Org. Data.
Profile Generator
Reorganize & Generate
Authorization counter = 1
Profile Generator
Reorganize & Generate
Reorganize
Profile Generator
Reorganize & Generate
Authorization counter = 0
USOBT – SU24
Overview
Profile Generator
Summary of Rules and Restrictions
1. NEVER modify S_TCODE unless the Role is built manually.
2. Modify Standard delivered authorization:
a. Only modify when there’s a request to REMOVE authorization and IF AND ONLY IF no other transaction is linked to that value. Otherwise, removing the transaction will remove the value.
Profile Generator
Summary of Rules and Restrictions
2. Modify Standard delivered authorization (CONT’D):
b. Always make a copy of the authorization and make changes.
c. Set the original authorization to Inactive.
d. Modify the copied authorization; its status becomes Changed.
e. Double-click on the description of the authorization to document the reason. The same applies to manually inserted authorizations.
Profile Generator
Summary of Rules and Restrictions
3. If a Changed authorization exists without an inactivated Standard authorization, delete the Changed authorization.
4. SU53 checks that are bogus most of the time:
a. S_ADMI_FCD (SM02).
b. S_CTS_ADMI.
c. S_LAYO_ALV (023).
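One way to audit a role against rules 1 and 3 above, as an added Python example that is not part of the original slides. The record layout, the function name `audit_role` and the sample data are constructed, and reading "modify S_TCODE" as a Changed or Manually status is an assumption.

```python
# Added example: audit a role's authorization list against rules 1 and 3.
# Record layout and sample data are constructed, not a real PFCG export.

def audit_role(role_built_manually, auths):
    """Return (rule, object, name) findings for one role.

    auths: dicts with keys object, name, status (Standard / Maintained /
    Changed / Manually) and active (False = set to Inactive).
    """
    # Objects whose Standard original has been set to Inactive.
    inactive_standard = {a["object"] for a in auths
                         if a["status"] == "Standard" and not a["active"]}
    findings = []
    for a in auths:
        if not a["active"]:
            continue
        # Rule 1: S_TCODE is only touched in manually built roles.
        if (a["object"] == "S_TCODE" and not role_built_manually
                and a["status"] in ("Changed", "Manually")):
            findings.append(("rule1-s_tcode-modified",
                             a["object"], a["name"]))
        # Rule 3: a Changed authorization needs an Inactive Standard original.
        if a["status"] == "Changed" and a["object"] not in inactive_standard:
            findings.append(("rule3-changed-without-inactive-standard",
                             a["object"], a["name"]))
    return findings

# Constructed sample role (authorization names are placeholders).
SAMPLE = [
    {"object": "S_TCODE",    "name": "AUTH-00", "status": "Manually", "active": True},
    {"object": "S_USR_GRP",  "name": "AUTH-01", "status": "Standard", "active": False},
    {"object": "S_USR_GRP",  "name": "AUTH-02", "status": "Changed",  "active": True},
    {"object": "M_MATE_MAT", "name": "AUTH-03", "status": "Changed",  "active": True},
]

if __name__ == "__main__":
    for finding in audit_role(False, SAMPLE):
        print(finding)
```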
Profile Generator
Question?
Profile Generator
Contact Information
Thomas Tsan
SAP Security Architect
TK Consultants, Inc.
Email: [email protected]
(281) 412-6800
Thank you for attending!
Please remember to complete and return your evaluation form following this session.
Session Code: [801]