roles and authorizations
8/13/2019 Roles and Authorizations
http://slidepdf.com/reader/full/roles-and-authorizations 1/74
Roles and Authorization Concept in SAP Solution Manager 7.1
Erik Dietzel
August, 2013
Motivation and Scope
© 2013 SAP AG. All rights reserved. 5Public
Authorization and Security Concept
Risks with SAP Solution Manager
The main SAP Solution Manager security risks are:
SAP Solution Manager system can be damaged by:
– unauthorized changes to master data
– unauthorized customizing or configuration changes
SAP Solution Manager could be misused to illegally access managed systems due to:
– missing authorization concept (authorization in SAP Solution Manager)
– missing security concept (communication around SAP Solution Manager)
Security of SAP Solution Manager
To ensure the security in your system environment, SAP Solution Manager should be considered a production system!
– Secure Authorization Concept for SAP Solution Manager
– Security Concept (RFC destinations, communication channels, etc.) around SAP Solution Manager
– Four eyes principle for authorization and user administration
– Never design and test your authorization concept on a production system. Please use a development or test system for it.
– …
Concept for Technical Users and End Users
Users in SAP Solution Manager
In general we consider two different user types when talking about the SAP Solution Manager authorization concept:
End Users
Are defined as dialog users, which are user IDs for dialog communication on SAP Solution Manager. The end user on SAP Solution Manager mainly works in the easy access menu as well as in the Solution Manager Work Centers (web-based application).
Technical Users
Are defined as system users, which are user IDs for dialog-free communication between systems or internal processing on SAP Solution Manager. Technical users are used, for example, for setting up RFC destinations, scheduling background jobs, etc.
SAP Standard Roles and Template Users
Conception will be prepared in SOLMAN_SETUP
In parallel to the scenario configuration in SOLMAN_SETUP you establish the SAP Solution Manager authorization concept for each scenario.
[Figure: SOLMAN_SETUP roadmaps. Each row is a sequence of steps with a user-creation step before "Complete":]
– Technical Monitoring: … Create Template Users, Complete
– IT Service Management: … Create Template Users, Complete
– Business Process Monitoring: … Create Template Users, Complete
– Business Process Change An.: … Create Template Users, Complete
– Basic Configuration: … Specify Users, …, Complete
– System Preparation: … Create Users, Complete
– Managed System Configuration: … Create Users, Complete
[Figure callouts:]
– Offers scenario-specific standard roles for End User authorization concept
– Technical Users on SAP Solution Manager and Managed Systems are created
– Creation of Technical Users on SAP Solution Manager and Managed Systems
Authorization Concept for Technical Users
Technical Users are automatically created during the Basic Configuration of SAP Solution Manager (using transaction SOLMAN_SETUP).
Technical users in SAP Solution Manager are automatically created as system users. We recommend keeping the technical users untouched, so that SOLMAN_SETUP is able to track the changes and update the users in case of a new SAP Solution Manager version.
Note: If you need to create the users manually because you have an Identity Management system (e.g. central user administration) in place, refer to the Security Guide chapter “Landscape Setup, Configuration, and Root Cause Analysis Guide”.
Authorization Concept for End Users
Security Guide for SAP Solution Manager 7.1 and SOLMAN_SETUP already provide a number of standard roles and users which your authorization concept can be based on.
– Read the User Descriptions and User Roles part of the corresponding Scenario-Specific Guide in the Security Guide, to get an impression of which permissions your users may require.
– Go to the corresponding step for creating Template / Standard Users in SOLMAN_SETUP (e.g. "Create Standard Users" or "Create Template Users") to identify the required standard roles.
Concept in SAP Solution Manager
SAP Solution Manager Roles and Authorizations
Concept in SAP Solution Manager
[Figure: four building blocks: SU01 User, PFCG Role, CRM Business Partner (Employee / Organization), CRM Business Role. Callouts:]
– Allows access to SAP Solution Manager system
– Allows activities (display, change, etc.) at message level
– Allows access to user’s incident messages
– Allows access to CRM Web UI in a specified view for Incident Management
SU01 User
SU01 User (User Master Record)
– user account on a SAP system
– allows access to SAP system
– attributes that identify an end-user
– maintained in transaction SU01
– authorization roles (PFCG roles) can be assigned
– can be synchronized with business partner by e-mail address
PFCG Role
– also called “Authorization Role”
– grants a user access to more functionality on technical level
– contains authorization data with definition based on authorization objects
– can be configured by role (transaction PFCG)
– SAP Solution Manager provides different role types:
  – work center roles (basic/navigation)
  – authorization roles (functional/infrastructure authorization)
CRM Business Partner (1/2)
CRM Business Partner (Employee/Organization)
– can be linked with the CRM org. model
– a person or an organization within company IT processes, based on SAP Solution Manager
Business Partner Types:
– BP Organization: companies/organizations (internal or external)
– BP Person: company staff, such as key users and processors, and individuals who are not part of the company
CRM Business Partner (2/2)
BP Organization
– usually linked to organizational units in CRM org. model
– can be created:
  – manually (transaction BP)
  – manually from CRM org. model (transaction PPOMA_CRM)
BP Person
– usually linked to user accounts on SAP Solution Manager and/or managed systems
– can be created:
  – manually (transaction BP)
  – automatically (transaction BP_GEN)
  – automatically or background job (transaction BP_USER_GEN)
Automatic synchronization of CRM business partners and user accounts in background job
CRM Business Role
– describes the SAP CRM user interface, and displays the functions in the CRM Web Client
– the most important CRM business role in SAP Solution Manager is “SOLMANPRO” (IT Service Management)
– can be assigned to the end user via
  – SU01 using parameter CRM_UI_PROFILE
  – CRM org. model
  – PFCG role which is linked to a CRM business role
– a user can have multiple CRM business roles
SAP Solution Manager Roles and Authorizations
Concept in SAP Solution Manager (without CRM org. model)
Roles and authorizations in SAP Solution Manager can be granted also using the CRM Org model.
IT Organization
Required Users and Roles in SAP Solution Manager Environment
User Identification in SAP Solution Manager Environment
[Figure: user types per system]
Support Portal: S-User
SAP Solution Manager
– ABAP, Productive Client: SU01 User, CRM Business Partner
– SAP BW Client: SU01 User
– Java: Java User
Managed System
– ABAP, Productive Client: SU01 User
– Java: Java User
Important: If the SAP BW of SAP Solution Manager is in a dedicated client or system, a SU01 user is also required on that client.
Authorizations and Roles in SAP Solution Manager Environment
[Figure: authorizations and roles per system. Labels: Support Portal; SAP Solution Manager; Managed System; ABAP authorizations; Java authorizations; Composite Role; Work Center Basic Roles; Work Center Navigation Roles; Functional Roles; Infrastructure Roles; CRM Business Roles]
PFCG Roles in SAP Solution Manager
SAP Solution Manager 7.1 Work Centers
Work Centers …
– are role-based
– enable easy navigation for end users
– provide a common user interface for all SAP Solution Manager capabilities
– are available since SAP Solution Manager 7.0 EhP1
– are extended on SAP Solution Manager 7.1
Work Centers Available (7.1)
– My Home
– Implementation and Upgrade
– Solution Documentation Assistant
– Change Request Management
– Change Request Management for SPC
– Test Management
– System Monitoring for SPC
– Business Process Operations
– Job Management
– Root Cause Analysis
– Root Cause Analysis for SPC
– Technical Administration
– Technical Monitoring
– Technical Monitoring for SPC
– Data Volume Management
– SAP Engagement and Service Delivery
– SAP Solution Manager Administration
– SAP Solution Manager Configuration
– Incident Management
– Incident Management for SPC
– Custom Code Life Cycle Management
Role Types in SAP Solution Manager
Work Center Basic Role
Work Center Navigation Role
Authorization Role
Role Type | Role Namespace | Role Description
Work Center Basic Role | SAP_SMWORK_BASIC_* | Basic authorization for a work center
Work Center Navigation Role | SAP_SMWORK_* | Authorization for user-specific work center view
Authorization Role | SAP_* | Modularized role for certain SAP Solution Manager functions or sub-functions
Work Center - Authorizations
Work Center Basis Roles
– PFCG role SAP_SMWORK_BASIC contains all authorizations required for work centers
– Each end user who works with work centers needs this role
– Role does not contain the authorization objects required for individual work centers
Based on this role, a work-center-specific basic role is delivered with SAP standard (beginning with SAP_SMWORK_BASIC_*, e.g. SAP_SMWORK_BASIC_SERVICES). This role contains authorization (on object SM_WC_VIEW) for the single work center only.
Authorization Roles
– Basis for the successful operation of an SAP Solution Manager scenario
– Modularized for certain SAP Solution Manager functions or sub-functions
– Based on SAP standard roles
– You need to define the single authorizations depending on the customer needs.
Authorization Role | Application/Function
SAP_OP_DSWP_EWA | EarlyWatch Alert
SAP_MAINT_OPT* | Maintenance Optimizer
SAP_RCA_DISP | RCA Tools
SAP_ISSUE_MANAGEMENT* | Issue Management
… | …
SAP Solution Manager Role Concept
[Figure: roles assigned to an End User]
Work Center Roles
– Work Center-Specific Basic Roles (role name: SAP_SMWORK_BASIC*), incl. View Switches, Sub-Views, Common Tasks. Shown: SAP_SMWORK_BASIC_SERVICES, SAP_SMWORK_BASIC_DIAG, SAP_SMWORK_BASIC_SYSMON, …
– Work Center Navigation Roles (role name: SAP_SMWORK*), incl. Related Links. Shown: SAP_SMWORK_SERVICES, SAP_SMWORK_DIAG, SAP_SMWORK_SYSMON, …
Authorization Roles
– Functional Roles: SAP_OP_DSWP_EWA, SAP_MAINT_OPT*, SAP_RCA_DISP, SAP_ISSUE_MANAGEMENT*, …
Functions: EarlyWatch Alert, Maintenance Optimizer, RCA Tools, Issue Management, …
Work Centers: SAP Engagement and Service Delivery, Root Cause Analysis, Change Management, Incident Management, System Monitoring, Test Management, …
Customizing of Work Center Navigation
Customizing of Work Center Navigation
How to Customize the Navigation Panel in Work Centers
It is often necessary to restrict the navigation menu within a work center for a specific user. The following slides show how to change the view of a work center.
You can fully adapt the navigation menu of a work center in the corresponding work center navigation role.
The work center menu entries have a two-folder hierarchy:
– First level in the work center is where you can change views, subviews, common tasks
– Second level consists of related links, which you can also change
Customizing of Work Center Navigation
Authorization Object SM_WC_VIEW (1/5)
As of SAP Solution Manager 7.1, there is an authorization object (SM_WC_VIEW) available, which allows administrators to hide UI navigation items in SAP Solution Manager work centers:
– View Switches
– Sub-Switches
– Common Task Elements
Note: The authorization for SM_WC_VIEW is included in work center basic roles SAP_SMWORK_BASIC or SAP_SMWORK_BASIC_*. To restrict the visibility in the navigation, use a role copy and define the user-specific view there.
[Figure labels: View Switch, Sub View, Common Task]
Customizing of Work Center Navigation
Authorization Object SM_WC_VIEW (2/5)
SM_WC_VIEW is a UI authorization object that only controls whether views, subviews or common tasks are shown. It has no functional relevance!
Customizing of Work Center Navigation
Authorization Object SM_WC_VIEW (3/5)
The Authorization Administration of the customer organization can hide work center views, subviews or common tasks by defining authorization object SM_WC_VIEW in PFCG.
Customizing of Work Center Navigation
BAdI Activation for SM_WC_VIEW (4/5)
The authorization checks based on object SM_WC_VIEW are not enabled by default and must be enabled manually. This can be done centrally during the setup of SAP Solution Manager via transaction SOLMAN_SETUP.
Customizing of Work Center Navigation
Related Links
Related Links section
– is designed to be enhanced and modified by the customer
– are linked to related URLs, such as Service Marketplace or Help Portal
– provide additional and work-center-specific information for the customer
Customizing of Work Center Navigation
How to Configure Related Links (1/4)
In the corresponding work center navigation role (usually a copy of standard role) you can now customize the related links for specific users or groups.
The following example shows you the configuration based on navigation role ZSM_SMWORK_CONFIG (copy of SAP_SMWORK_CONFIG) which refers to work center “SAP Solution Manager Configuration”.
Before our customizing, a user in “SAP Solution Manager Configuration” work center can see the following related links:
Customizing of Work Center Navigation
How to Configure Related Links (2/4)
Proceed as follows to customize Related Links:
1. Call transaction PFCG
2. Open the corresponding PFCG role (e.g.: ZSM_SMWORK_CONFIG) in change mode
3. Go to tab “Menu”
4. Drill down to the menu folder you want to edit
5. Add a new entry of type “Web address or file”
Customizing of Work Center Navigation
How to Configure Related Links (3/4)
6. Enter a new details link and confirm
7. Save the role with the new link entry
Customizing of Work Center Navigation
How to Configure Related Links (4/4)
The end user (with the customized navigation role) will see a new entry in the “Related Links” section:
Organizational Separation with Infrastructure Roles
Challenge in IT Organization
Example: Customer has three responsibility groups in SAP Basis team:
– Group A: responsible for systems MW3, P9H and PI4
– Group B: responsible for systems P6J, PEP and PMD
– Group C: responsible for systems EP9, P02 and PBI
A user (SAP Basis administrator) should only be able to access and change definitions for systems for which he is responsible.
Example: Previous Situation
Without a suitable authorization concept (e.g. users are working with SAP_ALL) the user would see all systems.
Infrastructure Roles
Advantage in Customer Environment
We provide an optional approach to maintain user-based context in PFCG roles. It is particularly useful and time-saving if you need to separate users into organizational groups and limit them by user responsibility. It has been proven for large customers who change their IT organization structure regularly, and have several user groups accessing SAP Solution Manager.
Note: Some (small) customers even maintain user context within the delivered standard roles. This approach is only a recommendation. You must decide whether to use the infrastructure role approach.
Note: For more information about the standard infrastructure roles, see the chapter “Authorizations and Roles for Infrastructure” in the SAP Solution Manager 7.1 Security Guide.
Organizational Separation based on PFCG Roles
The restriction at a particular entity level can be performed using PFCG roles.
The following slides show how to grant authorizations to users based on the previous example (restriction on system level).
– define PFCG role (with authorization for only certain responsibility)
– assign PFCG role to user (of corresponding group)
  – either directly
  – or via CRM Org Model to his position in the Org structure
Example: Define PFCG Role (Display only)
Defining a corresponding PFCG role helps to restrict the access to a particular object. Here authorization object AI_LMDB_OB is used to define the authorization at system level.
Recommendation: The same authorization should not exist in another role of the user, to avoid overlapping.
This example shows how to define “Display only” authorization on managed systems MW3, P9H and PI4.
03 stands for “Display” authorization
Example: Assign PFCG Role to User
Finally you need to assign the PFCG role to the corresponding user ID:
Recommendation: Other PFCG roles containing authorizations on object AI_LMDB_OB should not be assigned to the same user ID. Otherwise the authorizations can overlap.
Example: Target Situation
The end user (member of SAP Basis group A) should only be able to see the following systems:
This example represents a single application only. Other applications in SAP Solution Manager also work in this way. Other entities, like projects or solutions, are also supported.
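The group A/B/C separation and the overlap recommendation for AI_LMDB_OB, worked through as an added audit sketch (not part of the original slides or of any SAP tool). Role names, user IDs and the simplified (object, activities, systems) tuples are hypothetical and do not reproduce the real field layout of AI_LMDB_OB; "*" is a constructed stand-in for an unrestricted system value.

```python
"""Audit sketch: who can reach which managed system through AI_LMDB_OB."""
from collections import defaultdict

OBJECT = "AI_LMDB_OB"

# Responsibility groups exactly as given in the slide example.
GROUPS = {
    "A": {"MW3", "P9H", "PI4"},
    "B": {"P6J", "PEP", "PMD"},
    "C": {"EP9", "P02", "PBI"},
}
ALL_SYSTEMS = set().union(*GROUPS.values())

# Constructed role definitions: role -> list of (object, activities, systems).
# Activity "03" is Display (as on the slide); "02" is the standard Change value.
ROLES = {
    "ZSM_LMDB_GROUP_A_DISP": [(OBJECT, {"03"}, {"MW3", "P9H", "PI4"})],
    "ZSM_LMDB_GROUP_B_DISP": [(OBJECT, {"03"}, {"P6J", "PEP", "PMD"})],
    # Unrestricted role, comparable in effect to working with SAP_ALL.
    "ZSM_LMDB_ALL_CHANGE": [(OBJECT, {"02", "03"}, {"*"})],
}

# Constructed user master data: user -> (responsibility group, assigned roles).
USERS = {
    "BASIS_A1": ("A", ["ZSM_LMDB_GROUP_A_DISP"]),
    "BASIS_A2": ("A", ["ZSM_LMDB_GROUP_A_DISP", "ZSM_LMDB_GROUP_B_DISP"]),
    "BASIS_B1": ("B", ["ZSM_LMDB_GROUP_B_DISP", "ZSM_LMDB_ALL_CHANGE"]),
}


def effective_access(role_names):
    """Union of activities per system; role authorizations are additive."""
    access = defaultdict(set)
    for name in role_names:
        for obj, activities, systems in ROLES[name]:
            if obj != OBJECT:
                continue
            targets = ALL_SYSTEMS if "*" in systems else systems
            for sid in targets:
                access[sid] |= activities
    return dict(access)


def audit(user):
    """Return findings for one user as a sorted, deterministic list of tuples.

    ("OVERLAP", roles)            more than one assigned role carries the object
    ("OUT_OF_SCOPE", sid, acts)   access to a system outside the user's group
    """
    group, role_names = USERS[user]
    findings = []
    carriers = sorted(
        name for name in role_names
        if any(obj == OBJECT for obj, _, _ in ROLES[name])
    )
    if len(carriers) > 1:
        findings.append(("OVERLAP", tuple(carriers)))
    for sid, acts in sorted(effective_access(role_names).items()):
        if sid not in GROUPS[group]:
            findings.append(("OUT_OF_SCOPE", sid, tuple(sorted(acts))))
    return findings


if __name__ == "__main__":
    for user in USERS:
        print(user, audit(user) or "ok")
```

Only BASIS_A1 matches the target situation; the other two users show how a second role carrying the same object silently widens the set of visible systems.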
General Recommendations
General Recommendations
Copy SAP Standard Roles
It is often necessary to define specific authorization within a SAP standard role. Since SAP standard roles can be modified by a system upgrade, copy all the SAP standard roles used into customer namespace. You can define your own authorizations later.
Exception: Some PFCG roles must not be copied when assigning authorization to users. For example, the SAP_J2EE_ADMIN role must not be copied; it must be assigned directly, to activate administrator rights in the connected SAP J2EE Engine.
Work center roles: Work center roles don’t need to be copied into customer namespace, as long as no customizing of the UI is performed.
– Work Center Basic Roles: UI customizing can be performed by changing the authorization on object SM_WC_VIEW. In this case you should copy the role into customer namespace. Otherwise it is enough to generate and assign the role.
– Work Center Navigation Roles: UI customizing can be performed by changing the related links in the menu. In this case you should copy the role into customer namespace. Otherwise it is enough to assign the role to a user.
CRM navigation role: CRM UI related PFCG roles don’t need to be copied into customer namespace, as long as no customizing of the UI is performed. If you need to copy the role (e.g. in case of creating a new CRM Business Role), please do not forget to create the link to the CRM business role.
General Recommendations
Review Authorization Concept after Upgrade
Review your SAP Solution Manager authorization concept whenever you upgrade your SAP Solution Manager. The higher SAP Solution Manager release may contain new authorization objects, and the authorization checks in applications may have changed.
Recommendation: Test all functions after changing the SAP Solution Manager release, or review the authorization concept completely.
Documentation and Traceability of Authorizations
Whenever you establish or adapt your authorization concept, document it comprehensively, so that a third party can understand your changes.
Recommendation: Document only the changes that you made, on basis of the SAP template. If you create a new ABAP role, document it entirely.
General Recommendations
Development and Testing of PFCG Roles
For the initial authorization concept, and during daily operation, separate the development and tests of PFCG roles from the production SAP Solution Manager. We recommend at least a two-system SAP Solution Manager landscape.
Note: If you only have one SAP Solution Manager system, which is productive, you can move the development of PFCG roles to a separate client, but SAP Solution Manager is not multi-client-capable (several entities are cross client), so testing on this client might affect the productive client – e.g. messages that you create in test client will also appear on production client, and cannot be deleted.
[Figure: two-system landscape]
Development System
1. Development of PFCG Roles
2. Testing of new PFCG Roles
3. Transport of new PFCG Roles
Production System
4. Productive Use of PFCG Roles
SAP Solution Manager Roles and Authorizations
Concept in SAP Solution Manager
After we demonstrated the authorization concept for SAP Solution Manager using SU01 and PFCG, we now show you the specifics in the SAP Solution Manager scenarios using CRM Web UI.
[Figure: SU01 User, PFCG Role, CRM Business Partner (Employee / Organization), CRM Business Role]
CRM Web UI and CRM Business Roles
CRM Web UI and CRM Business Roles
Contrary to most of the SAP Solution Manager functions, a few scenarios integrate a working area which is called CRM Web UI.
Within the CRM Web UI (transaction SM_CRM) it is possible to e.g.:
– Create and Process Messages (Incidents, Problems, Change Requests etc.)
– Get access to Incident and Change Management CRM Web UI work center
– Maintain Master Data
– Access to ITSM Dashboards and Reports
CRM Web UI and CRM Business Roles
Structure of a CRM Business Role (2/2)
Maintenance of CRM Business Role in Implementation Guide:
– Transaction SPRO → SAP Solution Manager Implementation Guide → Customer Relationship Management → UI Framework → Business Roles → Define Business Role
– Choose the CRM business role you want to adapt (e.g. SOLMANPRO) and double click
Here you are able to define all technical roles which characterize your CRM Business Role.
There you define the PFCG role (field PFCG Role ID), which links the CRM Business Role to your SU01 user.
Documentation
Documentation
Overview
The most important information sources for establishing an authorization concept are:
– SAP Solution Manager 7.1 Security Guide: http://service.sap.com/instguides/ → SAP Components → SAP Solution Manager Release <current release> → Operations → SAP Solution Manager Security Guide <current release>
– SDN Wiki “SMAUTH”: http://wiki.sdn.sap.com/wiki/display/SMAUTH/Home
Documentation
Security Guide
The SAP Security Guide is the primary documentation for establishing an authorization concept for SAP Solution Manager, and provides a collection of SAP guidelines and recommendations pertaining to SAP System security.
This document offers general guidelines for obtaining a medium level of security. The security of your own system landscape, and the use of software packages (SAP and non-SAP) are also important factors in achieving overall system security, so analyze your own risks and needs and establish your own security policy (or policies). This guide assists you in this process, but cannot replace your own customer-specific policies.
How to Use the Security Guide?
Online Help
You need a good understanding of your future SAP Solution Manager applications before you use the Security Guide. See the SAP online help under http://help.sap.com/ → SAP Solution Manager 7.1.
Determine which SAP Solution Manager scenarios you are going to use, from Security Guide perspective (consider the terminology used by SAP – see chapter 3 “Terminology as Used in SAP Solution Manager”).
How to Use the Security Guide?
Authorization Concept for SAP Solution Manager
In the next step you need to understand the SAP Solution Manager authorization concept, which differs from other products, and is in addition to the NetWeaver authorization concept.
Read the basic chapters of the Security Guide, and work through the chapter “Authorization Concept for SAP Solution Manager”.
If you are running several scenarios, consider their integration and (see chapter “Integration of Functions/Capabilities”)
How to Use the Security Guide?
Core Guide
You also need to understand the basic infrastructure (communication channels, technical users, etc.), the technical basis for all scenarios and for your security concept.
Read the chapter “Landscape Setup, Configuration, and Root Cause Analysis Guide”.
How to Use the Security Guide?
Scenario-Specific Guides
After you have decided which scenarios you are going to use, ONLY work through the relevant scenario chapters.
Documentation (3/4)
SDN Wiki: SAP Solution Manager – Security and Authorization
SDN Wiki link: http://wiki.sdn.sap.com/wiki/display/SMAUTH/Home
The SAP Solution Manager Authorization Wiki, in SDN, is a complement to the SAP Solution Manager Security Guide. It is primarily valid for SAP Solution Manager release 7.1.
It provides:
– Authorization object documentation
– Use cases
– Best practices
– Technical infrastructure
– Frequently asked questions
Documentation (4/4)
Define PFCG Roles in Authorization Concept
Security Guide
– Which scenarios do we consider?
– Which users do I need for each scenario?
– Which roles does the user need?
Question: How to define “yellow” authorizations in a role?
SDN Wiki
– Which scenario is considered?
– Which authorization object do we consider?
– Is there a use case that fits my situation?
Answer: The use case explains how to define authorizations.
How to get support?
Expert Guided Implementation
SAP Solution Manager 7.1 – Roles and Authorization Concept
This session shows customers how to work with the roles and authorization concept in SAP Solution Manager 7.1. It even helps establishing an individual authorization concept based on clear and predefined examples.
Our SAP expert guides the customer through the implementation of roles and authorizations based on a project approach for three exemplary SAP Solution Manager scenarios. With these demonstrations and exercises you will be able to adopt the authorization concept approach for all other scenarios.
Besides the classical work with authorizations (transaction PFCG) and the SAP Solution Manager specific role concept, we will also show you how to include the CRM Web UI into your concept, which is relevant for a few SAP Solution Manager scenarios.
Thank you
Contact information:
Erik Dietzel
SAP Active Global Support