
SAP Security FastTrak on Netweaver 7.3
Role Creation Based on Functional Input Received
2013
Scenario 1
You have received a mail from the business: a user is not able to display table USR40 and gets an authorization error when trying to open that table in SE16 (data browser). When the user logs on and tries to display table USR40, the error shown below appears.

Fig: User gets authorization error

The user runs transaction SU53 (display the last failed authorization check) and sends the resulting screenshot to the security administrator.

IBM Confidential 2013


Fig: SU53 dump sent by user

Solution:
Log in as user security1 (superuser) and carry out the following activities:
1. Execute transaction PFCG.
2. Open the role the business user is assigned to and go to the authorization object reported in the SU53 dump.
3. Add the required authorization group to the field value of that object.
4. Save the role and generate the profile.
5. Assign the role to the user and run a user comparison (PFCG, Users tab, or transaction PFUD) so that the generated profile reaches the user master record.
6. Log in as the user XXX.
7. Run SE16 and check whether the table can now be displayed.
8. If it still fails, run SU53 again to see which check is now failing.


Fig: Authorization profile for the role Z:TESTROLE1

Solution:
1. Execute transaction PFCG.
2. Open the role YYYY in change mode.
3. On the Authorizations tab, expand the object class BC_A (Basis: Administration). There you will find the authorization object S_TABU_DIS (or search for the object directly). In its field "Authorization group" (DICBERCLS), insert the value SUSR in addition to SUGR. Keep the activity (ACTVT) at 03 (display) unless the business actually needs to change the table. Note that SUSR is the group of the user-master tables as a whole (USR02 with the password hashes is in it too), so this grant covers more than USR40; check in table TDDAT which other tables carry group SUSR before agreeing to it.
4. Save the role and generate the profile.
5. Assign the role to the user and run a user comparison.
6. Log in as the user XXX.
7. Run SE16 and try to display table USR40.


Fig: Adding SUSR authorization Group.

Check again by running SE16 to access USR40

Fig: Successful display of USR40 table

USR40:
You can prevent users from choosing passwords that you do not want to allow. To prohibit a password, enter it in table USR40, which you maintain with transaction SM30. Entries in USR40 can be generic; two wildcard characters are supported:

? stands for a single character

* stands for any sequence of characters of any length
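The wildcard semantics described above, worked through in Python as an added illustration (this is not SAP's own password check and not code from the original page). The USR40 entries and the candidate passwords are constructed for the example, and the comparison is made case-insensitively, which is an assumption of this illustration rather than something the page states.

```python
import re

# Constructed sample of USR40 entries (illegal password patterns); not a
# real system export. '?' = exactly one character, '*' = any sequence.
USR40_ENTRIES = ["PASSWORD", "WELCOME?", "SAP*", "*123", "?ABC?"]


def usr40_to_regex(entry: str):
    """Translate a USR40 entry into an anchored regular expression.
    Only '?' and '*' are wildcards; every other character is literal."""
    parts = []
    for ch in entry:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    # IGNORECASE is an assumption of this illustration; DOTALL lets '*'
    # and '?' cover any character at all.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def forbidden_by(password: str, entries=USR40_ENTRIES):
    """Return the first USR40 entry that matches the password, else None.
    fullmatch() anchors both ends, so 'SAP*' forbids 'sapadmin' but a
    plain 'PASSWORD' entry does not forbid 'password1'."""
    for entry in entries:
        if usr40_to_regex(entry).fullmatch(password):
            return entry
    return None


def is_password_allowed(password: str, entries=USR40_ENTRIES) -> bool:
    """True when no USR40 entry matches the candidate password."""
    return forbidden_by(password, entries) is None


if __name__ == "__main__":
    for candidate in ["password", "Welcome1", "sapadmin", "abc123", "Secure!42"]:
        print(f"{candidate:12} -> {forbidden_by(candidate) or 'allowed'}")
```

The useful lesson is the anchoring: an entry without wildcards forbids exactly that string, so a real blacklist needs the `*` forms ("PASSWORD*", "*PASSWORD*") to catch the common variations.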

Question 1.
a. What is the use of S_TABU_DIS?
With this authorization object you can restrict access to table data by authorization group, even for a user who has authorization for transaction SE16 (and could therefore otherwise reach every ABAP Dictionary table). In this way you can prevent system administrators from accessing application data. Once the object is in use, only tables whose authorization group is covered by the user's S_TABU_DIS values (field DICBERCLS) can be displayed or, with the appropriate activity, changed.
b. What is the difference between Expert mode and Change mode?
Both "Change authorization data" and "Expert mode for profile generation" are used to change the authorization data of a role.

"Change authorization data" corresponds to the "Edit old status" option of expert mode, whereas expert mode offers the following options:
1. Delete and recreate profile and authorizations
All authorizations are recreated. Values that were previously maintained, changed or entered manually are lost; only the maintained values for organizational levels remain.
2. Edit old status
The last saved authorization data for the role is displayed. This is not useful if transactions in the role menu have been changed, because the new default values are not merged in.
3. Read old status and compare with new data
If you have changed transactions in the role menu, this option is preselected. The profile generator compares the existing authorization data with the authorization default values (maintained in SU24) for the menu transactions. Authorizations added during this merge receive the status New; authorizations that already existed receive the status Old.
c. How can we see the authorization groups that have been defined?
Authorization groups for ABAP programs (used by S_PROGRAM) are listed in table TPGP. Authorization groups for tables and views (used by S_TABU_DIS) are listed in table TBRG.
d. What is the use of table TRDIR?
Table TRDIR holds the program attributes; its field SECU shows the authorization group assigned to an ABAP report.
e. How can you determine which authorization group is responsible for a particular table?
Table TDDAT: field CCLASS holds the authorization group of each table. A table without an entry belongs to the group &NC& (not classified).
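As an added example (not code from the original page and not SAP's own implementation), the check that SE16 performs through S_TABU_DIS, modelled in Python to tie together answers (a) and (e) and to show what the fix in Scenario 1 grants beyond USR40. The TDDAT mapping, the extra tables and the role values are constructed for the illustration; only USR40's membership in group SUSR follows from the solution above.

```python
# Simulation of the S_TABU_DIS check behind SE16. Constructed data, not
# an export from a real system: USR40 is in SUSR as in Scenario 1, the
# other table-to-group assignments are assumptions for the illustration.

# TDDAT (field CCLASS): table -> authorization group
TDDAT = {
    "USR40": "SUSR",      # illegal passwords (the scenario's table)
    "USR02": "SUSR",      # logon data incl. password hashes (assumed group)
    "USGRP": "SUGR",      # user groups (assumed group)
    "AGR_USERS": "SS",    # role assignments (assumed group)
}

NOT_CLASSIFIED = "&NC&"   # group SAP uses for tables without a TDDAT entry


def table_group(table: str) -> str:
    """Authorization group a table belongs to, &NC& when unassigned."""
    return TDDAT.get(table, NOT_CLASSIFIED)


def field_allows(values, wanted: str) -> bool:
    """Match a PFCG field value list: '*' covers everything, a trailing
    '*' is a prefix wildcard, anything else must be equal."""
    for v in values:
        if v == "*":
            return True
        if v.endswith("*") and wanted.startswith(v[:-1]):
            return True
        if v == wanted:
            return True
    return False


def s_tabu_dis_check(auths, table: str, actvt: str) -> bool:
    """True when one S_TABU_DIS instance covers both the table's group
    (DICBERCLS) and the requested activity (ACTVT). Each instance is
    checked on its own, as AUTHORITY-CHECK does: fields from different
    instances are never combined."""
    group = table_group(table)
    return any(
        field_allows(a["DICBERCLS"], group) and field_allows(a["ACTVT"], actvt)
        for a in auths
    )


def tables_exposed(auths, actvt: str = "03"):
    """All tables in TDDAT that the given S_TABU_DIS instances allow."""
    return sorted(t for t in TDDAT if s_tabu_dis_check(auths, t, actvt))


# S_TABU_DIS values of the role before and after the fix (constructed)
ROLE_BEFORE = [{"ACTVT": ["03"], "DICBERCLS": ["SUGR"]}]
ROLE_AFTER = [{"ACTVT": ["03"], "DICBERCLS": ["SUGR", "SUSR"]}]

if __name__ == "__main__":
    print("USR40 display before fix:", s_tabu_dis_check(ROLE_BEFORE, "USR40", "03"))
    print("USR40 display after fix: ", s_tabu_dis_check(ROLE_AFTER, "USR40", "03"))
    print("USR40 change after fix:  ", s_tabu_dis_check(ROLE_AFTER, "USR40", "02"))
    print("tables now displayable:  ", tables_exposed(ROLE_AFTER))
```

The point of `tables_exposed` is the review question from step 3 of the solution: granting SUSR for display opens every table in that group, not only USR40, so the administrator should run the same query against the real TDDAT before approving the change.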
