
ERP

Enterprise Technology - SAP

Day 5 : SAP R/3 Application Authorization Concept

Course Content

Unit 1 Introduction
Unit 2 Conception with ASAP Methodology
Unit 3 Elements of the R/3 Authorization Concept
Unit 4 The User Master
Unit 5 Working with the Profile Generator
Unit 6 Access Control and User Administration

Introduction

Contents:
- Security Requirements
- SAP Security Levels
- SAP Access Control
- Users, Roles and Authorizations
- Technical Implementation of Roles

Introduction: Unit Objectives

At the conclusion of this unit, you will be able to:
- Describe the SAP authorization concept as part of a comprehensive security concept
- Explain the access control mechanisms
- Explain how users, roles and authorizations are related
- Describe the technical implementation of a role-based authorization concept

Security - Overview
Threats
- Persons: Incorrect Operation, Hackers
- Technology: Disk Crash, Power Supply Interruption
- Environment: Floods, Earthquakes

Measures
- Organization: Procedures, Training
- Technology: Hardware, Router, DB Backup, Password Rules, Authorizations, ...
- Environment: Fire Alarms, Water Detection

Assets
- Hardware
- Software
- Data
- Persons

SAP Security Levels


Layer | Components | Security Considerations
Presentation | GUI, Browser, PC | Access control, virus scanners, encryption
Communication | SAProuter, Network, SNC | Access control, packet filtering, encryption
Web Connection | ITS | Encryption, certificates, Single Sign-On
Application | Application modules, work processes, interfaces | SAP users, password rules, authorizations
Database | Relational database | Access to SAP tables, backup, consistency
Operating System | UNIX, Windows NT, OS/400, OS/390 | Access to SAP files, OS services

SAP Access Control


- System Access Control
  - Users must identify themselves in the system
  - Configuration of system access control (e.g. password rules)
- Access Control
  - Access rights for functions and data must be granted explicitly using authorizations
  - Authorization checks for
    - Transaction/report calls
    - Program execution

Users, Roles, and Authorizations

Employees have roles with specific functions and need authorizations for these functions.

Procurement
- Create Purchase Requisition (ME51): Authorization to create purchase requisitions
- Release Purchase Requisition (ME54): Authorization to release purchase requisitions
- Order Purchase Requisition (ME58): Authorization to create purchase orders

Karen
- Employee
- Service Representative

Susan
- Employee
- Service Representative
- Manager

John
- Employee
- Purchaser

Technical Implementation of Roles

Role: Professional Purchaser

- Role Menu
  - Accessible Transactions, Reports, Web Links
  - Structure of the Menus/Access Paths
- Authorizations
  - Selective Access to Business Functions and Data

User

SAP Easy Access - User-Specific Menus

[Screen: SAP Easy Access. Menu bar: Menu, Edit, Favorites, Extras, System, Help. Buttons: Other menu, Create menu, Assign users.]

Favorites
- SM51 - List of SAP Systems

Role BC_USER_ADMIN: User Administration
- SU01 - User Maintenance
- PFCG - Role Maintenance
- SU01D - Display User
- SU05 - Internet User Maintenance
- SU10 - User Mass Maintenance
- SUGR - Maintain User Groups

Introduction: Unit Summary

You are now able to:
- Describe the SAP authorization concept as part of a comprehensive security concept
- Explain the access control mechanisms
- Explain how users, roles and authorizations are related
- Describe the technical implementation of a role-based authorization concept

Conception with ASAP Methodology

Contents:
- ASAP methodology for creating an authorization concept
- Project preparation
- Analysis and design of the authorization concept
- Implementation of the authorization concept
- Testing and quality assurance
- Cutover

Conception with ASAP Methodology: Unit Objectives

At the conclusion of this unit, you will be able to:
- List the steps necessary to implement an authorization concept
- Describe the activities to be performed in each step
- Assign responsible persons to each activity
- Use the ASAP procedure model for implementing an authorization concept for your own projects

Conception with ASAP Methodology: Business Scenario

- Before going live, your company wants to implement an authorization concept.
- The steps required to realize the authorization concept must be planned in the context of the entire implementation process.
- During the planning phase you want to estimate the time and personnel resources needed.

Role and Authorization Concept: Steps

1. Preparation
2. Analysis & Conception
3. Implementation
4. Quality Assurance & Tests
5. Cutover

In parallel: Determine User and Authorization Administration Strategy

- A Role and Authorization Concept is Implemented in 5 Steps
- Each Step Comprises Different Activities
- Each Activity is Associated with a Responsible Person
- User Administration and Authorization Management Organization is Parallel to User and Authorization Concept Implementation

Step 1: Preparation

Measures:
- Set Up a Team for User Roles and Authorizations
- Clarify Prerequisites for Authorization Assignment
- Train the Team for User Roles and Authorizations
- Trigger Role and Authorization Project

Team for User Roles and Authorizations

Areas: FI/CO, PP, BASIS, SD/MM, HR
Team members: KU KU KU BC KU BC KU
KU = Key User
BC = Basis User (technical authorization management)

Step 2: Analysis & Conception

Measures:
- Determine User Roles
- Complete Roles
- Determine Framework for Implementing the Roles
- Check Framework for Implementing the Roles

SAP AG 1999

Analysis: Determine User Roles


Authorization List - Role Design

Columns: Business Processes, Transaction, Enterprise area, Role name, Scope (three columns)

Financial Accounting
  General Ledger Processing
    Closing Operations
      Profit and Loss Adjustment
        General ledger: Profit and Loss Adjustment | F.50
        General ledger: Update Balance Sheet Adj. | F.5D
        General ledger: Post Balance Sheet Readj. | F.5E
        General ledger: Balance Sheet Readj., Log | F.5F
        General ledger: B/S Readj., Spec. Functions | F.5G
  Accounts Payable Accounting
    Invoices and Credit Memos
      Parked Document Posting [Vendors]
        Post Parked Document | FBV0
        Change Parked Document | FBV2
        Display Parked Document | FBV3
        Change Parked Doc. (Header) | FBV4
        Document Changes: Parked Documents | FBV5
        Reject Parked Document | FBV6
    Vendor Account Analysis
      Balance Analysis
        Customer Account Analysis | FD11
        Vendor Account Balance | FK10
        Display Vendor Balances | FK10N
        Vendor Line Items | FBL1N
    Correspondence with Vendors
      Correspondence with Vendors
        Correspondence: Print Requests | F.61
        Correspondence: Print Internal Docs. | F.62
        Correspondence: Delete Requests | F.63
        Correspondence: Maintain Requests | F.64

Conception: Complete User Roles (1)


Authorization List - Role Design

[Table: the same business process and transaction list as under "Analysis: Determine User Roles", now with Enterprise area FI and the role names FI_Manag, AP_Manag and AP_Acc entered; an x in a role's Scope column marks each transaction that belongs to the role.]

Technical Conception: Role Implementation (1)


- User: User Master Record
- User Role: Composite Role (Accounts Payable Accounting Manager, Accounts Payable Accountant)
- Activity Block (Group of Related Activities): Role (Balance Analysis, G/L Document Maintenance)
- Activities: Transactions, Reports
  - Balance Analysis: Vendor Line Items, Display Vendor Balances, Maintain Account Balances
  - G/L Document Maintenance: Post Documents, Change Documents
  - ........

Technical Conception: Role Implementation (2)

Composite roles: Financial Accounting Manager, Accounts Payable Accounting Manager, Accounts Payable Accountant

Roles combined in them: Maintain Documents, Closing Operations, Balance Analysis, Correspondence

Step 3: Implementation

Measures:
- Create Roles
- Create Derived Roles
- Create Composite Roles

Step 4: Quality Assurance & Tests

Measures:
- Test User Roles and Authorization Concept
- Release Roles and Authorization Concept

Step 5: Cutover

Measures:
- Set Up Productive Environment
- Create User Master Records for Productive Users
- Accept Role and Authorization Project

User and Authorization Administration Strategy

Measures:
- Specify Technical User and Authorization Administration Strategy
- Specify User and Authorization Administration Procedure
- Train Users and Authorization Administrators

User and Authorization Administration Strategy

Administrators: System Administrator, Authorization Data Administrator, Authorization Profile Administrator, User Administrator

Tasks: Create Role, Maintain Role, Activate Profile, Assign Role, Maintain Users

Systems: Development System, User Administration System

Conception with ASAP Methodology: Unit Summary

You are now able to:
- List the steps necessary to implement an authorization concept
- Describe the activities to be performed in each step
- Assign responsible persons to each activity
- Use the ASAP procedure model for implementing an authorization concept for your own projects

Elements of SAP Authorization Concept

Elements of the SAP R/3 Authorization Concept: Business Scenario

- The SAP R/3 authorization concept prevents unauthorized access to the system and to data and objects within the system. Users that are to perform specific functions in the SAP R/3 System need a user master record with the relevant authorizations.

Overview of the elements of the SAP R/3 authorization concept

Authorization object class

Authorization object

Authorization

Profile

Role

User

Authorization field:

Authorization Fields, Objects, Object Classes


Authorization Fields: BUKRS, ACTVT, WERKS, BEGRU

Authorization Object Class | Authorization Objects
MM_R | M_RECH_BUK
FI | F_BKPF_BUK, F_KNA1_BUK
PP | C_KAPA_PLA, C_ARPL_WRK
MM_B | M_MSEG_WWA
SD | V_KNA1_BRG
CV | C_DRAW_BGR

Authorization
Authorization A
- BUKRS: 1000, 2000
- ACTVT: 01, 02, 03 (Create, Change, Display)

Authorization B
- BUKRS: 1000, 2000, 3000
- ACTVT: 03 (Display)

Authorizations and Authorization Profiles

Authorization Objects and their fields:
- S_TCODE: TCD
- F_BKPF_BUK: ACTVT, BUKRS
- F_BKPF_GSP: ACTVT, GSBER
- F_BKPF_KOA: ACTVT, KOART
- .......

Work Center 1 F-22, F-27 FB02, FB03 01, 02, 03 2000

Work Center 2 F-22, F-27 FB02, FB03 01, 02, 03 1000

Work Center 3 F-43, F-41 FB02, FB03 03 1000 01, 02, 03 1000, 2000

Authorization

01, 02, 03 1000


01, 02, 03 A, D, S .......

01, 02, 03 2000

01, 02, 03 D ....... Authorization Profile

01, 02, 03 K .......

Authorization Check in the Program

Change Accounting Document

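Transaction FB02, Program SAPMF05L

Check in the program:

....
" SY-SUBRC is 0 only if one authorization of the user covers both field values
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'ACTVT' FIELD '02'
  ID 'BUKRS' FIELD BUK.
IF SY-SUBRC NE 0.
  MESSAGE E083 WITH BUK.
ENDIF.
.....

User Authorizations: Object F_BKPF_BUK, Authorization BUK 1000

Field | Value
ACTVT | 02, 03
BUKRS | 1000

The check compares the values requested in the program with the user's authorizations and returns the result in SY-SUBRC.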

Security Checks during Transaction Start

Change Accounting Document

1. System program: Authorization for transaction (authorization object S_TCODE)? If no: STOP.
2. System program: Authorization for authorization object in table TSTCA? If no: STOP.
3. If yes: ABAP program authorization checks (Initial Screen, Next Screen).
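The check sequence at transaction start and the AUTHORITY-CHECK in the program, as a simplified Python model; this is an added example, not SAP code or part of the course material. The authorizations reuse the values of Authorization A and B shown earlier; the S_TCODE authorization, the TSTCA entry and all function names are constructed for the illustration.

```python
"""Simplified model of the R/3 authorization checks (added example, not SAP code)."""
from dataclasses import dataclass


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. F_BKPF_BUK
    values: dict  # field name -> set of permitted values ("*" permits any value)

    def covers(self, requested):
        # Every requested field value must be permitted by this ONE authorization;
        # values of different authorizations are never combined.
        for fld, wanted in requested.items():
            allowed = self.values.get(fld, set())
            if "*" not in allowed and wanted not in allowed:
                return False
        return True


def authority_check(user_buffer, obj, **requested):
    """Model of AUTHORITY-CHECK. Returns 0 if authorized, 4 if the user has the
    object but no authorization covers the values, 12 if the object is missing."""
    candidates = [a for a in user_buffer if a.obj == obj]
    if not candidates:
        return 12
    return 0 if any(a.covers(requested) for a in candidates) else 4


def start_transaction(user_buffer, tcode, tstca, program_checks):
    """Run the three checks in order; return (allowed, stage that decided)."""
    # 1. System program: may the user start the transaction at all?
    if authority_check(user_buffer, "S_TCODE", TCD=tcode) != 0:
        return False, "S_TCODE"
    # 2. System program: additional object assigned to the transaction in TSTCA.
    entry = tstca.get(tcode)
    if entry is not None:
        obj, fields = entry
        if authority_check(user_buffer, obj, **fields) != 0:
            return False, "TSTCA"
    # 3. ABAP program: AUTHORITY-CHECK statements with the values entered.
    for obj, fields in program_checks:
        if authority_check(user_buffer, obj, **fields) != 0:
            return False, "AUTHORITY-CHECK"
    return True, "OK"


# Constructed sample data. AUTH_A and AUTH_B use the values of Authorization A
# and Authorization B above; TCODES and TSTCA are assumptions for this example.
AUTH_A = Authorization("F_BKPF_BUK", {"BUKRS": {"1000", "2000"},
                                      "ACTVT": {"01", "02", "03"}})
AUTH_B = Authorization("F_BKPF_BUK", {"BUKRS": {"1000", "2000", "3000"},
                                      "ACTVT": {"03"}})
TCODES = Authorization("S_TCODE", {"TCD": {"FB02", "FB03"}})
USER_BUFFER = [TCODES, AUTH_A, AUTH_B]
TSTCA = {"FB02": ("F_BKPF_BUK", {"ACTVT": "02"})}


def change_document(company_code):
    """FB02 with the program check from the slide (ACTVT 02, BUKRS = BUK)."""
    checks = [("F_BKPF_BUK", {"ACTVT": "02", "BUKRS": company_code})]
    return start_transaction(USER_BUFFER, "FB02", TSTCA, checks)


if __name__ == "__main__":
    for bukrs in ("1000", "3000"):
        print("FB02 in company code", bukrs, "->", change_document(bukrs))
    print("F-22 ->", start_transaction(USER_BUFFER, "F-22", TSTCA, []))
```

Company code 3000 is the instructive case: Authorization A permits change but not 3000, Authorization B permits 3000 but only display, so the user passes the first two checks and is stopped by the program check.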

Roles and Authorization Profiles


Create Roles Using the Profile Generator (PFCG)
1. Choose Activities (Transactions, Reports, Web links): User Menu
2. Maintain Authorization Data (Define Authorization Objects)
3. Generation: Authorization Profile (Authorization for Authorization Object xxx, ....)

Roles and the Easy Access Menu

[Screen: SAP Easy Access. Menu bar: Menu, Edit, Favorites, Extras, System, Help. Buttons: Other menu, Create menu, Assign users.]

Favorites
- SU01 - User Maintenance

Role SAP_BC_USER_ADMIN_AG: User Administration
- SU01 - User Maintenance
- PFCG - Role Maintenance
- SU01D - Display User
- SU05 - Internet User Maintenance
- SU10 - User Mass Maintenance
- SUGR - Maintain User Groups

Elements of the SAP R/3 Authorization Concept: Unit Summary

You are now able to:
- Describe the elements of the authorization concept
- Describe the process flow of an authorization check in the program
- Describe the authorization checks during transaction start
- Describe the differences between roles and authorization profiles
- Explain the relationship between roles and the Easy Access menu

User Master

The User Master Record

Contents:
- Identifying users by means of the user master record
- SAP R/3 user types
- Components of the user master record
- User buffer
- Change documentation

The User Master Record: Unit Objectives

At the conclusion of this unit, you will be able to:
- List the different SAP R/3 user types
- Distinguish between the components of the user master record
- Create and change user master records
- Evaluate change documents
- Display and archive change documents
- Analyze the user buffer
- Understand the function of the user buffer and evaluate the buffered user authorizations

The User Master Record: Business Scenario

- To access the SAP R/3 System and work with the data in the system, a user master record with appropriate authorizations is required. Other elements of the user master record make it easier to work with the SAP R/3 System.

User Master Record Components

[Screen: Display User, with the fields User and Last changed by, and the status Saved.]

Tabs of the user master record:
- Address: Personal Data, Communication Data, Company Address
- Logon Data: User Group, User Type, Validity Period
- Defaults: Start Menu, Logon Language, Standard Printer
- Parameters: Default Parameter IDs
- Roles: Assignment of Roles
- Profiles: Assignment of Profiles
- Groups: Assignment of User Groups

User Buffer

User: WolfMeier
Role: MY_FI_AR_DISPLAY_MASTER_DATA
Authorization Profile: T-T0030107

Logon to the SAP R/3 System loads the user buffer:

Object | Authorization
........... |
F_BKPF_KOA | T-T003010700
F_KNA1_AEN | T-T003010700
F_KNA1_APP | T-T003010700
F_KNA1_APP | T-T003010701
F_KNA1_BED | T-T003010700
F_KNA1_BUK | T-T003010700
F_KNA1_GEN | T-T003010700
F_KNA1_GEN | T-T003010701
............... |

The User Master Record: Unit Summary

You are now able to:
- List the different SAP R/3 user types
- Distinguish between the components of the user master record
- Create and change user master records
- Evaluate change documents
- Display and archive change documents
- Analyze the user buffer
- Understand the function of the user buffer and evaluate the buffered user authorizations

Working with Profile Generator

Working with the Profile Generator

Contents:
- This unit describes how to design SAP Easy Access user menus for the various work centers (or roles) in your company and how to automatically generate authorization profiles for those menus.
- The first part of this unit deals with simpler basic maintenance. The focus is placed on the creation of menus and the associated authorizations, profiles, and user assignments.
- The second part deals with more advanced topics: The focus here is placed on derived and composite roles.

Working with the Profile Generator: Unit Objectives

At the conclusion of this unit, you will be able to:
- Perform the steps involved in assigning authorizations with the Profile Generator
- Copy, change, and create roles and determine their activities
- Display and maintain authorizations that were generated automatically

Working with the Profile Generator: Business Scenario

- When you create authorizations and authorization profiles for groups of users, you should use the Profile Generator. Based on selected menu functions, the Profile Generator automatically generates authorization data and offers it for postprocessing.

The Profile Generator: Steps

Profile Generator: tabs of a role and the steps performed on each
- Description: Define Role Names
- Menu: Define Activities, Design User Menus
- Authorizations: Maintain Authorization Data, Generate Authorization Profile
- User: Assign Users, Adjust User Master Records

Profile Generator: Views

Role: SAP_FI_AR_MASTER_DATA
Description: Accounts Payable Clerk
Buttons: Information, Display, Change, Create, Create Composite Role

Views:
- Simple Maintenance (Workplace Menu Maintenance): Menu, Agents
- Basic Maintenance (Menus, Profiles, Other Objects): Menu, Authorizations, Agents
- Overview (Organisational Management and Workflow): Menu, Authorizations, Tasks, Agents, Organisational Management

Profile Generator: Steps

1. Define Role Name
2. Determine Activities
3. Design User Menus
4. Maintain Authorization Data
5. Generate Authorization Profile
6. Assign Users
7. Adjust User Master Records

Define Role Name and Description


Role: MY_ROLE
Description: FI: Accounts Payable Accountant
Buttons: Information, Display, Change, Create, Create Composite Role, Other Role
Tabs: Description, Menu, Authorizations, User, Pers...


Determine Activities

[Figure: activities such as Transaction TA1, Transaction TA2, Transaction TA3, Report xyz and Web Link are assigned to Role 1 and Role 2.]

Tabs: Description, Menu, Authorizations, User


Design Menus

[Figure: Web Link, Transaction TA1, Transaction TA2, Transaction TA3 and Reports xxx, zab, xyz are arranged in the menu of a role.]

Define Functions

Role: MY_ROLE
Description: FI: Accounts Payable Accountant - (Template Copy)
Tabs: Description, Menu, Authorizations, Users, Pers ..
Functions that can be added to the menu: Transaction, Report, Other, All

Customize Menu Structure

Role Menu
- URL - www.mysap.com
- URL - Route Planner
- SM04 - User List
- SE16 - Data Browser
- Account
- Master Data
  - FK01 - Create Vendor
  - FK02 - Change Vendor
  - FK03 - Display Vendor
  - FK04 - Display Changes
  - FK05 - Lock Vendor
  - FK06 - Set Deletion Flag
- Confirmation of Change
- Compare
- Correspondence
- Closing
- Reporting
- Withholding Tax
- Information System
- Other Addresses

Target system: T70CLNT400 (Distribute)

Copy menu entries (drag&drop): From the SAP Menu, From Other Role, From Area Menu, Import From File

Other functions: Translate Node, Display Documentation, Find in Docu.

Tabs: Description, Menu, Authorizations, User


Profile Generator: Create Authorization Profiles


Maint.: 0 Unmaint. Org levels, 7 Open Fields, Status: Saved

MY_ROLE - FI: Accounts Payable Accountant

Status | Change | Object class / authorization
Maintained | Old | Cross-Application Authorization Objects
Maintained | Old | Asset Management
Maintained | New | Basis - Administration
Standard | New | Authorization for File Access
Standard | New | Authorization for File Access (fields: Activity, Physical File Name, ABAP Program Name)
Maintained | Old | SAPscript: Standard text
Standard | Old | Basis - Development Environment
Maintained | New | Basis - Central Functions
Standard | Old | Materials Management - Procurement

Role: MY_ROLE
Description: FI: Accounts Payable Accountant - created from SAP template
Tabs: Description, Menu, Authorizations, User
Created: User MEYERS, Date 16.01.2000, Time 13:22:12
Last change: User BENZ, Date 18.01.2000, Time 17:50:59

Information on the authorization profile
- Profile name: T-K6840005
- Profile text: Profile for Role MY_ROLE
- Status: Current Version Not Generated

Maintain Authorization Data and Generate Profiles
- Change Authorization Data
- Expert Mode for Profile Generation


Generate Authorization Profile


[Screen: the authorization data of MY_ROLE (0 Unmaint. Org Levels, 7 Open Fields, Status: Saved) with the same object classes as on the previous screen; the Generate function is selected.]

Assign Profile Name for Generated Authorization Profile

You can change the default profile name here
- Profile name: MY_ROLE_PF
- Text: Profile for role MY_ROLE

You will not be able to change this profile name later

Tabs: Description, Menu, Authorizations, User


Assigning Users to Roles

Role 1

Role 3
Role 2

Role 4


Comparing the User Master


Role: MY_ROLE
Description: FI: Accounts Payable Accountant
Buttons: Other Role, Information
Tabs: Description, Menu, Authorizations, User, Pers ...
On the User tab: Selection, User Compare

Compare Role User Master Record
- Last Comparison: User, Date, Time
- Information for user master comparison: Status: User authorization changed since last save
- Complete Adjustment: User, Date, Time
- Buttons: Complete Compare, Expert Mode for Compare, Information

Derived Roles

(Reference) Role

Each derived role carries its own organisational structure:
- Derived Role 1: Authorizations for Plant 1, Company Code 0020, Business Area 110, ...
- Derived Role 2: Authorizations for Plant 1, Company Code 0020, Business Area *, ...
- Derived Role 3: Authorizations for Plant 2, Company Code 0001, Business Area 100, ...

Menus of Derived Roles

Changes to the menu are only possible here

Derived Role 1

Reference Role

Derived Role 2

Derived Role 3

Composite Roles

Role 2 Role 5 Role 1 Role 3 Role 4 Role 6 Role 7

Composite Role A

Composite Role B

Menus of Composite Roles

Role 1
Menu Role 1

Composite Role

Menu Role 1

Changes to the Entire Menu Are Possible!

Menu Role 2

Menu Role 2

Role 2

Working with the Profile Generator: Unit Summary

You are now able to:
- Perform the steps involved in assigning authorizations with the Profile Generator
- Copy, change, and create roles and determine their activities
- Display and maintain authorizations that were generated automatically

Access Control and User Administration

Contents:
- Special Users
- Administration Tasks in User and Authorization Administration
- SAP Authorization Objects for Protection from Access to Administration Functions
- Scenarios for Distributing Administration Tasks in the System Infrastructure

Access Control and User Administration: Unit Objectives

At the conclusion of this unit, you will be able to:
- Protect special users in SAP R/3.
- Describe tasks in user and authorization administration
- List options for separating functions of user and authorization administration.
- Describe options for decentralization of user administration.
- Create user and authorization administrators with limited rights

Access Control and User Administration: Business Scenario

- In order to protect your SAP R/3 System against unauthorized access, you must define password rules, set the relevant profile parameters and protect special users.
- You must also define areas of responsibility for user and authorization administration.
- The organizational areas of responsibility must be clearly defined technically using authorizations.

Special Users

Initial Logon Procedure in SAP Clients

Client | User | Initial password
000 | SAP* | 06071992
001 | DDIC | 19920706
066 | EarlyWatch | support
Client (new) | SAP* | pass

Since these users are generally known, they must be protected against unauthorized access.

User and Authorization Administration: Activities

- Create, maintain, lock and unlock users, and change passwords
- Create and Maintain Roles
- Maintain Transaction Selections and Authorization Data in Roles
- Generate Authorization Profiles
- Assign Roles and Profiles
- Transport Roles
- Monitor Using the Information System
- Archive Change Documents

Security Requirements

- An administrator may not
  - Administer users and
  - Maintain authorizations and
  - Generate authorization profiles
- Separation of functions
  - Principle of dual control
    - User administration
    - Authorization maintenance and generation
  - Principle of triple control
    - User administration
    - Authorization maintenance
    - Authorization generation

Separation of Functions
Superuser

User Administrator
- Maintain user master records
- Assign roles to users
- Assign profiles to users (only T...)
- Display authorizations and profiles
- Call "Information System Authorizations"

Authorization Profile Administrator
- Maintain roles
  - Create authorizations (only T-...)
  - Create profiles (only T-...)
- Execute Transaction SUPC
- Call "Information System Authorizations"

Authorization Data Administrator
- Maintain roles
  - Change transaction selection
  - Change authorization data
- Call "Information System Authorizations"

Decentral User Administration

[Figure: decentral user administration, with one user administrator per location (Location 1, Location 2, Location 3, Location 4) and one user administrator per application area (FI, CO, SD, MM, PP).]

Scenario 1

- Central user administration
  - One user administrator for all users
  - Unlimited authorizations for all user administration tasks of the user administrator
- Central maintenance of roles and profiles
  - One administrator takes on both roles
    - Authorization data administrator
    - Authorization profile administrator
  - All authorizations for maintaining the roles and profiles
- Principle of dual control

Scenario 2
- Decentral user administration (production system)
  - One user administrator per application area (FI, MM)
    - Authorized to maintain a certain user group
    - Authorized to assign a certain number of roles and profiles
    - No other restrictions in the specific user administration tasks
- Central maintenance of roles and profiles
  - Separation of responsibilities
    - One authorization data administrator
    - One authorization profile administrator
  - No other restrictions in the specific roles or profiles for both administrators
- Principle of triple control

Scenario 3
- Central creation and deletion for all users (prod.)
- Decentral user administration (production system)
  - One user administrator per application area (FI, MM)
    - Authorized to maintain a certain user group
    - Authorized to assign a certain number of roles and profiles
    - Authorized for only certain user administration tasks (change, lock/unlock, reset password)
- Central maintenance of roles and profiles
  - Separation of responsibilities
    - One authorization data administrator
    - One authorization profile administrator
  - No other restrictions in the specific roles or profiles for both administrators
- Principle of triple control
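An audit of administrator assignments against the separation of functions and the Scenario 3 restrictions, as an added Python example that is not SAP code or part of the course material. The duty labels, the "mixed" result, the administrator record and the role names assigned to it are constructed for the illustration and do not correspond to SAP authorization objects.

```python
"""Added example: audit administrator duties against dual/triple control."""
from dataclasses import dataclass

USER_ADMIN = "user administration"
AUTH_MAINT = "authorization maintenance"
AUTH_GEN = "authorization generation"
ALL_DUTIES = {USER_ADMIN, AUTH_MAINT, AUTH_GEN}


def control_level(duties_by_admin):
    """Classify a duty assignment and name the administrators that break it.

    "violation": one administrator holds all three duties.
    "triple":    nobody holds more than one duty.
    "dual":      user administration is never combined with an authorization duty.
    "mixed":     any other combination (this example's own label).
    """
    held = {a: set(d) & ALL_DUTIES for a, d in duties_by_admin.items()}
    offenders = sorted(a for a, d in held.items() if d == ALL_DUTIES)
    if offenders:
        return "violation", offenders
    crossing = sorted(a for a, d in held.items() if USER_ADMIN in d and len(d) > 1)
    if crossing:
        return "mixed", crossing
    if all(len(d) <= 1 for d in held.values()):
        return "triple", []
    return "dual", []


@dataclass
class DecentralUserAdmin:
    """Scenario 3 user administrator: limited user group, roles and tasks."""
    name: str
    user_groups: set        # user groups the administrator may maintain
    assignable_roles: set   # roles the administrator may assign
    tasks: set              # permitted user administration tasks


def may_perform(admin, task, target_group, role=None):
    """Return (allowed, reason) for one requested administration action."""
    if target_group not in admin.user_groups:
        return False, "user group"
    if task not in admin.tasks:
        return False, "task"
    if role is not None and role not in admin.assignable_roles:
        return False, "role"
    return True, "ok"


# Constructed sample data: an FI user administrator as in Scenario 3. Creation
# and deletion stay central, so they are not among the tasks.
FI_ADMIN = DecentralUserAdmin(
    name="FI_UADM",
    user_groups={"FI"},
    assignable_roles={"AP_Acc", "AP_Manag"},
    tasks={"change", "lock/unlock", "reset password"},
)

SCENARIO_1 = {"UADM": {USER_ADMIN}, "AADM": {AUTH_MAINT, AUTH_GEN}}
SCENARIO_2 = {"UADM_FI": {USER_ADMIN}, "UADM_MM": {USER_ADMIN},
              "DATA_ADM": {AUTH_MAINT}, "PROF_ADM": {AUTH_GEN}}

if __name__ == "__main__":
    print("Scenario 1:", control_level(SCENARIO_1))
    print("Scenario 2:", control_level(SCENARIO_2))
    print("Superuser :", control_level({"SUPER": set(ALL_DUTIES)}))
    print(may_perform(FI_ADMIN, "change", "FI", role="FI_Manag"))
```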

Access Control and User Administration : Unit Summary

You are now able to:
- Change password rules with system profile parameters
- Protect special users in the R/3 System.
- Describe tasks in user and authorization administration
- List options for separating functions of user and authorization administration
- Describe options for decentralization of user administration
- Create user and authorization administrators with limited rights