Single Role creation using PFCG in SAP Security


Creating a Single Role:

  • Run transaction code (T-Code) PFCG.

  • Enter a name for the role and click on the Create Role button.
    (Note: the roles supplied by SAP begin with the prefix "SAP_". When creating your own roles, do not use the SAP namespace; start the name with either Y or Z.)

  • Enter a Description (maximum 61 characters) and also the Long text, if needed.

  • Click on the Menu tab.

  • Click on the Transaction button.

  • Enter the T-Codes you want to include in this role and click on the Assign transactions button.
    You will get an information message stating how many transactions have been added to this role.

  • Click on the Authorizations tab.

  • Expand the required authorization objects and provide the authorization field values (activity values) under the appropriate authorization fields.

  • After providing all the values for the fields, you need to generate the profile; the profile contains the actual authorizations.
    Now click on the Generate button.


Now we assign this role to users using transaction SU01.



Table, Program and Transaction Code Access Control


  • Table Restriction

  • In order to restrict table access, a number of table authorization classes should be defined. All standard tables have been assigned to authorization classes and authorization objects; Table Maintenance is used to maintain the tables in each authorization class. Two levels of access are allowed: value 02 (add, change, or delete) and 03 (display only).

  • The S_TABU_DIS authorization object is used for regulating viewing access to the contents of the various tables among the different user groups.

  • TABLE ACCESS PROTECTION - key points to check:
      - Whether all system tables are assigned an appropriate authorization class.
      - Whether users are assigned system table maintenance access (through S_TABU_DIS) based on authorization classes commensurate with their job responsibilities.
    S_TABU_DIS - CASE STUDIES
    Test case for verification:

    A successful pass of the authority check requires the following authorization:

    for authorization object     S_TABU_DIS
    for field                    ACTVT          value 02
    for field                    DICBERCLS      value FC01

    Scenario:
    The user has the following authorizations assigned.

    Authorization A
    for authorization object     S_TABU_DIS
    for field                    ACTVT          value 03
    for field                    DICBERCLS      value FC01

    Authorization B
    for authorization object     S_TABU_DIS
    for field                    ACTVT          value 02
    for field                    DICBERCLS      value FC32
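The case study above, worked through as an added example (not SAP code): a small Python model of the rule that an authority check tests each authorization on its own, so the user holding Authorization A and B does not pass the check for ACTVT 02 on DICBERCLS FC01 even though both values appear somewhere in their authorizations; `pooled_check` shows the mistaken reading for contrast. The user data and the `*` wildcard handling are constructed assumptions.

```python
"""Model of how SAP evaluates an AUTHORITY-CHECK on S_TABU_DIS.

Added example, not SAP code: the check passes only if ONE authorization
instance of the object satisfies EVERY required field value; values are
never combined across authorizations. User data is constructed from the
case study (Authorization A and B)."""


def field_allows(allowed: set[str], value: str) -> bool:
    """'*' is the full-authorization wildcard for a field (assumption)."""
    return "*" in allowed or value in allowed


def authority_check(user_auths: list[dict], obj: str, required: dict[str, str]) -> bool:
    """True if a single authorization for `obj` covers all required field values."""
    for auth in user_auths:
        if auth["object"] != obj:
            continue
        if all(field_allows(auth.get(name, set()), value)
               for name, value in required.items()):
            return True
    return False


def pooled_check(user_auths: list[dict], obj: str, required: dict[str, str]) -> bool:
    """The WRONG reading an auditor may make when eyeballing a user's values:
    pooling each field across all authorizations. Kept only for contrast."""
    pooled: dict[str, set[str]] = {}
    for auth in user_auths:
        if auth["object"] == obj:
            for name, values in auth.items():
                if name != "object":
                    pooled.setdefault(name, set()).update(values)
    return all(field_allows(pooled.get(n, set()), v) for n, v in required.items())


# Constructed user mirroring the case study
CASE_STUDY_USER = [
    {"object": "S_TABU_DIS", "ACTVT": {"03"}, "DICBERCLS": {"FC01"}},  # Authorization A
    {"object": "S_TABU_DIS", "ACTVT": {"02"}, "DICBERCLS": {"FC32"}},  # Authorization B
]
# The test case: change access (02) on table authorization class FC01
CHECK_CHANGE_FC01 = {"ACTVT": "02", "DICBERCLS": "FC01"}


def check_case_study() -> bool:
    return authority_check(CASE_STUDY_USER, "S_TABU_DIS", CHECK_CHANGE_FC01)


if __name__ == "__main__":
    print("authority check passes:", check_case_study())  # False
    print("pooled reading passes:", pooled_check(CASE_STUDY_USER, "S_TABU_DIS", CHECK_CHANGE_FC01))  # True
```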