The objective today is to provide a brief overview of SAP Security and to discuss the best practice of PFCG.
In SAP, a User ID is assigned one or more Security Roles based on the person’s Job Role. SAP’s documentation calls it a Role, but I prefer the term Security Role to differentiate it from Job Role. For those who are using a pre-Profile Generator SAP system, an ID is assigned one or more Profiles. Is there anyone here who is still on 3.0? I feel your pain in creating a profile. However, I find that those who have experience with the manual method tend to have a better understanding of how SAP Security works.
With the advent of Profile Generator, a Security Role may have one or more Profiles, and each Profile may contain up to 150 authorizations.
If you create a role that has 450 authorizations, then Profile Generator will create 3 profiles.
You might wonder what the difference is between an Authorization Object and an Authorization.
An Auth. Object has one or more fields and is the foundation of all SAP Security program checks. When you add a value, or a combination of values, to the fields, it becomes an Authorization. One Auth. Object can be used to create one or more Authorizations. For example, S_TCODE has only one field, and therefore you can only create one Standard authorization per Security Role.
S_USR_GRP, however, has two fields. Therefore you may create multiple authorizations using different combinations of values to satisfy your business requirement.
Let’s say that you are creating a security helpdesk role that can create, change, and delete only users from the Houston region, but can display all users. The first authorization would contain object S_USR_GRP with Activity values 01, 02, and 06 and a User Group value of Houston.
The second authorization, using the same object, would have 03 for Activity and * for Class (the User Group field). As a result you now have two authorizations.
Now that we understand how an ID is linked to a Role, and the Role to Profiles and Authorizations, let’s discuss the mechanics of SAP’s Authority-Check. When a user logs in to SAP, his authorizations are loaded into the User Buffer. When he executes SU01 to maintain a user, the program performs an Authority-Check (A-C) against the authorizations in the buffer to see if one of them contains the object S_TCODE. If yes, it then checks that authorization’s field TCD for the value “SU01”.
Then it checks the next authorization for the object S_USR_GRP. Once the program has verified all the necessary authorizations, it allows you to perform the task.
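As an added illustration (not code from the original talk), here is a small Python model of the User Buffer and the two-step Authority-Check described above, loaded with the Houston helpdesk role; the buffer contents are constructed, and the S_TCODE authorization for SU01 is assumed to be part of the role.

```python
"""Model of the SAP user buffer and Authority-Check (constructed example, not SAP code)."""
from fnmatch import fnmatchcase

# One authorization = an object name plus a list of permitted values per field.
# '*' is the SAP wildcard. Constructed buffer for the Houston security-helpdesk role:
# one S_TCODE authorization (assumed) and the two S_USR_GRP authorizations from the text.
HELPDESK_BUFFER = [
    {"object": "S_TCODE",   "fields": {"TCD": ["SU01"]}},
    {"object": "S_USR_GRP", "fields": {"ACTVT": ["01", "02", "06"], "CLASS": ["HOUSTON"]}},
    {"object": "S_USR_GRP", "fields": {"ACTVT": ["03"], "CLASS": ["*"]}},
]


def value_matches(allowed, requested):
    """An authorization value may be exact, '*' (everything) or a prefix ending in '*'."""
    return any(fnmatchcase(requested, pattern) for pattern in allowed)


def authority_check(buffer, obj, **requested):
    """Return True if ONE authorization satisfies every requested field at the same time.

    This mirrors the ABAP statement AUTHORITY-CHECK OBJECT obj ID field FIELD value ...,
    which sets sy-subrc = 0 only when a single authorization covers all ID/FIELD pairs.
    Values from two different authorizations are never combined, which is why the
    helpdesk role needs two S_USR_GRP authorizations instead of one with 01/02/03/06 and *.
    """
    for auth in buffer:
        if auth["object"] != obj:
            continue
        if all(value_matches(auth["fields"].get(f, []), v) for f, v in requested.items()):
            return True
    return False


def can_maintain_user(buffer, activity, user_group):
    """The sequence SU01 follows: first S_TCODE for the transaction, then S_USR_GRP."""
    if not authority_check(buffer, "S_TCODE", TCD="SU01"):
        return False  # transaction start refused before any user-group check runs
    return authority_check(buffer, "S_USR_GRP", ACTVT=activity, CLASS=user_group)


if __name__ == "__main__":
    print(can_maintain_user(HELPDESK_BUFFER, "01", "HOUSTON"))  # create Houston user
    print(can_maintain_user(HELPDESK_BUFFER, "06", "DALLAS"))   # delete Dallas user
```

The Dallas delete fails even though 06 appears in one authorization and * in the other, because each authorization is evaluated on its own.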