SAP Security Profile Generator

The objective today is to provide a brief overview of SAP Security and to discuss best practices for the Profile Generator (transaction PFCG).
 
In SAP, a user ID is assigned one or more security roles based on the person's job role. SAP's documentation calls it simply a Role, but I prefer to use the term Security Role to differentiate it from Job Role. On a pre-Profile Generator SAP system, an ID is assigned one or more profiles directly. Is there anyone here who is still on 3.0? I feel your pain in creating a profile. However, I find that those who have experience with the manual method tend to have a better understanding of how SAP Security works.

With the advent of the Profile Generator, a security role may have one or more generated profiles, and each profile may contain up to 150 authorizations.

If you create a role that ends up with 450 authorizations, the Profile Generator will create 3 profiles; a 451st authorization would need a fourth.

You might wonder what the difference is between an Authorization Object and an Authorization.
An authorization object is a template: it has one to ten fields and is what every authority check in SAP program code refers to. When you fill its fields with a value, or a combination of values, you get an authorization, and one object can be used to create any number of authorizations. For example, S_TCODE has only one field (TCD), so there are no combinations to distinguish: the Profile Generator keeps a single standard S_TCODE authorization per security role and simply lists all the transaction codes in it.

S_USR_GRP, however, has two fields: CLASS (the user group) and ACTVT (the activity). With two fields there are combinations to distinguish, so you can create several authorizations from the same object, each pairing a group with a set of activities, to satisfy the business requirement.

Say you are building a security helpdesk role that may create, change and delete only users in the Houston region, but display all users. The first authorization would contain object S_USR_GRP with Activity (ACTVT) 01, 02 and 06 and User Group (CLASS) HOUSTON. This assumes the Houston users carry that group in the "User group for authorization check" field on the Logon Data tab of SU01, because that is the group this object checks.
 
The second authorization, using the same object, would have Activity 03 and * for Class (user group). You now have two S_USR_GRP authorizations in the role, and it matters that they stay separate: the fields inside one authorization are combined with AND, so folding the values together (CLASS * with activities 01, 02, 03 and 06) would let the helpdesk change and delete every user. Note also that S_USR_GRP only covers the user master itself; SU01 checks further objects for other parts of the screen, for example S_USER_AGR for role assignment, so a real helpdesk role needs more than this one object.
 
Now that we have an understanding of how an ID is linked to a role and the role to profiles and authorizations, let's discuss the mechanics of SAP's authority check. When a user logs on, the authorizations from all profiles of his roles are loaded into the user buffer (transaction SU56 displays it), which is why a role change normally takes effect only at the next logon. When he starts SU01 to maintain users, the system performs an authority check against the buffer: it looks for an authorization for object S_TCODE and then tests whether its field TCD covers the value "SU01".

As the user then performs actions in SU01, the program runs further checks, here against S_USR_GRP with the activity and the target user's group. Only when every required check passes is the task allowed; the first failed check stops it with "No authorization", and the failed object and values can be inspected afterwards with SU53.
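To make the mechanics concrete, here is an added example in Python (not SAP code and not from the original article) that models the role to profile to authorization chain from the Profile Generator section and the check sequence for SU01 described above. The role names Z_SEC_HELPDESK and Z_SEC_HELPDESK_BAD, the profile naming, the user group DALLAS and the value-matching rules are assumptions for illustration; the real AUTHORITY-CHECK also supports from/to value ranges, which are left out here.

```python
"""Model of SAP role -> profile -> authorization and of the AUTHORITY-CHECK
sequence for SU01. Added example, not SAP code. All roles, groups and
profile names below are constructed for illustration."""

MAX_AUTHS_PER_PROFILE = 150  # per-profile limit stated in the article


def generate_profiles(role):
    """Mimic the Profile Generator: split the role's authorizations into
    profiles of at most MAX_AUTHS_PER_PROFILE each (450 -> 3, 451 -> 4).
    Profile names are hypothetical; PFCG assigns its own."""
    auths = role["authorizations"]
    step = MAX_AUTHS_PER_PROFILE
    chunks = [auths[i:i + step] for i in range(0, len(auths), step)] or [[]]
    return [{"name": f"{role['name']}_{n:02d}", "authorizations": chunk}
            for n, chunk in enumerate(chunks)]


def load_user_buffer(roles):
    """At logon every authorization from every profile of the user's roles is
    loaded into the user buffer (what SU56 shows)."""
    return [auth for role in roles
            for profile in generate_profiles(role)
            for auth in profile["authorizations"]]


def _value_covers(allowed, requested):
    """Single-value match: '*' covers everything, a trailing '*' is a prefix
    pattern, anything else must match exactly. Ranges are not modelled."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return requested.startswith(allowed[:-1])
    return allowed == requested


def authority_check(buffer, obj, **requested):
    """AUTHORITY-CHECK semantics: pass if at least one authorization for obj
    covers every requested field (fields are ANDed within one authorization,
    separate authorizations are ORed). Missing object or field value = fail."""
    for auth in buffer:
        if auth["object"] != obj:
            continue
        if all(any(_value_covers(v, value) for v in auth["fields"].get(field, []))
               for field, value in requested.items()):
            return True
    return False


def su01_allowed(buffer, actvt, target_group):
    """Check sequence for SU01 from the text: S_TCODE/TCD first, then S_USR_GRP
    with the activity and the target user's group. Every check must pass."""
    if not authority_check(buffer, "S_TCODE", TCD="SU01"):
        return False
    return authority_check(buffer, "S_USR_GRP", CLASS=target_group, ACTVT=actvt)


# Constructed helpdesk role from the text: create/change/delete (01/02/06)
# only for users in group HOUSTON, display (03) for users in any group.
HELPDESK_ROLE = {
    "name": "Z_SEC_HELPDESK",  # hypothetical role name
    "authorizations": [
        {"object": "S_TCODE",   "fields": {"TCD": ["SU01"]}},
        {"object": "S_USR_GRP", "fields": {"CLASS": ["HOUSTON"], "ACTVT": ["01", "02", "06"]}},
        {"object": "S_USR_GRP", "fields": {"CLASS": ["*"],       "ACTVT": ["03"]}},
    ],
}

# Failure mode: the same values collapsed into ONE authorization. Fields are
# ANDed inside it, so CLASS '*' now combines with ACTVT 06: delete anywhere.
COLLAPSED_ROLE = {
    "name": "Z_SEC_HELPDESK_BAD",  # hypothetical role name
    "authorizations": [
        {"object": "S_TCODE",   "fields": {"TCD": ["SU01"]}},
        {"object": "S_USR_GRP", "fields": {"CLASS": ["HOUSTON", "*"],
                                           "ACTVT": ["01", "02", "03", "06"]}},
    ],
}


if __name__ == "__main__":
    buf = load_user_buffer([HELPDESK_ROLE])
    for actvt, group in (("06", "HOUSTON"), ("06", "DALLAS"), ("03", "DALLAS")):
        print(f"ACTVT {actvt} on group {group}: {su01_allowed(buf, actvt, group)}")
    bad = load_user_buffer([COLLAPSED_ROLE])
    print("collapsed role, delete in DALLAS:", su01_allowed(bad, "06", "DALLAS"))
```

With the two-authorization role, deleting a HOUSTON user passes, deleting a DALLAS user fails and displaying a DALLAS user passes; with the collapsed role the DALLAS delete passes, which is exactly the over-privilege the separate authorizations avoid. In ABAP the same check is written as `AUTHORITY-CHECK OBJECT 'S_USR_GRP' ID 'CLASS' FIELD lv_group ID 'ACTVT' FIELD '06'`, and `sy-subrc = 0` means it passed.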
 

SAP Security and GRC Course Content

1 SAP R/3 Security
1.1 Overview of SAP
1.2 Overview of SAP BASIS
1.3 Introduction to SAP Security
    1.3.1 Why we need security
    1.3.2 What needs to be protected
    1.3.3 Whom we need to protect it from
    1.3.4 Implementation methodology
1.4 User administration
    1.4.1 Single user administration
    1.4.2 Mass user administration
    1.4.3 Running LSMW scripts
1.5 Introduction to CUA (Central User Administration)
    1.5.1 CUA configuration for different landscapes
    1.5.2 Performing user administration activities in CUA
    1.5.3 Distributing users/IDocs and troubleshooting issues
1.6 User groups concept
1.7 Role administration and authorization concept
    1.7.1 Overview of authorizations and roles
    1.7.2 Change management process
    1.7.3 Creating custom authorization objects
    1.7.4 SAP role types
    1.7.5 Working with the Profile Generator
    1.7.6 Creating and modifying different roles
1.8 Authorization group concept
1.9 Missing authorizations
1.10 Tracing a user for missing authorizations
1.11 Working with R/3 tables, parameters and reports
1.12 SAP Security audit

2 BW/BI Security
2.1 Architecture and strategies for a BI authorization concept
2.2 Security requirements in SAP BI
2.3 Standard roles and templates for the authorization concept
2.4 Creating and modifying BW/BI roles
2.5 Difference between BW and R/3 security
2.6 Difference between BW and BI security
2.7 Authorization objects involved in BW/BI
2.8 Analysis authorization concept and reporting
2.9 Troubleshooting BW/BI issues

3 HR Security
3.1 Introduction to HR security
3.2 Personnel Administration and Organizational Management
3.3 HR general and structural authorizations
3.4 HR authorization objects and infotypes
3.5 Troubleshooting HR issues

4 GRC (Governance, Risk and Compliance) 5.3
4.1 Introduction to GRC
4.2 Sarbanes-Oxley Act (SOX)
4.3 In-depth discussion of GRC components
    4.3.1 Compliant User Provisioning (CUP)
    4.3.2 Risk Analysis and Remediation (RAR)
    4.3.3 Enterprise Role Management (ERM)
    4.3.4 Superuser Privilege Management (SPM)
4.4 Working with functions, risks and mitigation controls
4.5 Introduction to GRC 10