Authorization in SAP Software: Design and Configuration

Post on 20-Jul-2016



Foreword ......................................................................................................................19

Acknowledgments .......................................................................................................21

1 Introduction .............................................................................................................23

PART I Business Concepts ..................................................................27

2 Introduction and Concept Definition ................................................................... 29

2.1 Methodical Considerations .............................................................................30

2.1.1 Approaches for the Business Authorization Concept ...................... 30

2.1.2 Persons Involved in the Authorization Concept ............................... 33

2.2 Compliance ....................................................................................................33

2.3 Risk ............................................................................................................... 34

2.4 Corporate Governance .................................................................................. 38

2.5 Technical versus Business Significance of the Authorization Concept .........40

2.6 Technical Versus Business Roles................................................................. 42

3 Organization and Authorizations ......................................................................... 45

3.1 Example of an Organizational Differentiation .................................................46

3.2 Introduction .....................................................................................................48

3.3 Institutional Organization Concept .................................................................50

3.3.1 Object of the Organization .................................................................51

3.3.2 Legal Forms of the Organization .......................................................51

3.3.3 Organization and Environment ......................................................... 52

3.3.4 Summary .......................................................................................... 53

3.4 Instrumental Organization Concept .............................................................. 54

3.4.1 Specialization (Division of Labor) ..................................................... 55

3.4.2 Organizational Structure ................................................................... 58

3.4.3 Task Analysis .................................................................................... 68

3.5 Consequences of the Examination of the Organization ................................ 72

3.6 Views of the Organizational Structure in SAP Systems ................................ 73

3.6.1 Organizational Management ............................................................. 74

3.6.2 Organization View of External Accounting .........................................76

3.6.3 Organization View of Funds Management .........................................77

3.6.4 Organization View of the Standard Cost Center Hierarchy ...............78

3.6.5 Organization View of the Profit Center Hierarchy ............................. 79

3.6.6 Enterprise Organization .................................................................... 80

3.6.7 Organization View in the Project System ..........................................81

3.6.8 Logistical Organization View ............................................................ 82

3.6.9 Integration of the Organization Views with the Authorization Concept ... 82

3.7 Organizational Levels and Structures in SAP ERP ....................................... 83

3.7.1 Organizational Level “Client” ............................................................84

3.7.2 Relevant Organizational Levels of Accounting ................................ 84

3.7.3 Relevant Organizational Levels in MM ............................................ 88

3.7.4 Relevant Organizational Levels in Sales and Distribution ............... 89

3.7.5 Relevant Organizational Levels in Warehouse Management .......... 89

3.7.6 Integration of the Organizational Levels with the Authorization Concept ... 90

3.8 Information on the Methodology in the Project ..............................................91

3.9 Summary ........................................................................................................93

4 Legal Framework — Standardization Framework .............................................. 95

4.1 Basic Principles of Internal and External Regulations ....................................96

4.2 Internal Control System ............................................................................... 100

4.3 Sources of Law for External Accounting ......................................................101

4.3.1 Sources of Law and Effects for the Private Sector ........................ 103

4.3.2 Concrete Requirements for the Authorization Concept ................. 106

4.4 Data Privacy Laws ....................................................................................... 107

4.4.1 Legal Definitions Relating to Data Processing ............................... 110

4.4.2 Rights of the Person Affected .........................................................111

4.4.3 Recommendations Relating to the ICS .......................................... 112

4.4.4 Concrete Requirements for the Authorization Concept ..................113

4.4.5 Compliance versus Data Privacy ................................................... 113

4.5 General Requirements for Authorization Concepts ..................................... 115

4.5.1 Identity Principle ............................................................................ 116

4.5.2 Minimal Principle ............................................................................117

4.5.3 Job Principle ..................................................................................117

4.5.4 Document Principle in Financial Accounting ................................. 118

4.5.5 Document Principle in Authorization Management ....................... 118

4.5.6 Separation of Duties Principle .......................................................119

4.5.7 Approval Principle ......................................................................... 119

4.5.8 Standard Principle .........................................................................120

4.5.9 Written-Form Principle .................................................................. 120

4.5.10 Control Principle ............................................................................ 120

4.6 Summary .........................................................................................................121

5 Authorizations in the Process View .................................................................. 123

5.1 Process Overview ..........................................................................................123

5.2 The Sales Process ........................................................................................ 125

5.3 The Procurement Process ............................................................................. 131

5.4 Support Processes ........................................................................................ 136

5.5 Requirements of the Separation of Duties .................................................... 139

5.6 Summary ....................................................................................................... 140

PART II Tools and Authorization Maintenance in the SAP System ................... 143

6 Basic Technical Principles of Authorization Maintenance .............................. 145

6.1 User/Authorization ........................................................................................ 145

6.1.1 User ..................................................................................................146

6.1.2 User Maintenance (ABAP) .............................................................. 147

6.2 Transaction — Program — Authorization Object ........................................ 153

6.2.1 Transaction ...................................................................................... 153

6.2.2 Check in the Program Flow .............................................................. 155

6.2.3 Authorization Object .........................................................................158

6.3 Role and Role Profiles ................................................................................. 163

6.3.1 Authorization Profiles ........................................................................163

6.3.2 Creating and Maintaining Roles ........................................................164

6.4 Analysis of Authorization Checks ................................................................ 193

6.4.1 Evaluation of the Authorization Check ............................................. 193

6.4.2 Analysis in the Program Flow — System Trace/Authorization Trace 195

6.4.3 Program Check ............................................................................... 197

6.5 Additional Role Types in SAP ERP ............................................................. 199

6.5.1 Composite Role ...............................................................................200

6.5.2 Value Role/Functional Role .............................................................201

6.6 Summary ..................................................................................................... 202

7 System Settings and Customizing .................................................................... 203

7.1 Maintaining and Using the Defaults for the Profile Generator ..................... 204

7.1.1 Functions for the Profile Generator ................................................ 206

7.1.2 Function in the Upgrade ................................................................. 208

7.1.3 Normative Use ............................................................................... 208

7.1.4 Using Default Values for Risk Analyses and External Role Maintenance Tools ...................................................................... 210

7.1.5 Original State and Maintenance of Default Values ......................... 211

7.2 Upgrading Authorizations ............................................................................218

7.3 Parameters for Password Rules ................................................................. 223

7.4 Customizing Settings for the Menu Concept .............................................. 226

7.5 Authorization Groups .................................................................................. 233

7.5.1 Optional Authorization Checks for Authorization Groups ................236

7.5.2 Table Authorizations ....................................................................... 241

7.5.3 Authorization Groups as Organizational Levels .............................. 244

7.6 Parameter and Query Transactions ........................................................... 246

7.6.1 Parameter Transaction for Maintaining Tables via Defined Views ... 248

7.6.2 Parameter Transaction for Viewing Tables ..................................... 250

7.6.3 Implementing Queries in Transactions ............................................251

7.7 Promoting an Authorization Field to an Organizational Level .................... 254

7.7.1 Effects Analysis ............................................................................... 254

7.7.2 Procedure for Promoting a Field to an Organizational Level .......... 258

7.7.3 Promoting the Area of Responsibility to an Organizational Level ... 259

7.8 Developer and Authorization Trace ............................................................ 262

7.8.1 Procedure for the Developer and Authorization Trace ....................262

7.9 Creating Authorization Fields and Objects ................................................. 265

7.9.1 Creating Authorization Fields .......................................................... 265

7.9.2 Creating Authorization Objects ........................................................267

7.10 Further Transactions of the Authorization Administration .......................... 269

7.11 Transferring Roles Between Systems or Clients .........................................271

7.11.1 Downloading/Uploading Roles ....................................................... 271

7.11.2 Transporting Roles ......................................................................... 272

7.12 User Master Comparison ...........................................................................274

7.13 Summary ................................................................................................... 274

8 Role Assignment via Organizational Management ......................................... 277

8.1 Basic Concept of SAP ERP HCM Organizational Management .................. 278

8.2 Technical Prerequisites ................................................................................ 281

8.3 Technical Implementation .............................................................................281

8.3.1 Prerequisites ..................................................................................... 282

8.3.2 Technical Basics of SAP ERP HCM Organizational Management ... 282

8.3.3 Assigning Roles .................................................................................283

8.3.4 Evaluation Path ................................................................................. 284

8.3.5 User Master Comparison .................................................................. 285

8.4 Conceptual Special Feature ........................................................................ 285

8.5 Summary ..................................................................................................... 286

9 Automated Organizational Differentiation: The Role Generator ................... 289

9.1 Challenge and Solution Approach ................................................................ 290

9.1.1 Role Generator OM ........................................................................... 292

9.1.2 Area Role Concept ............................................................................295

9.1.3 Combining Area Roles and OM ........................................................ 298

9.2 Implementation Example for the Area Role Concept ....................................298

9.3 Integration, Restrictions, and Prospects ....................................................... 307

9.4 Summary .......................................................................................................307

10 Central Administration of Users and Management of Authorizations ......... 309

10.1 Basic Principles .............................................................................................310

10.1.1 Business Background .......................................................................310

10.1.2 User Lifecycle Management ............................................................ 313

10.1.3 SAP Solutions for the Central Administration of Users .................... 315

10.2 Central User Administration ........................................................................ 316

10.2.1 Procedure for Setting up the CUA .................................................. 318

10.2.2 Integration with Organizational Management of SAP ERP HCM ... 323

10.2.3 Integration with SAP BusinessObjects Access Control .................. 324

10.3 SAP BusinessObjects Access Control Compliant User Provisioning ......... 325

10.4 SAP NetWeaver Identity Management ........................................................331

10.4.1 Relevant Technical Details .............................................................. 332

10.4.2 Functionality .................................................................................... 333

10.4.3 Technical Architecture ..................................................................... 340

10.4.4 Integration of SAP BusinessObjects Access Control ....................... 343

10.5 Summary ..................................................................................................... 345

11 Authorizations: Standards and Analysis ........................................................ 347

11.1 Standards and Their Analysis .....................................................................347

11.1.1 Role Instead of Profile .................................................................... 347

11.1.2 Definition of the Role Through Transactions .................................. 349

11.1.3 Using Defaults ................................................................................ 351

11.1.4 Table Authorizations ....................................................................... 351

11.1.5 Program Execution Authorizations ................................................. 352

11.1.6 Derivation ........................................................................................ 353

11.1.7 Programming — Programming Guideline ....................................... 354

11.2 Critical Transactions and Objects ............................................................... 356

11.3 General Evaluations of Technical Standards ..............................................358

11.3.1 User Information System ............................................................... 358

11.3.2 Table-Based Analysis of Authorizations .........................................361

11.4 Summary ..................................................................................................... 365

12 SAP BusinessObjects Access Control ........................................................... 367

12.1 Basic Principles ............................................................................................ 367

12.2 Risk Analysis and Remediation .................................................................... 371

12.3 Enterprise Role Management ....................................................................... 377

12.4 Compliant User Provisioning ........................................................................379

12.5 Superuser Privilege Management ............................................................... 381

12.6 Risk Terminator ........................................................................................... 383

12.7 Summary ..................................................................................................... 384

13 User Management Engine ................................................................................ 385

13.1 Overview of the UME ......................................................................................386

13.1.1 UME Functions ................................................................................. 386

13.1.2 UME Architecture .............................................................................. 387

13.1.3 User Interface of the UME ................................................................ 389

13.1.4 Configuration of the UME ..................................................................390

13.2 Authorization Concept of SAP NetWeaver AS Java .................................... 393

13.2.1 UME Roles ....................................................................................... 394

13.2.2 UME Actions ..................................................................................... 394

13.2.3 UME Group ....................................................................................... 396

13.2.4 J2EE Security Roles ......................................................................... 397

13.3 User and Role Administration Using the UME .............................................. 399

13.3.1 Prerequisites for User and Role Administration ................................ 399

13.3.2 Administration of Users ..................................................................... 400

13.3.3 User Types ........................................................................................ 401

13.3.4 Administration of UME Roles ..............................................................402

13.3.5 Administration of UME Groups ......................................................... 403

13.3.6 Tracing and Logging ......................................................................... 403

13.4 Summary ....................................................................................................... 406

PART III Authorizations in Specific SAP Solutions .............................................. 407

14 Authorizations in SAP ERP HCM ..................................................................... 409

14.1 Basic Principles ...............................................................................................409

14.2 Special Requirements of SAP ERP HCM .............................................. 410

14.3 Authorizations and Roles ...................................................................... 412

14.3.1 Authorization-Relevant Attributes in SAP ERP HCM .........................412

14.3.2 Personnel Action Example ................................................................ 414

14.4 Authorization Main Switch ..............................................................................417

14.5 Organizational Management and Indirect Role Assignment .......................... 420

14.6 Structural Authorizations ................................................................................ 421

14.6.1 The Structural Authorization Profile ..................................................... 422

14.6.2 Evaluation Path .................................................................................... 424

14.6.3 Structural Authorizations and Performance ........................................ 426

14.7 Context-Sensitive Authorizations ................................................................... 426

14.8 Summary ........................................................................................................ 429

15 Authorizations in SAP CRM .............................................................................. 431

15.1 Basic Principles .............................................................................................. 432

15.1.1 The SAP CRM User Interface: CRM Web Client ............................... 432

15.1.2 Creating Business Roles for the CRM Web Client .............................440

15.2 Dependencies Between Business Role and PFCG Roles ............................. 442

15.3 Creating PFCG Roles Depending on the Business Roles ............................. 443

15.3.1 Prerequisites for Creating PFCG Roles ............................................ 444

15.3.2 Creating PFCG Roles ......................................................................... 449

15.4 Assigning Business Roles and PFCG Roles .................................................. 454

15.5 Sample Scenarios for Authorizations in SAP CRM ........................................ 463

15.5.1 Authorizing Interface Components .....................................................464

15.5.2 Authorizing Transaction Launcher Links ........................................... 473

15.5.3 Authorizing Master Data .................................................................... 475

15.5.4 Authorizing Business Transactions .................................................... 478

15.5.5 Authorizing Attribute Sets ...................................................................488

15.5.6 Authorizing Marketing Elements ........................................................ 489

15.6 Troubleshooting in the CRM Web Client ........................................................ 491

15.7 Access Control Engine ................................................................................... 494

15.8 Summary ........................................................................................................ 507

16 Authorizations in SAP SRM .............................................................................. 509

16.1 Basic Principles .............................................................................................. 509

16.2 Authorization Assignment in SAP SRM .......................................................... 512

16.2.1 Authorizations of User Interface Menus .................................................515

16.2.2 Authorizations of Typical Business Processes ......................................517

16.3 Summary ........................................................................................................ 531

17 Authorizations in SAP NetWeaver BW ............................................................. 533

17.1 OLTP Authorizations .......................................................................................534

17.2 Analysis Authorizations .................................................................................. 536

17.2.1 Basic Principles ................................................................................... 537

17.2.2 Barrier Principle ....................................................................................538

17.2.3 Transaction RSECADMIN .................................................................. 539

17.2.4 Authorization Maintenance ................................................................. 539

17.2.5 Assignment to Users: Transactions RSU01 and SU01 ...................... 542

17.2.6 Analysis and Authorization Log .......................................................... 546

17.2.7 Generation .......................................................................................... 549

17.2.8 Authorization Migration ....................................................................... 551

17.3 Modeling Authorizations in SAP NetWeaver BW ........................................... 552

17.3.1 InfoProvider-Based Models ................................................................ 553

17.3.2 Characteristic-Based Models ............................................................... 553

17.3.3 Mixed Models ...................................................................................... 554

17.4 Summary ........................................................................................................ 554

18 Processes in SAP ERP — Specific Authorizations ......................................... 555

18.1 Basic Principles ................................................................................................556

18.1.1 Master and Transaction Data ...............................................................556

18.1.2 Organizational Levels ......................................................................... 557

18.2 Authorizations in Financial Accounting .......................................................... 558

18.2.1 Organizational Differentiation Criteria .................................................. 559

18.2.2 Master Data .........................................................................................561

18.2.3 Postings ............................................................................................... 568

18.2.4 Payment Run .......................................................................................572

18.3 Authorizations in Controlling ............................................................................ 574

18.3.1 Organizational Differentiation Criteria ................................................. 575

18.3.2 Maintaining Master Data ...................................................................... 576

18.3.3 Postings .............................................................................................. 585

18.3.4 Old and New Authorization Concept in Controlling ............................. 588

18.4 Authorizations in Logistics (General) .............................................................. 588

18.4.1 Organizational Differentiation Criteria ................................................. 588

18.4.2 Material Master/Material Type .............................................................590

18.5 Authorizations in Purchasing .......................................................................... 594

18.5.1 Maintaining Master Data .....................................................................594

18.5.2 Procurement Processing .....................................................................594

18.6 Authorizations in Sales and Distribution ..........................................................601

18.6.1 Maintaining Master Data ......................................................................601

18.6.2 Sales Processing ................................................................................ 602

18.7 Authorizations in Technical Processes ........................................................... 605

18.7.1 Segregation of Duties in Authorization Management .......................... 606

18.7.2 Segregation of Duties in the Transport System ....................................610

18.7.3 RFC Authorizations ............................................................................. 612

18.7.4 Debugging Authorizations ................................................................... 613

18.7.5 Client Change ......................................................................................613

18.7.6 Change Logging ................................................................................. 615

18.7.7 Batch Authorizations ........................................................................... 615

18.8 Summary ....................................................................................................... 616

19 Project Concepts and Approaches .................................................................. 617

19.1 Authorization Concept in the Project Context ................................................ 617

19.2 Procedure Model ............................................................................................620

19.2.1 Logical Approach ................................................................................621

19.2.2 Implementation .................................................................................. 622

19.2.3 Redesign ............................................................................................ 624

19.2.4 Concrete Procedure ........................................................................... 625

19.3 SAP Best Practices Template Role Concept ................................................. 628

19.3.1 SAP Best Practices ........................................................................... 629

19.3.2 SAP Template Roles ......................................................................... 629

19.3.3 Methodical Procedure of the SAP Best Practices Role Concept ....... 631

19.3.4 Combination with SAP BusinessObjects Access Control .................. 635

19.4 Content of an Authorization Concept ............................................................. 636

19.4.1 Introduction and Standardization Framework of the Concept ............ 637

19.4.2 Technical Context ...............................................................................638

19.4.3 Risk Evaluation ................................................................................... 638

19.4.4 Person — User — Authorization ........................................................ 639

19.4.5 Authorization Management ................................................................ 640

19.4.6 Organizational Differentiation .............................................................641

19.4.7 Process Documentation .................................................................... 641

19.4.8 Role Documentation .......................................................................... 642

19.5 Summary ....................................................................................................... 642

Appendices ............................................................................................................... 643

A List of Abbreviations .............................................................................................645

B Glossary ................................................................................................................649

C Bibliography ......................................................................................................... 661

D The Authors ......................................................................................................... 663

Index ......................................................................................................................... 665
