Properly Maintaining Security With PFCG

Post on 07-Dec-2015


How to Properly Maintain Security using Profile Generator

Objective

• SAP Security Overview

• Profile Generator Best Practice

• Summary

SAP Security Overview

User (User ID, e.g. TTSAN) → Security Role 1, Security Role 2, Security Role 3

SAP Security Overview

Security Role (e.g. Security Administrator) → Profile 1, Profile 2, Profile 3

SAP Security Overview

Profile (contains up to 150 Authorizations) → Authorization 1, Authorization 2, … Authorization 150

SAP Security Overview

Authorization Object 1, e.g. S_TCODE: Field TCD = Value SU01

SAP Security Overview

Authorization Object 2, e.g. S_USR_GRP: Field ACTV = Values 01, 02, 03, 06; Field CLASS = customer-defined value

SAP Security Overview

Authorization Object 2, e.g. S_USR_GRP: Field ACTV = Values 01, 02, 06; Field CLASS = Value HOUSTON

SAP Security Overview

Authorization Object 2, e.g. S_USR_GRP: Field ACTV = Value 03; Field CLASS = Value *

SAP Security Overview

Execute “SU01” – Change User
AUTHORITY-CHECK “Authorization1”: Object 1 = “S_TCODE”, TCD = “SU01”

SAP Security Overview

Execute “SU01” – Change User
AUTHORITY-CHECK “Authorization2”: Object 2 = “S_USR_GRP”, ACTV = “02”, CLASS = “HOUSTON”
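The two checks on the slides above, as an added Python model that is not part of the presentation: a user's authorizations are evaluated the way AUTHORITY-CHECK does, so every field of one check must match inside a single authorization, and matches spread across authorizations do not combine. Object and field names (S_TCODE/TCD, S_USR_GRP/ACTV/CLASS) and the values come from the slides; the user buffer itself is constructed.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization: a single object with the allowed values per field."""
    obj: str
    fields: dict  # field name -> list of allowed values; "*" or "HOU*" are wildcards


def value_matches(allowed: str, requested: str) -> bool:
    """SAP value semantics: '*' matches anything, a trailing '*' is a prefix pattern."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return requested.startswith(allowed[:-1])
    return allowed == requested


def authority_check(auths: list, obj: str, **checked) -> bool:
    """Succeeds only if ONE authorization for obj matches EVERY checked field.
    Matching fields spread over different authorizations never combine."""
    for a in auths:
        if a.obj != obj:
            continue
        if all(any(value_matches(v, want) for v in a.fields.get(f, []))
               for f, want in checked.items()):
            return True
    return False


def user_authorizations() -> list:
    """Constructed user buffer: the three authorizations drawn on the slides."""
    return [
        Authorization("S_TCODE", {"TCD": ["SU01"]}),
        Authorization("S_USR_GRP", {"ACTV": ["01", "02", "06"], "CLASS": ["HOUSTON"]}),
        Authorization("S_USR_GRP", {"ACTV": ["03"], "CLASS": ["*"]}),
    ]


def su01_allowed(activity: str, group: str) -> bool:
    """SU01 on a user in `group`: first the S_TCODE check for the transaction,
    then the S_USR_GRP check for the requested activity (02 = change, 03 = display)."""
    auths = user_authorizations()
    return (authority_check(auths, "S_TCODE", TCD="SU01")
            and authority_check(auths, "S_USR_GRP", ACTV=activity, CLASS=group))
```

With this buffer the user can change users in group HOUSTON and display users in any group, but cannot change a user in DALLAS: the HOUSTON authorization fails on CLASS and the `*` authorization fails on ACTV.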

Profile Generator

Transaction

Profile Generator

Change authorization data

Profile Generator

Expert mode for profile generation

Profile Generator

Delete and recreate profile and authorizations

Profile Generator

Edit old status

Profile Generator

Read old status and merge with new data

SAP Security Overview

Missing Organization Value

$BUKRS

Profile Generator

Organizational Level

Profile Generator

Missing Customer-Defined Value

Profile Generator

No open field

Profile Generator

Authorization Status

STANDARD – SAP Standard Value

MAINTAIN – Customer Maintained Value

CHANGED – SAP Standard Value maintained by Customer

MANUALLY – Manually inserted Value

Profile Generator

S_USR_GRP 01, 02, 03, 05, 06, 08, 24

Removing Authorization Value

Profile Generator

Status = Changed

Removing Authorization Value

Profile Generator

New Authorization

Common Security Issue

Profile Generator

Make a copy

Inactivate the original

Best Practice

Profile Generator

Make changes to copy

Best Practice

Profile Generator

Best Practice

Changed Authorization without an inactivated Standard

Profile Generator

Best Practice

Double-click to add comment

Profile Generator

M_MATE_MAT(01, 02)

Does making changes to a copied authorization apply to all situations?

Profile Generator

Where-Used Icon

Profile Generator

Where-used

MM01 = 01

Profile Generator

Adding Authorization Value

What if you want to add value 03?

Profile Generator

SU53 Errors

What if SU53 indicates that MM01 requires an Activity of 24?

Profile Generator

Static Value vs. Dynamic Value

Static Value – a value that is required by a transaction no matter who executes it.

Dynamic Value – a customer-defined value such as company code.

Profile Generator

MM01 always requires an Activity of 01? → Static Value

Profile Generator

Company Code value may vary from user to user depending on business restriction. → Dynamic Value

Profile Generator

Static Value vs. Dynamic Value

Static Value – add to USOBT using transaction SU24.

Dynamic Value – add directly to the Authorization or Org. Data.

Profile Generator

Reorganize & Generate

Authorization counter = 1

Profile Generator

Reorganize & Generate

Reorganize

Profile Generator

Reorganize & Generate

Authorization counter = 0

USOBT – SU24

Overview

Profile Generator

1. NEVER modify S_TCODE unless the Role is built manually.

2. Modify Standard delivered authorization:

a. Only modify when there’s a request to REMOVE authorization, and IF AND ONLY IF no other transaction is linked to that value. Otherwise, removing the transaction itself removes the value.

Summary of Rules and Restrictions

Profile Generator

2. Modify Standard delivered authorization (CONT’D):

b. Always make a copy of the authorization and make changes.

c. Inactivate the original authorization.

d. Modify the copied authorization; its status becomes Changed.

e. Double-click on the description of the authorization to document the reason. The same applies to manually inserted authorizations.

Summary of Rules and Restrictions

Profile Generator

3. If a Changed authorization exists without an inactivated Standard authorization, delete the Changed authorization.

4. SU53 checks that are bogus most of the time:

a. S_ADMI_FCD (SM02).

b. S_CTS_ADMI.

c. S_LAYO_ALV (023).

Summary of Rules and Restrictions

Profile Generator
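A role-hygiene check for rules 2e and 3, added here as a Python example rather than anything from the presentation. It lints a constructed list of PFCG authorizations (the names like T-EX000100 and the change-request texts are made up) and pairs a Changed authorization with an inactivated Standard one by authorization object, which is an assumption about how the copy and its original relate.

```python
from dataclasses import dataclass


@dataclass
class RoleAuth:
    auth_id: str      # PFCG authorization name (constructed, e.g. T-EX000100)
    obj: str          # authorization object, e.g. M_MATE_MAT
    status: str       # "Standard", "Maintained", "Changed" or "Manual"
    active: bool
    text: str = ""    # description edited by double-clicking, per rule 2e


def lint_role(auths: list) -> list:
    """Return human-readable findings; an empty list means the role follows the rules."""
    findings = []
    # Assumption: the inactivated original is the Standard authorization on the same object.
    inactive_standard = {a.obj for a in auths if a.status == "Standard" and not a.active}
    for a in auths:
        # Rule 3: a Changed authorization must have an inactivated Standard original.
        if a.status == "Changed" and a.obj not in inactive_standard:
            findings.append(f"{a.auth_id} ({a.obj}): Changed without inactivated Standard; delete it")
        # Rule 2e: Changed and Manual authorizations must carry a documented reason.
        if a.status in ("Changed", "Manual") and not a.text.strip():
            findings.append(f"{a.auth_id} ({a.obj}): {a.status} authorization has no documentation")
    return findings


def sample_role() -> list:
    """Constructed role: one correct copy/inactivate pair followed by two violations."""
    return [
        RoleAuth("T-EX000100", "M_MATE_MAT", "Standard", active=False),
        RoleAuth("T-EX000101", "M_MATE_MAT", "Changed", active=True, text="CR-0001: removed ACTVT 02"),
        RoleAuth("T-EX000200", "S_USR_GRP", "Changed", active=True, text="ticket 42"),  # no inactive Standard
        RoleAuth("T-EX000300", "S_TCODE", "Manual", active=True),  # undocumented manual insert
    ]
```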

Questions?

Profile Generator

Contact Information

Thomas Tsan
SAP Security Architect
TK Consultants, Inc.
Email: ttsan@tkconsultants.com
Phone: (281) 412-6800

Thank you for attending! Please remember to complete and return your evaluation form following this session.

Session Code: [801]
