Implementing User and Authorization Management Strategies

Objective

After completing this lesson, you will be able to implement user and authorization management strategies.

User and Authorization Administration

In today's system landscapes, an administrator has many tasks to perform to structure and maintain user master records and roles. These activities should also be subject to an authorization check and should not all be available to one administrator. You can use the objects presented on the following pages to flexibly implement a principle of dual or treble control.

Daily Tasks and Activities of an Administrator

  • Create, maintain, lock and unlock users, and change passwords

  • Create and maintain roles

  • Maintain transaction selections and authorization data in roles

  • Generate authorization profiles

  • Assign roles and profiles

  • Transport roles

  • Monitor using the Information System

  • Archive change documents

The administrator uses the transactions SU01 and PFCG for the activities listed above. When these transaction codes are used, the following objects are checked in the program code.

Diagram showing Authorization Objects: Users.

The object User Master Record Maintenance: User Groups (S_USER_GRP) defines the user groups for which an administrator has authorization and the activities that are allowed.

The object S_USER_GRP can be used to grant administration rights for only a certain user group in decentralized administration.

Authorization object S_USER_SAS is checked in transactions SU01, SU10, PFCG, and PFUD when roles, profiles, and systems are assigned to users. It is a further development of the authorization objects S_USER_GRP, S_USER_AGR, S_USER_PRO, and S_USER_SYS, which were previously checked when authorizations were made.

The check of authorization object S_USER_SAS is active by default and can be deactivated using a Customizing switch. To deactivate it, use transaction SM30 to create an entry in table PRGN_CUST with the ID CHECK_S_USER_SAS and the value NO. The authorization objects S_USER_GRP, S_USER_AGR, S_USER_PRO, and S_USER_SYS are then checked again instead.

Only one of the Role and Authorization Profile fields is ever checked. The other field can be left empty in the definition of the authorizations.

The previous object S_USER_SYS can be used in decentralized administration to grant administration rights for only users in a certain system from the central user administration. The object S_USER_SYS defines which system a user administrator can access from the central user administration and the activities that are allowed.

Diagram showing Authorization Objects: Roles.

The object Authorization: Role Check (S_USER_AGR) defines the role names for which an administrator is authorized and the activities that are allowed.

The object S_USER_AGR can be used in decentralized administration to grant an administrator authorization access to only certain roles (such as for a module or an organizational unit).

The object Authorizations: Transactions in Roles (S_USER_TCD) defines the transactions that an administrator may include in a role.

The object S_USER_TCD can be used to grant an administrator authorization to include only certain transactions in roles and thus prevent critical transactions from being included in roles.

The object Authorizations: Field Values for Roles (S_USER_VAL) defines the field values an administrator may enter in roles for a particular authorization object and particular fields.

The object S_USER_VAL can be used to grant an administrator authorization to assign only certain authorizations in roles and thus prevent critical authorizations from being included in roles.

Diagram showing Authorization Objects: Profiles and Authorizations.

The object User Master Record Maintenance: Authorization Profile (S_USER_PRO) defines the profile names for which an administrator has authorization and the activities that are allowed.

The object S_USER_PRO can be used to grant an administrator authorization to assign only certain profiles in a decentralized administration (such as for a module or an organizational unit).

The object User Master Record Maintenance: Authorizations (S_USER_AUT) defines the authorization object name and the authorization name for which an administrator has authorization and the activities that are allowed.

The object S_USER_AUT can be used to grant an administrator authorization to create only certain authorizations in roles and thus prevent critical authorizations from being created in roles.

Diagram showing Authorization Objects: Administration Functions.

The authorization object S_USER_ADM checks access to general administration functions for user and authorization administration.

The object contains exactly one authorization field with the name of the administration functions. The field S_ADM_AREA can have the following values:

  • CHKSTDPWD: Display special users (such as SAP*) with default passwords.
  • PRGN_CUST: Change the Customizing table PRGN_CUST.
  • SSM_CUST: Change the Customizing table SSM_CUST.
  • USR_CUST: Change the Customizing table USR_CUST.
  • USR_CUST_S: Change the Customizing table USR_CUST_SYSTEM.
  • ID_MODEL: Change the identity model.
  • SNC4: Check canonical SNC names.

Each administration function includes the area to be administered and the activity required to do this.

Options for Decentralization of User Administration

Security Requirements

  • A single administrator must not be able to administer users, maintain authorizations, and generate authorization profiles

  • Solution by separating functions

    Principle of dual control

    • User administration

    • Authorization maintenance and generation

    Principle of treble control

    • User administration

    • Authorization maintenance

    • Authorization generation

The authorization system can be used to flexibly organize maintenance of the user master records, profiles, and authorizations.

  • If your company is small and is organized centrally, all the tasks connected with maintaining the user master records and the authorization components can be handled by a single user called the superuser.

  • If you want to ensure that your system maintains a higher level of security, you can share the responsibility for maintaining the user master records and the authorizations among a user administrator and an authorization administrator, each having limited responsibility (principle of dual control).

  • For maximum system security you can share the responsibility for maintaining the user master records and the authorizations among a user administrator, an authorization data administrator and an authorization profile administrator, each having limited responsibility (principle of treble control).

  • Since you can assign specific authorizations for the user and administrator maintenance, the administrators need not be privileged users in your IT department. Normal users can be responsible for maintaining the user master records and authorizations.

Illustration showing the separation of functions among three administrators.

Sharing the administrative tasks among three administrators is called the principle of treble control.

The superuser sets up all the user master records, profiles, and authorizations for the administrator.

The authorization data administrator creates the roles, selects transactions, and maintains the authorization data. He or she simply saves the data in Role Maintenance since he or she does not have the necessary authorization for generating the profile. He or she accepts the proposed profile name "T-...". The authorization data administrator may not change users, nor generate profiles.

The authorization profile administrator starts transaction SUPC and chooses All Roles. He or she then restricts his or her selection, for example by entering the ID of the role to be edited. On the next screen, he or she chooses Display Profile to check the data. If all the data is correct, he or she generates the authorization profile. The authorization profile administrator may not change users, change the data for roles, nor generate profiles containing authorization objects beginning with S_USER*.

The user administrator then assigns this role to a user (from the user maintenance transaction SU01). The profile is entered for the user. The user administrator may not change data for roles, nor change or generate profiles.

The principle of dual control combines the tasks and authorizations of the authorization data administrator and those of the authorization profile administrator.

Diagram showing Decentralized User Administration.

With decentralized user administration, there are several user administrators each responsible for administration of a certain group of users.

The administration tasks in decentralized user administration can be shared according to different criteria:

  • Application Area / Module

    The users are assigned to decentralized user administrators, each of whom is responsible for a business application or an SAP module.

  • Locations

    The users are assigned to decentralized user administrators, each of whom is responsible for all users at that location.

  • Departments

    The users are assigned to decentralized user administrators, each of whom is responsible for all the users in the department.

Technically, decentralization is implemented by grouping users to form user groups. Each decentralized user administrator may only administer the users assigned to the user group for which he or she is responsible. Accordingly, each decentralized user administrator may only assign the roles needed for his or her application module, location, or department.

Scenario 1, Principle of Dual Control

  • Central User Administration

    • One user administrator for all users

    • Unlimited authorizations for all user administration tasks of the user administrator

  • Central Maintenance of Roles and Profiles

    One administrator performs both roles

    • Authorization data administrator

    • Authorization profile administrator

    • All authorizations for maintaining the roles and profiles

First scenario showing the authorization management.

In this scenario, there is one central user administrator for the development system and one for the production system.

The development system also has a central administrator responsible for authorization data administration and authorization profile administration.

Scenario 2, Principle of Treble Control

  • Decentralized User Administration (Production System)

    One user administrator for each application area (FI, MM):

    • Authorized to maintain a certain user group

    • Authorized to assign a certain number of roles and profiles

    • No other restrictions in the specific user administration tasks

  • Central Maintenance of Roles and Profiles

    Separation of responsibilities:

    • One authorization data administrator

    • One authorization profile administrator

    • No other restrictions with regard to specific roles or profiles for both administrators

Second scenario showing the authorization management.

This scenario has two user groups, each of which is administered by its own user administrator in the production system.

  • The group of FI users (FI_USER) is administered by the FI user administrator.

  • The group of MM users (MM_USER) is administered by the MM user administrator.

The decentralized user administrators must be restricted as follows:

  • Administration of the user group for which they are responsible (S_USER_GRP)

  • Assignment of the relevant roles and profiles for the user group (S_USER_AGR, S_USER_PRO)

The users must be assigned to the appropriate groups (FI_USER, MM_USER).

Caution: Users not belonging to any group can be administered by both user administrators.

Scenario 3, Principle of Treble Control, Decentralized User Administration in PRD

  • Central Creation and Deletion for All Users (prod.)

  • Decentralized User Administration (Production System)

    One user administrator for each application area (FI, MM):

    • Authorized to maintain a certain user group

    • Authorized to assign a certain number of roles and profiles

    • Authorized for only certain user administration tasks (change, lock/unlock, reset password)

  • Central Maintenance of Roles and Profiles

    Separation of responsibilities:

    • One authorization data administrator

    • One authorization profile administrator

    • No other restrictions with regard to specific roles or profiles for both administrators

Third scenario showing the authorization management.

This scenario has two user groups, each of which is administered by its own user administrator in the production system:

  • The group of FI users (FI_USER) is administered by the FI user administrator.

  • The group of MM users (MM_USER) is administered by the MM user administrator.

In contrast to scenario 2, the user administrators may only perform the following activities for users in their group:

  • Lock / unlock users

  • Change passwords

  • Assign roles and profiles

A central user administrator creates and deletes the users.

The decentralized user administrators must be restricted as follows:

  • Administration of the user group for which they are responsible (S_USER_GRP)

  • Activities in user administration (S_USER_GRP)

  • Assignment of the relevant roles and profiles for the user group (S_USER_AGR, S_USER_PRO)

The users must be assigned to the appropriate groups (FI_USER, MM_USER).
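The group-based restrictions of scenarios 2 and 3, modelled as an added example that is not part of the SAP lesson: a small Python evaluator for S_USER_GRP that also reproduces the caution about users without a group, plus an audit helper that lists such users. Activity codes 01/02/03/05/06 follow the S_USER_GRP convention (create, change, display, lock/unlock and password, delete); verify them in SU21 on your own system.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class UserGrpAuth:
    """One S_USER_GRP authorization: the CLASS (user group) values and the
    ACTVT values it grants. CLASS values may end in '*' as in SAP."""
    classes: Tuple[str, ...]
    actvts: Tuple[str, ...]


@dataclass
class Admin:
    name: str
    auths: List[UserGrpAuth] = field(default_factory=list)


@dataclass
class User:
    name: str
    group: Optional[str]  # None models a user with no user group assigned


def _class_matches(pattern: str, group: str) -> bool:
    """SAP-style generic value: '*' matches everything, 'FI*' matches a prefix."""
    return pattern == "*" or fnmatchcase(group, pattern)


def may_administer(admin: Admin, user: User, actvt: str) -> bool:
    """Does `admin` hold S_USER_GRP for the group of `user` with activity `actvt`?

    A user without a group passes for every administrator that holds the
    activity at all, which is the exposure the lesson's caution describes."""
    for auth in admin.auths:
        if actvt not in auth.actvts:
            continue
        if user.group is None:
            return True
        if any(_class_matches(c, user.group) for c in auth.classes):
            return True
    return False


def ungrouped_users(users: List[User]) -> List[str]:
    """Audit helper: users that every decentralized administrator could maintain."""
    return sorted(u.name for u in users if u.group is None)


# Constructed sample data following scenario 3: the central administrator
# creates and deletes (01, 06); the FI and MM administrators may only change,
# lock/unlock and reset passwords (02, 05) for users in their own group.
CENTRAL_ADM = Admin("CENTRAL", [UserGrpAuth(("*",), ("01", "02", "03", "05", "06"))])
FI_ADM = Admin("FI_ADM", [UserGrpAuth(("FI_USER",), ("02", "03", "05"))])
MM_ADM = Admin("MM_ADM", [UserGrpAuth(("MM_USER",), ("02", "03", "05"))])
USERS = [User("FI1", "FI_USER"), User("MM1", "MM_USER"), User("TEMP1", None)]

if __name__ == "__main__":
    for admin in (CENTRAL_ADM, FI_ADM, MM_ADM):
        for user in USERS:
            allowed = [a for a in ("01", "02", "05", "06") if may_administer(admin, user, a)]
            print(f"{admin.name:8} {user.name:6} -> {allowed}")
    print("users without a group:", ungrouped_users(USERS))
```

Running the block shows TEMP1 as maintainable by both decentralized administrators, which is the condition to clear before relying on group-based separation.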

Practice System Exercise: Access Control and User Administration

Note

If you have access to a practice system, you can now execute this exercise.

Business Example

As part of their daily work, data protection officers check the security settings. You can refine these by setting up a security policy.

Task 1: Check Security Settings

You are the data protection officer and want to check the SAP system's assignment of authorizations and security.

Steps

  1. Display all the users GR##* according to logon date and password change.

    Which of your users GR##* are not in use?

    ___________________________________________________

    Which of your users GR##* do not have a valid password?

    ___________________________________________________

    When did the user GR##-ADM log on to the system?

    ___________________________________________________

    1. Navigate to the User Information System in the SAP Menu.

      SAP Menu: Tools → Administration → User Maintenance → Information System

    2. Expand the structure for the User node, and select the report By Logon Date and Password Change (RSUSR200) by double-clicking it.

    3. Enter GR##* in the User field.

    4. Choose Execute (F8).

    Result

    The users which are not in use are displayed in the Date of Last Logon column.

    ___________________________________________________

    The users who do not have a valid password are displayed in the Password Status column.

    ___________________________________________________

    The logon date and time of the user GR##-ADM is displayed in the Date of Last Logon and Last Logon Time columns.

    ___________________________________________________

  2. Check the logon rules and settings for special users in the system. How can you request this information?

    How many characters are set for the minimum password length?

    _____________________________________

    After how many incorrect logons is the user locked?

    _____________________________________

    Is the user automatically unlocked?

    _____________________________________

    1. Start the Display Profile Parameter transaction (RSPFPAR).

      In the OK code field, enter the transaction code RSPFPAR.

    2. Enter login* in the Profile Parameters field.

    3. Choose Execute (F8).

    Result

    System parameter to define the minimum password length: login/min_password_lng :="5"

    System parameter that defines after how many incorrect logons the user is locked: login/fails_to_user_lock :="5"

    System parameter to define if users are automatically unlocked: login/failed_user_auto_unlock :="0 (no)"

    You can view the descriptions of the system parameters in transaction RZ11.

Task 2: Create a Security Policy

Create a security policy with the following restrictions: MIN_PASSWORD_LENGTH = 8 and PASSWORD_CHANGE_INTERVAL = 100.

Steps

  1. Start the transaction SECPOL.

    1. In the OK code field, enter the transaction code SECPOL.

  2. Create a new security policy GR##-SECPOL.

    1. Choose the Display → Change (Ctrl+F1) icon.

    2. Choose New Entries.

    3. Enter GR##-SECPOL in the Security Policy column and enter Policy ## in the Short Text column.

    4. Choose Save (Ctrl+S).

    5. Select a transport request or create a new one:

      To create a new transport request choose Create.

      Enter a short description and choose Save (Enter).

    6. Select the line with your security policy GR##-SECPOL.

    7. Double-click Attributes in the Dialog Structure area.

    8. Choose New Entries.

    9. Enter MIN_PASSWORD_LENGTH in the Policy Attribute Name column and enter 8 in the Attrib. Value column.

    10. Enter PASSWORD_CHANGE_INTERVAL in the Policy Attribute Name column and enter 100 in the Attrib. Value column.

    11. Choose Save (Ctrl+S).

    12. Choose Back (F3) twice.

  3. Assign the security policy to the users you have created using the User Mass Maintenance transaction.

    User names:

      - GR##-FI1
      - GR##-FI2
      - GR##-SD1
      - GR##-SD2
      - GR##-MM1
      - GR##-MM2

    1. Start the User Mass Maintenance transaction.

      SAP Menu: Tools → Administration → User Maintenance → User Mass Maintenance (transaction code SU10).

    2. Choose Address Data in the User selection area.

    3. Enter GR##* in the Users field.

    4. Choose Execute (F8).

    5. Choose the Select All icon on the top left of the resulting table (Ctrl+A).

    6. Choose Transfer.

    7. Choose Change (Shift+F6).

    8. Enter GR##-SECPOL in the Security Policy field.

    9. Choose Change.

    10. Choose Save (Ctrl+S).

    11. Choose Back (F3) twice.
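How the policy from task 2 interacts with the login/* parameters checked in task 1, as an added example that is not part of the lesson: it assumes SAP's documented rule that a user assigned a security policy is governed by the attributes that policy maintains while any user without one falls back to the profile parameters, and it assumes PASSWORD_CHANGE_INTERVAL maps to login/password_expiration_time. Sample values are the ones the exercise uses.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy attribute -> profile parameter it overrides. The first pair is stated
# in the exercise; the second is an assumption about SAP's mapping.
ATTRIBUTE_TO_PARAMETER = {
    "MIN_PASSWORD_LENGTH": "login/min_password_lng",
    "PASSWORD_CHANGE_INTERVAL": "login/password_expiration_time",
}

# Constructed system state: the parameter value the exercise found (5) and a
# change interval of 0, which in SAP means passwords never expire.
PROFILE_PARAMS: Dict[str, int] = {
    "login/min_password_lng": 5,
    "login/password_expiration_time": 0,
}

# Constructed SECPOL policy with the two attributes from task 2.
POLICIES: Dict[str, Dict[str, int]] = {
    "GR00-SECPOL": {"MIN_PASSWORD_LENGTH": 8, "PASSWORD_CHANGE_INTERVAL": 100},
}


@dataclass
class User:
    name: str
    security_policy: Optional[str]  # None: no policy assigned in SU01/SU10
    last_password_change: date


def effective_attributes(policy_name: Optional[str],
                         policies: Dict[str, Dict[str, int]],
                         params: Dict[str, int]) -> Dict[str, int]:
    """Values that actually apply to a user: profile parameters first, then
    every attribute the assigned policy maintains overrides its parameter."""
    values = {attr: params[param] for attr, param in ATTRIBUTE_TO_PARAMETER.items()}
    if policy_name is not None:
        values.update(policies[policy_name])
    return values


def password_change_due(user: User, today: date,
                        policies=POLICIES, params=PROFILE_PARAMS) -> bool:
    """True if the user's password is older than the effective change interval."""
    effective = effective_attributes(user.security_policy, policies, params)
    interval = effective["PASSWORD_CHANGE_INTERVAL"]
    if interval == 0:  # 0 = no forced change
        return False
    return (today - user.last_password_change).days > interval


def _strictness(attr: str, value: int) -> float:
    """Higher is stricter. A change interval of 0 (never) is the weakest."""
    if attr == "MIN_PASSWORD_LENGTH":
        return value
    return float("-inf") if value == 0 else -value


def weaker_than_parameters(policy: Dict[str, int], params=PROFILE_PARAMS) -> List[str]:
    """Audit: attributes where a policy relaxes the system-wide parameter.
    A security policy can weaken as well as tighten, so check before assigning."""
    weak = []
    for attr, value in policy.items():
        system = params[ATTRIBUTE_TO_PARAMETER[attr]]
        if _strictness(attr, value) < _strictness(attr, system):
            weak.append(attr)
    return sorted(weak)


if __name__ == "__main__":
    today = date(2024, 6, 1)
    users = [User("GR00-FI1", "GR00-SECPOL", date(2024, 1, 1)),
             User("SERVICE1", None, date(2024, 1, 1))]
    for u in users:
        print(u.name, effective_attributes(u.security_policy, POLICIES, PROFILE_PARAMS),
              "change due:", password_change_due(u, today))
    print("relaxed attributes:", weaker_than_parameters({"MIN_PASSWORD_LENGTH": 4}))
```

A user the SU10 step missed (SERVICE1 here) keeps the weaker parameter values, which is why the mass-maintenance selection in task 2 deserves a second look.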

Task 3: Explore Authorization Objects for Table Maintenance Using Standard Tools

Create authorizations so that a user can view specific tables in transaction SE16. The user must be able to display two tables. Those table names are USR40 and PRGN_CUST.

Steps

  1. Which authorization objects give access for the display or maintenance of table contents with generic table access tools?

    ___________________________________________________

    ___________________________________________________

    Result

    The following authorization objects give access for the display or maintenance of table contents with generic table access tools:

    - S_TABU_DIS

    - S_TABU_NAM

  2. Explore authorization object S_TABU_DIS.

    Display the documentation for the authorization object S_TABU_DIS.

    What is the main function of this authorization object?

    ___________________________________________________

    ___________________________________________________

    1. Navigate to the User Information System in the SAP Menu.

      SAP Menu: Tools → Administration → User Maintenance → Information System

    2. Expand the structure for the Authorization Objects node, and select the report Authorization Objects - By Object Name, Text by double-clicking it.

    3. Enter S_TABU_DIS in the Authorization Object field.

    4. Choose Execute (F8).

    5. Double-click object S_TABU_DIS.

    6. Choose Display Object Documentation.

      This authorization object checks authorizations for displaying or maintaining table contents.

  3. Which fields does authorization object S_TABU_DIS contain?

    ___________________________________________________

    ___________________________________________________

    1. Take the fields of S_TABU_DIS from the Defined fields in the documentation:

      - DICBERCLS (Authorization Group)

      - ACTVT (activity)

      Authorization object S_TABU_DIS provides access to all tables of an authorization group.

    2. Choose Close.

    3. Choose Cancel (F12).

    4. Choose Back (F3) to return to the Authorization Objects by Complex Selection Criteria screen.

  4. Explore authorization object S_TABU_NAM.

    Display the documentation for the authorization object S_TABU_NAM.

    What is the main function of this authorization object?

    ___________________________________________________

    ___________________________________________________

    1. Navigate to the User Information System in the SAP Menu.

      SAP Menu: Tools → Administration → User Maintenance → Information System

    2. Expand the structure for the Authorization Objects node, and select the report Authorization Objects - By Object Name, Text by double-clicking it.

    3. Enter S_TABU_NAM in the Authorization Object field.

    4. Choose Execute (F8).

    5. Double-click object S_TABU_NAM.

    6. Choose Display Object Documentation.

      This authorization object checks authorizations for displaying or maintaining table contents.

  5. Which fields does authorization object S_TABU_NAM contain?

    ___________________________________________________

    ___________________________________________________

    1. Take the fields of S_TABU_NAM from the Defined fields in the documentation:

      - TABLE (table or view name)

      - ACTVT (activity)

      Authorization object S_TABU_NAM provides access to a single table or view. The object is only checked if the authorization check for object S_TABU_DIS failed.

    2. Choose Close.

    3. Choose Cancel (F12).

    4. Choose Back (F3) to return to the Authorization Objects by Complex Selection Criteria screen.

Task 4: Find the Authorization Group Assigned to a Table

Find the authorization group assigned to table USR40.

Then, find all tables assigned to authorization group SUSR.

Steps

  1. Find the authorization group assigned to table USR40.

    Table group assigned to table USR40:

    _________________________________

    1. Start the Generate Table Maintenance Dialog transaction (SE54).

      SAP Menu: Tools → ABAP Workbench → Development → Other Tools → General Table Maintenance Dialog (transaction code: SE54).

    2. Select "Assign Authoriz. Group" and choose Display.

    3. Enter USR40 in the Table/View field.

    4. Choose Execute (F8).

      Table USR40 is assigned to the authorization group SUSR

    5. Choose Back (F3) twice to return to the start screen of transaction SE54.

  2. How many tables are assigned to authorization group SUSR?

    _________________________________

    1. Start the Generate Table Maintenance Dialog transaction (SE54).

      SAP Menu: Tools → ABAP Workbench → Development → Other Tools → General Table Maintenance Dialog (transaction code: SE54).

    2. Select "Assign Authoriz. Group" and choose Display.

    3. Enter SUSR in the Authorization Group field.

    4. Choose Execute (F8).

      52 tables are assigned to the authorization group SUSR.

    5. Choose Back (F3) twice to return to the start screen of transaction SE54.

Task 5: Create a Role for Reading Tables USR40 and PRGN_CUST

Create a role for reading tables USR40 and PRGN_CUST. Access to table USR40 should be assigned by authorization object S_TABU_DIS and access to table PRGN_CUST should be assigned by authorization object S_TABU_NAM.

Steps

  1. Start Role Maintenance, create the role GR##_TAB_ANZ, and write a short description.

    1. SAP Menu:

      Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

    2. Enter the name for the role GR##_TAB_ANZ in the Role field.

    3. Choose Create Single Role.

    4. Enter description Display tables in the Description field.

    5. Then choose Save (Ctrl+S) to save your role.

  2. Add the transaction SE16 to the role menu.

    1. Go to the Menu tab page.

    2. Choose the Transaction button and enter the following transaction code in the Transaction code field:

      - SE16

    3. Choose Assign Transactions.

    4. Then choose Save (Ctrl+S) to save your role.

  3. Go to the Authorizations tab page and define the authorizations.

    Define the following authorizations:

    Object        Field        Value (Interval)
    S_TABU_DIS    DICBERCLS    SUSR
                  ACTVT        Display
    S_TABU_NAM    TABLE        PRGN_CUST
                  ACTVT        Display

    1. Go to the Authorizations tab page.

    2. Choose Change Authorization Data.

    3. Expand Object Class BC_A.

    4. Expand Authorization Object S_TABU_DIS.

    5. Expand Authorization Authorizat. 00.

    6. Choose the Pencil icon to the right of the DICBERCLS field.

    7. Enter SUSR in the Field values window.

    8. Choose Transfer (Enter).

    9. Expand Authorization Object S_TABU_NAM.

    10. Expand Authorization Authorizat. 00.

    11. Choose the Pencil icon to the right of the TABLE field.

    12. Enter PRGN_CUST in the Field values window.

    13. Choose Transfer (Enter).

  4. If necessary: Maintain Authorizations - Set all open authorization values to full authorization.

    1. Choose the Status button.

    2. Choose Execute (Enter) in the Assign Full Authorization of Subtree window.

  5. Maintain Authorizations - Generate the authorization profile for your role.

    1. Choose the Generate icon.

    2. In the Assign Profile Name for Generated Authorization Profile window, accept the proposed profile name and choose Execute (Enter).

    3. Choose Back (F3) to return to the Change Roles screen.

  6. Assign the role to your user GR##-FI1. Perform a user master comparison and exit role maintenance.

    1. Go to the User tab page.

    2. Enter GR##-FI1 in the User ID column.

    3. Choose Save (Ctrl+S).

    4. Choose User Comparison.

    5. Choose Full Comparison on the Compare Role User Master Record window.

    6. Choose Cancel (F12) on the Compare Role User Master Record window.

    7. Choose Back (F3) to return to the Role Maintenance screen.

Task 6: Log On as GR##-FI1 and Check the Table Authorizations

Log on as GR##-FI1. Call transaction SE16, and answer the following questions:

Use the password automatically generated in the exercise for the user master record or assign a new initial password in user maintenance.

Change the password when you log on: ______________________

Steps

  1. Log on to the system as user GR##-FI1.

    1. Start SAP Logon.

    2. Select system T41 and choose Log On.

    3. Enter the user name GR##-FI1 in the User field.

    4. Enter the generated password in the Password field.

      Use the password automatically generated in the exercise for the user master record or assign a new initial password in user maintenance.

    5. Choose Enter.

    6. Enter a new productive password of your choice in the New Password and the Repeat Password fields.

      New password : ______________________

    7. Choose Transfer (Enter).

    8. Choose Continue (Enter).

  2. Can you display table USR40? Why?

    ___________________________________________________

    ___________________________________________________

    1. Start transaction SE16 (Data Browser) from the User menu.

    2. Enter USR40 in the Table Name field.

    3. Choose Table Contents (F7).

    4. Choose Execute (F8).

    5. Choose Back (F3) twice, to return to the Data Browser: Initial Screen.

    Result

    Yes, you can display table USR40. When this table is displayed, authorization group SUSR, which is in the user master record, is checked.

  3. Can you display table USREFUSVAR? Why?

    ___________________________________________________

    ___________________________________________________

    1. Start transaction SE16 (Data Browser) from the User menu.

    2. Enter USREFUSVAR in the Table Name field.

    3. Choose Table Contents (F7).

    4. Choose Execute (F8).

    5. Choose Back (F3) twice, to return to the Data Browser: Initial Screen.

    Result

    Yes, you can display table USREFUSVAR. This table is also assigned to the authorization group SUSR.

  4. Can you display table PRGN_CUST? Why?

    ___________________________________________________

    ___________________________________________________

    1. Start transaction SE16 (Data Browser) from the User menu.

    2. Enter PRGN_CUST in the Table Name field.

    3. Choose Table Contents (F7).

    4. Choose Execute (F8).

    5. Choose Back (F3) twice, to return to the Data Browser: Initial Screen.

    6. Log off the system.

    Result

    Yes, you can display table PRGN_CUST. When this table is displayed, authorization is checked by authorization object S_TABU_NAM.
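The check order the lesson describes for SE16 (S_TABU_DIS on the table's authorization group first, S_TABU_NAM on the table name only if that fails), as an added Python model that is not part of the lesson. The role GR##_TAB_ANZ from task 5 is encoded as constructed data, table groups other than SUSR are placeholders, and &NC& is assumed as the group SAP applies to tables without an assignment.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

DISPLAY, CHANGE = "03", "02"  # ACTVT values

# Constructed excerpt of the table -> authorization group assignment that SE54
# displays. USR40 and USREFUSVAR are in SUSR as the exercise found; the other
# groups are placeholders for this example.
TABLE_GROUPS: Dict[str, str] = {
    "USR40": "SUSR",
    "USREFUSVAR": "SUSR",
    "PRGN_CUST": "ZPLACEHOLDER",
    "ZCUSTDATA": "ZCUST",
}
UNCLASSIFIED = "&NC&"  # group used for tables without an assignment

# Authorizations of role GR##_TAB_ANZ from task 5 (constructed): object ->
# list of authorizations, each a field -> allowed values mapping.
Authorizations = Dict[str, List[Dict[str, List[str]]]]
ROLE_TAB_ANZ: Authorizations = {
    "S_TABU_DIS": [{"DICBERCLS": ["SUSR"], "ACTVT": [DISPLAY]}],
    "S_TABU_NAM": [{"TABLE": ["PRGN_CUST"], "ACTVT": [DISPLAY]}],
}


def _value_matches(pattern: str, value: str) -> bool:
    """SAP generic value: '*' alone matches all, a trailing '*' matches a prefix."""
    return pattern == "*" or fnmatchcase(value, pattern)


def authority_check(auths: Authorizations, obj: str, **fields: str) -> bool:
    """Model of AUTHORITY-CHECK: a single authorization for `obj` must
    satisfy every field passed in."""
    for auth in auths.get(obj, []):
        if all(any(_value_matches(p, v) for p in auth.get(f, []))
               for f, v in fields.items()):
            return True
    return False


def table_access(auths: Authorizations, table: str,
                 actvt: str = DISPLAY) -> Tuple[bool, Optional[str]]:
    """Generic table access as SE16 evaluates it: S_TABU_DIS on the table's
    authorization group first, S_TABU_NAM on the table name only if that fails.
    Returns (allowed, object that granted access)."""
    group = TABLE_GROUPS.get(table, UNCLASSIFIED)
    if authority_check(auths, "S_TABU_DIS", DICBERCLS=group, ACTVT=actvt):
        return True, "S_TABU_DIS"
    if authority_check(auths, "S_TABU_NAM", TABLE=table, ACTVT=actvt):
        return True, "S_TABU_NAM"
    return False, None


def tables_reachable_via_group(auths: Authorizations, actvt: str = DISPLAY) -> List[str]:
    """Review helper: every known table a group-based grant opens, not just the
    one the role author had in mind (USREFUSVAR comes along with USR40)."""
    return sorted(t for t, g in TABLE_GROUPS.items()
                  if authority_check(auths, "S_TABU_DIS", DICBERCLS=g, ACTVT=actvt))


if __name__ == "__main__":
    for t in ("USR40", "USREFUSVAR", "PRGN_CUST", "ZCUSTDATA", "ZNOGROUP"):
        print(f"{t:12} display -> {table_access(ROLE_TAB_ANZ, t)}")
    print("change USR40 ->", table_access(ROLE_TAB_ANZ, "USR40", CHANGE))
    print("group SUSR opens:", tables_reachable_via_group(ROLE_TAB_ANZ))
```

The last helper is the check to run before granting S_TABU_DIS on a group: in the exercise the single group SUSR opens 52 tables, while S_TABU_NAM on PRGN_CUST opens exactly one.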
