Establish User Role and Authorization Concept

1
Establish User Role and Authorization Concept
presented by Mareike Kallweit
2
Establish User Role and Authorization Concept
3
Establish User Role and Authorization Concept
Start
4
Establish User Role and Authorization Concept
http//www.mit.edu/afs/athena/project/its-alive/sa
p-docs/R3-SecGuide-Vol1.pdf
5
Establish User Role and Authorization Concept
Realization Phase Tasks of Establishing User
Role and Authorization Concept

• Create Authorization Detailed Design
• Review Company Security Philosophy
• Document Transactions Associated with Job
  Functions
• Conduct Authorization Interview with Data Owners
• Identify General Information access and Service
  Use
• Create Authorization Management Procedures
• Implement Authorization Concept
• Create Activity Groups
• Generate Authorization Profile
• Create User Master Models for Job Roles
• Test User Master Models
  
• Validate Authorization Concept
• Identify Activity Group for Individual Users
• Create User Master
• Validate User Masters for Job Functions
• Refine Authorization Design
• Sign Off Authorization Design

? Authorization List
? Complete developed authorization environment
? User Master Records for all Users
6
Establish User Role and Authorization Concept

• What are User Roles and Authorization ?
• ? To access or execute SAP transactions a
• user requires corresponding authorization
• ? A User Role defines the users authorization

Why are User Roles and an Authorization Concept
necessary? ? Company Security philosophy
protection from unauthorized access
Requirement of maximum security and sufficient
privileges for end users to fulfill their job
duties
7
Establish User Role and Authorization Concept

• FLEXIBLE AUTHORIZATION CONCEPT
• protects applications and data from unauthorized
  access
• provides users with the necessary authorization
  for individual application
• Main tool to create, implement and validate
  authorization concept is the
• Profile Generator

8
Establish User Role and Authorization Concept

• Responsibilities for processes and functions
  already defined in
• Business Blueprint phase
• These responsibility definitions are used in
  authorization design
• Company Security Philosophy
• Security policy of organization to be checked
• Security requirements in each department to be
  checked
• Level of Security to be recorded
• each application area must supply roles
  (Authorization List)
• a role is a task or activity, or combination of
  tasks and activities
• authorizations are based on selection of
  activities grouped in activity groups

9
Establish User Role and Authorization Concept

• Authorization Management Procedures
• To create, change and monitor activity groups,
  profiles, authorizations and users
• Authorization data administrator creates
  activity groups, chooses transactions
• and maintains the authorization data,
• NOT allowed to generate profiles
• Authorization profile administrator displays
  mode to check data created by
• authorization data administrator, if data is
• correct administrator generates profiles
• User administrator assigns activity group to
  users, authorization
• profile is then added to user master record

10
Establish User Role and Authorization Concept
Job functions?
Authorization Profile
Activity Group/ User Role
Authorization
END-USER
User Master Record Roles are assigned to an End
User
Automatically generated with Profile Generator
11
Establish User Role and Authorization Concept

• Create Activity Groups / User Roles

Standard User Roles

• Activity group/User Role
• - Based on the organizational plan of the company
• - covers a specific work area / job function
• includes transactions, reports, links (user
  menu)
• Single Roles, Derived Roles, Composite Roles

12
Establish User Role and Authorization Concept

• Generate Authorization Profiles
• Authorizations are defined as set of permitted
  values for the fields of an
• authorization object

Activityobject
SAP transaction CREATING SALES ORDER Sales
Organization Distribution Channel Division
fields
Authorization profile - Authorizations are
combined in profiles - contains all individual
authorizations for User Roles
13
Establish User Role and Authorization Concept
Role 3
Assigning Users to Roles
Role 1
Role 4
Role 2
Derived Role 1
Composite Role A

• Job description and related activity group and
  profile must be
• identified for each end user
• employees of same department are often grouped
  in one end user group

User Masters as complete list of activity groups
(User Roles) and profiles to assign to each end
user
14
Establish User Role and Authorization Concept

• Creating User Master Models for Job Roles
• Samples User Master Records are developed and
  tested for all user roles
• User Master Records are client-specific
• User Master Record
• - determines which activities contain in user
  menu
• - allows access to functions and objects
  (authorization)
• - enables user to log onto SAP system / password
• - contains all user parameters
• - work within limits of specified authorization
  profile possible
• - definition of start menus

15
Establish User Role and Authorization Concept

• Test User Masters for Job Functions
• ? Test for users to ensure that all necessary
  activities and transactions can be executed and
  accessed
• ? Each User Master Record (activity group and
  generated authorization profile) must be tested
• ? Test if optimum data security has been achieved
• Final step before productive operation
• ? Sign Off Authorization Design

16
Establish User Role and Authorization Concept
for your attention !
Reference various pages of help.sap.com