Wednesday, March 23, 2011

SAP Security FAQs - User Management & Authorization

What are the main enhancements for authorizations in higher releases?

The Profile Generator has been available since SAP R/3 3.1H, but contains all functions only as of SAP R/3 4.5A. Central User Administration is new in SAP R/3 4.5A, with stable functions as of SAP R/3 4.6D. Integration of external LDAP directory services (for user administration) is available with SAP Web Application Server 6.10 (APO, CRM) and SAP R/3 Enterprise 4.7.
There is a Microsoft Excel-based tool (authorization list) available with the ASAP CD for SAP R/3 4.6B (order number: 50035571) for setting up user roles.

What has to be taken into consideration to make a transition from SAP R/3 to mySAP.com without major changes to the current authorization concept/setup?

Roles should be used as well as Central User Administration (CUA) to provide a clear authorization concept. We recommend that you look at the predefined roles, and copy and enhance them before creating your own roles.

Is a tool available to graphically display authorizations and roles/profiles in connection with the company process model/company data model (not with organizational management)?

Not from SAP. A graphical display is only possible through organizational management if roles are assigned to objects from organizational management. You can otherwise only display roles in the Profile Generator (transaction PFCG) or in the User Information System (transaction SUIM). Partner products with additional value are currently in the certification process.

Is documentation available for tables USERS_SSM and SSM_CUST?

Table USERS_SSM: no documentation available, self-explanatory in maintenance view (transaction SM30).
Table SSM_CUST: For more information, see SAP Notes (search SAP Notes for SSM_CUST and PRGN_CUST).
F4 help is available with SAP Web Application Server 6.10.

Will there be major changes for structural profiles?

With SAP R/3 4.6C, any missing authorizations due to a lack of required data in a structural profile will be reported in transaction SU53. F4 help is also available in table T77UA as of the same release.

Since when do SAP systems support Central User Administration?

Since SAP R/3 4.5A. For more information about Central User Administration, see composite SAP Note 0159885.

Can the users on systems with SAP R/3 4.0 and lower be administered with Central User Administration on SAP R/3 4.5 and higher?

No.

Do I have to maintain roles in the Central User Administration (CUA) once CUA is used?

The system offers you a reasonable degree of flexibility about where you maintain roles. If you are using this feature to assign a role to objects in the organizational structure, such as positions, users, and so on, you should keep in mind the target systems and where you would like to maintain the allocation to the organizational structure.

Does SAP offer directory services?

The SAP system can act as an LDAP directory client. For more information, see the following document on 'Business User Administration'.

How can I link indirect role assignment using organizational management in HR with central user administration?

There are two scenarios in which you can successfully use HR Organizational Management and Central User Administration together:

1. HR-Org in the child systems of the CUA, and local role assignment: Both direct role assignment (transactions SU01, SU10, and so on) and assignment via the HR organizational structure are performed locally. You need to set the switch in transaction SCUM of the central system to local role assignment.

2. HR-Org in the central CUA system, and global role assignment: Both direct and indirect role assignment are performed only in the central system. To do this, the HR organizational model has to be migrated from the HR system to the central system (for notes on how to do this, see the CUA documentation). In this scenario, single roles for a specific target system cannot be assigned via the HR organizational structure. You can, however, assign collective roles that consist of single roles for specific target systems.

Since when can I synchronize SAP user data with directory services through LDAP?

As of SAP Web Application Server 6.10, user data can be synchronized with a directory.

 
