Question:
Hello all,
I am writing a SAP Security manual which will probably be finished somewhere around the end of January/February.
At this moment I have included the general authorization concept and already some topics on SAP CRM specific security. An extra chapter on BW authorizations will be included afterwards!
Those that are interested in more information can always email me at davy.pelssers@cernum.com
1. Introduction 4
2. SAP Authorization Concept 4
2.1. Authorization Components and their Relationships 5
2.2. The Profile Generator (PFCG) 8
2.2.1. Installing the Profile Generator 9
2.2.2. Creation of a new Role 19
2.2.3. Single Role versus Composite Role (collective role) 19
2.2.4. Master role and Derived Role 22
2.2.5. Assigning Users 29
2.2.6. Transporting Roles 33
2.3. Organizing Authorization Administration 34
2.3.1. Creating administrator roles 34
2.3.2. List of available templates 40
2.3.3. Authorization Objects checked in role maintenance 41
2.3.4. Relevant SAP Tables for Authorizations and Roles 41
2.3.5. System Settings-profile parameters 42
2.3.6. Protective measures for Special profiles SAP_ALL & SAP_NEW 43
2.4. Authorization Checks 44
2.4.1. Checking at program level with AUTHORITY-CHECK 44
2.4.2. Starting SAP Transactions 46
2.4.3. Starting Report Classes 51
2.4.4. Calling RFC Function Modules 52
2.4.5. Checking assignment of Authorization Groups to Tables 52
2.5. Analyzing Authorization Checks 53
2.5.1. System Trace 53
2.5.2. Authorization error Analysis 56
3. Testing the roles 58
4. User Maintenance 60
4.1. Creation of a User in the CRM system 60
4.1.1. Display user information 61
4.1.2. Initial Data load for Users and Authorizations 70
4.2. Creation of a User in the SAP Enterprise Portal 71
4.3. Creation of an Employee in the CRM system 78
4.4. Maintaining the Organizational Model 81
5. CRM specific Authorizations 85
5.1. Marketing and Campaign Management 85
5.1.1. Role for creating marketing plan and campaign 87
5.1.2. Restrictions made based on person responsible 93
5.1.3. Restrictions made based on Authorization Group 95
5.1.4. Restrictions made based on the Campaign Type 97
5.2. Business Partner Security 97
5.3. Product Security 98
5.4. Authorization check in Business Transactions 98
6. BW specific authorizations 98
7. Frequently Asked Questions 98
8. Tips and Tricks 99
APPENDIX 100
Answer:
I take it that this is going to be for sale?
I would be interested in one thing to get a feeling for the rest:
What font size did you use to get these 4 topics onto 1 page?
5.3. Product Security 98
5.4. Authorization check in Business Transactions 98
6. BW specific authorizations 98
7. Frequently Asked Questions 98
Answer:
As I explained, the manual is not finished yet!!
For the topics you mentioned I only added the index!
This still needs to be elaborated, but will be included of course!
The font size, by the way, is Times New Roman (12).
Answer:
And if I post my email address here, then you (and Reader's Digest) will send me some indexes? Or are you looking for a review of the doc?
Answer:
What does this have to offer that Authorizations Made Easy does not have?... Where are the topics like configurable access, HR, security by position, list of all activity fields, useful SAP delivered reports and tcodes, role based security concept, backdoors and how to control them, naming conventions, authorization group concept, etc.? You know, all the things that are not in Authorizations Made Easy but are required to have a secure system.
Answer:
Well,
I am not telling or selling anyone a complete end-to-end guide...
As I said, in SAP Authorizations Made Easy you already have a nice overview of the SAP authorizations concept, but I don't remember having seen ANY SAP CRM or SAP BW related concepts, examples or procedures in this guide?
That is the first reason why I am writing such a manual... which can serve as a practical guide!!
The purpose is to combine theory (which you can find back in several places like service.sap.com or saphelp) with practical examples...illustrated with quite a lot of system screenshots!
I notice that most authorization administrators who might have a pretty good knowledge of the general authorization concept (R/3) are struggling when the customer for example implements BW or CRM.
As I said, for some people this might not bring much added value, for others this will be a huge help in understanding and finding their way back into the SAP authorization concept in general, but next more specific in SAP CRM (and BW).
By showing the index on this forum once the manual is finished you WILL KNOW what you would be buying...
_________________
Davy Pelssers
Independent SAP Consultant CRM/BW/Authorisations
pelssersdavy@hotmail.com
Answer:
What about all the other apps, SCM/APO, BW, etc.? How about Portal security issues? I'm not talking about role iViews but the NetWeaver issues that we really don't get to hear much about. Or issues with the User Measurement and the LAW tool that some of us security people are responsible for.
Just asking
Answer:
Well... I started working on the e-book again... and although it's not finished yet (it never WILL be, of course), since I will include every topic in the book that I investigate during my career, it will therefore be an e-book.
Since a lot of people wanted to have the e-book already, although it's not finished, I decided to sell it already....
You can choose the following:
- Pay either 15 euro (= 19 USD) for the current content; no updates will be sent in that case.
- Pay one time 30 USD and you will receive updates as soon as I add new chapters/elaborated examples.
Payment is preferred to be done via PayPal... delivery by email.
INDEX so far is:
1. Introduction 6
2. SAP Authorization Concept 6
2.1. Authorization Components and their Relationships 7
2.2. The Profile Generator (PFCG) 10
2.2.1. Installing the Profile Generator 10
2.2.2. Creation of a new Role 21
2.2.3. Single Role versus Composite Role (collective role) 21
2.2.4. Master role and Derived Role 24
2.2.5. Assigning Users 31
2.2.6. Transporting Roles 35
2.3. Organizing Authorization Administration 36
2.3.1. Creating administrator roles 36
2.3.2. List of available templates 42
2.3.3. Authorization Objects checked in role maintenance 43
2.3.4. Relevant SAP Tables for Authorizations and Roles 43
2.3.5. System Settings-profile parameters 44
2.3.6. Protective measures for Special profiles SAP_ALL & SAP_NEW 45
2.4. Authorization Checks 46
2.4.1. Checking at program level with AUTHORITY-CHECK 46
2.4.2. Starting SAP Transactions 48
2.4.3. Starting Report Classes 53
2.4.4. Calling RFC Function Modules 54
2.4.5. Checking assignment of Authorization Groups to Tables 54
2.5. Analyzing Authorization Checks 55
2.5.1. System Trace 55
2.5.2. Authorization error Analysis 58
3. Testing the roles 60
4. User Maintenance 62
4.1. Creation of a User in the CRM system 62
4.1.1. Display user information 63
4.1.2. Initial Data load for Users and Authorizations 72
4.2. Creation of a User in the SAP Enterprise Portal 73
4.3. Creation of an Employee in the CRM system 80
4.4. Maintaining the Organizational Model 83
5. CRM specific Authorizations 87
5.1. Marketing and Campaign Management 87
5.1.1. Role for creating marketing plan and campaign 89
5.1.2. Restrictions made based on person responsible 95
5.1.3. Restrictions made based on Authorization Group 97
5.1.4. Restrictions made based on the Campaign Type 99
5.2. Business Partner Security 99
5.2.1. General role SAP_CRM_BUSINES_PARTNER 100
5.2.2. Restrictions for certain input fields based on Authorization Type 100
5.2.3. Restrictions for certain field groups 103
5.2.4. Restrictions based on Authorization Group 106
5.2.5. Restrictions for maintaining certain Business Partner Roles 108
5.2.6. Perform authorization checks for sales area related data for business partners. 108
5.3. Product Security 109
5.3.1. Relevant SAP Authorization objects 109
5.3.2. Product maintenance 110
5.4. Authorization check in Business Transactions 112
5.4.1. Relationship Business Transactions, Types and Categories 112
5.4.2. Process flow authorization check 125
5.4.3. Examples of the authorization assignment 127
5.4.5 Authorization Check at Field Level 129
5.5. Authorizations in E-commerce (Internet Sales) 132
5.5.1. Customizing settings for Internet Sales 132
5.5.2. User Administration 136
5.6. Interaction Center Winclient 150
5.6.1. Technical System Landscape 150
5.6.2. User Administration and authentication 151
5.6.3. Users Overview 151
5.6.4. Data synchronization between CRM system and other systems 152
5.6.5. Authorizations 152
6. BW specific authorizations 153
7. Frequently Asked Questions 153
8. Tips and Tricks 154
9. Relevant OSS notes regarding SAP Authorizations 155
9.1. SAP CRM related 155
APPENDIX 157
_________________
Davy Pelssers
Independent SAP Consultant CRM/BW/Authorisations
pelssersdavy@hotmail.com
Answer:
It appears your book is leaving out some fundamentals that are needed before one dives directly into creating profiles. Some of those principles should be discussed up front to add value to what can already be gleaned from SAP's Authorizations Made Easy.
Things to consider are:
Concept and Purpose
Assessing Risk
Segregation of Duties
Compensating Controls
Control Areas in SAP
Naming Conventions
Job Oriented Roles
Risk Assessments
Control Access Development
Profile Development Standards
Role Minimization
Grass Root Development
Wild Card Activity Values
Parent-Child Roles Pros and Cons
Composite Roles Pros and Cons
Role Use Management
System Integrity - Ensuring Long-term Continuity
System Settings
List of commonly used Security Tables in SAP
Other SAP data ( Domain Values, Data Elements)
Transaction Lock
Transaction Access ( S_TCODE)
Call Transaction Authorization Check
Alternative Access Control
User Maintenance - SU01, SU10, PFCG, RHPROFL0, HRUSER
PD Profiles – Structural Authorizations
Table Maintenance
Organizational Levels
Call Transaction Control
Trouble Shooting Utilities
SAP Security Automation
User Activity Logs
Security Reports ( and their pitfalls)
Security System Parameter Settings
Configuration
Configuration for Security SSM_CUST, PRGN_CUST
Configurable Access
Password Controls
Special User Ids
Logon controls
Configuring Profile Generator
Security Strategies and Methodologies
Security User Exits
Security Weaknesses (Trojan Horse, SM59, Visible Passwords, S_DEVELOP Access, Table view with no S_TABU_DIS, etc.)
_________________
John A. Jarboe
Answer:
Thanks for the advice John, but the focus of this book is for security administrators that already have knowledge of the SAP authorization concept, meaning the R/3 setup of authorisations and roles...
The focus of this e-book will mainly be about:
- SAP CRM authorizations and SAP BW authorizations
I am still elaborating the SAP CRM part, but I am negotiating with some companies to have remote access to development systems where they have CRM, R/3 and BW all together, so I can work out my test cases and examples....
Furthermore it will be a real practical guide... which explains the functional side of CRM topics in order to understand how you can set up and build test cases in order to try out the authorizations that you are trying to define.
But I am not going to spend a lot of my precious time to repeat or recreate documentation which is AVAILABLE already:
- You already have a specific SAP course for BW authorisations
--> but since this is an interesting topic, I still will include this in my ebook.
- There are already very good books about SAP authorisations:
1) ISBN 1-59229-062-0 SAP Security & Authorizations (English)
2) ISBN 1-59229-062-0 SAP Authorisation System (IBM)
3) SAP Authorizations Made easy
- and SAP also delivers courses such as:
A) BW365: Business Information Warehouse - Authorizations
B) ADM940: SAP Authorization Concept
C) HR940: Authorizations in HR
Next, you can also find lots of information on help.sap.com via TREX search when doing a search on "authorization"... and of course on service.sap.com.
So please... everyone should decide for themselves what they want to read, learn or need... I am just offering an e-book at a cheap price since I will continue working on this book and provide updates for those that are in need of centralized information... in this specific case, to start with, about SAP CRM authorizations....
_________________
Davy Pelssers
Independent SAP Consultant CRM/BW/Authorisations
pelssersdavy@hotmail.com
Answer:
but John, where's your book?
Sorry, I couldn't resist
_________________
answering and posting Truly Idiot questions/answers
Answer:
I just finished a new chapter about the usage of Marketing Attribute Sets and Attributes and how you can restrict the assignment of an attribute set to a business partner. Everything is well explained from a functional point of view, as well as with all necessary authorization objects and examples of role setup and test analysis.
At this moment I am working on the functional chapter about SAP CRM Business partners:
Concepts such as:
- business partner categories
- business partner roles
- relationships
- partner processing (partner determination procedure and the use of access sequences)
- Business partner functions
will be explained functionally...
Furthermore, all authorisation related objects which are available to set restrictions are already elaborated in my manual...
_________________
Davy Pelssers
Independent SAP Consultant CRM/BW/Authorisations
pelssersdavy@hotmail.com