Question:
Hi security experts,
Will you please enlighten me on some basic security questions? - I am a functional person trying to understand the authorization aspects in some detail.
1. I understand that you need to assign roles to users to restrict them to do only the job they need to do. I also know that there are authorization objects and fields involved at the Tcode level that restrict what anyone can do in a given Tcode. My question is how do these 2 work together, since the role only gives you the restricted menu of what you can see, where and how do you define what authorizations the user has? Are they defined separately in the user master?
2. Take this example of MM02 - material master change. If one user is only allowed to change the WM view and another user is only allowed to change the QM view, how and where do you set up in SAP to say that both need access to MM02 but have a restriction on what they can change? Starting from the Tcode, how does this flow all the way up to the user master?
Thanks in advance for your help.
Answer:
Very broadly, to do something:
a user needs a profile (Role)
a Role is created in transaction PFCG
a Role will contain (required) transactions
each transaction has a set of authorisations to limit/control it
each authorisation requires one or more values to enable the desired controls.
So, for your two users you will have two Roles each will have MM02 but each will have different authorisation values enabling e.g. the holder of Role1 to only change the WM view and the holder of Role2 to only change the QM view.
Hope this helps
_________________
Best Regards
Bazza
Answer:
Bazza,
That is great. Then where do we set in the system to tell SAP that each user has to have different authorization values enabled, yet use the same transaction MM02 (or the same program)?
I understand you need to assign an auth. profile in the user master. What does this auth. profile consist of? Where are these objects defined and connected to roles? Roles drill down only up to tcodes.
Am I missing something? Can you explain how they all tie together and what gets set where in somewhat of a detail? This will help me understand some of the SAP auth. material that I am reading now to make sense of this subject. The SAP explanation is confusing.
Thanks for your help
Answer:
In principle:
SAP supplies transactions, their authorisations and recommended authorisation values. These are held in a number of tables but for ease of reference it is best to consider them only in tables USOBX_C and USOBT_C which are maintained with transaction SU24.
The authorisations therein that are indicated with CM are made available to the profile generator - transaction PFCG. This is the initial link between transaction and authorisation/values. And when you use PFCG to create a Role/profile and key in a transaction, the authorisations indicated with CM and their initial values are brought in automatically.
Within PFCG you can amend the authorisation values to suit your business need. Thus you can create a specific Role for a specific business need.
Hence Roles will contain transactions, authorisations, authorisation values (and also Organisational elements like plant, company etc).
A Role is next assigned to a user.
So, working up the hierarchy:-
Authorisation values are supplied by SAP or maintained by the business security expert. They are assigned by SAP to Authorisation Objects.
Authorisation Objects are assigned by SAP to transactions.
Transactions can be included in Roles by the business security expert.
Roles can be assigned to users by the business security expert.
Hope this is clearer for you.
_________________
Best Regards
Bazza
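The hierarchy Bazza describes (transaction -> authorisation objects -> field values, bundled into a Role and assigned to a user) can be modelled in a few lines. The following is an illustrative model written for this thread, not SAP code and not anything posted by Bazza. The object and field names are assumptions used to make the model concrete: S_TCODE/TCD for the transaction-start check, M_MATE_STA with fields ACTVT (activity, '02' = change) and STATM (maintenance status, with 'L' standing for the WM view and 'Q' for the QM view). The point it demonstrates, beyond the two-role case in the thread, is the matching rule of an authority check: every field of one authorisation must match (AND within an authorisation), while it is enough for any one authorisation in the user's roles to match (OR across authorisations). That rule is why a single role carrying two MM02 authorisations with different STATM values is not the same as one authorisation listing both values.

```python
"""Toy model of the SAP authorisation hierarchy discussed above.

Illustrative code for this thread, not SAP's implementation. Assumed
identifiers: S_TCODE/TCD, M_MATE_STA/ACTVT/STATM, 'L' = WM view,
'Q' = QM view, '02' = change, '03' = display.
"""
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """One authorisation: an object plus the allowed values per field.
    Within a single authorisation ALL requested fields must match."""
    obj: str
    fields: dict  # field name -> set of allowed values; '*' means any value


@dataclass
class Role:
    """A PFCG-style role: menu transactions plus maintained authorisations."""
    name: str
    transactions: set
    authorizations: list = field(default_factory=list)

    def profile(self):
        # The generated profile carries S_TCODE for the role's transactions
        # alongside the authorisations maintained inside PFCG.
        return [Authorization("S_TCODE", {"TCD": set(self.transactions)})] + self.authorizations


@dataclass
class User:
    name: str
    roles: list  # roles assigned in the user master


def _field_matches(auth, fname, value):
    allowed = auth.fields.get(fname)
    return allowed is not None and ("*" in allowed or value in allowed)


def authority_check(user, obj, **required):
    """Mirror of an AUTHORITY-CHECK: OR across authorisations, AND across fields."""
    for role in user.roles:
        for auth in role.profile():
            if auth.obj != obj:
                continue
            if all(_field_matches(auth, f, v) for f, v in required.items()):
                return True
    return False


def can_change_view(user, tcode, view_status):
    """Two gates on the way into a change: may the user start the transaction,
    and does any authorisation allow ACTVT '02' on this maintenance status?"""
    return (authority_check(user, "S_TCODE", TCD=tcode)
            and authority_check(user, "M_MATE_STA", ACTVT="02", STATM=view_status))


# Constructed sample roles: same transaction, different field values.
ROLE_WM = Role("Z_MM02_WM", {"MM02"},
               [Authorization("M_MATE_STA", {"ACTVT": {"02", "03"}, "STATM": {"L"}})])
ROLE_QM = Role("Z_MM02_QM", {"MM02"},
               [Authorization("M_MATE_STA", {"ACTVT": {"02", "03"}, "STATM": {"Q"}})])
# A role whose two authorisations look like "change L, display Q":
# the AND-within-one-authorisation rule means Q is display-only here.
ROLE_SPLIT = Role("Z_MM02_SPLIT", {"MM02"},
                  [Authorization("M_MATE_STA", {"ACTVT": {"02"}, "STATM": {"L"}}),
                   Authorization("M_MATE_STA", {"ACTVT": {"03"}, "STATM": {"Q"}})])

WM_USER = User("wm_clerk", [ROLE_WM])
QM_USER = User("qm_inspector", [ROLE_QM])
SPLIT_USER = User("mixed_user", [ROLE_SPLIT])

if __name__ == "__main__":
    for u in (WM_USER, QM_USER, SPLIT_USER):
        print(u.name, "WM change:", can_change_view(u, "MM02", "L"),
              "QM change:", can_change_view(u, "MM02", "Q"))
```

Reading the model against the thread: the user master holds only the role assignment; the role's generated profile holds the S_TCODE entry and the M_MATE_STA values pulled in from SU24 (USOBX_C/USOBT_C) and amended in PFCG; and the check at runtime never looks at the menu, only at those field values. When auditing a role, it is the per-authorisation combination of ACTVT and STATM that decides what the holder can change, not the set of transactions in the menu.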