Volker Lehnert, Katharina Bonitz, and Larry Justice
Authorizations in SAP® Software
Design and Configuration
Galileo Press
Bonn • Boston
Contents
Foreword 19
Acknowledgments 22
PART I Business Concepts
2.1 Methodical Considerations 30
2.1.1 Approaches for the Business Authorization Concept 30
2.1.2 Persons Involved in the Authorization Concept 33
2.2 Compliance 33
2.3 Risk 34
2.4 Corporate Governance 38
2.5 Technical Versus Business Significance of the Authorization Concept 40
2.6 Technical Versus Business Roles 42
3.1 Example of an Organizational Differentiation 46
3.2 Introduction 48
3.3 Institutional Organization Concept 50
3.3.1 Object of the Organization 51
3.3.2 Legal Forms of the Organization 51
3.3.3 Organization and Environment 52
3.3.4 Summary 53
3.4 Instrumental Organization Concept 54
3.4.1 Specialization (Division of Labor) 55
3.4.2 Organizational Structure 58
3.4.3 Task Analysis 68
3.5 Consequences of the Examination of the Organization 72
3.6 Views of the Organizational Structure in SAP Systems 73
3.6.1 Organizational Management 74
3.6.2 Organization View of External Accounting 76
3.6.3 Organization View of Funds Management 77
3.6.4 Organization View of the Standard Cost Center Hierarchy 78
3.6.5 Organization View of the Profit Center Hierarchy 79
3.6.6 Enterprise Organization 80
3.6.7 Organization View in the Project System 81
3.6.8 Logistical Organization View 82
3.6.9 Integration of the Organization Views with the Authorization Concept 82
3.7 Organizational Levels and Structures in SAP ERP 83
3.7.1 Organizational Level "Client" 84
3.7.2 Relevant Organizational Levels of Accounting 84
3.7.3 Relevant Organizational Levels in MM 88
3.7.4 Relevant Organizational Levels in Sales and Distribution 89
3.7.5 Relevant Organizational Levels in Warehouse Management 89
3.7.6 Integration of the Organizational Levels with the Authorization Concept 90
3.8 Information on the Methodology in the Project 91
3.9 Summary 93
4.1 Basic Principles of Internal and External Regulations 96
4.2 Internal Control System 100
4.3 Sources of Law for External Accounting 101
4.3.1 Sources of Law and Effects for the Private Sector 103
4.3.2 Concrete Requirements for the Authorization Concept 106
4.4 Data Privacy Laws 107
4.4.1 Legal Definitions Relating to Data Processing 110
4.4.2 Rights of the Person Affected 111
4.4.3 Recommendations Relating to the ICS 112
4.4.4 Concrete Requirements for the Authorization Concept 113
4.4.5 Compliance versus Data Privacy 113
4.5 General Requirements for Authorization Concepts 115
4.5.1 Identity Principle 116
4.5.2 Minimal Principle 117
4.5.3 Job Principle 117
4.5.4 Document Principle in Financial Accounting 118
4.5.5 Document Principle in Authorization Management 118
4.5.6 Separation of Duties Principle 119
4.5.7 Approval Principle 119
4.5.8 Standard Principle 120
4.5.9 Written-Form Principle 120
4.5.10 Control Principle 120
4.6 Summary 121
5.1 Process Overview 123
5.2 The Sales Process 125
5.3 The Procurement Process 131
5.4 Support Processes 136
5.5 Requirements of the Separation of Duties 139
5.6 Summary 140
PART II Tools and Authorization Maintenance in the SAP System
6.1 User/Authorization 145
6.1.1 User 146
6.1.2 User Maintenance (ABAP) 147
6.2 Transaction — Program — Authorization Object 153
6.2.1 Transaction 153
6.2.2 Check in the Program Flow 155
6.2.3 Authorization Object 158
6.3 Role and Role Profiles 163
6.3.1 Authorization Profiles 163
6.3.2 Creating and Maintaining Roles 164
6.4 Analysis of Authorization Checks 193
6.4.1 Evaluation of the Authorization Check 193
6.4.2 Analysis in the Program Flow — System Trace/Authorization Trace 195
6.4.3 Program Check 197
6.5 Additional Role Types in SAP ERP 199
6.5.1 Composite Role 200
6.5.2 Value Role/Functional Role 201
6.6 Summary 202
7.1 Maintaining and Using the Defaults for the Profile Generator 204
7.1.1 Functions for the Profile Generator 206
7.1.2 Function in the Upgrade 208
7.1.3 Normative Use 208
7.1.4 Using Default Values for Risk Analyses and External Role Maintenance Tools 210
7.1.5 Original State and Maintenance of Default Values 211
7.2 Upgrading Authorizations 218
7.3 Parameters for Password Rules 223
7.4 Customizing Settings for the Menu Concept 226
7.5 Authorization Groups 233
7.5.1 Optional Authorization Checks for Authorization Groups 236
7.5.2 Table Authorizations 241
7.5.3 Authorization Groups as Organizational Levels 244
7.6 Parameter and Query Transactions 246
7.6.1 Parameter Transaction for Maintaining Tables via Defined Views 248
7.6.2 Parameter Transaction for Viewing Tables 250
7.6.3 Implementing Queries in Transactions 251
7.7 Promoting an Authorization Field to an Organizational Level 254
7.7.1 Effects Analysis 254
7.7.2 Procedure for Promoting a Field to an Organizational Level 258
7.7.3 Promoting the Area of Responsibility to an Organizational Level 259
7.8 Developer and Authorization Trace 262
7.8.1 Procedure for the Developer and Authorization Trace 262
7.9 Creating Authorization Fields and Objects 265
7.9.1 Creating Authorization Fields 265
7.9.2 Creating Authorization Objects 267
7.10 Further Transactions of the Authorization Administration 269
7.11 Transferring Roles Between Systems or Clients 271
7.11.1 Downloading/Uploading Roles 271
7.11.2 Transporting Roles 272
7.12 User Master Comparison 274
7.13 Summary 274
8.1 Basic Concept of SAP ERP HCM Organizational Management 278
8.2 Technical Prerequisites 281
8.3 Technical Implementation 281
8.3.1 Prerequisites 282
8.3.2 Technical Basics of SAP ERP HCM Organizational Management 282
8.3.3 Assigning Roles 283
8.3.4 Evaluation Path 284
8.3.5 User Master Comparison 285
8.4 Conceptual Special Feature 285
8.5 Summary 286
9.1 Challenge and Solution Approach 290
9.1.1 Role Generator OM 292
9.1.2 Area Role Concept 295
9.1.3 Combining Area Roles and OAA 298
9.2 Implementation Example for the Area Role Concept 298
9.3 Integration, Restrictions, and Prospects 307
9.4 Summary 307
10.1 Basic Principles 310
10.1.1 Business Background 310
10.1.2 User Lifecycle Management 313
10.1.3 SAP Solutions for the Central Administration of Users 315
10.2 Central User Administration 316
10.2.1 Procedure for Setting up the CUA 318
10.2.2 Integration with Organizational Management of SAP ERP HCM 323
10.2.3 Integration with SAP BusinessObjects Access Control 324
10.3 SAP BusinessObjects Access Control Compliant User Provisioning 325
10.4 SAP NetWeaver Identity Management 331
10.4.1 Relevant Technical Details 332
10.4.2 Functionality 333
10.4.3 Technical Architecture 340
10.4.4 Integration of SAP BusinessObjects Access Control 343
10.5 Summary 345
11.1 Standards and Their Analysis 347
11.1.1 Role Instead of Profile 347
11.1.2 Definition of the Role Through Transactions 349
11.1.3 Using Defaults 351
11.1.4 Table Authorizations 351
11.1.5 Program Execution Authorizations 352
11.1.6 Derivation 353
11.1.7 Programming — Programming Guideline 354
11.2 Critical Transactions and Objects 356
11.3 General Evaluations of Technical Standards 358
11.3.1 User Information System 358
11.3.2 Table-Based Analysis of Authorizations 361
11.4 Summary 365
12.1 Basic Principles 367
12.2 Risk Analysis and Remediation 371
12.3 Enterprise Role Management 377
12.4 Compliant User Provisioning 379
12.5 Superuser Privilege Management 381
12.6 Risk Terminator 383
12.7 Summary 384
13 User Management Engine 385
13.1 Overview of the UME 386
13.1.1 UME Functions 386
13.1.2 UME Architecture 387
13.1.3 User Interface of the UME 389
13.1.4 Configuration of the UME 390
13.2 Authorization Concept of SAP NetWeaver AS Java 393
13.2.1 UME Roles 394
13.2.2 UME Actions 394
13.2.3 UME Group 396
13.2.4 J2EE Security Roles 397
13.3 User and Role Administration Using the UME 399
13.3.1 Prerequisites for User and Role Administration 399
13.3.2 Administration of Users 400
13.3.3 User Types 401
13.3.4 Administration of UME Roles 402
13.3.5 Administration of UME Groups 403
13.3.6 Tracing and Logging 403
13.4 Summary 406
PART III Authorization in Specific SAP Solutions
14.1 Basic Principles 409
14.2 Special Requirements of SAP ERP HCM 410
14.3 Authorizations and Roles 412
14.3.1 Authorization-Relevant Attributes in SAP ERP HCM 412
14.3.2 Personnel Action Example 414
14.4 Authorization Main Switch 417
14.5 Organizational Management and Indirect Role Assignment 420
14.6 Structural Authorizations 421
14.6.1 The Structural Authorization Profile 422
14.6.2 Evaluation Path 424
14.6.3 Structural Authorizations and Performance 426
14.7 Context-Sensitive Authorizations 426
14.8 Summary 429
15.1 Basic Principles 432
15.1.1 The SAP CRM User Interface: CRM Web Client 432
15.1.2 Creating Business Roles for the CRM Web Client 440
15.2 Dependencies Between Business Role and PFCG Roles 442
15.3 Creating PFCG Roles Depending on the Business Roles 443
15.3.1 Prerequisites for Creating PFCG Roles 444
15.3.2 Creating PFCG Roles 449
15.4 Assigning Business Roles and PFCG Roles 454
15.5 Sample Scenarios for Authorizations in SAP CRM 463
15.5.1 Authorizing Interface Components 464
15.5.2 Authorizing Transaction Launcher Links 473
15.5.3 Authorizing Master Data 475
15.5.4 Authorizing Business Transactions 478
15.5.5 Authorizing Attribute Sets 488
15.5.6 Authorizing Marketing Elements 489
15.6 Troubleshooting in the CRM Web Client 491
15.7 Access Control Engine 494
15.8 Summary 507
16.1 Basic Principles 509
16.2 Authorization Assignment in SAP SRM 512
16.2.1 Authorizations of User Interface Menus 515
16.2.2 Authorizations of Typical Business Processes 517
16.3 Summary 531
17.1 OLTP Authorizations 534
17.2 Analysis Authorizations 536
17.2.1 Basic Principles 537
17.2.2 Barrier Principle 538
17.2.3 Transaction RSECADMIN 539
17.2.4 Authorization Maintenance 539
17.2.5 Assignment to Users: Transactions RSU01 and SU01 542
17.2.6 Analysis and Authorization Log 546
17.2.7 Generation 549
17.2.8 Authorization Migration 551
17.3 Modeling Authorizations in SAP NetWeaver BW 552
17.3.1 InfoProvider-Based Models 553
17.3.2 Characteristic-Based Models 553
17.3.3 Mixed Models 554
17.4 Summary 554
18.1 Basic Principles 556
18.1.1 Master and Transaction Data 556
18.1.2 Organizational Levels 557
18.2 Authorizations in Financial Accounting 558
18.2.1 Organizational Differentiation Criteria 559
18.2.2 Master Data 561
18.2.3 Postings 568
18.2.4 Payment Run 572
18.3 Authorizations in Controlling 574
18.3.1 Organizational Differentiation Criteria 575
18.3.2 Maintaining Master Data 576
18.3.3 Postings 585
18.3.4 Old and New Authorization Concept in Controlling 588
18.4 Authorizations in Logistics (General) 588
18.4.1 Organizational Differentiation Criteria 588
18.4.2 Material Master/Material Type 590
18.5 Authorizations in Purchasing 594
18.5.1 Maintaining Master Data 594
18.5.2 Procurement Processing 594
18.6 Authorizations in Sales and Distribution 601
18.6.1 Maintaining Master Data 601
18.6.2 Sales Processing 602
18.7 Authorizations in Technical Processes 605
18.7.1 Segregation of Duties in Authorization Management 606
18.7.2 Segregation of Duties in the Transport System 610
18.7.3 RFC Authorizations 612
18.7.4 Debugging Authorizations 613
18.7.5 Client Change 613
18.7.6 Change Logging 615
18.7.7 Batch Authorizations 615
18.8 Summary 616
19.1 Authorization Concept in the Project Context 617
19.2 Procedure Model 620
19.2.1 Logical Approach 621
19.2.2 Implementation 622
19.2.3 Redesign 624
19.2.4 Concrete Procedure 625
19.3 SAP Best Practices Template Role Concept 628
19.3.1 SAP Best Practices 629
19.3.2 SAP Template Roles 629
19.3.3 Methodical Procedure of the SAP Best Practices Role Concept 631
19.3.4 Combination with SAP BusinessObjects Access Control 635
19.4 Content of an Authorization Concept 636
19.4.1 Introduction and Standardization Framework of the Concept 637
19.4.2 Technical Context 638
19.4.3 Risk Evaluation 638
19.4.4 Person — User — Authorization 639
19.4.5 Authorization Management 640
19.4.6 Organizational Differentiation 641
19.4.7 Process Documentation 641
19.4.8 Role Documentation 642
19.5 Summary 642
A List of Abbreviations 645
B Glossary 649
C Bibliography 661
D The Authors 663
Index 665