8/13/2019 Roles and Authorizations http://slidepdf.com/reader/full/roles-and-authorizations 1/74 Roles and Authorization Concept in SAP Solution Manager 7.1 Erik Dietzel August, 2013

Roles and Authorizations


Roles and Authorization Concept in SAP Solution Manager 7.1

Erik Dietzel

August, 2013


Motivation and Scope


© 2013 SAP AG. All rights reserved. 5Public

Authorization and Security Concept: Risks with SAP Solution Manager

The main SAP Solution Manager security risks are:

SAP Solution Manager system can be damaged by:
– unauthorized changes to master data
– unauthorized customizing or configuration changes

SAP Solution Manager could be misused to illegally access managed systems due to:
– missing authorization concept (authorization in SAP Solution Manager)
– missing security concept (communication around SAP Solution Manager)


Security of SAP Solution Manager

To ensure the security in your system environment, SAP Solution Manager should be considered as a production system!

– Secure Authorization Concept for SAP Solution Manager
– Security Concept (RFC destinations, communication channels, etc.) around SAP Solution Manager
– Four eyes principle for authorization and user administration
– Never design and test your authorization concept on a production system. Please use a development or test system for it.
– …


Concept for Technical Users and End Users


Users in SAP Solution Manager

In general we consider two different user types when talking about the SAP Solution Manager authorization concept:

End Users

Are defined as dialog users, which are user IDs for dialog communication on SAP Solution Manager. So the end user on SAP Solution Manager is mainly working in the easy access menu as well as in Solution Manager Work Centers (web based application).

Technical Users

Are defined as system users, which are user IDs for dialog-free communication between systems or internal processing on SAP Solution Manager. Technical users are used, for example, for setting up RFC destinations, scheduling background jobs, etc.


SAP Standard Roles and Template Users: Conception will be prepared in SOLMAN_SETUP

In parallel to the scenario configuration in SOLMAN_SETUP you establish the SAP Solution Manager authorization concept for each scenario:

[Figure: SOLMAN_SETUP scenarios, each shown as a sequence of steps ending in "Complete", with the user-related step per scenario]
– Technical Monitoring: Create Template Users
– IT Service Management: Create Template Users
– Business Process Monitoring: Create Template Users
– Business Process Change An.: Create Template Users
– Basic Configuration: Specify Users …
– System Preparation: Create Users
– Managed System Configuration: Create Users

Callouts in the figure:
– Offers scenario specific standard roles for End User authorization concept
– Technical Users on SAP Solution Manager and Managed Systems are created
– Creation of Technical Users on SAP Solution Manager and Managed Systems


Authorization Concept for Technical Users

Technical Users are automatically created during the Basic Configuration of SAP Solution Manager (using transaction SOLMAN_SETUP).

Technical users in SAP Solution Manager are automatically created as system users. We recommend keeping the technical users untouched, so that SOLMAN_SETUP is able to track the changes and update the users in case of a new SAP Solution Manager version.

Note: If you need to create the users manually since you have an Identity Management system (e.g. central user administration) in place, refer to Security Guide Chapter “Landscape Setup, Configuration, and Root Cause Analysis Guide”.


Authorization Concept for End Users

Security Guide for SAP Solution Manager 7.1 and SOLMAN_SETUP already provide a number of standard roles and users which your authorization concept can be based on.

Read the User Descriptions and User Roles part of the corresponding Scenario-Specific Guide in Security Guide, to get an impression of which permissions your users may require.

Go to the corresponding step for creating Template / Standard Users in SOLMAN_SETUP (e.g. "Create Standard Users" or "Create Template Users") to identify the required standard roles.


Concept in SAP Solution Manager


SAP Solution Manager Roles and Authorizations: Concept in SAP Solution Manager

[Figure: the four building blocks of the concept]
– SU01 User: allows access to SAP Solution Manager system
– PFCG Role: allows activities (display, change, etc.) at message level
– CRM Business Partner (Employee / Organization): allows access to user’s incident messages
– CRM Business Role: allows access to CRM Web UI in a specified view for Incident Management


SU01 User

SU01 User (User Master Record)
– user account on a SAP system
– allows access to SAP system
– attributes that identify an end-user
– maintained in transaction SU01
– authorization roles (PFCG roles) can be assigned
– can be synchronized with business partner by e-mail address


PFCG Role

PFCG Role
– also called “Authorization Role”
– grants a user access to more functionality on technical level
– contains authorization data with definition based on authorization objects
– can be configured by role (transaction PFCG)
– SAP Solution Manager provides different role types:
  – work center roles (basic/navigation)
  – authorization roles (functional/infrastructure authorization)


CRM Business Partner (1/2)

CRM Business Partner (Employee/Organization)
– can be linked with the CRM org. model
– a person or an organization within company IT processes, based on SAP Solution Manager
– Business Partner Types:
  – BP Organization: companies/organizations (internal or external)
  – BP Person: company staff, such as key users and processors, and individuals who are not part of the company


CRM Business Partner (2/2)

BP Organization
– usually linked to organizational units in CRM org. model
– can be created:
  – manually (transaction BP)
  – manually from CRM org. model (transaction PPOMA_CRM)

BP Person
– usually linked to user accounts on SAP Solution Manager and/or managed systems
– can be created:
  – manually (transaction BP)
  – automatically (transaction BP_GEN)
  – automatically or background job (transaction BP_USER_GEN)

automatic synchronization of CRM business partners and user accounts in background job


CRM Business Role

CRM Business Role
– describes the SAP CRM user interface, and displays the functions in the CRM Web Client
– the most important CRM business role in SAP Solution Manager is “SOLMANPRO” (IT Service Management)
– can be assigned to the end user via
  – SU01 using parameter CRM_UI_PROFILE
  – CRM org. model
  – PFCG role which is linked to a CRM business role
– a user can have multiple CRM business roles


SAP Solution Manager Roles and Authorizations: Concept in SAP Solution Manager (without CRM org. model)

Roles and authorizations in SAP Solution Manager can be granted also using the CRM Org model.

[Figure label: IT Organization]


Required Users and Roles in SAP Solution Manager Environment


User Identification in SAP Solution Manager Environment

[Figure: user types per system]
– Support Portal: S-User
– SAP Solution Manager, ABAP (Productive Client): SU01 User, CRM Business Partner
– SAP Solution Manager, SAP BW Client: SU01 User
– SAP Solution Manager, Java: Java User
– Managed System, ABAP (Productive Client): SU01 User
– Managed System, Java: Java User

Important: If the SAP BW of SAP Solution Manager is in a dedicated client or system, a SU01 user is also required on that client.


Authorizations and Roles in SAP Solution Manager Environment

[Figure: authorizations and roles per system. Labels: Support Portal, Managed System, SAP Solution Manager, ABAP authorizations, Java authorizations, Composite Role, Work Center Basic Roles, Work Center Navigation Roles, Functional Roles, Infrastructure Roles, CRM Business Roles]


PFCG Roles in SAP Solution Manager


SAP Solution Manager 7.1 Work Centers

Work Centers …
– are role-based
– enable easy navigation for end users
– provide a common user interface for all SAP Solution Manager capabilities
– are available since SAP Solution Manager 7.0 EhP1
– are extended on SAP Solution Manager 7.1

Work Centers Available (7.1)
– My Home
– Implementation and Upgrade
– Solution Documentation Assistant
– Change Request Management
– Change Request Management for SPC
– Test Management
– System Monitoring for SPC
– Business Process Operations
– Job Management
– Root Cause Analysis
– Root Cause Analysis for SPC
– Technical Administration
– Technical Monitoring
– Technical Monitoring for SPC
– Data Volume Management
– SAP Engagement and Service Delivery
– SAP Solution Manager Administration
– SAP Solution Manager Configuration
– Incident Management
– Incident Management for SPC
– Custom Code Life Cycle Management


Role Types in SAP Solution Manager

Role Type | Role Namespace | Role Description
Work Center Basic Role | SAP_SMWORK_BASIC_* | Basic authorization for a work center
Work Center Navigation Role | SAP_SMWORK_* | Authorization for user-specific work center view
Authorization Role | SAP_* | Modularized role for certain SAP Solution Manager functions or sub-functions

Work Center - Authorizations


Work Center Basis Roles

– PFCG role SAP_SMWORK_BASIC contains all authorizations required for work centers
– Each end user who works with work centers needs this role
– Role does not contain the authorization objects required for individual work centers

Based on this role, a work-center-specific basic role is delivered with SAP standard (beginning with SAP_SMWORK_BASIC_*, e.g. SAP_SMWORK_BASIC_SERVICES). This role contains authorization (on object SM_WC_VIEW) for the single work center only.


Authorization Roles

– Basis for the successful operation of an SAP Solution Manager scenario
– Modularized for certain SAP Solution Manager functions or sub-functions
– Based on SAP standard roles
– You need to define the single authorizations depending on the customer needs.

Authorization Roles | Applications/Functions
SAP_OP_DSWP_EWA | EarlyWatch Alert
SAP_MAINT_OPT* | Maintenance Optimizer
SAP_RCA_DISP | RCA Tools
SAP_ISSUE_MANAGEMENT* | Issue Management


SAP Solution Manager Role Concept

[Figure: an end user is assigned work center roles and authorization roles, which give access to work centers and functions]

Work Center Roles
– Work Center-Specific Basic Roles, role name SAP_SMWORK_BASIC*, incl. View Switches, Sub-Views, Common Tasks (shown: SAP_SMWORK_BASIC_SERVICES, SAP_SMWORK_BASIC_DIAG, SAP_SMWORK_BASIC_SYSMON)
– Work Center Navigation Roles, role name SAP_SMWORK*, incl. Related Links (shown: SAP_SMWORK_SERVICES, SAP_SMWORK_DIAG, SAP_SMWORK_SYSMON)

Authorization Roles (Functional Roles) and their functions
– SAP_OP_DSWP_EWA: EarlyWatch Alert
– SAP_MAINT_OPT*: Maintenance Optimizer
– SAP_RCA_DISP: RCA Tools
– SAP_ISSUE_MANAGEMENT*: Issue Management

Work Centers
– SAP Engagement and Service Delivery
– Root Cause Analysis
– Change Management
– Incident Management
– System Monitoring
– Test Management


Customizing of Work Center Navigation


Customizing of Work Center Navigation: How to Customize the Navigation Panel in Work Centers

It is often necessary to restrict the navigation menu within a work center for a specific user. The following slides show how to change the view of a work center.

You can fully adapt the navigation menu of a work center in the corresponding work center navigation role.

The work center menu entries have a two-folder hierarchy:
– First level in the work center is where you can change views, subviews, common tasks
– Second level consists of related links, which you can also change


Customizing of Work Center Navigation: Authorization Object SM_WC_VIEW (1/5)

As of SAP Solution Manager 7.1, there is an authorization object (SM_WC_VIEW) available, which allows administrators to hide UI navigation items in SAP Solution Manager work centers.

– View Switches
– Sub-Switches
– Common Task Elements

Note: The authorization for SM_WC_VIEW is included in work center basic roles SAP_SMWORK_BASIC or SAP_SMWORK_BASIC_*. To restrict the visibility in the navigation, use a role copy and define the user-specific view there.

[Screenshot labels: View Switch, Sub View, Common Task]


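Customizing of Work Center Navigation: Authorization Object SM_WC_VIEW (2/5)

SM_WC_VIEW is a UI authorization object that only controls which views, subviews or common tasks are shown. It has no functional relevance! Hiding a navigation item therefore does not withdraw the underlying function; functional access is governed by the authorization roles.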


Customizing of Work Center Navigation: Authorization Object SM_WC_VIEW (3/5)

The Authorization Administration of the customer organization can hide work center views, subviews or common tasks by defining authorization object SM_WC_VIEW in PFCG.


Customizing of Work Center Navigation: BAdI Activation for SM_WC_VIEW (4/5)

The authorization checks based on object SM_WC_VIEW are not enabled by default and must be enabled manually. This can be done centrally during the setup of SAP Solution Manager via transaction SOLMAN_SETUP.


Customizing of Work Center Navigation: Related Links

Related Links
– the section is designed to be enhanced and modified by the customer
– are linked to related URLs, such as Service Marketplace or Help Portal
– provide additional and work-center-specific information for the customer


Customizing of Work Center Navigation: How to Configure Related Links (1/4)

In the corresponding work center navigation role (usually a copy of standard role) you can now customize the related links for specific users or groups.

The following example shows you the configuration based on navigation role ZSM_SMWORK_CONFIG (copy of SAP_SMWORK_CONFIG) which refers to work center “SAP Solution Manager Configuration”.

Before our customizing, a user in “SAP Solution Manager Configuration” work center can see the following related links:


Customizing of Work Center Navigation: How to Configure Related Links (2/4)

Proceed as follows to customize Related Links:
1. Call transaction PFCG
2. Open the corresponding PFCG role (e.g.: ZSM_SMWORK_CONFIG) in change mode
3. Go to tab “Menu”
4. Drill down to the menu folder you want to edit
5. Add a new entry of type “Web address or file”


Customizing of Work Center Navigation: How to Configure Related Links? (3/4)

6. Enter the new link details and confirm
7. Save the role with the new link entry


Customizing of Work Center Navigation: How to Configure Related Links (4/4)

The end user (with the customized navigation role) will see a new entry in the “Related Links” section:


Organizational Separation with Infrastructure Roles


Challenge in IT Organization

Example: Customer has three responsibility groups in SAP Basis team:
– Group A: responsible for systems MW3, P9H and PI4
– Group B: responsible for systems P6J, PEP and PMD
– Group C: responsible for systems EP9, P02 and PBI

A user (SAP Basis administrator) should only be able to access and change definitions for systems for which he is responsible.


Example: Previous Situation

Without a suitable authorization concept (e.g. users are working with SAP_ALL) the user would see all systems.


Infrastructure Roles: Advantage in Customer Environment

We provide an optional approach to maintain user-based context in PFCG roles. It is particularly useful and time-saving if you need to separate users into organizational groups and limit them by user responsibility. It has been proven for large customers who change their IT organization structure regularly, and have several user groups accessing SAP Solution Manager.

Note: Some (small) customers even maintain user context within the delivered standard roles. This approach is only a recommendation. You must decide whether to use the infrastructure role approach.

Note: For more information about the standard infrastructure roles, see the chapter “Authorizations and Roles for Infrastructure” in the SAP Solution Manager 7.1 Security Guide.


Organizational Separation based on PFCG Roles

The restriction on a particular entity level can be performed using PFCG roles.

The following slides will show you how to grant authorizations to users based on the previous example (restriction on system level).

– define PFCG role (with authorization for only certain responsibility)
– assign PFCG role to user (of corresponding group)
  – either directly
  – or via CRM Org Model to his position in the Org structure


Example: Define PFCG Role (Display only)

Defining a corresponding PFCG role helps to restrict the access to a particular object. Here authorization object AI_LMDB_OB is used to define the authorization on system level.

Recommendation: The same authorization should not exist in another role of the user, to avoid overlapping.

This example shows how to define “Display only” authorization on managed systems MW3, P9H and PI4.

03 stands for “Display” authorization


Example: Assign PFCG Role to User

Finally you need to assign the PFCG role to the corresponding user ID:

Recommendation: Other PFCG roles containing authorizations on object AI_LMDB_OB should not be assigned to the same user ID. Otherwise the authorizations can overlap.


Example: Target Situation

The end user (member of SAP Basis group A) should only be able to see the following systems:

This example represents a single application only. Other applications in SAP Solution Manager also work in this way. Other entities, like projects or solutions, are also supported.
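The recommendation against assigning several roles with AI_LMDB_OB to one user follows from the fact that authorizations from all assigned roles add up. The following audit sketch is an added example, not part of the original slides or of SAP's tooling: it takes the three responsibility groups from the example and reports users whose combined roles overlap, use a wildcard, or reach systems outside their group. Role names, user IDs and the simplified "systems"/"activities" fields are assumptions; the data is constructed.

```python
"""Audit of AI_LMDB_OB authorizations across a user's PFCG roles (constructed data)."""
from collections import defaultdict

OBJECT = "AI_LMDB_OB"

# Responsibility groups and system IDs from the slide example.
RESPONSIBILITY = {
    "A": {"MW3", "P9H", "PI4"},
    "B": {"P6J", "PEP", "PMD"},
    "C": {"EP9", "P02", "PBI"},
}
ALL_SYSTEMS = set().union(*RESPONSIBILITY.values())

# Constructed role export. Role names are hypothetical; "systems" and
# "activities" are simplified stand-ins for the object's real fields.
# Activity 03 = Display (as on the slide), 02 = Change.
ROLES = {
    "ZSM_LMDB_GROUP_A_DISP": [
        {"object": OBJECT, "systems": {"MW3", "P9H", "PI4"}, "activities": {"03"}},
    ],
    "ZSM_LMDB_GROUP_B_CHG": [
        {"object": OBJECT, "systems": {"P6J", "PEP", "PMD"}, "activities": {"02", "03"}},
    ],
    "ZSM_LMDB_ALL_DISP": [
        {"object": OBJECT, "systems": {"*"}, "activities": {"03"}},
    ],
    # UI-only role: carries no AI_LMDB_OB authorization, so it is ignored here.
    "ZSM_SMWORK_BASIC_SYSMON": [{"object": "SM_WC_VIEW"}],
}

# Constructed user assignments (user IDs are hypothetical).
USERS = {
    "BASIS_A1": {"group": "A", "roles": ["ZSM_LMDB_GROUP_A_DISP", "ZSM_SMWORK_BASIC_SYSMON"]},
    "BASIS_A2": {"group": "A", "roles": ["ZSM_LMDB_GROUP_A_DISP", "ZSM_LMDB_GROUP_B_CHG"]},
    "BASIS_C1": {"group": "C", "roles": ["ZSM_LMDB_ALL_DISP"]},
}


def lmdb_auths(role_name):
    """Return the AI_LMDB_OB authorizations carried by one role."""
    return [a for a in ROLES[role_name] if a["object"] == OBJECT]


def effective_access(role_names):
    """Union of all AI_LMDB_OB authorizations: system -> set of activities."""
    access = defaultdict(set)
    for name in role_names:
        for auth in lmdb_auths(name):
            systems = ALL_SYSTEMS if "*" in auth["systems"] else auth["systems"]
            for system in systems:
                access[system] |= auth["activities"]
    return dict(access)


def audit_user(user_id):
    """Return a list of (finding_code, detail) tuples for one user."""
    user = USERS[user_id]
    findings = []
    carriers = [r for r in user["roles"] if lmdb_auths(r)]
    # More than one role with the object: the overlap the slides warn about.
    if len(carriers) > 1:
        findings.append(("OVERLAP", sorted(carriers)))
    # A wildcard system value defeats the separation by responsibility.
    wildcard = [r for r in carriers
                if any("*" in a["systems"] for a in lmdb_auths(r))]
    if wildcard:
        findings.append(("WILDCARD", sorted(wildcard)))
    # Systems reachable through the combined roles but outside the group.
    allowed = RESPONSIBILITY[user["group"]]
    extra = {s: sorted(acts)
             for s, acts in effective_access(user["roles"]).items()
             if s not in allowed}
    if extra:
        findings.append(("OUT_OF_SCOPE", dict(sorted(extra.items()))))
    return findings


if __name__ == "__main__":
    for uid in USERS:
        print(uid, audit_user(uid) or "ok")
```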


General Recommendations


General Recommendations: Copy SAP Standard Roles

It is often necessary to define specific authorization within a SAP standard role. Since SAP standard roles can be modified by a system upgrade, copy all the SAP standard roles used into customer namespace. You can define your own authorizations later.

Exception: Some PFCG roles must not be copied to assign authorization to users. For example, the SAP_J2EE_ADMIN role must not be copied; it must be assigned directly, to activate administrator rights in the connected SAP J2EE Engine.

Work center roles: Work center roles don’t need to be copied into customer namespace, as long as no customizing of the UI is performed.

– Work Center Basic Roles: UI customizing can be performed by changing the authorization on object SM_WC_VIEW. In this case you should copy the role into customer namespace. Otherwise it is enough to generate and assign the role.

– Work Center Navigation Roles: UI customizing can be performed by changing the related links in the menu. In this case you should copy the role into customer namespace. Otherwise it is enough to assign the role to a user.

CRM navigation role: CRM UI related PFCG roles don’t need to be copied into customer namespace, as long as no customizing of the UI is performed. If you need to copy the role (e.g. in case of creating a new CRM Business Role), please do not forget to create the link to the CRM business role.


General Recommendations: Review Authorization Concept after Upgrade

Review your SAP Solution Manager authorization concept whenever you upgrade your SAP Solution Manager. The higher SAP Solution Manager release may contain new authorization objects, and the authorization checks in applications may have changed.

Recommendation: Test all functions after changing the SAP Solution Manager release, or review the authorization concept completely.


Documentation and Traceability of Authorizations

Whenever you establish or adapt your authorization concept, document it comprehensively, so that a third party can understand your changes.

Recommendation: Document only the changes that you made, on basis of the SAP template. If you create a new ABAP role, document it entirely.


General Recommendations: Development and Testing of PFCG Roles

For the initial authorization concept, and during daily operation, separate the development and tests of PFCG roles from the production SAP Solution Manager. We recommend at least a two-system SAP Solution Manager landscape.

Note: If you only have one SAP Solution Manager system, which is productive, you can move the development of PFCG roles to a separate client, but SAP Solution Manager is not multi-client-capable (several entities are cross client), so testing on this client might affect the productive client – e.g. messages that you create in test client will also appear on production client, and cannot be deleted.

[Figure: role lifecycle across Development System and Production System]
1. Development of PFCG Roles (Development System)
2. Testing of new PFCG Roles (Development System)
3. Transport of new PFCG Roles
4. Productive Use of PFCG Roles (Production System)


SAP Solution Manager Roles and Authorizations: Concept in SAP Solution Manager

After we demonstrated the authorization concept for SAP Solution Manager using SU01 and PFCG, we now show you the specifics in the SAP Solution Manager scenarios using CRM Web UI.

[Figure labels: SU01 User, PFCG Role, CRM Business Partner (Employee / Organization), CRM Business Role]


CRM Web UI and CRM Business Roles


CRM Web UI and CRM Business Roles

Contrary to most of the SAP Solution Manager functions, a few scenarios integrate a working area which is called CRM Web UI.

Within the CRM Web UI (transaction SM_CRM) it is possible to e.g.:
– Create and Process Messages (Incidents, Problems, Change Requests etc.)
– Get access to Incident and Change Management CRM Web UI work center
– Maintain Master Data
– Access to ITSM Dashboards and Reports


CRM Web UI and CRM Business Roles: Structure of a CRM Business Role (2/2)

Maintenance of CRM Business Role in Implementation Guide:
– Transaction SPRO → SAP Solution Manager Implementation Guide → Customer Relationship Management → UI Framework → Business Roles → Define Business Role
– Choose the CRM business role you want to adapt (e.g. SOLMANPRO) and double click

Here you are able to define all technical roles which characterize your CRM Business Role.

There you define the PFCG role (field PFCG Role ID), which links the CRM Business Role to your SU01 user.


Documentation


Documentation: Overview

The most important information sources for establishing an authorization concept are:

SAP Solution Manager 7.1 Security Guide
http://service.sap.com/instguides/ SAP Components SAP Solution Manager Release <current release> Operations SAP Solution Manager Security Guide <current release>

SDN Wiki “SMAUTH”
http://wiki.sdn.sap.com/wiki/display/SMAUTH/Home


Documentation: Security Guide

The SAP Security Guide is the primary documentation for establishing an authorization concept for SAP Solution Manager, and provides a collection of SAP guidelines and recommendations pertaining to SAP System security.

This document offers general guidelines for obtaining a medium level of security. The security of your own system landscape, and the use of software packages (SAP and non-SAP) are also important factors in achieving overall system security, so analyze your own risks and needs and establish your own security policy (or policies). This guide assists you in this process, but cannot replace your own customer-specific policies.


How to Use the Security Guide? Online Help

You need a good understanding of your future SAP Solution Manager applications before you use the Security Guide. See the SAP online help under http://help.sap.com/ → SAP Solution Manager 7.1.

Determine which SAP Solution Manager scenarios you are going to use, from the Security Guide perspective (consider the terminology used by SAP – see chapter 3 “Terminology as Used in SAP Solution Manager”).


How to Use the Security Guide? Authorization Concept for SAP Solution Manager

In the next step you need to understand the SAP Solution Manager authorization concept, which differs from other products, and is in addition to the NetWeaver authorization concept.

Read the basic chapters of the Security Guide, and work through the chapter “Authorization Concept for SAP Solution Manager”.

If you are running several scenarios, consider their integration and (see chapter “Integration of Functions/Capabilities”)


How to Use the Security Guide? Core Guide

You also need to understand the basic infrastructure (communication channels, technical users, etc.), the technical basis for all scenarios and for your security concept.

Read the chapter “Landscape Setup, Configuration, and Root Cause Analysis Guide”.


How to Use the Security Guide? Scenario-Specific Guides

After you have decided which scenarios you are going to use, ONLY work through the relevant scenario chapters.


Documentation (3/4): SDN Wiki: SAP Solution Manager – Security and Authorization

SDN Wiki link: http://wiki.sdn.sap.com/wiki/display/SMAUTH/Home

The SAP Solution Manager Authorization Wiki, in SDN, is a complement to the SAP Solution Manager Security Guide. It is primarily valid for SAP Solution Manager release 7.1.

It provides:
– Authorization object documentation
– Use cases
– Best practices
– Technical infrastructure
– Frequently asked questions


Documentation (4/4): Define PFCG Roles in Authorization Concept

Security Guide:
– Which scenarios do we consider?
– Which users do I need for each scenario?
– Which roles does the user need?

Question: How to define “yellow” authorizations in a role?

SDN Wiki:
– Which scenario is considered?
– Which authorization object do we consider?
– Is there a use case that fits my situation?

Answer: The use case explains how to define authorizations.


How to get support?


Expert Guided Implementation


SAP Solution Manager 7.1: Roles and Authorization Concept

This session shows customers how to work with the roles and authorization concept in SAP Solution Manager 7.1. It even helps establish an individual authorization concept based on clear and predefined examples.

Our SAP expert guides the customer through the implementation of roles and authorizations based on a project approach for three exemplary SAP Solution Manager scenarios. With these demonstrations and exercises you will be able to adopt the authorization concept approach for all other scenarios.

Besides the classical work with authorizations (transaction PFCG) and the SAP Solution Manager specific role concept, we will also show you how to include the CRM Web UI into your concept, which is relevant for a few SAP Solution Manager scenarios.


Thank you

Contact information:

Erik Dietzel, SAP Active Global Support