

SAP Web AS Security Guide

2 SAP Web AS Security Guide for ABAP Technology

2.2 SAP Authorization Concept

The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP System, after he or she has logged on to the system and authenticated himself or herself.

To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.

The following graphic shows the authorization components and their relationships.

[Graphic: authorization components and their relationships. Components shown: user, composite role, single role, composite profile, generated profile, manual profile, authorization, authorization objects, and authorization fields with values; the relationships are labelled m:n, 1:1 and 1:10 in the original.]

Explanation of the Graphic

User master record: Enables the user to log on to the SAP System and allows access to the functions and objects in it within the limits of the authorization profiles specified in the role. The user master record contains all information about the corresponding user, including the authorizations.

Changes only take effect when the user next logs on to the system. Users who are logged on when the change takes place are not affected in their current session.

Single role: Created with the profile generator; allows the automatic generation of an authorization profile. The role contains the authorization data and the logon menu for the user.

April 29, 2004 31


Composite role: Consists of any number of single roles.

Generated authorization profile: Generated in role maintenance from the role data.

Manual authorization profile: To minimize the maintenance effort when you are using authorization profiles, do not usually enter single authorizations in the user master record, but rather authorizations combined into authorization profiles. Changes to the authorization rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who are already logged on are not immediately affected by the changes.

We strongly recommend that you do not assign profiles manually [Page 41], but rather do so automatically with the profile generator [SAP Library].

Composite profile: Consists of any number of authorization profiles.

Authorization: Definition of an authorization object, that is, a combination of permissible values in each authorization field of an authorization object.

An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value.

If you change authorizations, all users whose authorization profile contains these authorizations are affected.

As a system administrator, you can change authorizations in the following ways:

- You can extend and change the SAP defaults with role maintenance.

- You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.

The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record.

The line of the authorization is colored yellow in the profile generator.


Authorization object: An authorization object groups up to ten fields that are related by AND.

An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately maintained in the user master.

Authorization objects are divided into classes for comprehensibility. An object class is a logical combination of authorization objects and corresponds, for example, to an application (financial accounting, human resources, and so on). The line of the authorization object class is colored orange in the profile generator.

For information about maintaining the authorization values, double-click an authorization object.

The line of the authorization object is colored green in the profile generator.

Authorization fields: Contain the values that you defined. They are connected to the data elements stored in the ABAP Dictionary.

The objects (such as authorizations, profiles, user master records, or roles) are assigned per client. For more information about transporting these objects from one client to another, or from one system to another, see the SAP Library, in the sections Transporting Authorization Components [SAP Library] and Change and Transport System (BC-CTS).

If you develop your own transactions or programs, you must add authorizations to your developments yourself (see Authorization Checks in Your Own Developments [SAP Library]).

To be able to successfully implement the authorization strategy, you need a reliable authorization plan. To produce a plan, you must first decide which users may perform which tasks in the SAP system. You then need to assign the authorizations required for these tasks in the SAP system to each user.

Working out a solid and reliable authorization plan is an ongoing process. We recommend that you regularly revise the authorization plan so that it always corresponds to your requirements. Define standard roles and procedures for creating and assigning roles, profiles, and authorizations.

See also:

Assigning Authorizations [SAP Library]

Authorization Checks [Page 42]

Authorization Checks in Customer Developments [SAP Library]

Scenario for an Authorization Check [SAP Library]

Role Maintenance [SAP Library]


2.2.1 Overview

This section of the Security Guide deals briefly with the most important areas for the topics of authorization concept and user and role maintenance:

Organizing Authorization Administration [Page 34]

Organization if You Are Using the Profile Generator [Page 35]

Setting Up Administrators [Page 35]

Setting Up Role Maintenance [Page 37]

Authorization Objects Checked in Role Maintenance [Page 38]

Organization without the Profile Generator [Page 39]

Creating and Maintaining Authorizations/Profiles Manually [Page 41]

Authorization Checks [Page 42]

Reducing the Scope of Authorization Checks [Page 44]

Searching for Deactivated Authorization Checks [Page 46]

Globally Deactivating Authorization Checks [Page 46]

Protecting Special Profiles [Page 47]

Authorization Profile SAP_ALL [Page 47]

Authorization Profile SAP_NEW [Page 47]

User Information System [Page 48]

Central User Administration [Page 49]

Security Aspects of the CUA [Page 50]

For the complete documentation for these topics, see the SAP Library, under Users and Roles (BC-SEC-USR) [SAP Library]. See also the Additional Information about the SAP Authorization Concept [Page 51].

2.2.2 Organizing Authorization Administration

The authorization system allows you great flexibility in organizing and authorizing the maintenance of user master records and roles:

If your company is small and centralized, you can have all maintenance of user master records and authorization components executed by a single superuser.

For more information on setting up superusers, see Protecting Special Users [SAP Library].

Depending on the size and organization of your company, you should, however, distribute the maintenance of user master records and authorizations among multiple administrators, each with limited areas of responsibility. This applies in particular in a decentralized environment, in which different time zones might apply. This also helps to achieve maximum system security.

Each administrator should only be able to perform certain tasks. By dividing the tasks, you avoid a situation where a single superuser has absolute control over your user authorizations. You also ensure that not only one person approves all authorizations and profiles. You should also define standard procedures for creating and assigning authorizations.


Since you can precisely restrict authorizations for user and authorization maintenance, the administrators do not have to be privileged users in your data processing organization. You can assign user and authorization maintenance to ordinary users.

We recommend that you use the role maintenance functions and the profile generator (transaction PFCG) to maintain your roles, authorizations, and profiles. The role maintenance functions support you in performing your task by automating various processes and allowing you more flexibility in your authorization plan. You can also use the central user administration functions to centrally maintain the roles delivered by SAP or your own, new roles, and to assign the roles to any number of users.

Organization if You Are Using the Profile Generator

If you are using the profile generator and role maintenance, you can distribute the administration tasks within an area (such as a department, cost center, or other organizational unit) to the following administrator types:

Authorization data administrator, who creates roles (transaction selection and authorization data), selects transactions, and maintains authorization data. However, the authorization data administrator can only save data in the Profile Generator, since he or she is not authorized to generate the profile. He or she accepts the default profile name T_.... when doing this.

Authorization profile administrator, who checks and approves the data and generates the authorization profile. To do this, he or she chooses All Roles in transaction SUPC, and then specifies the abbreviation of the role to be edited. On the following screen, he or she checks the data by choosing Display Profile.

User administrator, who maintains the user data with the user maintenance transaction (SU01) and assigns roles to the users. This enters the approved profiles in the master records of the users.

These administrators of one or more areas are administered by superusers who set up their user master records, profiles, and authorizations. We recommend that you assign the superuser, the user administrator, and the authorization administrator to the group SUPER. If you are using predefined user maintenance authorizations, this group assignment ensures that user administrators cannot change their own user master records or those of other administrators. Only administrators with the predefined profile S_A.SYSTEM can maintain users of the group SUPER.

The table in the section Setting Up Administrators [Page 35] shows the tasks that you should assign to individual administrators, tasks that you should not assign, and the templates that we have predefined for these tasks.

No authorization profile beginning with “T” may contain critical authorization objects (S_USER* objects).


Setting Up Administrators

Use

If you have organized your user administration in a decentralized manner, in which you have distributed the user maintenance tasks among multiple administrators, you must create these administrators as normal SAP users or assign these tasks to existing users.

The table below shows the tasks that you should assign to individual administrators, tasks that you should not assign, and the templates that we have predefined for these tasks.

Organization of User Administrators if You Are Using the Profile Generator

User Administrator (template SAP_ADM_US)
Permissible tasks: creating and changing user master records; assigning roles to users; assigning profiles beginning with "T" to users; displaying authorizations and profiles; using the User Information System.
Impermissible tasks: changing role data; changing or generating profiles.

Authorization Data Administrator (template SAP_ADM_AU)
Permissible tasks: creating and changing roles; changing authorization data and transaction selection in roles; using the User Information System.
Impermissible tasks: changing users; generating profiles.

Authorization Profile Administrator (template SAP_ADM_PR)
Permissible tasks: displaying roles and the associated data; using transaction PFCG or SUPC to generate the authorizations and profiles that begin with “T” for roles that have authorization data; checking roles for the existence of authorization data (transaction SUPC); performing a user master comparison (transaction PFUD, or the profile comparison within the user master comparison); using the User Information System.
Impermissible tasks: changing users; changing role data; generating authorization profiles with authorization objects that begin with S_USER.


Prerequisites

You are an administrator with the predefined profile S_A.SYSTEM, with which you can maintain users of the group SUPER.

Procedure

1. Create a role for each administrator.

a. Enter a name in the Role field in role maintenance (transaction PFCG) and choose Create Role.

b. Do not assign any transactions; instead, choose Change authorization data on the Authorizations tab page.

A dialog box appears asking you to choose a template.

c. Choose one of the following templates:

Template      Administrator
SAP_ADM_PR    Authorization profile administrator
SAP_ADM_AU    Authorization data administrator
SAP_ADM_US    User administrator

d. Generate an authorization profile in each case.

Use a profile name that does not begin with “T”, so that the authorization data administrator cannot change his or her own authorizations.

2. On the User tab page, assign the role to the relevant user, that is, to the administrator.

3. Save your entries.

4. So that the user administrators cannot change their own user master records, or those of other administrators, assign them to the group SUPER. This applies if you are using the predefined user maintenance authorizations.


a. To do this, choose the Logon Data tab page in user maintenance (transaction SU01).

b. In the User Group for Authorization Check field, enter the value SUPER.

c. Save your entries.

5. If appropriate, restrict the authorizations of the administrators further:

You can use authorization objects S_USER_AGR, S_USER_TCD and S_USER_VAL to further differentiate the roles of the administrators.

For the user administrator, you can restrict the authorization to particular user groups.

For the profile administrator, you can exclude additional authorization objects, for example, for HR data. If you want your generated authorization profiles to begin with a letter other than “T”, you should inform your profile administrator.
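An added consistency check for the administrator setup described above (example code, not from the guide or from SAP). It runs over a constructed snapshot of user master records and profiles and verifies three rules stated in this section: no profile beginning with “T” contains S_USER* objects, every administrator is in the user group SUPER, and an administrator's S_USER* authorizations do not come from a generated “T” profile. User names, profile names and profile contents are constructed.

```python
"""Consistency audit for the administrator setup in this section, run over
a constructed snapshot of user master records and authorization profiles.
Rules checked (all stated in the guide):
  1. no authorization profile whose name begins with 'T' (the profile
     generator's default prefix, which the authorization data
     administrator may change) contains critical S_USER* objects;
  2. every administrator is in the user group SUPER, so that user
     administrators cannot maintain each other's master records;
  3. an administrator's own S_USER* authorizations do not come from a
     generated 'T' profile.
Names and profile contents below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

CRITICAL_PREFIX = "S_USER"
GENERATED_PREFIX = "T"


@dataclass
class UserRecord:
    name: str
    group: str                          # User Group for Authorization Check
    profiles: Set[str] = field(default_factory=set)
    is_admin: bool = False


def critical_objects(objects: Set[str]) -> List[str]:
    """Authorization objects that grant user/role administration."""
    return sorted(o for o in objects if o.startswith(CRITICAL_PREFIX))


def audit(users: List[UserRecord],
          profiles: Dict[str, Set[str]]) -> List[str]:
    """Return one finding per rule violation (empty list = clean)."""
    findings: List[str] = []
    for pname, objects in sorted(profiles.items()):         # rule 1
        bad = critical_objects(objects)
        if pname.startswith(GENERATED_PREFIX) and bad:
            findings.append(f"profile {pname} begins with T but contains "
                            + ", ".join(bad))
    for user in users:
        if not user.is_admin:
            continue
        if user.group != "SUPER":                           # rule 2
            findings.append(f"administrator {user.name} is in group "
                            f"{user.group or '<none>'}, not SUPER")
        for pname in sorted(user.profiles):                 # rule 3
            if (pname.startswith(GENERATED_PREFIX)
                    and critical_objects(profiles.get(pname, set()))):
                findings.append(f"administrator {user.name} gets S_USER* "
                                f"authorizations from generated profile {pname}")
    return findings


# Constructed snapshot.  Z_ADM_US/AU/PR stand for profiles generated from
# the guide's templates under names that do not begin with T; T_HR_BAD is
# a generated profile that wrongly carries S_USER_GRP.
PROFILES: Dict[str, Set[str]] = {
    "Z_ADM_US": {"S_USER_GRP", "S_USER_AGR", "S_USER_PRO", "S_TCODE"},
    "Z_ADM_AU": {"S_USER_AGR", "S_USER_TCD", "S_USER_VAL", "S_TCODE"},
    "Z_ADM_PR": {"S_USER_AGR", "S_USER_PRO", "S_TCODE"},
    "T_SALES_01": {"S_TCODE", "S_TABU_DIS"},
    "T_HR_BAD": {"S_TCODE", "S_USER_GRP"},
}
USERS = [
    UserRecord("ADM_USER", "SUPER", {"Z_ADM_US"}, is_admin=True),
    UserRecord("ADM_AUTH", "SUPER", {"Z_ADM_AU"}, is_admin=True),
    UserRecord("ADM_PROF", "ZDEPT1", {"Z_ADM_PR", "T_HR_BAD"}, is_admin=True),
    UserRecord("SALESREP", "ZDEPT1", {"T_SALES_01"}),
]

if __name__ == "__main__":
    for line in audit(USERS, PROFILES):
        print(line)
```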


Setting Up Role Maintenance

You must first configure the system so that you can use the role maintenance function in the Profile Generator tool. To do this, perform the following steps:

1. Set the profile parameter auth/no_check_in_some_cases to the value Y.

2. Execute transaction SU25.

The transaction Profile Generator: Upgrade and First Installation (SU25) copies the proposals for check indicators and authorization field values delivered by SAP to the customer tables, which you can then change. You can then use the role maintenance functions and the Profile Generator to manage the authorization information for your users.

Authorization Objects Checked in Role Maintenance

The role maintenance functions (and the profile generator) check the following authorization objects:

S_USER_AUT (User master maintenance: Authorizations): This authorization object defines which authorizations the administrator can process. You can use the activities to specify the types of processing (such as creating, deleting, displaying change documents).

S_USER_GRP (User master maintenance: User groups): The authorization object is used in role maintenance when assigning users to roles and during the user master comparison.

You can divide user administration between several administrators with this authorization object, by assigning only a certain user group to an administrator. You can use the activities to specify the administrator's processing types for the group (such as creating, deleting, and archiving).

S_USER_PRO (User master maintenance: Authorization profiles): Profiles are protected with this authorization object. You can use the activities to specify the administrator's processing types for the profile (such as creating, deleting, and archiving).

S_USER_AGR (Authorization system: Check for roles): This authorization object protects roles. The roles combine users into groups to assign various properties to them; in particular, transactions and authorization profiles.

You can use this authorization object together with the authorization objects S_USER_GRP, S_USER_AUT, S_USER_PRO, S_USER_TCD, and S_USER_VAL to set up a distributed user administration.


S_USER_TCD (Authorization system: Transactions in roles): This authorization object determines the transactions that an administrator can assign to a role, and the transactions for which he or she can assign transaction authorization (object S_TCODE).

Note that a user can only maintain ranges of transactions for the S_TCODE authorization object in the Profile Generator if he or she has full authorization for the S_USER_TCD authorization object. Otherwise, he or she can only maintain individual values for the S_TCODE object.

S_USER_VAL (Authorization system: Field values in roles): This authorization object allows the restriction of values that a system administrator can insert or change in a role in the Profile Generator.

This authorization object relates to all field values with the exception of the values for the object S_TCODE.

The authorization to include transactions in a role or to change the transaction start authorization in a role is linked to the authorization object S_USER_TCD.

S_USER_SYS (Authorization object for system assignment in the Central User Administration (CUA)): You can distribute users from a central system to various child systems of a system group. The object S_USER_SYS is used to check the systems to which the user administrator can assign the users. This authorization object is also checked when setting up the CUA.

S_USER_SAS (User master maintenance: System-specific assignments): The authorization object S_USER_SAS is checked in transactions SU01, SU10, PFCG, and PFUD when you assign roles, profiles, and systems to users. It represents a development of the authorization objects S_USER_GRP, S_USER_AGR, S_USER_PRO, and S_USER_SYS, which the system previously checked when users made assignments. If you do not activate the authorization object S_USER_SAS using the Customizing switch, the previously used authorization objects are checked.

To activate authorization object S_USER_SAS, use transaction SM30 to create the Customizing switch CHECK_S_USER_SAS with the value YES in the table PRGN_CUST. All authorization checks for the objects S_USER_AGR, S_USER_PRO, S_USER_GRP, and S_USER_SYS with the activity assign are replaced by authorization checks for the object S_USER_SAS.

For more information about the authorization checks, see the system documentation for the authorization objects.


Organization without the Profile Generator

You can distribute the administration tasks to multiple administrators even if you are not using the profile generator.

The user administrator creates the user master records and maintains them.

The authorization administrator creates profiles and authorizations and maintains them.

The activation administrator activates the profiles and authorizations.

The table below shows the authorization objects that you should assign to each administrator and the authorizations that the superuser should retain.

Organization of User Administration with Manual Maintenance of Profiles

User administrator
  S_USER_GRP (User groups): CLASS = name(s) of the permissible user groups; ACTVT = 01 (create user master records), 02 (change user master records), 03 (display user master records), 04 (delete user master records)
  S_USER_PRO (Authorization profile): PROFILE = name(s) of permissible profiles; ACTVT = 22 (display profiles and enter profiles in user master records)

Activation administrator
  S_USER_PRO (Authorization profile): PROFILE = name(s) of permissible profiles; ACTVT = 06 (delete profiles), 07 (activate profiles)
  S_USER_AUT (Authorizations): OBJECT = name(s) of permissible objects; AUTH = name(s) of permissible authorizations; ACTVT = 06 (delete authorizations), 07 (activate authorizations)

Authorization administrator
  S_USER_PRO (Authorization profile): PROFILE = name(s) of permissible profiles; ACTVT = 01 (create profiles), 02 (change profiles), 03 (display profiles), 06 (delete profiles), 08 (display change documents for profiles)


Authorization administrator (continued)
  S_USER_AUT (Authorizations): OBJECT = name(s) of permissible objects; AUTH = name(s) of permissible authorizations; ACTVT = 01 (create authorizations), 02 (change authorizations), 03 (display authorizations), 06 (delete authorizations), 08 (display change documents for authorizations)

Reserve the following user group authorizations for the superuser:

Authorization for users in group SUPER:

- 05: Lock and unlock users (prevent or allow logons); change passwords

- 08: Display change documents

Creating and Maintaining Authorizations/Profiles Manually

As an alternative to maintaining your profiles and authorizations with the role maintenance functions of the Profile Generator, you can also maintain them manually.

As of SAP R/3 4.6C, we strongly recommend that you do not maintain authorizations and profiles manually. Instead, use roles and role maintenance functions to maintain your user authorization data.

As with the Profile Generator, you must first define all job descriptions for your organization. You then define the desired authorizations for each job description. These authorizations consist of fields that contain values. The authorization checks in SAP systems use these values to determine whether a user is authorized to perform certain actions. You can combine multiple authorizations in a profile. You can also create composite profiles. You then assign to each user the profiles that he or she requires to perform his or her tasks.

This section describes how to create and maintain authorizations manually.

You can generate authorizations and profiles on the basis of selectedtransactions. See Role Maintenance [SAP Library].

See also:

Administrative Tasks [SAP Library]

Maintaining Authorization Profiles [SAP Library]

Maintaining Authorizations [SAP Library]

Adding Authorization Checks to Customer Developments [SAP Library]

Analyzing Authorization Checks [SAP Library]


2.2.3 Authorization Checks

To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:

Starting SAP transactions (authorization object S_TCODE)

Starting reports (authorization object S_PROGRAM)

Calling RFC function modules (authorization object S_RFC)

Table maintenance with generic tools (S_TABU_DIS)

Checking at Program Level with AUTHORITY-CHECK

Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.

AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.

Starting SAP Transactions

When a user starts a transaction, the system performs the following checks:

The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.

The system then checks whether the user has authorization to start the transaction.

The SAP System performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.

The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.

If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitably defined authorization object (TSTA, table TSTCA).

If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).


The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.

The check is not performed in the following cases:

You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators [SAP Library], that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for Basis and HR objects.

This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.

You have globally deactivated authorization objects for all transactions [Page 46] with transaction SU24 or transaction SU25.

So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to “Y” (using transaction RZ10).

All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.

Starting Report Classes

You can perform additional authorization checks by assigning reports to authorization classes (using report RSCSAUTH). You can, for example, assign all PA* reports to an authorization class for PA (such as PAxxx). If a user wants to start a PA report, he or she requires the appropriate authorization to execute reports in this class.

We do not deliver any predefined report classes. You must decide yourself which reports you want to protect in this way.

You can also enter the authorization classes for reports with the maintenance functions for report trees. This method provides a hierarchical approach for assigning authorizations for reports. You can, for example, assign an authorization class to a report node, meaning that all reports at this node automatically belong to this class. This gives you a more transparent overview of the authorization classes to which the various reports are transported.

You must consider the following:

After you have assigned reports to authorization classes or have changed assignments, you may have to adjust objects in your authorization concept (such as roles (activity groups), profiles, or user master records).

There are certain system reports that you cannot assign to any authorization class. These include:

o RSRZLLG0

o STARTMEN (as of SAP R/3 4.0)

o Reports that are called using SUBMIT in a customer exit at logon (such as SUSR0001, ZXUSRU01).

Authorization assignments for reports are overwritten during an upgrade. After an upgrade, you must therefore restore your customer-specific report authorizations.

Calling RFC Function Modules

When RFC function modules are called by an RFC client program or another system, an authorization check is performed for the authorization object S_RFC in the called system. This check uses the name of the function group to which the function module belongs. You can deactivate this check with parameter auth/rfc_authority_check.

Checking Assignment of Authorization Groups to Tables

You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.

You can assign a table to authorization group Z000 (use transaction SM30 for table TDDAT). A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).

See also:

SAP Notes 7642, 20534, 23342, 33154, and 67766

Documentation for RSCSAUTH

Reducing the Scope of Authorization Checks

When SAP System transactions are executed, a large number of Authorization Objects [SAP Library] are often checked, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload.

If you are using the Profile Generator, you can reduce the scope of the authorization checks (transaction SU24). When the Profile Generator generates a profile, it selects all of the authorizations associated with an activity. The generated profiles are not always complete (especially in older releases of the Profile Generator), meaning that you may have to add authorizations that are not contained in the profiles manually. (This is mainly the case with programs that call other programs, where the subprogram requires additional authorizations.) To simplify the administrative tasks with the Profile Generator, you could consider reducing the scope of the authorization checks in cases such as this.

If a user in PA calls a program that in turn calls an HR routine, the user requires the corresponding HR authorizations. If you have not installed the HR components, you may not want to assign all of the HR authorizations required for the PA report to the PA users. In this case, you can deactivate the authorization checks for HR authorizations in the PA transactions.

For an authorization check to be executed, it must be included in the source code of a transaction and must not be explicitly exempt from the check.

You can suppress authorization checks without changing the program code, as check indicators control authorization checks. You also use check indicators to control which objects appear in the Profile Generator and which field values are displayed there for editing before the authorization profiles are generated automatically.

SAP supplies defaults for check indicator and authorization field values, which you should copy. You can then edit these copied defaults. You should only do this once you have defined your company's authorization concept.

You can reduce authorization checks within a transaction or exclude an authorization object globally from the check. For more information, see:

Preparatory Steps [SAP Library]

Globally Deactivating Authorization Checks [Page 46]

Reducing Authorization Checks in Transactions [SAP Library]

Editing Templates for General Authorizations [SAP Library]

Comparing Check Indicators and Field Values After a Release Upgrade [SAP Library]

Authorization objects from the Basis (S_*) and Human Resource Management applications (P_*, PLOG) cannot be excluded from authorization checks. The field values for these objects are always checked. For parameter or variant transactions, you cannot exclude authorization objects from a check directly, only using the authorization objects in the corresponding transaction.

Advantages of the Restricted Scope of Authorization Checks in SAP Systems

As explained above, by reducing the scope of authorization checks, you simplify the administration tasks connected with the Profile Generator. You should carefully weigh up which authorization checks you want to suppress. If you deactivate authorization checks, you permit users to perform tasks for which they are not explicitly authorized. You should possibly consider reducing the scope of authorization checks in the following cases:

You do not use the authorization object connected with the authorization check (as in the example above).

The authorization check for the object S_TCODE still protects the core transaction. (Note, however, that the S_TCODE authorization check only provides very general protection. This is not in itself a reason for suppressing an authorization check.)

You want to avoid permitting all values for all authorization fields in the authorization object.

Instead of assigning the asterisk (*) as the placeholder value, you can suppress authorization checks for specific objects in specific transactions. You can use a standard authorization check for the same authorization object for other transactions.

If you reduce the scope of authorization checks, you allow users to perform activities without ensuring that the users have the required authorization. This can have undesired consequences. Consider very carefully before suppressing authorization checks.

Searching for Deactivated Authority Checks

Use

Use this procedure for searching for authority checks that have been deactivated using the transaction SU24.

Procedure

1. Execute transaction SE16 for table USOBX_C.

2. Search for entries with OKFLAG set to N.

Result

The system returns a list of the transactions and objects for which authority checks have been disabled.

Globally Deactivating Authorization Checks

As of SAP R/3 4.5, you can globally suppress authorization checks for individual authorization objects. If you use this option, the system does not perform any authorization checks at all for the specified objects. If you are using the Profile Generator, the option significantly reduces authorization maintenance. The Profile Generator does not enter any authorization data for deactivated authorization checks in profiles. You also do not have to postprocess the authorization data after an upgrade for transactions for which you have globally deactivated the corresponding authorization objects.

If you suppress authorization checks, you allow users to perform activities without ensuring that the users have the required authorization. This can have undesired consequences. Consider very carefully before suppressing authorization checks for authorization objects.

To suppress authorization checks for specific authorization objects, set the profile parameter auth/object_disabling_active to the value "Y". You then select the affected authorization objects using transaction SU25 (or transaction AUTH_SWITCH_OBJECTS). [You deactivate authorization objects in the tree display by selecting the checkbox to the left of the object. The deactivated authorization objects are then displayed in red. Then activate your settings (only then are the authorization checks ignored in the system).]

Note that:

You cannot suppress authorization checks for authorization objects that belong to Basis components or to Human Resources (HR).

You require authorization for the object S_USER_OBJ to be able to suppress authorization checks for authorization objects. We recommend that you assign the relevant activities (saving, activating, or transporting) to different administrators.

If you reactivate previously suppressed authorization checks for authorization objects, you must postprocess the authorization data for the relevant roles.

These authorization objects are not contained in any role. In this case, call transaction PFCG and choose Read old status and compare with the new data on the tab page Authorizations in expert mode to generate profiles. Maintain missing authorization values and then regenerate the profile.

When transporting the settings (in transaction AUTH_SWITCH_OBJECTS), for security reasons, the system does not transport the active version of the settings, but rather the saved version. You need to explicitly activate these in the target system (Authorization Objects → Activate Data).

To save or activate deactivated authorization checks for authorization objects, you require authorization for the object S_USER_OBJ. For security reasons, you should assign the authorizations for saving and for activating deactivated authorization checks for authorization objects to different users. It makes sense to deactivate the authorization checks only if at least two people agree on this.

2.2.4 Protective Measures for Special Profiles

Some specific profiles contain critical authorizations that you must protect. The following sections describe the relevant measures:

Authorization Profile SAP_ALL [Page 47]

Authorization Profile SAP_NEW [Page 47]

For more information about these profiles, see the Profiles Tab Page [SAP Library] section.

Authorization Profile SAP_ALL

This composite profile contains all SAP authorizations, meaning that a user with this profile can perform all tasks in the SAP System. You should therefore not assign this authorization profile to any of your users. We recommend that you maintain only one user with this profile. You should keep the password of this user secret (store it in a safe) and only use it in emergencies (see also Protective Measures for SAP*).

Instead of using the SAP_ALL profile, you should distribute the authorizations contained within it to the relevant places. You should, for example, not assign the SAP_ALL authorization to the system administrator (or superuser), but rather only the authorizations required for system administration, that is the S_* authorizations. This gives the administrator authorization to administer the entire SAP System. However, he or she cannot perform any tasks in other areas (such as HR).

Authorization Profile SAP_NEW

This composite profile contains a single profile for each release that contains the authorizations that the users require to be able to continue using the functions that they have used until now, but which are protected with new authorization checks. However, you should not leave this profile active for a long period of time.

We recommend that you perform the following steps:

1. After the upgrade, delete the SAP_NEW_* profiles from the composite profile SAP_NEW for releases before the last revision of your authorization concept.

2. Assign the composite profile SAP_NEW to all users. This means that they can continue to use the functions that they have used until now.

3. Distribute the authorizations contained in the SAP_NEW single profiles to the roles or profiles that you use productively and maintain the authorization values.

4. Delete the profile assignment for SAP_NEW and the SAP_NEW profile.

A long list of SAP_NEW profiles (for example, after multiple upgrades) indicates that it is time to revise and redefine your authorization concept.

2.2.5 User Information System

Use

You can use the User Information System to obtain an overview of the authorizations and users in your SAP System at any time using search criteria that you define. In particular, you can display lists of users to whom authorizations classified as critical are assigned. You can also use the User Information System to:

Compare roles and users

Display change documents for the authorization profile of a user

Display the transactions contained in a role

Create where-used lists

We recommend that you regularly check the various lists that are important for you. Define a monitoring procedure and corresponding checklists to ensure that you constantly check your authorization plan. We also strongly recommend that you define the authorizations that are critical for you, and regularly check which users have these authorizations in their profiles.

To start the User Information System (transaction SUIM), either choose Tools → Administration → User Maintenance → Information System in the SAP menu, or, in the user maintenance transaction (SU01), choose Information → Information System.
