Tuesday 31 May 2011

SAP SECURITY AUTHORIZATION INTERVIEW - The authorization check for dialog users

The authorization check for dialog users
Short introduction to the basic mode of operation

The check proceeds in the following three steps.

I. 
The user enters a transaction code like for example FK01.

SAP® first checks that the called transaction code is valid (it must exist in table TSTC) and that it is not locked (for example via SM01).
SAP then checks whether the user has a corresponding authorization for the object S_TCODE.
The authorization object S_TCODE consists of only one field (TCD).
The called transaction has to be covered by the values in that field.
If the assigned authorization does not meet this requirement, the user already fails the authorization check at this stage.
This is the message that accompanies this step.

If the user passes this check, SAP continues with the next step (II.).


II.
SAP® then checks whether additional authorization values were assigned to the called transaction. These are stored in table TSTCA; to pass, the user needs a matching authorization.

This maintenance is done with transaction SE93.
There one can define whether an additional authorization check on specifically selected authorization objects has to be passed as well.

Again, if the user fails this check, processing stops here. If this step is passed as well, SAP® proceeds with the next step.

III.
SAP® checks whether the user has a matching so-called application authorization.
Every call of a transaction leads to the execution of an SAP® program. The program assigned to the transaction can also be reviewed with transaction SE93. Whether further authorization checks are executed depends on that program's source code.
[You can search the source code for such statements with the help of report RSABAPSC.]
Within the AUTHORITY-CHECK statement the object is listed together with its fields.
The fields listed for the object are always combined with a logical AND, so every listed field must match.

One entry as an example of the integrated authority-checks is:

AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
  ID 'BUKRS' FIELD LFB1-BUKRS    " company code taken from the vendor record
  ID 'ACTVT' FIELD B_ACTVT.      " activity the program is about to perform
IF SY-SUBRC <> 0.
  " no authorization matching both BUKRS and ACTVT: abort with an error message
  MESSAGE Exxx WITH xxx.
ENDIF.


In this case the object F_LFA1_BUK (vendor: authorization for company codes) is checked with both of its fields.
For the field BUKRS (company code) it is checked whether the user has the value provided by the variable LFB1-BUKRS.
For the field ACTVT (activity) it is checked whether the user has the value provided by the variable B_ACTVT.
Only when all values meet the requirements is the return value SY-SUBRC set to 0.

Otherwise the authorization check fails (IF SY-SUBRC <> 0 means the return value is not equal to 0) and the user gets an error message.

The AUTHORITY-CHECK may be part of the program itself or may be executed inside a called function module. In either case the check only runs if the program actually passes through the corresponding section of source code.
If the dialog user has passed these authorization checks successfully, he will be able to execute the called transaction.

Important exceptions 
As usual there are some exceptions to the rule.
Here two further settings have to be considered.

1. Disabling of authorization objects
First of all, SAP® offers the possibility to deactivate checks on authorization objects globally. If an object is listed in table TOBJ_OFF, it is excluded from all authority checks. Objects whose names begin with S or P cannot be switched off.

2. Check indicator 
The second option to consider is the adjustment for the individual transaction. With the help of transactions SU24/SU22, authorization objects can be maintained so that they are not checked at the call of a transaction. These settings are located in the tables USOBX_C (check table for USOBT_C) and USOBT_C (relation between transaction and authorization object).
These are the customer-specific tables that apply when the profile generator is activated. The equivalent SAP® tables are USOBX and USOBT.

The values the check indicator may take are:

  Y        the authorization object is checked at the call of the transaction;
           the default values are located in table USOBT_C
  N        the authorization object is NOT checked at the call of the transaction
  X        the authorization check takes place
  U        not maintained
  <empty>  not maintained
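The three steps and the two exceptions above, modelled as an added Python example (this is not code from the original post). The tables TSTC, TSTCA, TOBJ_OFF and USOBX_C, the profiles and the users are constructed stand-ins, and the value matching ('*', a trailing '*' prefix, a from-to range) is a simplified version of SAP's. The SY-SUBRC values 0, 4 and 12 are the ones AUTHORITY-CHECK really returns for passed, values-not-matching and no-authorization-for-object; everything else is an assumption of this example. It goes one step beyond the single F_LFA1_BUK check in the text by also showing the OR across a user's profiles (a 'create' profile and a 'delete' profile on the same object add up to both activities).

```python
"""Model of the SAP dialog-user authorization check: steps I-III, the
TOBJ_OFF switch-off and the SU24 check indicator, on constructed data."""

# ---- constructed stand-ins for the tables named in the post ----------------
TSTC = {                      # transaction -> locked (SM01)? and its program
    "FK01": {"locked": False, "program": "SAPMF02K"},
    "FK02": {"locked": True, "program": "SAPMF02K"},
}
TSTCA = {                     # SE93: extra object/values demanded at start
    "FK01": [("F_LFA1_BUK", {"ACTVT": "01"})],
}
TOBJ_OFF = {"F_BKPF_BUK"}     # globally switched-off objects (constructed)
USOBX_C = {                   # (tcode, object) -> SU24 check indicator
    ("FK01", "F_LFA1_BUK"): "Y",
    ("FK01", "F_LFA1_GEN"): "N",
}
PROFILES = {                  # profile -> [(object, {field: [allowed...]})]
    "P_TCODES": [("S_TCODE", {"TCD": ["FK*"]})],
    "P_VEND_CREATE": [
        ("F_LFA1_BUK", {"BUKRS": ["1000"], "ACTVT": ["01"]}),
        ("F_LFA1_GEN", {"ACTVT": ["03"]}),
    ],
    "P_VEND_DELETE": [
        ("F_LFA1_BUK", {"BUKRS": [("1000", "2000")], "ACTVT": ["06"]}),
    ],
}
USERS = {                     # user master record -> assigned profiles
    "VENDOR01": ["P_TCODES", "P_VEND_CREATE", "P_VEND_DELETE"],
    "DELETER01": ["P_TCODES", "P_VEND_DELETE"],
    "NOTCODE01": ["P_VEND_CREATE"],
}


def value_allowed(allowed, value):
    """One authorization value: '*' = anything, 'FK*' = prefix, (lo, hi) = range."""
    if isinstance(allowed, tuple):
        return allowed[0] <= value <= allowed[1]
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return value.startswith(allowed[:-1])
    return allowed == value


def authority_check(user, obj, fields):
    """Mimic AUTHORITY-CHECK and its SY-SUBRC: 0 passed, 4 the user holds the
    object but no authorization matches all fields, 12 the object is absent.
    Fields inside one authorization are ANDed; the authorizations collected
    from all of the user's profiles are ORed, so a 'create' profile plus a
    'delete' profile on the same object yields both activities."""
    candidates = [
        values
        for profile in USERS.get(user, [])
        for auth_obj, values in PROFILES[profile]
        if auth_obj == obj
    ]
    if not candidates:
        return 12
    for values in candidates:
        if all(any(value_allowed(a, fields[f]) for a in values.get(f, []))
               for f in fields):
            return 0
    return 4


def application_check(user, tcode, obj, fields):
    """Step III with the two exceptions: an object in TOBJ_OFF (never one
    starting with S or P) is skipped everywhere, indicator 'N' skips it for
    this transaction. A skipped check leaves SY-SUBRC at 0."""
    switched_off = obj in TOBJ_OFF and obj[0] not in "SP"
    if switched_off or USOBX_C.get((tcode, obj)) == "N":
        return 0
    return authority_check(user, obj, fields)


def call_transaction(user, tcode, program_checks):
    """Steps I-III for one transaction call. program_checks lists the
    AUTHORITY-CHECK statements the assigned program runs, with the runtime
    field values (e.g. LFB1-BUKRS) already filled in."""
    entry = TSTC.get(tcode)
    if entry is None:
        return False, f"{tcode}: unknown transaction (not in TSTC)"
    if entry["locked"]:
        return False, f"{tcode}: transaction locked (SM01)"
    if authority_check(user, "S_TCODE", {"TCD": tcode}) != 0:        # step I
        return False, f"{tcode}: no S_TCODE authorization"
    for obj, values in TSTCA.get(tcode, []):                           # step II
        if authority_check(user, obj, values) != 0:
            return False, f"{tcode}: TSTCA check on {obj} failed"
    for obj, values in program_checks:                                 # step III
        rc = application_check(user, tcode, obj, values)
        if rc != 0:
            return False, f"{tcode}: {obj} failed with SY-SUBRC {rc}"
    return True, f"{tcode}: all checks passed for {user}"


if __name__ == "__main__":
    for user in USERS:
        print(call_transaction(user, "FK01",
              [("F_LFA1_BUK", {"BUKRS": "1000", "ACTVT": "01"})]))
```

Running it shows VENDOR01 passing all three steps, NOTCODE01 failing at step I (no S_TCODE authorization at all, SY-SUBRC 12) and DELETER01 failing at step II because the TSTCA entry for FK01 demands ACTVT 01 while its only F_LFA1_BUK authorization carries ACTVT 06.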

SAP SECURITY INTERVIEW - HOW TO assign a same role to 200 users ?

You can do it using PFCG -> enter the role -> Change -> go to the Users tab -> paste the users -> click on User Comparison -> Complete Comparison -> save the role - it's done

or 

One can also use the "Authorization Data" functionality in transaction SU10 to complete this task.

Thursday 26 May 2011

SAP SECURITY INTERVIEW - What is the use of transaction PFUD at midnight?

The background job scheduled via PFUD adjusts the non-time-dependent profile assignments to the time-dependent role assignments right after midnight. You use it if you either work with time-dependent role assignments in SU01 (or SU10) or if you use indirect role assignments via the HR organizational structure, which are time-dependent too.

Tuesday 24 May 2011

SAP SECURITY INTERVIEW - How to check which users are locked?

Run report RSUSR200 or T-code SUIM: Users -> click on "By Logon Date and Password Change" -> give * in User, give 90 days in "No. days since last logon", check "Locked users" and then EXECUTE
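The selection behind RSUSR200 / SUIM described above, as an added Python example that is not part of the original post: it runs over constructed rows shaped like USR02 (BNAME, UFLAG, TRDAT). The meaning of the UFLAG bits, the report date TODAY and the user rows are assumptions of this example.

```python
"""Locked and dormant users from constructed USR02-style rows, the selection
the RSUSR200 / SUIM 'By Logon Date and Password Change' report performs."""
from datetime import date
from fnmatch import fnmatch

# Lock-status bits of USR02-UFLAG as this example assumes them.
LOCK_BITS = {
    64: "locked by administrator",
    128: "locked after failed logons",
    32: "locked globally (CUA)",
}

# Constructed rows modelled on USR02: user name, lock flag, last logon date.
USR02 = [
    {"BNAME": "ALICE",  "UFLAG": 0,        "TRDAT": date(2011, 5, 20)},
    {"BNAME": "BOB",    "UFLAG": 64,       "TRDAT": date(2011, 1, 10)},
    {"BNAME": "CAROL",  "UFLAG": 128,      "TRDAT": date(2011, 5, 22)},
    {"BNAME": "DAVE",   "UFLAG": 0,        "TRDAT": None},  # never logged on
    {"BNAME": "ERIN",   "UFLAG": 0,        "TRDAT": date(2010, 12, 1)},
    {"BNAME": "ZBATCH", "UFLAG": 64 | 128, "TRDAT": date(2011, 3, 1)},
]
TODAY = date(2011, 5, 24)  # constructed report date


def lock_reasons(uflag):
    """Decode the UFLAG bit field into the lock reasons set (empty = unlocked)."""
    return [text for bit, text in LOCK_BITS.items() if uflag & bit]


def days_since_logon(trdat, today):
    """None for a user who never logged on, otherwise the age of the last logon."""
    return None if trdat is None else (today - trdat).days


def logon_report(rows, today, user="*", min_days=90, locked_only=False):
    """Select users matching the name pattern whose last logon is at least
    min_days ago (never-logged-on users count as dormant) and, if requested,
    only those that are locked. Returns one dict per hit, sorted by name."""
    hits = []
    for row in rows:
        if not fnmatch(row["BNAME"], user):
            continue
        days = days_since_logon(row["TRDAT"], today)
        reasons = lock_reasons(row["UFLAG"])
        if days is not None and days < min_days:
            continue
        if locked_only and not reasons:
            continue
        hits.append({"BNAME": row["BNAME"], "DAYS": days, "LOCK": reasons})
    return sorted(hits, key=lambda h: h["BNAME"])


if __name__ == "__main__":
    for hit in logon_report(USR02, TODAY):
        print(hit)
```

With the constructed rows the 90-day selection returns BOB (locked by an administrator, 134 days), DAVE (never logged on) and ERIN (174 days); adding "locked only" narrows it to BOB, and a 0-day threshold with "locked only" lists every locked account regardless of logon age.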

Monday 23 May 2011

SAP SECURITY INTERVIEW - What authorization objects are needed for PFCG?

SAP Transport Authorization

To release Task

S_TRANSPRT
ACTVT=43, 03, 75
TTYPE=TASK
Other TTYPE values:
CLCP  Client transports
CUST  Customizing requests
DTRA  Workbench requests
MOVE  Relocation transports
PATC  Preliminary corrections and deliveries
PIEC  Piece lists
TASK  Tasks
TRAN  Transport of copies

S_DATASET  
PROGRAM=SAPLSTRF, SAPLSLOG 
ACTVT=34
FILENAME=* 

To release Customizing Requests

S_TRANSPRT  
TTYPE=CUST
ACTVT=43, 03, 75
S_DATASET  
PROGRAM=SAPLSCTS_RELEASE, SAPLSLOG, SAPLSTRF
ACTVT=33, 34
FILENAME=*
S_RFC 
FC_TYPE=FUGR
RFC_NAME=STPA
ACTVT=16

Authorization objects needed for PFCG access

S_USER_AGR 
ACT_GROUP= * (You can restrict by role, if proper naming convention is used)
ACTVT=01, 02, 03, 64 (the other activity values are listed below)
01   Create or Generate
02   Change
03   Display
06   Delete
08   Display change documents
21  Transport
22   Enter, Include, Assign
36   Extended maintenance
59   Distribute
64   Generate
68   Model
78   Assign
79   Assign Role to Composite Role
DL   Download
UL   Upload

S_USER_GRP 
CLASS=  
ACTVT=22; 03   
Other activity
01        Create or Generate
02        Change
03        Display
05        Lock
06        Delete
08        Display change documents
22        Enter, Include, Assign
24        Archive
68        Model
78        Assign

S_USER_TCD 
TCD=   * (Transaction in role)

S_USER_PRO
PROFILE= *
ACTVT=01, 06   
Other activity
01        Create or Generate
02        Change
03        Display
06        Delete
07        Activate, generate
08        Display change documents
22        Enter, Include, Assign
24        Archive

S_TCODE
TCD=PFCG;

SAP SECURITY INTERVIEW - What will happen whenever we execute a t-code?

The SAP system makes several checks to ensure that the user has the appropriate authorization:
1) Table TSTC is checked to see whether the tcode is locked.
2) The authorization object S_TCODE (call transaction) contains the field TCD (transaction code).
3) The user must have an authorization with a value that covers the selected transaction code.
4) If you have two profiles containing the same object with different activities, say "create" in one and "delete" in the other, you end up with access to both the create and the delete activity.

Saturday 21 May 2011

SAP SECURITY INTERVIEW QUESTION - Difference between SE01, SE10 & SE09?

SE09 (Workbench Organizer): registration of modifications done on client-independent objects
SE10 (Customizing Organizer): registration of modifications done on client-specific objects
SE01 (Transport Organizer): can do both functions of SE09 and SE10

Difference between short and Long Description in PFCG?

The Short Description is the actual name of the role, and the Long Description is used to record whatever changes have been made since the date the role was created. E.g. ZT.1011001 has the short name "R/3 Test Role"; the Long Description column then holds entries such as: Added tcode MM01, MM02; Added purchasing organization 1001; Removed tcode MM03.

Difference between se16 and sm31

SE16: table display
SM31: table/view modification

Thursday 19 May 2011

Wednesday 18 May 2011

SMT2 - Display Trusted system

  1. There is an easy way to check all trusted system status.
  2. Just execute SMT2

Thursday 12 May 2011

SAP SECURITY - Create authorization object and used in ABAP

Authorization Objects are used to manipulate the current user's privileges for specific data selection and activities from within a program.

We can create our own authorization objects and use them in our own ABAP programs. As an example, we will create our own authorization field similar to TCD used in S_TCODE.

Steps to create authorization field
1. Go to transaction code SU20
2. Click the create new button on the application toolbar.
3. Enter "ZTCODE" in the Field Name and "TCODE" in the Data Element, then hit Enter.
4. Click the save button on the system toolbar.
Next step is to create the authorization class and authorization object

Steps to create authorization class
1. Go to transaction code SU21
2. Click on the Create button's drop down icon and select "Object Class".
3. Enter "ZTRN" on the Object Class field.
4. Give it a description and save it.

Steps to create authorization object
1. Again in SU21, in the list of authorization class(folder icon), click the one that we've created(ZTRN).
2. Click on the Create button's drop-down, this time selecting "Authorization Object".
3. Enter "Z_TCODE" on the Object field and give it a description.
4. On the authorization fields section, enter ACTVT and ZTCODE. ACTVT is used to set and limit the activity of the user, while ZTCODE is the authorization field we created earlier, which holds the list of tcodes.
5. On the Further Authorization Object Settings, click on "Permitted activities" button. Here we will select the specific activities that we want to be available for our authorization object.
6. As an example, we will select 01(Create), 02(Change), and 03(Display).
7. Save and Exit.

Now we're done creating our own authorization object, let us now use and assign it to a user.

Steps to create a role
1. Go to transaction code PFCG.
2. Enter "ZAUTHTEST" on Role field and click the "Single Role" button.
3. Now give it a description, click the save button and click the Authorization tab.
4. Click the "Change Authorization Data" button inside the authorization tab.
5. Then click the "Manually" button on the application toolbar and type in the name of the authorization object that we've created earlier("Z_TCODE") and press enter.
6. Expand all the nodes, double click on the input field of the Activity and select activity 01 and 02.
7. Enter the tcode of our own ABAP program in the ZTCODE field; in our example I used "ZCOMM".
8. Also don't forget to add the S_TCODE authorization object and enter ZCOMM in its field.
9. Now click the Generate button in the application toolbar and press Enter on the pop-up screen.
10. Press the back button, assign a specific user on the Users tab and click the User Comparison button.
11. Now create another role by repeating steps 1 to 9 but this time select activity 03 on step 6.
12. Then assign this 2nd role to another user.

Wednesday 11 May 2011

Security Authorization Objects for SAP BW

Like HR, BW has its own set of authorization objects. These authorization objects are used for field-level security in BW reporting. Below are the objects, grouped by area of BW security.

1. BW Reporting 
  • S_RS_COMP
  • S_RS_COMP1
  • S_RS_FOLD
2. BW Administration
  • S_RS_ADMWB
  • S_RS_IOBJ
  • S_RS_ISOUR
  • S_RS_ISRCM
3. General Authorization Objects
  • S_RS_ICUBE
  • S_RS_ODSO
  • S_RS_HIER

One key point to note is that BW reporting authorization objects for field level security are created as needed whereas the BW administration authorization objects are used across the module to secure admin functions.

HR authorization - Structural Authorization

Structural authorizations

They control access specifically to data that is stored in time-dependent structures (organizational structures, business event hierarchies, qualifications catalog, etc.).

User and Authorization Management (BC-SEC-USR)

An element of the authorization concept.

Authorization profiles give users access to the SAP System. They contain authorizations, which are identified using the name of an authorization object and the name of an authorization. If a profile is specified in a user master record, the user is assigned all of the authorizations defined in this profile.

Personnel Management > Basic Settings > Authorization Management > Structural Authorization > Maintain Structural Profiles

[Screenshots of steps 1 to 6 of maintaining a structural profile are not reproduced here. The profile entry shown has the "maintaining" flag set, uses the evaluation path O-O-S-P (staff assignments along the organizational structure) and the status vector 12 (1 = active, 2 = planned).]

Personnel Management > Basic Settings > Authorization Management > Structural Authorization > Assign Structural Authorization

[Screenshots of steps 7 to 9 of assigning the structural authorization are not reproduced here.]