Tuesday, 31 May 2011
SAP SECURITY AUTHORIZATION INTERVIEW - The authorization check for dialog users
Short introduction to the basic mode of operation
One has to deal with the following three steps.
I.
The user enters a transaction code like for example FK01.
Initially SAP® checks whether the called transaction code is valid (comparison with the entries in table TSTC) and whether the transaction code is locked (e.g. via SM01).
SAP® then checks whether the user has a corresponding authorization on the object S_TCODE.
The authorization object S_TCODE consists of only one field (TCD).
The called transaction has to be part of the existing entries.
If the assigned authorization does not meet the requirements, the user fails the authorization check at this stage already.
This is the message that accompanies this step.
If the user passes this check, SAP® continues with the next step (II.).
II.
SAP® then checks whether any transaction code authorization values were assigned to the called transaction. These can be looked up in table TSTCA; for a successful pass the user needs a matching authorization.
This maintenance is carried out with transaction SE93.
There one can define whether an additional authorization check on specifically selected authorization objects has to be passed as well.
Again, if the user fails this check, processing stops here. If this step is passed too, SAP® proceeds with the next step.
III.
SAP® checks whether the user has a match for the so-called application authorization.
Every call of a transaction leads to the execution of an SAP® program. The program assigned to the transaction can also be reviewed with transaction SE93. Whether further authorization checks are executed depends on the program's source code.
[You can check the source code for authority-checks with the help of report RSABAPSC.]
Within the authority-check the object is listed together with its fields.
The fields listed for an authorization object are always combined with a logical AND, so every listed field must match.
One example of an integrated authority-check is:
…
AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
  ID 'BUKRS' FIELD LFB1-BUKRS
  ID 'ACTVT' FIELD B_ACTVT.
IF SY-SUBRC <> 0.
  MESSAGE Exxx WITH xxx.
ENDIF.
…
In this case the object F_LFA1_BUK (vendor: authorization for company codes) is checked with both of its defined fields.
For the field BUKRS (company code) it is checked whether the user has the value provided by the variable LFB1-BUKRS assigned.
For the field ACTVT (activity) it is checked whether the user has the value provided by the variable B_ACTVT assigned.
Only when all values meet the requirements is the return code set to 0.
Otherwise the authorization check fails (IF SY-SUBRC <> 0 means the return code is not equal to 0) and the user receives an error message.
The authority-check may be part of the program itself or may be executed within a called function module. Of course, the authority-check is only executed if program flow actually passes through the corresponding section of source code.
If the dialog user passes these authorization checks successfully, he will be able to execute the called transaction.
Important exceptions
As usual there are some exceptions to the rule.
Two further settings have to be considered.
1. Disabling of authorization objects
First of all, SAP® offers the possibility to deactivate checks on authorization objects globally. If an object is listed in table TOBJ_OFF, it is excluded from all authority-checks. Objects whose names begin with S or P cannot be switched off.
2. Check indicator
The second setting to be considered is the adjustment for the individual transaction. With the help of transactions SU24/SU22, authorization objects can be maintained so that they are not checked when a transaction is called. These settings are located in the tables USOBX_C (check table for USOBT_C) and USOBT_C (relation between transaction and authorization object).
These are the customer-specific tables that apply when the profile generator is activated. The equivalent SAP® tables are USOBX and USOBT.
The values the check indicator may take are:
Y: the authorization object is checked at the call of the transaction; the default values are located in table USOBT_C
N: the authorization object is NOT checked at the call of the transaction
X: the authorization check takes place
U: not maintained
<empty>: not maintained
SAP SECURITY INTERVIEW - HOW TO assign the same role to 200 users?
You can do this using PFCG: enter the role -> Change -> go to the Users tab -> paste the users -> click on User comparison -> Complete comparison -> save the role. Done.
or
One can also use the "Authorization Data" functionality in transaction SU10 to complete this task.
Thursday, 26 May 2011
SAP SECURITY INTERVIEW - What is the use of transaction PFUD at midnight?
Tuesday, 24 May 2011
SAP SECURITY INTERVIEW - How to check which users are locked?
Run report RSUSR200, or T-code SUIM: Users -> click on "By Logon Date and Password Change" -> enter * in User and 90 in "No. days since last logon", tick "Locked users" and then execute.
Monday, 23 May 2011
SAP SECURITY INTERVIEW - What authorization objects are needed for PFCG?
SAP Transport Authorization
To release a task:
S_TRANSPRT
  ACTVT=43, 03, 75
  TTYPE=TASK
  Other TTYPE values:
    CLCP Client Transports
    CUST Customizing Requests
    DTRA Workbench Requests
    MOVE Relocation transports
    PATC Preliminary Corrections and Deliveries
    PIEC Piece lists
    TASK Tasks
    TRAN Transport of copies
S_DATASET
  PROGRAM=SAPLSTRF, SAPLSLOG
  ACTVT=34
  FILENAME=*
To release customizing requests:
S_TRANSPRT
  TTYPE=CUST
  ACTVT=43, 03, 75
S_DATASET
  PROGRAM=SAPLSCTS_RELEASE, SAPLSLOG, SAPLSTRF
  ACTVT=33, 34
  FILENAME=*
S_RFC
  FC_TYPE=FUGR
  RFC_NAME=STPA
  ACTVT=16
Authorization objects needed for PFCG access
S_USER_AGR
  ACT_GROUP=* (can be restricted by role if a proper naming convention is used)
  ACTVT=01, 02, 03, 64
  Other ACTVT values:
    01 Create or Generate
    02 Change
    03 Display
    06 Delete
    08 Display change documents
    21 Transport
    22 Enter, Include, Assign
    36 Extended maintenance
    59 Distribute
    64 Generate
    68 Model
    78 Assign
    79 Assign Role to Composite Role
    DL Download
    UL Upload
S_USER_GRP
  CLASS=
  ACTVT=22, 03
  Other ACTVT values:
    01 Create or Generate
    02 Change
    03 Display
    05 Lock
    06 Delete
    08 Display change documents
    22 Enter, Include, Assign
    24 Archive
    68 Model
    78 Assign
S_USER_TCD
  TCD=* (transactions in the role)
S_USER_PRO
  PROFILE=*
  ACTVT=01, 06
  Other ACTVT values:
    01 Create or Generate
    02 Change
    03 Display
    06 Delete
    07 Activate, generate
    08 Display change documents
    22 Enter, Include, Assign
    24 Archive
S_TCODE
  TCD=PFCG
SAP SECURITY INTERVIEW - What will happen whenever we execute a t-code?
The SAP® system program makes various checks to ensure that the user has the appropriate authorization.
1) Table TSTC is checked to see whether the tcode is locked.
2) The authorization object S_TCODE (call transaction) contains the field TCD (transaction code).
3) The user must have an authorization with a value for the selected transaction code.
4) If you have two profiles and each contains the same object with a different activity, such as "create" in one and "delete" in the other, you end up with access to both the create and the delete activity.
Saturday, 21 May 2011
SAP SECURITY INTERVIEW QUESTION - Difference between SE01, SE10 & SE09?
SE09 (Workbench Organizer): registration of modifications done on client-independent objects.
SE10 (Customizing Organizer): registration of modifications done on client-specific objects.
SE01 (Transport Organizer): can do both functions of SE09 and SE10.
Difference between short and Long Description in PFCG?
The Short Description is the actual name of the role; the Long Description is used to record whatever changes have been made since the role was created. E.g. ZT.1011001 has the short name "R/3 Test Role", and the Long Description column would then contain entries such as: Added tcode MM01, MM02; added purchasing organization 1001; removed tcode MM03.
Thursday, 19 May 2011
SAP SECURITY INTERVIEW - What is the name of critical auth object for table access through SE16
Wednesday, 18 May 2011
Sunday, 15 May 2011
Thursday, 12 May 2011
SAP SECURITY - Create an authorization object and use it in ABAP
SAP SECURITY - Create an authorization object and assign it to a user
SAP SECURITY: How to Create and Use Authorization Objects in ABAP
Authorization objects are used to control the current user's privileges for specific data selections and activities from within a program.
We can always create our own authorization objects and use them in our own ABAP programs. As an example, we will create our own authorization field similar to TCD, which is used in S_TCODE.
Steps to create an authorization field
1. Go to transaction code SU20.
2. Click the create new button on the application toolbar.
3. Enter "ZTCODE" in the Field Name and "TCODE" in the Data Element, then hit Enter.
4. Click the save button on the system toolbar.
Next step is to create the authorization class(see #1 in figure 1) and authorization object(see #2 in figure 1).
Steps to create authorization class
1. Go to transaction code SU21
2. Click on the Create button's drop down icon and select "Object Class".
3. Enter "ZTRN" on the Object Class field.
4. Give it a description and save it.
Steps to create authorization object
1. Again in SU21, in the list of authorization class(folder icon), click the one that we've created(ZTRN).
2. Click on the Create button's drop-down, this time selecting "Authorization Object".
3. Enter "Z_TCODE" on the Object field and give it a description.
4. In the authorization fields section, enter ACTVT and ZTCODE. ACTVT is used to set and limit the activity of the user, while ZTCODE is the authorization field we created earlier, which is responsible for holding a list of tcodes.
5. On the Further Authorization Object Settings, click on "Permitted activities" button. Here we will select the specific activities that we want to be available for our authorization object.
6. As an example, we will select 01(Create), 02(Change), and 03(Display).
7. Save and Exit.
Now we're done creating our own authorization object, let us now use and assign it to a user.
Steps to create a role(see figure 2)
1. Go to transaction code PFCG.
2. Enter "ZAUTHTEST" on Role field and click the "Single Role" button.
3. Now give it a description, click the save button and click the Authorization tab.
4. Click the "Change Authorization Data" button inside the authorization tab.
5. Then click the "Manually" button on the application toolbar and type in the name of the authorization object that we've created earlier("Z_TCODE") and press enter.
6. Expand all the nodes, double click on the input field of the Activity and select activity 01 and 02.
7. Enter the tcode of our own ABAP program in the ZTCODE field; in our example I used "ZCOMM".
8. Also don't forget to add the S_TCODE authorization object and enter ZCOMM in its field.
9. Now Click on the Generate button in the application toolbar and press enter on the pop-up screen.
10. Press the back button, assign a specific user on the Users tab and click the User Comparison button.
11. Now create another role by repeating steps 1 to 9, but this time select activity 03 in step 6.
12. Then assign this second role to another user.
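The post never shows the ABAP side of "use it in ABAP". Here is an added example (not the author's code) of the report behind ZCOMM performing the step III application authorization check from the dialog-user section above against the Z_TCODE object created here. The report name, the P_MODE parameter and the use of message 001 of class 00 are assumptions; the object, field names and activity values are the ones maintained above.

```abap
*&---------------------------------------------------------------------*
*& Report ZCOMM (assumed program behind tcode ZCOMM; example only)
*& Assumes: object Z_TCODE with fields ZTCODE and ACTVT exists and
*& activities 01/02/03 are permitted, as set up in SU20/SU21 above.
*&---------------------------------------------------------------------*
REPORT zcomm.

" D = display, C = create, M = change (parameter is an assumption)
PARAMETERS p_mode TYPE char1 DEFAULT 'D'.

DATA lv_actvt TYPE activ_auth.   " data element of field ACTVT (CHAR2)

" Map the requested mode to the ACTVT value allowed for Z_TCODE.
CASE p_mode.
  WHEN 'C'.     lv_actvt = '01'.  " Create
  WHEN 'M'.     lv_actvt = '02'.  " Change
  WHEN OTHERS.  lv_actvt = '03'.  " Display
ENDCASE.

" Application authorization check (step III): both fields must match
" (logical AND). ZTCODE is compared with the transaction actually
" called (sy-tcode), so a user holding ZCOMM/01 and 02 passes in
" create and change mode, while a user holding only ZCOMM/03 is
" rejected as soon as he asks for anything but display.
AUTHORITY-CHECK OBJECT 'Z_TCODE'
  ID 'ZTCODE' FIELD sy-tcode
  ID 'ACTVT'  FIELD lv_actvt.

IF sy-subrc <> 0.
  " sy-subrc 4: user has the object but not these values;
  " sy-subrc 12: no authorization for the object at all.
  " Message 00 001 is the generic "& & & &" text.
  MESSAGE e001(00) WITH 'No authorization for' sy-tcode 'activity' lv_actvt.
ENDIF.

" Only reached when the check returned 0.
WRITE: / 'Authorization granted for', sy-tcode, 'activity', lv_actvt.
```

Because the check uses sy-tcode rather than a literal, the same report can sit behind several transactions and the ZTCODE value in the role decides which of them the user may run.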
Wednesday, 11 May 2011
Security Authorization Objects for SAP BW
1. BW Reporting
- S_RS_COMP
- S_RS_COMP1
- S_RS_FOLD
- S_RS_ADMWB
- S_RS_IOBJ
- S_RS_ISOUR
- S_RS_ISRCM
- S_RS_ICUBE
- S_RS_ODSO
- S_RS_HIER
HR authorization - Structural Authorization
Structural authorizations
They control access specifically to data that is stored in time-dependent structures (organizational structures, business event hierarchies, qualifications catalog, etc.).
User and Authorization Management (BC-SEC-USR)
An element of the authorization concept.
Authorization profiles give users access to the SAP System. They contain authorizations, which are identified using the name of an authorization object and the name of an authorization. If a profile is specified in a user master record, the user is assigned all of the authorizations defined in this profile.
Personnel Management >Basic Settings > Authorization Management >Structural Authorization >Maintain Structural Profiles
[Figure: steps 1 to 6 of maintaining a structural profile; only the following table entries are recoverable]
Profile: "maintaining"
Evaluation path: O-O-S-P (Staff assignments along organizational structure)
Status vector: 12 (1 = active, 2 = planned)
Personnel Management >Basic Settings > Authorization Management >Structural Authorization >Assign Structural Authorization
[Figure: steps 7 to 9 of assigning the structural authorization]