Monday, 25 July 2011
SAP SECURITY AUTHORIZATION ABAP AUTHORITY-CHECK
of the program, to check whether users have the appropriate authorization and whether these
authorizations are suitably defined; that is, whether the user administrator has assigned the
values required for the fields by the programmer. In this way, you can also protect transactions
that are called indirectly by other programs.
AUTHORITY-CHECK searches profiles specified in the user master record to see whether the
user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of
the authorizations found matches the required values, the check is successful.
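The check described above, as an added ABAP example that is not part of the original post: a report verifies the start authorization before calling a transaction indirectly and fails closed on every non-zero return code. The report name Z_AUTHORITY_CHECK_DEMO and the parameter P_TCODE are hypothetical; S_TCODE with its field TCD is the standard authorization object for starting transactions.

```abap
REPORT z_authority_check_demo.

* Hypothetical demo report: starts a transaction on behalf of the user,
* but only after an explicit AUTHORITY-CHECK has succeeded.
PARAMETERS p_tcode TYPE sy-tcode DEFAULT 'SU01'.

DATA lv_msg TYPE string.

START-OF-SELECTION.
  " Search the profiles in the user master record for an S_TCODE
  " authorization whose TCD field covers the requested transaction.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD p_tcode.

  CASE sy-subrc.
    WHEN 0.
      " One of the authorizations found matches the required value.
      CALL TRANSACTION p_tcode.
      RETURN.
    WHEN 4.
      " The user has S_TCODE authorizations, but none contains this value.
      lv_msg = |No authorization to start transaction { p_tcode }|.
    WHEN 12.
      " No authorization for the object exists in the user's profiles.
      lv_msg = |No authorization for object S_TCODE|.
    WHEN OTHERS.
      " Any other return code is also treated as a failed check.
      lv_msg = |Authority check failed, sy-subrc = { sy-subrc }|.
  ENDCASE.

  " Report the failure and end without calling the transaction.
  MESSAGE lv_msg TYPE 'S' DISPLAY LIKE 'E'.
```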
Tuesday, 12 July 2011
How to create a derived role and when to use it?
The article below was found at URL:
http://sap-securityguide.com/how-to-create-derived-role-and-when-to-use-it/#more-264
There are 2 possible reasons to use the derived role method (deriving a role's authorizations from an existing role):
● The role menus are identical but the authorizations for the menu actions are different in the derived role.
● The menu and authorizations of the derived role are identical, but the organizational levels are different in the derived role.
Step by step to create derived role
1. Create a single role that will be used as a template.
2. Enter a role description text.
3. Enter the name of the role from which all transactions including the menu structure are to be copied in the Derive from role field in the Description tab page.
4. Save to create a role whose menu was derived from another role.
If there are additional transaction codes added to the menu of the original role, they are copied into the derived role.
Step by step to copy the authorizations of the original role to the derived role
1. Make the change in the original role from which the authorizations are to be derived.
2. Click the generate derived role button to copy the authorizations to the derived role.
**Remarks**
The organization level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by another conciliation (See more detail in SAP Note 314513).
How to extract a list of users who have not logged in for 3 months
1. SUIM > Users > click By Logon Date and Password Change.
2. Enter * for the user, enter 90 days since last logon, and check locked users.
Wednesday, 6 July 2011
SAP SECURITY INTERVIEW - Customized and Workbench differences
Tuesday, 5 July 2011
SAP SECURITY INTERVIEW - Can we assign generated profiles to users directly?
Yes, but the best practice is not to assign a profile to a user master record; instead, assign a single role or composite role to the user.