Authorization Concept

IB - Projectmanagement - Prof.Dr.Reusch 1 Establish User Role and Authorization Concept presented by Mareike Kallweit

Page 1: Authorization Concept

IB - Projectmanagement - Prof.Dr.Reusch 1

Establish User Role and Authorization Concept

presented by Mareike Kallweit

Page 3: Authorization Concept

Start

Page 4: Authorization Concept

http://www.mit.edu/afs/athena/project/its-alive/sap-docs/R3-SecGuide-Vol1.pdf

Page 5: Authorization Concept

• Create Authorization Detailed Design

• Review Company Security Philosophy

• Document Transactions Associated with Job Functions

• Conduct Authorization Interview with Data Owners

• Identify General Information access and Service Use

• Create Authorization Management Procedures

• Implement Authorization Concept

• Create Activity Groups

• Generate Authorization Profile

• Create User Master Models for Job Roles

• Test User Master Models

• Validate Authorization Concept

• Identify Activity Group for Individual Users

• Create User Master

• Validate User Masters for Job Functions

• Refine Authorization Design

• Sign Off Authorization Design

Authorization List

Complete developed authorization environment

Realization Phase: Tasks of Establishing User Role and Authorization Concept

User Master Records for all Users

Page 6: Authorization Concept

What are User Roles and Authorization?

To access or execute SAP transactions, a user requires the corresponding authorization

A User Role defines the user’s authorization

Requirement of maximum security and sufficient privileges for end users to fulfill their job duties

Why are User Roles and an Authorization Concept necessary?

Company Security philosophy: protection from unauthorized access

Page 7: Authorization Concept

FLEXIBLE AUTHORIZATION CONCEPT

• protects applications and data from unauthorized access

• provides users with the necessary authorization for individual application

Main tool to create, implement and validate authorization concept is the Profile Generator

Page 8: Authorization Concept

Responsibilities for processes and functions already defined in Business Blueprint phase:

These responsibility definitions are used in authorization design

Company Security Philosophy

• Security policy of organization to be checked

• Security requirements in each department to be checked

• Level of Security to be recorded

• each application area must supply roles (Authorization List)

• a role is a task or activity, or combination of tasks and activities

• authorizations are based on selection of activities grouped in activity groups

Page 9: Authorization Concept

Authorization Management Procedures

To create, change and monitor activity groups, profiles, authorizations and users

• Authorization data administrator: creates activity groups, chooses transactions and maintains the authorization data; NOT allowed to generate profiles

• Authorization profile administrator: uses display mode to check the data created by the authorization data administrator; if the data is correct, the administrator generates the profiles

• User administrator: assigns activity groups to users; the authorization profile is then added to the user master record

Page 10: Authorization Concept

[Diagram labels: END-USER; Job functions?; Activity Group / User Role; Authorization; Authorization Profile (automatically generated with Profile Generator); User Master Record]

Roles are assigned to an End User

Page 11: Authorization Concept

Create Activity Groups / User Roles

Activity group/User Role:

- based on the organizational plan of the company

- covers a specific work area / job function

- includes transactions, reports, links (user menu)

- Single Roles, Derived Roles, Composite Roles

Standard User Roles

Page 12: Authorization Concept

Generate Authorization Profiles

Authorizations are defined as a set of permitted values for the fields of an authorization object

Authorization profile:

- Authorizations are combined in profiles

- contains all individual authorizations for User Roles

[Diagram: SAP transaction "CREATING SALES ORDER"; fields Sales Organization, Distribution Channel, Division, Activity = object]

Page 13: Authorization Concept

Assigning Users to Roles

[Diagram labels: Role 1, Role 2, Role 3, Role 4, Derived Role 1, Composite Role A]

• Job description and related activity group and profile must be identified for each end user

• employees of same department are often grouped in one end user group

User Masters as complete list of activity groups (User Roles) and profiles to assign to each end user

Page 14: Authorization Concept

Creating User Master Models for Job Roles

• Sample User Master Records are developed and tested for all user roles

• User Master Records are client-specific

User Master Record:

- determines which activities are contained in the user menu

- allows access to functions and objects (authorization)

- enables user to log onto SAP system / password

- contains all user parameters

- work is possible within the limits of the specified authorization profile

- definition of start menus

Page 15: Authorization Concept

Test User Masters for Job Functions

Test for users to ensure that all necessary activities and transactions can be executed and accessed

Each User Master Record (activity group and generated authorization profile) must be tested

Test if optimum data security has been achieved

Final step before productive operation:

Sign Off Authorization Design
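The model from the slides above (authorization = permitted values for the fields of an authorization object, profile per role, roles in the user master) together with the user master test, as an added Python sketch that is not part of the original presentation and not SAP code. The object name SALES_ORDER, the role and user names, the field values and the "*" wildcard are constructed assumptions.

```python
from dataclasses import dataclass, field

# Fields of the authorization object shown on the "Creating Sales Order" slide.
FIELDS = ("sales_organization", "distribution_channel", "division", "activity")

@dataclass
class Authorization:
    """Permitted values for each field of one authorization object."""
    obj: str
    permitted: dict  # field -> set of values; "*" = any value (assumed convention)

    def allows(self, obj, request):
        if obj != self.obj:
            return False
        for f in FIELDS:  # every field must match within this one authorization
            values = self.permitted.get(f, set())
            if "*" not in values and request.get(f) not in values:
                return False
        return True

@dataclass
class Role:
    """Activity group / user role with its generated authorization profile."""
    name: str
    profile: list  # list of Authorization

@dataclass
class UserMaster:
    """User master record: the roles assigned to one end user."""
    user: str
    roles: list = field(default_factory=list)

    def is_authorized(self, obj, request):
        return any(a.allows(obj, request) for r in self.roles for a in r.profile)

def req(org, channel, division, activity):
    return dict(zip(FIELDS, (org, channel, division, activity)))

def validate_user_master(um, obj, must_allow, must_deny):
    """Failed cases: needed access that is missing, or access beyond the job."""
    failures = [("missing", r) for r in must_allow if not um.is_authorized(obj, r)]
    return failures + [("excess", r) for r in must_deny if um.is_authorized(obj, r)]

# Constructed sample roles and user master model.
CLERK = Role("SALES_CLERK_1000", [Authorization("SALES_ORDER", dict(zip(FIELDS, (
    {"1000"}, {"10", "12"}, {"*"}, {"create", "display"}))))])
VIEWER = Role("SALES_VIEWER", [Authorization("SALES_ORDER", dict(zip(FIELDS, (
    {"*"}, {"*"}, {"*"}, {"display"}))))])
MODEL_CLERK = UserMaster("MODEL_CLERK", [CLERK, VIEWER])
```

Calling `validate_user_master` with both a must-allow and a must-deny list covers the two tests on the slide: every necessary activity can be executed, and nothing beyond the job function is granted. In this model the field values of two authorizations are never merged, so the clerk cannot create orders in sales organization 2000 even though one role grants "create" and the other grants all organizations.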

Page 16: Authorization Concept

for your attention !

Reference: various pages of help.sap.com