SAP SECURITY
AUTHORIZATION CONCEPT
Authorization Object Class
Authorization Object
Authorization Profile
Authorization fields, values
Types of Roles
Single Role - A container of different transaction codes and reports.
Composite Role - A combination of different single roles, created based on the job type. A composite
role has no authorization tab, because its authorizations come from the single roles it contains.
Master Role - A container of different transactions and reports, the same as a single role; it is
treated as a master role once its menu structure is derived to a child role.
Derived Role - A single role becomes a derived role when it inherits the menu structure from a parent
role. We cannot add any transaction to it: the transaction tab is disabled once it derives its
authorizations from the master role. In a derived role we only maintain organization values (company
code, plant, etc.); all other authorizations are derived from the parent role.
Q) What is the use of the master and derived role concept?
A) The master and derived role concept is used when the organization wants plant-wise, company-code-wise
or country-wise access restrictions. Authorization restriction is done at the master role level;
organization value (company code) restriction is done at the derived role level.
Q) Let's assume that I have maintained a * company code value at organization level. Will all the users
get full access to all company codes?
A) No, users will not get full access, as the organization value restriction is done at each derived
role level. For example, for the company code 1000 role the restriction to company code 1000 is done
in the derived role. Access cannot be controlled at organization level in the master role; only
authorization level access is controlled there.
SAP ECC LANDSCAPE (SAP FI System)
ECC DEV - ECC QUA - ECC PRD
SAP ECC DEV System - Role creation is done in this system, and unit testing as well if no other client
is available in the project.
SAP ECC QUA System - UAT (User Acceptance Testing) is done in this system by end users.
SAP ECC PRD System - This is the live system; display access is given to everyone except end users.
Transport Path or Route (ECC DEV - ECC QUA - ECC PRD)
Create Single Role: ZS:E_FI_AR_SUPERVISOR
Before any role creation, ask the requestor for a ticket/incident (ticketing tool: Remedy or ServiceNow).
If the approval is not already in the ticket or incident, ask the requestor to provide approval from
the business process owner (FI).
Z - Customized role
S - Single
: - Special character (separator)
E - ECC System
FI - Business Process
AR - Business Sub Process
SUPERVISOR - Free text (here it denotes the designation)
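A small checker for the naming convention just described, as an added example (not code from the original notes): it splits a role name into its convention parts and rejects names that do not conform. The 30-character limit of PFCG role names is a known SAP limit; the sample role list is constructed from the names used on this page, and the SU24 section's role name (underscore instead of colon) is reported as non-conforming.

```python
import re

# Role type letter that follows the leading Z (customized role), per the convention above
ROLE_TYPES = {"S": "single", "C": "composite", "M": "master", "D": "derived"}

# Z<type>:<system>_<business process>_<sub process>_<free text>
NAME_RE = re.compile(
    r"^Z(?P<type>[SCMD]):(?P<system>[A-Z])_(?P<process>[A-Z0-9]{2,4})"
    r"_(?P<sub>[A-Z0-9]{2,4})_(?P<text>[A-Z0-9_]+)$"
)


def parse_role_name(name: str) -> dict:
    """Split a role name into its parts; raise ValueError when it breaks the convention."""
    if len(name) > 30:  # PFCG role names (AGR_NAME) are limited to 30 characters
        raise ValueError(f"{name}: longer than 30 characters")
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"{name}: expected Z<S|C|M|D>:<sys>_<proc>_<subproc>_<text>")
    parts = m.groupdict()
    parts["type"] = ROLE_TYPES[parts["type"]]
    return parts


def check_names(names):
    """Return ({name: parsed parts} for conforming names, {name: reason} for the rest)."""
    ok, bad = {}, {}
    for name in names:
        try:
            ok[name] = parse_role_name(name)
        except ValueError as exc:
            bad[name] = str(exc)
    return ok, bad


if __name__ == "__main__":
    # Constructed sample: the role names used in these notes plus one that breaks the convention
    sample = ["ZS:E_FI_AR_SUPERVISOR", "ZC:E_FI_AR_SUPERVISOR",
              "ZM:E_FI_AP_INVOICE_DISP", "ZD:E_FI_AP_INVOICE_DISP_AUS",
              "ZS_MM_CHANGE_MATERIAL"]
    good, rejected = check_names(sample)
    for n, p in good.items():
        print(f"{n}: {p['type']} role, system {p['system']}, {p['process']}/{p['sub']}, {p['text']}")
    for why in rejected.values():
        print("REJECTED", why)
```

In practice the input list would come from an AGR_DEFINE export (SE16), so every custom role in the client is checked in one pass.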
Please log in to the ECC DEV 800 client to create a single role.
Step1: Open the SAP GUI Logon Pad and double-click on the system as shown below
Step2: Put user id as grcuser45 and password as grc@344 and press Enter
Step3: Execute PFCG (Role Maintenance)
Step4: Put the single role name ZS:E_FI_AR_SUPERVISOR and click on Single Role
Step5: Maintain the role description and long text (if required)
Step6: Click on the Menu tab and save
Step7: Click on the Transaction tab
Step8: Add the transaction codes as given by business and click on Assign Transactions
Step9: Click on the Authorizations tab and generate the profile
Step10: Click on Change Authorization Data
Step11: Click on Technical Names On
Step12: Click on Organization values and maintain the company code and account
Traffic lights shown in the authorization tree: Yellow, Green, Red
Yellow: Partially maintained
Green: All values maintained
Red: Organization values not maintained
Authorization Statuses: 4 Types
Standard, Changed, Maintained, Manually
1) Standard: The standard values pulled from SU24
2) Changed: If we change or add any value in an authorization with Standard status, its status
changes to Changed
3) Manually: The object was added manually to the role
4) Maintained: The values were maintained manually in a blank field
Step13: Now we need to maintain the values 02,03 in the field ACTVT as shown below
In real time we maintain the values of each field under an authorization object as per the business
inputs. Normally role creation starts from the security template, and new role names should follow
the naming convention already in use in the project.
During KT (Knowledge Transfer) they will give an overview of the project.
Step14: Click on Generate once all the values have been maintained in each field
Steps to Create Composite Role:
Step1: Log in to the ECC DEVELOPMENT system
Step2: Execute PFCG, put the composite role name ZC:E_FI_AR_SUPERVISOR and click on Composite Role
Step3: Maintain the description for the composite role as shown in the screenshot below, click on the
Roles tab and add the single role ZS:E_FI_AR_SUPERVISOR
Step4: Click on Menu and click on Import Menu (Read Menu) to bring in the single role's menu
Steps to Create Master Role: ZM:E_FI_AP_INVOICE_DISP and add transaction codes
Step1: Log in to the ECC DEV system, execute PFCG, put the master role name and click on Create Single Role
Step2: Click on Menu and add transaction codes MIR5, MIR6
Make sure that we only add display tcodes to this role, as the role is for display only.
If the requestor has given other tcodes that need to be added to this role, send an email to his
manager or the business process owner asking for confirmation, or ask him to propose another role.
Step3: Click on the Authorizations tab and generate the profile as shown below
Step4: Click on Change Authorization Data
Step5: Save
Step6: Maintain the values in all the fields as per the data given by business or the requestor,
click on Technical Names On as well, and maintain the * value in the organization values tab
Authorization data is pulled from SU24 for all the transaction codes that have been added at role
menu level.
Step7: Click on Generate
Steps to Create Derived Role for the Australia company code: ZD:E_FI_AP_INVOICE_DISP_AUS
Step1: Log in to the ECC Development system, execute PFCG, put the derived role name
ZD:E_FI_AP_INVOICE_DISP_AUS and click on Create Single Role
Step2: Click on the Description tab, put the master role ZM:E_FI_AP_INVOICE_DISP as the imparting role
and click on YES
Q) Can we use a derived role as a single role?
A) Yes, we can, but we need to delete the inheritance relationship in the child role.
Q) Can we add transactions to a derived role?
A) No.
Q) Why?
A) Because it derives its authorization data from the master role.
Step3: Click on the Authorizations tab, propose a profile name and click on Change Authorization Data
Step4: Click on Copy Data; all the authorizations maintained in the parent role are copied to the
derived role
Step5: Now we need to maintain the company code for Australia
Once the roles have been created in the ECC Development system we need to do the unit testing.
Normally unit testing is performed in a different client; this depends on the client requirement.
If the company has ECC DEV client 100 for role creation and ECC DEV client 110 for unit testing, then
we need to move the role from client 100 to client 110 using the SCC1 tcode.
Unit testing means capturing the roles and the added objects in a document.
Execute SCC1 and put the source client as 100 (the client the role was created in); please find the
screenshot below.
Transport Request Management
All the roles are moved from the development system to the quality system through transport requests
in SAP. The transport path is DEV - QUA - PRD. All these transports are moved by the Basis team.
Types of requests:
Customizing request: used for moving roles and any changes that do not affect other systems.
Workbench request: used for SU24 changes, and whenever database level or program level changes are
required.
The steps below need to be performed to move the roles from the Dev system to the quality system:
Log in to the Development system
Execute PFCG
Click on the truck symbol if you are planning to move a single role
If we need to move roles in bulk, follow the steps below:
Execute PFCG - Click on Utilities - Click on Mass Transport
Click on Multiple Selection
If you are not sure how many roles you have created, execute SE16 or /OSE16
Put the table name AGR_DEFINE and hit Enter
To copy the roles, use Ctrl+Y and Ctrl+C
Click on Execute
Also transport single roles for composite roles - select this option if you want to move single and
composite roles
Also transport generated profiles for single roles - select this option if we are moving derived and
master roles, or single roles that are not part of any composite role
Click on Execute
Do not select User Assignment: whoever has been assigned this role in development would otherwise be
moved along with it and get access in the production system, and we should not give any additional
access to any user
Click on Create Request
Enter the description of the role
Click on Save
All the roles have been included in the transport request EC5K900822
Now execute SE09 or SE10 to release the sub task of the main transport request EC5K900822
Click on Display Individually and put the transport request number EC5K900822
Click on OK
Click on the sub task and release it directly as shown below
Now the sub task has been moved into the main TR
Now send an email to the SAP Basis team (Distribution List - DL) for movement of transport request
EC5K900822
Hi Basis team,
Please move the below transport request from DEV System to Quality system
EC5K900822
Please confirm once these changes have been moved to Quality system
Best Regards
SAP Security Team
Q) Can we add a transaction to a derived role?
A) No, as it inherits the menu structure from the master role.
Q) Can we use a derived role as a single role?
A) Yes, if we delete or break the relationship with the master role.
Q) Can we add another role as master role once we break the relationship with the derived role?
A) No, as the option "Derive from a role" will be disabled in the derived role.
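A model of the master/derived behaviour covered by the derived role steps and by these questions, as an added example (not code from the original notes): the derived role copies menu and authorizations from the master, keeps its own organization level values, refuses new transactions while the relationship exists, and can be re-derived only if it was never broken. The authorization object F_BKPF_BUK and the company code AU01 are assumptions for the sake of the example.

```python
from copy import deepcopy


class Role:
    def __init__(self, name):
        self.name = name
        self.tcodes = set()       # transaction tab
        self.auths = {}           # object -> {field: set of values}, non-org fields only
        self.org_values = {}      # org level field (e.g. BUKRS) -> set of values
        self.parent = None        # imparting (master) role, derived roles only
        self.was_derived = False  # set once the inheritance has been broken

    def add_tcode(self, tcode):
        if self.parent is not None:
            raise PermissionError(f"{self.name}: transaction tab is disabled for a derived role")
        self.tcodes.add(tcode)

    def derive_from(self, master):
        """Description tab, 'Derive from role': allowed only for a role that was never derived."""
        if self.was_derived:
            raise PermissionError(f"{self.name}: 'Derive from role' is disabled after breaking inheritance")
        self.parent = master
        self.copy_data()

    def copy_data(self):
        # 'Copy data': menu and authorizations come from the master; org values stay local
        self.tcodes = set(self.parent.tcodes)
        self.auths = deepcopy(self.parent.auths)

    def break_inheritance(self):
        self.parent, self.was_derived = None, True  # keeps its data, now behaves as a single role

    def values_for(self, obj, field):
        """Effective values of a field: the role's own org level values win over inherited data."""
        return self.org_values.get(field, self.auths.get(obj, {}).get(field, set()))


def build_example():
    """Master with * company code plus the Australian derived role restricted to one company code."""
    # Constructed data: F_BKPF_BUK is assumed as the company-code object, AU01 is a made-up company code
    master = Role("ZM:E_FI_AP_INVOICE_DISP")
    for tcode in ("MIR5", "MIR6"):
        master.add_tcode(tcode)
    master.auths["F_BKPF_BUK"] = {"ACTVT": {"03"}}   # display only
    master.org_values["BUKRS"] = {"*"}               # * at org level in the master role
    derived = Role("ZD:E_FI_AP_INVOICE_DISP_AUS")
    derived.derive_from(master)
    derived.org_values["BUKRS"] = {"AU01"}           # only the org level is maintained here
    return master, derived
```

A user holding only the derived role sees company code AU01 even though the master carries *, which is the point of the earlier question about * at organization level.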
SU24: Maintains the assignment of authorization objects to both custom and standard SAP transactions.
It gets updated during upgrade and implementation when we perform SU25.
USOBT and USOBX tables are the SAP reference tables for SU24; these two tables get updated during
upgrade and implementation.
USOBX_C and USOBT_C are the customer tables, the customer counterparts of USOBX and USOBT.
These two customer tables get updated during SU24 changes.
SU24 Changes:
Example: F.32 Credit Management - Missing Data
If business requests that the proposal for authorization object S_PROGRAM for F.32 be set to "YES" in SU24:
Log in to the Development system, execute SU24 and put the tcode F.32
Click on Execute
Select the authorization object S_PROGRAM and click on the Change button
Set the Proposal to "YES" as shown below
Click on Save
Execute SE16 with table AGR_TCODES to check how many roles have the transaction F.32
Hit Enter, put the tcode F.32 and execute
Now we need to use expert mode on the role ZS_MM_CHANGE_MATERIAL in PFCG
Click on "Read old status and merge with new data" to bring the SU24 changes into the role
If you don't perform this step, the SU24 data, i.e. the additional authorization object, will not be
pulled into the role
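A model of the expert mode merge just described, as an added example (not code from the original notes): the role's existing authorizations are read, objects proposed in SU24 (the USOBT_C rows with proposal YES) are added in Standard status, Standard authorizations are refreshed, and Changed, Maintained and Manually authorizations are left as they are. The proposal values for S_PROGRAM and the starting role data are constructed for the example.

```python
# Constructed USOBT_C-style proposals: tcode -> object -> field -> values, only rows with proposal YES.
# S_PROGRAM for F.32 is the change requested above; the field values themselves are assumed.
SU24_PROPOSALS = {
    "F.32": {"S_PROGRAM": {"P_ACTION": {"SUBMIT"}, "P_GROUP": {"*"}}},
}

# Only authorizations in Standard status are refreshed from SU24; the other three statuses are kept
REFRESHABLE = {"Standard"}


def merge_with_new_data(role_auths, tcodes, proposals=SU24_PROPOSALS):
    """Expert mode 'Read old status and merge with new data'.

    role_auths: {object: {"status": str, "fields": {field: set(values)}}}, the role's current data.
    Returns (merged data, objects added or refreshed); the input is not modified.
    """
    merged = {obj: {"status": a["status"], "fields": {f: set(v) for f, v in a["fields"].items()}}
              for obj, a in role_auths.items()}
    touched = []
    for tcode in tcodes:
        for obj, fields in proposals.get(tcode, {}).items():
            current = merged.get(obj)
            if current is None:                        # new object from SU24 -> Standard status
                merged[obj] = {"status": "Standard",
                               "fields": {f: set(v) for f, v in fields.items()}}
                touched.append(obj)
            elif current["status"] in REFRESHABLE:     # refresh proposed values in Standard auths
                for f, v in fields.items():
                    current["fields"].setdefault(f, set()).update(v)
                touched.append(obj)
    return merged, touched


def example_role():
    """Constructed data for ZS_MM_CHANGE_MATERIAL before the merge: F.32 is in the menu,
    S_TCODE came from SU24, and the company code object was maintained by hand."""
    auths = {
        "S_TCODE": {"status": "Standard", "fields": {"TCD": {"F.32"}}},
        "F_BKPF_BUK": {"status": "Maintained", "fields": {"BUKRS": {"1000"}, "ACTVT": {"03"}}},
    }
    return auths, ["F.32"]


if __name__ == "__main__":
    before, menu = example_role()
    after, changed = merge_with_new_data(before, menu)
    print("objects pulled in from SU24:", changed)   # ['S_PROGRAM']
```

Skipping the merge leaves the role exactly as `before`, without S_PROGRAM, which is the failure the last sentence above warns about.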