
Authorizations in SAP Software: Design and Configuration
SAP Authorization System Design and Configuration
SAP PRESS
1st Edition
Published on 28 June 2010
Book
Hardback
684 pages
978-1-59229-342-1 (ISBN)
Description
This book gives you a practical and comprehensive overview of the design and management of authorizations in SAP. You'll learn how to develop a meaningful authorization concept that meets statutory requirements and is tailored to your business processes, and how those processes are implemented as authorizations in your SAP system. In addition, you'll gain insight into which tools and functions of the change management process in SAP play a role in designing and implementing an authorizations concept, and learn about SAP NetWeaver IdM, CUA, SAP BusinessObjects Access Control, and the UME. Finally, you'll discover how to implement an authorizations concept in various other SAP applications and components (SAP ERP, HCM, CRM, SRM, and BW).
Highlights:
Organization and permissions
Legal framework
Technical principles of the change management process
System preferences and customizing
Role assignment via Organizational Management
Role Manager
Central User Administration (CUA)
SAP NetWeaver Identity Management (IdM)
SAP BusinessObjects Access Control
User Management Engine (UME)
Authorizations in HCM, CRM, SRM, and BW
Permissions in Financial Accounting
Logistics and administration
More details
Language
English
Place of publication
Bonn
Germany
Target group
Professional and scholarly
Edition type
New edition
Dimensions
Height: 22.9 cm
Width: 17.5 cm
ISBN-13
978-1-59229-342-1 (9781592293421)
Persons
Author
Volker Lehnert has worked at SAP for eight years. He has worked for SAP (Switzerland) AG since 2008, where he is a consultant on all topics concerning the authorization system, and continuously returns the authorization system to its core questions: business functions, organizational concepts, and legal requirements. Within this scope, his consulting work focuses on authorization concepts, SAP BusinessObjects Access Control, and the processes of User Life Cycle Management. Furthermore, Volker Lehnert is co-author of the data privacy guideline of the German-speaking SAP User Group (DSAG).
Katharina Bonitz has worked as a technology consultant at SAP Deutschland AG since 2006, where her work focuses on the authorization concepts in the CRM environment. She works in national and international projects and regularly holds authorization workshops. She received a degree in engineering from Leipzig University of Applied Sciences, Germany. Katharina Bonitz is the author of Chapter 13, User Management Engine, Chapter 15, Authorizations in SAP CRM, and Chapter 16, Authorizations in SAP SRM.
Content
1 Introduction
PART I Business Concepts
2 Introduction and Concept Definition
2.1 Methodical Considerations
2.2 Compliance
2.3 Risk
2.4 Corporate Governance
2.5 Technical Versus Business Significance of the Authorization Concept
2.6 Technical Versus Business Roles
3 Organization and Authorizations
3.1 Example of an Organizational Differentiation
3.2 Introduction
3.3 Institutional Organization Concept
3.4 Instrumental Organization Concept
3.5 Consequences of the Examination of the Organization
3.6 Views of the Organizational Structure in SAP Systems
3.7 Organizational Levels and Structures in SAP ERP
3.8 Information on the Methodology in the Project
3.9 Summary
4 Legal Framework - Standardization Framework
4.1 Basic Principles of Internal and External Regulations
4.2 Internal Control System
4.3 Sources of Law for External Accounting
4.4 Data Privacy Laws
4.5 General Requirements for Authorization Concepts
4.6 Summary
5 Authorizations in the Process View
5.1 Process Overview
5.2 The Sales Process
5.3 The Procurement Process
5.4 Support Processes
5.5 Requirements of the Separation of Duties
5.6 Summary
PART II Tools and Authorization Maintenance in the SAP System
6 Basic Technical Principles of Authorization Maintenance
6.1 User/Authorization
6.2 Transaction - Program - Authorization Object
6.3 Role and Role Profiles
6.4 Analysis of Authorization Checks
6.5 Additional Role Types in SAP ERP
6.6 Summary
7 System Settings and Customizing
7.1 Maintaining and Using the Defaults for the Profile Generator
7.2 Upgrading Authorizations
7.3 Parameters for Password Rules
7.4 Customizing Settings for the Menu Concept
7.5 Authorization Groups
7.6 Parameter and Query Transactions
7.7 Promoting an Authorization Field to an Organizational Level
7.8 Developer and Authorization Trace
7.9 Creating Authorization Fields and Objects
7.10 Further Transactions of the Authorization Administration
7.11 Transferring Roles Between Systems or Clients
7.12 User Master Comparison
8 Role Assignment via Organizational Management
8.1 Basic Concept of SAP ERP HCM Organizational Management
8.2 Technical Prerequisites
8.3 Technical Implementation
8.4 Conceptual Special Feature
8.5 Summary
9 Automated Organizational Differentiation: The Role Generator
9.1 Challenge and Solution Approach
9.2 Implementation Example for the Area Role Concept
9.3 Integration, Restrictions, and Prospects
9.4 Summary
10 Central Administration of Users and Management of Authorizations
10.1 Basic Principles
10.2 Central User Administration
10.3 SAP BusinessObjects Access Control Compliant User Provisioning
10.4 SAP NetWeaver Identity Management
10.5 Summary
11 Authorizations: Standards and Analysis
11.1 Standards and Their Analysis
11.2 Critical Transactions and Objects
11.3 General Evaluations of Technical Standards
11.4 Summary
12 SAP BusinessObjects Access Control
12.1 Basic Principles
12.2 Risk Analysis and Remediation
12.3 Enterprise Role Management
12.4 Compliant User Provisioning
12.5 Superuser Privilege Management
12.6 Risk Terminator
12.7 Summary
13 User Management Engine
13.1 Overview of the UME
13.2 Authorization Concept of SAP NetWeaver AS Java
13.3 User and Role Administration Using the UME
13.4 Summary
PART III Authorization in Specific SAP Solutions
14 Authorizations in SAP ERP HCM
14.1 Basic Principles
14.2 Special Requirements of SAP ERP HCM
14.3 Authorizations and Roles
14.4 Authorization Main Switch
14.5 Organizational Management and Indirect Role Assignment
14.6 Structural Authorizations
14.7 Context-Sensitive Authorizations
14.8 Summary
15 Authorizations in SAP CRM
15.1 Basic Principles
15.2 Dependencies Between Business Role and PFCG Roles
15.3 Creating PFCG Roles Depending on the Business Roles
15.4 Assigning Business Roles and PFCG Roles
15.5 Sample Scenarios for Authorizations in SAP CRM
15.6 Troubleshooting in the CRM Web Client
15.7 Access Control Engine
15.8 Summary
16 Authorizations in SAP SRM
16.1 Basic Principles
16.2 Authorization Assignment in SAP SRM
16.3 Summary
17 Authorizations in SAP NetWeaver BW
17.1 OLTP Authorizations
17.2 Analysis Authorizations
17.3 Modeling Authorizations in SAP NetWeaver BW
17.4 Summary
18 Processes in SAP ERP - Specific Authorizations
18.1 Basic Principles
18.2 Authorizations in Financial Accounting
18.3 Authorizations in Controlling
18.4 Authorizations in Logistics (General)
18.5 Authorizations in Purchasing
18.6 Authorizations in Sales and Distribution
18.7 Authorizations in Technical Processes
18.8 Summary
19 Project Concepts and Approaches
19.1 Authorization Concept in the Project Context
19.2 Procedure Model
19.3 SAP Best Practices Template Role Concept
19.4 Content of an Authorization Concept
19.5 Summary
Appendices
A List of Abbreviations
B Glossary
C Bibliography
D The Authors
Index