Table of Contents

Preface ..... 19
Target Audience ..... 19
Structure of This Book ..... 20
Acknowledgments ..... 21

1 Introduction to SAP Authorizations ..... 23
1.1 What Are Authorizations? ..... 24
1.2 User Access in the SAP System ..... 25
1.3 Evolution of Authorizations from SAP ERP to SAP S/4HANA ..... 26
1.3.1 SAP ERP ..... 26
1.3.2 SAP S/4HANA ..... 27
1.3.3 SAP S/4HANA Deployments ..... 30
1.3.4 Other SAP Cloud Solutions ..... 33
1.4 SAP Fiori (Presentation Layer) ..... 34
1.5 Native Authorizations in SAP HANA (Database Layer) ..... 37
1.6 Hybrid System Landscapes and Implications on Authorizations ..... 38
1.6.1 Business Roles and SAP Business Technology Platform ..... 39
1.6.2 SAP Cloud Identity Access Governance ..... 40
1.6.3 Access Provisioning in Hybrid Landscapes ..... 41
1.6.4 Access Risk Analysis in Hybrid Landscapes ..... 43
1.7 Summary ..... 45

2 ABAP Authorization Concept ..... 47
2.1 Influences on the SAP Authorization Concept ..... 48
2.2 Basic Principles for an SAP Authorizations Concept ..... 49
2.3 ABAP Authorizations ..... 51
2.3.1 Components ..... 52
2.3.2 Authorization Default Values ..... 56
2.3.3 Code-Based Namespaces ..... 57
2.3.4 Creating Custom Authorizations ..... 58
2.3.5 Creating Custom Organizational Levels ..... 61
2.4 Roles and Profiles ..... 65
2.4.1 Roles ..... 65
2.4.2 Profiles ..... 67
2.5 Users ..... 70
2.5.1 User Master Record ..... 71
2.5.2 User Buffer ..... 72
2.5.3 User Types and Maintenance ..... 73
2.6 Authority Checks ..... 74
2.6.1 Locking Status Checks ..... 74
2.6.2 Application Start Checks ..... 75
2.6.3 Transaction Start Plausibility Checks ..... 76
2.6.4 Parameter Checks ..... 77
2.6.5 Kernel Checks ..... 78
2.6.6 Program Code Authority Checks ..... 78
2.6.7 SAP System Authorization Check Processing ..... 80
2.6.8 Switchable Authorizations ..... 81
2.6.9 Deactivating Authorization Checks ..... 85
2.7 Critical Authorizations ..... 87
2.7.1 Critical Access Scenarios ..... 88
2.7.2 Audit-Focused Authorization Objects ..... 96
2.8 Authorizations in SAP ERP Human Capital Management ..... 102
2.8.1 Business Transactions and Authorization Components ..... 103
2.8.2 All-Access in SAP ERP Human Capital Management ..... 105
2.9 Different Transaction Types ..... 106
2.9.1 Overview of Available Transactions ..... 107
2.9.2 Creating Custom Transactions ..... 111
2.9.3 Locking and Unlocking Transactions ..... 120
2.10 SAP System Check for Security Flaws ..... 121
2.10.1 System Configuration Analysis ..... 122
2.10.2 Document Analysis ..... 125
2.10.3 Roles Analysis ..... 125
2.10.4 User Analysis ..... 128
2.11 Customizing of SAP Security Settings ..... 130
2.11.1 Table PRGN_CUST ..... 131
2.11.2 Table SSM_CUST ..... 132
2.11.3 Table USR_CUST ..... 133
2.12 Summary ..... 133

3 Designing Authorization Concepts ..... 135
3.1 Role Design Approaches ..... 135
3.2 Role Types ..... 139
3.2.1 Single Roles ..... 139
3.2.2 Composite Roles ..... 141
3.2.3 Enabler Roles ..... 142
3.2.4 Authorization Templates and Standard Roles ..... 143
3.2.5 Comparison of the Role Design Concepts ..... 145
3.3 Segregation of Duties ..... 146
3.4 Determining When to Use Enabler Roles ..... 147
3.5 Role Naming Convention ..... 152
3.6 Summary ..... 154

4 Xiting Authorizations Management Suite ..... 157
4.1 Overview ..... 158
4.2 Xiting Role Designer ..... 159
4.2.1 Capabilities ..... 160
4.2.2 Analysis and Design ..... 161
4.2.3 Reporting Options of Xiting Role Designer ..... 162
4.2.4 Reporting Options for Menu Objects ..... 163
4.2.5 Reporting Options for Business Data ..... 164
4.3 Xiting ABAP Alchemist ..... 165
4.4 Xiting Role Replicator ..... 169
4.4.1 Bulk Processing of Users, Roles, and Authorizations ..... 169
4.4.2 OrgSet Replication ..... 171
4.5 Xiting Role Builder ..... 172
4.6 Xiting Times ..... 174
4.7 Xiting Role Profiler ..... 176
4.8 Xiting Security Architect ..... 179
4.9 Summary ..... 182

5 Transaction SU24: Authorization Default Values ..... 183
5.1 Overview ..... 184
5.1.1 What Are SAP Authorization Default Values? ..... 184
5.1.2 Technical Background of Authorization Default Values ..... 187
5.1.3 Helpful Tables ..... 190
5.1.4 System Layer Alignment ..... 191
5.2 Transaction SU24 Maintenance ..... 192
5.2.1 Instruments of Transaction SU24 ..... 192
5.2.2 Proposal and Check Indicator Statuses ..... 194
5.2.3 Maintenance of Default Values and Check Indicators ..... 195
5.2.4 Comparison between SAP Data and Customer Data ..... 199
5.3 Transaction SU24N ..... 200
5.3.1 General Changes ..... 200
5.3.2 Maintaining a Description for Transaction SU24 Data ..... 202
5.3.3 Default Data Variants ..... 202
5.4 Populating Data from Traces ..... 205
5.5 Best Practice Maintenance of Transaction SU24 ..... 208
5.5.1 Authorization Field Maintenance ..... 209
5.5.2 List Navigation ..... 214
5.5.3 Menu Navigation ..... 216
5.5.4 Navigation Considerations ..... 220
5.5.5 Cockpit Transactions ..... 220
5.6 Upgrading Authorization Default Values ..... 223
5.6.1 Importance of Upgrading ..... 223
5.6.2 Report SU24_AUTO_REPAIR ..... 225
5.6.3 Related Applications and Tables for a Transaction SU25 Upgrade ..... 227
5.6.4 Performing the Upgrade for Default Values ..... 228
5.6.5 Troubleshooting ..... 238
5.7 Transaction SU24 Optimization Tools ..... 239
5.8 Xiting Authorizations Management Suite: Transaction SU24 Optimization Tools ..... 241
5.8.1 Xiting Role Profiler ..... 241
5.8.2 Xiting ABAP Alchemist ..... 242
5.8.3 Xiting Role Builder SU24 Checkman ..... 242
5.9 Summary ..... 243

6 Role Maintenance in Transaction PFCG ..... 245
6.1 Navigation within Transaction PFCG ..... 247
6.1.1 Initial Screen of Transaction PFCG ..... 247
6.1.2 Single Role Maintenance Options and Tabs ..... 248
6.1.3 Composite Role Maintenance Options and Tabs ..... 254
6.2 Creation of Different Roles ..... 256
6.2.1 Role Building and Naming ..... 257
6.2.2 Single Roles ..... 259
6.2.3 Composite Roles ..... 259
6.2.4 Reference and Derived Roles ..... 261
6.2.5 Customizing Roles ..... 265
6.2.6 Role Templates ..... 268
6.2.7 Assigning and Removing Roles via Transaction PFCG ..... 269
6.3 Role Menu Objects ..... 270
6.3.1 Different Maintainable Applications ..... 270
6.3.2 Using Transaction SU24 Variants ..... 271
6.3.3 Role Menu Comparison ..... 273
6.4 Authorization Maintenance in Roles ..... 274
6.4.1 Authorization Maintenance Buttons ..... 275
6.4.2 Authorization Object Statuses ..... 277
6.4.3 Authorization Object Update Status Texts ..... 281
6.4.4 Maintenance of Organizational Levels ..... 282
6.4.5 Where-Used Lists ..... 285
6.4.6 Authorization Templates and Other Authorization Insert Options ..... 286
6.4.7 Import of Traces to Roles ..... 287
6.5 Sustainable Role Building ..... 290
6.5.1 Best Practice Presettings for Role Maintenance ..... 291
6.5.2 Best Practice Role and Authorization Maintenance ..... 292
6.5.3 Role Profile Generation ..... 296
6.6 Role Versions ..... 297
6.7 Roles Overview Status ..... 299
6.8 Selected Mass Maintenance Options for Roles ..... 301
6.8.1 Mass Role Maintenance ..... 301
6.8.2 Mass Generation of Role Profiles ..... 304
6.8.3 Mass User Comparison of Roles ..... 305
6.9 Transfer of Roles ..... 306
6.10 Xiting Authorizations Management Suite: Virtual Role Design with Xiting Role Designer ..... 308
6.10.1 Project Cockpit ..... 309
6.10.2 Design Cockpit ..... 310
6.10.3 Reports Cockpit ..... 311
6.11 Summary ..... 312

7 Authorization Analysis, Trace Tools, and Authorization Debugging ..... 315
7.1 Overview ..... 316
7.1.1 Analysis Tools ..... 316
7.1.2 Selected Authorization Trace Return Codes ..... 318
7.1.3 Activation of Profile Parameters ..... 319
7.1.4 Trace Tool Use Cases ..... 320
7.2 Transaction SU53 ..... 320
7.2.1 Description ..... 321
7.2.2 Authorization Check Failures Evaluation ..... 322
7.3 Transactions ST01/STAUTHTRACE ..... 323
7.3.1 Description ..... 324
7.3.2 Trace Evaluation for an Authorization Error ..... 326
7.4 Transaction STUSOBTRACE ..... 329
7.4.1 Description ..... 329
7.4.2 Authorization Default Value Maintenance ..... 331
7.5 Transaction STUSERTRACE ..... 333
7.5.1 Evaluation of Specific Job Functions ..... 334
7.5.2 Using Transaction STSIMAUTHCHECK ..... 335
7.6 Authorization Debugging ..... 337
7.7 Xiting Authorizations Management Suite: Enhanced Trace Evaluation ..... 344
7.7.1 Description ..... 345
7.7.2 Rapidly Analyze Authorization Failure ..... 346
7.8 Summary ..... 347

8 SAP Fiori Authorizations ..... 349
8.1 Overview ..... 349
8.1.1 Principles of SAP Fiori ..... 349
8.1.2 SAP Fiori End-User Applications ..... 350
8.2 SAP Fiori Architecture ..... 351
8.3 Deployment Options ..... 353
8.3.1 Embedded Deployment ..... 353
8.3.2 Central Hub Deployment ..... 354
8.3.3 SAP Launchpad Service ..... 355
8.4 SAP Fiori Apps Reference Library ..... 356
8.4.1 Overview ..... 356
8.4.2 Technical Components ..... 358
8.5 SAP Fiori Administrative Tools ..... 360
8.5.1 SAP Fiori Launchpad Designer ..... 360
8.5.2 SAP Fiori Launchpad Content Manager ..... 362
8.5.3 SAP Fiori Launchpad App Manager ..... 363
8.5.4 Manage Spaces and Pages App ..... 365
8.6 OData Services ..... 366
8.6.1 Description ..... 366
8.6.2 Activation of OData Services in Backend Servers ..... 367
8.6.3 Overview of Activated Services ..... 369
8.7 SAP Fiori Concept Implementation ..... 369
8.7.1 Technical and Business Catalogs ..... 370
8.7.2 Business Groups ..... 374
8.7.3 Business Spaces and Pages ..... 377
8.7.4 SAP Fiori Launchpad Personalization ..... 378
8.8 Frontend/Backend Server Authorizations ..... 379
8.8.1 SAP Fiori Role Concept ..... 380
8.8.2 Role Building Preparation ..... 382
8.8.3 Role Building for SAP Fiori Applications in the Embedded Deployment ..... 385
8.9 Troubleshooting Tools for SAP Fiori ..... 386
8.10 Xiting Authorizations Management Suite: Tool-Driven SAP Fiori Objects Implementation and Analysis ..... 392
8.10.1 Xiting Role Replicator ..... 392
8.10.2 Xiting Role Profiler ..... 393
8.11 Summary ..... 394

9 User Maintenance ..... 395
9.1 Maintenance of the User Master Record ..... 395
9.1.1 Different User Types ..... 396
9.1.2 Creating and Maintaining a User ..... 397
9.1.3 Copying a User ..... 406
9.1.4 Change Documents for Users ..... 406
9.1.5 Mass User Changes with Transaction SU10 ..... 409
9.1.6 Inactive Users ..... 415
9.2 Password Rules ..... 415
9.3 The User Buffer ..... 417
9.4 User Naming Conventions ..... 419
9.5 User Classification ..... 421
9.6 User-Related Tables ..... 421
9.7 User Access Reviews ..... 422
9.8 User Lock Status ..... 423
9.9 Security Policies ..... 423
9.10 Securing Default Accounts ..... 428
9.11 Maintaining User Groups ..... 430
9.12 Central User Administration ..... 432
9.12.1 Overview ..... 432
9.12.2 Distribution Parameters for Fields (Transaction SCUM) ..... 433
9.12.3 Central User Administration-Related Tables ..... 435
9.13 SAP Usage Data for Users ..... 436
9.14 Summary ..... 437

10 Access Governance with SAP Access Control and SAP Cloud Identity Access Governance ..... 439
10.1 SAP Access Control ..... 439
10.2 SAP Cloud Identity Access Governance ..... 443
10.2.1 Core Functionalities ..... 443
10.2.2 Key Capabilities of SAP Cloud Identity Access Governance ..... 447
10.2.3 Integrated Identity Access Governance for Hybrid Landscapes ..... 448
10.3 Understanding the Ruleset ..... 449
10.3.1 Ruleset Components ..... 449
10.3.2 Ruleset Architecture ..... 451
10.3.3 SAP Standard Rulesets ..... 452
10.3.4 Organizational Rules ..... 454
10.3.5 Simulating Risk During Role Building with the Risk Terminator ..... 455
10.4 Segregation of Duties Management Process ..... 456
10.4.1 Phases of Segregation of Duties Management ..... 456
10.4.2 Remediation and Mitigation of Risks ..... 457
10.4.3 Continuous Segregation of Duties Monitoring ..... 462
10.5 Custom Transactions for the Ruleset ..... 463
10.5.1 Analyzing Custom Transactions ..... 463
10.5.2 Enhanced Analysis with Xiting ABAP Alchemist ..... 466
10.6 Business Roles ..... 468
10.7 User Access Review ..... 470
10.8 Roles for Firefighters ..... 471
10.8.1 Defining Appropriate Usage ..... 472
10.8.2 Firefighter Types ..... 473
10.8.3 Provisioning Strategies for Firefighters ..... 474
10.9 Impact to Governance, Risk, and Compliance When Migrating and Upgrading SAP Systems ..... 475
10.10 Summary ..... 476

11 Interface Authorizations and Hardening of Interfaces ..... 477
11.1 Remote Function Call Security ..... 477
11.1.1 Overview ..... 478
11.1.2 Trusted and Untrusted Remote Function Calls ..... 479
11.1.3 Challenges and Risks with Remote System Connections ..... 480
11.1.4 Authorization Objects to Secure Your Remote Connections ..... 481
11.1.5 Remote Function Call Callback Whitelisting ..... 484
11.1.6 Remote Function Call Connections with Logon Data ..... 486
11.2 Best Practices ..... 486
11.2.1 Golden Rules ..... 487
11.2.2 Interface User Best Practices ..... 488
11.2.3 Interface Authorizations Best Practices ..... 489
11.3 SAP Unified Connectivity ..... 491
11.3.1 How Unified Connectivity Works ..... 491
11.3.2 Unified Connectivity and Authorizations ..... 492
11.4 Xiting Authorizations Management Suite: Automated and Risk-Free Role Testing and Go-Live ..... 493
11.5 Summary ..... 494

12 Migrating Authorizations to SAP S/4HANA ..... 497
12.1 Overview ..... 498
12.1.1 Simplifications within SAP S/4HANA ..... 499
12.1.2 SAP S/4HANA Data Management Architecture ..... 502
12.2 SAP HANA Database ..... 504
12.2.1 User Types ..... 505
12.2.2 SAP HANA Authorizations ..... 506
12.3 SAP S/4HANA Deployment Options ..... 507
12.3.1 SAP S/4HANA Cloud ..... 508
12.3.2 SAP S/4HANA Cloud, Extended Edition ..... 509
12.3.3 SAP S/4HANA Cloud, Private Edition ..... 510
12.3.4 SAP S/4HANA: Managed by SAP HANA Enterprise Cloud ..... 511
12.3.5 SAP S/4HANA: On-Premise or Managed by Hyperscale Cloud Providers ..... 512
12.3.6 Comparison of SAP S/4HANA Deployment Options ..... 513
12.4 Business Process Changes through SAP S/4HANA ..... 516
12.5 Core Data Services in SAP S/4HANA ..... 519
12.5.1 ABAP versus SAP HANA Core Data Services Views ..... 520
12.5.2 Security in ABAP Core Data Services ..... 521
12.5.3 ABAP Core Data Services View Troubleshooting ..... 523
12.6 Preparing for an SAP S/4HANA Migration ..... 527
12.6.1 Migration Considerations ..... 527
12.6.2 SAP S/4HANA Approaches ..... 528
12.6.3 Simplification Item Check ..... 532
12.6.4 SAP Readiness Check ..... 533
12.6.5 SAP Best Practices Explorer ..... 534
12.6.6 SAP S/4HANA Migration Cockpit ..... 535
12.6.7 Custom Code Validation ..... 536
12.6.8 Regulatory Requirements and Compliance ..... 539
12.7 Migrating Authorizations to SAP S/4HANA with Standard SAP Tools ..... 541
12.7.1 Project Administration and Basis Activities ..... 542
12.7.2 Analyzing Current Role Concepts ..... 544
12.7.3 Upgrading and Maintaining Authorization Default Values ..... 548
12.7.4 Analyzing SAP S/4HANA-Related Role Changes ..... 550
12.7.5 Evaluating and Defining Job Function Roles ..... 551
12.7.6 Transition and Enhancement of Roles for SAP S/4HANA ..... 553
12.7.7 Testing Your Authorization Concept ..... 556
12.7.8 Go-Live and Project Documentation ..... 561
12.8 Xiting Authorizations Management Suite: Helpful SAP S/4HANA Migration Features ..... 563
12.8.1 Comprehensive Usage Data Collection ..... 563
12.8.2 Role Changes through the Simplification List ..... 564
12.8.3 Security Concept ..... 565
12.9 Summary ..... 566

13 Migrating Authorizations to SAP S/4HANA with the Xiting Authorizations Management Suite ..... 567
13.1 SAP S/4HANA Migration Strategies with the Xiting Authorizations Management Suite ..... 568
13.1.1 Greenfield Migrations ..... 569
13.1.2 Brownfield Migrations ..... 572
13.2 Preparation Phase: Role Concept Validation ..... 574
13.2.1 Verifying Role Concept Quality ..... 575
13.2.2 Authorization Default Values Compliance ..... 578
13.2.3 Consistency Verification of the Inheritance Concept ..... 583
13.3 Design Phase: Conceptual Role Migration ..... 583
13.3.1 Virtual Role Concept Design ..... 584
13.3.2 Analyzing SAP S/4HANA-Related Role Changes ..... 585
13.3.3 SAP Fiori Analysis ..... 587
13.4 Implementation Phase: SAP S/4HANA Role Implementation ..... 588
13.4.1 Role Migration to SAP S/4HANA ..... 589
13.4.2 Extension of Roles with New SAP S/4HANA Functions ..... 591
13.4.3 Template Roles Replication ..... 595
13.5 Validation Phase: SAP S/4HANA Role Concept Analysis ..... 599
13.5.1 Defining and Preparing Test Scenarios ..... 600
13.5.2 Evaluating and Implementing of Test Results ..... 601
13.6 Activation Phase: Role Concept-Protected Go-Live ..... 605
13.6.1 End-User Cloning ..... 605
13.6.2 Authorization Backups ..... 607
13.7 Summary ..... 609

The Authors ..... 611
Index ..... 613