2 Introduction and Concept Definition

29

2.1 Methodical Considerations

30

2.1.1 Approaches for the Business Authorization Concept

30

2.1.2 Persons Involved in the Authorization Concept

33

2.2 Compliance

33

2.3 Risk

34

2.4 Corporate Governance

38

2.5 Technical Versus Business Significance of the Authorization Concept

40

2.6 Technical Versus Business Roles

42

3 Organization and Authorizations

45

3.1 Example of an Organizational Differentiation

46

3.2 Introduction

48

3.3 Institutional Organization Concept

50

3.3.1 Object of the Organization

51

3.3.2 Legal Forms of the Organization

51

3.3.3 Organization and Environment

52

3.3.4 Summary

53

3.4 Instrumental Organization Concept

54

3.4.1 Specialization (Division of Labor)

55

3.4.2 Organizational Structure

58

3.4.3 Task Analysis

68

3.5 Consequences of the Examination of the Organization

72

3.6 Views of the Organizational Structure in SAP Systems

73

3.6.1 Organizational Management

74

3.6.2 Organization View of External Accounting

76

3.6.3 Organization View of Funds Management

77

3.6.4 Organization View of the Standard Cost Center Hierarchy

78

3.6.5 Organization View of the Profit Center Hierarchy

79

3.6.6 Enterprise Organization

80

3.6.7 Organization View in the Project System

81

3.6.8 Logistical Organization View

82

3.6.9 Integration of the Organization Views with the Authorization Concept

82

3.7 Organizational Levels and Structures in SAP ERP

83

3.7.1 Organizational Level “Client”

84

3.7.2 Relevant Organizational Levels of Accounting

84

3.7.3 Relevant Organizational Levels in MM

88

3.7.4 Relevant Organizational Levels in Sales and Distribution

89

3.7.5 Relevant Organizational Levels in Warehouse Management

89

3.7.6 Integration of the Organizational Levels with the Authorization Concept

90

3.8 Information on the Methodology in the Project

91

3.9 Summary

93

4 Legal Framework — Standardization Framework

95

4.1 Basic Principles of Internal and External Regulations

96

4.2 Internal Control System

100

4.3 Sources of Law for External Accounting

101

4.3.1 Sources of Law and Effects for the Private Sector

103

4.3.2 Concrete Requirements for the Authorization Concept

106

4.4 Data Privacy Laws

107

4.4.1 Legal Definitions Relating to Data Processing

110

4.4.2 Rights of the Person Affected

111

4.4.3 Recommendations Relating to the ICS

112

4.4.4 Concrete Requirements for the Authorization Concept

113

4.4.5 Compliance versus Data Privacy

113

4.5 General Requirements for Authorization Concepts

115

4.5.1 Identity Principle

116

4.5.2 Minimal Principle

117

4.5.3 Job Principle

117

4.5.4 Document Principle in Financial Accounting

118

4.5.5 Document Principle in Authorization Management

118

4.5.6 Separation of Duties Principle

119

4.5.7 Approval Principle

119

4.5.8 Standard Principle

120

4.5.9 Written-Form Principle

120

4.5.10 Control Principle

120

4.6 Summary

121

5 Authorizations in the Process View

123

5.1 Process Overview

123

5.2 The Sales Process

125

5.3 The Procurement Process

131

5.4 Support Processes

136

5.5 Requirements of the Separation of Duties

139

5.6 Summary

140

6 Basic Technical Principles of Authorization Maintenance

145

6.1 User/Authorization

145

6.1.1 User

146

6.1.2 User Maintenance (ABAP)

147

6.2 Transaction — Program — Authorization Object

153

6.2.1 Transaction

153

6.2.2 Check in the Program Flow

155

6.2.3 Authorization Object

158

6.3 Role and Role Profiles

163

6.3.1 Authorization Profiles

163

6.3.2 Creating and Maintaining Roles

164

6.4 Analysis of Authorization Checks

193

6.4.1 Evaluation of the Authorization Check

193

6.4.2 Analysis in the Program Flow — System Trace/Authorization Trace

195

6.4.3 Program Check

197

6.5 Additional Role Types in SAP ERP

199

6.5.1 Composite Role

200

6.5.2 Value Role/Functional Role

201

6.6 Summary

202

7 System Settings and Customizing

203

7.1 Maintaining and Using the Defaults for the Profile Generator

204

7.1.1 Functions for the Profile Generator

206

7.1.2 Function in the Upgrade

208

7.1.3 Normative Use

208

7.1.4 Using Default Values for Risk Analyses and External Role Maintenance Tools

210

7.1.5 Original State and Maintenance of Default Values

211

7.2 Upgrading Authorizations

218

7.3 Parameters for Password Rules

223

7.4 Customizing Settings for the Menu Concept

226

7.5 Authorization Groups

233

7.5.1 Optional Authorization Checks for Authorization Groups

236

7.5.2 Table Authorizations

241

7.5.3 Authorization Groups as Organizational Levels

244

7.6 Parameter and Query Transactions

246

7.6.1 Parameter Transaction for Maintaining Tables via Defined Views

248

7.6.2 Parameter Transaction for Viewing Tables

250

7.6.3 Implementing Queries in Transactions

251

7.7 Promoting an Authorization Field to an Organizational Level

254

7.7.1 Effects Analysis

254

7.7.2 Procedure for Promoting a Field to an Organizational Level

258

7.7.3 Promoting the Area of Responsibility to an Organizational Level

259

7.8 Developer and Authorization Trace

262

7.8.1 Procedure for the Developer and Authorization Trace

262

7.9 Creating Authorization Fields and Objects

265

7.9.1 Creating Authorization Fields

265

7.9.2 Creating Authorization Objects

267

7.10 Further Transactions of the Authorization Administration

269

7.11 Transferring Roles Between Systems or Clients

271

7.11.1 Downloading/Uploading Roles

271

7.11.2 Transporting Roles

272

7.12 User Master Comparison

274

7.13 Summary

274

8 Role Assignment via Organizational Management

277

8.1 Basic Concept of SAP ERP HCM Organizational Management

278

8.2 Technical Prerequisites

281

8.3 Technical Implementation

281

8.3.1 Prerequisites

282

8.3.2 Technical Basics of SAP ERP HCM Organizational Management

282

8.3.3 Assigning Roles

283

8.3.4 Evaluation Path

284

8.3.5 User Master Comparison

285

8.4 Conceptual Special Feature

285

8.5 Summary

286

9 Automated Organizational Differentiation: The Role Generator

289

9.1 Challenge and Solution Approach

290

9.1.1 Role Generator OM

292

9.1.2 Area Role Concept

295

9.1.3 Combining Area Roles and OM

298

9.2 Implementation Example for the Area Role Concept

298

9.3 Integration, Restrictions, and Prospects

307

9.4 Summary

307

10 Central Administration of Users and Management of Authorizations

309

10.1 Basic Principles

310

10.1.1 Business Background

310

10.1.2 User Lifecycle Management

313

10.1.3 SAP Solutions for the Central Administration of Users

315

10.2 Central User Administration

316

10.2.1 Procedure for Setting up the CUA

318

10.2.2 Integration with Organizational Management of SAP ERP HCM

323

10.2.3 Integration with SAP BusinessObjects Access Control

324

10.3 SAP BusinessObjects Access Control Compliant User Provisioning

325

10.4 SAP NetWeaver Identity Management

331

10.4.1 Relevant Technical Details

332

10.4.2 Functionality

333

10.4.3 Technical Architecture

340

10.4.4 Integration of SAP BusinessObjects Access Control

343

10.5 Summary

345

11 Authorizations: Standards and Analysis

347

11.1 Standards and Their Analysis

347

11.1.1 Role Instead of Profile

347

11.1.2 Definition of the Role Through Transactions

349

11.1.3 Using Defaults

351

11.1.4 Table Authorizations

351

11.1.5 Program Execution Authorizations

352

11.1.6 Derivation

353

11.1.7 Programming — Programming Guideline

354

11.2 Critical Transactions and Objects

356

11.3 General Evaluations of Technical Standards

358

11.3.1 User Information System

358

11.3.2 Table-Based Analysis of Authorizations

361

11.4 Summary

365

12 SAP BusinessObjects Access Control

367

12.1 Basic Principles

367

12.2 Risk Analysis and Remediation

371

12.3 Enterprise Role Management

377

12.4 Compliant User Provisioning

379

12.5 Superuser Privilege Management

381

12.6 Risk Terminator

383

12.7 Summary

384

13 User Management Engine

385

13.1 Overview of the UME

386

13.1.1 UME Functions

386

13.1.2 UME Architecture

387

13.1.3 User Interface of the UME

389

13.1.4 Configuration of the UME

390

13.2 Authorization Concept of SAP NetWeaver AS Java

393

13.2.1 UME Roles

394

13.2.2 UME Actions

394

13.2.3 UME Group

396

13.2.4 J2EE Security Roles

397

13.3 User and Role Administration Using the UME

399

13.3.1 Prerequisites for User and Role Administration

399

13.3.2 Administration of Users

400

13.3.3 User Types

401

13.3.4 Administration of UME Roles

402

13.3.5 Administration of UME Groups

403

13.3.6 Tracing and Logging

403

13.4 Summary

406

14 Authorizations in SAP ERP HCM

409

14.1 Basic Principles

409

14.2 Special Requirements of SAP ERP HCM

410

14.3 Authorizations and Roles

412

14.3.1 Authorization-Relevant Attributes in SAP ERP HCM

412

14.3.2 Personnel Action Example

414

14.4 Authorization Main Switch

417

14.5 Organizational Management and Indirect Role Assignment

420

14.6 Structural Authorizations

421

14.6.1 The Structural Authorization Profile

422

14.6.2 Evaluation Path

424

14.6.3 Structural Authorizations and Performance

426

14.7 Context-Sensitive Authorizations

426

14.8 Summary

429

15 Authorizations in SAP CRM

431

15.1 Basic Principles

432

15.1.1 The SAP CRM User Interface: CRM Web Client

432

15.1.2 Creating Business Roles for the CRM Web Client

440

15.2 Dependencies Between Business Role and PFCG Roles

442

15.3 Creating PFCG Roles Depending on the Business Roles

443

15.3.1 Prerequisites for Creating PFCG Roles

444

15.3.2 Creating PFCG Roles

449

15.4 Assigning Business Roles and PFCG Roles

454

15.5 Sample Scenarios for Authorizations in SAP CRM

463

15.5.1 Authorizing Interface Components

464

15.5.2 Authorizing Transaction Launcher Links

473

15.5.3 Authorizing Master Data

475

15.5.4 Authorizing Business Transactions

478

15.5.5 Authorizing Attribute Sets

488

15.5.6 Authorizing Marketing Elements

489

15.6 Troubleshooting in the CRM Web Client

491

15.7 Access Control Engine

494

15.8 Summary

507

16 Authorizations in SAP SRM

509

16.1 Basic Principles

509

16.2 Authorization Assignment in SAP SRM

512

16.2.1 Authorizations of User Interface Menus

515

16.2.2 Authorizations of Typical Business Processes

517

16.3 Summary

531

17 Authorizations in SAP NetWeaver BW

533

17.1 OLTP Authorizations

534

17.2 Analysis Authorizations

536

17.2.1 Basic Principles

537

17.2.2 Barrier Principle

538

17.2.3 Transaction RSECADMIN

539

17.2.4 Authorization Maintenance

539

17.2.5 Assignment to Users: Transactions RSU01 and SU01

542

17.2.6 Analysis and Authorization Log

546

17.2.7 Generation

549

17.2.8 Authorization Migration

551

17.3 Modeling Authorizations in SAP NetWeaver BW

552

17.3.1 InfoProvider-Based Models

553

17.3.2 Characteristic-Based Models

553

17.3.3 Mixed Models

554

17.4 Summary

554

18 Processes in SAP ERP — Specific Authorizations

555

18.1 Basic Principles

556

18.1.1 Master and Transaction Data

556

18.1.2 Organizational Levels

557

18.2 Authorizations in Financial Accounting

558

18.2.1 Organizational Differentiation Criteria

559

18.2.2 Master Data

561

18.2.3 Postings

568

18.2.4 Payment Run

572

18.3 Authorizations in Controlling

574

18.3.1 Organizational Differentiation Criteria

575

18.3.2 Maintaining Master Data

576

18.3.3 Postings

585

18.3.4 Old and New Authorization Concept in Controlling

588

18.4 Authorizations in Logistics (General)

588

18.4.1 Organizational Differentiation Criteria

588

18.4.2 Material Master/Material Type

590

18.5 Authorizations in Purchasing

594

18.5.1 Maintaining Master Data

594

18.5.2 Procurement Processing

594

18.6 Authorizations in Sales and Distribution

601

18.6.1 Maintaining Master Data

601

18.6.2 Sales Processing

602

18.7 Authorizations in Technical Processes

605

18.7.1 Segregation of Duties in Authorization Management

606

18.7.2 Segregation of Duties in the Transport System

610

18.7.3 RFC Authorizations

612

18.7.4 Debugging Authorizations

613

18.7.5 Client Change

613

18.7.6 Change Logging

615

18.7.7 Batch Authorizations

615

18.8 Summary

616

19 Project Concepts and Approaches

617

19.1 Authorization Concept in the Project Context

617

19.2 Procedure Model

620

19.2.1 Logical Approach

621

19.2.2 Implementation

622

19.2.3 Redesign

624

19.2.4 Concrete Procedure

625

19.3 SAP Best Practices Template Role Concept

628

19.3.1 SAP Best Practices

629

19.3.2 SAP Template Roles

629

19.3.3 Methodical Procedure of the SAP Best Practices Role Concept

631

19.3.4 Combination with SAP BusinessObjects Access Control

635

19.4 Content of an Authorization Concept

636

19.4.1 Introduction and Standardization Framework of the Concept

637

19.4.2 Technical Context

638

19.4.3 Risk Evaluation

638

19.4.4 Person — User — Authorization

639

19.4.5 Authorization Management

640

19.4.6 Organizational Differentiation

641

19.4.7 Process Documentation

641

19.4.8 Role Documentation

642

19.5 Summary

642

Appendices

643

A List of Abbreviations

645

B Glossary

649

C Bibliography

661

D The Authors

663