Basic Concepts
The introductory article gave a glimpse of one of the thousands of SAP applications delivered as part of a SAP standard package. This article follows on from there and starts our journey on SAP security. It tries to answer three basic questions: What is security? Why do we need security? and How does SAP implement security?
Q. What is Security?
A. Security in the context of IT denotes giving users access to only those system resources which they require to perform their jobs. In SAP, these resources generally take the form of either business applications or administration tools, accessed through transactions, screens, tables, programs, reports, web services, etc.
Q. Why do we need Security?
A. SAP, being an ERP solution, comes loaded with a huge number of applications which can be configured to map the business processes of an organization, such as procurement, manufacturing, sales, financial accounting, controlling and human resource management. It is imperative that only actual employees/business partners get access to the SAP system (Authentication). Further, each user of the SAP system should only have access to the applications relevant to their job (Authorization). For example, we certainly do not want an employee working on the shop floor to be able to see and update the bank details of other employees, a job typically reserved for the HR department.
Q. How does SAP implement security?
A. Authentication
Authentication is ensured by having a unique user ID and password for each user, maintained as part of the user master record. Any user trying to access a SAP system must have a valid user master record. In addition to the user ID and password, a user master record also lists the user’s name, email, telephone and the roles which allow access to different applications.
Authorization
Authorizations are implemented through roles (or, in the older terminology, activity groups) and are typically assigned to users through their user master record. Each role also has one or more corresponding authorization profiles containing different authorizations. It is the authorization profiles which actually give access to users.
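The chain described above (user master record, roles, generated profiles, authorizations) can be made concrete with a small model. The following is an added illustration, not SAP code: it mimics the semantics of an ABAP AUTHORITY-CHECK, where a check succeeds only if a single authorization in one of the user's profiles satisfies every field tested. The object and field names S_TCODE/TCD and P_ORGIN/INFTY/AUTHC are modelled on real SAP authorization objects; the role names, users, passwords and the MAX_AUTHS_PER_PROFILE limit are assumptions made up for the example.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Assumed small limit so the profile split is visible; not SAP's real limit.
MAX_AUTHS_PER_PROFILE = 3


@dataclass
class Authorization:
    """One authorization: an authorization object plus one value per field.
    '*' means any value; a trailing '*' (e.g. 'PP*') matches a prefix."""
    obj: str
    fields: dict[str, str]

    def permits(self, obj: str, tested: dict[str, str]) -> bool:
        # Every tested field must be matched by THIS one authorization;
        # a field the authorization does not maintain is a denial.
        if obj != self.obj:
            return False
        return all(fnmatchcase(value, self.fields.get(name, ""))
                   for name, value in tested.items())


@dataclass
class Profile:
    name: str
    authorizations: list[Authorization]


@dataclass
class Role:
    name: str
    authorizations: list[Authorization]

    def generate_profiles(self) -> list[Profile]:
        """Mimics PFCG generation: authorizations are packed into a profile,
        and a further profile is created once the first one is full."""
        step = MAX_AUTHS_PER_PROFILE
        chunks = [self.authorizations[i:i + step]
                  for i in range(0, len(self.authorizations), step)]
        return [Profile(f"{self.name}_{n:02d}", chunk) for n, chunk in enumerate(chunks)]


@dataclass
class UserMasterRecord:
    user_id: str
    password_hash: str
    roles: list[Role] = field(default_factory=list)


def hash_password(password: str) -> str:
    # Constructed demo: fixed salt for reproducible output; a real system
    # stores a random per-user salt next to the hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000).hex()


def authenticate(users: dict[str, UserMasterRecord], user_id: str,
                 password: str) -> UserMasterRecord | None:
    """Authentication: only a valid user master record with a matching password logs on."""
    user = users.get(user_id)
    if user is None or not hmac.compare_digest(user.password_hash, hash_password(password)):
        return None
    return user


def authority_check(user: UserMasterRecord, obj: str, **tested: str) -> bool:
    """Authorization, in the spirit of ABAP's AUTHORITY-CHECK: succeeds if any
    authorization in any profile of any of the user's roles permits the
    object/field combination. Access comes from the profiles, not the role name."""
    return any(auth.permits(obj, tested)
               for role in user.roles
               for profile in role.generate_profiles()
               for auth in profile.authorizations)


def build_demo() -> dict[str, UserMasterRecord]:
    """Constructed sample data: an HR clerk who may maintain bank details
    (infotype 0009) and a shop-floor operator who may not."""
    hr_role = Role("Z_HR_BANK", [
        Authorization("S_TCODE", {"TCD": "PA30"}),
        Authorization("P_ORGIN", {"INFTY": "0009", "AUTHC": "W"}),  # write bank details
        Authorization("P_ORGIN", {"INFTY": "0002", "AUTHC": "R"}),  # read personal data only
    ])
    shop_floor_role = Role("Z_SHOPFLOOR", [
        Authorization("S_TCODE", {"TCD": "PP*"}),    # all PP* transactions via wildcard
        Authorization("S_TCODE", {"TCD": "MM03"}),
        Authorization("S_TCODE", {"TCD": "CO11N"}),
        Authorization("S_TCODE", {"TCD": "MB1A"}),   # fourth authorization: second profile
    ])
    return {
        "HRCLERK": UserMasterRecord("HRCLERK", hash_password("hr-secret"), [hr_role]),
        "OPERATOR": UserMasterRecord("OPERATOR", hash_password("op-secret"), [shop_floor_role]),
    }


if __name__ == "__main__":
    users = build_demo()
    op = authenticate(users, "OPERATOR", "op-secret")
    print([p.name for p in op.roles[0].generate_profiles()])         # two generated profiles
    print(authority_check(op, "P_ORGIN", INFTY="0009", AUTHC="W"))    # False: no bank details
```

Two points are worth noticing when running it: the operator's four authorizations exceed the assumed per-profile limit, so the role is generated into two profiles, and the check still succeeds for the transaction held in the second profile; and the HR clerk cannot write infotype 0002 even though one authorization grants INFTY 0002 and another grants AUTHC W, because the field values must come from one and the same authorization.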
Thanks for creating this site. I was very much impressed by this site.
Could you please explain me with an example for the below sentence.
“Each role also has one or more corresponding authorisation profiles with different authorisations.”
Thanks in advance
Once you generate a role in PFCG, SAP will take the latest authorization values maintained in the role and create an authorization profile for the role. Depending on the number of distinct authorization object value combinations (authorizations) in a role, PFCG might create more than one profile for a role.
What are the maximum number of authorizations that a profile can contain ?
There is a limit but I am not sure of the exact number. A simple google search should give you the answer.
There are 150 authorizations a profile can contain.
Hi,
A profile can contain max 150 Authorizations.
thanks
Zak
Correction : it’s 170 not 150.
Correct number is 312
Can you give some examples of this kind of Roles where PFCG might create more than one profile for a role?
Thanks.
Hi Rani,
Since roles are created for clients, my roles will be different from yours. So I would not be able to give you an example. If you ever end up creating a role similar to SAP_ALL but with some specific restrictions, you will run into the case where a single role has multiple profiles.
Aninda
Hi Aninda,
Just wanted to check how we apply a trace for a user in a different instance in the ST01 tcode.
Can you please advise us in detail.
Thanking you in advance.
Regards,
Vidhu Bhushan A.N
Hi Vidhu,
Use SM51 to check the different app servers. You can select each app server from the same screen and check the users logged in. Once you know the app server, you will be able to select and login from the same SM51 screen.
Regards,
Aninda
Thanks :)
Hi Sir,
I am glad that somebody is really interested in sharing the knowledge, in a real way. I mean, without money/asking for subscription and all. Please don’t make this site chargeable in the near future as well.
All people out there can’t afford so many things in life.
Hi Aninda,
Your website is very useful to learn SAP security concepts. Do you maintain any separate page for GRC as well? If so, please let me know the page, and I also request you to provide any other website details where I can learn GRC easily and for free.
Regards,
Teja.
It is a very useful website and the best for freshers who want to learn SAP security.
Thank you