Date post: 26-Mar-2018

Volker Lehnert, Katharina Bonitz, and Larry Justice

Authorizations in SAP® Software

Design and Configuration


Galileo Press

Bonn • Boston

Contents

Foreword 19

Acknowledgments 22

PART I Business Concepts

2.1 Methodical Considerations 30

2.1.1 Approaches for the Business Authorization Concept 30

2.1.2 Persons Involved in the Authorization Concept 33

2.2 Compliance 33

2.3 Risk 34

2.4 Corporate Governance 38

2.5 Technical Versus Business Significance of the Authorization Concept 40

2.6 Technical Versus Business Roles 42

3.1 Example of an Organizational Differentiation 46

3.2 Introduction 48

3.3 Institutional Organization Concept 50

3.3.1 Object of the Organization 51

3.3.2 Legal Forms of the Organization 51

3.3.3 Organization and Environment 52

3.3.4 Summary 53

3.4 Instrumental Organization Concept 54

3.4.1 Specialization (Division of Labor) 55

3.4.2 Organizational Structure 58

3.4.3 Task Analysis 68


3.5 Consequences of the Examination of the Organization 72

3.6 Views of the Organizational Structure in SAP Systems 73

3.6.1 Organizational Management 74

3.6.2 Organization View of External Accounting 76

3.6.3 Organization View of Funds Management 77

3.6.4 Organization View of the Standard Cost Center Hierarchy 78

3.6.5 Organization View of the Profit Center Hierarchy 79

3.6.6 Enterprise Organization 80

3.6.7 Organization View in the Project System 81

3.6.8 Logistical Organization View 82

3.6.9 Integration of the Organization Views with the Authorization Concept 82

3.7 Organizational Levels and Structures in SAP ERP 83

3.7.1 Organizational Level "Client" 84

3.7.2 Relevant Organizational Levels of Accounting 84

3.7.3 Relevant Organizational Levels in MM 88

3.7.4 Relevant Organizational Levels in Sales and Distribution 89

3.7.5 Relevant Organizational Levels in Warehouse Management 89

3.7.6 Integration of the Organizational Levels with the Authorization Concept 90

3.8 Information on the Methodology in the Project 91

3.9 Summary 93


4.1 Basic Principles of Internal and External Regulations 96

4.2 Internal Control System 100

4.3 Sources of Law for External Accounting 101

4.3.1 Sources of Law and Effects for the Private Sector 103

4.3.2 Concrete Requirements for the Authorization Concept 106

4.4 Data Privacy Laws 107

4.4.1 Legal Definitions Relating to Data Processing 110

4.4.2 Rights of the Person Affected 111


4.4.3 Recommendations Relating to the ICS 112

4.4.4 Concrete Requirements for the Authorization Concept 113

4.4.5 Compliance versus Data Privacy 113

4.5 General Requirements for Authorization Concepts 115

4.5.1 Identity Principle 116

4.5.2 Minimal Principle 117

4.5.3 Job Principle 117

4.5.4 Document Principle in Financial Accounting 118

4.5.5 Document Principle in Authorization Management 118

4.5.6 Separation of Duties Principle 119

4.5.7 Approval Principle 119

4.5.8 Standard Principle 120

4.5.9 Written-Form Principle 120

4.5.10 Control Principle 120

4.6 Summary 121

5.1 Process Overview 123

5.2 The Sales Process 125

5.3 The Procurement Process 131

5.4 Support Processes 136

5.5 Requirements of the Separation of Duties 139

5.6 Summary 140

PART II Tools and Authorization Maintenance in the SAP System

6.1 User/Authorization 145

6.1.1 User 146

6.1.2 User Maintenance (ABAP) 147

6.2 Transaction — Program — Authorization Object 153

6.2.1 Transaction 153


6.2.2 Check in the Program Flow 155

6.2.3 Authorization Object 158

6.3 Role and Role Profiles 163

6.3.1 Authorization Profiles 163

6.3.2 Creating and Maintaining Roles 164

6.4 Analysis of Authorization Checks 193

6.4.1 Evaluation of the Authorization Check 193

6.4.2 Analysis in the Program Flow — System Trace/Authorization Trace 195

6.4.3 Program Check 197

6.5 Additional Role Types in SAP ERP 199

6.5.1 Composite Role 200

6.5.2 Value Role/Functional Role 201

6.6 Summary 202

7.1 Maintaining and Using the Defaults for the Profile Generator 204

7.1.1 Functions for the Profile Generator 206

7.1.2 Function in the Upgrade 208

7.1.3 Normative Use 208

7.1.4 Using Default Values for Risk Analyses and External Role Maintenance Tools 210

7.1.5 Original State and Maintenance of Default Values 211

7.2 Upgrading Authorizations 218

7.3 Parameters for Password Rules 223

7.4 Customizing Settings for the Menu Concept 226

7.5 Authorization Groups 233

7.5.1 Optional Authorization Checks for

Authorization Groups 236

7.5.2 Table Authorizations 241

7.5.3 Authorization Groups as Organizational Levels 244

7.6 Parameter and Query Transactions 246

7.6.1 Parameter Transaction for Maintaining Tables via Defined Views 248


7.6.2 Parameter Transaction for Viewing Tables 250

7.6.3 Implementing Queries in Transactions 251

7.7 Promoting an Authorization Field to an Organizational Level 254

7.7.1 Effects Analysis 254

7.7.2 Procedure for Promoting a Field to an Organizational Level 258

7.7.3 Promoting the Area of Responsibility to an Organizational Level 259

7.8 Developer and Authorization Trace 262

7.8.1 Procedure for the Developer and Authorization Trace 262

7.9 Creating Authorization Fields and Objects 265

7.9.1 Creating Authorization Fields 265

7.9.2 Creating Authorization Objects 267

7.10 Further Transactions of the Authorization Administration 269

7.11 Transferring Roles Between Systems or Clients 271

7.11.1 Downloading/Uploading Roles 271

7.11.2 Transporting Roles 272

7.12 User Master Comparison 274

7.13 Summary 274


8.1 Basic Concept of SAP ERP HCM Organizational Management 278

8.2 Technical Prerequisites 281

8.3 Technical Implementation 281

8.3.1 Prerequisites 282

8.3.2 Technical Basics of SAP ERP HCM Organizational Management 282

8.3.3 Assigning Roles 283

8.3.4 Evaluation Path 284

8.3.5 User Master Comparison 285

8.4 Conceptual Special Feature 285

8.5 Summary 286


9.1 Challenge and Solution Approach 290

9.1.1 Role Generator OM 292

9.1.2 Area Role Concept 295

9.1.3 Combining Area Roles and OAA 298

9.2 Implementation Example for the Area Role Concept 298

9.3 Integration, Restrictions, and Prospects 307

9.4 Summary 307


10.1 Basic Principles 310

10.1.1 Business Background 310

10.1.2 User Lifecycle Management 313

10.1.3 SAP Solutions for the Central Administration of Users 315

10.2 Central User Administration 316

10.2.1 Procedure for Setting up the CUA 318

10.2.2 Integration with Organizational Management of SAP ERP HCM 323

10.2.3 Integration with SAP BusinessObjects Access Control 324

10.3 SAP BusinessObjects Access Control Compliant User Provisioning 325

10.4 SAP NetWeaver Identity Management 331

10.4.1 Relevant Technical Details 332

10.4.2 Functionality 333

10.4.3 Technical Architecture 340

10.4.4 Integration of SAP BusinessObjects Access Control 343

10.5 Summary 345


11.1 Standards and Their Analysis 347


11.1.1 Role Instead of Profile 347

11.1.2 Definition of the Role Through Transactions 349

11.1.3 Using Defaults 351

11.1.4 Table Authorizations 351

11.1.5 Program Execution Authorizations 352

11.1.6 Derivation 353

11.1.7 Programming — Programming Guideline 354

11.2 Critical Transactions and Objects 356

11.3 General Evaluations of Technical Standards 358

11.3.1 User Information System 358

11.3.2 Table-Based Analysis of Authorizations 361

11.4 Summary 365

12.1 Basic Principles 367

12.2 Risk Analysis and Remediation 371

12.3 Enterprise Role Management 377

12.4 Compliant User Provisioning 379

12.5 Superuser Privilege Management 381

12.6 Risk Terminator 383

12.7 Summary 384

13 User Management Engine 385

13.1 Overview of the UME 386

13.1.1 UME Functions 386

13.1.2 UME Architecture 387

13.1.3 User Interface of the UME 389

13.1.4 Configuration of the UME 390

13.2 Authorization Concept of SAP NetWeaver AS Java 393

13.2.1 UME Roles 394

13.2.2 UME Actions 394

13.2.3 UME Group 396

13.2.4 J2EE Security Roles 397

13.3 User and Role Administration Using the UME 399

13.3.1 Prerequisites for User and Role Administration 399


13.3.2 Administration of Users 400

13.3.3 User Types 401

13.3.4 Administration of UME Roles 402

13.3.5 Administration of UME Groups 403

13.3.6 Tracing and Logging 403

13.4 Summary 406

PART III Authorization in Specific SAP Solutions


14.1 Basic Principles 409

14.2 Special Requirements of SAP ERP HCM 410

14.3 Authorizations and Roles 412

14.3.1 Authorization-Relevant Attributes in SAP ERP HCM 412

14.3.2 Personnel Action Example 414

14.4 Authorization Main Switch 417

14.5 Organizational Management and Indirect Role Assignment 420

14.6 Structural Authorizations 421

14.6.1 The Structural Authorization Profile 422

14.6.2 Evaluation Path 424

14.6.3 Structural Authorizations and Performance 426

14.7 Context-Sensitive Authorizations 426

14.8 Summary 429

15.1 Basic Principles 432

15.1.1 The SAP CRM User Interface: CRM Web Client 432

15.1.2 Creating Business Roles for the CRM Web Client 440

15.2 Dependencies Between Business Role and PFCG Roles 442

15.3 Creating PFCG Roles Depending on the Business Roles 443


15.3.1 Prerequisites for Creating PFCG Roles 444

15.3.2 Creating PFCG Roles 449

15.4 Assigning Business Roles and PFCG Roles 454

15.5 Sample Scenarios for Authorizations in SAP CRM 463

15.5.1 Authorizing Interface Components 464

15.5.2 Authorizing Transaction Launcher Links 473

15.5.3 Authorizing Master Data 475

15.5.4 Authorizing Business Transactions 478

15.5.5 Authorizing Attribute Sets 488

15.5.6 Authorizing Marketing Elements 489

15.6 Troubleshooting in the CRM Web Client 491

15.7 Access Control Engine 494

15.8 Summary 507


16.1 Basic Principles 509

16.2 Authorization Assignment in SAP SRM 512

16.2.1 Authorizations of User Interface Menus 515

16.2.2 Authorizations of Typical Business Processes 517

16.3 Summary 531


17.1 OLTP Authorizations 534

17.2 Analysis Authorizations 536

17.2.1 Basic Principles 537

17.2.2 Barrier Principle 538

17.2.3 Transaction RSECADMIN 539

17.2.4 Authorization Maintenance 539

17.2.5 Assignment to Users: Transactions RSU01 and SU01 542

17.2.6 Analysis and Authorization Log 546

17.2.7 Generation 549

17.2.8 Authorization Migration 551

17.3 Modeling Authorizations in SAP NetWeaver BW 552

17.3.1 InfoProvider-Based Models 553

17.3.2 Characteristic-Based Models 553


17.3.3 Mixed Models 554

17.4 Summary 554

18.1 Basic Principles 556

18.1.1 Master and Transaction Data 556

18.1.2 Organizational Levels 557

18.2 Authorizations in Financial Accounting 558

18.2.1 Organizational Differentiation Criteria 559

18.2.2 Master Data 561

18.2.3 Postings 568

18.2.4 Payment Run 572

18.3 Authorizations in Controlling 574

18.3.1 Organizational Differentiation Criteria 575

18.3.2 Maintaining Master Data 576

18.3.3 Postings 585

18.3.4 Old and New Authorization Concept in Controlling 588

18.4 Authorizations in Logistics (General) 588

18.4.1 Organizational Differentiation Criteria 588

18.4.2 Material Master/Material Type 590

18.5 Authorizations in Purchasing 594

18.5.1 Maintaining Master Data 594

18.5.2 Procurement Processing 594

18.6 Authorizations in Sales and Distribution 601

18.6.1 Maintaining Master Data 601

18.6.2 Sales Processing 602

18.7 Authorizations in Technical Processes 605

18.7.1 Segregation of Duties in Authorization Management 606

18.7.2 Segregation of Duties in the Transport System 610

18.7.3 RFC Authorizations 612

18.7.4 Debugging Authorizations 613

18.7.5 Client Change 613

18.7.6 Change Logging 615

18.7.7 Batch Authorizations 615

18.8 Summary 616


19.1 Authorization Concept in the Project Context 617

19.2 Procedure Model 620

19.2.1 Logical Approach 621

19.2.2 Implementation 622

19.2.3 Redesign 624

19.2.4 Concrete Procedure 625

19.3 SAP Best Practices Template Role Concept 628

19.3.1 SAP Best Practices 629

19.3.2 SAP Template Roles 629

19.3.3 Methodical Procedure of the SAP Best Practices Role Concept 631

19.3.4 Combination with SAP BusinessObjects Access Control 635

19.4 Content of an Authorization Concept 636

19.4.1 Introduction and Standardization Framework of the Concept 637

19.4.2 Technical Context 638

19.4.3 Risk Evaluation 638

19.4.4 Person — User — Authorization 639

19.4.5 Authorization Management 640

19.4.6 Organizational Differentiation 641

19.4.7 Process Documentation 641

19.4.8 Role Documentation 642

19.5 Summary 642


A List of Abbreviations 645

B Glossary 649

C Bibliography 661

D The Authors 663

Index 665
