Authorizations in SAP Software: Design and Configuration / Security and Identity Management / Книги SAP Press / SAPLand

Вернуться

Authorizations in SAP Software: Design and Configuration

Авторы: Volker Lehnert, Katharina Bonitz, Larry Justice
Издательство:
Страниц: 669
ISBN: 978-1-59229-342-1

Пока никому не понравилось

Нравится Не нравится

4663

Авторы

Volker Lehnert, Katharina Bonitz, Larry Justice

Аннотация

Authorizations aren't easy, but this book is here to help. Learn how to develop a meaningful authorization concept that meets statutory requirements and is tailored to your business processes. Explore the SAP tools and functions that play a role in designing and implementing an authorizations concept. In addition to discussions of SAP IdM, CUA, SAP Access Control, and the UME, you’ll learn about authorizations across the entire SAP landscape (SAP ERP, HCM, CRM, SRM, and BW).

ISBN

978-1-59229-342-1

Обложка

Hardcover

Объём

669 страниц

... Foreword ... 19
... Acknowledgments ... 21
1 ... Introduction ... 23
PART I ... Business Concepts ... 27
2 ... Introduction and Concept Definition ... 29
2.1 ... Methodical Considerations ... 30
2.1.1 ... Approaches for the Business Authorization Concept ... 30
2.1.2 ... Persons Involved in the Authorization Concept ... 33
2.2 ... Compliance ... 33
2.3 ... Risk ... 34
2.4 ... Corporate Governance ... 38
2.5 ... Technical Versus Business Significance of the Authorization Concept ... 40
2.6 ... Technical Versus Business Roles ... 42
3 ... Organization and Authorizations ... 45
3.1 ... Example of an Organizational Differentiation ... 46
3.2 ... Introduction ... 48
3.3 ... Institutional Organization Concept ... 50
3.3.1 ... Object of the Organization ... 51
3.3.2 ... Legal Forms of the Organization ... 51
3.3.3 ... Organization and Environment ... 52
3.3.4 ... Summary ... 53
3.4 ... Instrumental Organization Concept ... 54
3.4.1 ... Specialization (Division of Labor) ... 55
3.4.2 ... Organizational Structure ... 58
3.4.3 ... Task Analysis ... 68
3.5 ... Consequences of the Examination of the Organization ... 72
3.6 ... Views of the Organizational Structure in SAP Systems ... 73
3.6.1 ... Organizational Management ... 74
3.6.2 ... Organization View of External Accounting ... 76
3.6.3 ... Organization View of Funds Management ... 77
3.6.4 ... Organization View of the Standard Cost Center Hierarchy ... 78
3.6.5 ... Organization View of the Profit Center Hierarchy ... 79
3.6.6 ... Enterprise Organization ... 80
3.6.7 ... Organization View in the Project System ... 81
3.6.8 ... Logistical Organization View ... 82
3.6.9 ... Integration of the Organization Views with the Authorization Concept ... 82
3.7 ... Organizational Levels and Structures in SAP ERP ... 83
3.7.1 ... Organizational Level “Client” ... 84
3.7.2 ... Relevant Organizational Levels of Accounting ... 84
3.7.3 ... Relevant Organizational Levels in MM ... 88
3.7.4 ... Relevant Organizational Levels in Sales and Distribution ... 89
3.7.5 ... Relevant Organizational Levels in Warehouse Management ... 89
3.7.6 ... Integration of the Organizational Levels with the Authorization Concept ... 90
3.8 ... Information on the Methodology in the Project ... 91
3.9 ... Summary ... 93
4 ... Legal Framework — Standardization Framework ... 95
4.1 ... Basic Principles of Internal and External Regulations ... 96
4.2 ... Internal Control System ... 100
4.3 ... Sources of Law for External Accounting ... 101
4.3.1 ... Sources of Law and Effects for the Private Sector ... 103
4.3.2 ... Concrete Requirements for the Authorization Concept ... 106
4.4 ... Data Privacy Laws ... 107
4.4.1 ... Legal Definitions Relating to Data Processing ... 110
4.4.2 ... Rights of the Person Affected ... 111
4.4.3 ... Recommendations Relating to the ICS ... 112
4.4.4 ... Concrete Requirements for the Authorization Concept ... 113
4.4.5 ... Compliance versus Data Privacy ... 113
4.5 ... General Requirements for Authorization Concepts ... 115
4.5.1 ... Identity Principle ... 116
4.5.2 ... Minimal Principle ... 117
4.5.3 ... Job Principle ... 117
4.5.4 ... Document Principle in Financial Accounting ... 118
4.5.5 ... Document Principle in Authorization Management ... 118
4.5.6 ... Separation of Duties Principle ... 119
4.5.7 ... Approval Principle ... 119
4.5.8 ... Standard Principle ... 120
4.5.9 ... Written-Form Principle ... 120
4.5.10 ... Control Principle ... 120
4.6 ... Summary ... 121
5 ... Authorizations in the Process View ... 123
5.1 ... Process Overview ... 123
5.2 ... The Sales Process ... 125
5.3 ... The Procurement Process ... 131
5.4 ... Support Processes ... 136
5.5 ... Requirements of the Separation of Duties ... 139
5.6 ... Summary ... 140
PART II ... Tools and Authorization Maintenance in the SAP System ... 143
6 ... Basic Technical Principles of Authorization Maintenance ... 145
6.1 ... User/Authorization ... 145
6.1.1 ... User ... 146
6.1.2 ... User Maintenance (ABAP) ... 147
6.2 ... Transaction — Program — Authorization Object ... 153
6.2.1 ... Transaction ... 153
6.2.2 ... Check in the Program Flow ... 155
6.2.3 ... Authorization Object ... 158
6.3 ... Role and Role Profiles ... 163
6.3.1 ... Authorization Profiles ... 163
6.3.2 ... Creating and Maintaining Roles ... 164
6.4 ... Analysis of Authorization Checks ... 193
6.4.1 ... Evaluation of the Authorization Check ... 193
6.4.2 ... Analysis in the Program Flow — System Trace/Authorization Trace ... 195
6.4.3 ... Program Check ... 197
6.5 ... Additional Role Types in SAP ERP ... 199
6.5.1 ... Composite Role ... 200
6.5.2 ... Value Role/Functional Role ... 201
6.6 ... Summary ... 202
7 ... System Settings and Customizing ... 203
7.1 ... Maintaining and Using the Defaults for the Profile Generator ... 204
7.1.1 ... Functions for the Profile Generator ... 206
7.1.2 ... Function in the Upgrade ... 208
7.1.3 ... Normative Use ... 208
7.1.4 ... Using Default Values for Risk Analyses and External Role Maintenance Tools ... 210
7.1.5 ... Original State and Maintenance of Default Values ... 211
7.2 ... Upgrading Authorizations ... 218
7.3 ... Parameters for Password Rules ... 223
7.4 ... Customizing Settings for the Menu Concept ... 226
7.5 ... Authorization Groups ... 233
7.5.1 ... Optional Authorization Checks for Authorization Groups ... 236
7.5.2 ... Table Authorizations ... 241
7.5.3 ... Authorization Groups as Organizational Levels ... 244
7.6 ... Parameter and Query Transactions ... 246
7.6.1 ... Parameter Transaction for Maintaining Tables via Defined Views ... 248
7.6.2 ... Parameter Transaction for Viewing Tables ... 250
7.6.3 ... Implementing Queries in Transactions ... 251
7.7 ... Promoting an Authorization Field to an Organizational Level ... 254
7.7.1 ... Effects Analysis ... 254
7.7.2 ... Procedure for Promoting a Field to an Organizational Level ... 258
7.7.3 ... Promoting the Area of Responsibility to an Organizational Level ... 259
7.8 ... Developer and Authorization Trace ... 262
7.8.1 ... Procedure for the Developer and Authorization Trace ... 262
7.9 ... Creating Authorization Fields and Objects ... 265
7.9.1 ... Creating Authorization Fields ... 265
7.9.2 ... Creating Authorization Objects ... 267
7.10 ... Further Transactions of the Authorization Administration ... 269
7.11 ... Transferring Roles Between Systems or Clients ... 271
7.11.1 ... Downloading/Uploading Roles ... 271
7.11.2 ... Transporting Roles ... 272
7.12 ... User Master Comparison ... 274
7.13 ... Summary ... 274
8 ... Role Assignment via Organizational Management ... 277
8.1 ... Basic Concept of SAP ERP HCM Organizational Management ... 278
8.2 ... Technical Prerequisites ... 281
8.3 ... Technical Implementation ... 281
8.3.1 ... Prerequisites ... 282
8.3.2 ... Technical Basics of SAP ERP HCM Organizational Management ... 282
8.3.3 ... Assigning Roles ... 283
8.3.4 ... Evaluation Path ... 284
8.3.5 ... User Master Comparison ... 285
8.4 ... Conceptual Special Feature ... 285
8.5 ... Summary ... 286
9 ... Automated Organizational Differentiation: The Role Generator ... 289
9.1 ... Challenge and Solution Approach ... 290
9.1.1 ... Role Generator OM ... 292
9.1.2 ... Area Role Concept ... 295
9.1.3 ... Combining Area Roles and OM ... 298
9.2 ... Implementation Example for the Area Role Concept ... 298
9.3 ... Integration, Restrictions, and Prospects ... 307
9.4 ... Summary ... 307
10 ... Central Administration of Users and Management of Authorizations ... 309
10.1 ... Basic Principles ... 310
10.1.1 ... Business Background ... 310
10.1.2 ... User Lifecycle Management ... 313
10.1.3 ... SAP Solutions for the Central Administration of Users ... 315
10.2 ... Central User Administration ... 316
10.2.1 ... Procedure for Setting up the CUA ... 318
10.2.2 ... Integration with Organizational Management of SAP ERP HCM ... 323
10.2.3 ... Integration with SAP BusinessObjects Access Control ... 324
10.3 ... SAP BusinessObjects Access Control Compliant User Provisioning ... 325
10.4 ... SAP NetWeaver Identity Management ... 331
10.4.1 ... Relevant Technical Details ... 332
10.4.2 ... Functionality ... 333
10.4.3 ... Technical Architecture ... 340
10.4.4 ... Integration of SAP BusinessObjects Access Control ... 343
10.5 ... Summary ... 345
11 ... Authorizations: Standards and Analysis ... 347
11.1 ... Standards and Their Analysis ... 347
11.1.1 ... Role Instead of Profile ... 347
11.1.2 ... Definition of the Role Through Transactions ... 349
11.1.3 ... Using Defaults ... 351
11.1.4 ... Table Authorizations ... 351
11.1.5 ... Program Execution Authorizations ... 352
11.1.6 ... Derivation ... 353
11.1.7 ... Programming — Programming Guideline ... 354
11.2 ... Critical Transactions and Objects ... 356
11.3 ... General Evaluations of Technical Standards ... 358
11.3.1 ... User Information System ... 358
11.3.2 ... Table-Based Analysis of Authorizations ... 361
11.4 ... Summary ... 365
12 ... SAP BusinessObjects Access Control ... 367
12.1 ... Basic Principles ... 367
12.2 ... Risk Analysis and Remediation ... 371
12.3 ... Enterprise Role Management ... 377
12.4 ... Compliant User Provisioning ... 379
12.5 ... Superuser Privilege Management ... 381
12.6 ... Risk Terminator ... 383
12.7 ... Summary ... 384
13 ... User Management Engine ... 385
13.1 ... Overview of the UME ... 386
13.1.1 ... UME Functions ... 386
13.1.2 ... UME Architecture ... 387
13.1.3 ... User Interface of the UME ... 389
13.1.4 ... Configuration of the UME ... 390
13.2 ... Authorization Concept of SAP NetWeaver AS Java ... 393
13.2.1 ... UME Roles ... 394
13.2.2 ... UME Actions ... 394
13.2.3 ... UME Group ... 396
13.2.4 ... J2EE Security Roles ... 397
13.3 ... User and Role Administration Using the UME ... 399
13.3.1 ... Prerequisites for User and Role Administration ... 399
13.3.2 ... Administration of Users ... 400
13.3.3 ... User Types ... 401
13.3.4 ... Administration of UME Roles ... 402
13.3.5 ... Administration of UME Groups ... 403
13.3.6 ... Tracing and Logging ... 403
13.4 ... Summary ... 406
PART III ... Authorizations in Specific SAP Solutions ... 407
14 ... Authorizations in SAP ERP HCM ... 409
14.1 ... Basic Principles ... 409
14.2 ... Special Requirements of SAP ERP HCM ... 410
14.3 ... Authorizations and Roles ... 412
14.3.1 ... Authorization-Relevant Attributes in SAP ERP HCM ... 412
14.3.2 ... Personnel Action Example ... 414
14.4 ... Authorization Main Switch ... 417
14.5 ... Organizational Management and Indirect Role Assignment ... 420
14.6 ... Structural Authorizations ... 421
14.6.1 ... The Structural Authorization Profile ... 422
14.6.2 ... Evaluation Path ... 424
14.6.3 ... Structural Authorizations and Performance ... 426
14.7 ... Context-Sensitive Authorizations ... 426
14.8 ... Summary ... 429
15 ... Authorizations in SAP CRM ... 431
15.1 ... Basic Principles ... 432
15.1.1 ... The SAP CRM User Interface: CRM Web Client ... 432
15.1.2 ... Creating Business Roles for the CRM Web Client ... 440
15.2 ... Dependencies Between Business Role and PFCG Roles ... 442
15.3 ... Creating PFCG Roles Depending on the Business Roles ... 443
15.3.1 ... Prerequisites for Creating PFCG Roles ... 444
15.3.2 ... Creating PFCG Roles ... 449
15.4 ... Assigning Business Roles and PFCG Roles ... 454
15.5 ... Sample Scenarios for Authorizations in SAP CRM ... 463
15.5.1 ... Authorizing Interface Components ... 464
15.5.2 ... Authorizing Transaction Launcher Links ... 473
15.5.3 ... Authorizing Master Data ... 475
15.5.4 ... Authorizing Business Transactions ... 478
15.5.5 ... Authorizing Attribute Sets ... 488
15.5.6 ... Authorizing Marketing Elements ... 489
15.6 ... Troubleshooting in the CRM Web Client ... 491
15.7 ... Access Control Engine ... 494
15.8 ... Summary ... 507
16 ... Authorizations in SAP SRM ... 509
16.1 ... Basic Principles ... 509
16.2 ... Authorization Assignment in SAP SRM ... 512
16.2.1 ... Authorizations of User Interface Menus ... 515
16.2.2 ... Authorizations of Typical Business Processes ... 517
16.3 ... Summary ... 531
17 ... Authorizations in SAP NetWeaver BW ... 533
17.1 ... OLTP Authorizations ... 534
17.2 ... Analysis Authorizations ... 536
17.2.1 ... Basic Principles ... 537
17.2.2 ... Barrier Principle ... 538
17.2.3 ... Transaction RSECADMIN ... 539
17.2.4 ... Authorization Maintenance ... 539
17.2.5 ... Assignment to Users: Transactions RSU01 and SU01 ... 542
17.2.6 ... Analysis and Authorization Log ... 546
17.2.7 ... Generation ... 549
17.2.8 ... Authorization Migration ... 551
17.3 ... Modeling Authorizations in SAP NetWeaver BW ... 552
17.3.1 ... InfoProvider-Based Models ... 553
17.3.2 ... Characteristic-Based Models ... 553
17.3.3 ... Mixed Models ... 554
17.4 ... Summary ... 554
18 ... Processes in SAP ERP — Specific Authorizations ... 555
18.1 ... Basic Principles ... 556
18.1.1 ... Master and Transaction Data ... 556
18.1.2 ... Organizational Levels ... 557
18.2 ... Authorizations in Financial Accounting ... 558
18.2.1 ... Organizational Differentiation Criteria ... 559
18.2.2 ... Master Data ... 561
18.2.3 ... Postings ... 568
18.2.4 ... Payment Run ... 572
18.3 ... Authorizations in Controlling ... 574
18.3.1 ... Organizational Differentiation Criteria ... 575
18.3.2 ... Maintaining Master Data ... 576
18.3.3 ... Postings ... 585
18.3.4 ... Old and New Authorization Concept in Controlling ... 588
18.4 ... Authorizations in Logistics (General) ... 588
18.4.1 ... Organizational Differentiation Criteria ... 588
18.4.2 ... Material Master/Material Type ... 590
18.5 ... Authorizations in Purchasing ... 594
18.5.1 ... Maintaining Master Data ... 594
18.5.2 ... Procurement Processing ... 594
18.6 ... Authorizations in Sales and Distribution ... 601
18.6.1 ... Maintaining Master Data ... 601
18.6.2 ... Sales Processing ... 602
18.7 ... Authorizations in Technical Processes ... 605
18.7.1 ... Segregation of Duties in Authorization Management ... 606
18.7.2 ... Segregation of Duties in the Transport System ... 610
18.7.3 ... RFC Authorizations ... 612
18.7.4 ... Debugging Authorizations ... 613
18.7.5 ... Client Change ... 613
18.7.6 ... Change Logging ... 615
18.7.7 ... Batch Authorizations ... 615
18.8 ... Summary ... 616
19 ... Project Concepts and Approaches ... 617
19.1 ... Authorization Concept in the Project Context ... 617
19.2 ... Procedure Model ... 620
19.2.1 ... Logical Approach ... 621
19.2.2 ... Implementation ... 622
19.2.3 ... Redesign ... 624
19.2.4 ... Concrete Procedure ... 625
19.3 ... SAP Best Practices Template Role Concept ... 628
19.3.1 ... SAP Best Practices ... 629
19.3.2 ... SAP Template Roles ... 629
19.3.3 ... Methodical Procedure of the SAP Best Practices Role Concept ... 631
19.3.4 ... Combination with SAP BusinessObjects Access Control ... 635
19.4 ... Content of an Authorization Concept ... 636
19.4.1 ... Introduction and Standardization Framework of the Concept ... 637
19.4.2 ... Technical Context ... 638
19.4.3 ... Risk Evaluation ... 638
19.4.4 ... Person — User — Authorization ... 639
19.4.5 ... Authorization Management ... 640
19.4.6 ... Organizational Differentiation ... 641
19.4.7 ... Process Documentation ... 641
19.4.8 ... Role Documentation ... 642
19.5 ... Summary ... 642
... Appendices ... 643
A ... List of Abbreviations ... 645
B ... Glossary ... 649
C ... Bibliography ... 661
D ... The Authors ... 663
... Index ... 665