Authorization in @SAP gui

Mickael QUESNOT ©
• Motivation for change
• Solution proposal
• Objectives Directive
• System Steps
• Troubleshooting
Motivation for Change
• Due to timing constraints during the Picard and Fnac implementations, the approach to security was to manage access via the FIORI front end (apps/catalogue)
• This model facilitates the restriction of authorisations by assigning only the required applications per functional area to the FIORI catalogue
• In this model, authorisation restrictions in the SAP S4 “backend” systems are not necessary (SAP_ALL is assigned)
• The initial premise was that only the FIORI UX would be used, which made this model sustainable
• The limitations of this approach only become material when the S4 GUI “back end” is used
• Due to the change in approach from using solely the FIORI UX to the additional use of the S4 GUI, the requirement to manage authorizations has become necessary and urgent
• SAP’s audit findings will recommend that the SAP_ALL access be removed
• The proposed solution can be implemented in a relatively short time frame
Solution Proposal
• The Best Practice SAP standard roles are to be identified per functional area:
  • Finance
  • Store Operations
  • Buyer – (Pricing & Purchasing)
  • Master Data
  • DC Operations
• Custom composite “shell” roles will be created per functional area and contain the SAP Best Practice roles
• Analysis will be done to ensure that only low-risk transactions overlap the functional areas, e.g. display transactions
• Organization area segregation is not critical at this point in time (no separation between Fnac and Picard, except store operations, which are managed via FIORI)

Directive
• SAP authorizations are grouped into 5 high-level areas; this approach was taken to avoid future authorization issues due to changing business requirements
• Per operational area the SAP Standard Roles were identified as follows: extract all roles from table AGR_1251 (single roles only); AGR_TCODES can be used for the transaction assignment
• Roles were identified based on role name, e.g. *FI*, *CO*, *BUYER*
• An additional step was to ensure these roles have the required transactions per operational area
• Other helpful tools: T/Code SUIM
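The role identification and overlap analysis described in the Directive and Solution Proposal, as an added example that is not part of the original deck: single roles are sorted into operational areas by the name patterns the slides mention (*FI*, *CO*, *BUYER*; the other patterns, the role names, the transactions and the display-transaction list are constructed assumptions standing in for real AGR_TCODES extracts), and any transaction that would end up in more than one area is flagged unless it is a display transaction.

```python
import fnmatch
from collections import defaultdict

# Name patterns per area. *FI*, *CO* and *BUYER* are from the deck; the rest are
# assumptions for the example. Order matters: the first matching area wins.
AREA_PATTERNS = {
    "Finance": ["*FI*", "*CO*"],
    "Purchasing": ["*BUYER*", "*PUR*"],
    "Master Data": ["*MASTER*", "*ARTICLE*"],
}

# Constructed AGR_TCODES-style rows (role, transaction); not real SAP role content.
AGR_TCODES = [
    ("SAP_FI_AP_CLERK", "MIRO"),
    ("SAP_FI_AP_CLERK", "ME23N"),
    ("SAP_BUYER_PURCHASING", "ME21N"),
    ("SAP_BUYER_PURCHASING", "ME23N"),
    ("SAP_BUYER_PURCHASING", "MM41"),
    ("SAP_MASTER_DATA_ARTICLE", "MM41"),
]

# Transactions accepted as low-risk overlaps (display only): an assumed list the
# security team would maintain, not something the deck provides.
DISPLAY_TCODES = {"ME23N", "MM43", "MIR4"}


def area_for_role(role):
    """Return the first area whose name pattern matches the role, or None."""
    for area, patterns in AREA_PATTERNS.items():
        if any(fnmatch.fnmatchcase(role, p) for p in patterns):
            return area
    return None


def tcodes_by_area(rows):
    """Map each area to the set of transactions carried by its matched roles."""
    result = defaultdict(set)
    for role, tcode in rows:
        area = area_for_role(role)
        if area is not None:
            result[area].add(tcode)
    return dict(result)


def risky_overlaps(rows, display=DISPLAY_TCODES):
    """Transactions found in more than one area that are not display-only.
    Each one needs a decision: keep it in a single composite role, or accept it."""
    areas_per_tcode = defaultdict(set)
    for area, tcodes in tcodes_by_area(rows).items():
        for tcode in tcodes:
            areas_per_tcode[tcode].add(area)
    return {t: sorted(a) for t, a in areas_per_tcode.items()
            if len(a) > 1 and t not in display}
```

Name-based matching is only a first pass: a pattern such as *CO* also matches names like Z_MM_PUR_CONDITIONS, so the per-area transaction check the Directive calls for is still needed.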
System Steps
• The SAP standard roles are not delivered completed, because they are not intended to be used as delivered but only as a reference
• Example of an incomplete SAP role (screenshot)
System Steps
• See SAP Note 440231; this note explains why T/Code SU25 should be executed after a system install or upgrade
• This tool attempts to complete the SAP standard roles by assigning the missing profiles and generating the roles
• This tool is required to be run in all systems, including the gateway
System Steps
▪ Once SU25 has run, the SAP roles should be completed (60%)
▪ Next make copies of the SAP standard roles; this is best practice as the SAP standard roles might change with an upgrade
▪ This is done using T/Code PFCG (or the mass program ZZ_PAUL_COPY_PFCG), e.g. SAP_MM_PUR_LIS_GENERAL is copied to Z_MM_PUR_LIS_GENERAL
System Steps
• Next a mass generation is required for the still-missing profiles, T/Code PFCG
• The remainder must be done manually (those that do not generate during the mass run)
• Next step: mass comparison
• A user comparison is always required once role changes have taken place
System Steps
▪ Next, depending on the client’s requirements, organization objects need to be managed
▪ Possibilities:
  • Derived roles of Z_MM_PUR_LIS_GENERAL
  • Company code split: Z_MM_PUR_LIS_GENERAL_1000, Z_MM_PUR_LIS_GENERAL_2000
  • Or CC and site split: Z_MM_PUR_LIS_GENERAL_1001, Z_MM_PUR_LIS_GENERAL_1002


System Steps – SAP Solution
▪ The organizational split was not a requirement
▪ Next all operational roles were added to a composite role per operational area; this reduces the maintenance time, e.g. FI +/- 340 roles
▪ Example: composite role Z_APPROVISIONNEMENT containing Z_BPR_BUYER_16, Z_ISR_PUR_PURCHASEORDER, Z_ISR_PROMOTION_ADMIN, Z_MM_PUR_CONDITIONS, Z_MM_IM_REPORTS
System Steps – SAP Solution
• The creation of a composite role is done in T/Code PFCG; once created, all roles must be assigned. The composite roles are:
  • Z_APPROVISIONNEMENT
  • Z_DONNEES_MAITRES
  • Z_ENTREPOT
  • Z_FINANCE
  • Z_OPERATIONS_MAGASIN
System Steps – SAP Solution
• Next the menu must be generated by importing the menu (this can be customized on this screen)

System Steps – SAP Solution
• The user must be assigned; this can be done in the next tab. Once done, a user comparison must be run to finally complete the authorization assignment to the user.

System Steps – SAP Solution
• First the S4 roles need to be assigned (remember to complete the roles):
  • SAP_S_RFCACL
  • SAP_UI2_ADMIN_750 (check which version you have)
  • SAP_UI2_USER_750 (check which version you have)
• Next the FIORI roles need to be assigned if a gateway is used:
  • SAP_S_RFCACL
  • SAP_UI2_PAGEBUILDER_CUST
  • SAP_UI2_USER_750 (check which version you have)
• Additional steps need to be followed for the roles below; see SAP Help – Configuring Authorization Roles - SAP Fiori – Fiori launchpad (as an end user):
  • SAP_UI2_PAGEBUILDER_CUST
  • SAP_UI2_USER_750
• https://help.sap.com/saphelp_ewm92/helpdata/en/85/be3fff35604fa09a1668dd97ef4407/frameset.htm
Troubleshooting
▪ A user experiences a missing authorization
▪ First determine if the user should have access to the transaction; here are the rules:
(diagram: the operational areas Finance, Logistics, Purchasing and Master Data, with example transactions ME21N, ME22N, MIRO, MIGO)
▪ This was a Finance user that received this error; if the business decides that the Finance user must create articles, assign the Master Data composite role to this user only
Troubleshooting
• There are 2 possible reasons why an authorization is missing:
  • The user does not have the transaction because none of the roles assigned to the user contain the transaction
    • To resolve (high level): find a role with the required auths and assign it to the user / composite role
  • The user has the transaction contained in a role already assigned; this scenario is a little more difficult to resolve
    • See next steps
Troubleshooting
▪ If the Master User is missing this authorization, the following steps will assist in correcting the missing authorization:
▪ Is the transaction an operational-specific sensitive transaction, e.g. MM41?
▪ If this is the case, the transaction must be assigned only to the composite role of the operational area, here Z_DONNEES_MAITRES
▪ Always ask the user to run T/Code SU53 directly after the authorization error
▪ The user’s SU53 result can be viewed by you by clicking the option shown (screenshot)
Troubleshooting
• Go to T/Code SUIM; this step is to confirm that the transaction is not assigned to the user
• Next step is to find which roles are assigned to the user, T/Code SUIM; copy all roles
• Now find the role with the transaction in question, T/Code SUIM
• Next copy the role and go to T/Code PFCG (or double click on the role), click Change, go to the Authorizations tab, then Change Authorizations
• Based on the SU53, copy the affected object (M_BEST_EKG) and use the SAP search functionality to find the object
Troubleshooting
• Repeat: if the user is allowed access to the transaction and does not currently have access, repeat the process as above:
  • Find: a SAP standard role with the required authorizations, but one that does not allow authorizations forbidden for the operational area (SUIM)
  • Copy: copy the role to Z_ (PFCG)
  • Complete: complete the role (PFCG)
  • Add: add the role to the composite role (PFCG)


Troubleshooting
• Next step is to find which role assigned to the user is problematic; in the SUIM selection, flag only Composite
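The two troubleshooting cases from the slides (transaction in no assigned role, or an assigned role that has the transaction but lacks the object value SU53 reports), as an added example that is not part of the original deck: it runs the SUIM-style lookups over constructed AGR_USERS/AGR_1251-style rows. Object M_BEST_EKG is taken from the deck; the users, role names, field values and the MM41/ME21N rows are constructed assumptions.

```python
# Constructed AGR_USERS-style assignment: user -> single roles (composite roles are
# assumed to have been resolved to their single roles already).
USER_ROLES = {"FINUSER": ["Z_FI_AP_CLERK", "Z_MM_PUR_LIS_GENERAL"]}

# Constructed AGR_1251-style rows (role, object, field, value); not real SAP data.
# M_BEST_EKG is the object named in the deck; the field values are assumptions.
AGR_1251 = [
    ("Z_FI_AP_CLERK", "S_TCODE", "TCD", "MIRO"),
    ("Z_MM_PUR_LIS_GENERAL", "S_TCODE", "TCD", "ME21N"),
    ("Z_MM_PUR_LIS_GENERAL", "M_BEST_EKG", "ACTVT", "03"),
    ("Z_MM_PUR_LIS_GENERAL", "M_BEST_EKG", "EKGRP", "*"),
    ("Z_MM_PUR_ALL", "S_TCODE", "TCD", "ME21N"),
    ("Z_MM_PUR_ALL", "M_BEST_EKG", "ACTVT", "01"),
    ("Z_MM_PUR_ALL", "M_BEST_EKG", "EKGRP", "*"),
    ("Z_MASTER_DATA_ARTICLE", "S_TCODE", "TCD", "MM41"),
]


def roles_with_value(rows, obj, field, value):
    """Roles whose authorization data holds obj/field with this value or a '*' wildcard."""
    return sorted({r for r, o, f, v in rows
                   if o == obj and f == field and v in (value, "*")})


def diagnose(user, su53, rows=AGR_1251, assignments=USER_ROLES):
    """Classify an SU53 failure {tcode, object, field, value} for a user into the
    two cases on the slides and return (case, detail)."""
    assigned = set(assignments.get(user, []))
    roles_with_tcode = roles_with_value(rows, "S_TCODE", "TCD", su53["tcode"])
    assigned_with_tcode = sorted(set(roles_with_tcode) & assigned)
    if not assigned_with_tcode:
        # Case 1: no assigned role carries the transaction; candidates are listed so
        # they can be checked against the operational area before assignment.
        return ("missing_transaction", roles_with_tcode)
    roles_with_object = roles_with_value(rows, su53["object"], su53["field"], su53["value"])
    if set(roles_with_object) & assigned:
        # The authorization data is present in an assigned role, so these rows do not
        # explain the failure; check that the user comparison has been run.
        return ("ok", sorted(set(roles_with_object) & assigned))
    # Case 2: the assigned role has the transaction but not the object value from SU53.
    return ("missing_object", {"roles_with_tcode": assigned_with_tcode,
                               "roles_with_object": roles_with_object})
```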
