Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • Role Creation Based On Functional Input Received

    Încărcat de

    radhathota
    48 vizualizări6 pagini
    sap security

    Titlu original

    Role Creation Based on Functional Input Received

    Drepturi de autor

    © © All Rights Reserved

    Formate disponibile

    DOC, PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document
    sap security

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca DOC, PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    48 vizualizări6 pagini

    Role Creation Based On Functional Input Received

    Încărcat de

    radhathota
    sap security

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca DOC, PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 6

    SAP Security FastTrak on

    Netweaver 7.3

    Role Creation Based on Functional Input


    Received

    2013
    Scenario 1
    You have received a mail from the business; the user is not able to see the
    table USR40 and he is getting the following error while trying to execute that
    table USR40.
    When user log on and trying to execute the table USR40 he/she got the error
    shown below

    Fig: User gets authorization error

    User runs su53 dump and send the above screenshot to the administrator.

    IBM Confidential 2013


    Page 1

    SAP Security FastTrak on


    Netweaver 7.3

    Role Creation Based on Functional Input


    Received

    2013

    Fig: SU53 dump sent by user

    Solution:
    Log in as user security1 (super user) and do the following activities
    1. Execute the transaction PFCG.
    2. Get into the role in which the business user a part of. Go to
    the specified Authorization object
    3. Add the specific authorization group to the object field value.
    4. Save the Role and generate the Profile.
    5. Assign the user to the role and do user comparison.
    6. Login as the user XXX
    7. Run SE16 and see whether that table can be executed or
    not.
    8. Also run SU53 dump if needed.

    IBM Confidential 2013


    Page 2

    SAP Security FastTrak on


    Netweaver 7.3

    Role Creation Based on Functional Input


    Received

    2013

    Fig: Authorization profile for the role Z:TESTROLE1

    Solution:
    1 Execute the transaction PFCG.
    2 Open the role in edit mode - YYYY.
    3 Click on the authorization tab, expand the Object Class
    BC_A
    Youll find the authorization S_TABU_DIS (or you can also
    search the authorization object directly) in the
    authorization groupfield insert the value SUSR in
    addition to SUGR
    4 Save the Role and generate the Profile
    5 Assign the user to the role and do user comparison.
    6 Login as the user XXX.
    7 Run SE16 and try to execute table USR40.

    IBM Confidential 2013


    Page 3

    SAP Security FastTrak on


    Netweaver 7.3

    Role Creation Based on Functional Input


    Received

    2013

    Fig: Adding SUSR authorization Group.

    Check again by running SE16 to access USR40

    Fig: Successful display of USR40 table

    IBM Confidential 2013


    Page 4

    SAP Security FastTrak on


    Netweaver 7.3

    Role Creation Based on Functional Input


    Received

    2013
    USR40:
    You can prevent users from choosing passwords that you do not want
    to allow. To prohibit the use of a password, enter it in table USR40. You can
    maintain table USR40 with Transaction SM30.
    In USR40, you can specify impermissible passwords generically if you want.
    There are two wildcard characters:

    ? stands for a single character

    * stands for a sequence of any combination characters of any length

    Question 1.
    a. What is the use of S_TABU_DIS?
    With this authorization object you can, for example, restrict access just to
    data in table entries defined in this object; even if the user who wants to
    access the data has authorization for transaction SE16 (and therefore for all
    ABAP Dictionary objects). In this way, you can prevent system administrators
    from accessing application data. Once you implement this authorization
    object, only those table entries can be modified or displayed that have been
    given the appropriate authorization in S_TABU_DIS.
    b. What is the difference between Expert mode and Change
    mode?
    Both Change auth data and Expert Mode are used to change authorization
    data.

    IBM Confidential 2013


    Page 5

    SAP Security FastTrak on


    Netweaver 7.3

    Role Creation Based on Functional Input


    Received

    2013
    Change auth data option is similar to edit old status option of expert mode
    Where expert mode provides you more options as explained below.
    1. Delete and recreate profile and authorizations
    All authorizations are recreated. Values which had previously been
    maintained, changed or entered manually are lost. Only the maintained
    values for organizational levels remain.
    2. Edit old status
    The last saved authorization data for the role is displayed. This is not useful,
    if transactions in the role menu have been changed.
    3. Read old status and compare with new data
    If you change transactions in the role menu, this option is the preconfigured.
    The profile generator compares the existing authorization data with the
    authorization default values for the menu transactions. If new authorizations
    are added during this process, they receive the status New. Authorizations
    that already existed receive the status Old.
    c. How we can see the defined authorization groups are listed?
    Table -- TPGP
    d. What is the use of TRDIR table?
    We can see the authorization groups assigned to ABAP Reports in table
    TRDIR.

    e. How you can determine which authorization group is responsible


    for a particular table?
    TableTDDAT

    IBM Confidential 2013


    Page 6

    S-ar putea să vă placă și