SAP BASIS AND SECURITY TUTORIAL

  SAP BASIS: Client Administration Client copy is used to create new clients for training, test and production environments. The new clients are created using 000 client as reference. Administrator can choose what content to copy while doing client copy. For example if SAP_USER profile is selected, it copies all the user master data. The new client is created using SCC4 transaction code. For the newly created client, SAP* and password "PASS" is used to login and perform client copy. There are three types of client copies. 1. Local Client copy: It is the process of copying clients within the system. 2. Remote Client copy: In this process, clients are copied from another system. 3. Client Transport: It is the process of copying clients from another system. The difference between remote copy and client transport is, in client transport, transport tools are used to perform the copy. Client copy process copies the three components like user master data, customizing data and cross-

SAP Security: Critical Authorization Objects 1. S_TABU_DIS: This authorization object enables authorization check for displaying or modifying the table content. For accessing the table data, users use SE16, SM30 or SM31 transaction codes. This object contains two fields, DICBERCLS (authorization group) and ACTCT. 2. S_RFC: This authorization object enables authorization check for remote function call to access program modules (function modules). This authorization object contains three fields, RFC_TYPE, RFC_NAME and ACTCT. 3. S_DATASET: This authorization object enable file access at operating system level. This gives permission to access files from ABAP programs. This object contains three fields, File name, Program and Activity. 4. S_ADMI_FCD: This authorization objects enable access to various administrator activities like system monitoring, spool administration, client creations, update administration etc. This object contains one field, system administration functions. 5. S_DE

SAP GRC Security Consultant Roles and Responsibilities 1. SAP GRC Consultant should have a knowledge on Governance, Risk and Compliance products. 2. Should have a thorough knowledge as well as experience in relation between ERP and GRC systems. 3. Should have an experience in configuring and supporting of GRC components like ARA, ARM, BRM and EAM. 4. GRC consultant should be having good understanding of GRC architecture. 5. Should be having hands on experience in user provisioning, role management, risk analysis, emergency access management and monitoring. 6. Should have experience in pre installation, post installation, connector settings, rule building and MSMP workflows and BRF+ in the ARM and BRM components. 7. Should have experience in end to end implementation of GRC Access Controls. 8. Should have experience in designing and developing the SAP business process. 9. Should be able to gather business requirements and implement the same in the GRC AC modules like ARA, ARM, BRM and E

SAP Security Administrator Roles and Responsibilities 1. Managing day to day operational security activities independently. 2. SAP Security administrator should have a thorough understanding of business process and segregation of duties concept in SAP. 3. Administrator should be having a hands on experience on role designing, developing, testing and deploying to production environments in SAP. 4.  Should have a good understanding of SAP security processes on multiple applications like HR, BW, HANA and Fiori. 5. Should have hands on experience in user administration like user creation , modification, deletion, password resets, user lock/unlock, user groups and mass user changes. 6. Should have hand on experience in troubleshooting the authorization errors using various troubleshooting tools in SAP. 7. Should have experience in role transports like creating the transport request and releasing it to other system. 8. Should have experience in security audit activities. 9. Should have exp

SAP Security: Troubleshooting SAP Authorization Errors SAP has provided some important tools for troubleshooting or analyzing the authorization errors. Those are system trace (ST01) and authorization error analysis (SU53). These two tools are most frequently used to determine the authorization errors. System Trace (ST01): ST01 transaction code is used to execute the system trace functionality. This will record the authorization checks for the users. The system trace option is executed in the application server where the transaction code is executing by the user. Basically trace and transaction to be traced should be on the same application server. The system trace records each and every authorization object, fields and field values.  To use system trace functionality Go to Tools-->Administration-->Monitoring-->Trace-->System Trace or execute transaction ST01. Select the Authorization check box under the Trace Components to record the security authorizations. There is an opt

 Authorization Concept in SAP System Authorization concept in the SAP system is all about protecting programs, transaction codes, reports and other services.  Security Administrators/User Administrators assign any authorizations to users based on this concept. These authorizations determine what actions user can perform in the SAP system. Transactions or programs are protected by authorization objects, so user requires corresponding authorization objects for executing transactions or programs. Authorization profile is a combination of authorizations which is associated with the role. Role is assigned to users, so the user can then get access to the authorizations. Overview of the elements of SAP Authorization Objects 1. Authorization Object Class: It is a logical grouping of authorization objects. Example all authorization objects for class FI starts with “F_” and for class MM starts with "M_". 2. Authorization Object: It is a group of 1 to 10 authorization fields. Authoriz