SAP Security: Role Administration

Role Administration

The functions of role administration are managing roles and managing authorization data. Transaction code PFCG (Profile Generator) is used for maintaining roles, profiles and authorizations.
Roles are the link between the user and authorizations. The authorizations are stored in the system as objects.
The user menu is assigned to users through roles and is displayed when the user logs on to the system. Roles contain transactions, reports and web-based applications.
With role administration, a user can create roles and assign them to users, change roles, delete roles, derive roles, compare roles and transport roles. In this blog I will explain how to create single roles in SAP using the PFCG transaction code.

Basic process of role administration:


1. Prepare a role matrix based on the job descriptions. Determine the menu paths and transactions for each job position, and determine the required authorizations, such as change, display, delete.

2. Create the roles based on the job description using the PFCG transaction.

3. Generate the roles and modify any authorization profiles.

4. Assign the roles to the users.

5. Finally, update the user master record by doing a user comparison. A background job needs to be scheduled on a regular basis to update the user master records.

A role includes the role name, description, menu, authorization, user and personalization data.

Procedure for creating single role


If none of the SAP-delivered roles meets your requirements, it is best to create a role that does.

a. Go to Tools-->Administration-->User Maintenance-->Role Administration-->Roles or execute transaction code PFCG.

b. Enter the role name. SAP suggests using a role name that starts with "Y_" or "Z_" instead of the SAP namespace, "SAP_".

c. Click the Create button.

d. Enter a detailed description of the role, such as approvals, ticket number, etc., which helps in security audits.

e. Go to the Menu tab and assign the transactions, reports, etc. based on the job description. The system pulls the authorization data automatically from the transactions in the menu. These authorizations can be adjusted on the Authorizations tab.

f. Go to the Authorizations tab and generate the profile for the role. The proposed authorizations are displayed here. Some authorizations contain default values.

Authorizations are adjusted manually wherever traffic lights appear. A red traffic light means there are organizational levels without any value; these should be maintained with the proper values. Select the Generate button to generate the role.

g. Assign the roles to the users and save.
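
The role matrix from step 1 can be checked against the conventions above before any role is built in PFCG. The following Python code is an added example, not part of the original post: it checks a constructed matrix for Y_/Z_ naming, a ticket reference in the description, known activities and empty organizational levels. The matrix layout, the ticket-ID pattern and all sample roles and values are assumptions made for illustration.

```python
import re

# Constructed role matrix: one entry per planned role. Role names, tickets
# and organizational-level values are sample data, not from a real system.
ROLE_MATRIX = [
    {"role": "Z_AP_CLERK_1000",
     "description": "AP clerk, approved by finance lead, ticket CHG-1042",
     "menu": {"FB60": "change", "FB03": "display"},
     "org_levels": {"BUKRS": "1000"}},
    {"role": "SAP_AP_MANAGER", "description": "AP manager",
     "menu": {"F110": "execute"}, "org_levels": {"BUKRS": ""}},
    {"role": "Y_GL_DISPLAY", "description": "GL display, ticket CHG-1050",
     "menu": {}, "org_levels": {"BUKRS": "2000"}},
]

ALLOWED_ACTIVITIES = {"change", "display", "delete"}  # activities named in step 1
TICKET_RE = re.compile(r"\b[A-Z]{2,}-\d+\b")          # assumed ticket-ID format

def lint_role(entry):
    """Return the list of findings for one planned role."""
    findings = []
    name = entry["role"].upper()
    if name.startswith("SAP_"):
        findings.append("name uses the SAP namespace")
    elif not name.startswith(("Y_", "Z_")):
        findings.append("name does not start with Y_ or Z_")
    if not TICKET_RE.search(entry["description"]):
        findings.append("description has no ticket reference")
    if not entry["menu"]:
        findings.append("menu is empty")
    for tcode, activity in sorted(entry["menu"].items()):
        if activity not in ALLOWED_ACTIVITIES:
            findings.append(f"{tcode}: unknown activity '{activity}'")
    # An empty organizational level is what shows up as a red traffic light.
    for field, value in sorted(entry["org_levels"].items()):
        if not value.strip():
            findings.append(f"org level {field} has no value")
    return findings

def lint_matrix(matrix):
    """Map role name -> findings, listing only roles that have findings."""
    report = {}
    for entry in matrix:
        findings = lint_role(entry)
        if findings:
            report[entry["role"]] = findings
    return report

if __name__ == "__main__":
    for role, findings in lint_matrix(ROLE_MATRIX).items():
        for finding in findings:
            print(f"{role}: {finding}")
```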

Watch my demo video on how to create a single role in SAP using the PFCG transaction code.






