Management of Users, Authorizations, and Roles SAP BASIS

The users of the SAP systems are defined internally within the same SAP systems and there is no need for user management at the operating system or database level, except for those special users defined in the standard installations, such as <sid>adm, SAPServices<adm>, ora<dbsid>,or others, depending on the operating system and database platform. The users are defined and maintained, and the security of the system is enforced in the user master records with the use of the SAP authorizations and role concept. The following sections deal with the general management of user master records and the most important available fields and options, just on the SAP Web Application Server with the ABAP engine.

But the main concern for system administrators and project managers when implementing the SAP solutions is how to enforce the right security methods for users' access to the business information. As we have seen in the first part of this chapter, the SAP system provides a comprehensive and flexible way to protect data and transactions against unauthorized use. In the user master records, users are assigned one or more roles and authorization profiles. These authorization profiles are made of a set of authorizations, which give access privileges for the different elements of the system. Further down, authorizations refer to authorization objects, which contain a range of permitted values for different system or business entities within SAP systems.

Managing roles, profiles, and authorizations is a complex and time-consuming task within SAP implementation projects and later maintenance and support. SAP has designed a tool that reduces the time needed for implementing and managing the authorizations, thus decreasing the implementation costs. This tool is known as the Role Maintenance based on the classical Profile Generator. The Profile Generator is a SAP utility available since release 3.0F of the R/3 Basis kernel, with the goal of making easier the configuration and management of authorizations, profiles, and roles. It can be used for automatically creating roles, authorizations, and profiles and assigning them easily to users. The definition of profiles using the Profile Generator is based on the possibility of grouping functions by roles (known as activity groups in releases of SAP Basis before 4.6C) in a company menu. This menu will be generated using customizing settings and will only include those functions selected by the customers.

Roles form a set of tasks or activities that can be performed in the system, such as running programs, transactions, and other functions that generally represent a job description or job role. In the following sections, all the concepts are introduced with some practical examples dealing with the process of granting access rights and protecting the system elements. A final section of the chapter covers the topic of organizing the user master record management from the point of view of tasks involved in granting access rights to the users.

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd Protection Status