Monday, 8 August 2016

WHY AND FOR WHAT DO WE REQUIRE AUTHORIZATION


We require authorizations in order to achieve the following:
·         To protect sensitive business data
·         To ensure the smooth running of the business process
·         To determine the cost-benefit relation
When developing a security concept, we ask three questions: what is to be protected (ASSETS), against what (THREATS), and how do we achieve maximum protection (MEASURES)?

FACTORS TO CONSIDER WHEN PROTECTING AN SAP SYSTEM
·         Security must be implemented at all levels, because most of the time an attack could come from the weakest point within the system.
·         Complex authorization is just one aspect of a security concept.

SYSTEM ACCESS CONTROL AND ROLE BASED ACCESS CONTROL
System access control deals with users identifying themselves to the system with a valid user ID and a password. Access control deals with authority checks for programs and transactions.
Access control is a security technique used to regulate who or what can view or use resources in a computing environment. To work in an SAP system, a user needs a valid user ID, and a user master record must be created for each system user. Authorizations are assigned to a user through profiles, in the form of roles, which are entered into the user master record.
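The two checks described above can be sketched as a small Python model. This is an added illustration, not SAP code and not code from the original post. It assumes a simplified layout in which each role carries one profile; the role name Z_HELPDESK, the user JDOE and the field values are constructed, while S_TCODE and S_USER_GRP are standard SAP authorization objects.

```python
from dataclasses import dataclass, field

@dataclass
class Authorization:
    obj: str        # authorization object, e.g. S_TCODE
    values: dict    # field -> tuple of allowed values; trailing "*" is a wildcard

@dataclass
class Role:
    name: str
    profile: list   # the profile: a container for Authorization entries

@dataclass
class UserMaster:
    user_id: str
    roles: list = field(default_factory=list)

def _covers(allowed, value):
    """True if value equals an allowed entry or matches its trailing-* prefix."""
    return any(a == value or (a.endswith("*") and value.startswith(a[:-1]))
               for a in allowed)

def authority_check(user, obj, **wanted):
    """True only if ONE authorization for obj covers every requested field.
    Field values held in different authorizations are not combined."""
    for role in user.roles:
        for auth in role.profile:
            if auth.obj == obj and all(
                    _covers(auth.values.get(f, ()), v) for f, v in wanted.items()):
                return True
    return False

def start_transaction(user_masters, user_id, tcode):
    """System access first (a user master record must exist; the password
    check is left out of this model), then the S_TCODE authority check."""
    user = user_masters.get(user_id)
    return user is not None and authority_check(user, "S_TCODE", TCD=tcode)

# Constructed sample data: role, user ID and field values are illustrative.
HELPDESK = Role("Z_HELPDESK", [
    Authorization("S_TCODE", {"TCD": ("SU01D", "SU5*")}),
    Authorization("S_USER_GRP", {"CLASS": ("HR",), "ACTVT": ("03",)}),
    Authorization("S_USER_GRP", {"CLASS": ("IT",), "ACTVT": ("02", "03")}),
])
USERS = {"JDOE": UserMaster("JDOE", [HELPDESK])}

if __name__ == "__main__":
    jdoe = USERS["JDOE"]
    print(start_transaction(USERS, "JDOE", "SU53"))    # matched by SU5*
    print(start_transaction(USERS, "GHOST", "SU53"))   # no user master record
    print(authority_check(jdoe, "S_USER_GRP", CLASS="HR", ACTVT="02"))
```

The last call is refused even though the value HR and the activity 02 both appear in the user's profile, because they sit in different authorizations.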

DEFINITION OF TERMS
         i.            Role: a group of activities performed within a business scenario
        ii.            Profile: a container for authorizations
       iii.            Business scenario: a group of activities performed by employees in their various roles


NOTE: A role contains one or more activities in the business scenario; a single role can be involved in different business scenarios.
Roles are created with the transaction code (tcode) PFCG. The four core elements of a role are:
·         TRANSACTION
·         MENU
·         AUTHORIZATION
·         USER ASSIGNMENT
To view the report on SAP roles, run RSUSR070 and enter SAP* to display all the roles supplied by SAP.