Show TOC

 Security in System GroupsLocate this document in the navigation structure

The development system

When the development system is first installed, the users are mainly the project team members, including developers and system administrators. Most users of a newly-installed SAP system initially have the authorization profile SAP_ALL  in their user master record, which allows them to perform all tasks in the system. As the project progresses it is necessary to restrict user access. Development system users usually have greater access rights as quality assurance or production system users.

Authorization administrators should make themselves acquainted with the SAP authorization concept in this phase. We recommend that you use SAP_ALL as a template and first define the role or profile <company>_ALL without the superuser authorizations. To do this, proceed as follows:

  1. Create a role with Tools → Administration → User maintenance → Roles.
  2. Do not enter any transactions, choose the Authorizations tab page nd then Change authorization data.
  3. Do not copy any templates, choose Edit → Add authorization. → Full authorization.
  4. Expand theBasis administration object class.

    Here you find the authorizations which are generally regarded as critical.

  5. Deactivate all authorizations which begin with User master maintenance or have S_USER_* in the object name, and any others which you regard as critical.
  6. Using the role administration tool, generate a new profile and save it under a new name.

You can assign the role that you have just created to the relevant users in user maintenance. See Assigning roles .

This control ensures the integrity and stability of the system.

The Basis authorization objects are documented in the transaction AUTH_DISPLAY_OBJECTS. The authorization objects in the object class Basis - Administration are called S_USER_*. Place the cursor on an authorization object and choose Information.

Note

For more information about Basis system and SAP work area authorizations, see Tools → AcceleratedSAP → Customizing →  Edit project and choose the SAP Reference IMGbutton. Search for the entries Useror Authorization to call the authorization sections.

The authorization administrator creates the roles for end users in the development system. These roles are transported to the final test in the quality assurance system before being put in the production system. The user master records are usually created in the production system shortly before it goes live. The roles are assigned to the end users in the production system together with the transported authorization data, as required.

The authorization administrator must know which clients are to be created in the customer systems. Roles are not automatically copied when new clients are created. As users, roles, authorization profiles, and authorizations are client-specific, the client copy administrator must also know which user master records are to be copied.

The quality assurance system

The authorization administrator can start to transport the roles from the development system into the quality assurance system when it has been setup.

For example a member of the FI project team can check the following in the accounts payable accounting with a model user ID:

Whether the user has access to the transactions in the roles assigned to him or her

Whether these transactions correspond to the role defined by the company for the accounts payable accounting

Whether the model user ID has unallowed access authorization for certain transactions

The end users can logon in a test environment and simulate production processing to test the user authorizations.

A training client is usually created in the quality assurance system because it contains the newest configuration. Larger installations have a separate training system.

The production system

When the roles and authorization profiles have been completely tested in the quality assurance system and approved by the end users or project team, the roles can be transported into the production system. The user IDs can then be created.

You should never make changes to a production SAP system. You should therefore not assign following authorizations to users in a production system:

  • Authorizations for the ABAP Workbench (authorization objects ABAP Workbench (S_DEVELOP) andTransport Organizer (S_TRANSPRT))
  • SAP system operating system command execution authorizations (transaction SM52) (System Authorizations (S_ADMI_FCD) value UNIX).
  • Authorizations to deactivate authorization checks (transaction AUTH_SWITCH_OBJECTS) with the authorization object S_USER_OBJ.