Security in System Groups

The development system

When the development system is first installed, the R/3 users are mainly the project team members, including developers and system administrators. Most users of a newly installed SAP System initially have the authorization profile SAP_ALL, which allows them to perform all R/3 tasks, in their user master record. As the R/3 project progresses it is necessary to restrict user access. Development system users usually have greater access rights than quality assurance or production system users.

Authorization administrators should make themselves acquainted with the SAP authorization concept in this phase. First define the role or profile <company>_ALL based on SAP_ALL without superuser authorization, as follows:

  1. Create a role with Tools → Administration → User maintenance → Roles.
  2. Do not enter any transactions; choose Authorizations and then Change authorization data.
  3. Do not copy any templates; choose Edit → Add authorization → Full authorization.
  4. Expand the Basis administration object class.
     Here you find the authorizations which are generally regarded as critical.
  5. Deactivate all authorizations which begin with User master maintenance or have S_USER_* in the object name, and any others which you regard as critical.
  6. Generate a new profile with the Profile Generator and save it under a new name (see Predefined profile: Naming convention).

You can assign the role you have just created to the user in user maintenance. See Assigning roles.
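The following report is an added example and is not part of the SAP documentation or the SAP standard. It verifies the outcome of steps 5 and 6 above: given the name of a generated single profile (for example the <company>_ALL profile derived from SAP_ALL), it lists every active S_USER_* authorization object the profile still contains. It assumes the table UST10S (single profile to authorization assignment) with the fields PROFN, AKTPS ('A' = active version), OBJCT and AUTH.

```abap
*&---------------------------------------------------------------------*
*& Report ZCHK_PROFILE_NO_SUSER (added example, not SAP standard code)
*& Lists every active S_USER_* authorization object still contained in
*& a generated single profile, e.g. the <company>_ALL profile built from
*& SAP_ALL. Assumes table UST10S with fields PROFN, AKTPS, OBJCT, AUTH.
*&---------------------------------------------------------------------*
REPORT zchk_profile_no_suser.

PARAMETERS: p_prof TYPE ust10s-profn OBLIGATORY.   " profile to check

TYPES: BEGIN OF ty_hit,
         objct TYPE ust10s-objct,
         auth  TYPE ust10s-auth,
       END OF ty_hit.

DATA: lt_hits TYPE STANDARD TABLE OF ty_hit,
      ls_hit  TYPE ty_hit.

* Only the active version (AKTPS = 'A') of the profile is relevant.
* A profile that still carries user master objects (S_USER_GRP,
* S_USER_PRO, S_USER_AUT, ...) lets its holders maintain users,
* profiles and authorizations, which is what step 5 is meant to remove.
SELECT objct auth FROM ust10s INTO TABLE lt_hits
  WHERE profn = p_prof
    AND aktps = 'A'
    AND objct LIKE 'S_USER_%'.

IF sy-subrc <> 0.
  WRITE: / 'Profile', p_prof, 'contains no active S_USER_* authorization.'.
ELSE.
  WRITE: / 'Profile', p_prof, 'still contains critical authorizations:'.
  LOOP AT lt_hits INTO ls_hit.
    WRITE: / '  object', ls_hit-objct, 'authorization', ls_hit-auth.
  ENDLOOP.
ENDIF.
```

Running the report against SAP_ALL first shows the full set of S_USER_* objects that must be absent from the derived profile.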

This control ensures the integrity and stability of the system.

The Basis authorization objects are documented in the transaction AUTH_OBJECTS_DISPLAY. The authorization objects in the object class Basis - Administration are called S_USER_*. Position the cursor on an authorization object and choose Information.

For further information about Basis System and SAP work area authorizations, see Tools → AcceleratedSAP → Customizing → Edit project and the SAP Reference IMG pushbutton. Search for the entries User or Authorization to call the authorization sections.

The following standard roles are delivered:

Basis: Authorization data administrator
Basis: Authorization profile administrator
Basis: User administrator
Basis: System administrator
Basis: Batch administrator
Basis: Database administrator
Basis: Customizing project member
Basis: ABAP developer
Basis: Uncritical basis authorizations for all users

The authorization administrator creates profiles and authorizations for end users in the development system. These authorizations and profiles are transported to the final test in the quality assurance system before being put in the production system. The user master records are usually created in the production system shortly before it goes live. The roles are assigned to the end users in the production system together with the transported authorization data, as required.

The authorization administrator must know which clients are to be created in the customer systems. Roles are not automatically copied when new clients are created. As users, roles, authorization profiles and authorizations are client-specific, the client copy administrator must also know which user master records are to be copied.

If the SAP standard changes and user developments are made, you must clarify:

etc.

SAP Standard changes (BC) contains information about how to proceed with new developments and changes to the SAP Standard.

New customer program code should be assigned to an authorization group in the ABAP Editor (SE38) Program attributes screen. Use the authorization object ABAP Development Workbench (S_DEVELOP) to assign an authorization group for programs to users.

The quality assurance system

The authorization administrator can start to transport the roles from the development system into the quality assurance system once it has been set up.

For example a member of the FI project team can check the following in the accounts payable accounting with a model user ID:

The end users can logon in a test environment and simulate production processing to test the user authorizations.

A training client is usually created in the quality assurance system because it contains the newest configuration. Larger installations have a separate training system. In both cases the authorization administrator should contact the project team members responsible for training to familiarize himself or herself with the creation of user IDs and roles.

The production system

When the roles and authorization profiles have been completely tested in the quality assurance system and approved by the end users or project team, the roles can be transported into the production system. The user IDs can then be created. A form is distributed to all departments. When all the information required for the creation of user IDs has been entered, it is signed by all relevant persons.

You should never make changes to a production R/3 System. You should therefore not assign the following authorizations to users in a production system: