Role Administration in SAP

Role Creation and Maintenance in SAP:
A user may need several authorizations to perform a single operation in the SAP system.
The SAP authorization concept is based on authorization objects: each object bundles the fields (activity, organizational level, object name, etc.) that one authorization check tests together, so that access can be defined in an understandable and consistent way.
Users are assigned roles. A role carries authorization data; from that data the profile generator builds a profile, which contains the authorizations (field values) for the relevant authorization objects. It is the generated profile in the user master record that the system checks at runtime, so a role whose profile has not been generated grants nothing.
Roles are created and maintained with T-code PFCG.
Three types of roles are available in SAP:
1) Single Roles
2) Composite Roles
3) Derived Roles
1) Single Roles: roles that contain a menu, authorization data and a generated profile.
2) Composite Roles: a collection of single roles. A composite role contains no authorization data of its own; the user receives the profiles of the single roles it contains.
3) Derived Roles: child roles derived from a master (parent) role. The derived role inherits the menu and the authorization data of the master; only the organizational level values (company code, plant, etc.) are maintained separately in each derived role, so one master role can serve many organizational units without the transactions and authorizations being maintained twice.

Transaction codes required for SAP SECURITY CONSULTANT

To work in SAP as a Security Consultant, the T-codes below are required.
First, the areas in which the SAP Security & Authorizations (S&A) team works in an SAP system:
1) User administration
2) Role administration
3) Troubleshooting
4) Trace
5) Finding user information
6) User-related information from tables
7) Role-related information from tables
8) Transport request status
The transaction codes for each area are listed below.

User Administration or User set up or User ID creation in SAP Security

To log on to SAP, each user needs a user account (user ID) that exists in the system; only then can a functional consultant or developer work on objects in the system.
To get access to SAP, the requester contacts the Security & Authorizations team.
The S&A team obtains the necessary approvals from the responsible team and then sets up the user.
A user can only log on at all if a user master record exists, and the relevant roles must be assigned in that user master record before the user can do anything useful in the SAP system.
Users are set up with T-code SU01.
To set up a user, the following information is required at minimum:
·         Last name, initial password and user type

How to find Open status Authorizations in Z* Roles in SAP?

First of all, what is meant by open authorizations?
What happens if open authorizations exist in roles?
In SAP we restrict users by granting authorizations (T-codes, fields and activities).
These authorizations are maintained in roles, and the roles are assigned to users.
The authorization hierarchy is
Authorization class (ex: BC_C)
Authorization object (ex: S_DEVELOP)
Authorization fields (ex: ACTVT, DEVCLASS for the package)
Field values (ex: ACTVT = 16)
These objects are pulled into a role automatically from the SU24 defaults when a transaction is added to the role menu. If the authorization data for a T-code has not been maintained completely in SU24, the objects are proposed with empty fields; this is the "open" status.
The same happens when proposed fields are simply not maintained in the role itself: PFCG shows the authorization in yellow. These are called open status authorizations. A role that contains them is not finished; the open fields must be given deliberate values before the profile is generated, and filling them with `*` is not a fix, because that grants every value instead of none.
For example, the authorization object S_DATASET has the fields ACTVT (activity), FILENAME (physical file name) and PROGRAM (program name); an S_DATASET authorization in which FILENAME has been left empty is open.

SUIM (User Information System) in SAP and its Use

To find out user and role data in SAP, we have several options.

We can get it from tables or reports, and we can get it with a T-code as well: SUIM, the User Information System.

SUIM gives data on users, roles, profiles, authorization objects and the change history of users and roles, and it can compare the authorizations of users and roles, including across systems.
In SUIM below options available.

Users
Roles
Profiles
Authorizations
Authorization Objects
Transactions
Comparisons
Where used list
Change documents

FYI, please find the screenshots below.

USR* and AGR* TABLES in SAP



In SAP all data is stored in tables, and we can read it from the standard SAP tables.

User and role data is stored in tables as well.

As a SAP Security Consultant we should know the user- and role-related tables in SAP.

Here we discuss the user tables, called USR* tables (for example USR02, the user master with logon data), and the role tables, called AGR* tables (for example AGR_USERS for user-to-role assignments and AGR_1251 for the field values of the authorizations in a role).

The change history of users can be obtained from the USH* tables (USH02 for changes to logon data, for example).

These tables can be displayed with T-code SE16. Note that USR02 also holds the password hashes, so display access to the USR* tables through SE16 must itself be restricted to the S&A team.
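As an added example for both the open-authorization question above and the USR*/AGR* tables just described (it is not the page's own code and not SAP-delivered code), the Python script below reads tab-separated SE16 exports of AGR_1251, AGR_USERS and USR02, reports every authorization field in a Z* role that has no value at all (open status), and lists who currently holds the affected roles together with their lock status. It goes beyond the page in also flagging fields set to `*`, the common bad fix for an open field. The three exports embedded in the script are constructed sample data with invented role and user names; the column names are the standard ones, but the assumption that PFCG records an open field as an AGR_1251 row with empty LOW and HIGH should be checked against a known-open role in your own system before relying on the output.

```python
"""Find open (unmaintained) authorization fields in Z* roles and the users who
currently hold those roles, from SE16 exports of AGR_1251, AGR_USERS and USR02.

Added example for this page, not SAP code.  All rows below are constructed;
role and user names are invented.  Assumption (verify on your system): PFCG
stores an open, yellow field as an AGR_1251 row with LOW and HIGH both empty.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed tab-separated SE16 exports (header row, then data rows).
AGR_1251_EXPORT = """\
AGR_NAME\tOBJECT\tAUTH\tFIELD\tLOW\tHIGH\tDELETED
Z_FI_DISPLAY\tS_TCODE\tT-FI01\tTCD\tFB03\t\t
Z_FI_DISPLAY\tF_BKPF_BUK\tT-FI02\tACTVT\t03\t\t
Z_FI_DISPLAY\tF_BKPF_BUK\tT-FI02\tBUKRS\t\t\t
Z_BASIS_DEV\tS_DEVELOP\tT-BC01\tACTVT\t*\t\t
Z_BASIS_DEV\tS_DEVELOP\tT-BC01\tDEVCLASS\t\t\t
Z_BASIS_DEV\tS_DEVELOP\tT-BC01\tOBJTYPE\t*\t\t
Z_BASIS_DEV\tS_DATASET\tT-BC02\tACTVT\t33\t34\t
Z_BASIS_DEV\tS_DATASET\tT-BC02\tFILENAME\t\t\t
Z_BASIS_DEV\tS_DATASET\tT-BC02\tPROGRAM\t*\t\t
Z_BASIS_DEV\tS_DATASET\tT-BC99\tFILENAME\t\t\tX
SAP_AUDITOR\tS_TCODE\tT-SA01\tTCD\tSE16\t\t
"""
AGR_USERS_EXPORT = """\
AGR_NAME\tUNAME\tFROM_DAT\tTO_DAT
Z_FI_DISPLAY\tJDOE\t20230101\t99991231
Z_BASIS_DEV\tDEVADMIN\t20230101\t99991231
Z_BASIS_DEV\tCONTRACTOR1\t20230101\t99991231
Z_BASIS_DEV\tTEMP01\t20220101\t20221231
"""
USR02_EXPORT = """\
BNAME\tUSTYP\tUFLAG
JDOE\tA\t0
DEVADMIN\tA\t0
CONTRACTOR1\tA\t32
TEMP01\tA\t0
"""

def load_table(export):
    """Parse one tab-separated export into a list of {column: value} dicts."""
    return list(csv.DictReader(io.StringIO(export), delimiter="\t"))

def live_rows(rows, role_prefix):
    """AGR_1251 rows of roles with the given prefix, skipping deleted rows."""
    return [r for r in rows
            if r["AGR_NAME"].startswith(role_prefix)
            and (r.get("DELETED") or "").strip() != "X"]

def find_open_fields(agr_1251, role_prefix="Z"):
    """(role, object, auth, field) for every field with no value at all."""
    return [(r["AGR_NAME"], r["OBJECT"], r["AUTH"], r["FIELD"])
            for r in live_rows(agr_1251, role_prefix)
            if r["LOW"].strip() == "" and r["HIGH"].strip() == ""]

def find_full_wildcards(agr_1251, role_prefix="Z"):
    """(role, object, field) for fields set to '*': the lazy 'fix' for an
    open field, which grants every value instead of none."""
    return [(r["AGR_NAME"], r["OBJECT"], r["FIELD"])
            for r in live_rows(agr_1251, role_prefix)
            if r["LOW"].strip() == "*"]

def users_holding(roles, agr_users, usr02, today):
    """Current holders of each role in `roles` with USR02 type and lock status.
    Dates are YYYYMMDD strings, so FROM_DAT <= today <= TO_DAT compares as
    strings; any UFLAG other than 0 means the user is locked."""
    master = {u["BNAME"]: u for u in usr02}
    today_s = today.strftime("%Y%m%d")
    holders = defaultdict(list)
    for a in agr_users:
        if a["AGR_NAME"] in roles and a["FROM_DAT"] <= today_s <= a["TO_DAT"]:
            u = master.get(a["UNAME"], {})
            holders[a["AGR_NAME"]].append({
                "user": a["UNAME"],
                "type": u.get("USTYP", "?"),
                "locked": (u.get("UFLAG") or "0").strip() != "0",
            })
    return dict(holders)

def review(today=date(2024, 6, 1)):
    """Run both checks and map the affected roles to their current holders."""
    agr_1251 = load_table(AGR_1251_EXPORT)
    open_fields = find_open_fields(agr_1251)
    wildcards = find_full_wildcards(agr_1251)
    affected = {f[0] for f in open_fields} | {w[0] for w in wildcards}
    holders = users_holding(affected, load_table(AGR_USERS_EXPORT),
                            load_table(USR02_EXPORT), today)
    return {"open": open_fields, "wildcards": wildcards, "holders": holders}

if __name__ == "__main__":
    report = review()
    for entry in report["open"]:
        print("OPEN     ", *entry)
    for entry in report["wildcards"]:
        print("WILDCARD ", *entry)
    for role, users in report["holders"].items():
        print("HOLDERS  ", role,
              [(u["user"], "locked" if u["locked"] else "ok") for u in users])
```

Run it as is to see the report on the sample data (the deleted T-BC99 row and the non-Z SAP_AUDITOR role are ignored, and TEMP01's expired assignment is not counted as a current holder). For a real system, export the three tables from SE16 with AGR_NAME restricted to Z* and replace the embedded strings with the file contents. A role listed under OPEN needs the missing values maintained in PFCG and its profile regenerated; one listed under WILDCARD needs the `*` narrowed to the values the business actually requires; and a locked user still holding an affected role is a candidate for having the assignment removed.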