Day 4 - SAP Authorization Concept

Understanding Authorization and Authentication in SAP Security

Introduction to Authorization and Authentication

  • The discussion begins with the importance of authorization from a security perspective, highlighting its critical role.
  • A distinction is made between authentication (identity verification) and authorization (permissions to perform activities).

Authentication Explained

  • Authentication checks identity through user credentials, typically a username and password.
  • The process involves multiple layers of security, including firewalls and networks, before accessing the SAP system.
  • For an SAP security consultant, the focus is on the login to the SAP system itself rather than on managing firewalls or network security.

Understanding Authorization

  • Once logged into the system, authorization determines what actions users can perform based on their roles.
  • The key difference: authentication occurs outside the system while authorization takes place within it.

Weaknesses in Current Authentication Methods

  • Current identity checks using usernames and passwords are considered weak; if someone knows these credentials, they can access the system.
  • Stronger authentication methods include biometric checks, such as fingerprints, which cannot be easily replicated.

Future of Authentication in SAP

  • There is potential for future integration of stronger authentication methods such as fingerprint scanning in SAP systems.

Variability of Authorization Among Users

  • Every user receives basic authentication; however, authorization varies significantly based on user roles (e.g., HR vs. Finance).

Structure of Authorization in SAP

  • Authorization is defined by specific fields and objects that dictate what actions users can take within the system.
  • An authorization object consists of up to ten authorization fields, forming a structured table format for permissions.

Conclusion on Authorization Objects

  • Each authorization object contains various fields with associated values that define user permissions within SAP systems.

Understanding SAP Authorization Objects

Overview of T Code SU21

  • The T code SU21 is used to look up authorization objects in the SAP system; the example used here is the object for GUI activities.
  • The object S_GUI belongs to the object class BC_A (Basis: Administration), which is why it is grouped under basis administration.

Authorization Fields and Activities

  • The object has only one authorization field, ACTVT, which represents the activity. Possible values include:
    • 61: Download
    • 60: Upload

Exploring Object Classes

  • In the SAP system, folders represent object classes, categorized by areas such as financial services and HR.
  • Each folder contains authorization objects relevant to its domain; for example, HR-related objects are found under the HR folder.

Specific Example: S_GUI Object

  • The object S_GUI has a single field for activity and allows users to save lists locally (download).
  • Documentation within the system provides details on how this object can be utilized for file access.

Role Creation Process

  • Users may request access to various functionalities like appraisals or payroll data. It is essential to identify corresponding authorization objects.
  • Once identified, these objects must be grouped together into a role that can then be assigned to the user.

Role Management in SAP

Understanding T Code SU01

  • The T code SU01 is crucial for client user administration, allowing actions such as creating, modifying, displaying, deleting users, and managing passwords.

Necessary Authorization Objects for User Management

  • Key authorization objects associated with SU01 include:
    • S_USER_GRP: For creating users.
    • S_USER_AGR: For assigning roles.
    • S_USER_PRO: For assigning profiles (not permitted for all users).

Scenarios of User Access Control

Understanding Authorization Objects and T Codes in SAP

The Role of T Codes and Authorization Objects

  • Users with access to a transaction code (T code) but without assigned authorization objects cannot perform any activities under SU01. T codes serve as an interface for executing functions.
  • Actions such as creation, modification, deletion, copying, locking, unlocking, and password resets are governed by authorization objects. These objects are standard and fixed within the system.
  • Each action has a corresponding authorization object that must be identified for proper access management. This identification is crucial for fulfilling user requests effectively.
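The three bullets above describe a model: a T code only opens the screen, and every action behind it is decided by a check on an authorization object and its field values. The following Python is an added example, not material from the course or from SAP; it models objects, authorizations, roles and user assignments with constructed sample data and reproduces the AUTHORITY-CHECK rule that a single authorization must cover all requested field values at once. The object and field names (S_TCODE/TCD, S_GUI/ACTVT, S_USER_GRP/CLASS+ACTVT) are the real ones; the role names, users and value choices are constructed.

```python
from dataclasses import dataclass, field

MAX_FIELDS = 10  # an authorization object carries at most ten fields


@dataclass(frozen=True)
class AuthObject:
    """Definition of an authorization object: its name and its field names."""
    name: str
    fields: tuple

    def __post_init__(self):
        if not 1 <= len(self.fields) <= MAX_FIELDS:
            raise ValueError(f"{self.name}: an object has 1..{MAX_FIELDS} fields")


# Objects mentioned in the notes, with their real field names
S_TCODE = AuthObject("S_TCODE", ("TCD",))                   # transaction start
S_GUI = AuthObject("S_GUI", ("ACTVT",))                     # GUI download/upload
S_USER_GRP = AuthObject("S_USER_GRP", ("CLASS", "ACTVT"))   # user master maintenance


@dataclass
class Authorization:
    """One instance of an object with a set of allowed values per field.
    '*' stands for any value, as in an SAP authorization."""
    obj: AuthObject
    values: dict

    def __post_init__(self):
        missing = set(self.obj.fields) - set(self.values)
        if missing:
            raise ValueError(f"{self.obj.name}: no values for {sorted(missing)}")


@dataclass
class Role:
    name: str
    authorizations: list = field(default_factory=list)


def authority_check(roles, obj, **wanted):
    """Mimic AUTHORITY-CHECK: succeed only if ONE authorization covers every
    requested field value; values from different authorizations never combine."""
    if set(wanted) != set(obj.fields):
        raise ValueError(f"check must name exactly the fields of {obj.name}")
    for role in roles:
        for auth in role.authorizations:
            if auth.obj != obj:
                continue
            if all("*" in auth.values[f] or wanted[f] in auth.values[f]
                   for f in obj.fields):
                return True
    return False


def can_start_tcode(roles, tcode):
    """Starting a transaction is itself an authorization check on S_TCODE."""
    return authority_check(roles, S_TCODE, TCD=tcode)


# Constructed sample roles: the same T code with different authorization objects
tcode_only = Role("Z_SU01_TCODE_ONLY", [
    Authorization(S_TCODE, {"TCD": {"SU01"}}),
])
display_only = Role("Z_USER_DISPLAY", [
    Authorization(S_TCODE, {"TCD": {"SU01"}}),
    Authorization(S_USER_GRP, {"CLASS": {"*"}, "ACTVT": {"03"}}),  # 03 = display
])
user_admin = Role("Z_USER_ADMIN", [
    Authorization(S_TCODE, {"TCD": {"SU01"}}),
    # 01 create, 02 change, 03 display, 05 lock/unlock, 06 delete
    Authorization(S_USER_GRP, {"CLASS": {"*"}, "ACTVT": {"01", "02", "03", "05", "06"}}),
    Authorization(S_GUI, {"ACTVT": {"61"}}),  # 61 = download only, no upload (60)
])

# Constructed user-to-role assignments (a user never holds a T code directly)
USERS = {"alice": [tcode_only], "bob": [display_only], "carol": [user_admin]}


def check_user(user, obj, **wanted):
    """Evaluate an object check against all roles assigned to a user."""
    return authority_check(USERS[user], obj, **wanted)


if __name__ == "__main__":
    for name in USERS:
        print(name,
              "start SU01:", can_start_tcode(USERS[name], "SU01"),
              "create user:", check_user(name, S_USER_GRP, CLASS="SUPER", ACTVT="01"))
```

Running it shows alice can start SU01 but fails every user-maintenance check, bob can only display, and carol can create users and download but not upload. The per-authorization rule in authority_check is the part worth noticing when reviewing a role: two narrow authorizations for the same object do not add up to one broad one.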

Identifying Relevant Authorization Objects

  • When users request access to specific files or functionalities (e.g., accessing a file named XYZ), it is essential to determine the related authorization object necessary for that access.
  • Users typically describe their needs without specifying object names; thus, it is the responsibility of the administrator to identify the correct authorization objects linked to user requests.

Linking T Codes with Authorization Objects

  • The relationship between T codes and authorization objects can be explored using SU24. This transaction provides insights into which authorization objects are required for specific T codes.
  • By entering a T code in SU24 (e.g., SU01), administrators can view all associated authorization objects. It’s not necessary to memorize these; filtering options help manage them efficiently.

Exploring Specific Examples of T Codes

  • In SAP, there are over one lakh (100,000) T codes available. For instance, SCC4 has only one relevant object controlling its functionality: S_TABU_DIS.
  • Accessing certain functionalities requires both the appropriate T code and its corresponding authorization object; lacking either will prevent users from performing tasks like client creation.

Gathering User Requirements and Creating Roles

  • When users request access (e.g., sales order creation or payroll viewing), it's vital first to gather information about which T codes they use for those actions.
  • Once the relevant T codes are identified (like VA01 for sales orders), administrators can retrieve associated data from SU24 to prepare roles that encompass these permissions effectively.

Understanding T Codes and Role Assignments in SAP

Role Assignment Limitations

  • Users cannot assign transaction codes (T codes) directly; they must be placed under a role, which is then assigned to the user.
  • The inability to assign T codes or authorization objects directly to users necessitates their organization under roles for proper access management.

Customizing User Access

  • If a user requires specific access, create a role containing only the relevant T code and associated objects. For example, if access is needed solely for sales creation, include only that T code in the role.
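The procedure in the last few sections (collect the user's T codes, look each one up in SU24, bundle the T codes and their objects into one role, then narrow it to what was asked for) can be written out as a small role-building routine. This is an added example, not code from the course or from SAP: the SU24-style table below is constructed for illustration (the object and field names are real, the proposed values are placeholders rather than SAP's shipped defaults), and build_role, objects_for_tcodes and wide_fields are hypothetical helper names.

```python
# Constructed SU24-style table: T code -> objects it needs, with proposed
# field values. Field names are the real ones; the values are illustrative
# placeholders, not SAP's shipped SU24 defaults.
SU24_DEFAULTS = {
    "SU01": [
        ("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"01", "02", "03", "05", "06"}}),
        ("S_USER_AGR", {"ACT_GROUP": {"*"}, "ACTVT": {"22"}}),  # 22 = assign
        ("S_USER_PRO", {"PROFILE": {"*"}, "ACTVT": {"22"}}),
    ],
    "SCC4": [
        ("S_TABU_DIS", {"DICBERCLS": {"SS"}, "ACTVT": {"02", "03"}}),
    ],
    "VA01": [
        ("V_VBAK_VKO", {"VKORG": {"*"}, "VTWEG": {"*"}, "SPART": {"*"}, "ACTVT": {"01"}}),
    ],
}


def objects_for_tcodes(tcodes, su24=SU24_DEFAULTS):
    """The SU24 lookup step: which authorization objects do these T codes need?"""
    unknown = sorted(set(tcodes) - set(su24))
    if unknown:
        raise KeyError(f"no SU24 entry for {unknown}: ask the user which screen they use")
    return sorted({obj for t in tcodes for obj, _ in su24[t]})


def build_role(name, tcodes, su24=SU24_DEFAULTS, restrict=None):
    """Build a role proposal: S_TCODE for exactly the requested T codes plus the
    objects SU24 lists for them. An object needed by several T codes appears
    once, with the union of its field values. `restrict` overrides field values
    with what the user actually asked for (for example display only)."""
    objects_for_tcodes(tcodes, su24)  # fail early on unmapped T codes
    auths = {"S_TCODE": {"TCD": set(tcodes)}}
    for t in tcodes:
        for obj, values in su24[t]:
            merged = auths.setdefault(obj, {})
            for fld, vals in values.items():
                merged.setdefault(fld, set()).update(vals)
    for obj, fields in (restrict or {}).items():
        if obj not in auths:
            raise KeyError(f"{obj} is not part of this role")
        for fld, vals in fields.items():
            auths[obj][fld] = set(vals)
    return {"name": name, "authorizations": auths}


def wide_fields(role):
    """Fields still carrying '*' after the build: the administrator's review list
    for narrowing the role to what was actually requested."""
    return sorted((obj, fld)
                  for obj, fields in role["authorizations"].items()
                  for fld, vals in fields.items() if "*" in vals)


if __name__ == "__main__":
    role = build_role("Z_USER_DISPLAY", ["SU01"],
                      restrict={"S_USER_GRP": {"ACTVT": {"03"}}})
    print(role["name"], role["authorizations"])
    print("review these wide fields:", wide_fields(role))
```

The restrict step is where the "include only what is needed" advice above is applied: the SU24 proposal is a starting point, and wide_fields lists every field that still allows any value so the administrator can decide whether that breadth was requested.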

Key Transaction Codes

  • Two important T codes discussed are:
    • SU21: Used for managing authorization objects.
    • SU24: Helps find authorization objects related to any given T code in SAP.

Understanding Transaction Codes (T Codes)

  • A transaction code (T code) serves as a shortcut to execute programs within SAP. It simplifies accessing complex program names.
  • When entering a T code like SU01 or SCC4, the system executes an underlying program that displays the corresponding screen.

Finding Program Information

  • To discover the program linked with a specific command like SU01, use the command SE93. This allows maintenance of commands including creating and modifying them.

Historical Context of T Codes

  • Initially, users had to remember long program names; thus, T codes were introduced as shortcuts for easier navigation within SAP systems.

Maintenance of Transaction Codes

  • There are approximately 100,000 T codes in SAP. New ones can be created using SE93 by writing corresponding programs through ABAP teams.

Commands for Program Execution

  • SE38 and SA38 are two commands used for executing programs:
    • SE38: Allows creating, modifying, deleting, and executing programs.
    • SA38: Limited to executing programs only.

Differences Between SE38 and SA38

  • SE38 provides comprehensive options, including display and modification capabilities, while SA38 is limited to executing programs.

What is the Difference Between SE38 and SA38?

Understanding T Codes in SAP

  • The speaker poses a question regarding the difference between SE38 and SA38, indicating that this is a common interview question.
  • SU21 is introduced as a T code related to authorization objects, while SU24 helps find authorization objects linked to any T code in SAP.
  • The distinction between SA38 and SE38 is clarified: SA38 allows only program execution, whereas SE38 permits maintenance actions such as creating, modifying, deleting, and executing programs.

Overview of Authorization Components

  • The speaker mentions sending out a document summarizing today's discussion on authorization components, including an overview of authorization objects and roles.
  • Participants are instructed to study pages 12 to 26 of the provided document for detailed insights into components like profiles, activity groups, and roles related to authorization objects.

Key Insights on Authorization Objects

  • A hint about naming conventions for authorization objects is shared: names starting with 'S' relate to basis functions while those starting with 'P' pertain to human resources.

Video description

SAP Security - Authorization Concept, by Sridhar Gajulapalli.