
SAP Security Notes


SAP Security: SAP Security gives end/business users the right access according to their roles and responsibilities, and restricts access beyond those roles to prevent fraud against the business.
SAP Security applies to all functional modules, e.g. SAP MM, SAP SD, SAP FICO, SAP WM.
Below are two examples of business process flows from the MM and SD modules:

P2P (Procure to Pay cycle):

O2C (Order to Cash cycle):

Below is where SAP Security is mainly used:


saplogon.xml: SAP GUI reads its list of systems (system IDs, descriptions and application server hostnames/IP addresses) from this file. To load a whole landscape into the SAP Logon tab at once instead of typing entries by hand: in SAP Logon open the menu, choose Options, locate the configuration file path shown there, and replace the existing file with the shared copy.

The standard clients in SAP are 000, 001 and 066. Basis installs these standard clients; the business works in custom clients created from them, and no development should be done in the standard clients.

Client-independent data: data/tables shared across all clients of a system; a change made in one client is visible in every client of that system.
Client-dependent data: data/tables that reside in one client only.
RZ11: t-code to display profile parameters and change the dynamically switchable ones at runtime (the change is lost at the next restart).
RZ10: t-code to create/change profile parameters in the instance/default profiles (permanent, takes effect after a restart).
The security consultant reviews and identifies the password profile parameters (the login/* parameters) and Basis implements the changes.
Security typically has access to RZ11 and Basis to RZ10.

T-code: a transaction code, a command used to launch a screen in SAP.

/n: closes the current screen and opens the new transaction in its place.
/o: keeps the current screen and opens the new transaction in another session (window).
Application server: an instance is a collection of work processes of several types:
Dialog: where users log on and work; an interactive, live session.
Background: jobs run in background mode; the system allocates memory for them.
Spool: used for printing.
Enqueue: used to lock objects to preserve their integrity; e.g. a railway ticket booking system will not let a second user book the same seat while another user is working on it.

ECC running on the HANA database is "Business Suite on HANA". S/4HANA is a separate product built on HANA with a simplified data model, not just ECC on HANA; these notes use ECC/NetWeaver terminology.

NetWeaver: the SAP platform on which the different components (ECC, BI, GRC, ...) are deployed.
Basis deploys components according to business needs.
NetWeaver is common to all the systems:
GRC = NW + GRC, BI = NW + BI.

User administration: our job is creating new users, providing access, deleting users, modifying existing users, password resets, and locking/unlocking.

To create a new user the t-code is SU01; the following is needed for it:
Types of users
Dialog: every business, technical or functional user who performs day-to-day activities interactively.
Service: shared/anonymous accounts, e.g. firefighter IDs (GRC) or QA testers; no password change is forced at logon.
System: for background processing and internal RFC between SAP systems; no interactive (dialog) logon is possible and password expiry does not apply.
Communication: for dialog-free external communication (RFC/CPIC) with another system, e.g. an Oracle- or Sybase-based application; no dialog logon, but password rules do apply.
Reference: not a logon account; it is entered as the reference user of other users (SU01, Roles tab) to give them its authorizations in addition to their own.

User groups: used to club users of the same category into one group, e.g. security, basis, abap.
SUGR is the t-code to create a user group.
SSO (single sign-on)

SSO is an authentication concept where the user enters a password only once, i.e. when logging in to Windows; that logon then applies to all other applications that are SSO-enabled. In SAP GUI this is done with SNC (Secure Network Communications), which maps the Windows identity to the SAP user.

SU01 (SNC tab) is used to maintain the SNC name for one user.
SNC1 is used to maintain SNC names for many users at once (mass SSO).

For non-dialog users (system/communication) SAP_ALL may be assigned with proper approval. Treat this as the shortcut it is: SAP_ALL on an RFC user is a standard audit finding, and a least-privilege role limited to the function groups the interface actually calls (object S_RFC) is the better practice.

A role can have one or more profiles (PFCG generates an additional profile when a role holds more authorizations than fit into one).
Access in SAP = t-codes + authorization objects + authorization field values + organizational field values.
RSUSR003: report to check the standard users (SAP*, DDIC, SAPCPIC, EARLYWATCH, TMSADM) in all clients and whether their passwords are still the default.


eCATT: mass user creation

To record and run an eCATT, the client setting must allow it (eCATT and CATT allowed); this is done by Basis.

SCC4 is the t-code where that client setting is opened:

To check the list of t-codes available in the system, look at table TSTC (e.g. via SE16).


Example: in SECATT, create a test script, e.g. zcreateusers.
Next, select the application component: Basis > Security > User Administration > User and Authorization Management.
Click Pattern, record the SU01 screen, click Back, save the recording, then double-click the recorded command SU01_1.
Under Dynpro > field values, give the screen fields parameter names.
After naming all fields, click Save and go back. Select Test Configuration, give a name, title and application component, then choose Variants > Configurations > Test Script, enter the script name, click Save and download the variants.
Fill in the user names and passwords in the downloaded variant file and save it. Then choose Variant > External Variant, select the path, click Execute, choose the error behaviour "no error" and no breakpoints, and execute.
Authorization concept

SU22: SAP-delivered defaults linking each t-code to the authorization objects it checks.
SU24: the customer copy of SU22, containing both standard and custom t-codes; this is what PFCG reads.
Whenever you add a t-code to a role in PFCG (Menu tab), the related authorization objects are pulled from SU24.
SU24 gets its content from SU22; the copy into SU24 is done with SU25 at implementation time (and again after upgrades, to merge new SU22 defaults).
Even if you add a t-code manually as a value of S_TCODE in a role (instead of via the Menu tab), the user will usually still fail inside the transaction: S_TCODE only allows the transaction to start, and because the SU24 link was bypassed the other objects the transaction checks are not pulled into the role. Add t-codes via the Menu tab so the SU24 proposals are included.
In the role assignment list, '=' marks a directly assigned role; other markers mean the role was assigned indirectly (via a composite role or an HR organizational assignment).

Never assign a master (parent) role to a user; assign the derived (child) roles, which carry the organizational-level values.


Parent-child (master-derived) relationship: the derived role inherits the menu and authorizations of the master role; only the organizational levels are maintained separately in each derived role.


An authorization object maintained in SU24 only takes effect if the program contains an AUTHORITY-CHECK statement for that object; otherwise the restriction maintained in PFCG is never evaluated at runtime, no matter what values the role carries.
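As an added example (not from these notes), this is what that statement looks like in a custom report meant to sit behind a custom t-code. The object ZSEC_DEMO with fields ACTVT and BUKRS is a hypothetical custom object created in SU21, and the report name is hypothetical too. Delete the AUTHORITY-CHECK block and a user with no ZSEC_DEMO authorization at all runs the report unhindered, whatever the role says.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_AUTH_DEMO  (added example; names are hypothetical)
*& Assumes custom authorization object ZSEC_DEMO (fields ACTVT, BUKRS)
*& created in SU21 and proposed for this report's t-code in SU24.
*&---------------------------------------------------------------------*
REPORT zsec_auth_demo.

PARAMETERS: p_bukrs TYPE bukrs OBLIGATORY,
            p_actvt TYPE activ_auth DEFAULT '03'.

" Without this statement the PFCG values for ZSEC_DEMO have no effect:
" the kernel only evaluates an object when the program asks for it.
AUTHORITY-CHECK OBJECT 'ZSEC_DEMO'
  ID 'ACTVT' FIELD p_actvt
  ID 'BUKRS' FIELD p_bukrs.

CASE sy-subrc.
  WHEN 0.
    WRITE: / 'Authorized for company code', p_bukrs, 'activity', p_actvt.
  WHEN 4.
    " User has the object, but not this field combination, e.g. the
    " derived role limits BUKRS to another company code.
    MESSAGE e398(00) WITH 'No authorization for company code' p_bukrs.
  WHEN 12.
    " User has no authorization for the object at all.
    MESSAGE e398(00) WITH 'No authorization for object ZSEC_DEMO'.
  WHEN OTHERS.
    " 8/16/24: wrong field count, no profile, or field names that do
    " not match the object definition; a coding or role-build defect.
    MESSAGE e398(00) WITH 'Authorization check error' sy-subrc.
ENDCASE.
```

The distinction between sy-subrc 4 and 12 is what you see in SU53 after a failed check: 4 means the role exists but the org-level value is wrong, 12 means the object was never pulled into any of the user's roles (typically because the t-code was added to S_TCODE by hand instead of via the Menu tab).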

Authorization object class: a collection of similar authorization objects (e.g. BC_A for Basis administration, FI for Financial Accounting).


SUPC: t-code for mass profile generation (regenerating the profiles of many roles at once).

SE03 (Transport Organizer Tools): used to find the transport request in which an object such as a role was moved; the STMS import history shows whether that request reached PRD.
RHAUTUPD_NEW (t-code PFUD): the report for user master comparison, which writes the generated profiles of assigned roles into the user master records.

During an upgrade, SU25 expert mode provides the steps shown below (2A to 2D compare the new SU22 defaults with SU24 and list the roles affected):


PFCGMASSVAL: a newer t-code for mass maintenance of authorization values across many roles (e.g. setting an org-level or field value in dozens of roles at once).
AL08: shows the users logged on across all active application servers.

Security audit log: records per user the t-codes executed, logons and failed logons, RFC calls, user master changes and similar events.
SM19: Basis configures and activates it (filter profile: which events, clients and users to record); it should stay permanently ON.
SM20: reads the audit log; you can filter by one user or by all users (*), but you cannot select an arbitrary list of several specific users in one run. On newer releases (NetWeaver 7.50 and S/4HANA) RSAU_CONFIG and RSAU_READ_LOG replace SM19 and SM20.
Table restriction concept

Critical authorization objects for some t-codes:

To give access to SE16, the following steps apply (SE16 checks S_TABU_DIS first and, only if that fails, S_TABU_NAM):

With S_TABU_DIS the user can access any table in the authorization groups granted (field DICBERCLS).
With S_TABU_NAM the user can access the individual tables named in the authorization (field TABLE).
The user cannot access any table that is not covered by one of these two checks.
T000 is the client table; it is a client-independent (cross-client) table.
S_TABU_DIS = table access by authorization group (ACTVT 02 change / 03 display, DICBERCLS = group)
S_TABU_NAM = table access by table name (ACTVT, TABLE); evaluated only when S_TABU_DIS fails
S_TABU_CLI = additional check for changing client-independent (cross-client) tables (CLIIDMAINT = X)
S_TABU_LIN = line-oriented restriction, e.g. by organizational criteria such as company code or plant
TDDAT is the table holding each table's authorization group (field CCLASS); tables with no entry fall into group &NC&.


Program authorization groups: the group of a report is stored in TRDIR (field SECU) and checked via object S_PROGRAM (P_GROUP, P_ACTION = SUBMIT/BTCSUBMIT/EDIT); TADIR is the object directory, which lists which package each program belongs to.

Don't give users SE38/SA38 access to run programs; instead create a custom t-code for the program (SE93) and grant that according to their needs.
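Added example, not from these notes: a read-only table display report to put behind a custom t-code instead of handing out SE16, implementing the evaluation order described above (S_TABU_DIS on the TDDAT authorization group first, S_TABU_NAM on the table name only if that fails). The report name, the local class and the parameters are hypothetical.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_TABLE_DISPLAY  (added example; names are hypothetical)
*& Read-only table display behind a custom t-code, checked the way
*& SE16 checks display access: S_TABU_DIS, then S_TABU_NAM.
*&---------------------------------------------------------------------*
REPORT zsec_table_display.

PARAMETERS: p_table TYPE tabname OBLIGATORY,
            p_rows  TYPE i DEFAULT 50.

CLASS lcl_table_access DEFINITION.
  PUBLIC SECTION.
    " Returns abap_true when the current user may display iv_table.
    CLASS-METHODS is_display_allowed
      IMPORTING iv_table          TYPE tabname
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_table_access IMPLEMENTATION.
  METHOD is_display_allowed.
    DATA lv_cclass TYPE tddat-cclass.

    rv_allowed = abap_false.

    " 1) Authorization group from TDDAT. A table with no entry counts as
    "    group &NC& (not classified), which is what SE16 uses as well.
    SELECT SINGLE cclass FROM tddat INTO lv_cclass
      WHERE tabname = iv_table.
    IF sy-subrc <> 0 OR lv_cclass IS INITIAL.
      lv_cclass = '&NC&'.
    ENDIF.

    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
      ID 'DICBERCLS' FIELD lv_cclass
      ID 'ACTVT'     FIELD '03'.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
      RETURN.
    ENDIF.

    " 2) Fallback by table name: lets a role grant exactly one table
    "    without exposing every table in the same authorization group.
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
      ID 'TABLE' FIELD iv_table
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ENDIF.
    " S_TABU_CLI is not checked: it only applies to changing
    " cross-client tables, and this report never offers ACTVT 02.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  IF lcl_table_access=>is_display_allowed( p_table ) = abap_false.
    MESSAGE e398(00) WITH 'No display authorization for table' p_table.
  ENDIF.

  " Display only; no maintenance screen exists here, which is the point
  " of granting this t-code instead of SE16/SE38.
  DATA lr_data TYPE REF TO data.
  FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.
  CREATE DATA lr_data TYPE STANDARD TABLE OF (p_table).
  ASSIGN lr_data->* TO <lt_rows>.
  SELECT * FROM (p_table) INTO TABLE <lt_rows> UP TO p_rows ROWS.
  cl_demo_output=>display( <lt_rows> ).
```

In production code you would normally call the standard function module VIEW_AUTHORITY_CHECK instead of coding the checks by hand; it performs these two checks plus S_TABU_CLI and S_TABU_LIN. The manual version is shown so the evaluation order is visible, and it still fails closed: a user who passes neither check gets the error message and no data.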

CUA = Central User Administration

It allows creating/deleting/modifying users for multiple connected ECC systems from one central system; the child systems receive the user data over RFC as IDocs.

T-codes used in a CUA landscape:

SCUA = maintain the distribution model: add/remove child systems; it shows which child systems are connected to the CUA.
SCUG = transfer existing users from the child systems into the CUA tables of the central system.
SCUL = distribution log, for troubleshooting pending or failed IDoc packets pushed from the central system to a child system over the RFC connection.
SCUM = field distribution parameters: per user master field, whether it is maintained centrally, locally, or both.
To make sure you are on a child system, check the following:
In SU01 the System tab is missing and the Create button is disabled.
In the central system, SCUA shows the whole CUA landscape.
In a child system, SCUA only shows the central system's distribution model.
To disconnect a child from the CUA, log on to the child system and run report RSDELCUA.
After a successful disconnection the Create button in SU01 is enabled again in the child system.
Reconnecting to the CUA: add the child back to the distribution model in SCUA on the central system.
Interview question: a role was created in a child system but cannot be found in the central system when assigning it to users.
Answer: roles created in a child system are not known to the central system until a text comparison is run. Run the text comparison either from the central system (SU01, Roles tab, text comparison from child system) or from the child system (PFCG). Only the role index (names and texts) is pushed to the central system, where it is stored in CUA table USLA04.
USLA04: role information (role index per child system) stored in the central CUA system.
USL04: user information per system stored in the central CUA system.
SU24_HISTORY: t-code to see who made changes in SU24.

BI Security intro:
InfoObjects (characteristics and key figures) are combined into InfoCubes (InfoProviders); InfoCubes and other InfoProviders are organized under InfoAreas.


S_RS_COMP: authorization for BEx query components by InfoArea/InfoProvider and component type.
S_RS_COMP1: the same, restricted by the owner (creator) of the query component.
For a new restriction on a characteristic, check the following:

Go to RSD1, enter the InfoObject and check whether the "Authorization Relevant" flag is set; if not, ask the developer to set it, because analysis authorizations on that characteristic are not evaluated otherwise.
RSECADMIN: t-code to create analysis authorizations.

Go to Individual Maintenance and give the object a custom name (Z*); add the authorization-relevant characteristics plus the mandatory special characteristics 0TCAACTVT, 0TCAIPROV and 0TCAVALID.

The transport is a workbench request.

In BI security SAP_ALL does not cover analysis authorizations; only 0BI_ALL (assigned via object S_RS_AUTH) grants access to all authorization-relevant characteristics.