Table of Contents

Foreword ... 19
Acknowledgments ... 21
1 Introduction ... 23

PART I Business Concepts ... 27

2 Introduction and Concept Definition ... 29
2.1 Methodical Considerations ... 30
2.1.1 Approaches for the Business Authorization Concept ... 30
2.1.2 Persons Involved in the Authorization Concept ... 33
2.2 Compliance ... 33
2.3 Risk ... 34
2.4 Corporate Governance ... 38
2.5 Technical Versus Business Significance of the Authorization Concept ... 40
2.6 Technical Versus Business Roles ... 42

3 Organization and Authorizations ... 45
3.1 Example of an Organizational Differentiation ... 46
3.2 Introduction ... 48
3.3 Institutional Organization Concept ... 50
3.3.1 Object of the Organization ... 51
3.3.2 Legal Forms of the Organization ... 51
3.3.3 Organization and Environment ... 52
3.3.4 Summary ... 53
3.4 Instrumental Organization Concept ... 54
3.4.1 Specialization (Division of Labor) ... 55
3.4.2 Organizational Structure ... 58
3.4.3 Task Analysis ... 68
3.5 Consequences of the Examination of the Organization ... 72
3.6 Views of the Organizational Structure in SAP Systems ... 73
3.6.1 Organizational Management ... 74
3.6.2 Organization View of External Accounting ... 76
3.6.3 Organization View of Funds Management ... 77
3.6.4 Organization View of the Standard Cost Center Hierarchy ... 78
3.6.5 Organization View of the Profit Center Hierarchy ... 79
3.6.6 Enterprise Organization ... 80
3.6.7 Organization View in the Project System ... 81
3.6.8 Logistical Organization View ... 82
3.6.9 Integration of the Organization Views with the Authorization Concept ... 82
3.7 Organizational Levels and Structures in SAP ERP ... 83
3.7.1 Organizational Level “Client” ... 84
3.7.2 Relevant Organizational Levels of Accounting ... 84
3.7.3 Relevant Organizational Levels in MM ... 88
3.7.4 Relevant Organizational Levels in Sales and Distribution ... 89
3.7.5 Relevant Organizational Levels in Warehouse Management ... 89
3.7.6 Integration of the Organizational Levels with the Authorization Concept ... 90
3.8 Information on the Methodology in the Project ... 91
3.9 Summary ... 93

4 Legal Framework — Standardization Framework ... 95
4.1 Basic Principles of Internal and External Regulations ... 96
4.2 Internal Control System ... 100
4.3 Sources of Law for External Accounting ... 101
4.3.1 Sources of Law and Effects for the Private Sector ... 103
4.3.2 Concrete Requirements for the Authorization Concept ... 106
4.4 Data Privacy Laws ... 107
4.4.1 Legal Definitions Relating to Data Processing ... 110
4.4.2 Rights of the Person Affected ... 111
4.4.3 Recommendations Relating to the ICS ... 112
4.4.4 Concrete Requirements for the Authorization Concept ... 113
4.4.5 Compliance versus Data Privacy ... 113
4.5 General Requirements for Authorization Concepts ... 115
4.5.1 Identity Principle ... 116
4.5.2 Minimal Principle ... 117
4.5.3 Job Principle ... 117
4.5.4 Document Principle in Financial Accounting ... 118
4.5.5 Document Principle in Authorization Management ... 118
4.5.6 Separation of Duties Principle ... 119
4.5.7 Approval Principle ... 119
4.5.8 Standard Principle ... 120
4.5.9 Written-Form Principle ... 120
4.5.10 Control Principle ... 120
4.6 Summary ... 121

5 Authorizations in the Process View ... 123
5.1 Process Overview ... 123
5.2 The Sales Process ... 125
5.3 The Procurement Process ... 131
5.4 Support Processes ... 136
5.5 Requirements of the Separation of Duties ... 139
5.6 Summary ... 140

PART II Tools and Authorization Maintenance in the SAP System ... 143

6 Basic Technical Principles of Authorization Maintenance ... 145
6.1 User/Authorization ... 145
6.1.1 User ... 146
6.1.2 User Maintenance (ABAP) ... 147
6.2 Transaction — Program — Authorization Object ... 153
6.2.1 Transaction ... 153
6.2.2 Check in the Program Flow ... 155
6.2.3 Authorization Object ... 158
6.3 Role and Role Profiles ... 163
6.3.1 Authorization Profiles ... 163
6.3.2 Creating and Maintaining Roles ... 164
6.4 Analysis of Authorization Checks ... 193
6.4.1 Evaluation of the Authorization Check ... 193
6.4.2 Analysis in the Program Flow — System Trace/Authorization Trace ... 195
6.4.3 Program Check ... 197
6.5 Additional Role Types in SAP ERP ... 199
6.5.1 Composite Role ... 200
6.5.2 Value Role/Functional Role ... 201
6.6 Summary ... 202

7 System Settings and Customizing ... 203
7.1 Maintaining and Using the Defaults for the Profile Generator ... 204
7.1.1 Functions for the Profile Generator ... 206
7.1.2 Function in the Upgrade ... 208
7.1.3 Normative Use ... 208
7.1.4 Using Default Values for Risk Analyses and External Role Maintenance Tools ... 210
7.1.5 Original State and Maintenance of Default Values ... 211
7.2 Upgrading Authorizations ... 218
7.3 Parameters for Password Rules ... 223
7.4 Customizing Settings for the Menu Concept ... 226
7.5 Authorization Groups ... 233
7.5.1 Optional Authorization Checks for Authorization Groups ... 236
7.5.2 Table Authorizations ... 241
7.5.3 Authorization Groups as Organizational Levels ... 244
7.6 Parameter and Query Transactions ... 246
7.6.1 Parameter Transaction for Maintaining Tables via Defined Views ... 248
7.6.2 Parameter Transaction for Viewing Tables ... 250
7.6.3 Implementing Queries in Transactions ... 251
7.7 Promoting an Authorization Field to an Organizational Level ... 254
7.7.1 Effects Analysis ... 254
7.7.2 Procedure for Promoting a Field to an Organizational Level ... 258
7.7.3 Promoting the Area of Responsibility to an Organizational Level ... 259
7.8 Developer and Authorization Trace ... 262
7.8.1 Procedure for the Developer and Authorization Trace ... 262
7.9 Creating Authorization Fields and Objects ... 265
7.9.1 Creating Authorization Fields ... 265
7.9.2 Creating Authorization Objects ... 267
7.10 Further Transactions of the Authorization Administration ... 269
7.11 Transferring Roles Between Systems or Clients ... 271
7.11.1 Downloading/Uploading Roles ... 271
7.11.2 Transporting Roles ... 272
7.12 User Master Comparison ... 274
7.13 Summary ... 274

8 Role Assignment via Organizational Management ... 277
8.1 Basic Concept of SAP ERP HCM Organizational Management ... 278
8.2 Technical Prerequisites ... 281
8.3 Technical Implementation ... 281
8.3.1 Prerequisites ... 282
8.3.2 Technical Basics of SAP ERP HCM Organizational Management ... 282
8.3.3 Assigning Roles ... 283
8.3.4 Evaluation Path ... 284
8.3.5 User Master Comparison ... 285
8.4 Conceptual Special Feature ... 285
8.5 Summary ... 286

9 Automated Organizational Differentiation: The Role Generator ... 289
9.1 Challenge and Solution Approach ... 290
9.1.1 Role Generator OM ... 292
9.1.2 Area Role Concept ... 295
9.1.3 Combining Area Roles and OM ... 298
9.2 Implementation Example for the Area Role Concept ... 298
9.3 Integration, Restrictions, and Prospects ... 307
9.4 Summary ... 307

10 Central Administration of Users and Management of Authorizations ... 309
10.1 Basic Principles ... 310
10.1.1 Business Background ... 310
10.1.2 User Lifecycle Management ... 313
10.1.3 SAP Solutions for the Central Administration of Users ... 315
10.2 Central User Administration ... 316
10.2.1 Procedure for Setting up the CUA ... 318
10.2.2 Integration with Organizational Management of SAP ERP HCM ... 323
10.2.3 Integration with SAP BusinessObjects Access Control ... 324
10.3 SAP BusinessObjects Access Control Compliant User Provisioning ... 325
10.4 SAP NetWeaver Identity Management ... 331
10.4.1 Relevant Technical Details ... 332
10.4.2 Functionality ... 333
10.4.3 Technical Architecture ... 340
10.4.4 Integration of SAP BusinessObjects Access Control ... 343
10.5 Summary ... 345

11 Authorizations: Standards and Analysis ... 347
11.1 Standards and Their Analysis ... 347
11.1.1 Role Instead of Profile ... 347
11.1.2 Definition of the Role Through Transactions ... 349
11.1.3 Using Defaults ... 351
11.1.4 Table Authorizations ... 351
11.1.5 Program Execution Authorizations ... 352
11.1.6 Derivation ... 353
11.1.7 Programming — Programming Guideline ... 354
11.2 Critical Transactions and Objects ... 356
11.3 General Evaluations of Technical Standards ... 358
11.3.1 User Information System ... 358
11.3.2 Table-Based Analysis of Authorizations ... 361
11.4 Summary ... 365

12 SAP BusinessObjects Access Control ... 367
12.1 Basic Principles ... 367
12.2 Risk Analysis and Remediation ... 371
12.3 Enterprise Role Management ... 377
12.4 Compliant User Provisioning ... 379
12.5 Superuser Privilege Management ... 381
12.6 Risk Terminator ... 383
12.7 Summary ... 384

13 User Management Engine ... 385
13.1 Overview of the UME ... 386
13.1.1 UME Functions ... 386
13.1.2 UME Architecture ... 387
13.1.3 User Interface of the UME ... 389
13.1.4 Configuration of the UME ... 390
13.2 Authorization Concept of SAP NetWeaver AS Java ... 393
13.2.1 UME Roles ... 394
13.2.2 UME Actions ... 394
13.2.3 UME Group ... 396
13.2.4 J2EE Security Roles ... 397
13.3 User and Role Administration Using the UME ... 399
13.3.1 Prerequisites for User and Role Administration ... 399
13.3.2 Administration of Users ... 400
13.3.3 User Types ... 401
13.3.4 Administration of UME Roles ... 402
13.3.5 Administration of UME Groups ... 403
13.3.6 Tracing and Logging ... 403
13.4 Summary ... 406

PART III Authorizations in Specific SAP Solutions ... 407

14 Authorizations in SAP ERP HCM ... 409
14.1 Basic Principles ... 409
14.2 Special Requirements of SAP ERP HCM ... 410
14.3 Authorizations and Roles ... 412
14.3.1 Authorization-Relevant Attributes in SAP ERP HCM ... 412
14.3.2 Personnel Action Example ... 414
14.4 Authorization Main Switch ... 417
14.5 Organizational Management and Indirect Role Assignment ... 420
14.6 Structural Authorizations ... 421
14.6.1 The Structural Authorization Profile ... 422
14.6.2 Evaluation Path ... 424
14.6.3 Structural Authorizations and Performance ... 426
14.7 Context-Sensitive Authorizations ... 426
14.8 Summary ... 429

15 Authorizations in SAP CRM ... 431
15.1 Basic Principles ... 432
15.1.1 The SAP CRM User Interface: CRM Web Client ... 432
15.1.2 Creating Business Roles for the CRM Web Client ... 440
15.2 Dependencies Between Business Role and PFCG Roles ... 442
15.3 Creating PFCG Roles Depending on the Business Roles ... 443
15.3.1 Prerequisites for Creating PFCG Roles ... 444
15.3.2 Creating PFCG Roles ... 449
15.4 Assigning Business Roles and PFCG Roles ... 454
15.5 Sample Scenarios for Authorizations in SAP CRM ... 463
15.5.1 Authorizing Interface Components ... 464
15.5.2 Authorizing Transaction Launcher Links ... 473
15.5.3 Authorizing Master Data ... 475
15.5.4 Authorizing Business Transactions ... 478
15.5.5 Authorizing Attribute Sets ... 488
15.5.6 Authorizing Marketing Elements ... 489
15.6 Troubleshooting in the CRM Web Client ... 491
15.7 Access Control Engine ... 494
15.8 Summary ... 507

16 Authorizations in SAP SRM ... 509
16.1 Basic Principles ... 509
16.2 Authorization Assignment in SAP SRM ... 512
16.2.1 Authorizations of User Interface Menus ... 515
16.2.2 Authorizations of Typical Business Processes ... 517
16.3 Summary ... 531

17 Authorizations in SAP NetWeaver BW ... 533
17.1 OLTP Authorizations ... 534
17.2 Analysis Authorizations ... 536
17.2.1 Basic Principles ... 537
17.2.2 Barrier Principle ... 538
17.2.3 Transaction RSECADMIN ... 539
17.2.4 Authorization Maintenance ... 539
17.2.5 Assignment to Users: Transactions RSU01 and SU01 ... 542
17.2.6 Analysis and Authorization Log ... 546
17.2.7 Generation ... 549
17.2.8 Authorization Migration ... 551
17.3 Modeling Authorizations in SAP NetWeaver BW ... 552
17.3.1 InfoProvider-Based Models ... 553
17.3.2 Characteristic-Based Models ... 553
17.3.3 Mixed Models ... 554
17.4 Summary ... 554

18 Processes in SAP ERP — Specific Authorizations ... 555
18.1 Basic Principles ... 556
18.1.1 Master and Transaction Data ... 556
18.1.2 Organizational Levels ... 557
18.2 Authorizations in Financial Accounting ... 558
18.2.1 Organizational Differentiation Criteria ... 559
18.2.2 Master Data ... 561
18.2.3 Postings ... 568
18.2.4 Payment Run ... 572
18.3 Authorizations in Controlling ... 574
18.3.1 Organizational Differentiation Criteria ... 575
18.3.2 Maintaining Master Data ... 576
18.3.3 Postings ... 585
18.3.4 Old and New Authorization Concept in Controlling ... 588
18.4 Authorizations in Logistics (General) ... 588
18.4.1 Organizational Differentiation Criteria ... 588
18.4.2 Material Master/Material Type ... 590
18.5 Authorizations in Purchasing ... 594
18.5.1 Maintaining Master Data ... 594
18.5.2 Procurement Processing ... 594
18.6 Authorizations in Sales and Distribution ... 601
18.6.1 Maintaining Master Data ... 601
18.6.2 Sales Processing ... 602
18.7 Authorizations in Technical Processes ... 605
18.7.1 Segregation of Duties in Authorization Management ... 606
18.7.2 Segregation of Duties in the Transport System ... 610
18.7.3 RFC Authorizations ... 612
18.7.4 Debugging Authorizations ... 613
18.7.5 Client Change ... 613
18.7.6 Change Logging ... 615
18.7.7 Batch Authorizations ... 615
18.8 Summary ... 616

19 Project Concepts and Approaches ... 617
19.1 Authorization Concept in the Project Context ... 617
19.2 Procedure Model ... 620
19.2.1 Logical Approach ... 621
19.2.2 Implementation ... 622
19.2.3 Redesign ... 624
19.2.4 Concrete Procedure ... 625
19.3 SAP Best Practices Template Role Concept ... 628
19.3.1 SAP Best Practices ... 629
19.3.2 SAP Template Roles ... 629
19.3.3 Methodical Procedure of the SAP Best Practices Role Concept ... 631
19.3.4 Combination with SAP BusinessObjects Access Control ... 635
19.4 Content of an Authorization Concept ... 636
19.4.1 Introduction and Standardization Framework of the Concept ... 637
19.4.2 Technical Context ... 638
19.4.3 Risk Evaluation ... 638
19.4.4 Person — User — Authorization ... 639
19.4.5 Authorization Management ... 640
19.4.6 Organizational Differentiation ... 641
19.4.7 Process Documentation ... 641
19.4.8 Role Documentation ... 642
19.5 Summary ... 642

Appendices ... 643
A List of Abbreviations ... 645
B Glossary ... 649
C Bibliography ... 661
D The Authors ... 663
Index ... 665