Authorizations in SAP Software: Design and Configuration

Price: Starting From $69.99
Product Code: H3128
Average Rating: (10 product reviews)

Product Details

ISBN:
978-1-59229-342-1
Author(s):
Volker Lehnert, Katharina Bonitz, and Larry Justice
Type:
Hardcover, 669 pages
Year:
2010

Product Description and Table of Contents

This comprehensive guide shows you how to develop and implement an authorization concept that will withstand the toughest demands. Permissions are covered extensively, with a focus on the relationship between organizational performance and the necessities of legal and regulatory compliance. You will learn how the tools and functions of the change management process play a critical role in the performance of an SAP system, and how various permissions in SAP solutions and processes function in detail.

Organizational Permissions
Learn how to develop a systematic differentiation of roles and permissions in SAP ERP. You’ll also learn how to assign roles for the organizational management of SAP ERP HCM.

Legal Frameworks
Discover the legal and regulatory scenarios (i.e., accounting law and data governance) that are relevant to your business, and how they fit into the authorization concept.

SAP Tools for Change Management
Master the essential tools for authorizations management, including the Role Generator, CUA, SAP BusinessObjects Access Control, SAP NetWeaver IdM, UME, and more.

Technical Basics and Customizing
Learn which features are relevant to user maintenance and the basic settings necessary for a meaningful functional separation.

Authorizations in SAP Systems
Gain an in-depth understanding of the core processes of SAP ERP, as well as the specific requirements of SAP ERP HCM, SAP CRM, SAP SRM and SAP NetWeaver BW.

Highlights

· Organization and permissions
· Legal framework
· Technical principles of the change management process
· System preferences and customizing
· Role assignment via Organizational Management
· Role Generator
· Central User Administration (CUA)
· SAP NetWeaver Identity Management (IdM)
· SAP BusinessObjects Access Control
· User Management Engine (UME)
· Authorizations in HCM, CRM, SRM, and BW
· Permissions in Financial Accounting
· Logistics and administration

The Authors

Volker Lehnert has worked for eight years at SAP, and advises on issues surrounding the authorization system. Katharina Bonitz has worked since 2006 as a technology consultant for SAP. Larry Justice is a GRC Lead Technical Architect for SAP America.

Table of Contents

  • ... Foreword ... 19
  • ... Acknowledgments ... 21
  • 1 ... Introduction ... 23
  • PART I ... Business Concepts ... 27
  • 2 ... Introduction and Concept Definition ... 29
  • 2.1 ... Methodical Considerations ... 30
  • 2.1.1 ... Approaches for the Business Authorization Concept ... 30
  • 2.1.2 ... Persons Involved in the Authorization Concept ... 33
  • 2.2 ... Compliance ... 33
  • 2.3 ... Risk ... 34
  • 2.4 ... Corporate Governance ... 38
  • 2.5 ... Technical Versus Business Significance of the Authorization Concept ... 40
  • 2.6 ... Technical Versus Business Roles ... 42
  • 3 ... Organization and Authorizations ... 45
  • 3.1 ... Example of an Organizational Differentiation ... 46
  • 3.2 ... Introduction ... 48
  • 3.3 ... Institutional Organization Concept ... 50
  • 3.3.1 ... Object of the Organization ... 51
  • 3.3.2 ... Legal Forms of the Organization ... 51
  • 3.3.3 ... Organization and Environment ... 52
  • 3.3.4 ... Summary ... 53
  • 3.4 ... Instrumental Organization Concept ... 54
  • 3.4.1 ... Specialization (Division of Labor) ... 55
  • 3.4.2 ... Organizational Structure ... 58
  • 3.4.3 ... Task Analysis ... 68
  • 3.5 ... Consequences of the Examination of the Organization ... 72
  • 3.6 ... Views of the Organizational Structure in SAP Systems ... 73
  • 3.6.1 ... Organizational Management ... 74
  • 3.6.2 ... Organization View of External Accounting ... 76
  • 3.6.3 ... Organization View of Funds Management ... 77
  • 3.6.4 ... Organization View of the Standard Cost Center Hierarchy ... 78
  • 3.6.5 ... Organization View of the Profit Center Hierarchy ... 79
  • 3.6.6 ... Enterprise Organization ... 80
  • 3.6.7 ... Organization View in the Project System ... 81
  • 3.6.8 ... Logistical Organization View ... 82
  • 3.6.9 ... Integration of the Organization Views with the Authorization Concept ... 82
  • 3.7 ... Organizational Levels and Structures in SAP ERP ... 83
  • 3.7.1 ... Organizational Level “Client” ... 84
  • 3.7.2 ... Relevant Organizational Levels of Accounting ... 84
  • 3.7.3 ... Relevant Organizational Levels in MM ... 88
  • 3.7.4 ... Relevant Organizational Levels in Sales and Distribution ... 89
  • 3.7.5 ... Relevant Organizational Levels in Warehouse Management ... 89
  • 3.7.6 ... Integration of the Organizational Levels with the Authorization Concept ... 90
  • 3.8 ... Information on the Methodology in the Project ... 91
  • 3.9 ... Summary ... 93
  • 4 ... Legal Framework — Standardization Framework ... 95
  • 4.1 ... Basic Principles of Internal and External Regulations ... 96
  • 4.2 ... Internal Control System ... 100
  • 4.3 ... Sources of Law for External Accounting ... 101
  • 4.3.1 ... Sources of Law and Effects for the Private Sector ... 103
  • 4.3.2 ... Concrete Requirements for the Authorization Concept ... 106
  • 4.4 ... Data Privacy Laws ... 107
  • 4.4.1 ... Legal Definitions Relating to Data Processing ... 110
  • 4.4.2 ... Rights of the Person Affected ... 111
  • 4.4.3 ... Recommendations Relating to the ICS ... 112
  • 4.4.4 ... Concrete Requirements for the Authorization Concept ... 113
  • 4.4.5 ... Compliance versus Data Privacy ... 113
  • 4.5 ... General Requirements for Authorization Concepts ... 115
  • 4.5.1 ... Identity Principle ... 116
  • 4.5.2 ... Minimal Principle ... 117
  • 4.5.3 ... Job Principle ... 117
  • 4.5.4 ... Document Principle in Financial Accounting ... 118
  • 4.5.5 ... Document Principle in Authorization Management ... 118
  • 4.5.6 ... Separation of Duties Principle ... 119
  • 4.5.7 ... Approval Principle ... 119
  • 4.5.8 ... Standard Principle ... 120
  • 4.5.9 ... Written-Form Principle ... 120
  • 4.5.10 ... Control Principle ... 120
  • 4.6 ... Summary ... 121
  • 5 ... Authorizations in the Process View ... 123
  • 5.1 ... Process Overview ... 123
  • 5.2 ... The Sales Process ... 125
  • 5.3 ... The Procurement Process ... 131
  • 5.4 ... Support Processes ... 136
  • 5.5 ... Requirements of the Separation of Duties ... 139
  • 5.6 ... Summary ... 140
  • PART II ... Tools and Authorization Maintenance in the SAP System ... 143
  • 6 ... Basic Technical Principles of Authorization Maintenance ... 145
  • 6.1 ... User/Authorization ... 145
  • 6.1.1 ... User ... 146
  • 6.1.2 ... User Maintenance (ABAP) ... 147
  • 6.2 ... Transaction — Program — Authorization Object ... 153
  • 6.2.1 ... Transaction ... 153
  • 6.2.2 ... Check in the Program Flow ... 155
  • 6.2.3 ... Authorization Object ... 158
  • 6.3 ... Role and Role Profiles ... 163
  • 6.3.1 ... Authorization Profiles ... 163
  • 6.3.2 ... Creating and Maintaining Roles ... 164
  • 6.4 ... Analysis of Authorization Checks ... 193
  • 6.4.1 ... Evaluation of the Authorization Check ... 193
  • 6.4.2 ... Analysis in the Program Flow — System Trace/Authorization Trace ... 195
  • 6.4.3 ... Program Check ... 197
  • 6.5 ... Additional Role Types in SAP ERP ... 199
  • 6.5.1 ... Composite Role ... 200
  • 6.5.2 ... Value Role/Functional Role ... 201
  • 6.6 ... Summary ... 202
  • 7 ... System Settings and Customizing ... 203
  • 7.1 ... Maintaining and Using the Defaults for the Profile Generator ... 204
  • 7.1.1 ... Functions for the Profile Generator ... 206
  • 7.1.2 ... Function in the Upgrade ... 208
  • 7.1.3 ... Normative Use ... 208
  • 7.1.4 ... Using Default Values for Risk Analyses and External Role Maintenance Tools ... 210
  • 7.1.5 ... Original State and Maintenance of Default Values ... 211
  • 7.2 ... Upgrading Authorizations ... 218
  • 7.3 ... Parameters for Password Rules ... 223
  • 7.4 ... Customizing Settings for the Menu Concept ... 226
  • 7.5 ... Authorization Groups ... 233
  • 7.5.1 ... Optional Authorization Checks for Authorization Groups ... 236
  • 7.5.2 ... Table Authorizations ... 241
  • 7.5.3 ... Authorization Groups as Organizational Levels ... 244
  • 7.6 ... Parameter and Query Transactions ... 246
  • 7.6.1 ... Parameter Transaction for Maintaining Tables via Defined Views ... 248
  • 7.6.2 ... Parameter Transaction for Viewing Tables ... 250
  • 7.6.3 ... Implementing Queries in Transactions ... 251
  • 7.7 ... Promoting an Authorization Field to an Organizational Level ... 254
  • 7.7.1 ... Effects Analysis ... 254
  • 7.7.2 ... Procedure for Promoting a Field to an Organizational Level ... 258
  • 7.7.3 ... Promoting the Area of Responsibility to an Organizational Level ... 259
  • 7.8 ... Developer and Authorization Trace ... 262
  • 7.8.1 ... Procedure for the Developer and Authorization Trace ... 262
  • 7.9 ... Creating Authorization Fields and Objects ... 265
  • 7.9.1 ... Creating Authorization Fields ... 265
  • 7.9.2 ... Creating Authorization Objects ... 267
  • 7.10 ... Further Transactions of the Authorization Administration ... 269
  • 7.11 ... Transferring Roles Between Systems or Clients ... 271
  • 7.11.1 ... Downloading/Uploading Roles ... 271
  • 7.11.2 ... Transporting Roles ... 272
  • 7.12 ... User Master Comparison ... 274
  • 7.13 ... Summary ... 274
  • 8 ... Role Assignment via Organizational Management ... 277
  • 8.1 ... Basic Concept of SAP ERP HCM Organizational Management ... 278
  • 8.2 ... Technical Prerequisites ... 281
  • 8.3 ... Technical Implementation ... 281
  • 8.3.1 ... Prerequisites ... 282
  • 8.3.2 ... Technical Basics of SAP ERP HCM Organizational Management ... 282
  • 8.3.3 ... Assigning Roles ... 283
  • 8.3.4 ... Evaluation Path ... 284
  • 8.3.5 ... User Master Comparison ... 285
  • 8.4 ... Conceptual Special Feature ... 285
  • 8.5 ... Summary ... 286
  • 9 ... Automated Organizational Differentiation: The Role Generator ... 289
  • 9.1 ... Challenge and Solution Approach ... 290
  • 9.1.1 ... Role Generator OM ... 292
  • 9.1.2 ... Area Role Concept ... 295
  • 9.1.3 ... Combining Area Roles and OM ... 298
  • 9.2 ... Implementation Example for the Area Role Concept ... 298
  • 9.3 ... Integration, Restrictions, and Prospects ... 307
  • 9.4 ... Summary ... 307
  • 10 ... Central Administration of Users and Management of Authorizations ... 309
  • 10.1 ... Basic Principles ... 310
  • 10.1.1 ... Business Background ... 310
  • 10.1.2 ... User Lifecycle Management ... 313
  • 10.1.3 ... SAP Solutions for the Central Administration of Users ... 315
  • 10.2 ... Central User Administration ... 316
  • 10.2.1 ... Procedure for Setting up the CUA ... 318
  • 10.2.2 ... Integration with Organizational Management of SAP ERP HCM ... 323
  • 10.2.3 ... Integration with SAP BusinessObjects Access Control ... 324
  • 10.3 ... SAP BusinessObjects Access Control Compliant User Provisioning ... 325
  • 10.4 ... SAP NetWeaver Identity Management ... 331
  • 10.4.1 ... Relevant Technical Details ... 332
  • 10.4.2 ... Functionality ... 333
  • 10.4.3 ... Technical Architecture ... 340
  • 10.4.4 ... Integration of SAP BusinessObjects Access Control ... 343
  • 10.5 ... Summary ... 345
  • 11 ... Authorizations: Standards and Analysis ... 347
  • 11.1 ... Standards and Their Analysis ... 347
  • 11.1.1 ... Role Instead of Profile ... 347
  • 11.1.2 ... Definition of the Role Through Transactions ... 349
  • 11.1.3 ... Using Defaults ... 351
  • 11.1.4 ... Table Authorizations ... 351
  • 11.1.5 ... Program Execution Authorizations ... 352
  • 11.1.6 ... Derivation ... 353
  • 11.1.7 ... Programming — Programming Guideline ... 354
  • 11.2 ... Critical Transactions and Objects ... 356
  • 11.3 ... General Evaluations of Technical Standards ... 358
  • 11.3.1 ... User Information System ... 358
  • 11.3.2 ... Table-Based Analysis of Authorizations ... 361
  • 11.4 ... Summary ... 365
  • 12 ... SAP BusinessObjects Access Control ... 367
  • 12.1 ... Basic Principles ... 367
  • 12.2 ... Risk Analysis and Remediation ... 371
  • 12.3 ... Enterprise Role Management ... 377
  • 12.4 ... Compliant User Provisioning ... 379
  • 12.5 ... Superuser Privilege Management ... 381
  • 12.6 ... Risk Terminator ... 383
  • 12.7 ... Summary ... 384
  • 13 ... User Management Engine ... 385
  • 13.1 ... Overview of the UME ... 386
  • 13.1.1 ... UME Functions ... 386
  • 13.1.2 ... UME Architecture ... 387
  • 13.1.3 ... User Interface of the UME ... 389
  • 13.1.4 ... Configuration of the UME ... 390
  • 13.2 ... Authorization Concept of SAP NetWeaver AS Java ... 393
  • 13.2.1 ... UME Roles ... 394
  • 13.2.2 ... UME Actions ... 394
  • 13.2.3 ... UME Group ... 396
  • 13.2.4 ... J2EE Security Roles ... 397
  • 13.3 ... User and Role Administration Using the UME ... 399
  • 13.3.1 ... Prerequisites for User and Role Administration ... 399
  • 13.3.2 ... Administration of Users ... 400
  • 13.3.3 ... User Types ... 401
  • 13.3.4 ... Administration of UME Roles ... 402
  • 13.3.5 ... Administration of UME Groups ... 403
  • 13.3.6 ... Tracing and Logging ... 403
  • 13.4 ... Summary ... 406
  • PART III ... Authorizations in Specific SAP Solutions ... 407
  • 14 ... Authorizations in SAP ERP HCM ... 409
  • 14.1 ... Basic Principles ... 409
  • 14.2 ... Special Requirements of SAP ERP HCM ... 410
  • 14.3 ... Authorizations and Roles ... 412
  • 14.3.1 ... Authorization-Relevant Attributes in SAP ERP HCM ... 412
  • 14.3.2 ... Personnel Action Example ... 414
  • 14.4 ... Authorization Main Switch ... 417
  • 14.5 ... Organizational Management and Indirect Role Assignment ... 420
  • 14.6 ... Structural Authorizations ... 421
  • 14.6.1 ... The Structural Authorization Profile ... 422
  • 14.6.2 ... Evaluation Path ... 424
  • 14.6.3 ... Structural Authorizations and Performance ... 426
  • 14.7 ... Context-Sensitive Authorizations ... 426
  • 14.8 ... Summary ... 429
  • 15 ... Authorizations in SAP CRM ... 431
  • 15.1 ... Basic Principles ... 432
  • 15.1.1 ... The SAP CRM User Interface: CRM Web Client ... 432
  • 15.1.2 ... Creating Business Roles for the CRM Web Client ... 440
  • 15.2 ... Dependencies Between Business Role and PFCG Roles ... 442
  • 15.3 ... Creating PFCG Roles Depending on the Business Roles ... 443
  • 15.3.1 ... Prerequisites for Creating PFCG Roles ... 444
  • 15.3.2 ... Creating PFCG Roles ... 449
  • 15.4 ... Assigning Business Roles and PFCG Roles ... 454
  • 15.5 ... Sample Scenarios for Authorizations in SAP CRM ... 463
  • 15.5.1 ... Authorizing Interface Components ... 464
  • 15.5.2 ... Authorizing Transaction Launcher Links ... 473
  • 15.5.3 ... Authorizing Master Data ... 475
  • 15.5.4 ... Authorizing Business Transactions ... 478
  • 15.5.5 ... Authorizing Attribute Sets ... 488
  • 15.5.6 ... Authorizing Marketing Elements ... 489
  • 15.6 ... Troubleshooting in the CRM Web Client ... 491
  • 15.7 ... Access Control Engine ... 494
  • 15.8 ... Summary ... 507
  • 16 ... Authorizations in SAP SRM ... 509
  • 16.1 ... Basic Principles ... 509
  • 16.2 ... Authorization Assignment in SAP SRM ... 512
  • 16.2.1 ... Authorizations of User Interface Menus ... 515
  • 16.2.2 ... Authorizations of Typical Business Processes ... 517
  • 16.3 ... Summary ... 531
  • 17 ... Authorizations in SAP NetWeaver BW ... 533
  • 17.1 ... OLTP Authorizations ... 534
  • 17.2 ... Analysis Authorizations ... 536
  • 17.2.1 ... Basic Principles ... 537
  • 17.2.2 ... Barrier Principle ... 538
  • 17.2.3 ... Transaction RSECADMIN ... 539
  • 17.2.4 ... Authorization Maintenance ... 539
  • 17.2.5 ... Assignment to Users: Transactions RSU01 and SU01 ... 542
  • 17.2.6 ... Analysis and Authorization Log ... 546
  • 17.2.7 ... Generation ... 549
  • 17.2.8 ... Authorization Migration ... 551
  • 17.3 ... Modeling Authorizations in SAP NetWeaver BW ... 552
  • 17.3.1 ... InfoProvider-Based Models ... 553
  • 17.3.2 ... Characteristic-Based Models ... 553
  • 17.3.3 ... Mixed Models ... 554
  • 17.4 ... Summary ... 554
  • 18 ... Processes in SAP ERP — Specific Authorizations ... 555
  • 18.1 ... Basic Principles ... 556
  • 18.1.1 ... Master and Transaction Data ... 556
  • 18.1.2 ... Organizational Levels ... 557
  • 18.2 ... Authorizations in Financial Accounting ... 558
  • 18.2.1 ... Organizational Differentiation Criteria ... 559
  • 18.2.2 ... Master Data ... 561
  • 18.2.3 ... Postings ... 568
  • 18.2.4 ... Payment Run ... 572
  • 18.3 ... Authorizations in Controlling ... 574
  • 18.3.1 ... Organizational Differentiation Criteria ... 575
  • 18.3.2 ... Maintaining Master Data ... 576
  • 18.3.3 ... Postings ... 585
  • 18.3.4 ... Old and New Authorization Concept in Controlling ... 588
  • 18.4 ... Authorizations in Logistics (General) ... 588
  • 18.4.1 ... Organizational Differentiation Criteria ... 588
  • 18.4.2 ... Material Master/Material Type ... 590
  • 18.5 ... Authorizations in Purchasing ... 594
  • 18.5.1 ... Maintaining Master Data ... 594
  • 18.5.2 ... Procurement Processing ... 594
  • 18.6 ... Authorizations in Sales and Distribution ... 601
  • 18.6.1 ... Maintaining Master Data ... 601
  • 18.6.2 ... Sales Processing ... 602
  • 18.7 ... Authorizations in Technical Processes ... 605
  • 18.7.1 ... Segregation of Duties in Authorization Management ... 606
  • 18.7.2 ... Segregation of Duties in the Transport System ... 610
  • 18.7.3 ... RFC Authorizations ... 612
  • 18.7.4 ... Debugging Authorizations ... 613
  • 18.7.5 ... Client Change ... 613
  • 18.7.6 ... Change Logging ... 615
  • 18.7.7 ... Batch Authorizations ... 615
  • 18.8 ... Summary ... 616
  • 19 ... Project Concepts and Approaches ... 617
  • 19.1 ... Authorization Concept in the Project Context ... 617
  • 19.2 ... Procedure Model ... 620
  • 19.2.1 ... Logical Approach ... 621
  • 19.2.2 ... Implementation ... 622
  • 19.2.3 ... Redesign ... 624
  • 19.2.4 ... Concrete Procedure ... 625
  • 19.3 ... SAP Best Practices Template Role Concept ... 628
  • 19.3.1 ... SAP Best Practices ... 629
  • 19.3.2 ... SAP Template Roles ... 629
  • 19.3.3 ... Methodical Procedure of the SAP Best Practices Role Concept ... 631
  • 19.3.4 ... Combination with SAP BusinessObjects Access Control ... 635
  • 19.4 ... Content of an Authorization Concept ... 636
  • 19.4.1 ... Introduction and Standardization Framework of the Concept ... 637
  • 19.4.2 ... Technical Context ... 638
  • 19.4.3 ... Risk Evaluation ... 638
  • 19.4.4 ... Person — User — Authorization ... 639
  • 19.4.5 ... Authorization Management ... 640
  • 19.4.6 ... Organizational Differentiation ... 641
  • 19.4.7 ... Process Documentation ... 641
  • 19.4.8 ... Role Documentation ... 642
  • 19.5 ... Summary ... 642
  • ... Appendices ... 643
  • A ... List of Abbreviations ... 645
  • B ... Glossary ... 649
  • C ... Bibliography ... 661
  • D ... The Authors ... 663
  • ... Index ... 665



Product Reviews



  1. Posted by Anonymous on Apr 15th, 2013

    This is a great book for IT auditors or for managers who work in the area of IT governance where authorization is one of their main concerns, and it is also a book highly relevant for those who wish to learn more about configurations.


  2. Great Authorization Concept book

    Posted by Jack on Mar 27th, 2013

    It's a great book. The author delves very deeply into concepts, and it is very easy to understand. I would say this is really a great effort and good for Authorization consultants.
    I would highly recommend this book to anyone working in the SAP Security area.


  3. A must for role designers

    Posted by Anonymous on Jan 5th, 2013

    Very good book on role design. Everything from the legal framework to authorizations and checks in different SAP parts (HCM ...).


  4. A Toolbox for R/3 system authorization

    Posted by Md. Soadrul Amin on Dec 31st, 2012

    Chapter 11 is a must read for BASIS guys.

    Three basic things that BASIS admins are supposed to control are objects, tcodes and tables. Some critical objects, such as those below, are explained with their functions.

    S_DEVELOP
    S_ADMI_FCD
    S_LOG_COM
    S_PROGRAM
    P_ACTION

    BASIS administrators should make themselves confident about what tcodes not to give to end-users. Transactions that are not suitable for end-users, such as SE93, SM30, SM35 and SM13, are discussed here.

    Table based analysis of authorizations is discussed in detail with reference to specific table name and their functions.

    If your organization has a password policy, you will know how to implement those policies on your R/3 system if you read section 7.3 (Parameters for password rules). All the parameters with their intended use are tabulated there. Another important thing is authorization groups. The default groups must be familiar to administrators and are the topic of chapter 7.

    I can strongly say that this book is your toolbox for R/3 system administration.
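The review above lists critical authorization objects and transactions and mentions the table-based analysis of authorizations from chapter 11. The following Python script is an added example (not from the book, the reviewer, or this page) of what such a table-based scan looks like in practice: it reads an export of role authorization values in the layout of table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH) and flags roles that carry one of the critical objects or that grant one of the critical transactions through S_TCODE. The point it adds beyond the review is that S_TCODE values are not only single transaction codes: a range entry such as SE..SM99 or a generic value such as SE* covers SE93 and SM30 just as well, so a scan that compares exact values only would miss them. The semicolon export layout, the sample roles, and the value-matching rules (HIGH set means an inclusive range on the string value, `*` is a wildcard, a trailing `*` is a prefix) are assumptions of this example and are marked as such in the code.

```python
"""Added example (not from the book): scan exported PFCG role authorization
data for critical authorization objects and transaction codes.

Assumptions: the input is a semicolon-separated export of table AGR_1251
(role authorization values) with the columns AGR_NAME;OBJECT;FIELD;LOW;HIGH,
and values are matched the way an authorization check treats them:
HIGH set -> inclusive range on the string value, '*' -> any value,
trailing '*' -> prefix match, otherwise exact match.
"""
import csv
import io
from collections import defaultdict

# Critical objects and transactions named in the review above.
CRITICAL_OBJECTS = {"S_DEVELOP", "S_ADMI_FCD", "S_LOG_COM", "S_PROGRAM", "P_ACTION"}
CRITICAL_TCODES = {"SE93", "SM30", "SM35", "SM13"}

# Constructed sample export (hypothetical roles, not real system data).
AGR_1251_SAMPLE = """\
AGR_NAME;OBJECT;FIELD;LOW;HIGH
Z_FI_AP_CLERK;F_BKPF_BUK;ACTVT;01;
Z_FI_AP_CLERK;F_BKPF_BUK;BUKRS;1000;
Z_FI_AP_CLERK;S_TCODE;TCD;FB60;
Z_FI_AP_CLERK;S_TCODE;TCD;SM30;
Z_BASIS_ADMIN;S_DEVELOP;ACTVT;02;
Z_BASIS_ADMIN;S_DEVELOP;DEVCLASS;*;
Z_BASIS_ADMIN;S_TCODE;TCD;SE93;
Z_BASIS_ADMIN;S_TCODE;TCD;SM35;
Z_HR_VIEWER;P_ORGIN;ACTVT;03;
Z_HR_VIEWER;S_TCODE;TCD;PA20;
Z_HR_VIEWER;S_TCODE;TCD;SE;SM99
"""


def parse_agr_1251(text):
    """Parse the export into a list of row dicts with stripped string values."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def value_matches(value, low, high):
    """True if the authorization value LOW/HIGH covers `value` (assumed semantics)."""
    if high:                      # range entry, e.g. LOW=SE HIGH=SM99
        return low <= value <= high
    if low == "*":                # full wildcard
        return True
    if low.endswith("*"):         # generic value, e.g. SE*
        return value.startswith(low[:-1])
    return value == low           # single value


def scan_roles(rows, critical_objects=CRITICAL_OBJECTS, critical_tcodes=CRITICAL_TCODES):
    """Return {role: [(object, field, low, high, reason), ...]}.

    A row is reported if its object is on the critical list, or if it is an
    S_TCODE/TCD value that covers a critical transaction (exact, wildcard or
    range), which is how a range such as SE..SM99 quietly grants SE93 and SM30.
    """
    findings = defaultdict(list)
    for r in rows:
        role, obj, field = r["AGR_NAME"], r["OBJECT"], r["FIELD"]
        low, high = r["LOW"], r["HIGH"]
        if obj in critical_objects:
            findings[role].append((obj, field, low, high, f"critical object {obj}"))
        elif obj == "S_TCODE" and field == "TCD":
            hits = sorted(t for t in critical_tcodes if value_matches(t, low, high))
            if hits:
                findings[role].append((obj, field, low, high, "grants " + ", ".join(hits)))
    return dict(findings)


def report(findings):
    """Render findings as one text line per hit, grouped by role."""
    lines = []
    for role in sorted(findings):
        for obj, field, low, high, reason in findings[role]:
            rng = f"{low}..{high}" if high else low
            lines.append(f"{role}: {obj} {field}={rng}  [{reason}]")
    return lines


if __name__ == "__main__":
    for line in report(scan_roles(parse_agr_1251(AGR_1251_SAMPLE))):
        print(line)
```

On the constructed sample the scan reports SM30 in the finance clerk role, the S_DEVELOP rows plus SE93 and SM35 in the BASIS role, and the SE..SM99 range in the HR viewer role as covering all four critical transactions. To run it against a real system, replace the embedded sample with an export of the role authorization data and extend the two critical lists with the objects and transactions from your own authorization concept.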

