Banzer, AlessandroAlessandro Banzer is the chief executive officer of Xiting. He has worked in information technology since 2004, specializing in SAP in 2009. Since then, Alessandro has been involved with global SAP projects in various roles. Alessandro is an active contributor and moderator in the governance, risk, and compliance space on SAP Community, as well as a speaker at SAPPHIRE, ASUG, SAPinsider, and other SAP-related events. He holds a degree in business information technology, as well as an Executive Master of Business Administration from Hult International Business School in London, UK.Sambill, AlexanderAlexander Sambill is a senior SAP security consultant and certified SAP trainer at Xiting Germany. He is a security-minded professional with consulting and sales experience in many industries. During his years of work within SAP security, he specialized himself for SAP authorizations in SAP ERP and SAP S/4HANA with SAP Fiori. Alexander leads authorization migration and redesign projects for small and large enterprises, educates customers, and solves individual custom use cases. He is also a federally certified instructor (IHK) in commerce and industry.Alexander is a passionate writer and active blogger of technical and scientific articles, e-books, white papers, surveys, and more about SAP security and authorizations. He is also the content manager of publications for SAP authorizations at Xiting AG. Before starting work for Xiting, he received his master of business administration from the Technical University of Bergakademie Freiberg, Germany.

Maintain system users, manage roles with SAP Access Control, and more

... Preface ... 19

... Target Audience ... 19

... Structure of This Book ... 20

... Acknowledgments ... 21

1 ... Introduction to SAP Authorizations ... 23

1.1 ... What Are Authorizations? ... 24

1.2 ... User Access in the SAP System ... 25

1.3 ... Evolution of Authorizations from SAP ERP to SAP S/4HANA ... 26

1.4 ... SAP Fiori (Presentation Layer) ... 34

1.5 ... Native Authorizations in SAP HANA (Database Layer) ... 37

1.6 ... Hybrid System Landscapes and Implications on Authorizations ... 38

1.7 ... Summary ... 45

2 ... ABAP Authorization Concept ... 47

2.1 ... Influences on the SAP Authorization Concept ... 48

2.2 ... Basic Principles for an SAP Authorizations Concept ... 49

2.3 ... ABAP Authorizations ... 51

2.4 ... Roles and Profiles ... 65

2.5 ... Users ... 70

2.6 ... Authority Checks ... 74

2.7 ... Critical Authorizations ... 87

2.8 ... Authorizations in SAP ERP Human Capital Management ... 102

2.9 ... Different Transaction Types ... 106

2.10 ... SAP System Check for Security Flaws ... 121

2.11 ... Customizing of SAP Security Settings ... 130

2.12 ... Summary ... 133

3 ... Designing Authorization Concepts ... 135

3.1 ... Role Design Approaches ... 135

3.2 ... Role Types ... 139

3.3 ... Segregation of Duties ... 146

3.4 ... Determining When to Use Enabler Roles ... 147

3.5 ... Role Naming Convention ... 152

3.6 ... Summary ... 154

4 ... Xiting Authorizations Management Suite ... 157

4.1 ... Overview ... 158

4.2 ... Xiting Role Designer ... 159

4.3 ... Xiting ABAP Alchemist ... 165

4.4 ... Xiting Role Replicator ... 169

4.5 ... Xiting Role Builder ... 172

4.6 ... Xiting Times ... 174

4.7 ... Xiting Role Profiler ... 176

4.8 ... Xiting Security Architect ... 179

4.9 ... Summary ... 182

5 ... Transaction SU24: Authorization Default Values ... 183

5.1 ... Overview ... 184

5.2 ... Transaction SU24 Maintenance ... 192

5.3 ... Transaction SU24N ... 200

5.4 ... Populating Data from Traces ... 205

5.5 ... Best Practice Maintenance of Transaction SU24 ... 208

5.6 ... Upgrading Authorization Default Values ... 223

5.7 ... Transaction SU24 Optimization Tools ... 239

5.8 ... Xiting Authorizations Management Suite: Transaction SU24 Optimization Tools ... 241

5.9 ... Summary ... 243

6 ... Role Maintenance in Transaction PFCG ... 245

6.1 ... Navigation within Transaction PFCG ... 247

6.2 ... Creation of Different Roles ... 256

6.3 ... Role Menu Objects ... 270

6.4 ... Authorization Maintenance in Roles ... 274

6.5 ... Sustainable Role Building ... 290

6.6 ... Role Versions ... 297

6.7 ... Roles Overview Status ... 299

6.8 ... Selected Mass Maintenance Options for Roles ... 301

6.9 ... Transfer of Roles ... 306

6.10 ... Xiting Authorizations Management Suite: Virtual Role Design with Xiting Role Designer ... 308

6.11 ... Summary ... 312

7 ... Authorization Analysis, Trace Tools, and Authorization Debugging ... 315

7.1 ... Overview ... 316

7.2 ... Transaction SU53 ... 320

7.3 ... Transactions ST01/STAUTHTRACE ... 323

7.4 ... Transaction STUSOBTRACE ... 329

7.5 ... Transaction STUSERTRACE ... 333

7.6 ... Authorization Debugging ... 337

7.7 ... Xiting Authorizations Management Suite: Enhanced Trace Evaluation ... 344

7.8 ... Summary ... 347

8 ... SAP Fiori Authorizations ... 349

8.1 ... Overview ... 349

8.2 ... SAP Fiori Architecture ... 351

8.3 ... Deployment Options ... 353

8.4 ... SAP Fiori Apps Reference Library ... 356

8.5 ... SAP Fiori Administrative Tools ... 360

8.6 ... OData Services ... 366

8.7 ... SAP Fiori Concept Implementation ... 369

8.8 ... Frontend/Backend Server Authorizations ... 379

8.9 ... Troubleshooting Tools for SAP Fiori ... 386

8.10 ... Xiting Authorizations Management Suite: Tool-Driven SAP Fiori Objects Implementation and Analysis ... 392

8.11 ... Summary ... 394

9 ... User Maintenance ... 395

9.1 ... Maintenance of the User Master Record ... 395

9.2 ... Password Rules ... 415

9.3 ... The User Buffer ... 417

9.4 ... User Naming Conventions ... 419

9.5 ... User Classification ... 421

9.6 ... User-Related Tables ... 421

9.7 ... User Access Reviews ... 422

9.8 ... User Lock Status ... 423

9.9 ... Security Policies ... 423

9.10 ... Securing Default Accounts ... 428

9.11 ... Maintaining User Groups ... 430

9.12 ... Central User Administration ... 432

9.13 ... SAP Usage Data for Users ... 436

9.14 ... Summary ... 437

10 ... Access Governance with SAP Access Control and SAP Cloud Identity Access Governance ... 439

10.1 ... SAP Access Control ... 439

10.2 ... SAP Cloud Identity Access Governance ... 443

10.3 ... Understanding the Ruleset ... 449

10.4 ... Segregation of Duties Management Process ... 456

10.5 ... Custom Transactions for the Ruleset ... 463

10.6 ... Business Roles ... 468

10.7 ... User Access Review ... 470

10.8 ... Roles for Firefighters ... 471

10.9 ... Impact to Governance, Risk, and Compliance When Migrating and Upgrading SAP Systems ... 475

10.10 ... Summary ... 476

11 ... Interface Authorizations and Hardening of Interfaces ... 477

11.1 ... Remote Function Call Security ... 477

11.2 ... Best Practices ... 486

11.3 ... SAP Unified Connectivity ... 491

11.4 ... Xiting Authorizations Management Suite: Automated and Risk-Free Role Testing and Go-Live ... 493

11.5 ... Summary ... 494

12 ... Migrating Authorizations to SAP S/4HANA ... 497

12.1 ... Overview ... 498

12.2 ... SAP HANA Database ... 504

12.3 ... SAP S/4HANA Deployment Options ... 507

12.4 ... Business Process Changes through SAP S/4HANA ... 516

12.5 ... Core Data Services in SAP S/4HANA ... 519

12.6 ... Preparing for an SAP S/4HANA Migration ... 527

12.7 ... Migrating Authorizations to SAP S/4HANA with Standard SAP Tools ... 541

12.8 ... Xiting Authorizations Management Suite: Helpful SAP S/4HANA Migration Features ... 563

12.9 ... Summary ... 566

13 ... Migrating Authorizations to SAP S/4HANA with the Xiting Authorizations Management Suite ... 567

13.1 ... SAP S/4HANA Migration Strategies with the Xiting Authorizations Management Suite ... 568

13.2 ... Preparation Phase: Role Concept Validation ... 574

13.3 ... Design Phase: Conceptual Role Migration ... 583

13.4 ... Implementation Phase: SAP S/4HANA Role Implementation ... 588

13.5 ... Validation Phase: SAP S/4HANA Role Concept Analysis ... 599

13.6 ... Activation Phase: Role Concept-Protected Go-Live ... 605

13.7 ... Summary ... 609

... The Authors ... 611

... Index ... 613