SAP Audit Information and Approach

Authorization Example

1. User Master Record
   User: Frank W. Lyons
   Profile: Example

2. Profile: Example
   Object:        Authorizations:
   S_Program      ABAP

3. Authorization: ABAP
   Object: S_Program
   Values:            Fields:
   *                  Program Group
   SUBMIT, VARIANT    Activity

Authorization System:

1. Profiles
   One or more assigned to a user
2. Objects
   Must be unique names with one or more fields
3. Fields
   Contain values for authority checking
4. Authorizations
   Can have the same names as they are physically and physically linked to an object
   Field group for an object has multiple values and can be shared across objects

Initial Defaults

1. Initial Clients
   Client 000   Standard model
   Client 001   Model for user defined clients (template)

2. Initial User Ids
   SAP*   Default super user. A user master record is created during installation but it is not needed by SAP* to access the complete system. If the SAP* master record is deleted, the SAP* account has the following special privileges:
      It is not subject to authorization checks and therefore has all authorizations
      It has the password “PASS”, which cannot be changed without creating a new user master record.
   To prevent deletion, assign SAP* user to a group called SUPER and only super user should be able to maintain user group SUPER.

3. Initial Security Parameters
   Parameters for user logon

   login/min_password_lng
      Minimum password length. The default is (3).
   login/password_expiration_time
      Number of days after which a password must be changed. The default is zero, which does not enforce password changes. Recommended value = 45.
   login/fails_to_session_end
      Number of times a user can enter an incorrect password before the system ends the login attempt. The default is (3).
   login/fails_to_user_lock
      Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. The default is (12). Recommend (3). When a password is locked in this manner, it is automatically unlocked by the system at the start of the next day (midnight).

Adding Users

1. Each user must have a master record.
2. Each user master record refers to one or more profiles that determine the access rights for the user.
3. Master record contains:
      User ID
      Password
      User groups
      User type
      Period of validity
      References to authorization profiles
   Master records can be deleted but it will affect the audit trail. Better to lock the user's master record.
   Menu Path: Tools - Administration - User Maintenance - User - Lock/Unlock.
4. User Group
   If a person is assigned to a user group, only the administrators who are authorized for that user group can alter user master records. If a user is not assigned to a group then any user administrator can alter the user master record.

Adding Profiles

Profiles and Authorizations exist in both maintenance and active versions. Allows for updates to maintenance before it is activated. Separation of maintenance and activation functions.

1. System Profiles
   SAP Standard and Super User Profiles

   S_A.SYSTEM
      Unlimited access to all users, profiles, and authorizations
   S_A.ADMIN
      Authorizations for SAP system administration.
      This includes all authorizations except for:
         Maintenance of users in user group SUPER
         Maintenance of profiles and authorizations with names beginning “S_A.”
   S_A.CUSTOMIZ
      Authorizations for use in the SAP Customizing system
   S_A.DEVELOP
      Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)
   S_A.USER
      Basis system authorizations for end-users (e.g., S_Program, S_DBC_MONI, etc.)

2. Startup Profiles

   Profile Name   Description
   S_ABAP_ALL     All ABAP/4 authorizations
   S_ADMI_ALL     All system administration functions
   S_BDC_ALL      All batch input activities
   S_BTCH_ALL     All batch processing authorizations
   S_DDIC_ALL     DDIC: All authorizations
   S_DDIC_SU      Data Dictionary: All authorizations
   S_NUMBER       Number range maintenance: All authorizations
   S_SCD0_ALL     Change doc
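
The logon parameters listed under Initial Security Parameters can be checked mechanically against the defaults and recommended values given in this handout. The following Python script is an added example, not part of the original handout: it assumes the parameters are read from an SAP profile file in `name = value` form with `#` comments, and the sample profile in it is constructed.

```python
import re

# (default on this page, recommendation on this page); None = no recommendation given.
# SAP spells the first parameter login/min_password_lng.
PAGE_VALUES = {
    "login/min_password_lng": (3, None),
    "login/password_expiration_time": (0, 45),
    "login/fails_to_session_end": (3, None),
    "login/fails_to_user_lock": (12, 3),
}

def parse_profile(text):
    """Read 'name = value' lines (assumed format); '#' starts a comment, last assignment wins."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w/.-]+)\s*=\s*(\S+)", line.split("#", 1)[0])
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit(params):
    """Return {parameter: (effective value, origin, finding or None)}."""
    report = {}
    for name, (default, recommended) in PAGE_VALUES.items():
        raw = params.get(name)
        origin = "profile" if raw is not None else "default"
        if raw is not None and not raw.isdigit():
            report[name] = (raw, origin, "not a number")
            continue
        # A parameter missing from the profile runs with its default.
        value = int(raw) if raw is not None else default
        finding = None
        if name == "login/password_expiration_time" and value == 0:
            finding = "password changes are not enforced"
        elif recommended is not None and value > recommended:
            finding = f"exceeds recommended value {recommended}"
        report[name] = (value, origin, finding)
    return report

# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# constructed DEFAULT.PFL excerpt
login/min_password_lng = 6
login/password_expiration_time = 90   # days
login/fails_to_session_end = 3
"""

if __name__ == "__main__":
    for name, (value, origin, finding) in audit(parse_profile(SAMPLE_PROFILE)).items():
        print(f"{name:32} {value!s:>3} ({origin:7}) {finding or 'ok'}")
```

A parameter that is absent from the profile is reported with origin `default`, which is how the unset `login/fails_to_user_lock` in the sample surfaces as a finding.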
