SAP authorization training notes. √ System security has six aspects; authorization is one of them.
System security covers six aspects. Authorization security belongs to the application; the other five are infrastructure security.
Authentication: who you are; checked before logon.
Authorization: inside the application software; defines what a user may do (the opposite of law: only what is explicitly granted is allowed).
Confidentiality: data stays secret; encryption during transmission.
Integrity: data is not modified; digital signature.
Non-repudiation: a party cannot deny what it did.
Availability: the system stays usable.
√ Image metaphor
The authorization object is like a template; an authorization is like a key made from it. The keys are put in a box (profile or role) and the box is given to a person (user).
User master record
Profile or role (the suitcase; in earlier versions a maximum of 150 authorizations)
Authorization object (grouped by authorization object class)
Authorizations
Fields & values
Before R/3 the system administrator's workload was too large. R/3 improved this with the Profile Generator, transaction PFCG, which generates a profile from a role.
A role traditionally contains only three kinds of content: transactions, reports, and URLs. After a tcode is added to a role, PFCG automatically finds the authorization objects it needs and generates the profile from two tables: USOBX (which objects are checked) and USOBT (their default values). SU25 copies these into USOBX_C and USOBT_C, which can be modified; from then on PFCG queries the customer tables instead of the originals. (There is a small problem, for example when adding an authorization object ......) SU24: view the authorization objects of a transaction.
Each object can have up to 10 fields. For example:
Activity (display, change, create)
Plant
** The above is controlled by the program kernel.
After a tcode is entered, what does the system do, in sequence? Take VA01 as an example.
First, check table TSTC to see whether the entered tcode exists.
Next, check SM01 to see whether the system administrator (basis) has locked the transaction (for example, temporarily locked at month end).
Then check the S_TCODE authorization object. Without it no transaction can be executed; it generally lists all transactions the user is allowed to execute. It only controls entering the transaction; once the user is inside, it no longer interferes. This is the first level: whether a transaction can be entered.
The second level is the authorization object checked inside the transaction.
The steps above are performed by the kernel without writing any program code.
Inside the transaction, ABAP uses the AUTHORITY-CHECK statement, which sets the system field sy-subrc. If sy-subrc equals 0 the check succeeded and processing may continue; any other value means the check failed and processing should stop.
** Operation
Q operation: create a user without any authorizations.
Result: the menu is displayed, but nothing can be executed.
Q operation: create a role, add a tcode, maintain the organizational level data, and maintain the authorization objects.
| These operations are performed by the system administrator, but their content is proposed by the business team; the system administrator does not understand the business content.
| In the strictest setups, three authorization administrators are responsible separately for user master data, role administration, and role assignment.
Enter the organizational level data first.
Then maintain the authorization objects:
Here you can show the technical names (Utilities > Technical names; S_TCODE is then shown by its technical name).
A green light means the default definition is complete.
A red light means the organizational levels have not been maintained.
A yellow light means some authorization objects have no default values (click the yellow light to set the value to *; you can also click the top-level yellow light).
Generate the profile.
Assign it to the user.
User comparison of the user master data. Explanation: this is equivalent to refreshing memory, so the change takes effect immediately; otherwise the user must log off and log on again.
Q exercise: write a few lines of program.
  PARAMETERS pa_car TYPE scarr-carrid.
  DATA wa TYPE scarr.

  AT SELECTION-SCREEN.
    " Object S_CARRID: may this user display (activity 03) airline pa_car?
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD pa_car
      ID 'ACTVT'  FIELD '03'.
    IF sy-subrc <> 0.
      MESSAGE e045(bc400) WITH pa_car.   " error message, processing stops
    ENDIF.

  START-OF-SELECTION.
    SELECT SINGLE * FROM scarr INTO wa WHERE carrid = pa_car.
    WRITE: / wa-carrid, wa-carrname.
Message class: BC400 (the message used above).
SE11: table SCARR.
Select an airline and list it.
SE93: create a transaction code for the program.
Add the authorizations to the role; the authorization object shows a red light (status Standard).
Manually add S_CARRID to the role.
Without the check in the program this has no effect, because no check is performed: the table itself carries no authorization. The check stands at the door; nothing accompanies you once you are inside.
Lock and add the check.
After the AUTHORITY-CHECK lines are added, a user without the authorization can no longer read the data: the system issues an error message and stops.
A programmer with S_DEVELOP can debug and change the returned value (sy-subrc) so that the check passes. Therefore this role must not be assigned to anyone in the production system; this is also one of the reasons development must be done in a separate system.
AIS (Audit Information System) simplifies auditing. This training points out that
SE16 (table display) is a sensitive authorization.
Problem: for standard transactions SAP has already defined which authorization objects are checked during execution. To add more you need to create an authorization object in SU21, maintain it in the role, and modify the source program. Creating and maintaining the object is little work and not difficult, but modifying the source program is the larger part of the work.
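The two levels described above (S_TCODE for entering the transaction, the application object inside it) and the SU21 note about checks added to a program are shown together in the following report. This is an added example written for these notes, not code from the training or from SAP. The report name and the use of VA01 as the transaction being checked are assumptions; S_CARRID, CARRID, ACTVT and message BC400 045 are taken from the exercise above. A customer object created in SU21 is checked with exactly the same statement, with its own object and field names in place of S_CARRID and CARRID. Unlike the exercise, the return code is decoded rather than only compared with 0, and the activity checked is derived from what the program is about to do.

```abap
*---------------------------------------------------------------------*
* Added example (not from the training notes): two-level authorization
* check. Report name and the VA01 transaction are assumptions.
*---------------------------------------------------------------------*
REPORT z_auth_two_levels.             " assumed program name

PARAMETERS: pa_car TYPE scarr-carrid,
            pa_chg AS CHECKBOX.       " ticked = change (02), blank = display (03)

DATA: gv_subrc TYPE sy-subrc,
      gv_actvt TYPE c LENGTH 2,
      gv_text  TYPE string,
      gs_carr  TYPE scarr.

* Turn the AUTHORITY-CHECK return code into a readable reason.
* Only 0 means "allowed"; every other value must stop processing.
FORM describe_subrc USING    iv_subrc TYPE sy-subrc
                    CHANGING cv_text  TYPE string.
  CASE iv_subrc.
    WHEN 0.  cv_text = 'authorization granted'.
    WHEN 4.  cv_text = 'user has no matching authorization'.
    WHEN 8.  cv_text = 'too many ID/FIELD pairs (at most 10)'.
    WHEN 12. cv_text = 'object not in the user master record'.
    WHEN OTHERS.
      cv_text = |check not performed, sy-subrc { iv_subrc }|.
  ENDCASE.
ENDFORM.

AT SELECTION-SCREEN.
* Level 1: S_TCODE. The kernel performs this check itself when a
* transaction is started; it is repeated here only to make it visible.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD 'VA01'.
  gv_subrc = sy-subrc.                " save before any other statement
  PERFORM describe_subrc USING gv_subrc CHANGING gv_text.
  IF gv_subrc <> 0.
    MESSAGE gv_text TYPE 'E'.         " user stays on the selection screen
  ENDIF.

* Level 2: the application object, with the activity that matches the
* action requested. Checking 03 and then changing data would be a gap.
  IF pa_chg = 'X'.
    gv_actvt = '02'.
  ELSE.
    gv_actvt = '03'.
  ENDIF.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD pa_car
    ID 'ACTVT'  FIELD gv_actvt.
  gv_subrc = sy-subrc.
  PERFORM describe_subrc USING gv_subrc CHANGING gv_text.
  IF gv_subrc <> 0.
    MESSAGE e045(bc400) WITH pa_car.  " message from the exercise above
  ENDIF.

START-OF-SELECTION.
* Only reached when both checks returned 0: the data is read after the
* check, never before it.
  SELECT SINGLE * FROM scarr INTO gs_carr WHERE carrid = pa_car.
  IF sy-subrc = 0.
    WRITE: / gs_carr-carrid, gs_carr-carrname.
  ENDIF.
```

Placing both checks in AT SELECTION-SCREEN means a failed check returns the user to the selection screen before any database access, which is the behaviour the exercise describes ("the system issues an error and stops"). The decoded return code matters in practice: sy-subrc 4 is a genuine missing authorization, while 12 or higher usually points at a user master or object definition problem that an administrator, not the end user, has to fix.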
SUIM, the user information system: users with successful logons, users with critical authorizations (you can define which combinations of authorization objects count as critical and then list the users holding them).
Authorization test: shows which check failed.
Dedicated data import tools: LSMW, SXDA (dedicated); SM35 is a function under LSMW, and CATT is also an API for batch input.
** Using HR to improve authorization management
Not role → user,
but role → HR position → HR person → SAP user.
Then, when John moves from job A to job B, his SAP authorizations change automatically once HR maintains the move; basis is not involved. Currently the company does not use positions.
** Other kinds of role
Single role & composite role
Create single roles first, then attach n single roles to a composite role; it can be updated automatically.
Derived role & reference role
Used to maintain several sets of similar authorizations that differ only in the organizational level fields. The reference role has no organizational level data; the derived role takes its authorizations from it and adds the organizational data. Derived and reference roles are not used much, because other authorization fields usually differ as well, and in reality few cases are that similar (business scale).