HOW TO SAP

Step by step manual guide with screenshot for Basis, Security Authorization & Abap


SAP GRC Access Control Explain

December 28, 2017   access control, grc,
SAP GRC Access Control consists of the following modules:
  • Compliant User Provisioning (CUP)
  • Risk Analysis and Remediation (RAR)
  • Enterprise Role Management (ERM)
  • Superuser Privilege Management (SPM)
Compliant User Provisioning (CUP)
CUP provides the workflow engine to drive compliant user and role maintenance processes within the SAP environment. These processes are auditable and verifiable, with clear, configurable processes for approval, SoD checking and provisioning.
Risk Analysis and Remediation (RAR)
RAR is the repository for segregation of duties (SoD) rule definitions. As well as using the rules to check whether user and role administration activities could introduce risks to your business, RAR reports on the risks within the system – presenting them in a graphical format within a web browser.
Enterprise Role Management (ERM)
ERM rigorously applies naming conventions and validations to role creation, reducing management effort and the risk of segregation of duties violations. To use ERM you have to define structured working methods.
Superuser Privilege Management (SPM)

Previously known as Firefighter, SPM lets you assign 'emergency user' status to normal support users, giving them extended access for exceptional circumstances. A notification is linked to the use of this extended access. And all activities are logged during its use to reduce the risk of unauthorised activities taking place. SPM is one of the simplest Access Control components to deploy.

SAP Security Authorization Interview question

December 23, 2017   interview question, security authorization,
  1. How do you determine what organization value to give to a user?
    Refer to the request form, change request, functional team, copy from a sample user, consult their subordinate or manager. Some business sense is needed. Never give more values than requested.
  2. How would you map a tcode to a user?
    Check the request form. Investigate the user's role function. Research the function of the tcode. Do not give any tcode that is not needed by the user from a business point of view.
  3. What background or periodic jobs should a security consultant know?
    - Daily check on the sap* and ddic users. They should be locked at all times (unless there is an upgrade).
    - Run RSUSR006 to check locked users.
    - Check if the production client is locked against direct changes.
    - Check on the sap_all profile. No one should have it.
  4. Single role naming convention
    Sample: MY1XFCSOA or MY1XFCSOD
    Explain:
    - MY (country code)
    - 1X (domain - which corresponds to the org level value Excel sheet)
    - FCSO (abbreviation of the function role - Finance Create sales order)
    - A (activity type - A means change, D means display)
  5. Max profile?
    - 312
  6. How to check how many profiles a user has?
    - Table USR04
  7. System parameters used by security
    - login/no_automatic_user_sapstar
    - login/fails_to_user_lock
    - login/fails_to_session_end
    - login/gui_auto_logout
    - many more, google for results.
  8. Why can sap* not be used?
    - SAP is designed not to check authorization for user sap*
    - Whoever has sap* gets control over the whole system
  9. Tcodes frequently used
    - SUIM, PFCG, SU01, SU53 and google for more
  10. What is SU24?
    - Remove and add authorization object checks (to be displayed in PFCG)
    - Used to standardize common authorization objects to be pulled into a role
  11. What is a derived role?
    - A child role derived from a master template
  12. Authorization object
    - A collection of authorization fields.
  13. How to check a user access issue?
    - SU53, ST01
  14. User does not have access but SUIM search indicates authorization is given
    Reason:
    - Max profile reached
    - Didn't relogin
    - Did not perform user comparison
  15. Which table shows what profiles a user has?
    - UST04
  16. PFCG tables
    - agr_agrs, agr_1251, agr_1252, USR02, etc.
  17. How to transport a role?
    - PFCG > there is a transport truck icon. Alternatively, use mass transport from the menu
  18. Convert a field to org level
    - Run program PFCG_ORGFIELD_CREATE
  19. What is GRC?
    - Governance Risk and Compliance
    - Helps a company put in place a set of policies and controls to be SOX compliant
  20. Components of GRC
    - CUP (Compliant User Provisioning - enables self request for roles and also approval)
    - RAR (Risk Analysis and Remediation - check SOD, generate report and propose solution)
    - ERM (Enterprise Role Management - assists in role designing)
    - SPM (Superuser Privilege Management - profile super user access like firecall and mitigation)
  21. Why do single roles sometimes have more than one profile?
    - When there are more than 150 objects in a profile, SAP auto generates a new profile


End of SAP Security Authorization Interview question

SAP SECURITY - Create authorization object and assign to user

December 21, 2017   Authorization, create, object,
Authorization objects are used to control the current user's privileges for specific data selection and activities from within a program.

We can always create our own authorization objects and implement them in our own ABAP programs. As an example, we will create our own authorization field similar to TCD used in S_TCODE.

Steps to create authorization field
1. Go to transaction code SU20
2. Click the create new button on the application toolbar.
3. Enter "ZTCODE" in the Field Name and "TCODE" in the Data Element, then hit Enter.
4. Click the save button on the system toolbar.
The next step is to create the authorization class and authorization object.

Steps to create authorization class
1. Go to transaction code SU21
2. Click on the Create button's drop down icon and select "Object Class".
3. Enter "ZTRN" on the Object Class field.
4. Give it a description and save it.

Steps to create authorization object
1. Again in SU21, in the list of authorization classes (folder icon), click the one that we've created (ZTRN).
2. Click on the Create button's drop-down, this time selecting "Authorization Object".
3. Enter "Z_TCODE" on the Object field and give it a description.
4. On the authorization fields section, enter ACTVT and ZTCODE. ACTVT is used to set and limit the activity of the user, while ZTCODE is the authorization field that we've created earlier, which is responsible for holding a list of tcodes.
5. On the Further Authorization Object Settings, click on "Permitted activities" button. Here we will select the specific activities that we want to be available for our authorization object.
6. As an example, we will select 01(Create), 02(Change), and 03(Display).
7. Save and Exit.

Now we're done creating our own authorization object, let us now use and assign it to a user.

Steps to create a role
1. Go to transaction code PFCG.
2. Enter "ZAUTHTEST" on Role field and click the "Single Role" button.
3. Now give it a description, click the save button and click the Authorization tab.
4. Click the "Change Authorization Data" button inside the authorization tab.
5. Then click the "Manually" button on the application toolbar and type in the name of the authorization object that we've created earlier("Z_TCODE") and press enter.
6. Expand all the nodes, double click on the input field of the Activity and select activity 01 and 02.
7. Enter the tcode of our own ABAP program in the ZTCODE field; in our example I used "ZCOMM".
8. Also don't forget to add the S_TCODE authorization object and enter ZCOMM in its field.
9. Now click on the Generate button in the application toolbar and press Enter on the pop-up screen.
10. Press the back button, assign a specific user on the User tab and click the User Comparison button.
11. Now create another role by repeating steps 1 to 9, but this time select activity 03 in step 6.
12. Then assign this 2nd role to another user.
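
How a custom ABAP program could enforce the Z_TCODE object built above, as an added example that is not part of the original post. Z_TCODE, its fields ACTVT and ZTCODE, and the tcode ZCOMM come from the steps above; the report name ZCOMM_AUTH_DEMO, the selection screen and the message texts are assumptions.

```abap
REPORT zcomm_auth_demo.
* Added example, not from the original post. Assumes the objects created
* in the steps above: authorization object Z_TCODE with fields ACTVT and
* ZTCODE, and roles granting activity 01/02 or 03 for tcode ZCOMM.
* The report name and message texts are hypothetical.

CONSTANTS: gc_tcode   TYPE tcode      VALUE 'ZCOMM',
           gc_create  TYPE activ_auth VALUE '01',
           gc_change  TYPE activ_auth VALUE '02',
           gc_display TYPE activ_auth VALUE '03'.

* The user picks the activity the program is about to perform.
PARAMETERS: p_creat RADIOBUTTON GROUP act,
            p_chang RADIOBUTTON GROUP act,
            p_disp  RADIOBUTTON GROUP act DEFAULT 'X'.

DATA gv_actvt TYPE activ_auth.

START-OF-SELECTION.
  IF p_creat = 'X'.
    gv_actvt = gc_create.
  ELSEIF p_chang = 'X'.
    gv_actvt = gc_change.
  ELSE.
    gv_actvt = gc_display.
  ENDIF.

* Both fields of the object are checked together against the
* authorizations in the current user's master record.
  AUTHORITY-CHECK OBJECT 'Z_TCODE'
    ID 'ACTVT'  FIELD gv_actvt
    ID 'ZTCODE' FIELD gc_tcode.

* Fail closed: only sy-subrc = 0 lets the program continue.
  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'Authorized for activity', gv_actvt, 'on', gc_tcode.
    WHEN 4.
      MESSAGE 'Z_TCODE is assigned, but not with these field values' TYPE 'E'.
    WHEN 12.
      MESSAGE 'No authorization for object Z_TCODE in the user master' TYPE 'E'.
    WHEN OTHERS.
      MESSAGE 'Authorization check failed' TYPE 'E'.
  ENDCASE.
```

With the two roles from the steps above, the first user passes the create and change checks and fails the display check with sy-subrc 4, while the second user passes only the display check.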

SAP SECURITY INTERVIEW - FIND USER ID FROM TABLE PA0105

December 19, 2017   PA0105, PERNR, usrid, USRID_LONG,

  1. You only have the Personnel Number (PERNR) or Email (USRID_LONG) as reference
  2. SE16 > PA0105
  3. Now enter PERNR or USRID_LONG
  4. SUBTY must be 0001
  5. Now execute



SAP SECURITY - MASS CHANGE USER LICENSE VIA SU10

December 18, 2017   mass change user license, SU10,







  1. SU10 > Authorization Data > User > Multiple Selection
  2. Choose copy from txt file (if you have it in txt format) or clipboard (if you copied and pasted)
  3. Click Copy and it will bring you back to the previous screen
  4. Click Execute
  5. Select all users
  6. Click Transfer
  7. You will get back to the SU10 main screen again
  8. Click Change
  9. License Data tab > Select your desired user license from the drop-down list
  10. REMEMBER TO CHECK "CHANGE"
  11. Now Save and continue
  12. Once finished, a log will be displayed for your reference

Organizational Level Authorization Field

December 17, 2017   Authorization, field, security,

ARBPL Work Center
PLVAR Plan Version
KOKRS Controlling Area
BUKRS Company Code
PRCTR Profit center
IWERK Planning Plant
SWERK Maintenance Plant
EKGRP Purchasing Group
EKORG Purchasing Org.
WERKS Plant
VKORG Sales Organization
VTWEG Distribution Channel
SPART Division
VSTEL Shipping Point
LGORT Stor. Loc.
BERID MRP Area


SAP SECURITY : GRC maintaining Workflow CUA system

December 15, 2017   portal, user,



  1. Open http://domain.com/useradmin
  2. Log in as an administrator
  3. Enter a user ID and click Go
  4. By default only 5 rows are displayed. To change this, go to the upper right of the browser and select 'SHOW ALL'
  5. Done

GRC does not process report real time. It has to be schedule as a job for RAR reporting to work.

December 13, 2017   grc, Schedule RAR job,

  1. Schedule USER, ROLE, PROFILE SYNCHRONIZATION. This job is used by the Batch Risk Analysis job later for reporting.
  2. GRC > CONFIGURATION > SCHEDULE JOB > Check only the 3 below > Then click the Schedule button at the bottom
  3. Give a job name > You may specify any options you like > Click Schedule. In our case, it will run weekly starting from 6th Oct 2011
  4. Now schedule a new job > Select the 4 check boxes below > Click Schedule at the bottom
  5. Same as before, just specify a job name and any options you like. Now click Schedule again.
  6. To check if the job you scheduled is ready or running, just click "SEARCH"
  7. Then enter the search criteria and the result will show as below:





SAP SECURITY EXPORTING USER EMAIL

December 11, 2017   email, search from table,
To extract a user's email address, you may search tables USR21 and ADR6.


  1. SE16 > USR21 and enter user ID
  2. Copy the PERNR (personal number) 
  3. SE16 > ADR6 and paste the PERNR
  4. You will get a list of email addresses
Alternatively, you may replace table ADR6 with PA0105, but this table only exists in an HR system.

SCUM SETTINGS - LOGON DATA TAB

December 10, 2017   logon data, scum,

The Logon Data tab in SCUM has the following settings:

Global
You can only maintain the data in the central system. The data is then automatically distributed to the child systems. These fields do not accept input in the child systems, but can only be displayed.

All other fields that are not set to “global” accept input both in the central and in the child systems and are differentiated only by a different distribution after you have saved.
Proposal
You maintain a default value in the central system that is automatically distributed to the child systems when a user is created. After the distribution, the data is only maintained locally, and is not distributed again, if you change it in the central or child system.
RetVal
You can maintain data both centrally and locally. After every local change to the data, the change is redistributed to the central system and distributed from there to the other child systems.
Local
You can only maintain the data in the child system. Changes are not distributed to other systems.
Everywhere
You can maintain data both centrally and locally. However, only changes made in the central system are distributed to other systems, local changes in the child systems are not distributed.

GRC 5.3 Create Password Self Service

December 09, 2017   grc 5.3, password self service,
GRC 5.3 - Create Password Self Service with Challenge Response with the following steps:


  1. GRC > CUP > Configuration > Self Service >
  2. Authentication Source : Challenge Response
  3. Select Service to Disable Verification: None 
  4. Scroll down > Create > Now add your questions > Save
  5. Repeat step 4 for other questions
  6. Change >
    Number of questions End User has to register : 2
    Number of unsuccessful attempts after which user is locked: 3
    The above values are up to you to define
  7. To make PSS link visible at main AE page > CUP > Configuration > Request form Customization
  8. Check password self service > Change > Visible : Yes > Save

  9. It's visible now
  10. CUP > Configuration > Connectors > Look for existing connectors > Change PSS to Enable
  11. If you fail to perform step 10, you will not see the child system when requesting a password reset
  12. CUP > Configuration > Workflow > CUA SYSTEM > Create / Change to ensure you identify the child - parent relationship of your CUA systems.

GRC 5.3: Set Valid To Date to 12/31/9999 for new user

December 07, 2017   grc 5.3, valid to date,



    1. To make a GRC request result in a valid to date of 12/31/9999, do the following:
    2. CUP > Request form customization > User Valid To > Set Default Value = *


SAP SECURITY AUTHORIZATION: S_TABU_DIS has no 01 Activity

December 05, 2017   object, s_TABU_DIS,
Given the high criticality and increasing complexity related to table access –
SAP® has introduced a new authorization object for a more refined
table access control.

The authorization object S_TABU_NAM was introduced last year.
This authorization object consists of two fields ACTVT (Activity)
and TABNAME (name of table or view).
This concept is valid for generic table access through transactions like SE16,
SE16N, SE17, SM30, SM31, SM34 as well as generic function modules
(e.g. RFC_READ_TABLE)

The authority-check was integrated in the function module
VIEW_AUTHORITY_CHECK as per Release 7x with corresponding
Support Packages (Please refer to OSS Notes 141950 and 1434284
for more details).

To make sure the new object is downwards compatible with the previous
checks on S_TABU_DIS and S_TABU_CLI where applicable,
the new check will only be performed if the check on S_TABU_DIS was not successful.

Performance issue on MDG - Manual Pre Implementation Step (Note 1719803)

December 03, 2017   mdg, pfcg, snote 1719803,





  1. Tcode PFCG, Edit the MDG role
  2. Click on Menu tab
  3. Expand the Hierarchy
  4. Go to Role Menu > Supplier Governance > Change Request > Search Supplier > 
  5. Right Click on WDY_Application - Enterprise Search  > Details
  6. Update Application configuration according to SAP note
  7. This is where you update the field application config:

  8. Now do the same for others.
  9. After this is done, Basis can perform the note 1719803 implementation now

Table usla04 to locate single role coming from which child system in CUA

December 02, 2017   child role, CUA, USLA04,
In a CUA system, you can use table USLA04 to check which child system a role originates from.


  1. SE16
  2. Enter USLA04

GRC 5.3 - Valid to date is always the current date during submission of a new request

November 30, 2017   current date, grc 5.3, valid to date,






  1. GRC 5.3 provisions the user with a validity period ending the same day the user was created. SU01 screen as below:
  2. In GRC you can see the following when requesting a new account:
  3. This was caused by the following settings in GRC 5.3 in Configuration > Field Mapping > LDAP Mapping > Additional Fields > validToDate
  4. Remove these entries and try again.

HOW TO SAP - Perform system trace for missing authorization

November 29, 2017   authorization trace, st01, system trace,

How to perform system trace for authorization









  1. Execute tcode ST01
  2. Check Authorization Check (you may select more)

  3. Click Trace On (Make sure to turn it off after you are done!)

  4. Now ask user to perform their task.
  5. *If there is more than one app server, go to tcode SM51
  6. *Then double click on the app server.
  7. *Then repeat steps 1 to 3
  8. Remember - once the user has completed the test, turn off all traces in ST01
  9. Now, click Analysis

  10. Filter the trace like below (select what you need)
  11. For authorization issues, anything above RC=0 means there is a missing authorization.


VIRSA - HOW TO export mitigation control

November 28, 2017   export mitigation control, virsa,
  1. SA38 or SE38 and execute  /VIRSA/ZVRAT_L03
  2. Enter the following details:




  3. Exported file looks like:

SOD Scan using /n/virsa/zvrat

November 26, 2017   sod scan, virsa,






  1. Tcode /n/virsa/zvrat
  2. Ok

  3. Enter userid
  4. Choose the system where user id was created

  5. Then execute
  6. If the system id was not found, you may add the system using those entries in SM59.
  7. To add, execute /n/virsa/zvrat_s16
  8. Select Comp Calibrator Configuration

  9. Under Parameter 19, add in a new system

  10. Save and try scan again

GRC 5.3 SNC - Provision with upper case userid which cause SNC to fail

November 25, 2017   cup, grc 5.3, lowercase, snc, su01, uppercase,



  1. GRC 5.3 is able to provision SNC settings to SU01 but USERID appears in upper case format as below:

  2. SNC is case sensitive, so it will fail when the user tries to log in.
  3. This is because GRC 5.3 converts the user ID to UPPERCASE as below:

  4. This can be resolved in two steps.
  5. Step 1: Configuration > Request Form Customization > SNC Name > 
    Default value > p:#!#userId#!#@DOMAIN.COM

  6. Step 2: Configuration > Field Mapping > LDAP Mapping > Additional Fields > Add SAP_User_ID and then map it to the correct LDAP field. In our case, it's "mailNickname" because it is in lowercase.
  7. GRC will then replace userId with the LDAP field "mailNickname", which is in lowercase

  8. Once provisioned, the SNC field in SU01 will be in this format: p:zmolan@DOMAIN.COM