SAP stands for "Systems Applications and Products in Data Processing." It was founded in 1972 by five former IBM employees in Germany.
The great advantage of SAP is that it creates a common, centralized database for all the applications running in an organization. The application has been assembled in such a versatile way that it handles every functional department within an organization. Today, major companies including Microsoft and IBM use SAP's products to run their own businesses.
R/2, which ran on a mainframe architecture, was the first SAP version. SAP's products are generally focused on Enterprise Resource Planning (ERP). SAP's applications are built around the R/3 system, which provides the functionality to manage product operations, cost accounting, assets, materials and personnel. The R/3 system runs on the majority of platforms, including Windows 2000, and uses the client/server model.
ERP is a package with the techniques and concepts for the integrated management of business as a whole, for effective use of management resources, to improve the efficiency of an enterprise.
Initially, ERP was targeted at the manufacturing industry, mainly for planning and managing core business such as production and the financial market. With the growth and merits of the ERP package, ERP software is designed for the basic processes of a company, from manufacturing to small shops, with the aim of integrating information across the company.
IDES stands for International Demonstration and Education System. It is a sample application provided for faster learning and implementation. This version is used only for training purposes. IDES comes with some dummy data to enable you to learn quickly.
User IDs can be created using any of the following procedures:
• Using transaction code SU01
• Using transaction code SU10
• Using CATT scripts
Refer to the “Learnbasis - User Management Activities in .PDF” document for detailed procedures.
PFCG is the transaction code used to invoke the Profile Generator tool. The Profile Generator is a tool that can be used to automatically generate and assign authorization profiles.
The Profile Generator reduces the time needed for authorization implementation. It automatically selects the relevant authorization objects based on the transaction codes added to the role. An administrator only needs to configure the customer-specific settings.
Profile Generator was released with the 3.1G version and has really changed the way authorizations were implemented.
The USOBX_C and USOBT_C tables are called customer tables. They should be created using transaction code SU25 in a fresh implementation or an upgrade.
The table USOBX_C defines which authorization checks are to be performed within a transaction and also determines which authorization checks are maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.
To create/maintain users, the following are the minimum authorization objects required:
• S_USER_GRP: User Master Maintenance: Assign user groups
• S_USER_PRO: User Master Maintenance: Assign authorization profile
• S_USER_AUT: User Master Maintenance: Create and maintain authorizations
A role is a grouping of privileges that can be assigned to users. In other words, a role is a collection of transaction codes, reports, and authorization objects, which are further restricted based on the function of the user.
A derived role is a role which inherits the menu structure and the functions included (transactions, reports, Web links, and so on) from a reference role.
A role can only inherit menus and functions if no transaction codes have been assigned to it before. The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards.
However, the organizational level definitions are not inherited by the derived role, which means they must be maintained individually.
A composite role is a container that can collect several different roles. It is also called a collective role.
Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
Note that a composite role can’t contain another composite role.
User Comparison will reconcile the PROFILES within a user's account and make the necessary changes. This is especially true when you've assigned specific Valid-To dates for the roles on an account. If the Valid-To (expiry) date of a role has passed, the User Comparison will REMOVE the profile/role from that account.
As mentioned above, if you see a red button in PFCG this means that a User Comparison should be executed to help reconcile the profiles for the users. You can also see this in SU01 if a specific role has a red button.
As a suggestion, it is recommended to run the report PFCG_TIME_DEPENDENCY once a day to perform a User Comparison and help 'clean up' the User Master Record for your system.
Security is the degree of protection against danger, loss, or a business threat.
Security as a form of protection consists of the structures and processes that provide or improve security as a condition.
At the application level, it is the condition that prevents unauthorized persons from having access to official information that is safeguarded through various security measures.
Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application. Below are some of the security standards and regulations:
• Sarbanes-Oxley Act (SOX)
• Health Insurance Portability and Accountability Act (HIPAA)
• IEEE P1074
• ISO/IEC 7064:2003 Information technology -- Security techniques -- Check character systems
Security also follows the application security methods, wherein measures are taken throughout the life-cycle to prevent unauthorized access to the system. It follows the Sarbanes-Oxley Act (SOX), which helps companies quickly identify any threats and either fix or mitigate them as and when they occur, with a periodic review. Maintaining the system with defined processes for User Management and Role Management activities is also part of these security standards.
Whenever a user logs on to the system, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer. This can be viewed using transaction code SU56.
A user would fail an authorization check if:
• The authorization object does not exist in the user buffer
• The values checked by the application are not assigned to the authorization object in the user buffer
• The user buffer contains too many entries and has overflowed
The number of entries in the user buffer can be controlled using the system profile parameter auth/number_in_userbuffer.
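The three failure cases above, as an added Python model (not SAP code and not part of the original page). The buffer contents, the small limit standing in for auth/number_in_userbuffer, and the function names are constructed; the model also shows that every checked field must be satisfied by a single authorization.

```python
# Simplified model of the authorization check described above (not SAP code).
# Buffer contents, the tiny buffer limit and all function names are constructed.

def build_user_buffer(authorizations, limit):
    """Cap the buffer at `limit` entries (stands in for auth/number_in_userbuffer)."""
    return {"entries": authorizations[:limit],
            "overflowed": len(authorizations) > limit}


def field_allows(granted, wanted):
    """A field passes if the authorization holds '*' or the exact value."""
    return "*" in granted or wanted in granted


def authority_check(buffer, obj, **wanted):
    """Return (passed, reason) for one check of `obj` with the wanted field values."""
    same_object = [fields for name, fields in buffer["entries"] if name == obj]
    # Every checked field must be satisfied by ONE authorization; values held
    # in two separate authorizations of the same object are not combined.
    for fields in same_object:
        if all(field_allows(fields.get(k, ()), v) for k, v in wanted.items()):
            return True, "ok"
    if buffer["overflowed"]:
        return False, "buffer overflowed: the needed entry may have been dropped"
    if not same_object:
        return False, "object not in user buffer"
    return False, "checked values not assigned to the object"


# Constructed authorizations for one user administrator.
AUTHS = [
    ("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"03"}}),          # display any group
    ("S_USER_GRP", {"CLASS": {"TERMINATE"}, "ACTVT": {"02"}}),  # change one group
    ("S_USER_PRO", {"PROFILE": {"*"}, "ACTVT": {"03"}}),        # display profiles
]

if __name__ == "__main__":
    full = build_user_buffer(AUTHS, limit=10)
    small = build_user_buffer(AUTHS, limit=2)   # third entry is dropped
    print(authority_check(full, "S_USER_GRP", CLASS="TERMINATE", ACTVT="02"))
    print(authority_check(full, "S_USER_GRP", CLASS="HR", ACTVT="02"))
    print(authority_check(full, "S_USER_AUT", ACTVT="03"))
    print(authority_check(small, "S_USER_PRO", PROFILE="Z_TEST", ACTVT="03"))
```

The second call fails even though the user holds CLASS '*' and ACTVT '02', because those values sit in two different authorizations.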
It is always recommended to have the user log off and log in again to the SAP system, which automatically resets the user buffer. However, if you wish to manually reset the buffer for any user, go to transaction code SU53 or SU56, click authorization values, and select the “Reset User Buffer” option.
However, if you wish to reset the buffer for a different user, select the other user using button. Please note: resetting of the buffers could change the performance of the entire system.
Below are the various commands to reset the buffers:
/$SYNC - buffers of the application server
/$CUA - CUA buffer of the application server
/$TAB - the TABLE buffers of the application server
/$DYNP - the screen buffer of the application server
There is no restriction on the number of roles assigned. However, the maximum number of profiles that can be assigned to any user is ~312.
Table USR04 holds the Profile assignments for users. This table contains both information about the change status of a user as well as the list of profile names that were assigned to the user.
The PROFS field is used to save the change indicator (C = User created, M = User changed) and the name of the profiles assigned to the user. The field is defined with a length of 3,750 characters. Since the first two characters are for the change indicator, 3,748 characters are still available for the list of profile names per user. Since the maximum length for each profile name is 12 characters, the maximum number of profiles per user is 312.
Note 841612 delivered a solution for increasing the number of usable profiles per user from 300 to the maximum value of 312.
All possible activities (ACTVT) are stored in table TACT. Also, the valid activities for each authorization object can be found in table TACTZ.
Execute SE16 or SE16N transaction code. Enter the table name “AGR_1252”. Enter the Role name in the role field and hit execute.
To remove duplicate roles from the user master, perform the following:
1. Go to SE38 (you can also use SA38 transaction code)
2. Enter the program name “PRGN_COMPRESS_TIMES”
3. Click Execute.
4. Enter the Role name (you can also specify a group of roles or users.)
NOTE: A list of user IDs can be specified to remove the duplicate/expired roles.
5. Click Execute.
Simulation Run – will perform a simulation on the mentioned roles/user IDs.
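To see in advance which assignments a User Comparison or a PRGN_COMPRESS_TIMES run would concern, an export of the user-role assignments can be reviewed offline. The following Python example is added here and is not part of the original page or of SAP's reports; it assumes a CSV export with the column names of table AGR_USERS, and all rows and role names are constructed.

```python
# Offline review of a user-role assignment export before a cleanup run.
# Assumption: columns are named as in table AGR_USERS; all rows are constructed.
import csv
import io
from collections import defaultdict
from datetime import date, datetime

EXPORT = """UNAME,AGR_NAME,FROM_DAT,TO_DAT
JSMITH,Z_FI_CLERK,20240101,20241231
JSMITH,Z_FI_CLERK,20240601,99991231
JSMITH,Z_MM_BUYER,20220101,20221231
ADOE,Z_HR_ADMIN,20240101,20240331
ADOE,Z_HR_ADMIN,20240501,99991231
"""


def to_date(yyyymmdd):
    return datetime.strptime(yyyymmdd, "%Y%m%d").date()


def review_assignments(csv_text, today):
    """Return (expired, duplicated) assignments as of `today`.

    expired:    rows whose Valid-To date has passed
    duplicated: (user, role) pairs with still-valid rows that overlap in time
    """
    expired, active = [], defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["UNAME"], row["AGR_NAME"])
        start, end = to_date(row["FROM_DAT"]), to_date(row["TO_DAT"])
        if end < today:
            expired.append((*key, row["TO_DAT"]))
        else:
            active[key].append((start, end))
    duplicated = []
    for key, periods in active.items():
        periods.sort()
        # After sorting by start date, an overlap exists when a period
        # begins on or before the end of the one before it.
        if any(nxt[0] <= prev[1] for prev, nxt in zip(periods, periods[1:])):
            duplicated.append(key)
    return expired, sorted(duplicated)


if __name__ == "__main__":
    expired, duplicated = review_assignments(EXPORT, date(2024, 7, 1))
    print("expired:", expired)
    print("duplicated:", duplicated)
```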
Day-to-day activities:
access request -----> p1 ----> 3
incidents -----> p2 ----> 6
change requests -----> p3
mail requests -----> p4
SU01, PFCG, SUIM, SE16, SU53, ST01
USR02 and AGR* tables
Create a transport request in the DEV system for the role and delete the role in the DEV system. Move the transport request from DEV to QA and PRD.
Not possible (we can’t reset the passwords of 1000 users at a time).
Yes (first we need to set up SU24, then create roles).
By using the derived roles concept (we can add a new transaction code to multiple roles at a time).
We can make changes directly in tables.
Changed: All changes made to “Standard” authorizations (except for blank authorizations) are indicated as “Changed”.
Maintained: At least one field was empty by default and has since been filled with a value.
We can make changes directly in tables.
The following authorization objects are required to create and maintain user master records:
• S_USER_GRP: User Master Maintenance: Assign user groups
• S_USER_PRO: User Master Maintenance: Assign authorization profile
• S_USER_AUT: User Master Maintenance: Create and maintain authorizations
NO
A role acts as a container that collects transactions and generates the associated profile. The Profile Generator (PFCG) in the SAP system automatically generates the corresponding authorization profile.
When a user logs on to the R/3 System, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer. For example, if user Smith logs on to the system, his user buffer contains all authorizations of role.
Execute SE16. Table: AGR_AGRS (Composite roles). You can enter multiple composite roles using the More button.
By using transaction code SU10. If you have fewer than 16 users, you can paste the user IDs. If you have more than 16 users, click on Authorization data and click on next to users and upload from clipboard.
1. Remove all the roles and profiles assigned to the user.
2. Move them to the TERMINATE user group.
3. Lock the user.
SU22 displays and updates the values in tables USOBT and USOBX. SU24 does the same in tables USOBT_C and USOBX_C. The _C stands for Customer. The profile generator gets its data from the _C tables. In the USOBT and USOBX tables the values are the standard values as shown in SU24.