1⟩ How do we test security systems? What is the use of SU56?
Through Tcode SU56, we check the user's buffer.
We need to log in to the system where the change has taken place. Go to
SM20, select the date and time or a time range in the time tab, and
select * in the user tab. Once you have keyed in all the inputs, be sure
to select the servers or instances on the left-hand side, and then execute.
You need to select the user master record.
You will get a report for the user master record; find the user
ID in the list.
One way to lock users is by executing Tcode EWZ5.
Another way is by executing SU10 ... authorization tab ...
evaluate the users list ... transfer ... execute.
Execute SU01.
There you can find a tab called the system tab.
If the system tab is not displayed on the SU01 screen,
no CUA is configured.
Derived roles are also called child roles, and master
roles are called parent roles.
Derived roles refer to roles that already exist. As the
name indicates, derived roles are derived from another role
(the master role).
Derived roles inherit the menu structure and the functions
included (transactions, reports, web links and so on) from
the role referenced.
The default authorization values of the derived role are
those of the inherited role. The org levels are to be
maintained in the derived role.
Displays the current user's authorization profiles available
to the ID. It can also be used to reset the user's buffer to
pick up new roles and authorizations.
A collection of rules is nothing but a rule set. There is a
default rule set in GRC called the Global Rule Set.
Parameters: whenever a user wants some default values
when he/she executes a t-code, we can maintain some
PIDs with the help of ABAPers.
We can create, transport, copy, download and modify roles;
all these things are done from the PFCG t-code.
Derived roles: to restrict user access based on
organizational level values.
A derived role is inherited from the master role and inherits
all the properties except the org level values.
PFCG is used to create, maintain and modify roles.
PFCG_TIME_DEPENDENCY is a background job of PFUD.
PFUD is used for mass user comparison, but the difference is that
if you schedule the background job on a daily basis, it will do the
mass user comparison automatically.
The Offline Mode Risk Analysis process is performed with the help of the Risk Identification and Remediation module in the SAP GRC Access Control Suite. Offline mode analysis helps in identifying SOD violations in an ERP system remotely. The data from the system is exported to flat files, and it can then be imported into the CC instance with the help of the data extractor utility.
It can also be used to remotely analyze an ERP system which may be present in a different ERP Landscape.
Before adding a custom t-code to a role, we should see if there are any authorization objects maintained for this t-code in SU24. If not, we should maintain them. We also need to find the authority check in the program related to the custom t-code by using t-code SE93. If the custom t-code doesn't have an auth object, as an exception it should all authorization groups S_TABU_DIS. If the t-code satisfies any one condition, we can save and generate the role.
Not more than 10 authorization fields in an object,
312 profiles in a role,
150 authorization objects,
If changes are to be reflected immediately, user comparison is recommended.
Generally this task is done by the PFCG_TIME_DEPENDENCY background job, which runs once daily, so that roles are adjusted after running this report.
Also, during indirect assignment of roles to users using t-codes PO13 and PO10, we have to do a user comparison so that the roles get reflected in the SU01 record of the user.
Just to say, all the t-codes which can affect roles and user master records are critical ones. SU01, PFCG, RZ10, RZ11, SU21, SU03 and SM37 are some of the critical t-codes.
Below are critical objects:
S_TABU_DIS
S_USER_AGR
S_USER_AUT
S_USER_PRO
S_USER_GRP