Authorizations in SAP

Andrea Cavalleri is an SAP-certified security and compliance consultant. He founded Aglea s.r.l. (www.aglea.com) in 2003.He has more than 12 years of experience in IT and morethan 15 years of experience as a developer in C++ and Microsoft Access. Andrea has been a team leader in more than 30SAP GRC, identity management, and security projects andhas been a teacher for SAP Italy authorization and securitycourses since 1999. Massimo Manara is an SAP-certified security and compliance consultant at Aglea s.r.l. (www.aglea.com), the only Italian company whose core business is SAP security and compliance.He has nearly 10 years of experience in IT security and a bachelor's and master's degree in security computer science. Massimo has been a team leader in several SAP security projects and has been a teacher for SAP Italy GRC courses since 2009.

Acknowledgments
PART 1
User Master Records
Displaying the Technical Names of Transactions in the SAP Easy Access Menu en Masse
Improving Your User Master Record Accuracy with Hidden Fields
Defining an SAP User ID Naming Convention to Manage User Master Records
Using BAPIs to Help Mass-Maintain the User Master Record
Customizing the Rules for Automatically Generated Passwords During User Creation
Finding and Using User Parameters to Prepopulate Transactional Fields
Improving Your Business Reporting through User Groups
Working with Inactive Users
Customizing SAP and User Menus through the Session Manager
Assigning Roles through an Organization Structure without SAP HCM Deployed
Constraining Organization Structure Visibility through an HR Personnel Development Profile
Automatically Maintaining Structural Authorizations
Linking User Master Records to HR Data
Performing Mass Changes for Users and Roles in Java
Displaying Authorization Errors in Transaction Log SU53 for Different Users
Customizing Users' Selection en Masse
Mass-Changing Secure Network Communications Data for SSO User Mapping
PART 2
Development Security
Validating Your ABAP Code before Moving into the Production System
Archiving and Restoring a User's Favorites
Displaying the Security Data Dictionary Definition with the Object Navigator
Finding Vulnerability Strings in Your ABAP Code
Creating a Transaction Variant to Restrict User Activities
Finding Authorization Object Documentation
Searching for Values and Definitions in ABAP Data Dictionary Tables
Mass-Exporting Query User Group Information
Managing an Authorization Check in the Transaction Header
Restricting a User's Access to Called Transactions
Managing Customizing Tables in a Production System
Analyzing Your Security System to Keep it Updated
Using Parameter Transactions to Avoid Giving Direct Tables/Programs Access to End Users
Discovering Maintenance Customizing Transactions with a Table Name
PART 3
Profile Generator
Finding Roles That Contain Transactions at the Menu Level
Permanently Enable the Technical Name View in Transaction PFCG's Authorization Tree
Creating a Sustainable Authorization Roles Naming Convention
Evaluating the Manual or Modified Authorization Status during Profile Generator Maintenance
Creating an SAP_ALL Display-Only Role
Maintaining an Aligned Set of Job Roles with a Naming Convention
Designing and Assigning a Basic Role to All Users
Maintaining Derived Roles to Improve Authorization Maintenance
Discovering Misalignment between Transactions by Downloading Data to Spreadsheets
Finding Misinterpreted Authorization Wildcards in Your Roles
Performing Mass Downloads and Uploads of Standard Authorization Values
Setting Up Mass Adjustments for Derived Roles
Troubleshooting Authorization Problems for Users
Customizing Your Tree Menu Settings to Avoid Duplicate Structures
Automatically Populating the Authorization Objects Transaction Link When Performing a Developer Trace
Adjusting Query Maintenance to Avoid Security Problems
Cleaning Up Unused Batch Jobs
Setting Up Authorizations to Allow Internet Service
Avoiding Security Holes during SAP Menu Role Maintenance
Changing the Rules to Generate Profile Names
Comparing Authorization Roles to Check for Alignment Between Systems
Replacing the Parent Role of a Derived Role en Masse
Generating Large Quantities of Profiles for Roles in a Single Transaction
Using SAP BAPIs to Manage Roles with an External Program
Using Manual Composite Profiles to Bypass the Profile Technical Limit of 312
Using Parameter IDs and Customizing Transactions to Manage Authorizations
Removing Expired User-Role Links
Filtering Roles by Their Status
PART 4
Segregation of Duties
Tailoring Your Ad-Hoc Analysis by Using Custom Groups in RAR and ARA
Modifying Your Selection Criteria for User/Roles Analysis in SAP GRC 10.0
Clustering Data to Enhance Your RAR Reporting for Easier Consumption
Performing a User Impact Risk Analysis
Setting Selection Criteria for the Web Interface as a Default Value
Defining a Firefighter User ID Naming Method
Using Organizational-Level Mapping in Business Role Management to Improve Role Derivation
Using Business Role Management to Define Business Roles in Place of Composite Roles
Setting Up Data Segregation in SAP GRC ARA
Keeping Your Mitigation Tables Clean and Accurate with the Invalid Mitigation Report
PART 5
Upgrades
Making Your Roles Compliant with Transaction SU25
Deciding How to Set Up Your Authorization Upgrade
Managing Derived Roles during an Upgrade
Converting a Manually Created Profile into a Role
Avoid Maintaining a Role's Authorization Tree Twice When New Transaction Codes Are Added
Identifying New Transactions in a Role's Menu
Communicating Password Requirement Changes During SAP Upgrades
PART 6
Auditing
Searching for Roles or Users Using Transaction SUIM with Asterisk Searching
Using the Security Audit Log to Manage Your Super Users' Access
Changing the Classification of an Audit Log Message
Configuring the SAP System to Log Activity in the Security Structure
Activating Table Tracing to Log the Details of Changes Made
Viewing All Instances of Profile Parameters
Identifying Alias Transactions to Eliminate Unauthorized System Access
Finding a Specific User Who Has Made Changes to Values
Identifying Query Changes
Protecting and Auditing Your Remote Function Call
PART 7
Security Templates
Using a Spreadsheet to Collect Authorization Data
Defining a Template for Gathering and Defining Your Job Role Data
Defining a Template for Gathering the Organizational Constraints of Job Role Data
Defining a Template for Gathering the Nonorganizational Constraints of Job Role Data
Using Pivot Tables and Authorization Reports to Customize Data for the Reader
PART 8
Continuous Compliance and Governance
Defining Data for User Revalidation
Revalidating Roles and Providing Documentation for Analysis
Making Sure Users Are Assigned Only to the Roles and Transactions They Use
Using Indirect Role Assignment to Simplify User Maintenance and Reporting
Defining Business Owners
Finding Misalignments between Organizational-Level Pop-Ups and Authorization Data in Derived Roles
Finding Manually Created Authorizations in a Role's Authorization Tree
Substituting SAP Queries with Specific Transaction Codes
Using a Query to Find Manually Created Authorizations and Convert them to Roles
Additional Resources
Index