If you create an authorization definition, you need to think about which authorization combinations are not compliant. You can differentiate between two use cases:
-
Find all SAP roles and profiles with invalid combinations of authorizations.
Create an SAP function for authorizations that cannot occur together with an SAP role or an SAP profile. The authorization check identifies all SAP roles and profiles whose authorizations in total have this invalid combination of authorizations.
-
Find all identities that have obtain invalid combinations of authorizations through their SAP user accounts.
Create different SAP functions for authorizations that in combination are invalid. Create compliance rules that combine these SAP functions. The compliance check finds all identities that have such invalid authorization combinations over the sum of all authorizations of their SAP user accounts.
Example for use case 1
A company has changed its policies on compliant SAP authorizations. Now the new policies must be checked to see if existing authorizations comply. SAP roles and profiles with invalid combinations of authorizations must be identified so that they can be modified to meet the new requirements.
An SAP function is created for each invalid authorization combination.
|
SAP function |
SAP application |
Authorization objects |
Field |
Value |
|---|---|---|---|---|
|
F-A |
TR1 |
AO2 |
ACTVT |
* |
|
TR1 |
AO2 |
Class |
* | |
|
TR1 |
AO3 |
ACTVT |
01+02 | |
|
TR1 |
S_TCODE |
TCD |
TR1 | |
|
RF |
AO5 |
ACTVT |
* | |
|
RF |
AO5 |
RLTYP |
R* | |
|
RF |
S_RFC |
RFC_NAME |
RF | |
|
F-B |
TR1 |
AO3 |
ACTVT |
* |
|
TR1 |
AO4 |
ACTVT |
02,03,07 | |
|
TR1 |
AO4 |
Class |
DEF[*] | |
|
TR1 |
S_TCODE |
TCD |
TR1 |
The following SAP profiles are available:
|
SAP profile |
SAP application |
Authorization objects |
Field |
Value |
|---|---|---|---|---|
|
P1 |
TR1 |
AO1 |
ACTVT |
* |
|
TR1 |
AO1 |
Class |
* | |
|
TR1 |
AO3 |
ACTVT |
* | |
|
TR1 |
AO4 |
ACTVT |
01, 02 | |
|
TR1 |
AO4 |
Class |
DEF* | |
|
TR1 |
S_TCODE |
TCD |
TR1 | |
|
P2 |
TR1 |
AO2 |
ACTVT |
* |
|
TR1 |
AO2 |
Class |
* | |
|
TR1 |
AO3 |
ACTVT |
01 | |
|
TR1 |
S_TCODE |
TCD |
TR1 | |
|
P3 |
TR1 |
AO3 |
ACTVT |
01, 02 |
|
TR1 |
AO4 |
Class |
* | |
|
TR1 |
AO4 |
ACTVT |
03, 07 | |
|
P4 |
RF |
AO5 |
ACTVT |
03 |
|
RF |
AO5 |
RLTYP |
* | |
|
RF |
S_RFC |
RFC_NAME |
RF |
SAP profiles are found that match the SAP function during authorization checking.
Results of the authorization check: TestWithoutTCD is not set.
-
SAP function: F-A
SAP profile affected: P4
The profile P4 has all the authorization objects, fields, and values named in SAP application RF.
The profile P1 is missing authorization objects AO2, S_TCODE, AO5, and S_RFC. Therefore it does not match the SAP function.
The profile P2 is missing the value 02 for the authorization object AO3 as well as the authorization objects AO5 and S_RFC. Therefore it does not match the SAP function.
The profile P3 is missing authorization objects AO2, S_TCODE, AO5, and S_RFC. Therefore it does not match the SAP function.
-
SAP function: F-B
SAP profile affected: P1
The profile P1 has all the authorization objects and fields named in the SAP function and at least one of the values.
The profile P2 is missing authorization object AO4. Therefore it does not match the SAP function.
The profile P3 is missing authorization object S_TCODE. Therefore it does not match the SAP function.
Profile P4 is missing the authorization objects AO3, AO4, and S_TCODE. Therefore it does not match the SAP function.
If the TestWithoutTCD configuration parameter is set for authorization checking, then the SAP profiles P2 and P3 comply with the new guidelines and can continue to be used. The profiles P1 and P4 must be modified to comply with the new policies.
Results of the authorization check: TestWithoutTCD is set.
-
SAP function: F-A
The authorization objects S_TCODE and S_RFC are ignored during the check.
SAP profile affected: none
The profile P1 is missing authorization objects AO2 and AO5. Therefore it does not match the SAP function.
Profile P2 is missing authorization object AO5 and value 02 for authorization object AO3. Therefore it does not match the SAP function.
The profile P3 is missing authorization objects AO2 and AO5. Therefore it does not match the SAP function.
The profile P4 is missing authorization objects AO2 and AO3. Therefore it does not match the SAP function.
-
SAP function: F-B
The authorization object S_TCODE is ignored during the check.
SAP profiles affected: P1, P3
The profile P1 has all the authorization objects and fields named in the SAP function and at least one of the values.
The profile P3 has all the authorization objects and fields named in the SAP function and at least one of the values.
The profile P2 is missing authorization object AO4. Therefore it does not match the SAP function.
The profile P4 is missing authorization objects AO3 and AO4. Therefore it does not match the SAP function.
If the TestWithoutTCD configuration parameter is set for authorization checking, then the SAP profiles P2 and P4 comply with the new guidelines and can continue to be used. The P1 and P3 profiles must be adjusted.
Example for use case 2
SAP user accounts must be checked for guidelines violations. The following user accounts and identities are available:
-
User A with user account AC1 with the SAP profile P1
-
User B with user account AC2 with the SAP profiles P2 and P3
-
User C with user account AC3 with the SAP profile P2 and user account AC4 with the SAP profile P3
The SAP profiles have the following authorizations:
-
P1 with AO1 and AO2
-
P2 with AO1
-
P3 with AO2
An identity cannot have the two authorizations AO1 and AO2 at the same time. The SAP function SF-A is created for the check. A compliance rule CR-X finds all identities that match this SAP function.
-
SF-A checks AO1 AND AO2
-
CR-X: The identity has at least the SAP SF-A function.
Only the SAP profile P1 matches the SAP function. Therefore, the compliance rule finds a rule violation for just User A. To ensure that the combination of the SAP profiles P2 and P3 is also recognized as invalid, additional SAP functions and compliance rules must be created.
-
SF-B checks AO1
-
SF-C checks AO2
-
CR-Y: The identity has at least the SAP function SF-B AND they have at least the SAP function SF-C.
The SAP profiles P1 and P2 match the SAP function SF-B. The SAP profiles P1 and P3 match the SAP function SF-C. Thus, the compliance rule CR-Y can be used to determine all identities who are assigned the SAP profiles P1 or P2 and P3 though their user accounts and therefore have both authorizations AO1 and AO2.
|
Rule |
Rule condition |
Identity that violate rules |
|---|---|---|
|
CR-X |
The identity has at least the SAP function SF-A. |
User A |
|
CR-Y |
The identity has at least the SAP function SF-B AND they have at least the SAP function SF-C. |
User A User B User C |