Applying Security Constraints to a Security Role

Use

You can map users or groups to a security role. Security role management enables you to apply security constraints to these security roles and, in this way, to manage the permissions of the users and groups that are mapped to them. You can apply security constraints:

· Over the different resources on the server.

· Over the domains of an application that require zones with more specific security permissions.

The users and groups that are mapped to a security role gain the same security rights as those applied over the security role itself.


For example, the default security role administrator contains the default user Administrator. This user has permissions to manage all the resources on the J2EE Engine, since the role has permissions to perform all administrative functions.

Procedure


In the Security Provider Service, choose the Runtime --> Policy Configurations --> Security Roles tab. Then choose the Switch to edit mode button in the upper left-hand part of the screen.

The actions you can perform, and the procedure for each, are as follows:

Create a new security role


1. Select a component to which the security role will be applied from Components.

2. On the Security Roles tab page, choose Add.

3. In the Add Security Role dialog, specify the name of the new role and its description.

The description is displayed each time a user selects the role, and allows other users to understand the purpose of the role you create.

4. Choose OK.

Create a role reference


1. Select the role from which you want to create a reference to another role.

2. Choose the Role Reference button.

3. Select a role to map to from the right-hand side Security Roles list.

4. Choose Save.

Your new role reference is mapped to the selected security role.


We recommend that instead of creating a new security role, you use a role reference to an existing security role that has already been configured, which corresponds to the mappings you need.


Example: you have an application with a resource to which you want to apply security restrictions, and you want to reuse the administrators security role. Create a new security role named application_role and specify a reference from application_role to the administrators role. When you save the role, the users mapped to the administrators role have access to the resource that is mapped to application_role. The benefit is that if a user or a group is removed from the administrators group, you do not have to change application_role, since it only references the administrators role. This keeps the security configuration stable.

Apply run-as-identity for a user

Select the role to mark as run-as-identity and choose Change.

Remove a security role


Select the role from the Security Roles list and choose Remove.

Mapping Users and Groups

Use

Create the security roles using names that explain which users will be included. Then map the existing users and groups to that role. For more information about creating new users and groups, see J2EE Engine User Management.

Once the roles are filled with users and groups, use the other services provided by the Security Provider Service to apply the constraints to the roles.

Procedure


1. In the Security Provider Service, choose the Policy Configurations --> Security Roles --> User Mappings tab and select the component to manage.

2. Choose the Switch to edit mode button from the upper left-hand part of the screen.

Then proceed as follows, depending on what you want to do:

Map a user to a role


1. In Security Roles, select the role to map the user to.

2. Select the user you want to map to the role from the User Tree, and choose Add.

Remove the mapping of a user to a role


1. In Security Roles, select the role to which the user is mapped.

2. Select the user to un-map from Users and choose Remove.

Map a group to a role


1. Select the role to manage from Security Roles.

2. Select the group you want to map to the role from the User Tree and choose Add.

Remove the mapping of a group to a role


1. In Security Roles, select the role to which the group is mapped.

2. Select the group to un-map from Groups and choose Remove.


Architecture of Security Roles


There are two types of security role in the SAP J2EE Engine:

· Application J2EE security roles that are based on the J2EE standard and which you can use to protect resources such as URLs or EJB methods.

· Server J2EE security roles with which you can protect any resources defined by the relevant service, such as Keystore Views.

Characteristics of the application J2EE security roles:

· The role is an abstract logical grouping of users that is defined by the developer.

· The role is defined in the deployment descriptor (XML files) of a particular application.

· The role consists of only a name and a description.

· The role relates only to the application for which it was defined.

Characteristics of the server J2EE roles:

· These roles can be created automatically by a service or manually by the administrator.

Purpose

The application J2EE security roles are suitable for purely static, activity-related access control. This concept is based on the assignment of authorizations by activity (such as the activity financial accountant), but not by instances (such as by cost centers). This means that all users to which the role Financial Accountant is assigned can post for all cost centers.

With J2EE security roles, the developer of an application can additionally decide whether to use these roles purely declaratively or with programmatic role references:

· Declarative security means that the container forces access control without the developer having to program it.

· Programmatic security means that the developer uses a method to check whether a caller of an EJB or a Web resource has a specific role. The developer can control the display of individual control elements using these “role references”. In this way, for example, users to which the role queried in the reference is assigned can receive a more extensive display on the same Web page than users to which this role is not assigned. There can be a mapping between the role checked in the program (such as “USER”) and the actual security role that can be assigned to users by the administrator (such as “HR_CLERK”), that is, a different role may be assigned to the one that is actually checked in the program. If the developers of the various components of an application have used roles with different names, but with the same semantics, these can therefore be consolidated in this way.


J2EE security roles should be used purely declaratively. UME roles and the corresponding UME APIs should be used for programmatic access control.

Work Flow when Using J2EE Security Role References

The developers can use role references (programmatic security) that correspond to individual authorizations in the program of their applications. In a second step, the developers or development coordinators assign at least one security role to each role reference. These J2EE security roles are delivered. The administrator at the customer site installs the application with the respective security roles. The user administrator then assigns the security roles to users or user groups.
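The following Python model is an added example, not SAP code and not from the original page. It shows the two mechanisms described above and under Applying Security Constraints to a Security Role: a programmatic role reference that maps the name checked in the program ("USER") to the security role the administrator actually assigns ("HR_CLERK"), and a security role (application_role) that references another one (administrators) so that the user and group mappings are kept in one place. The role names administrators, application_role, USER and HR_CLERK come from the page; the component name hr-app, the group admins, the resource /app/admin and all user names are constructed for the example.

```python
"""Model of J2EE security roles and role references (constructed example, not SAP code).

An in-memory registry resolves a programmatic role reference (the name checked
in the program, e.g. "USER") to the security role the administrator maps users
to (e.g. "HR_CLERK"), and lets a security role reference another one
(application_role -> administrators) so mappings are maintained once.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityRole:
    name: str
    description: str = ""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    references: set = field(default_factory=set)  # roles this role refers to


class RoleRegistry:
    def __init__(self):
        self.roles = {}
        self.role_links = {}     # (component, name checked in program) -> security role
        self.constraints = {}    # resource -> security roles allowed (security-constraint)
        self.group_members = {}  # group -> users (user management; constructed here)

    def add_role(self, name, description=""):
        self.roles[name] = SecurityRole(name, description)
        return self.roles[name]

    def add_reference(self, from_role, to_role):
        """Role reference: from_role grants access to whoever is mapped to to_role."""
        self.roles[from_role].references.add(to_role)

    def link(self, component, program_role, security_role):
        """security-role-ref: role-name checked in code -> role assigned by the admin."""
        self.role_links[(component, program_role)] = security_role

    def constrain(self, resource, *role_names):
        """Declarative security: only these roles may access the resource."""
        self.constraints.setdefault(resource, set()).update(role_names)

    def user_in_role(self, user, role_name, seen=None):
        """True if the user is mapped directly, through a group, or through a reference."""
        if seen is None:
            seen = set()
        if role_name in seen or role_name not in self.roles:
            return False          # unknown role, or a reference cycle
        seen.add(role_name)
        role = self.roles[role_name]
        if user in role.users:
            return True
        if any(user in self.group_members.get(g, ()) for g in role.groups):
            return True
        return any(self.user_in_role(user, ref, seen) for ref in role.references)

    def is_user_in_role(self, component, user, program_role):
        """Programmatic check: what isUserInRole(program_role) yields inside a component."""
        target = self.role_links.get((component, program_role), program_role)
        return self.user_in_role(user, target)

    def may_access(self, user, resource):
        """Declarative check the container makes before delivering a resource."""
        roles = self.constraints.get(resource)
        if roles is None:
            return True           # no constraint declared for this resource
        return any(self.user_in_role(user, r) for r in roles)


def build_example():
    """The page's scenario: application_role references administrators (hypothetical data)."""
    reg = RoleRegistry()
    reg.group_members["admins"] = {"alice", "bob"}            # constructed group
    reg.add_role("administrators", "server administrators").groups.add("admins")
    reg.add_role("application_role", "access to the protected resource")
    reg.add_reference("application_role", "administrators")
    reg.constrain("/app/admin", "application_role")           # constructed resource
    reg.add_role("HR_CLERK", "HR clerks").users.add("carol")
    reg.link("hr-app", "USER", "HR_CLERK")                    # code checks "USER"
    return reg


if __name__ == "__main__":
    reg = build_example()
    print("alice may access /app/admin:", reg.may_access("alice", "/app/admin"))
    print("carol is 'USER' in hr-app:", reg.is_user_in_role("hr-app", "carol", "USER"))
```

Removing a user from the admins group changes nothing in application_role, which is the point of the role reference; a missing security-role-ref falls back to checking the program name as a security role, which is why an unmapped reference silently denies access.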

Work Flow with Declarative Use of J2EE Security Roles

The developers program their applications and specify the J2EE security role associated in each case in the XML file. These J2EE security roles are delivered and used as described under J2EE security role references.

Determining Change Documents

Use

You can use this report to determine all changes to the following objects:

· A user (RSUSR100)

· A profile (RSUSR101)

· An authorization (RSUSR102)

· A role assignment (RSSCD100_PFCG)

· A role (RSSCD100_PFCG)

Note that changes for users, profiles, and authorizations are divided into two areas:

· Changes to authorizations: creating the user, changing, adding, or removing profiles

· Changing header data: password changes, validity, user type, user group, account number, lock status

You can select both fields to obtain all information. In this case, the left column shows the status before the change and the right column shows the changed entry.

You determine the changes for roles and role assignments using a separate interface.

Determining Documents for Users, Profiles, and Authorizations


1. Start the user information system (transaction SUIM).

2. Expand the Change Documents node.

3. Choose the Execute option next to For Users (or For Profiles or For Authorizations).

4. Specify the user (or the profile, or the authorization) and other restricting values, and choose Execute.

The result list Lists of Change Documents for Users appears.

5. You can display details for profiles and authorizations by double-clicking the appropriate object in the result list.

Determining Documents for Roles and Role Assignments

The interface for determining change documents for role assignment is a section of the interface to determine the change documents for roles.


1. Start the user information system (transaction SUIM).

2. Expand the Change Documents node.

3. Choose the Execute option next to For Roles (or For Role Assignments).

4. Enter the required details and then choose Execute.

You can select an individual role or a particular change document with the fields Name of the Role and Change Number of the Document. You can use the fields Changed By and To Date or To Time to further restrict the selection. You can use the button next to Changed By to enter your user name in the input field.

You can also choose the following document types under Change Documents, where an additional input field is displayed at the end of the list for some document types:

¡ Overview of change documents

¡ Creating and deleting roles

¡ Role description

¡ Single roles in composite roles

¡ Transactions in the role menu

¡ Other objects in the role menu

¡ Authorization data

¡ Org. level value

¡ Authorization profile

¡ Attributes

¡ MiniApps

¡ Composite role home page

¡ User assignment


With the User Assignment option, you can use the input field Assigned User to display the changes to role assignments for individual users.

You can use the option All Change Documents (Technical View) to display the contents of the key fields of the table entered in the field Change Document Table. If you enter an asterisk (*) as a placeholder or leave the field empty, all tables are used in the evaluation.

Transferring Users from New Systems

Use

If you include a new system in the distribution model selected, you must make sure that the user master records in the new system are transferred to the central system.

Prerequisites

You have synchronized the company addresses.

Procedure


1. Log on to the central system (in this example, ADMCLNT070).

2. In the Implementation Guide (IMG, transaction SALE), choose Modeling and Implementing Business Processes --> Predefined ALE Business Processes --> Central User Administration --> Transfer Users from New Systems (transaction SCUG).

The system displays the Central User Administration Structure Display screen with a tree structure of the systems of the distribution model. The systems with New indicators contain user master records that are not contained in the Central User Administration.

3. If you are setting up a completely new Central User Administration, place the cursor on the central system and choose Transfer Users.

The system displays the following tab pages:

New users

These users are not yet contained in Central User Administration. By choosing Transfer Users, you can transfer the selected users into the central system. This transfers all user parameters such as address and logon data, as well as profiles and roles. In the future, the user will be maintained centrally.

Identical users

These are users with identical user IDs (that is, their name and user name are the same). The roles and profile data for these users can be transferred to the central system. The user is then distributed and therefore appears as it is stored in the central system. Local data is overwritten.

Different users

These user IDs are contained in both the central and the child systems, but with different data.


If, in an individual case, the users are actually the same user, you can transfer the roles and profile data for the user to the central system. The user is then distributed as it exists in the central system.

If these are two different users, create a new user ID for one user in the central system, and delete this user in the child system.

Already central users

These users are already in the Central User Administration under the same name and are maintained centrally.

4. Select all new and changed users and choose Transfer Users.

5. Perform steps 3 and 4 successively for all child systems from which you want to transfer users.

6. After you have completed the user transfer, remove the roles Z_SAP_BC_CUA_SETUP_CENTRAL and Z_SAP_BC_USR_CUA_SETUP_CLIENT from the system users.

These roles are only required to set up the CUA, but not for its operation. By restricting the authorizations of the system users to the minimum level, you increase the security of your system landscape.

7. Use transaction SCUL to check the distribution of the users after the transfer.


Users that you have not copied to the central system can still be maintained in the child system. This means that the functions Create and Delete are still displayed in the user maintenance. These functions are no longer available only after the complete transfer of all users.


Licence Data Tab Page in SU01

You specify the contractual user type of the user on this tab page.


For more information about user types, see the SAP Service Marketplace under the path http://service.sap.com/licenseauditing --> System Measurement Named User --> User Classification.

If you are using Central User Administration, you can edit the user types in the central system using User Maintenance (transaction SU01) or Mass User Maintenance (transaction SU10). The following requirements must be fulfilled:

· Central and child systems have a release status of at least SAP Web AS 6.20 and SAP Note 704412 is installed

· In transaction SCUM, the maintenance of the license data is set to Global (see Setting Distribution Parameters for Fields). This is the default setting for a new installation of the CUA.

Personalization Tab Page in SU01

On the Personalization tab page, you can make person-related settings using personalization objects. You can call this tab page both in role maintenance and in user maintenance.

Groups Tab Page in SU01

You assign the user to a user group on this tab page. This is purely a grouping that is suitable, for example, for mass maintenance of user data (transaction SU10).

Assignments that you make on the Groups tab page are not used for authorization checks; those checks use the User Group field on the Logon Data tab page.

Authorization Profile SAP_NEW

This composite profile contains a single profile for each release that contains the authorizations that the users require to be able to continue using the functions that they have used until now, but which are protected with new authorization checks. However, you should not leave this profile active for a long period of time.

We recommend that you perform the following steps:


1. After the upgrade, delete the SAP_NEW_* profiles from the composite profile SAP_NEW for releases before the last revision of your authorization concept.

2. Assign the composite profile SAP_NEW to all users. This means that they can continue to use the functions that they have used until now.

3. Distribute the authorizations contained in the SAP_NEW single profiles to the roles or profiles that you use productively and maintain the authorization values.

4. Delete the profile assignment for SAP_NEW and the SAP_NEW profile.

A long list of SAP_NEW profiles (for example, after multiple upgrades) indicates that it is time to revise and redefine your authorization concept.


Authorization Profile SAP_ALL

This composite profile contains all SAP authorizations, meaning that a user with this profile can perform all tasks in the SAP System. You should therefore not assign this authorization profile to any of your users. We recommend that you maintain only one user with this profile. You should keep the password of this user secret (store it in a safe) and only use it in emergencies (see also Protective Measures for SAP*).

Instead of using the SAP_ALL profile, you should distribute the authorizations contained within it to the relevant places. You should, for example, not assign the SAP_ALL authorization to the system administrator (or superuser), but rather only the authorizations required for system administration, that is the S_* authorizations. This gives the administrator authorization to administer the entire SAP System. However, he or she cannot perform any tasks in other areas (such as HR).

Profiles Tab Page in SU01

On the Profiles tab page, you assign manually created authorization profiles and therefore authorizations to a user. The generated profiles of the roles assigned to the user are also displayed here.


Never enter the generated profiles directly on the Profiles tab page, as transaction PFUD deletes these assignments if there is no entry for them on the Roles tab page. When you assign a role to a user on the Roles tab page, the profile generated for this role is automatically entered on the Profiles tab page (see Assigning a Role and Comparing Profiles in the User Master Record with Roles).

You can assign 300 authorization profiles to a user (see SAP Note 410993).

You can manually maintain profiles by choosing Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Profiles Manually (see Creating and Maintaining Authorizations and Profiles Manually); however, we recommend that you use the Profile Generator instead, and generate the profiles automatically. You can enter composite profiles (a combination of several profiles) in the user master records when manually maintaining profiles.

The SAP system contains predefined profiles, the most important of which are explained below:

· SAP_ALL: To assign all authorizations that exist in the SAP system to users, assign the profile SAP_ALL.

· SAP_NEW: Composite profile to bridge the differences in releases in the case of new or changed authorization checks for existing functions, so that your users can continue to work as normal. This composite profile contains very extensive authorizations, as, for example, organizational levels are assigned with the full authorization asterisk (*).

Temporarily assign either the composite profile SAP_NEW, suitably adjusted beforehand, or the relevant single profiles SAP_NEW_<release> contained in the composite profile. You require all single profiles between the old release and the new release. For example, if you are upgrading from SAP R/3 4.5B to SAP R/3 4.6C, you require the following SAP_NEW profiles: SAP_NEW_4.6A, SAP_NEW_4.6B and SAP_NEW_4.6C. The simplest way to make these assignments is to delete all other single profiles from SAP_NEW and to assign SAP_NEW. Once you have incorporated the new authorization checks in your authorization concept, delete the SAP_NEW profile to avoid assigning authorizations that are too extensive.


You must add the new authorizations to manually generated profiles yourself.

· SAP_APP: This profile contains all application authorizations. It is not included in the standard SAP system; however, you can generate it with the report REGENERATE_SAP_APP. When executing this report, you can decide whether authorizations for the SAP NetWeaver and HR areas should be included.

Special Features if You Are Using Central User Administration (CUA)

If you are using Central User Administration with the field distribution setting Global for the Profiles field (transaction SCUM), the Profiles tab page in the central system has the following special features:

· The additional column System that specifies the system in which the manually generated profile is valid

· The additional pushbutton Text Comparison, with which you can make the profile and role names of the child systems known to the central system

· The profiles generated by the assignment of roles are no longer displayed (these profiles are only displayed in the child systems in which they are valid)

SNC Tab Page in SU01

This tab page is only displayed if you are using Secure Network Communications (SNC). It contains the following fields:

SNC Name

The SNC name is the user name from the external security product; you copy it from there and enter it either in this field or in table USRACL. A unique (canonical) SNC name is also generated and stored in the database.

Unsecure communication permitted (user-specific)

Set this indicator to allow unsecure communication for this user even though you have activated SNC with the profile parameter snc/enable.

Possible Combinations of Profile Parameters and Indicators

snc/accept_insecure_gui                     Indicator not set   Indicator set
0 (do not permit unsecure communication)    SNC                 SNC
U (user-dependent)                          SNC                 no SNC
1 (permit unsecure communication)           no SNC              no SNC

Determining Roles, Profiles, Authorizations, and Authorization Objects

Use

The reports RSUSR070 (roles), RSUSR020 (profiles), RSUSR030 (authorizations), and RSUSR040 (authorization objects) are constructed in the same way: in each case, the first node, ... by complex selection criteria, combines the selection options of the nodes below it. The evaluation for the Roles node is described here as an example. In this way, you can, for example, find all roles that contain the authorization to post documents (F_BKPF_BUK, activity 01).

Procedure


1. Start the user information system (transaction SUIM).

2. Expand the Roles node.

3. Choose the Execute option next to Roles by complex selection criteria.

4. Under Selection by authorization values, enter F_BKPF_BUK in the Object1 field, and choose Input Values (you cannot enter any values for report RSUSR040).

The fields previously hidden for entering the values are now ready for input.

5. Enter the activity 1 as the value.

The result list appears.

6. There are additional functions available to you on the result list, depending on the search area:

· Detail: starts transaction PFCG to display the role

· User assignment

· Profile assignment

· Transaction assignment

Value Input

The input values for the Value field of the authorization object are interpreted as follows:

Value      Explanation
no input   The system displays all authorization objects, irrespective of the value entered in the field.
' '        The system displays all authorization objects whose field contains a space as the value.
A*         The system displays all authorization objects whose field value begins with "A".
*          The system displays all authorization objects whose field contains the placeholder asterisk as the value.
'*'        The system displays all authorization objects whose field contains the placeholder asterisk as the value.
VALUE      The system displays all authorization objects whose field contains "VALUE" as the value.
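The following Python function is an added example, not SAP code and not from the original page. It implements the interpretation of the Value field exactly as the table above describes it, so that the difference between a bare asterisk (which finds authorizations whose field value is the full-authorization asterisk), a quoted value, and a trailing asterisk after text (a prefix search) can be checked against sample data. The authorization names and company code values are constructed; the object F_BKPF_BUK comes from the page.

```python
"""Matcher for the Value input semantics of the SUIM reports (constructed example, not SAP code).

value_matches() decides whether an authorization whose field holds field_value
would appear in the result list for the text entered in the Value field.
"""


def value_matches(entered: str, field_value: str) -> bool:
    # No input: every authorization object is listed, whatever the field holds.
    if entered == "":
        return True
    # A quoted value (' ' or '*') is matched literally: '*' finds fields whose
    # value is the placeholder asterisk, ' ' finds fields holding a single space.
    if len(entered) >= 2 and entered[0] == "'" and entered[-1] == "'":
        return field_value == entered[1:-1]
    # A bare asterisk also stands for the literal asterisk value, per the table.
    if entered == "*":
        return field_value == "*"
    # Text followed by an asterisk is a prefix search (A* finds A100, A200, ...).
    if entered.endswith("*"):
        return field_value.startswith(entered[:-1])
    # Anything else must match the stored value exactly.
    return field_value == entered


# Constructed sample: authorizations for object F_BKPF_BUK, field BUKRS (company code).
SAMPLE_AUTHORIZATIONS = [
    # (authorization name, field, stored value)
    ("Z_FI_ALL_BUK", "BUKRS", "*"),     # full authorization for all company codes
    ("Z_FI_1000", "BUKRS", "1000"),
    ("Z_FI_A100", "BUKRS", "A100"),
    ("Z_FI_A200", "BUKRS", "A200"),
    ("Z_FI_BLANK", "BUKRS", " "),       # field deliberately left as a space
]


def find_authorizations(entered: str, authorizations=SAMPLE_AUTHORIZATIONS) -> list:
    """Names of the sample authorizations that the given Value input would list."""
    return [name for name, _field, value in authorizations if value_matches(entered, value)]


if __name__ == "__main__":
    for entered in ("", "*", "'*'", "' '", "A*", "1000"):
        print(repr(entered), "->", find_authorizations(entered))
```

Note that searching with a bare `*` does not list every authorization; it lists only those that grant the full authorization, which is usually the list an auditor wants.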


User Information System

Use

You can use the User Information System to obtain an overview of the authorizations and users in your SAP System at any time using search criteria that you define. In particular, you can display lists of users to whom authorizations classified as critical are assigned. You can also use the User Information System to:

· Compare roles and users

· Display change documents for the authorization profile of a user

· Display the transactions contained in a role

· Create where-used lists


We recommend that you regularly check the various lists that are important for you. Define a monitoring procedure and corresponding checklists to ensure that you constantly check your authorization plan.

We also strongly recommend that you define the authorizations that are critical for you, and regularly check which users have these authorizations in their profiles.

To start the User Information System (transaction SUIM), either choose Tools --> Administration --> User Maintenance --> Information System in the SAP menu, or, in the user maintenance transaction (SU01), choose Information --> Information System.

Initial Screen of the User Information System


Assigning Users

You assign users to a role with this procedure.

Prerequisites

· You have created a menu for the new role and set up the authorizations.

· You have created the users that you want to assign to the role.

Procedure


1. Choose Tools --> Administration --> User maintenance --> Roles (transaction PFCG).

2. Specify the role to which you want to assign one or more users.

3. Choose the User tab page.

The status display on the tab page tells you whether users have already been assigned to the role.

· Red: No users assigned

· Green: At least one user assigned

· Yellow: Although users are assigned, the user master comparison is not current

For composite roles, the status display refers only to the assignment of users.

4. Enter as many user IDs as desired in the list.

Enter the user IDs either directly or from the possible entries help. You can make a multiple selection with the Select pushbutton, such as all users in a user group.

You can specify a validity period for the assignment in the other columns. When you assign users to the role, the default start date is the current date and the default end date is the 31.12.9999. You can change these default values.

5. Perform a user comparison if necessary.

The generated profile is not entered in the user master record until the users have been compared. Changes to the users assigned to the roles and the generation of an authorization profile also require a comparison.

You must then perform a user comparison on the User tab page, to automatically enter the generated authorization profiles in the user master record for the assigned users.

If you do not want to restrict the validity period of the assignment (current date until 31.12.9999), no further action is required. If you want to limit the validity period, you must schedule transaction PFUD to run daily to update the user master records. It must also be scheduled if you use Organizational Management.


Never enter generated authorization profiles directly into user master records, as these are deleted if the corresponding role is not contained in the user master record.

You have the following options for performing a user comparison:

¡ Choose the User Comparison button on the User tab page. The users are compared for the role you created. The status displayed next to this button specifies whether a new comparison is required.

¡ Choose Utilities --> Settings --> Automatic comparison at save. When you save the role, a user comparison is performed automatically.

¡ Wait until the user comparison is performed by the program PFCG_TIME_DEPENDENCY. Set the HR-OrgComparison indicator on the selection screen of the report.

You should schedule the report PFCG_TIME_DEPENDENCY periodically (preferably daily) as a background job. This ensures that user authorizations are regularly updated. The program performs a complete user master comparison for all roles. The authorizations are updated in the user master records. The authorization profiles of user assignments which have become invalid are removed from the user master record. The authorization profiles of valid user assignments to the role are entered.


Users who are assigned to a composite role are displayed on a gray background in the roles in the composite role. The entries cannot be changed. They should only be changed in the composite role.

If you perform a user master comparison for the composite role, it performs a user master comparison for all roles in the composite role.
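The following Python simulation is an added example, not SAP code and not from the original page. It models what the user master comparison described above does with generated profiles: every assignment that is valid on the comparison date contributes the generated profile of its role (a composite role contributing the profiles of all roles it contains), assignments that have expired lose their profile, manually maintained profiles are left alone, and a generated profile that was entered directly on the Profiles tab page without a role assignment behind it is removed. The role names, profile names, user names and dates are constructed; the default end date 31.12.9999 and the composite-role behaviour come from the page.

```python
"""Simulation of the user master comparison (PFUD / PFCG_TIME_DEPENDENCY); constructed example, not SAP code."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RoleAssignment:
    user: str
    role: str
    valid_from: date
    valid_to: date = date(9999, 12, 31)   # default end date of an assignment in PFCG


def expand_roles(role, composite_roles):
    """A composite role stands for all the single roles it contains."""
    return composite_roles.get(role, [role])


def compare_user_master(assignments, generated_profiles, composite_roles, user_master, today):
    """Return the corrected user master: user -> set of profile names.

    generated_profiles maps a single role to its generated profile. Profiles not
    in that mapping are manually maintained and are kept as they are.
    """
    generated = set(generated_profiles.values())
    # Keep only the manually maintained profiles; every generated profile is
    # re-derived from the role assignments below, so a generated profile that was
    # typed in directly on the Profiles tab page disappears here.
    result = {user: {p for p in profiles if p not in generated}
              for user, profiles in user_master.items()}
    for a in assignments:
        if not (a.valid_from <= today <= a.valid_to):
            continue                      # not (or no longer) valid today
        for single in expand_roles(a.role, composite_roles):
            profile = generated_profiles.get(single)
            if profile:                   # role without a generated profile adds nothing
                result.setdefault(a.user, set()).add(profile)
    return result


# Constructed sample data (hypothetical roles, profiles, users and dates).
GENERATED_PROFILES = {"Z_HR_CLERK": "T-HR000001", "Z_FI_POST": "T-FI000001", "Z_FI_VIEW": "T-FI000002"}
COMPOSITE_ROLES = {"Z_FI_ALL": ["Z_FI_POST", "Z_FI_VIEW"]}
TODAY = date(2024, 3, 1)
ASSIGNMENTS = [
    RoleAssignment("alice", "Z_HR_CLERK", date(2024, 1, 1)),
    RoleAssignment("bob", "Z_HR_CLERK", date(2023, 1, 1), date(2024, 2, 29)),  # expired yesterday
    RoleAssignment("dave", "Z_FI_ALL", date(2024, 3, 1)),                    # composite role
]
USER_MASTER = {
    "alice": {"S_A.SYSTEM"},       # manually maintained profile, must survive
    "bob": {"T-HR000001"},         # still holds the profile of the expired assignment
    "carol": {"T-FI000001"},       # typed in directly, no role assignment behind it
    "dave": set(),
}


def run_example():
    return compare_user_master(ASSIGNMENTS, GENERATED_PROFILES, COMPOSITE_ROLES, USER_MASTER, TODAY)


if __name__ == "__main__":
    for user, profiles in sorted(run_example().items()):
        print(user, sorted(profiles))
```

Running the comparison one day later than the end date is what removes bob's profile, which is why the report has to be scheduled daily when assignments carry a validity period.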
