
SAP security authorization concepts for multiple SAP products

Former Member
0 Kudos

Greetings all,

I am aware that SAP has a large product portfolio of products including SAP ECC 6.0, BI 7.0, HCM, SCM, SRM, MDG, ADS, etc.  My question is how best to find which products use only the standard authorization concepts as used in SAP ECC 6.0 (ABAP-based profile generator) and which have supplemental authorization concepts.  I am aware, for example, that BI 7.0 and HCM have, in addition to the standard authorization concept, their own means of further restricting access (analysis authorizations in BI 7.0, and structural authorizations in HCM).  Are there any additional authorization concepts besides these and how would I find which SAP products employ which types of authorization concepts?


Any guidance is greatly appreciated.

Kind Regards,

Bartz

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Bartz,

All the NetWeaver solutions have the same authorization concepts. Additionally, on top of that, say BI, HCM, CRM have different concepts, tools which will help in securing the data & application. There are applications with totally different authorization concepts (like MDM, BO).

Best place to check is the Security Guides. Security Guides for each SAP-delivered product are listed in Service Market Place. (Release & Upgrade Info-->Installation & Upgrade Guides-->Security Guide)

Regards,

Ajesh.

7 REPLIES 7

martin_voros
Active Contributor
0 Kudos

Hi,

the product that uses the standard authorization concept (PFCG and so on) must be built on top of NetWeaver. I believe that basically all products try to use this standard authorization concept provided by the platform unless it does not work. As you said, it does not work for HCM and BI. You forgot the authorization concept used in CRM. The good source of info should be SAP security guides. You can also check the table of contents of this book for various concepts.

The problem is with products that are not built on top of the NetWeaver platform. These have a completely different authorization model (usually these have been bought by SAP).

Cheers

koehntopp
Product and Topic Expert
0 Kudos

Hi Bartz,

most of the time the authorization concept will be determined by the platform, as already stated. There are a few exceptions that you listed, if you look in more detail there are a few others that depend on customization or table entries.

Once we start looking at other platforms (Java, Mobile) things start getting more difficult. Customers may see the need to harmonize their authorization management with some form of identity management. Outside the ABAP world there is a trend to bring everything together in Active Directory.

Can I ask what the background on your question is? What kind of problem are you trying to solve...?

Frank.

Former Member
0 Kudos

Thanks all for the informative replies.  To summarize, it would appear that any products based on the NetWeaver platform will use the "standard" authorization concept as initially introduced by SAP.  Any additional products not built on the NW platform (products bought by SAP) will likely have their own proprietary security model, and the trend is for harmonization of security with Active Directory.

@Frank:  The nature of this question is that I have a work program to review security, but based entirely around the standard NW security (roles, authorization objects, fields, etc.).  As SAP is continually expanding its product offerings, I would like to know how applicable this work program is for other products.  As it seems from this thread, my work program will not be applicable to products not based on the NetWeaver platform.

0 Kudos

Hi,

I am wondering what this "work program" of yours is? Can you please share some details?

Is that a tool? A methodology? A task you were assigned? Could also be my English that something got lost in translation, but I don't understand and am very curious.

cheers Otto

0 Kudos

@Otto:  When I was referring to a "work program", I was referring to a list of steps that I personally follow such as executing SUIM reports and looking at roles through PFCG.  Ultimately, what I have come to find from this thread is that if the product is not NetWeaver based, it does not follow the "standard" security design as created by SAP.

0 Kudos

Hi Bartz,

Your work program will be valid but you just need to extend it for the different technologies.  Ultimately you are looking for the same things, however system admin activities in MDM (for example) are represented in a different way than they would in an ABAP stack.  It's not actually too much work to extend them if you have access to a system and someone who is familiar with the authorisation model in that non-ABAP component.

Cheers

Alex