Hi Vamsi,

The following are the phases involved in implementing SAP Security:

<b>Preparation</b>

- Set up a team responsible for the user roles and the authorization concept.

- Identify the business areas affected and their special security requirements.

- Plan security requirements for production, test and development environments. User in different system needs different level of access. For example a developer in Development system need border access where as he only need display access in Production.

- Schedule training for the team member, so that they now how roles and authorization works.

- The team members must be familiar with the basic principles of the SAP authorization concept and the available control and administration tools. The members responsible for implementation must be able to use the Profile Generator.

<b>Analysis and Design</b>

- Specification of the role and authorization concept:

- Identify required roles. Determine task profiles based on the organization chart and a business process analysis. Check if SAP role templates can be used.

- Specify relevant applications functions (transactions, reports, Web links) to the roles. Make any required adjustments if role templates are used.

- Specify if the roles are higher-level roles or specific roles; that is, if they are subject to any restrictions resulting from organizational or application-specific control mechanisms.

- Identify required composite and individual roles for implementing the roles and the authorization concept.

- Check the role and authorization concept. To detect any shortcomings in conception before actual implementation, SAP recommends that you create a prototype of the concept.

<b>Implementation</b>

- From a technical point of view, user roles are implemented as composite roles using the Profile Generator. Composite roles consist of individual and composite roles that each contain the relevant authorizations and menu data. Authorizations specify the scope of access to data and functions. User menus use hierarchical structures to specify the access path to the transactions, reports and Internet pages released for a specific user.

- You create user roles in the following way:

- Create individual roles: Individual roles either describe higher-level functions that are independent of organizational or application-specific restrictions or are used as templates for creating derived roles that are not subject to any restrictions.

- Having checked the individual roles used as the derivation basis, you create the derived roles. These contain the desired organizational or application-specific restrictions. For each responsibility area, you create a derived role from an existing individual role.

- Finally, the composite roles are created from the implemented individual and derived roles as the technical counterparts of the user roles.

<b>QA</b>

- To ensure that productive operation is not affected, it is important to thoroughly test the user roles in connection with the authorizations before you switch over to production. In addition, the responsible area manager must approve of the role and authorization concept implemented.

- To standardize the test, the relevant process flows must be determined and published. You should use predefined test scenarios that cover all business processes implemented.

- The test scenarios should include both positive and negative checks of the authorizations of the individual roles. The positive test checks whether the functions are executed as desired, while the negative test must confirm that all restrictions defined are observed. For example, a human resources administrator can display the users for a specific work center, but not the records for other work centers. The test scenarios must cover all functions that are to be performed by a user role.

- If a function cannot be called during the test, you must correct the user roles and the authorization concept. Note that changes may affect several (derived) roles. In extreme cases, you must revise the entire role and authorization concept.

- You may also be required to modify the user menus in order to simplify access to the functions. To ensure that the system becomes more user-friendly, the project team responsible should closely cooperate with the representatives of the relevant business areas.

After fine-tuning the user roles, you must repeat the tests as often as necessary until the user roles implemented completely comply with the security and usability requirements

<b>Cutover</b>

- Before you create the productive users, you must configure central user management and create the master records for user management in your production environment.

- To simplify the creation of the individual user master records, you first create model records. These model records are used as copy templates for the records of the productive users. In the central system, create a user master record for each role specified in the company-wide role matrix (authorization list). If a role is subdivided into several responsibility areas that are subject to organizational restrictions (company code, cost center, plant, and so on) or application-specific control mechanisms (for example, FI authorization groups), you must create a separate record for each responsibility area. Be sure to maintain the additional data (parameters, printers, and so on).

- After consulting the area managers (data owners), define the roles for each user. Consider that some users may have several roles or different roles in various logical systems (clients). Enter the assignments in a user and role matrix.

- To create a master record for a user, you copy the model record for the relevant role and customize this record as required.

- Get the final approval of the area managers with regard to the users created and communicate all access-relevant data (system, client, ID, and password) to the end-users.

Hope it helps.

Please award points if it is useful.

Thanks & Reagrds,

Santosh