Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Creating the Authorization Matrix?

Former Member

How should requirement gathering be done?

What is the procedure to create an Authorization Matrix in an SAP Security project?

1 ACCEPTED SOLUTION

Former Member

Hi Ajit,

Transactions and authorizations defined in roles are a result of business process needs.

So first, the functional/business consultants need to define the proper business processes in place. Initially, this is done at the transaction level.

In this initial requirement gathering, the security team needs to be proactive to understand all these processes and propose possible changes, viz. normalize the roles so that a transaction is not duplicated across many roles (unless required), check if any within-role SoDs are forming and act accordingly, etc.

Next would be to determine the object values, which is normally done with a high degree of interaction with the functional consultants. For larger companies, some roles might need to be restricted too; hence, derived roles would also come into play. All this forms a part of requirement gathering.

Companies follow different procedures for requirement gathering, but if you go through ADM940, it gives good insight into the matrix.

The answer to your question is very deep...

So just shoot whatever specific questions flash in your mind.

Hope this helps

Abhishek

6 REPLIES



Thank you Abhishek once again!!!

"normalize the roles so that a transaction is not duplicated across many roles (unless required), check if any within-role SoDs are forming and act accordingly, etc."

What does this statement signify?

Also are there any tools involved to identify transaction from process?

Please let me know if you have any case studies that illustrate this, or where I can find the same.

Regards,

Ajit


Hi Ajit,

It depends on the type of security design the company is implementing. For example, if it's a process-based design, each business process is linked to a security role. Then we try to normalize the roles, so that one transaction is not duplicated across many processes, unless these transactions play a different role in various business processes, viz. a simple example could be: display in one/maintain in another.

Which type of approach is your company implementing? Job-based security or process-based security?

Regarding the SoD, we try not to create a role with an inherent SoD. You can search the forum for "SOD"; it contains a pool of knowledge and links discussed by our experts.

Each implementation has its own processes; it's difficult to predict this with tools. It's actually the job and responsibility of the functional/business teams to define the processes and their underlying transactions/restrictions. I am not sure whether the case studies you are specifically looking for are out here. Will leave this one to the gurus.

Thank you

Abhishek


Thank you Abhishek Guru for the valuable information. :)

Actually, I am a fresher in security and was just involved in the role build and FUT phase.

But I want to learn how to carry out a security implementation project and the security design concepts.

Please suggest some sources and guide me on the same.

Please elaborate on job-based security vs process-based security.


Hi Ajit,

If you are starting new to security, then you can go through books like Authorizations Made Easy, and can also enroll for the SAP ADM courses. There are also good books on authorizations and the procedures for implementing them on SAP PRESS. You can buy them too.

You can search this forum for certification too.

To answer your question on job- and process-based roles:

Process roles are roles that contain at least one tcode, but are usually a set of tcodes, reports and programs. They represent a defined granular business process with specific functions within the R/3 environments. A set of these roles makes up a job for a user.

Job roles are roles containing multiple tcodes, reports and programs which make up specific job functions. These may also be referenced as position-based roles. In most cases, users are only assigned one job role.

Hope this helps

Abhishek
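The three points Abhishek raises across this thread (normalizing roles so a transaction is not duplicated across roles, avoiding within-role SoD conflicts, and composing job roles from process roles) can all be checked mechanically once the draft authorization matrix is written down as role-to-transaction sets. The script below is an added example and not code from the thread or from SAP; the role names, the transactions assigned to each role, and the SoD rule pairs are constructed for illustration only and are not a vetted SoD ruleset.

```python
"""Checks over a draft SAP authorization matrix (added example, not from the
thread): transactions duplicated across process roles, SoD conflicts inside a
single role, and SoD conflicts that only appear once process roles are
combined into a job role.  All names, assignments and rules are constructed."""
from collections import defaultdict

# Constructed process roles: role name -> set of transaction codes it grants.
PROCESS_ROLES = {
    "P_PURCHASE_ORDER": {"ME21N", "ME22N", "ME23N"},
    "P_GOODS_RECEIPT":  {"MIGO", "ME23N"},
    "P_INVOICE_VERIFY": {"MIRO", "ME23N"},
    "P_VENDOR_MASTER":  {"XK01", "XK02", "XK03"},
    "P_VENDOR_PAYMENT": {"F110", "XK03", "FB60"},
    "P_VENDOR_INVOICE": {"FB60", "FB03"},
}

# Constructed job roles: a job is the set of process roles assigned together.
JOB_ROLES = {
    "J_PURCHASING_CLERK": ["P_PURCHASE_ORDER", "P_VENDOR_MASTER"],
    "J_AP_ACCOUNTANT":    ["P_VENDOR_INVOICE", "P_VENDOR_PAYMENT"],
    "J_ONE_MAN_BAND":     ["P_PURCHASE_ORDER", "P_GOODS_RECEIPT", "P_INVOICE_VERIFY"],
}

# Constructed SoD rules: pairs of transactions one person should not hold.
SOD_RULES = [
    ("ME21N", "MIGO"),   # create purchase order vs post goods receipt
    ("ME21N", "MIRO"),   # create purchase order vs verify vendor invoice
    ("XK01", "F110"),    # create vendor master vs run payment program
    ("FB60", "F110"),    # enter vendor invoice vs run payment program
]


def duplicated_transactions(process_roles=PROCESS_ROLES):
    """Transactions granted by more than one process role -> sorted role names.
    Each hit is a normalization candidate; a display tcode shared by several
    roles may be acceptable, a maintain tcode usually is not."""
    holders = defaultdict(set)
    for role, tcodes in process_roles.items():
        for tcode in tcodes:
            holders[tcode].add(role)
    return {t: sorted(r) for t, r in holders.items() if len(r) > 1}


def within_role_sod(process_roles=PROCESS_ROLES, rules=SOD_RULES):
    """Rules violated inside a single role, i.e. the role has an inherent SoD."""
    findings = []
    for role, tcodes in process_roles.items():
        for a, b in rules:
            if a in tcodes and b in tcodes:
                findings.append((role, a, b))
    return findings


def expand_job(job, job_roles=JOB_ROLES, process_roles=PROCESS_ROLES):
    """Map every transaction a job grants to the process roles that grant it."""
    granted = defaultdict(set)
    for prole in job_roles[job]:
        for tcode in process_roles[prole]:
            granted[tcode].add(prole)
    return granted


def job_role_sod(job_roles=JOB_ROLES, process_roles=PROCESS_ROLES, rules=SOD_RULES):
    """Rules violated by the union of a job's process roles, with the roles
    that contribute each side so the conflict can be traced back to the matrix."""
    findings = []
    for job in job_roles:
        granted = expand_job(job, job_roles, process_roles)
        for a, b in rules:
            if a in granted and b in granted:
                findings.append((job, a, b, sorted(granted[a]), sorted(granted[b])))
    return findings


if __name__ == "__main__":
    print("Transactions in more than one process role:")
    for tcode, roles in sorted(duplicated_transactions().items()):
        print(f"  {tcode}: {', '.join(roles)}")
    print("Within-role SoD conflicts:")
    for role, a, b in within_role_sod():
        print(f"  {role}: {a} + {b}")
    print("Job-role SoD conflicts:")
    for job, a, b, ra, rb in job_role_sod():
        print(f"  {job}: {a} (via {', '.join(ra)}) + {b} (via {', '.join(rb)})")
```

Run as a script it prints the three reports; the within-role finding on P_VENDOR_PAYMENT is the "inherent SoD" case Abhishek says to avoid at design time, while the J_ONE_MAN_BAND findings only exist because individually clean process roles were combined into one job, which is why the check has to run on the composed job role and not just on each process role.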
