SAP SRM - Security



Security in SAP SRM covers several activities. It deals with −

  • User authorization
  • User authentication
  • Single Sign-on
  • Data transfer between SRM applications with secure methods
  • Managing access control

SAP SRM is based on the SAP NetWeaver platform, so you configure security for SRM in the same way as in SAP NetWeaver.

Managing User Administration and Authentication

There are various user management tools that you can use in SAP NetWeaver. These tools are built into the SAP system and can be called using transactions.

Using these tools, you can manage the application platform for Java and ABAP.

Managing Users in ABAP Engine

Step 1 − You can manage users in the ABAP system using T-Code: SU01.


Step 2 − To create a new user, enter the username and click on Create button.


Step 3 − You will be directed to the next window, where you can see multiple tabs. In the Address tab, enter the details about the user, such as title, first name, last name, academic title, and other details.


Step 4 − In the Logon Data tab, enter details such as the user type, password details, etc.


Step 5 − Go to the Roles tab to add the role as per business requirement. There are predefined roles as per different modules.

You have an option to select from single roles or composite roles.


Step 6 − You can scroll to different tabs. In Groups, you can add a user to different groups.


Step 7 − When you enter all the details, you can click on the Save button at the top.

Profile Generator (PFCG)

Transaction — PFCG

You can use this transaction to manage roles in an ABAP system and to provide user authorization. You can create new roles, copy existing roles, define single and composite roles, etc.

Step 1 − In the following screen, you have to enter the role name and click on Single/Composite role.


Step 2 − To copy an existing role, click on the Copy Role button and select the role from the list of existing roles. You can select a Single or Composite Role.


Step 3 − To change a role, select the role from the list and click on the Change button.


Step 4 − When you go to the User tab, you can see the list of users that have been assigned to this role. You can see the user ID, user name, and the from and to dates.


Step 5 − You can also perform a user master record comparison or add a user directly to this role.

Central User Administration

You can use this method to centrally maintain users for multiple ABAP-based systems. This method also supports synchronization with a directory server.

System users are required for the RFC configuration between two clients. These RFC connections are also required to transfer the data.

You need to create the following in the respective clients with the following defined roles −

  • Client 1 − 400 User, this is a central system — CUA_EC400

  • Client 2 − 410 User, this is a child system — CUA_EC410

The usernames mentioned above have been created in client 400 and 410 respectively with the following roles −

User CUA_EC400 is associated with the following roles (roles in the central system) −

  • SAP_BC_USR_CUA_CENTRAL
  • SAP_BC_USR_CUA_CENTRAL_BDIST
  • SAP_BC_USR_CUA_CENTRAL_EXTERN

UME Engine

You can use the Web-based UME administration console to maintain users, roles and authorizations in Java-based systems that use the UME for the user store.

User Types

When you create a new user, you select one of the user types described below.

Each user type has its own description as per business requirement. A dialog user is required to log in to the system as an individual user.

The following are the different user types in SAP −

S.No  User Type − Description
1     Dialog − Individual, interactive system access
2     System − Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA)
3     Communication − Dialog-free communication for external RFC calls
4     Service − Dialog user available to a larger, anonymous group of users
5     Reference − General, non-person related users that allow the assignment of additional identical authorizations, such as for Internet users created with Transaction SU01. No logon is possible.
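The user types above and the CUA roles listed earlier can be checked against an export of the user master. The following Python script is an added example, not part of the original tutorial; the CSV layout, the sample users other than CUA_EC400, the role Z_SRM_PURCHASER, and the rule that holders of CUA roles must be System users are assumptions made for illustration.

```python
import csv
import io

# Single-letter user type codes as stored in the ABAP user master.
USER_TYPES = {"A": "Dialog", "B": "System", "C": "Communication",
              "S": "Service", "L": "Reference"}

# Roles this page assigns to the CUA RFC user in the central system.
CUA_ROLES = {"SAP_BC_USR_CUA_CENTRAL", "SAP_BC_USR_CUA_CENTRAL_BDIST",
             "SAP_BC_USR_CUA_CENTRAL_EXTERN"}

# Constructed sample export: hypothetical column layout, roles separated by ';'.
SAMPLE_EXPORT = """user,type,roles
CUA_EC400,B,SAP_BC_USR_CUA_CENTRAL;SAP_BC_USR_CUA_CENTRAL_BDIST;SAP_BC_USR_CUA_CENTRAL_EXTERN
ADMIN_TMP,A,SAP_BC_USR_CUA_CENTRAL
WEBSHOP,S,SAP_BC_USR_CUA_CENTRAL_EXTERN
JSMITH,A,Z_SRM_PURCHASER
BATCH01,X,
"""


def audit_user_types(export_text):
    """Return (user, finding) tuples for rows that break the assumed policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip()
        code = row["type"].strip().upper()
        roles = {r.strip() for r in (row["roles"] or "").split(";") if r.strip()}
        # A code outside the five documented user types is always reported.
        if code not in USER_TYPES:
            findings.append((user, f"unknown user type code {code!r}"))
            continue
        held = sorted(roles & CUA_ROLES)
        # Assumed policy: CUA RFC users are non-interactive System users, so an
        # interactive or shared user holding these roles is reported.
        if held and code != "B":
            findings.append(
                (user, f"{USER_TYPES[code]} user holds CUA role(s): {', '.join(held)}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_user_types(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```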
