This website is not affiliated with, sponsored by, or approved by SAP AG.

Securing objects coming to SAP through an interface


Postby basd » Mon Sep 12, 2011 12:51 pm

Hello All,

I have an interesting client requirement which involves research on the topic of SAP Security :)

Essentially, I will have several objects from the MM and PP arena (material master, BOMs, Routings, Change Masters) which will be maintained through an external system, then sent to SAP through an interface. This data will be maintained in an external system, and SAP will be the system of record. This data will not be modifiable in SAP.

The question involves identifying a methodology for securing this data in SAP once it gets transmitted through an interface. Security needs to be set up in such a way that this data can be viewed by people who have access to the respective transactions. In cases where people have access to update transactions, access needs to be revoked for the specific data coming down the interface.

For example, let's say there is a person, John, who has access to BOM maintenance transactions CS02 and CS03. Let's assume that BOM A1 comes through an interface and becomes available in SAP. I need John to be able to view BOM A1 using CS03, but not update it using CS02. Same goes for material master, task lists, etc.

What do you think the best approach would be? Is there an authorization object specific to each update transaction (MM02, CA02, CS02) which can be sent through an interface with each item where SAP will know to check against users' security profile? I am imagining some sort of special authorization field which will come down the interface.

Please let me know your thoughts.

Thanks in advance,
Alex
basd
 
Posts: 117
Joined: Thu Nov 24, 2005 12:08 pm
Location: Cleveland, OH

Re: Securing objects coming to SAP through an interface

Postby Sharpshooter » Tue Sep 13, 2011 4:32 am

Each of the objects you mention has a field "Authorization group" - technical name BEGRU and there are standard authorization objects to check this. This would seem to fit your requirement exactly. The data coming from the interface needs to have a value in the authorization group for which no user is given access for change. The object for material master, for example, is M_MATE_MAT.
Good luck!
Sharpshooter
 
Posts: 1171
Joined: Wed Mar 17, 2010 12:01 pm
Location: In the dark

Re: Securing objects coming to SAP through an interface

Postby basd » Tue Sep 13, 2011 12:03 pm

Excellent information - thank you.

I researched the information you posted and was able to create a functional spec for BOMs. Looking through routing transactions (CA01, CA02, CEWB), I was not able to find the 'authorization group' field on any screens, nor in any tables. Do you know how the security segregation is handled for routings?

Thanks again,
Alex
basd
 
Posts: 117
Joined: Thu Nov 24, 2005 12:08 pm
Location: Cleveland, OH

Re: Securing objects coming to SAP through an interface

Postby Sharpshooter » Wed Sep 14, 2011 3:36 am

I had not really looked at routings for this before now - you are correct, SAP does not provide the authorization group field.
Here are a couple of possible workarounds:

1) Object C_ROUT can control access by status. You could create a second 'Released' status in customising that is used for routings from the interface only.
2) Control with engineering change management - use a change master for routings from the interface which is restricted by the authorization group in the change master.

Option 1 seems the most straightforward.
Good luck!
Sharpshooter
 
Posts: 1171
Joined: Wed Mar 17, 2010 12:01 pm
Location: In the dark
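
Both suggestions above (an authorization group value checked by M_MATE_MAT, and a dedicated routing status checked by C_ROUT) only hold if no role grants change activity for the reserved value through a wildcard or range, because authorizations are additive and there is no deny. The following is an added example, not part of the thread: a Python audit over constructed role data that finds such grants; the role names, the group `ZIF` and the status `Z1` are assumptions.

```python
# Added example, not from the thread. Role names, the authorization group "ZIF"
# and the routing status "Z1" are constructed; ACTVT 02 = change, 03 = display.

# (role, authorization object, {field: allowed values}); an allowed value is a
# literal, a pattern ending in "*", or a (low, high) range.
ROLES = [
    ("Z_MM_DISPLAY",  "M_MATE_MAT", {"ACTVT": ["03"], "BEGRU": ["*"]}),
    ("Z_MM_CHANGE",   "M_MATE_MAT", {"ACTVT": ["02", "03"], "BEGRU": [("0001", "0999")]}),
    ("Z_MM_LEGACY",   "M_MATE_MAT", {"ACTVT": ["*"], "BEGRU": ["*"]}),
    ("Z_PP_ROUT_CHG", "C_ROUT",     {"ACTVT": ["02"], "STATU": ["1", "4"]}),
    ("Z_PP_ROUT_ALL", "C_ROUT",     {"ACTVT": ["02"], "STATU": ["*"]}),
]
USERS = {
    "JOHN": ["Z_MM_DISPLAY", "Z_MM_CHANGE", "Z_PP_ROUT_CHG"],
    "MARY": ["Z_MM_DISPLAY", "Z_MM_LEGACY", "Z_PP_ROUT_ALL"],
}
# Checks that must fail for every dialog user: change on interface-owned data.
LOCKED = [
    ("M_MATE_MAT", {"ACTVT": "02", "BEGRU": "ZIF"}),
    ("C_ROUT",     {"ACTVT": "02", "STATU": "Z1"}),
]

def value_matches(allowed, wanted):
    if isinstance(allowed, tuple):            # range LOW..HIGH
        return allowed[0] <= wanted <= allowed[1]
    if allowed.endswith("*"):                 # "*" or a prefix pattern
        return wanted.startswith(allowed[:-1])
    return allowed == wanted

def granting_roles(user, obj, wanted):
    """Roles in which ONE authorization of obj covers every checked field."""
    return [role for role, o, fields in ROLES
            if role in USERS[user] and o == obj
            and all(any(value_matches(a, v) for a in fields.get(f, []))
                    for f, v in wanted.items())]

def authorized(user, obj, wanted):
    return bool(granting_roles(user, obj, wanted))

def audit():
    """Map each user to the roles that let them change interface-owned data."""
    findings = {}
    for user in USERS:
        hits = [r for obj, wanted in LOCKED for r in granting_roles(user, obj, wanted)]
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    print(audit())
```

In this constructed data JOHN can display but not change the interface-owned records, while MARY's wildcard roles defeat the lock and are reported by `audit()`.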

Re: Securing objects coming to SAP through an interface

Postby basd » Tue Oct 04, 2011 9:55 am

Thanks for the response and info.
basd
 
Posts: 117
Joined: Thu Nov 24, 2005 12:08 pm
Location: Cleveland, OH

Securing objects coming to SAP through an interface

Postby basd » Tue Oct 04, 2011 10:03 am

Hello all,

I am having difficulty finding a way to restrict access to specific routings. Looking through routing transactions (CA01, CA02, CEWB), I was not able to find the 'authorization group' field on any screens, nor in any routing tables. Why don't routings have an auth group field available, where many other PP objects (BOMs, Change Masters, etc.) do have an auth group field?

Do you know how the security segregation is handled for routings - is there a standard routing auth object which looks at a certain field to determine if that particular routing can be changed in CA02?

Crosspost on security board: viewtopic.php?f=24&t=355329&p=1072500#p1072500
{moderator note : and merged with it}

Thank you,
Alex
Last edited by Gothmog on Tue Oct 04, 2011 10:42 pm, edited 2 times in total.
Reason: merged from the PP forum
basd
 
Posts: 117
Joined: Thu Nov 24, 2005 12:08 pm
Location: Cleveland, OH

