Hi Prakash,


If you are very strong in Security you can apply for 
Security job for 2years..If you are not please dont 
experiment in new company it wil a big problem for you.

And for SOD and SOX is very Important topic. SOD 
Sagregation of Duty Analysis is fully automated tool which 
is used for auditing.

SOD and SOX is very huge topic. You cannot understand until 
you read relevant books and start practice

SOD and SOX are used for SAP Audit purposes in the company 
and Virsa tool is a 3rd party tool integrated with SAP,used 
for finding of the risks before applying the roles (new) to 
a user.

While creating user the security admin should get approval 
to create that user from the Project Manger. The 
particulars like lastname of the user, type of user, 
validity dates etc are required. Now u can create user.

first thing, u need to have access su01 transaction.
if the system in which we r creating user, is connected to 
CUA, then it is necessary to check if we can create user in 
child. while assigning roles, in role tab, progi,e for that 
role should be generated and user comparision should be done

While creating the user we have to know the following 
details:
1. System
2. Approval from linemanager
3. Type of user (Dialog or service etc.)
4. Roles to be assigned.
5. Validity of th user.

Every Tcode has list of authorization objects which are 
maintained in roles. when a Tcode is executed that objects 
will refered in roles, if an object is not maintained in 
role then it is an authorisation error which can be seen 
through SU53 tcode. This list of maintianed auth. object 
of  Tcode can be checked through SU24.

SU25: A transaction that copies SAP defaults from USBOT & 
USOBX to USOBT_C and USOBX_C.

USOBT, is a table that consists of transactions and 
authorisation objects. It stores default values of 
authorisation from authorisation objects. 

USOBX, is a table that defines the necessary authorisation 
checks that needs to be performed within a transaction. 

Initially both tables USOBT and USOBX consists of default 
values. These two tables are then used for fill up of the 
customer tables USBOT_C and USOBT_X through the transaction 
SU25. 


SU24: A transaction that maintains the assignment of 
authorisation objects in the customer tables USOBT_C and 
USOBX_C.

temp role is a default sap provided role...and a copy role 
is one we customize from a temp role...

Derived role:- Is a role which is derived from the parent role
   Parent role can be either a customised role r temp role

in derived role, all the transactions of parent role r 
copied but not the org structure and auth.
and we cant add more transactions in derived role.
in copy roles all the transactions with auth r copied

Try STAT and if the info in that is not enough, enable audit

When we assign roles and save user profile it will not ask 
for user conparision... 
we need to go to role tab and double click on the role 
which you have assigned recently then it will navigate to 
PFCG screen then click on user tab if it is yellow we need 
to do user comparision... if it is in green we need not to 
do user comparision.. if it is yellow then click on user 
comparision then complete comparision then that role will 
reflect in to user buffer list..
But this role comparision will be done when we create 
role..if we miss there then we will do when user will get 
authorization error.. reason is role not yet stored in user 
buffer list.
We can do mass comparision by using tcode PFUD.

If you schedule the below mention sap default job in 
background periodic every day or hourly basis no need to 
compare manually.
PFG_TIME_DEPENDENCY (This Is a ABAP program)

this is rajesh.   ya, after maintaining authorization fields
u need to save and generate the profile b'coz, it is like
tht wht ever fileds ur going to fill is correct and their is
no change so tht ur going to save. after tht ur going to
generate the prolie means it is ready to assign to the
respective user for tht u need confirmation from r/3 tht
this profile is in r/3 db. after tht this profile is
assiging to user.

hai this is jagadish

if you not generate profile name before u chage the 
authorization then it ask a profile name when u save and 
generate in authorization tab. and when we generating the 
profile after save then the profile is save with the given 
authorizations and activities and et... in database. One 
thing u understand that any authorization or activities are 
stored in a profiles and when we assign them then the 
profile name takes place in user master records. ok


if i am wrong in this correct me any of this group

byeee

jagadish

If we do any modifications or If we create any role and 
maintain authorization fields and values we will save those 
changes. That means wht changes we have made that will be 
saved. If we generate profile means it wil generate 
profiles according to tcode and authorizaion objects you 
have maintained in that role.That profiles wil remain in 
user master records...

Thanks
Shanti.

When we save a profile that we only save the values 
whatever changes made in authorization object but still it 
is not working due to non activation of authoriztion 
profile.

A generate button used to activate all values and create a 
authorization profiles.

Because we can't assign authorization directly to the user
that's why we generate a authorization profile.

thorugh mail or tool like remedy .....

Generally tickets are raised by the end users or clients.
each organization having a separate tool box for the purpose
of tickets and then the team leader allot the tickets to
corresponding person through mail.

Generally user asks queries through chat or mail.
But when they need something to do from our end.. 
please ask them to raise ticket ,say for example. if they 
user wants to change the password or create a user id or 
role changes.
Tell them to raise a ticket to security/Authorization team 
with necessary info such as system name,client number.If 
any error ask for SU53.
Each ticket counts your productivity.

Cheers
Prasath

A 3rd party tool called AHD

Clarify Tool....From HP

Remedy

HP open view, remedy,mail(Microsoft Outlook),Lotus 
Notes,Magic

Solution Manager. It can be used as centralised system to 
raise tickets from any system(R3, BIW,APO, CRM etc..)

dilog user, syste user, trns por use, like that 5 type of 
users

dialog, reference, communication, services, system

Dialog user 'A'
Individual system access (personalized) 

Logon with SAPGUI is possible. The user is therefore 
interaction-capable with the SAPGUI. 
Expired or initial passwords are checked. 
Users have the option of changing their own passwords. 
Multiple logon is checked.
Usage: For individual human users (also Internet users)

System user 'B'
System-dependent and system-internal operations 
Logon with SAPGUI is not possible. The user is therefore 
not interaction-capable with the SAPGUI. 
The passwords are not subject to to the password change 
requirement, that is, they cannot be initial or expired. 
Only an administrator user can change the password. 
Multiple logon is permitted.
Usage: Internal RFC, background processing, external RFC 
(for example, ALE, workflow, TMS, CUA)

Communication user 'C' 
Individual system access (personalized) 
Logon with SAPGUI is not possible. The user is therefore 
not interaction-capable with the SAPGUI. 
Expired or initial passwords are checked but the conversion 
of the password change requirement that applies in 
principle to all users depends on the caller 
(interactive/not interactive). (*) 
Users have the option of changing their own passwords.
Usage: external RFC (individual human users)

Service user 'S'
Shared system access (anonymous) 
Logon with SAPGUI is possible. The user is therefore 
interaction-capable with the SAPGUI. 
The passwords are not subject to the password change 
requirement, that is, they cannot be initial or expired. 
Only a user administrator can change the password. 
Multiple logon is permitted.
Usage: Anonymous system access (for example, public Web 
services)

Reference user 'L' 
Authorization enhancement 
No logon possible. 
Reference users are used for authorization assignment to 
other users.
Usage: Internet users with identical authorizations

to transport a role follow these steps:

1.to transport the role between the two systems,RFC MUST BE
ENABLED (REMOTE FUNCTION CALL)

2.login into a user goto pfcg specify a role which is
already created click on the send transport icon.

3.after sending the request the user who had sent the role
to particular user should release the request by se10

4.in order to check the other user has recieved or not he
should go for transcation scc1 for checking wether he has
recieved of not.

1.Create a transport request in SE10.
2.PFCG - please specify the role name - press the transport 
button(truck icon).
*** In case of mutiple roles,go to utilities-mass 
transport**
3.there will be three info screens. give tick mark.
4.give the transport request number, which you created in 
SE10.
5.Press ok.
6.To confirm the changes,go to se10 and see your request 
number,right click and verify the roles are attached.

1. Go to PFCG, type role name in case of single role
transport and click on "execute".
  or if you want to transport more than one roles,
     a) go to Utilities->Mass Transport.
     b) Click on Multiple Selection button, list the role
names that you want to transport and click on "Execute".
2. Click on "Transport" button (Truck icon).
3. It will ask for transport request number, then click on
"Create Request"
4. Give details of transport i.e. ticket number(if any),
name of requester of transport, date on which you are going
to release the transport request and then finally click
"continue".
5. now message will be displayed showing what all is added
into the transport request i.e. contents of this transport.
6. Then goto SE10/SE01 and select option "Modifiable" in
Section 'Transport requests', uncheck option "Released" and
click on "Display".This will show the transport request that
you have just created.
7. Expand the request and it will show you the task which is
under the request.Click on that task an press "Transport"
button (Truck icon). At the bottom line, it will show u
status of the task i.e. task is released or not.
8. Then click on Request no. and transport it. Hereby, your
transport request is released and roles have been transported.
In case of test systems, transports are automatic (varies
from project to project) and for Production system, they are
managed by BASIS team.
In case of auto-transport, you can login to test system and
check time interval by which "auto-import" job gets
triggered (this can be done in SM37). after it gets released
in nearest time interval (usually its between 15-30 min),
your transport request will be imported to that system and
hereby your roles will be transported to that system.

we have daily periodic job
PFCG_TIME -DEPENDENCY

in pfcg use user compare and complete compare.if you are 
using role to generate authorization profiles that should 
not assigned in the user master records untill activate the 
user compare and complete compare.in composite role have no 
user compare and complete compare.

su24/su25, su18/19

Using SU21 we can create the New Authorization Object

1)Type /nsu24 to attach authorisation object to a 
transaction. 

2)Select any transaction ex:me21n. F8(execute)

3)Click on the check indicator pencil to edit the 
authorisation object. 

4)Create a request to make changes on the pop up request box

5)Select the authorisation object you want to create and 
ensure that you get the check/maintained green tick on.

6)Once done, save and to recheck get back to /nsu24 and 
type in your transaction me21n and you could see whether 
your new authorisation object is attached to the 
transaction. 

Note: To enable this authorisation object to work you need 
to get to your role and reassign this transaction to the 
role and maintain the authorisation table. Another way, you 
could click on expert mode in the authorisation table and 
select the 'Read Old Status & Merge with New' option and 
maintain your authorisation table for the transaction with 
the new authorisation object.

temp role is a default sap provided role...and a copy role 
is one we customize from a temp role...

temp role:-
it is the sap standard role, which is defined by sap.
copy role:- copy from a existing role is copy role.