Introduction to ERP and SAP:
What is an ERP?
Enterprise Resource Planning
Integrated System
Resources – Money/Materials/People
Flower Business:
Initial Stage:
Growth:
Adopting separate software:
Accounting
Warehouse system
HR Software
Production
Sales Vs Production
The ERP Solution:
Centralized System => Common Database
(FI, MM, PP, HR(HCM), Security, Basis, CO, SD, PTP…..etc)
Integration is Key
Modularity
Key features and benefits of ERP Systems:
Real-Time data -
Common Database -
Connected Processes -
Manage Entire Company -
Enterprise-Wide Integration -
Consistent Look and Feel -
Benefits:
Higher Productivity -
Improved Inventory Management -
Better Insights -
Less complexity(IT Perspective) -
HIGH Security -
What is SAP?
SAP – Company (SAP SE)
Market Leader in ERP Software.
SAP - System, Applications, and Products in Data Processing.
SAP/Peoplesoft/Oracle/MS Dynamics 365/Workday/Salesforce/Infor…
SAP: Software(ERP)
CRM, PLM, BI….
SAP ERP
SAP’s scale and Market Position:
Company Size: 1L+
Global Reach: 4.4L+ Customers in 180+ countries. 77%
Who uses SAP?
70% - 500 largest companies run SAP
Demand for SAP Skills:
BMW:
Metallic Blue Paint, Sunroof….
Step-1: Taking the Order (SAP SD)
Step-2: Check the Stock (SAP MM)
Step-3: Buying the supplies(Purchasing) (SAP Ariba) – Purchase Requisition, Purchase Order
Step-4: Building the car(Production) (SAP PP) – BOM(Bill of materials)
Step-5: Checking the Quality (SAP QM)
Step-6: Shipping Car (SAP WM/TM)
Step-7: Handling the Money(SAP FI and SAP CO – SAP FICO)
Step-8: Managing the people(SAP HR/HCM)
SAP Security:
End User (or) Business User/Consultant/Administrator
SAP System => HUGE COMPLEX BUILDING (Financial data, customer order, employee
details, car designs etc.)
SAP Security => Entire Security System (Locks, Guards, access badges, Cameras etc.)
What is SAP Security?
1. Protection of Data
2. Access Controls
3. Compliance
Prevent unauthorized access -
Ensure compliance – (GDPR, SOX etc. )
Impact:
Prevents internal Frauds –
Ensures correct actions –
Protects sensitive data –
Tools used for Accessing SAP ERP:
1. SAP LogonPad/ SAP GUI
2. SAP Fiori –
3. SAP HANA Cockpit –
4. ABAP Workbench (Developer kit)
5. Other tools
SAP System Landscape
SAP System IDS (SIDs)
SAP Versions (Flavors)
Default clients and Users
Types of Projects
How are SAP systems installed/configured for any business?
Restaurant chain: (Sandeep)
Development => Testing new recipes
Quality => Tasting and checking quality
Production => Serving the customers
1. BASIS Team (Builders)
2. Functional Consultants(Chefs)
3. Developers- ABAP(Toolmakers)
4. SECURITY TEAM(YOU!!)
SAP System Landscape:
Three-system landscape:
Development(DEV) –
Quality(QAS) -
Production(PRD) -
Sandbox(playground) -
Training systems –
DEV:
ECC => XXX => 100, 200, 300, 400….
S/4 HANA => XXX => 100, 200, 300, 400….
GRC => XXX => 100, 200, 300, 400….
FIORI => XXX => 100, 200, 300, 400….
SAP System ID (SID)
UNIQUE Three character identifier
S/4 HANA, GRC
DEV =>
S/4 HANA => SD4
GRC => GD4
QA =>
S/4 HANA => SQ4
GRC => GQ4
Prod =>
S/4 HANA => SP4
GRC => GP4
DR4, S44, F44, FFF, JI1, 1D4, 5DE
SAP Versions (IDES and NON-IDES)
IDES – Training systems (learning)
Non-IDES – Real Time (Actual business)
Default clients and Users:
DEV =>
S/4 HANA => SD4
1000 (000 – 999)
Standard clients:
000 – Master reference.
001 – Exact copy of 000
066 – For SAP (Earlywatch service)
Default Users:
SAP* =>
DDIC =>
EARLYWATCH =>
Types of SAP Projects:
Implementation Projects -
Support Projects -
Rollout Projects -
Upgrade Projects –
Conversion/Migration Projects -
Development Project –
1. User Administration
2. SAP Authorizations Overview
3. Role Maintenance(PFCG)
4. Authorization Maintenance (SU24, SU22, SU25)
5. Analyse Authorization issues (Troubleshooting)
6. Transporting Authorizations
7. Special Authorizations (RFC, Table level security, Critical authorizations etc.)
8. Security Audit Tools (SM19/SM20)
9. Optimization
User Administration:
Creating new accounts => Create new accounts, copy from existing users
Modifying accounts => Lock/Unlock, Validity, Reset Password, User Attributes, User groups
etc. etc.
Managing Access => Role assignments/removals.
Monitoring =>
SU01 – Tcode/Transaction – Single User Maintenance
SU10 - Mass User Maintenance
User Types:
1. Dialog User –
2. System User –
3. Communication User – (RFC – Remote Function Call)
4. Service User –
5. Reference User Type –
Selection Criteria:
*BMW* => 12BMWUJ, BMW450sd, 678BMW
BMW* => BMWABC, BMW345,
*BMW => 123BMW, ABCBMW
BMW =>
Navigation:
SU01 =>
/n => End/close the current session
/o => Open new session
/nex – Log off from the system (without any confirmation)
Possible Values/F4/LOV/List of Values
SU01
/nSE38
/nSE16
/oSE38
/oSE16
==============
To check program details of any tcode => SE93 (Maintain Transaction)
(Maintain – Create/change/display/delete etc.)
To check code (or) directly execute the program => SE38(ABAP Editor)/SA38(Program
Execution)
SU01 => Mandatory Field => LastName/Password
SU10 => NO MANDATORY FIELDS
SU01 – Single User Maintenance
SU10 – Mass User Maintenance
SUGR – Maintain User Group
Single/Mass users - Create/Lock/Unlock/Reset Password/User attributes
Create user groups
How to check program linked with any tcode(SE93)
/n, /o, /nex
Wild characters (*, ?)
SE38/SA38 => Program Execution/ Report Execution
SE93 => Maintain Transaction
SU3 => Maintaining defaults
Change Documents For Users:
Inactive Users: (RSUSR200)
*****Password Rules (Default Password Rules, Customization, Blacklisted/weak passwords,
password policies) => First Line of Defense
User Naming Conventions
User Related Tables
User Lock Status
*****User Buffer
Change Documents For Users:
Audit Log/History Book
Default Password Rules:
Customize password generation => PRGN_CUST
SE16 => Table Display
SM30 => Table Maintenance
SU01D – User Display
SU01 – User Maintenance
Blacklisted/Weak Passwords: (USR40)
Welcome
India
Password
123
BMW
Sumanth@BMW
WelCOME, Welcome, WelcoME => *welcome*
BMW@108
Password policies:
User Naming Conventions:
Easier Identification
Simplified user management
Consistency
Enhanced Security
Communication user types => RFC_**
System User Types => BG_**, WF_*
TEST_SK_UA01
BMW
Maximum Characters => 12
SE16/SE16N => Table Display
SM30 => Table Maintenance
All the USER RELATED TABLES will store that information
USR*
User Locks
0 – Not Locked
32 – Global Lock (CUA)
64 – Administration lock (System Administrator)
128 – Incorrect login attempts
Cumulative -
USR21 & ADR6
USR01/USR02/USR40/PRGN_CUST
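
Added example (not part of the original notes): decoding the cumulative lock value listed under User Locks, as stored per user in the UFLAG field of USR02. The function names and the sample rows are constructed for illustration.

```python
# Added example: decode cumulative user lock values for a review list.
# Flag values come from the notes above; the sample rows are constructed.

LOCK_FLAGS = {
    32: "global lock (CUA)",
    64: "administration lock",
    128: "incorrect login attempts",
}
KNOWN_BITS = sum(LOCK_FLAGS)  # 32 + 64 + 128

def decode_lock(value):
    """Split a cumulative lock value into the individual lock reasons."""
    if value == 0:
        return ["not locked"]
    reasons = [text for bit, text in sorted(LOCK_FLAGS.items()) if value & bit]
    if value & ~KNOWN_BITS:
        reasons.append("unrecognised bits: %d" % (value & ~KNOWN_BITS))
    return reasons

def triage(rows):
    """Group (user, lock value) rows by the follow-up each one needs."""
    result = {"active": [], "failed_logins_only": [],
              "admin_locked": [], "other": []}
    for user, value in rows:
        if value == 0:
            result["active"].append(user)
        elif value == 128:
            # Locked only by wrong passwords: review who was trying to log on.
            result["failed_logins_only"].append(user)
        elif value & (32 | 64):
            # An administrator lock is present, alone or combined with 128.
            result["admin_locked"].append(user)
        else:
            result["other"].append(user)
    return result

SAMPLE_ROWS = [  # constructed (user name, lock value) pairs
    ("TEST_SK_UA01", 0),
    ("RFC_BILLING", 128),
    ("BG_NIGHTLY", 64),
    ("WF_APPROVAL", 192),   # 64 + 128
    ("JSMITH", 160),        # 32 + 128
]

if __name__ == "__main__":
    for user, value in SAMPLE_ROWS:
        print(user, value, decode_lock(value))
    print(triage(SAMPLE_ROWS))
```
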
Authorizations:
1. User Buffer
2. Authentication Vs Authorizations
3. Understand Authorization Components (Auth Class, Auth Objects, Auth Field&Values)
4. Roles & Profiles (Building blocks)
5. Different types of Roles (Single/Composite roles; Single – Master/Derived/Enabler etc)?
6. Role Building
Understanding and Managing Authorizations:
Authentication Vs Authorizations
Authentication – Happens outside the system
Authorizations – Happens inside the system
****User Buffer:
(Authorization Container) – SU56
SAP Authorizations:
New People, New Job -
Business Changes -
Rules & Regulations(The Law) -
New Tech -
Company Growth -
The Golden Rules – Basic Principles
1. Identity Management – One person One ID
2. *****Least Privilege(Only what you need) => Minimum Permissions
3.Critical Authorizations(Guard the Master Keys!!) (SAP_ALL, Debug Change Access, Direct
Table entry etc etc.)
4.Audit Trails(Keep a logbook!)
5.Control Principle(Get it Approved)
*****ABAP Authorization - How SAP Checks Permissions?
AUTHORITY-CHECK
Components of an Authorizations:
Hierarchy
Auth Field values => Auth Fields => Auth Object => Auth Class => Auth Profiles => Role =>
User
Authorization Class: Group of related Authorization Objects (Filing Cabinet)
FI – Finance, SD – Sales, BC_A – Basis Admin
Authorization Object: (Drawers/Specific Folders) Group of related Authorization Fields
Each Auth Object protects a certain type of activity or data.
S_TCODE, S_USER_GRP etc etc.
*****NO NEED TO UNDERSTAND ANY AUTHORIZATION OBJECT TECHNICALLY
Authorization Field and Values: (Individual Files/Labels) They define what exactly is being
checked by the Object.
(Auth Fields => Auth Object => Auth Class) =>
Tcode => Roles
How Tcodes Are Associated/Mapped with Auth Objects??
Authorization Components
******Authorization Default Values (SU22 & ) & Associated Tables.
Roles & Profiles (PFCG)
Types of Roles
SAP standard Profiles (SAP_ALL SAP_NEW etc).
Role Building
Authorization Defaults:
SU01
VA01
Default Auth Values => Auth Objects/Auth Fields/Auth Default Field values
USOBT & USOBX (tcode – SU22) – Master Library/Read-Only Blueprint.
USOBT_C & USOBX_C(Tcode – SU24)
Using SU25 tcode => We copy all the data from SU22(USOBT & USOBX) to SU24(USOBT_C &
USOBX_C)
Roles & Profiles:
Roles – Authorizations Containers
PFCG – Profile Generator (Maintaining the roles)
Create Role => Role Generation(Profile will get generated automatically by System)
PFCG => (Role Workshop)
Types of Roles:
Single Role – (Z_USER_ADMIN)
Master Roles
Derived Roles
Enabler Roles
Single Roles
Composite Role – (Roles container) (Z_SECURITY_CONS)
Account Payable Supervisor => 10 different single roles (Comp role – Z_AP_SUPERVISOR)
Security Consultant => User Admin, Role Admin etc etc.
===========
Role Maintenance:
Introduction
Navigation with PFCG
Creation of different roles (Role Building, role naming convention, single roles, composite
roles creation, Master(reference/template) and Derived Roles, Assignments/removals)
Role Menu Objects (Different Applications)
Authorization Maintenance in Roles (Auth Maint buttons, Auth Object status, Maint Org
levels, Where used list)
Role versions/Best practices of role building
Role Overview status
Mass Maintenance options roles – (PFCGMASSVAL)
Transfer of Roles (TR/Transport Request)
Summary
Introduction:
Accounts Payable Clerk – Process Invoices, Make Payments, View Vendor data etc.
Manual authorization profiles
Roles(Activity groups)
Roles Vs Profiles
Maintain auth in a role => Generate (System creates role profile) => Assign role to user =>
user buffer.
PFCG -
Creation of Different Roles:
Overview
Role Building and Naming:
System landscape => DEV, QAS, PROD
ONLY in the DEV system = Role Build
DEV(Build) => QAS(Tested) => PROD(End Users)
DEV is for Development =>
SU24 Proposal Data =>
Consistency across Landscape => (Transport Requests)
Safe Testing Environment =>
Approval =>
Reduced Risk on PRD =>
Role Naming:
No “SAP” Prefix => Z/Y*
Length Limit => 30 characters
Allowed characters => A-Z, 0-9, _ & + etc. (No wild characters) (Alphanumeric, _, :)
Target system/Role Type/Module/Org
Role type:
S – Single Role
M - Master Role
D – Derived Role
C – Composite Role
Z_S4H_S_SD_SALES_ORDER_00000
Z_FIR_M_SD_XXXXXXX_CXXXX
Z_GRC_D_SD_XXXXXXX_C1000
Z:S4:S:FI:AP_CLERK:1000 – “Accounts Payable Clerk – Single Role – 1000”
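
Added example (not part of the original notes): a checker for the role naming rules above, handling both the "_" and the ":" separated sample names. The field order (prefix, system, role type, module, description, org) is read off the sample names and is an assumption, and the character check uses the stricter reading (alphanumeric, "_" and ":").

```python
import re

# Added example: check role names against the convention in these notes.
# Field order is inferred from the sample names above (assumption).

ROLE_TYPES = {"S": "single", "M": "master", "D": "derived", "C": "composite"}
ALLOWED = re.compile(r"^[A-Z0-9_:]+$")   # alphanumeric, "_" and ":" only

def parse_role_name(name):
    """Split a role name into its fields for either separator style."""
    if ":" in name:
        parts = name.split(":")
        if len(parts) != 6:
            return None
        prefix, system, rtype, module, desc, org = parts
    else:
        parts = name.split("_")
        if len(parts) < 6:
            return None
        prefix, system, rtype, module = parts[:4]
        # The description may itself contain "_"; the org id is the last field.
        desc, org = "_".join(parts[4:-1]), parts[-1]
    return {"prefix": prefix, "system": system, "type": rtype,
            "module": module, "description": desc, "org": org}

def check_role_name(name):
    """Return a list of rule violations; an empty list means the name passes."""
    problems = []
    if name.upper().startswith("SAP"):
        problems.append("uses the SAP prefix")
    if not name.startswith(("Z", "Y")):
        problems.append("does not start with Z or Y")
    if len(name) > 30:
        problems.append("longer than 30 characters")
    if not ALLOWED.match(name):
        problems.append("contains characters outside A-Z, 0-9, _ and :")
    fields = parse_role_name(name)
    if fields is None:
        problems.append("does not have the six expected fields")
    elif fields["type"] not in ROLE_TYPES:
        problems.append("role type %r is not S, M, D or C" % fields["type"])
    return problems

if __name__ == "__main__":
    for candidate in ("Z_S4H_S_SD_SALES_ORDER_00000",
                      "Z:S4:S:FI:AP_CLERK:1000",
                      "SAP_FI_AP_CLERK"):          # last one is constructed
        print(candidate, check_role_name(candidate) or "OK")
```
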
Composite Roles:
Master Roles and Derived Roles Concept:
(Inheritance Function)
Org Levels – Company Code, Plant, Storage Location.. etc.
Dmart => Hyd, Bang, Delhi, Mumbai, Chennai etc.
“Store Inventory Manager”
Checking stock levels (MB52)
Create a goods receipts when new stock arrives(MIGO)
Run inventory reports
Stock transfers between storage locations
100 stores => 100 separate roles for each store
“Daily spoilage Report” (ZSPOILAGE)
“Global Inventory Manager”
Master Role(Reference/Template/Parent):
“Store Inventory Manager” => Z:S4:M:SD:STORE_INV_MNGR_XXXX
MB52, MIGO, ZSPOILAGE etc etc.
Add tcodes and maintain authorizations.. (Maintain some dummy values for org levels in
Master role)
Plant(Store id), company code etc.
Derived Role(Child/Replicated role):
We maintain only Org levels in the derived roles.
DOESN’T INHERIT ORG LEVELS
Master Roles => What user can do
Derived Roles => Where a user can do
1 Master Role => 100 Derived Roles
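
Added example (not part of the original notes): a simplified model of the master/derived concept, showing that transactions come from the master, org levels are kept only in each derived role, and one change in the master reaches every store. The class names, plant codes and derived role names are constructed; this is a teaching model, not how PFCG stores roles.

```python
# Added example: a simplified model of master and derived roles.
# Class names, plant codes and the derived-role names are constructed.

class MasterRole:
    """Holds WHAT a user can do: the transaction codes."""
    def __init__(self, name, tcodes):
        self.name = name
        self.tcodes = set(tcodes)

class DerivedRole:
    """Inherits transactions from its master; keeps its own org levels."""
    def __init__(self, name, master, org_levels):
        self.name = name
        self.master = master
        self.org_levels = dict(org_levels)   # WHERE: never inherited

    def allows(self, tcode, **org):
        """True only if the tcode is inherited and every org value matches."""
        if tcode not in self.master.tcodes:
            return False
        return all(self.org_levels.get(k) == v for k, v in org.items())

def build_store_roles(master, plants):
    """Create one derived role per store, differing only in org levels."""
    base = master.name.replace(":M:", ":D:").replace("XXXX", "")
    return {p: DerivedRole(base + p, master, {"plant": p}) for p in plants}

def stores_allowed(roles, tcode):
    """List the plants whose derived role currently permits the tcode."""
    return sorted(p for p, r in roles.items() if r.allows(tcode, plant=p))

MASTER = MasterRole("Z:S4:M:SD:STORE_INV_MNGR_XXXX", ["MB52", "MIGO"])
PLANTS = ["HYD1", "BLR1", "DEL1", "MUM1", "CHE1"]   # constructed store ids
ROLES = build_store_roles(MASTER, PLANTS)

if __name__ == "__main__":
    hyd = ROLES["HYD1"]
    print(hyd.name, hyd.allows("MIGO", plant="HYD1"))   # own store
    print(hyd.allows("MIGO", plant="BLR1"))             # another store
    print(stores_allowed(ROLES, "ZSPOILAGE"))           # not in the master yet
    MASTER.tcodes.add("ZSPOILAGE")                      # one change in the master
    print(stores_allowed(ROLES, "ZSPOILAGE"))           # reaches every store
```
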
Authorization Maintenance Within Roles:
Auth Object Status
Org Levels
AUTHORIZATION CHECK PROCESS