SAP SECURITY GRC INTRODUCTION
- The term ‘Basis’ when used in the context of SAP technology refers to the application layer of the SAP system. The role of a ‘Basis Administrator’ should include system administration tasks such as managing the database, transporting development and configuration objects from one SAP system to another, monitoring system performance to ensure no interruption in system stability occurs in the SAP production environment, installing and upgrading the software on the servers, and system security.
- Security refers to both application security in the SAP Runtime environment and the system access outside the SAP Runtime environment. The user accounts defined for users in the SAP Runtime environment are secured by roles that grant authorizations to them. SAP Authorizations control access to transactions (Business Process Activities), or what can be performed within a specific business process step. For example, a user may be able to create sales orders, but only for their specific sales area, sales office and customer.
- The SAP authorization concept is based upon the logical relationship between a user ID and the range of system authorizations with which it can be associated. The architecture of the authorization system is based upon the utilization of several individual but related logical components: Profiles, Objects, Fields, and Authorizations. The user ID refers exclusively to profiles. Each profile grants a set of specific system access authorizations to the user.
- Composite profiles refer to the various employee roles available in the corporation (for instance: Purchasing / Receiving Clerk or Accounts Agent). As the name suggests, composite profiles may contain multiple user IDs necessary to perform all the business operations associated with a particular role. A composite profile may encapsulate other composite profile(s). In practice, a model composite profile should be recognized for each possible role in the organization, which may be used to produce hybrid composite profiles.
- An excess of hybrids can defeat the very purpose of composite profiles, so they should be created only when specific needs arise.
User IDs allow access to SAP applications. Each user must have a corresponding profile specifically assigned. In many situations, multiple composite profiles can be assigned to a user ID, depending on the role(s) an individual user is responsible for in the business processes.
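The user ID, profile, object and field relationship described above can be modelled in a few lines to see what a user effectively holds once nested composite profiles are expanded. This is an added example, not SAP code: the profile names, the user ID JDOE and the data model are hypothetical and simplified, and V_VBAK_VKO with its fields VKORG, VTWEG, SPART and ACTVT is used as a sample sales-area authorization object.

```python
# Simplified model of the hierarchy described above (constructed sample data).
# Profile names and the user ID are hypothetical.
# An authorization = (object, {field: allowed values}); "*" allows any value.
SIMPLE_PROFILES = {
    "Z_SD_ORDER_1000": [  # create/change/display orders in one sales area
        ("V_VBAK_VKO", {"VKORG": {"1000"}, "VTWEG": {"10"},
                        "SPART": {"00"}, "ACTVT": {"01", "02", "03"}}),
    ],
    "Z_SD_DISPLAY_ALL": [  # display-only, every sales area
        ("V_VBAK_VKO", {"VKORG": {"*"}, "VTWEG": {"*"},
                        "SPART": {"*"}, "ACTVT": {"03"}}),
    ],
}
COMPOSITE_PROFILES = {
    "Z_C_SALES_CLERK": ["Z_SD_ORDER_1000"],
    "Z_C_SALES_HYBRID": ["Z_C_SALES_CLERK", "Z_SD_DISPLAY_ALL"],  # nested
}
USER_PROFILES = {"JDOE": ["Z_C_SALES_HYBRID"]}


def expand(profile, seen=None):
    """Yield every authorization reachable from a profile, following nesting."""
    seen = set() if seen is None else seen
    if profile in seen:  # guard against composites that include each other
        return
    seen.add(profile)
    for child in COMPOSITE_PROFILES.get(profile, []):
        yield from expand(child, seen)
    yield from SIMPLE_PROFILES.get(profile, [])


def effective_authorizations(user):
    """Flatten all profiles assigned to a user ID into a list of authorizations."""
    seen = set()
    return [a for p in USER_PROFILES.get(user, []) for a in expand(p, seen)]


def is_authorized(user, obj, **required):
    """True only if ONE authorization on obj covers every requested field value."""
    for auth_obj, fields in effective_authorizations(user):
        if auth_obj != obj:
            continue
        if all("*" in fields.get(f, ()) or v in fields.get(f, ())
               for f, v in required.items()):
            return True
    return False
```

Field values are not combined across authorizations: JDOE can display orders in any sales area and create them in sales organization 1000, but cannot create them elsewhere, which is the kind of result a review of hybrid composite profiles should confirm.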