APM Detailed Technical Overview

APM Contents
- APM – PFCG Overview
- APM – Role Management: Authorization Trace; Role Maintenance / Derived Roles; Mass Changes
- APM – Risk Management: Risk and Process Definition; Pro-active Risk and Process Analysis; Risk and Process Analysis Reports
- APM – Basis Configuration: Special User Monitor; Batch-Job Monitor
- APM – References: Online Tutorial; Support Forum; Contact Information

APM Overview
Created by a team of experienced consultants, with input from clients, to provide an effective and efficient way to manage authorizations. The process-oriented approach creates the minimum authorizations necessary to perform a business process. Role management features reduce administration cost. Risk management features provide a clear view of Segregation of Duties.

APM – PFCG Overview: Authorization Trace
Function | APM | PFCG | Note
Launching an authorization trace | Yes | Yes | APM has a function to launch and stop an authorization trace. The profile generator does not have this function, which is available only via Transaction ST01.
Retrieving an authorization trace to the workspace for role generation | Yes | No | The profile generator allows only the manual addition of data from the authorization trace.
Simplified user interface to launch an authorization trace | Yes | No | APM automatically adjusts all settings required for an authorization trace. Except for two texts and the user to be recorded, no additional information is necessary.

APM – PFCG Overview: Mass Change Function within a Role
Function | APM | PFCG
Mass change for ORG fields | Yes | Yes
Mass change for non-ORG fields | Yes | No
Mass change across a version (several fields) | Yes | No
Note: A "normal" mass change always changes one field at a time. A mass change across a version can be performed for numerous fields. Example: company code 0001 always has the chart of accounts INT, always the sales organization 0001, always the plants 001 and 002, etc. If such statements are possible, such chains can be saved as versions (a one-time procedure) and then used for mass changes across numerous fields.

APM – PFCG Overview: Upload/Download
Function | APM | PFCG
Authorizations of roles without menu | Yes | No
Authorizations of roles with menu | No | Yes
Authorizations of profiles (not assigned to any role) | Yes | No
Authorizations of an authorization trace | No | Yes

APM – PFCG Overview: General Workspace Information
Function | APM | PFCG | Note
Workspace with Undo/Redo function | Yes | No | APM has Undo/Redo functions similar to those offered by MS Word or Excel.
Consistency check when retrieving roles, profiles, authorizations, traces, and transactions | Yes | No | APM checks and verifies the following when retrieving authorizations: missing entry in the check table for objects with the field Activity; missing entry in the original profile tables (USR* tables); missing entry in the profile performance tables (UST* tables). If a retrieved authorization is invalid or flawed (e.g., the SAP_NEW profile is defective in the K_ABC authorization object because a value is missing in one field), APM indicates this by displaying a warning bell symbol. Possible defects are a value that was not assigned to a field, an incorrect technical field name, etc.
Assigning full authorization * to empty fields | Yes | Yes | In APM, the affected range for this function can be selected by marking authorizations.
Assigning full authorization * to all fields | Yes | No | In APM, the affected range for this function can be selected by marking authorizations.
Additional save options for authorizations in addition to download and generation | Yes | No | APM has additional save options for authorizations, namely the lists. Authorization data is saved to a separate database table, which can be read by APM.
Subsequent verification of critical authorizations/objects | Yes | Yes | In APM, roles can be monitored using risk and process analyses. Report RSUSR002 of the profile generator is one method of monitoring.
Verification of critical authorizations/objects during role creation | Yes | No | Risk analyses can be added to the work screen. If an authorization/object is added that appears in the risk analysis, it is marked with a red or yellow traffic light. The user can thus respond to critical authorizations/objects as early as role creation.

APM – PFCG Overview: Role Creation via Transactions
Function | APM | PFCG | Note
Transaction synchronization when adding transactions to the role menu | Yes | Yes |
Transaction synchronization when deleting transactions from the role menu (the "Activity" authorization field was not changed manually) | Yes | Yes |
Transaction synchronization when deleting transactions from the role menu (the "Activity" authorization field was changed manually) | Yes | No | The delete routine of the profile generator is no longer effective once the "Activity" field has been changed manually. Objects can then be deleted only manually.
Importing a transaction code added to the workspace into the role menu | Yes | No | APM adds all transactions added to the APM list screen to the role menu in an unstructured format: a folder is created where all new transactions are added one below the other.
Deleting from the role menu transactions added to the workspace | Yes | No | If transactions are removed from the APM workspace, APM automatically deletes these transactions and empty folders from the role menu. With the profile generator this is a purely manual task.
Synchronization function for transaction codes also in the workspace | Yes | No | APM not only synchronizes transactions with roles based on menu changes; this function is also available from the workspace.
Is it possible to forego inactive authorizations meant as protection during transaction synchronization? | Yes | No | APM does not require any inactive authorization objects with a protective function during transaction synchronization.
Is it possible to compress authorizations? | Yes | Yes |
Is it practical to compress authorizations? | Yes | No | Compression is generally advisable since it reduces the number of authorizations. With the profile generator, however, compression can lead to additional authorizations being added during the next transaction synchronization. APM does not have this problem.
Assign ownership to a role | Yes | No | Assigning an owner to a role during generation helps the security administrator identify whom to contact for approval.

APM – PFCG Overview: Analysis Options
Function | APM | PFCG
Analysis options for individual authorization objects or authorizations | Yes | Yes
Analysis options for numerous authorization objects or authorizations | Yes | No
Analysis options for authorization chains with up to three authorizations | Yes | Yes
Analysis options for authorization chains with more than three authorizations | Yes | No
Note: Only individual objects/authorizations can be queried in the SAP analysis reports (e.g., RSUSR002). APM offers the option of assigning diverse fields to a risk version and evaluating them. The SAP reports can only evaluate process chains with up to three authorizations; APM's process analyses are not restricted in this respect.

APM – Role Management: Authorization Trace
- Defined from the SAP point of view in cooperation with the user departments.
- No need to learn how the SAP system trace is handled.
- Easily troubleshoot and resolve authorization issues.
- The logged authorizations represent the minimum specifications.
- Retrieve to the workspace for role generation, or add to an existing role.
Rules:
- When entering a trace for multiple users, please make sure that this trace can be activated and deactivated for all users only.
- APM user traces must be deactivated and deleted via APM.
- APM users must always log in to the defined application server.
Non-observance of these rules may lead to the following problems:
- You can no longer start or end a user trace via APM. This may happen when an APM user trace has been stopped via SAP standard. In this case it is mandatory to terminate the trace via SAP standard (Transaction ST01); only then are all functions available again.
- You cannot import or delete a user trace and get the message that this user trace no longer exists on operating system level. This may happen when an APM user trace has been deleted via SAP standard instead of via APM. In this case, use the menu item Utilities – Reconciliation of tables.

APM – Role Management: List Functions
- The authorization list is the working platform of APM, where authorizations and authorization objects can be entered, deleted, or changed.
- When saving a list, no change documents are created.
- Inactive authorizations are no longer necessary.
- Compress List (Merger) will not create a new authorization.
- Mass authorization change.
- Undo and redo.

APM – Role Management: PFCG – Inactive Authorization
- Remove the values "01, 06, 24".
- A new authorization is inserted.
- Best practice is to create a copy, inactivate, and make the changes to the copied authorization.
- When the standard transaction is deleted, the changed authorization remains.

APM – Role Management: APM – Inactive Authorization
- APM will not insert a "New" authorization. Notice that there are no statuses within APM.
- APM will delete all "Standard" and "Changed" authorizations.

APM – Role Management: PFCG – Derived Role
Master role: Customer Invoice Processing, with the transactions F-22 (Enter Customer Invoice), F-28 (Post Incoming Payment), F-32 (Clear Customer), ...
Derived roles: USA – Company Code 0001; CAN – Company Code 0002 (each with the same transactions).

APM – Role Management: APM – Derived Role
Master role: Customer Invoice Processing, with the transactions F-22 (Enter Customer Invoice), F-28 (Post Incoming Payment), F-59 (Payment Request), F-32 (Clear Customer), ...
Derived roles: USA – Company Code 0001; CAN – Company Code 0002.
Field values shown: ACTVT = 02, 06; BUKRS = 0003.

APM – Role Management: APM – Derived Role
Deviation Folder
- All field values inherited from the master role can be modified.
- Deviations can be field-related or object-related.
- All deviation folders can be used for the automatic mass change.
Extension Folder
- Adds additional authorizations to the dependent role.
- Always use "After Mass Change".

APM – Role Management: Mass Authorization Change
- Mass change of multiple field values via the Deviation Folder.
- Manual mass change of a single field.

APM – Risk Management: Risk Analysis
- A collection of critical authorization objects.
- Pro-actively identify risks during role maintenance.
- Exclusion objects are inactive in the role.
- Risk analysis discovers weaknesses and security gaps within the authorizations and enables the direct elimination of these risks.
- Document the risk version.
- Risk classification: Very critical, Critical, Inactive.
- A risk can be defined as an Object or as a Single occurrence.

APM – Risk Management: Process Analysis
- A collection of critical combinations of authorization objects.
- Pro-actively run process analysis during role maintenance.
- Unlimited business process chains per version.
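The derived-role and deviation-folder mechanics described above, as an added example that is not APM's or the deck's own code: a master role, dependent roles whose deviation folders override inherited field values (field-related or object-related), an extension folder applied after the mass change, and a mass change that re-derives all dependents after the master gains F-59. Role names, the SAP-style objects (F_BKPF_BUK, F_BKPF_KOA, F_REGU_BUK, F_KNA1_APP) and all values are constructed sample data.

```python
from copy import deepcopy

# Constructed sample master role (not from the original deck). An authorization is
# (object, {field: set of values}); "$BUKRS" marks the org field each derived role fills.
MASTER_ROLE = {
    "name": "Z_CUSTOMER_INVOICE",
    "transactions": ["F-22", "F-28", "F-32"],
    "authorizations": [
        ("F_BKPF_BUK", {"ACTVT": {"01", "02", "03"}, "BUKRS": {"$BUKRS"}}),
        ("F_BKPF_KOA", {"ACTVT": {"01", "02", "03"}, "KOART": {"D"}}),
    ],
}

# Deviation folders per dependent role: a field-related deviation applies to every
# object carrying that field, an object-related one to a single (object, field) pair.
# The extension folder is appended last ("After Mass Change").
DERIVED_SPECS = [
    {"name": "Z_CUSTOMER_INVOICE_USA", "field_deviations": {"BUKRS": {"0001"}}},
    {"name": "Z_CUSTOMER_INVOICE_CAN", "field_deviations": {"BUKRS": {"0002"}}},
    {"name": "Z_CUSTOMER_INVOICE_0003", "field_deviations": {"BUKRS": {"0003"}},
     "object_deviations": {("F_BKPF_BUK", "ACTVT"): {"02", "06"}},
     "extensions": [("F_KNA1_APP", {"ACTVT": {"03"}, "APPKZ": {"F"}})]},
]

def derive_role(master, name, field_deviations, object_deviations=None, extensions=()):
    """Copy the master, apply the deviation folder, then append the extension folder."""
    object_deviations = object_deviations or {}
    auths = deepcopy(master["authorizations"])
    for obj, fields in auths:
        for field in fields:
            if (obj, field) in object_deviations:
                fields[field] = set(object_deviations[(obj, field)])
            elif field in field_deviations:
                fields[field] = set(field_deviations[field])
    auths.extend(deepcopy(list(extensions)))
    return {"name": name, "transactions": list(master["transactions"]),
            "authorizations": auths}

def mass_change(master, specs):
    """Re-derive every dependent role from the current master; deviations survive."""
    return [derive_role(master, **spec) for spec in specs]

def updated_master():
    """Master role after F-59 (Payment Request) is added, as on the APM derived-role slide."""
    m = deepcopy(MASTER_ROLE)
    m["transactions"].append("F-59")
    m["authorizations"].append(("F_REGU_BUK", {"ACTVT": {"02", "03"}, "BUKRS": {"$BUKRS"}}))
    return m
```

Running mass_change(updated_master(), DERIVED_SPECS) shows the point of the deviation folder: every dependent role picks up the new F_REGU_BUK authorization with its own company code, while the object-related ACTVT deviation of the third role and its extension folder are untouched.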
- Multiple process chains per version.
- Transaction combinations can be defined in a set.

APM – Risk Management: Process Analysis Report
- Process-to-user or process-to-role report.
- The report can be executed for user(s) or for a user group.
- Users to process chains.
- Process chains to users.

APM – Basis Configuration
- APM trace setting.
- Expert mode.
- Verify that a transaction is valid before generation.
- Always check Menu… – Delete and Create to prevent direct modification of S_TCODE.
- Activate role ownership.
- Set pro-active risk or process authorization analysis.
- Analysis sequence: Object, then Single Occurrence.
- Always select "Confirm all automatically".
- Standard APM functions for List, Deviation, and Mass Changes.

APM – Basis: Special Users
Emergency or special users are defined for supervision. 3-Level Security Concept:
1. Every login of a safety-relevant special user causes a system log message to be written, which can be evaluated.
2. All activities of a safety-relevant special user are recorded at transaction and/or program level and can be evaluated.
3. All activities of safety-relevant special users are recorded within transactions or programs down to the function used and can be evaluated.

APM – Basis: Batch-Job Monitor
Automatic supervision of jobs in the SAP environment. The monitoring is scheduled periodically; as soon as erroneous jobs are detected within a defined period of time (cycle), the monitoring tools optionally send mails and/or express mails, or print error messages on the printer. This enables error handling to be optimized through timely reporting to the responsible person(s).
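The process-chain analysis and its two reports (users to process chains, process chains to users), as an added example that is not APM's or the deck's own code. It evaluates a chain of four checks, one more than the three-authorization limit of the standard reports noted under Analysis Options, and treats a check the way an SAP authority check does: all fields must be satisfied by one and the same authorization. Users, objects (S_TCODE, F_BKPF_BUK), chain names and values are constructed sample data.

```python
# Constructed sample data (not from the original deck). A user's authorization is
# (object, {field: [granted values]}); a chain check is (object, {field: needed value}).
USERS = {
    "ALICE": [("S_TCODE", {"TCD": ["F-22", "F-28", "F-32"]}),
              ("F_BKPF_BUK", {"ACTVT": ["01", "02", "03"], "BUKRS": ["0001"]})],
    # BOB lacks F-28 (post incoming payment), so the full chain is broken
    "BOB": [("S_TCODE", {"TCD": ["F-22", "F-32"]}),
            ("F_BKPF_BUK", {"ACTVT": ["01", "03"], "BUKRS": ["0001"]})],
    # CAROL holds wildcard values, as a generic profile would grant them
    "CAROL": [("S_TCODE", {"TCD": ["F-*"]}),
              ("F_BKPF_BUK", {"ACTVT": ["*"], "BUKRS": ["*"]})],
    # DAVE has the needed values, but split over two authorizations of one object
    "DAVE": [("S_TCODE", {"TCD": ["F-22", "F-28", "F-32"]}),
             ("F_BKPF_BUK", {"ACTVT": ["01"], "BUKRS": ["0002"]}),
             ("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["0001"]})],
}
# Process chains: the first has four checks, more than a three-authorization report covers.
CHAINS = {
    "CUSTOMER_INVOICE_TO_CLEARING": [
        ("S_TCODE", {"TCD": "F-22"}), ("S_TCODE", {"TCD": "F-28"}),
        ("S_TCODE", {"TCD": "F-32"}), ("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "0001"})],
    "ENTER_AND_CLEAR": [("S_TCODE", {"TCD": "F-22"}), ("S_TCODE", {"TCD": "F-32"})],
}

def value_matches(granted, wanted):
    """SAP-style value match: '*' grants everything, 'ABC*' is a prefix, else exact."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted

def has_auth(auths, obj, required):
    """Every required field must pass within one and the same authorization for obj
    (as in an AUTHORITY-CHECK); values spread over two authorizations do not combine."""
    return any(o == obj and all(any(value_matches(g, v) for g in fields.get(k, []))
                                for k, v in required.items())
               for o, fields in auths)

def users_to_chains(users, chains):
    """Report: for each user, the process chains that user can run end to end."""
    return {u: [c for c, checks in chains.items()
                if all(has_auth(auths, o, r) for o, r in checks)]
            for u, auths in users.items()}

def chains_to_users(users, chains):
    """Report: for each process chain, the users who can run it end to end."""
    u2c = users_to_chains(users, chains)
    return {c: [u for u in users if c in u2c[u]] for c in chains}
```

With this data, chains_to_users reports ALICE and CAROL for the four-step chain; BOB drops out for the missing transaction and DAVE because his ACTVT 01 and company code 0001 never sit in the same authorization.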
APM – Basis: Directory Viewer
SAP-Explorer enables direct administration of directories and files on the SAP server without having to go to the operating system. In addition to the display, copy, and delete file functions, the SAP-Explorer also supports the upload and download of files.

APM – Next Steps
Many new functionalities have been added; more will be implemented by Q4/05 and Q1/06. Please give us the opportunity to learn more about your requirements and to show your basis/security team a brief online demonstration of APM's powerful functionalities. Schedule a presentation at 813-283-0070 or info@realtimenorthamerica.com.