SlideShare a Scribd company logo

S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx

Download as PPTX, PDF
I
ITAdmin28

This document provides an overview and guidelines for authorization concepts across development, quality, and production systems for a 3-tier SAP landscape. It describes the typical purposes and activities for each system during both implementation projects and post go-live operations. The development system is used for configuration, testing, and transporting changes to the quality system. The quality system is used for integration and user acceptance testing before transports are moved to production. The production system has authorization guidelines that depend on whether it is pre go-live, during cutover, or post go-live. Project teams, support teams, and business users all have different authorization needs depending on the system and project phase.

Software
1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
CUSTOMER SAP S/4HANA Cloud, extended edition September 25, 2020 Identity and Access Management (IAM) Authorization Concepts for 3 Tier Landscape Approach
2 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ Purpose of this Document Overview Purpose of the Different Systems  Development System  Quality System  Production System Authorization Guidelines for Different Systems  Development System Authorization Guidelines  Quality System Authorization Guidelines  Production System Authorization Guidelines Agenda
3 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ The purpose of this document is to describe the Identity and Access Management (IAM) Authorization Concept approach for 3 tier landscapes (Development, Quality, Production) for an implementation projects development, testing and cutover phases as well as the approach for maintaining an operational system. Purpose of this Document
Authorization Concept Overview
5 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ The Authorization Concept must be determined for all the systems provided with the solution and all potential users, not just for the Production System and the business users. The Systems provided with SAP S/4HANA Cloud, extended edition are as follows:  Development System (DEV)  Quality System (Q)  Production System (PRD) The purposes of the Development System, the Quality System, and the Production System are significantly different from each other. Therefore, the needs of a project team member and post go- live support user are significantly different than those of a business user when determining their Authorization. The Authorization Concepts are defined by guidelines as described in the following slides. Overview: Systems
Authorization Concept Purpose of the Different Systems
7 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ The Development System is where the project team members work to define what the solution will look like by utilizing preconfigured business processes and any specific customer related configuration during the fit-to-standard and planning and design processes to document backlog items and delta requirements. What activities are typically performed in the Development System for Authorization? • Master Data Definition and Creation • SAP Configuration • SAP Custom Development • SAP Security, Roles, and Authorizations • Unit Testing of Configuration, Development Objects, and Security Roles • Release of Configuration, Development and Security Transports for import to the Quality System • Audits of Unit Testing Development System: What is this system initially used for?
8 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ After the Project Go-Live, the Development System is used to support the operation of the Production Landscape. What activities are typically performed in the Development System after Project Go-Live, when the Production System is in use, for Authorization? • Production System defect investigation. • Corrections/bug fix application and testing prior to introduction into the Quality System. • Upgrade of applications and testing prior to introduction into the Quality System. • New Enterprise Extension activation. • New functionality, business processes, and testing. • Role maintenance and transport creation. Development System: What is this system used for after Go-Live?
9 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ The Quality System is where the project team members build upon the work done in the Development system by testing end-to-end integrated business processes in a Production like environment. What activities are typically performed in the Quality System for Authorization? • Master Data Definition and Creation. • SAP Client Specific Configuration (example: number ranges). • Integration testing of configuration, development objects, and security roles in end to end business processes. • Conduct Authorization Tracing for any authorization incidents. • User Acceptance Testing. • Release of configuration, development, and security transports for import to the Production System • Audits of Integration Testing. • End User Training (optional). • Performance Testing (optional). Quality System: What is this system initially used for?
10 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ After the Project Go-Live, the Quality System is used to support the operation of the Production Landscape. What activities are typically performed in the Quality System after Project Go-Live, when the Production System is in use, for Authorization? • Production System defect investigation. • Corrections/bug fix application and testing prior to introduction into the Production System. • Upgrade application and testing prior to introduction into the Production System. • New Enterprise Extension activation. • New functionality and business processes creation and testing. • Testing of Role changes prior to import into the Production System. Quality System: What is this system used for after Go-Live?
11 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ The Production System is where the project team members will execute Mock Cutovers ( a practice cutover), it is assumed, to ensure that the build of the Production System will be successful and that the business processes will work as designed for the business end-users. What activities are typically performed in the Production System for Authorization? • Master Data Definition and Creation using Conversions. • SAP Configuration (example: number ranges). • SAP Custom Z-Table Data Entry through manual entry and/or through data loads. • SAP Roles and Authorizations transport import. • Testing of configuration, development objects, and security roles and authorization. • Validation of configuration, development, and authorization and role transports imported from the Quality System. • Smoke testing of all in-scope business processes to ensure proper operation once a Mock Cutover is completed. • Audits of Mock Cutover testing. Production System: What is this system initially used for?
12 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ After the Project Go-Live, the Production System is used to operate the business. What activities are typically performed in the Production System after Project Go-Live, when the Production System is in use, for Authorization? • Execution of all in-scope business processes designed by the project for use in the Production System. • Smoke testing of all in-scope business processes to ensure proper operation once the Production Cutover activities to build the Production System are completed. • Production System defect investigation. • Corrections/bug fix application after testing in the Development and Quality Systems. • Import of transports for any new functionality introduced. • Role assignment to users. • Authorization tracing to investigate any authorization issues. Production System: What is this system used for after Go-Live?
Authorization Concept Authorization Guidelines for the Different Systems
14 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ Authorization Concepts are dependent upon the following:  Who needs the authorization?  For what System do they need authorization?  What Activities do they need to perform in a particular SAP System?  How long do they need the authorization in a particular SAP System? System Authorization Considerations
15 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ These Development System guidelines are for the Project Team and Production Support Teams. In the Development System, during a project, the authorization concept used is to give each Project Team and Production Support Team Member as much access as possible. Follow these Development System Authorization guidelines:  #1: Limit a user’s access where their actions would cause significant problems such as damage requiring a system restoration or which would result in unnecessary additional costs. ▫ Example 1: Configurator would have display access only and would not be given change access to the SAP Switch Framework to activate enterprise extensions because some of these extensions are irreversible and if activated by a user, a system restore from backup would be required to correct the issue resulting in lost project time and additional project costs. ▫ Example 2: Configurator would not have a developer’s license as that license is an additional cost and the configurator does not have the responsibility to write custom code.  #2: Limit a user’s access where there is a separation of duty requirement. ▫ Example 1: The configurator and developer will not have authorization to release their own transports as the company has made the decision that they want a separation of duty in this area to control the transports released to the Quality Assurance system. ▫ Example 2: Roles administration and Basis administration need to be separated. Developer. ▫ Example 3: Configurator System Authorization Guidelines: Development System
16 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ In the Quality System, during a project, the authorization concept used is a combination of the Development System and Production System Authorization Concepts. Follow these Quality System Authorization guidelines:  #1: Limit a Project Team and Production Support Team User’s access where their actions would cause significant problems such as damage requiring a system restoration or which would result in unnecessary additional costs. • Project Team and Production Support Team Members should continue to have broad access in the Quality System  #2: Limit a Project Team/Production Support Team User’s access where there is a separation of duty requirement.  #3: Limit a Business User to the same authorization they have in their Production System.  #4: Limit a Test User to the same authorization for the position for which they were created. System Authorization Guidelines: Quality System
17 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ In the Production System, the Authorization Concept used is dependent upon the state of the Production System. For the purpose of this document, the three states are: 1. Before Production Go-Live  The Project Team will execute Mock Cutovers and validate the results of those Mock Cutovers.  The Business Users will execute Smoke Tests to validate that the business processes are working as expected after a Mock Cutover is completed. 2. During Cutover for Production Go-Live  The Project Team will execute the Production Go-Live Cutover and validate the results.  The Business Users will execute Smoke Tests to validate that the business processes are working as expected. 3. After Production Go-Live  The Production Support Team will investigate Production Defects.  The Business Users will execute the in scope business processes. System Authorization Guidelines: Production System
18 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ Before Production Go-Live Project Team members: should have the access needed to execute the Mock Cutover Activities that they are responsible for. Business Users: should have authorization equivalent to their Production System access in order to execute Smoke Tests. Production Support Team members: should have access to the various firefighter user ids and use them to troubleshoot any issues identified during Mock Cutover where Production System access beyond a normal Business User is required. Follow these Production System (Before Production Go-Live) Authorization guidelines:  #1: Limit the Project Team Users’ access to only those needed for them to execute their Mock Cutover Activities.  #2: Limit the Business Users’ access to their Production System access.  #3: Limit the Production Support Team Users’ access to only those firefighter roles created for troubleshooting issues. System Authorization Guidelines: Production System
19 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ During Cutover for Production Go-Live Project Team members: should have the access needed to execute and validate that the Production Go-Live Cutover Activities that they are responsible for have been properly performed. Business Users : should have authorization equivalent to their Production System access in order to execute Smoke Tests to confirm that the system is functioning properly after the Project Team has validated that the Cutover Activities supporting the Business Process are successfully completed. Production Support Team members: should confirm that the firefighter user ids provide the designed access for troubleshooting in the Production System. Follow these Production System (During Cutover for Production Go-Live) Authorization guidelines:  #1: Limit a Project Team User’s access to only those needed for them to execute and validate their Production Go-Live Cutover Activities.  #2: Limit a Business Users access to their Production System access.  #3: Temporarily allow the Production Support Team members to use their various firefighter user ids to confirm that they provide the desired access for troubleshooting. System Authorization Guidelines: Production System
20 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ After Production Go-Live Project Team members: should not have any project related access to the Production System. Business Users: should have their normal Production System access in order to execute any in- scope business processes for which they are responsible. Production Support Team members: should not have any project related access to the Production System but would be able to utilize the firefighter user ids for limited periods of time in order to troubleshoot issues identified by Business Users in the Production System. Follow these Production System (After Production Go-Live) Authorization guidelines:  #1: Remove a Project Team User’s access related to any project specific activities.  #2: Provide the Business User with their normal Production System access.  #3: Temporarily allow the Production Support Team members to use their various firefighter user ids only when an issue is identified in the Production System by the Business Users that needs investigated in that System. System Authorization Guidelines: Production System
Thank you.
© 2020 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/copyright for additional trademark information and notices. www.sap.com/contactsap Follow us
www.sap.com/germany/contactsap © 2020 SAP SE oder ein SAP-Konzernunternehmen. Alle Rechte vorbehalten. Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durch SAP SE oder ein SAP-Konzernunternehmen nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden. Die von SAP SE oder deren Vertriebsfirmen angebotenen Softwareprodukte können Softwarekomponenten auch anderer Softwarehersteller enthalten. Produkte können länderspezifische Unterschiede aufweisen. Die vorliegenden Unterlagen werden von der SAP SE oder einem SAP-Konzernunternehmen bereitgestellt und dienen ausschließlich zu Informationszwecken. Die SAP SE oder ihre Konzernunternehmen übernehmen keinerlei Haftung oder Gewährleistung für Fehler oder Unvollständigkeiten in dieser Publikation. Die SAP SE oder ein SAP-Konzernunternehmen steht lediglich für Produkte und Dienstleistungen nach der Maßgabe ein, die in der Vereinbarung über die jeweiligen Produkte und Dienstleistungen ausdrücklich geregelt ist. Keine der hierin enthaltenen Informationen ist als zusätzliche Garantie zu interpretieren. Insbesondere sind die SAP SE oder ihre Konzernunternehmen in keiner Weise verpflichtet, in dieser Publikation oder einer zugehörigen Präsentation dargestellte Geschäftsabläufe zu verfolgen oder hierin wiedergegebene Funktionen zu entwickeln oder zu veröffentlichen. Diese Publikation oder eine zugehörige Präsentation, die Strategie und etwaige künftige Entwicklungen, Produkte und/oder Plattformen der SAP SE oder ihrer Konzernunternehmen können von der SAP SE oder ihren Konzernunternehmen jederzeit und ohne Angabe von Gründen unangekündigt geändert werden. Die in dieser Publikation enthaltenen Informationen stellen keine Zusage, kein Versprechen und keine rechtliche Verpflichtung zur Lieferung von Material, Code oder Funktionen dar. Sämtliche vorausschauenden Aussagen unterliegen unterschiedlichen Risiken und Unsicherheiten, durch die die tatsächlichen Ergebnisse von den Erwartungen abweichen können. Dem Leser wird empfohlen, diesen vorausschauenden Aussagen kein übertriebenes Vertrauen zu schenken und sich bei Kaufentscheidungen nicht auf sie zu stützen. SAP und andere in diesem Dokument erwähnte Produkte und Dienstleistungen von SAP sowie die dazugehörigen Logos sind Marken oder eingetragene Marken der SAP SE (oder von einem SAP-Konzernunternehmen) in Deutschland und verschiedenen anderen Ländern weltweit. Alle anderen Namen von Produkten und Dienstleistungen sind Marken der jeweiligen Firmen. Zusätzliche Informationen zur Marke und Vermerke finden Sie auf der Seite www.sap.com/corporate/de/legal/copyright.html. SAP folgen auf

More Related Content

PDF
Development Best Practices
Salesforce Partners
 
RTF
Deepti Debnath_Citi Corp-2015
deepti Debnath
 
PDF
Release and Enviromental Management
Salesforce Partners
 
PPTX
Best Practices for a Repeatable Shift-Left Commitment
Applause
 
PPTX
Ais development strategy
Rahat Chowdhury
 
PDF
SaaS System Validation, practical tips on getting validated for go-live and t...
Steffan Stringer
 
PPTX
SAP License Audit Tips
AuditBot SAP Security Audit
 
PPTX
Introduction to ERP Concept
Amity University | FMS - DU | IMT | Stratford University | KKMI International Institute | AIMA | DTU
 
Development Best Practices
Salesforce Partners
 
Deepti Debnath_Citi Corp-2015
deepti Debnath
 
Release and Enviromental Management
Salesforce Partners
 
Best Practices for a Repeatable Shift-Left Commitment
Applause
 
Ais development strategy
Rahat Chowdhury
 
SaaS System Validation, practical tips on getting validated for go-live and t...
Steffan Stringer
 
SAP License Audit Tips
AuditBot SAP Security Audit
 
Introduction to ERP Concept
Amity University | FMS - DU | IMT | Stratford University | KKMI International Institute | AIMA | DTU
 

Similar to S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx (20)

PDF
Webinar Presentation: Best Practices in QA Testing - Leveraging Open Source T...
Emtec Inc.
 
PPT
Learn software testing with tech partnerz 1
Techpartnerz
 
RTF
Deepti Debnath_2015
deepti Debnath
 
PPTX
A Complete Guide to Functional Testing
Matthew Allen
 
PPTX
SITIST 2018 Part 1 - Installation of custom CIC Certified Add-On client systems
sitist
 
DOC
BVT_Swamy_Abap_4
BOGGARAPU VENKATA TRINADHA SWAMY
 
PPTX
Automating Deployment Between Orgs Using Git & Continuous Integration
Sebastian Wagner
 
PDF
Quality at the speed of digital
rajni singh
 
PDF
Continuous Performance Testing: The New Standard
TechWell
 
PDF
Continuous testing
Dr Ganesh Iyer
 
PPTX
Neev QA Offering
Neev Technologies
 
PDF
Best Practices in Testing Force.com Application
Emtec Inc.
 
PPTX
DevOps in Salesforce AppCloud
rsg00usa
 
PDF
Tech Mastermind - Test Suite 20.10.pdf
SaiKumarBorusu
 
PPTX
The quality assurance checklist for progressive testing
Maitrikpaida
 
PPTX
The Quality Assurance Checklist for Progressive Testing
Cygnet Infotech
 
DOC
RajivRanjan_Resume
Rajiv Ranjan
 
PDF
ERP Training
Soumya De
 
PPTX
Salesforce Continuous Integration with AutoRABIT
Vishnu Raju Datla
 
PDF
Simplify Salesforce Testing with AI-Driven Codeless Tools
Sauce Labs
 
Webinar Presentation: Best Practices in QA Testing - Leveraging Open Source T...
Emtec Inc.
 
Learn software testing with tech partnerz 1
Techpartnerz
 
Deepti Debnath_2015
deepti Debnath
 
A Complete Guide to Functional Testing
Matthew Allen
 
SITIST 2018 Part 1 - Installation of custom CIC Certified Add-On client systems
sitist
 
BVT_Swamy_Abap_4
BOGGARAPU VENKATA TRINADHA SWAMY
 
Automating Deployment Between Orgs Using Git & Continuous Integration
Sebastian Wagner
 
Quality at the speed of digital
rajni singh
 
Continuous Performance Testing: The New Standard
TechWell
 
Continuous testing
Dr Ganesh Iyer
 
Neev QA Offering
Neev Technologies
 
Best Practices in Testing Force.com Application
Emtec Inc.
 
DevOps in Salesforce AppCloud
rsg00usa
 
Tech Mastermind - Test Suite 20.10.pdf
SaiKumarBorusu
 
The quality assurance checklist for progressive testing
Maitrikpaida
 
The Quality Assurance Checklist for Progressive Testing
Cygnet Infotech
 
RajivRanjan_Resume
Rajiv Ranjan
 
ERP Training
Soumya De
 
Salesforce Continuous Integration with AutoRABIT
Vishnu Raju Datla
 
Simplify Salesforce Testing with AI-Driven Codeless Tools
Sauce Labs
 
Ad

Recently uploaded (20)

PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
DOCX
The Five Best AI Cover Tools in 2025.docx
aivoicelabofficial
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
Presentation of Computer CLASS 2 .pptx
darshilchaudhary558
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PPTX
Materi-Enum-and-Record-Data-Type (1).pptx
RanuFajar1
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
What to Capture When It Breaks: 16 Artifacts That Reveal Root Causes
Tier1 app
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
How to Confidently Manage Project Budgets
OnePlan Solutions
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PPTX
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
The Five Best AI Cover Tools in 2025.docx
aivoicelabofficial
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Presentation of Computer CLASS 2 .pptx
darshilchaudhary558
 
Introduction to Artificial Intelligence
lohedi9363
 
Materi-Enum-and-Record-Data-Type (1).pptx
RanuFajar1
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
What to Capture When It Breaks: 16 Artifacts That Reveal Root Causes
Tier1 app
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
How to Confidently Manage Project Budgets
OnePlan Solutions
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Ad

S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx

  • 1. CUSTOMER SAP S/4HANA Cloud, extended edition September 25, 2020 Identity and Access Management (IAM) Authorization Concepts for 3 Tier Landscape Approach
  • 2. 2 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ Purpose of this Document Overview Purpose of the Different Systems  Development System  Quality System  Production System Authorization Guidelines for Different Systems  Development System Authorization Guidelines  Quality System Authorization Guidelines  Production System Authorization Guidelines Agenda
  • 3. 3 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ The purpose of this document is to describe the Identity and Access Management (IAM) Authorization Concept approach for 3 tier landscapes (Development, Quality, Production) for an implementation projects development, testing and cutover phases as well as the approach for maintaining an operational system. Purpose of this Document
  • 5. 5 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ The Authorization Concept must be determined for all the systems provided with the solution and all potential users, not just for the Production System and the business users. The Systems provided with SAP S/4HANA Cloud, extended edition are as follows:  Development System (DEV)  Quality System (Q)  Production System (PRD) The purposes of the Development System, the Quality System, and the Production System are significantly different from each other. Therefore, the needs of a project team member and post go- live support user are significantly different than those of a business user when determining their Authorization. The Authorization Concepts are defined by guidelines as described in the following slides. Overview: Systems
  • 6. Authorization Concept Purpose of the Different Systems
  • 7. 7 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ The Development System is where the project team members work to define what the solution will look like by utilizing preconfigured business processes and any specific customer related configuration during the fit-to-standard and planning and design processes to document backlog items and delta requirements. What activities are typically performed in the Development System for Authorization? • Master Data Definition and Creation • SAP Configuration • SAP Custom Development • SAP Security, Roles, and Authorizations • Unit Testing of Configuration, Development Objects, and Security Roles • Release of Configuration, Development and Security Transports for import to the Quality System • Audits of Unit Testing Development System: What is this system initially used for?
  • 8. 8 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ After the Project Go-Live, the Development System is used to support the operation of the Production Landscape. What activities are typically performed in the Development System after Project Go-Live, when the Production System is in use, for Authorization? • Production System defect investigation. • Corrections/bug fix application and testing prior to introduction into the Quality System. • Upgrade of applications and testing prior to introduction into the Quality System. • New Enterprise Extension activation. • New functionality, business processes, and testing. • Role maintenance and transport creation. Development System: What is this system used for after Go-Live?
  • 9. 9 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ The Quality System is where the project team members build upon the work done in the Development system by testing end-to-end integrated business processes in a Production like environment. What activities are typically performed in the Quality System for Authorization? • Master Data Definition and Creation. • SAP Client Specific Configuration (example: number ranges). • Integration testing of configuration, development objects, and security roles in end to end business processes. • Conduct Authorization Tracing for any authorization incidents. • User Acceptance Testing. • Release of configuration, development, and security transports for import to the Production System • Audits of Integration Testing. • End User Training (optional). • Performance Testing (optional). Quality System: What is this system initially used for?
  • 10. 10 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ After the Project Go-Live, the Quality System is used to support the operation of the Production Landscape. What activities are typically performed in the Quality System after Project Go-Live, when the Production System is in use, for Authorization? • Production System defect investigation. • Corrections/bug fix application and testing prior to introduction into the Production System. • Upgrade application and testing prior to introduction into the Production System. • New Enterprise Extension activation. • New functionality and business processes creation and testing. • Testing of Role changes prior to import into the Production System. Quality System: What is this system used for after Go-Live?
  • 11. 11 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ The Production System is where the project team members will execute Mock Cutovers ( a practice cutover), it is assumed, to ensure that the build of the Production System will be successful and that the business processes will work as designed for the business end-users. What activities are typically performed in the Production System for Authorization? • Master Data Definition and Creation using Conversions. • SAP Configuration (example: number ranges). • SAP Custom Z-Table Data Entry through manual entry and/or through data loads. • SAP Roles and Authorizations transport import. • Testing of configuration, development objects, and security roles and authorization. • Validation of configuration, development, and authorization and role transports imported from the Quality System. • Smoke testing of all in-scope business processes to ensure proper operation once a Mock Cutover is completed. • Audits of Mock Cutover testing. Production System: What is this system initially used for?
  • 12. 12 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ After the Project Go-Live, the Production System is used to operate the business. What activities are typically performed in the Production System after Project Go-Live, when the Production System is in use, for Authorization? • Execution of all in-scope business processes designed by the project for use in the Production System. • Smoke testing of all in-scope business processes to ensure proper operation once the Production Cutover activities to build the Production System are completed. • Production System defect investigation. • Corrections/bug fix application after testing in the Development and Quality Systems. • Import of transports for any new functionality introduced. • Role assignment to users. • Authorization tracing to investigate any authorization issues. Production System: What is this system used for after Go-Live?
  • 14. 14 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ Authorization Concepts are dependent upon the following:  Who needs the authorization?  For what System do they need authorization?  What Activities do they need to perform in a particular SAP System?  How long do they need the authorization in a particular SAP System? System Authorization Considerations
  • 15. 15 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ These Development System guidelines are for the Project Team and Production Support Teams. In the Development System, during a project, the authorization concept used is to give each Project Team and Production Support Team Member as much access as possible. Follow these Development System Authorization guidelines:  #1: Limit a user’s access where their actions would cause significant problems such as damage requiring a system restoration or which would result in unnecessary additional costs. ▫ Example 1: Configurator would have display access only and would not be given change access to the SAP Switch Framework to activate enterprise extensions because some of these extensions are irreversible and if activated by a user, a system restore from backup would be required to correct the issue resulting in lost project time and additional project costs. ▫ Example 2: Configurator would not have a developer’s license as that license is an additional cost and the configurator does not have the responsibility to write custom code.  #2: Limit a user’s access where there is a separation of duty requirement. ▫ Example 1: The configurator and developer will not have authorization to release their own transports as the company has made the decision that they want a separation of duty in this area to control the transports released to the Quality Assurance system. ▫ Example 2: Roles administration and Basis administration need to be separated. Developer. ▫ Example 3: Configurator System Authorization Guidelines: Development System
  • 16. 16 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ In the Quality System, during a project, the authorization concept used is a combination of the Development System and Production System Authorization Concepts. Follow these Quality System Authorization guidelines:  #1: Limit a Project Team and Production Support Team User’s access where their actions would cause significant problems such as damage requiring a system restoration or which would result in unnecessary additional costs. • Project Team and Production Support Team Members should continue to have broad access in the Quality System  #2: Limit a Project Team/Production Support Team User’s access where there is a separation of duty requirement.  #3: Limit a Business User to the same authorization they have in their Production System.  #4: Limit a Test User to the same authorization for the position for which they were created. System Authorization Guidelines: Quality System
  • 17. 17 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ In the Production System, the Authorization Concept used is dependent upon the state of the Production System. For the purpose of this document, the three states are: 1. Before Production Go-Live  The Project Team will execute Mock Cutovers and validate the results of those Mock Cutovers.  The Business Users will execute Smoke Tests to validate that the business processes are working as expected after a Mock Cutover is completed. 2. During Cutover for Production Go-Live  The Project Team will execute the Production Go-Live Cutover and validate the results.  The Business Users will execute Smoke Tests to validate that the business processes are working as expected. 3. After Production Go-Live  The Production Support Team will investigate Production Defects.  The Business Users will execute the in scope business processes. System Authorization Guidelines: Production System
  • 18. 18 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ Before Production Go-Live Project Team members: should have the access needed to execute the Mock Cutover Activities that they are responsible for. Business Users: should have authorization equivalent to their Production System access in order to execute Smoke Tests. Production Support Team members: should have access to the various firefighter user ids and use them to troubleshoot any issues identified during Mock Cutover where Production System access beyond a normal Business User is required. Follow these Production System (Before Production Go-Live) Authorization guidelines:  #1: Limit the Project Team Users’ access to only those needed for them to execute their Mock Cutover Activities.  #2: Limit the Business Users’ access to their Production System access.  #3: Limit the Production Support Team Users’ access to only those firefighter roles created for troubleshooting issues. System Authorization Guidelines: Production System
  • 19. 19 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ During Cutover for Production Go-Live Project Team members: should have the access needed to execute and validate that the Production Go-Live Cutover Activities that they are responsible for have been properly performed. Business Users : should have authorization equivalent to their Production System access in order to execute Smoke Tests to confirm that the system is functioning properly after the Project Team has validated that the Cutover Activities supporting the Business Process are successfully completed. Production Support Team members: should confirm that the firefighter user ids provide the designed access for troubleshooting in the Production System. Follow these Production System (During Cutover for Production Go-Live) Authorization guidelines:  #1: Limit a Project Team User’s access to only those needed for them to execute and validate their Production Go-Live Cutover Activities.  #2: Limit a Business Users access to their Production System access.  #3: Temporarily allow the Production Support Team members to use their various firefighter user ids to confirm that they provide the desired access for troubleshooting. System Authorization Guidelines: Production System
  • 20. 20 CUSTOMER © 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ After Production Go-Live Project Team members: should not have any project related access to the Production System. Business Users: should have their normal Production System access in order to execute any in- scope business processes for which they are responsible. Production Support Team members: should not have any project related access to the Production System but would be able to utilize the firefighter user ids for limited periods of time in order to troubleshoot issues identified by Business Users in the Production System. Follow these Production System (After Production Go-Live) Authorization guidelines:  #1: Remove a Project Team User’s access related to any project specific activities.  #2: Provide the Business User with their normal Production System access.  #3: Temporarily allow the Production Support Team members to use their various firefighter user ids only when an issue is identified in the Production System by the Business Users that needs investigated in that System. System Authorization Guidelines: Production System
  • 22. © 2020 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/copyright for additional trademark information and notices. www.sap.com/contactsap Follow us
  • 23. www.sap.com/germany/contactsap © 2020 SAP SE oder ein SAP-Konzernunternehmen. Alle Rechte vorbehalten. Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durch SAP SE oder ein SAP-Konzernunternehmen nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden. Die von SAP SE oder deren Vertriebsfirmen angebotenen Softwareprodukte können Softwarekomponenten auch anderer Softwarehersteller enthalten. Produkte können länderspezifische Unterschiede aufweisen. Die vorliegenden Unterlagen werden von der SAP SE oder einem SAP-Konzernunternehmen bereitgestellt und dienen ausschließlich zu Informationszwecken. Die SAP SE oder ihre Konzernunternehmen übernehmen keinerlei Haftung oder Gewährleistung für Fehler oder Unvollständigkeiten in dieser Publikation. Die SAP SE oder ein SAP-Konzernunternehmen steht lediglich für Produkte und Dienstleistungen nach der Maßgabe ein, die in der Vereinbarung über die jeweiligen Produkte und Dienstleistungen ausdrücklich geregelt ist. Keine der hierin enthaltenen Informationen ist als zusätzliche Garantie zu interpretieren. Insbesondere sind die SAP SE oder ihre Konzernunternehmen in keiner Weise verpflichtet, in dieser Publikation oder einer zugehörigen Präsentation dargestellte Geschäftsabläufe zu verfolgen oder hierin wiedergegebene Funktionen zu entwickeln oder zu veröffentlichen. Diese Publikation oder eine zugehörige Präsentation, die Strategie und etwaige künftige Entwicklungen, Produkte und/oder Plattformen der SAP SE oder ihrer Konzernunternehmen können von der SAP SE oder ihren Konzernunternehmen jederzeit und ohne Angabe von Gründen unangekündigt geändert werden. Die in dieser Publikation enthaltenen Informationen stellen keine Zusage, kein Versprechen und keine rechtliche Verpflichtung zur Lieferung von Material, Code oder Funktionen dar. Sämtliche vorausschauenden Aussagen unterliegen unterschiedlichen Risiken und Unsicherheiten, durch die die tatsächlichen Ergebnisse von den Erwartungen abweichen können. Dem Leser wird empfohlen, diesen vorausschauenden Aussagen kein übertriebenes Vertrauen zu schenken und sich bei Kaufentscheidungen nicht auf sie zu stützen. SAP und andere in diesem Dokument erwähnte Produkte und Dienstleistungen von SAP sowie die dazugehörigen Logos sind Marken oder eingetragene Marken der SAP SE (oder von einem SAP-Konzernunternehmen) in Deutschland und verschiedenen anderen Ländern weltweit. Alle anderen Namen von Produkten und Dienstleistungen sind Marken der jeweiligen Firmen. Zusätzliche Informationen zur Marke und Vermerke finden Sie auf der Seite www.sap.com/corporate/de/legal/copyright.html. SAP folgen auf