As all of us know, SAP is an example of Enterprise Resource Planning software. However, a lot of beginning security consultants are so taken up with familiarising themselves with “creating roles and users” that they lose sight of the fact that security exists to support the various enterprise functions of the SAP solutions. Today, as I write the hundredth post of my hobbyist blog, I am starting a new section to capture all things functional. Although a beginning security analyst can get by with just knowing core security concepts, it's always expected that we understand the tools that SAP provides for securing functional data and applications.
I will start this series of posts on SAP functional security by talking about the Enterprise Structure. The Enterprise Structure, as the name indicates, is a description of how the organisation implementing a particular SAP instance is structuring its business within SAP. Building the enterprise structure is one of the main jobs of the functional consultant and something that gets decided in the blueprinting phase of an SAP implementation. While it is certainly possible to add to the enterprise structure later on, a complete redesign of the enterprise structure creates a lot of challenges in reconciling the new with the old. While a security analyst is rarely present in the design discussions around the enterprise structure, we should understand the structure and use our knowledge in the subsequent security design. A lot of the organizational levels that are used in roles are determined by the values of the enterprise structure.
The enterprise structure is accessed via the implementation guide (transaction SPRO). It is divided first into sections for the definition and the assignment of the enterprise structure. Each of these sections is further divided into sections for the different functional areas like Finance, Sales and Distribution, and Human Resources Management.
It's not necessary that all the functional areas seen here be implemented in a particular SAP instance. For example, a large number of companies either don’t implement SAP HR in the same instance as the other areas or don’t use SAP at all for their HCM functions.
Each of the main functional areas has a number of nodes under it to configure its different organisational elements. For Finance these elements can be something like the company code, for logistics it would be plants and for sales it would be the sales organization, distribution channel and sales group (together called the sales area).
Once the distinct elements of the Enterprise Structure are defined, the next step is to create the relationships between the various elements. These options are available under the Assignment node within the Enterprise Structure. These relationships should also be remembered when setting up the organizational level values in roles. For example, a typical SAP transaction would touch more than one of the many enterprise elements, and we should always aim to have the values we maintain in roles mirror the structure built in the IMG.
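One way to check that role values mirror the structure, as an added example that is not part of the original post: it assumes the plant-to-company-code assignment and each role's organizational level values have already been exported to plain data. The role names and all values are constructed; `BUKRS` and `WERKS` are the SAP field names for company code and plant.

```python
from collections import defaultdict

# Constructed sample data (not from the original post).
# Plant -> company code, as maintained under the Assignment node of the IMG.
PLANT_TO_COMPANY_CODE = {"1000": "US01", "1100": "US01", "2000": "DE01"}

# Role org-level values as (role, org level, low, high); high is "" for single values.
ROLE_ORG_LEVELS = [
    ("Z_MM_BUYER_US", "BUKRS", "US01", ""),
    ("Z_MM_BUYER_US", "WERKS", "1000", "1100"),
    ("Z_MM_BUYER_DE", "BUKRS", "DE01", ""),
    ("Z_MM_BUYER_DE", "WERKS", "1100", ""),   # plant belongs to US01
    ("Z_MM_BUYER_DE", "WERKS", "3000", ""),   # plant not defined
    ("Z_MM_DISPLAY", "BUKRS", "*", ""),
    ("Z_MM_DISPLAY", "WERKS", "2000", ""),
]

def expand(low, high, known):
    """Resolve one low/high entry to the defined values it covers."""
    if low == "*":
        return set(known)
    if high:
        return {v for v in known if low <= v <= high}
    return {low}

def audit_roles(role_levels, plant_to_cc):
    """Return sorted (role, finding) pairs where role values disagree with the structure."""
    plants, codes, findings = defaultdict(set), defaultdict(set), set()
    known_codes = set(plant_to_cc.values())
    for role, level, low, high in role_levels:
        if low == "*":
            findings.add((role, f"{level} is unrestricted (*)"))
        if level == "WERKS":
            plants[role] |= expand(low, high, plant_to_cc)
        elif level == "BUKRS":
            codes[role] |= expand(low, high, known_codes)
    for role, role_plants in plants.items():
        for plant in sorted(role_plants):
            owner = plant_to_cc.get(plant)
            if owner is None:
                findings.add((role, f"plant {plant} is not defined in the enterprise structure"))
            elif owner not in codes[role]:
                findings.add((role, f"plant {plant} belongs to {owner}, which the role does not hold"))
    return sorted(findings)

if __name__ == "__main__":
    for role, finding in audit_roles(ROLE_ORG_LEVELS, PLANT_TO_COMPANY_CODE):
        print(f"{role}: {finding}")
```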
With this short introduction to the Enterprise Structure I would like to end this post. It's not my aim to describe the different elements of the enterprise here but just to let the security analyst know the source of the cryptic values that come up in the various SU53 screens that irate users keep sending out to us. Please keep exploring the various nodes in the Enterprise Structure!