🔐 SASA. Curriculum Design - SAP Security Architecture

This curriculum distils the author's overall experience as an Enterprise Architect in SAP Security into a practical, modular course framework. Each theme covers a focused area of SAP Security, from user administration to compliance auditing. It is a foundational-level curriculum.

🎯 Course Overview

#   Theme                                                   Focus Area
1   User Master Record Fundamentals & Management            Identity & Access Foundation
2   Authorization Design & The Profile Generator (PFCG)     Role Architecture & Security Design
3   Development & Transactional Security                    Code Security & Access Control
4   Segregation of Duties (SoD) & Governance                Compliance & Risk Management
5   Handling Upgrades & Conversions                         Security Continuity
6   Auditing & Continuous Compliance                        Monitoring & Governance

📘 Theme 1: User Master Record Fundamentals & Management

Focus: Foundational tasks for user administrators, namely accurate identification and efficient daily maintenance.

Learning Topics

🔖 Identification & Naming
  • Establishing sustainable SAP User ID naming conventions (e.g., using personnel numbers)
  • Simplifying long-term user management
🔖 Data Accuracy
  • Improving user record accuracy using hidden fields in Transaction SU01
  • Practical application for companies without SAP HCM
🔖 Efficient Maintenance
  • Using BAPIs (e.g., BAPI_USER_CHANGE) for programmatic updates
  • Transaction SU10 for mass maintenance of user master records and address data
🔖 Authentication Control
  • Customizing rules for automatically generated passwords
  • Balancing complexity requirements with user-friendliness

πŸ› οΈ Key Transactions

  • SU01 β€” User Maintenance
  • SU10 β€” Mass User Maintenance

📘 Theme 2: Authorization Design & The Profile Generator (PFCG)

Focus: Technical side of creating and maintaining roles to ensure a sustainable security concept.

Learning Topics

🔖 Sustainable Naming
  • Implementing a "pattern language" for role names
  • Identifying module, role type (template, derived, composite), and access mode (management, edit, view)
🔖 Role Architecture
  • Job role template concept
  • Maintaining alignment between template job roles and localized (derived) job roles
🔖 Technical Optimization
  • Permanently enabling technical name views in Transaction PFCG
  • Simplifying troubleshooting and understanding of authorization trees
🔖 Mass Adjustments
  • Using standard programs (e.g., SUPRN_REGENERATE_DEPENDENT)
  • Mass-adjusting derived roles to keep them aligned with parent roles

πŸ› οΈ Key Transactions

  • PFCG β€” Profile Generator / Role Maintenance

📘 Theme 3: Development & Transactional Security

Focus: Securing custom ABAP code and managing how users access various system functionalities.

Learning Topics

🔖 Code Validation
  • Using the Code Inspector (Transaction SE38) to scan ABAP code for backdoors or security holes
  • Pre-production security scanning practices
🔖 Restricting Access
  • Using Transaction SHD0 to create transaction variants
  • Hiding buttons or setting static values when standard authorizations are insufficient
🔖 Managing Called Transactions
  • Using Transaction SE97 to control and block transactions called indirectly
  • Managing the CALL TRANSACTION statement
🔖 Parameter Transactions
  • Avoiding direct access to critical transactions (like SE16 or SE38)
  • Defining parameter transactions for specific programs or tables

πŸ› οΈ Key Transactions

  • SE38 β€” Code Inspector
  • SHD0 β€” Transaction Variants
  • SE97 β€” Transaction Call Authorization

📘 Theme 4: Segregation of Duties (SoD) & Governance

Focus: Using SAP GRC Access Control to manage risks and ensure compliance with internal and external policies.

Learning Topics

🔖 Risk Analysis
  • Tailoring ad-hoc analysis using custom groups
  • New selection criteria available in SAP GRC 10.0
🔖 Emergency Access
  • Defining a structured firefighter user ID naming method
  • Identifying emergency users and improving log collection performance
🔖 Role Management
  • Organizational-Level Mapping in GRC 10.0
  • Using the new "Business Role" type to simplify role derivation and abstraction
🔖 Clean Systems
  • Using standard reports to identify and remove invalid mitigation controls
  • Keeping mitigation tables accurate

πŸ› οΈ Key Tools

  • SAP GRC Access Control 10.0
  • Firefighter / Emergency Access Management

📘 Theme 5: Handling Upgrades & Conversions

Focus: Strategies for maintaining authorizations during release upgrades and transitioning from older security models.

Learning Topics

🔖 Transaction SU25 Mastery
  • Understanding critical steps of SU25 (e.g., step 2c for authorization merging)
  • Preparing roles in advance to avoid errors during upgrades
🔖 Conversion Strategies
  • Using Transaction SU25 step 6 to convert obsolete manual profiles
  • Transitioning to modern, role-based authorizations
🔖 Transaction Mapping
  • Identifying and managing new transaction codes introduced in upgrades
  • Browsing Table PRGN_CORR2 for delta transactions
🔖 Change Communication
  • Alerting end users to new password rules (e.g., case sensitivity)
  • Using static logon screen messages via Transaction SE61

πŸ› οΈ Key Transactions

  • SU25 β€” Authorization Profile Upgrade
  • SE61 β€” Document Maintenance (Logon Screens)
  • Table PRGN_CORR2

📘 Theme 6: Auditing & Continuous Compliance

Focus: Monitoring system activity and preparing documentation for periodic reviews.

Learning Topics

🔖 Audit Logging
  • Configuring the Security Audit Log (Transactions SM19/SM20N)
  • Monitoring superuser activity and customizing event classifications
🔖 Table & Change Tracing
  • Activating table logging to track changes to critical custom tables
  • Configuring change documents for security organization structures
🔖 Usage Statistics
  • Using Transaction ST03N workload statistics
  • Identifying unused roles and ensuring users have minimum authorizations
🔖 Revalidation Documentation
  • Using pivot tables and specialized queries (e.g., via Transaction SQVI)
  • Delivering understandable data to business owners for annual revalidation

πŸ› οΈ Key Transactions

  • SM19 / SM20N β€” Security Audit Log
  • ST03N β€” Workload Monitor
  • SQVI β€” QuickViewer

📋 Course Design Notes

This curriculum follows an activity-based, emergent learning approach, bridging theoretical SAP security concepts with real-world application scenarios.

Design Element        Detail
Format                Workshop / Bootcamp / Self-Paced
Duration              6 modules × 2–4 hours each
Delivery Mode         Virtual / Blended
Target Audience       SAP Basis Admins, Security Consultants, GRC Specialists, Auditors
Assessment            Kahoot-based quizzes per theme
Certification Track   Track 09: certification-aligned

Curriculum derived from SAP Security Architecture book content, converted to a 6-theme course structure.