swsrl posted on 2015-9-21 12:52:29

A Conversation on SAP Authorizations

  Through SUIM we can see some of the SAP security objects inside the system.
  
  Forum dialogue:
  SAP authorization management mainly involves a few concepts: profile, role, and authorization objects.
  
  I don't quite understand how SAP implements authorization management. For example, when you create a new user, how do the role and the profile perform access control, and what is the relationship between them?
  
  The real access control should be the profile, right? How does it carry out the authorization check? For example, when you use a tcode, how does the system check whether you hold a valid authorization?
  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

  It is exactly the other way around: role -> domain name, profile -> IP address.
  
  A role can be understood from the actual business perspective and should be designed as the "smallest single work role". For example, a warehouse clerk work role is probably too coarse-grained; it could be designed as finished-goods warehouse clerk, raw-materials warehouse clerk, ... or even as finished-goods warehouse shipper, finished-goods warehouse receiver, finished-goods warehouse stock counter, ...
  
  A composite role is merely a way of maintaining and managing roles.
  
  A profile is the technical concept in SAP authorization management used to manage the actual authorizations (the values of authorization objects). It can be generated by the system from role maintenance, or maintained manually.
  
  An authorization object can generally be defined as the authorization needed to operate on a certain business element. For example, if operations on company codes need to be access-controlled, a corresponding authorization object is needed.
  
  An authorization object is made up of several authorization fields. In other words, the authorization fields define the operational attributes of the authorization object.
  Continuing the example above: if a "company code" authorization field is created in the company-code authorization object, then that object can provide control over specific company codes.
  If an activity field (usually ACTVT) is added as well, then access can be controlled down to performing a certain operation (such as change) on a certain company code (such as 0001).
  
  Put simply:
  Role -> a role in the actual work
  Profile -> the technical role in authorization management
  authorization object -> the object on which authorizations are maintained and checked
  authorization field -> the smallest unit of authorization management; which authorization fields an authorization object has, and how many, determines the object's characteristics and granularity.
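An added illustration of the check described above, not code from the original post: it models in Python how an authority check on an authorization object with a company-code field and an ACTVT field is evaluated against the authorizations a user holds through roles and their generated profiles. The object name Z_COMPANY_CODE and the sample roles are constructed assumptions; BUKRS is SAP's company-code field name, and ACTVT values 02 and 03 are change and display.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization: concrete field values for one authorization object,
    as found in a profile that was generated from a role."""
    obj: str
    fields: dict  # field name -> set of allowed values; "*" means any value


@dataclass
class Role:
    name: str
    authorizations: list


def value_allowed(allowed, value):
    return "*" in allowed or value in allowed


def authority_check(roles, obj, **checked):
    """Mimics how an authority check on `obj` is evaluated for a user:
    it succeeds only if a SINGLE authorization for that object matches
    ALL checked fields. Values are never combined across authorizations."""
    for role in roles:
        for auth in role.authorizations:
            if auth.obj != obj:
                continue
            if all(value_allowed(auth.fields.get(f, set()), v) for f, v in checked.items()):
                return True
    return False


def sample_roles():
    # Constructed sample roles; Z_COMPANY_CODE is a hypothetical object name
    # with SAP's company-code field BUKRS and the activity field ACTVT.
    return [
        Role("company 0001 viewer",
             [Authorization("Z_COMPANY_CODE", {"BUKRS": {"0001"}, "ACTVT": {"03"}})]),
        Role("company 0002 accountant",
             [Authorization("Z_COMPANY_CODE", {"BUKRS": {"0002"}, "ACTVT": {"02", "03"}})]),
    ]


if __name__ == "__main__":
    roles = sample_roles()
    # Display on 0001: granted by the first role.
    print(authority_check(roles, "Z_COMPANY_CODE", BUKRS="0001", ACTVT="03"))  # True
    # Change on 0001: "0001" sits in one authorization and "02" in another,
    # but no single authorization grants both, so the check fails.
    print(authority_check(roles, "Z_COMPANY_CODE", BUKRS="0001", ACTVT="02"))  # False
```

The second check is the point worth remembering when designing roles: field values are only matched inside one authorization, so granting a company code in one role and an activity in another does not add up to that activity on that company code.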