Page 1 of 59
1. OBJECTIVE ..... 5
2. ABC CORP SAP R/3 SECURITY STRATEGY ..... 5
3. SCOPE ..... 5
4. APPROVAL PROCESS ..... 5
5. SECURING SAP CLIENTS AND SYSTEMS ..... 6
5.1 CLIENT OWNERSHIP ..... 6
5.2 DEVELOPMENT ROLE DEFINITIONS ..... 6
  Security Administrator ..... 6
  Basis Administrator ..... 6
  ABAP/4 Developer ..... 6
  Functional User ..... 7
  Client Independent Configurator ..... 7
  Client Dependent Configurator ..... 7
  Configurator ..... 7
5.3 SYSTEM SECURITY ..... 7
  Sandbox ..... 7
  Development (Dev2 010, 100) ..... 7
  Training ..... 8
  Integration ..... 8
  Production ..... 9
5.4 THE TRANSPORT SYSTEM ..... 9
6. USER GROUP SECURITY ..... 11
7. NAMING CONVENTIONS ..... 12
7.1 SAP R/3 PROFILE GENERATOR ACTIVITY GROUPS ..... 12
7.2 - ..... 13
  Authorizations ..... 13
  Single Profiles ..... 13
  Composite Profiles ..... 14
8. SAP SECURITY ORGANIZATION ..... 15
9. SAP ACCESS AUTHORIZATION/PROCESS (UNDER DEVELOPMENT) ..... 16
9.1 ..... 16
9.2 ..... 16
9.3 ADMINISTRATIVE PROCEDURES FOR SAP ACCESS ..... 16
  THIS ITEM IS ON THE SECURITY TEAM'S TO-DO LIST ..... 17
10. ABC CORP SAP R/3 SECURITY ACCESS FORM ..... 18
11. LOG-ON PARAMETER ADMINISTRATION ..... 19
12. USER MASTER RECORDS ..... 20
12.1 CREATING A USER MASTER RECORD ..... 20
12.2 ADDRESS ..... 20
12.3 LOGON DATA ..... 21
  Initial Password ..... 21
  User Group ..... 21
  Valid From/Valid To ..... 21
12.4 DEFAULTS ..... 22
  Output Device ..... 22
  Print Controller Functions ..... 22
  Decimal Notation ..... 22
  Date Format ..... 22
12.5 TASK PROFILE ..... 22
12.6 PROFILES ..... 22
12.7 USER PARAMETERS ..... 23
13. PASSWORD ADMINISTRATION ..... 24
13.1
13.2
13.3
13.4
Overview
1. Objective
To ensure that SAP R/3 security provides an efficient and effective structure for ensuring the
integrity, accuracy, and availability of the information within SAP.
2. ABC Corp SAP R/3 Security Strategy
ABC Corp SAP R/3 security will be implemented through the definition of security roles. Security
roles will represent jobs/positions. Each job/position will represent a logical grouping of SAP R/3
transactions required for that job/position to carry out defined business activities and responsibilities.
User access will be controlled through the assignment of roles to users. Additionally, responsibilities
will be assigned to restrict organizational access. For example, the position Material Manager will
be restricted to each plant, preventing users from creating/maintaining inventory outside of their plant
location.
3. Scope
This document contains SAP R/3 Security Development and Administration procedures. As the SAP
R/3 projects are executed, this document will require review and enhancement. The document
includes the following topics:
Objectives
SAP R/3 Security Strategy
Definitions
System and Client Security
User Group Strategy
Naming conventions
SAP Security Organization
Requesting SAP access
Security Parameter Administration
User administration
Password administration
Security administration structure
Manual security administration
Help Desk Procedures
Security Change Control
Security Monitoring
Release Impact on Security
4. Approval Process
Standard operating procedures must be properly reviewed and approved prior to production
implementation. SAP R/3 Security Administration procedures require a two-level approval process:
the SAP IT Infrastructure team, and the Business Process Team or business partner.
At this point, the Director responsible for SAP Infrastructure will conduct the first level of approval.
IT management includes two positions, the Director and the Vice President of Information Technology.
Functional User
These users have full functional access except for the following:
Basis Administration
Security Administration
Oracle Database
Client Independent Tables
Corrections and Transport System
Client Independent Configurator
This specific user will have access to configure client independent tables. This access, when
granted for a client in a system, will allow the user to make changes that impact all clients for
that particular system. The authorization object S_TABU_CLI grants the specific security for
this role. This access should be limited to key project team members.
Client Dependent Configurator
Users with this access will be able to change SAP data via the transaction SM31. The role will
require a combination of S_TCODE for SM31 and access to the authorization object
S_TABU_DIS. Granting table access should be limited to the proper authorization group.
Granting * access to the table authorization group will allow users to maintain all tables defined
in SAP, including Basis and Security related tables.
Configurator
Users will be able to access SAP's Implementation Management Guide (IMG). Access to the
IMG is required in order to configure SAP functionality. Configuration access will require a
combination of access to the IMG and client dependent table configuration.
5.3 System Security
Sandbox
The Sandbox system is primarily used for self-training and user exploration. Typically, the
Sandbox system and clients will contain these types of users:
Security Administrator
Basis Administrator
Functional User
ABAP/4 Developer
Client Independent Configurator (if necessary)
Client Dependent Configurator
Configurator
The Correction and Transport (CTS) function will be turned off in the Sandbox system. Client
independent configuration access will be allowed if there are no other clients that will be
impacted by the change. Table access will be granted but should be limited in the event that
additional controlled clients are installed on the Sandbox system.
Development (Dev2 010, 100)
The Development system is used to develop and configure an operational version of the SAP R/3
system. The Development system is the first area where functional configuration and ABAP/4
development takes place. The use of change control and detailed security roles in client 100 will
be required to ensure that all changes are properly authorized and the development process is
properly controlled.
The Development system will have the following types of users:
Basis Administrator
Security Administrator
ABAP/4 Developer
Configurator
Client Dependent Configurator
Client Independent Configurator (As required)
Functional User
Help Desk
Additionally, corrections and transport (CTS) will be turned on and users, based on their role
within the project, will be given specific CTS permissions. Permissions will be segregated into
the following categories:
Users may be assigned one or more of the aforementioned permissions. To ensure proper
change control, the ability to create a task and release requests should be segregated.
IMPORTANT: The establishment of CTS security and how it is administered will depend
on how the system landscape is set up.
Training
The SAP R/3 InfoDB Training system is used at ABC Corp. The system will be used in a
classroom setting that will consist of ABC Corp class participants and instructors from ABC
Corp and SAP.
The Training client is a pre-configured client from SAP. SAP has customized the system objects
including creating user master records and profiles. For security purposes, the pre-configured
user master records will be used for granting class participant access. User master records will
need to be configured for the instructors, security administrators, and system administrators. In
addition, a profile for changing passwords and unlocking users will be created.
Integration
This system is a controlled environment for process and integration testing. Configuration
access, including both client dependent and independent table access should be prohibited. While
there may be multiple clients within this system, each client should adhere to the same limitations
and restrictions.
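The client dependent and client independent configurator roles above hinge on two authorization objects (S_TABU_DIS with a table authorization group, and S_TABU_CLI), and the Integration paragraph says such access should be prohibited there. The following added example (not tooling from the ABC Corp document) scans a role's authorization values for those conditions. The field names ACTVT, DICBERCLS and CLIIDMAINT are the standard SAP field names for these objects and are not on the page; the role export shape and the sample role are constructed for the example.

```python
"""Scan a role's authorization values for the table-maintenance risks that
section 5 describes: wildcard table authorization groups on S_TABU_DIS and
client-independent maintenance via S_TABU_CLI. Added example; not tooling
from the ABC Corp document."""

# Standard SAP field names (assumed here, not on the page): S_TABU_DIS carries
# ACTVT and DICBERCLS (table authorization group); S_TABU_CLI carries
# CLIIDMAINT. ACTVT 02 is "change"; "*" covers every activity.
CHANGE_ACTIVITIES = {"02", "*"}

# Section 5.3 (Integration): client dependent and independent table access
# should be prohibited. Other systems only get a warning for S_TABU_CLI.
CONFIG_PROHIBITED_SYSTEMS = {"integration"}


def scan_role(role_name, system, auth_values):
    """auth_values is a list of {"object", "field", "value"} dicts, the shape
    one might export from a role (constructed for this example).
    Returns a list of (severity, text) findings; severity is "high" or "warn"."""
    findings = []
    by_object = {}
    for av in auth_values:
        by_object.setdefault(av["object"], []).append(av)
    prohibited = system.lower() in CONFIG_PROHIBITED_SYSTEMS

    # Client dependent table maintenance: S_TABU_DIS (granted with SM31).
    dis = by_object.get("S_TABU_DIS", [])
    activities = {a["value"] for a in dis if a["field"] == "ACTVT"}
    groups = {a["value"] for a in dis if a["field"] == "DICBERCLS"}
    can_change = bool(activities & CHANGE_ACTIVITIES)
    if can_change and "*" in groups:
        findings.append(("high", f"{role_name}: S_TABU_DIS change access with table "
                         "authorization group '*' allows maintenance of all tables, "
                         "including Basis and Security related tables"))
    if can_change and prohibited:
        findings.append(("high", f"{role_name}: client dependent table maintenance "
                         f"is prohibited in the {system} system"))

    # Client independent table maintenance: S_TABU_CLI affects every client.
    cli = by_object.get("S_TABU_CLI", [])
    if any(a["field"] == "CLIIDMAINT" and a["value"] in {"X", "*"} for a in cli):
        if prohibited:
            findings.append(("high", f"{role_name}: client independent table "
                             f"maintenance is prohibited in the {system} system"))
        else:
            findings.append(("warn", f"{role_name}: S_TABU_CLI changes affect all "
                             "clients of the system; limit to key project team members"))
    return findings


# Constructed sample role: SM31 plus unrestricted table maintenance.
SAMPLE_ROLE = [
    {"object": "S_TCODE", "field": "TCD", "value": "SM31"},
    {"object": "S_TABU_DIS", "field": "ACTVT", "value": "02"},
    {"object": "S_TABU_DIS", "field": "DICBERCLS", "value": "*"},
    {"object": "S_TABU_CLI", "field": "CLIIDMAINT", "value": "X"},
]

# Constructed restricted variant: change access to one authorization group only.
RESTRICTED_ROLE = [
    {"object": "S_TCODE", "field": "TCD", "value": "SM31"},
    {"object": "S_TABU_DIS", "field": "ACTVT", "value": "02"},
    {"object": "S_TABU_DIS", "field": "DICBERCLS", "value": "ZMAT"},
]

if __name__ == "__main__":
    for system in ("development", "integration"):
        for severity, text in scan_role("ZMM_CONFIG", system, SAMPLE_ROLE):
            print(f"[{severity}] {text}")
```

The same scan run against the sandbox would report only the warning, which matches the paragraph above: table access is granted there but should be limited in case further controlled clients are added.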
Create/Change/Delete Users
Re-generate Activity Groups
Assign/Change/Remove Activity Groups
Re-set Password
Lock/Unlock Users
Changes to activity groups, authorizations and profiles will be processed in the Development
system and migrated to Production using the Transport System.
5.4 The Transport System
SAP has its own self-contained change control mechanism, the Transport System. This mechanism
controls the changing and updating of information that includes: tables, process configuration,
ABAP/4 programs, screens, menus and SAP Security. The structure of the Transport System
(CTS) is critical when addressing how SAP security will be developed and administered.
CTS is used to migrate changes within a controlled and secured manner, across the entire
system landscape. CTS controls the flow of changes between Development, Integration/QA
and Production systems. It ensures that all changes are properly authorized and tested prior to
being implemented in Production.
To facilitate the use of the transport system and ensure the integrity of SAP application security,
the following procedures should be followed when designing and administering SAP security
with the SAP R/3 Profile Generator.
1. Design all activity groups centrally. It is recommended that a Security client be used as a
central repository for security configuration.
2. Production Security Administration should originate in the Security Configuration client
(150) and be transported into Production. Security Administration includes the creation or
enhancement of activity groups.
3. When the Basis team is creating new clients or systems, coordinate the copying of user
master data and activity groups. SAP categorizes activity groups as configuration within
the HR module while user master data and manual security are considered general table
data. To ensure that all security information is copied, the Basis Administrator must copy
the user master data and configuration data from the originating client.
4. Set up a new development class for all Security Administration activities, including both
manual and SAP R/3 Profile Generator initiated work.
5. Use the same change request number from the initial creation of the activity group through
to the point of the initial generation.
6. When changing existing activity groups, use the same change request number throughout
the modification process.
7. Coordinate transports of activity groups with the Basis Administrators; these particular
transports can affect system response time.
8. Set up a transport layer that allows complete migration from the Security Configuration
client to all other systems and clients.
9.
10. Do not create and generate activity groups outside of the central security client. SAP uses a
standard numbering scheme that can conflict when transporting activity groups between
multiple clients.
User Group
Super
Super
Super
Super
Super
Super
Super
SUPER
Help Desk

Integration/QA System
Role                                 User Group
Security Administrator               Super
Basis Administrator                  Super
Functional User                      TBD
SAP* and DDIC                        SUPER
Help Desk                            Help Desk

Training System
Role                                 User Group
Security Administrator               Super
Basis Administrator                  Super
Functional User/Class Participants   TBD
SAP* and DDIC                        SUPER
Help Desk                            Help Desk

Production System
Role                                 User Group
Security Administrator               Super
Basis Administrator                  Super
Production User/Role                 TBD*
SAP* and DDIC                        SUPER
Help Desk                            Help Desk

* The structure for the production user groups will be determined in the future.
7. Naming Conventions
A standard naming convention is used to develop security activity groups, authorizations and profiles.
This standard facilitates the process of identifying access privileges.
SAP uses a standard naming convention for its own system objects and has reserved name ranges for
customer objects (i.e. customized profiles, authorizations and authorization objects). SAP requires
that the first character of a custom security activity group, authorization, profile or object be
Y or Z. In addition, an underscore (_) is not allowed in the second character
position. Following the SAP recommended naming conventions helps to ensure that customized
objects are independent of the SAP supplied objects and will not be overwritten during the import of
new SAP releases/upgrades.
7.1 SAP R/3 Profile Generator Activity Groups
The naming standards for the SAP R/3 Profile Generator will allow you to identify if it is a
development or production activity group, the module, the ABC Corp division it was designed
for, and the business role it pertains to.
NOTE: The names used for the activity group technical name and text description will be
identical to the names used for the corresponding generated profile's technical name and text
description.
Determine Activity Group Naming Standards (Site Location)
1st character
- Z to represent a custom developed activity group only to be used in
development systems.
- Y to represent a custom developed activity group used in production only.
Detail and master activity groups will start with Y.
2nd & 3rd characters - Alphanumeric, to represent the module the activity group was
designed for. See Appendix A for a list of modules.
character - Represents the division in which this role/activity group will exist.
4th to 7th characters - A four digit random number generated by the Role Definition form.
Each role will be uniquely identified and tracked using this random number. For example, if
when creating the Role Definition form for the Cell Culture Accounts Payable Clerk the
form randomly generated the number 0001, then the name would be ZOC0001__.
IMPORTANT: All ten characters must be used in the name. If all characters are not used,
the SAP R/3 Profile Generator will automatically fill the remaining spaces with underscores
(_). This automated process of filling in missing characters could make it very difficult to
administer and audit security.
Text Description: The description is to be used to further identify profiles. The first eight
characters are restricted to the convention described below. How to use the description to
further define the profiles:
1st to 4th Characters Hierarchical identifier (Company Code, Plant, Sales Org,
Warehouse, etc.). Note: Use _ALL for Master Role.
5th Character Dash Separator
6th Character Space (before beginning the free form text)
Remainder Free form text to be used for the Role description. Note: The free form
text should begin with the ABC Corp division
Example: For a Warehouse Receiving role in the Consumer Care division the
following roles could be created: (assume that the random number from
the Role Definition form is 0049)
May be replaced by responsibilities
7.2 In general, the naming standards for manual authorizations will not be used for security at ABC
Corp. However, these standards will allow you to identify whether an object is a composite profile (job
role), a simple profile (transaction in a role), or an authorization assigned to a profile. In
addition, the naming standard includes the job role and which division the authorization is for,
the SAP application area of the profile, and whether the privileges granted by the profile include
read or write access.
Authorizations
1st character - "Z" to represent an in-house customized authorization.
2nd character - Single character representing the application type (i.e. "S" for system,
"F" for Financial, "V" for Sales & Distribution, and "M" for Manufacturing [see
Technical Name of the object for standards]).
3rd character - "/" to represent an authorization.
4th to 12th characters - These 9 digits should be customized to represent the
function being given access to. Underscores can be used to separate the characters in
two strings. For example, the authorization YF/CRT_CO_01 represents the
authorization for access to post customer invoices.
Short Text - The short text of an authorization should start with the object name, and
then a description of the type of authorization represented. For example, an
authorization for object F_BKPF_BLA that has assigned activity values of 01, 02, 03,
08 (create, change, display, display change documents) and an authorization group DR
(authorization group for document type DR - Customer Invoices) should have the
following short text: F_BKPF_BLA: Auth. to maintain customer invoices.
Single profiles
1st character - Z to represent an in-house designed profile.
2nd character - Single character representing the application type (i.e. "S" for system,
"F" for Financial, "V" for Sales & Distribution, and "M" for Manufacturing [see
Technical Name of the object for standards]).
3rd character - "_" to represent a single profile.
4th to 7th characters - These 4 characters should represent the transaction being
given access. For example, the profile ZF_FB01_999 will represent complete access
to the transaction FB01.
8th character - _ to show a break between the transaction and type of access.
9th to 12th characters - These 4 characters should be used to document the
organizational access being granted for that transaction. This access should follow the
specific naming conventions documents for the ABC Corp division.
Single profile text - The text of a profile should start with the transaction being
granted access and then contain text describing the type of access (i.e. Maintain
Accntg Docs for Company Code xxx) FB01: Access to maintain A/R documents
for company xx.
Composite Profiles
1st character - "Z" to represent an in-house customized profile.
2nd and 3rd characters - Two characters representing the module for the role.
Human Resources composite profiles will start with HR, and Basis will start with
BS. Each business group will have a unique two-character identifier. Please note
that the only naming convention constraint for SAP security implementation is an "_"
in the second character position.
3rd character - ":" to represent a composite profile.
4th to 12th characters - These 9 digits should be customized to represent the role being
defined. Underscores should be used to separate versions of the role.
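The rules in sections 7, 7.1 and 7.2 are mechanical enough to check automatically before an activity group or profile is transported. The following is an added example (not tooling from the ABC Corp document) that validates the SAP customer name range (Y/Z first character, no underscore in position two), the ten-character rule and underscore padding for activity groups, and classifies manual objects by their separator. The document places the separator in the third position; this code takes the first separator after the leading Y/Z so that a two-character module code also works, which is the example's reading rather than the document's wording. The composite profile name `ZHR:AP_CLERK_01` and the activity group `YMMC0049AP` are constructed; `YF/CRT_CO_01`, `ZF_FB01_999` and `ZOC0001__` are the page's own examples.

```python
"""Naming-convention checks for custom SAP security objects (sections 7, 7.1
and 7.2). Added example; not tooling from the ABC Corp document."""

# Section 7.2: the separator character identifies the kind of manual object.
SEPARATOR_KIND = {
    "/": "authorization",
    "_": "single profile",
    ":": "composite profile",
}


def namespace_errors(name):
    """Section 7: SAP reserves names starting with Y or Z for customer objects,
    and an underscore is not allowed in the second character position."""
    if not name:
        return ["empty name"]
    errors = []
    if name[0] not in "YZ":
        errors.append("first character must be Y or Z (SAP customer name range)")
    if len(name) > 1 and name[1] == "_":
        errors.append("underscore is not allowed in the second character position")
    return errors


def activity_group_environment(name):
    """Section 7.1: Z = development-only activity group, Y = production-only."""
    return {"Z": "development", "Y": "production"}.get(name[:1], "unknown")


def activity_group_errors(name):
    """Section 7.1: all ten characters of an activity group name must be used.
    Trailing underscores mean the Profile Generator padded the name, which the
    document warns makes security hard to administer and audit."""
    errors = namespace_errors(name)
    if len(name) != 10:
        errors.append(f"name must use all 10 characters, got {len(name)}")
    if name.endswith("_"):
        errors.append("trailing underscore(s): name was padded rather than fully specified")
    return errors


def classify_manual_object(name):
    """Section 7.2: authorization ('/'), single profile ('_') or composite
    profile (':'), decided by the first separator after the leading Y/Z."""
    for ch in name[1:]:
        if ch in SEPARATOR_KIND:
            return SEPARATOR_KIND[ch]
    return "unknown"


if __name__ == "__main__":
    # Page examples plus constructed names.
    for ag in ("ZOC0001__", "YMMC0049AP"):
        print(ag, activity_group_environment(ag), activity_group_errors(ag))
    for obj in ("YF/CRT_CO_01", "ZF_FB01_999", "ZHR:AP_CLERK_01", "Z_BAD"):
        print(obj, classify_manual_object(obj), namespace_errors(obj))
```

Running the check over the page's own activity group example `ZOC0001__` reports both a length of nine and trailing underscores, which is exactly the padding situation the IMPORTANT note in 7.1 warns against.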
Access/Administrative Procedures
User name
Project/Thread
Process Team
Date Received
Date Completed
Completed By
Brief Description of Actions Taken
User Type Requested
Approvers Name
System Name
Client Number
After sending the e-mail to SAP Access, open the e-mail and file it in the appropriate folder.
9.3 Administrative Procedures for SAP Access
1. Add the SEA DB to your Lotus Notes desktop; you will only need to do this once.
2. Each morning, open the SEA DB and leave it open. This will allow everyone to be notified
when new requests are received.
3. For requests that you process (i.e. those for your Project/Thread), once the request is
processed, move the request to the respective FOLDER. Folders are listed in the SAP Access
desktop.
4. IMPORTANT: The only requests that should be processed are those still listed in the In
Box.
5. IMPORTANT: Under no circumstance should any message be deleted. All messages must
be retained and stored in the appropriate folder.
PLEASE REFER TO LOTUS NOTES EPN FOR THE CURRENT PROCEDURES
FOR REQUESTING ACCESS TO SAP SYSTEMS.
EPN > Engagement Library > Reference Documents > Program Level > Process and
Systems Integrity > Forms/Templates: SAP Access Form
Log-on Parameters
Description
login/min_password_lng
login/password_expiration_time
login/fails_to_session_end
login/fails_to_user_lock
rdisp/gui_auto_logout
auth/test_mode
auth/system_access_check_off
auth/no_check_in_some_cases
login/ext_security
auth/rfc_authority_check
login/failed_user_auto_unlock
login/no_automatic_user_sapstar
auth/no_check_on_tcode
auth/auth_number_in_userbuffer
auth/authorization_trace
auth/check_value_write_on
Value
3, 0, 3, 90, 12, 0, N, N, N, N, 0, 30 minutes, N, N, Y, N, 1, 800, N, Y, 1000, N, Y
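The parameter list above is only useful if someone periodically compares the live values against the agreed ones. The following added example (not tooling from the ABC Corp document) parses a profile-file style `name = value` dump and reports deviations from a policy table. The policy values are assumptions chosen for illustration, not the document's table, with one exception: `login/failed_user_auto_unlock = 0` follows section 15.2, which states that the automatic midnight unlock will be disabled. Parameter names are compared case-insensitively because the document lists them in mixed case; the sample profile excerpt is constructed.

```python
"""Audit SAP profile parameters against a security policy. Added example;
not tooling from the ABC Corp document."""

# Constructed policy: name -> (human-readable expectation, predicate on the
# raw string value). Only login/failed_user_auto_unlock = 0 comes from the
# document (section 15.2); the other expectations are assumptions.
POLICY = {
    "login/min_password_lng": ("at least 6", lambda v: int(v) >= 6),
    "login/password_expiration_time": ("between 1 and 90 days", lambda v: 1 <= int(v) <= 90),
    "login/fails_to_user_lock": ("at most 5", lambda v: int(v) <= 5),
    "rdisp/gui_auto_logout": ("non-zero (seconds)", lambda v: int(v) > 0),
    "login/failed_user_auto_unlock": ("0 (midnight auto-unlock disabled)", lambda v: v == "0"),
    "login/no_automatic_user_sapstar": ("1", lambda v: v == "1"),
    "auth/rfc_authority_check": ("1", lambda v: v == "1"),
}


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment. Names are lowercased."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name.lower()] = value
    return params


def audit(params, policy=POLICY):
    """Return (name, actual, expected) for every policy entry that is unset or
    violates its expectation. A non-numeric value where a number is expected
    counts as a violation rather than crashing the audit."""
    findings = []
    for name, (expected, ok) in policy.items():
        value = params.get(name)
        if value is None:
            findings.append((name, "not set", expected))
            continue
        try:
            good = ok(value)
        except ValueError:
            good = False
        if not good:
            findings.append((name, value, expected))
    return findings


def audit_text(text, policy=POLICY):
    return audit(parse_profile(text), policy)


# Constructed instance profile excerpt (mixed case on purpose).
SAMPLE_PROFILE = """\
# constructed excerpt, not a real ABC Corp profile
login/min_password_lng = 8
login/password_expiration_time = 0
Login/fails_to_user_lock = 12
rdisp/gui_auto_logout = 1800   # 30 minutes
login/failed_user_auto_unlock = 1
login/no_automatic_user_sapstar = 1
"""

if __name__ == "__main__":
    for name, actual, expected in audit_text(SAMPLE_PROFILE):
        print(f"{name}: is {actual}, expected {expected}")
```

A parameter that is absent from the dump is reported as "not set" rather than silently passing, since an unset parameter takes the SAP default, which may not be the value the policy intends.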
The following fields within the Address tab are required for ABC Corp.
Required Fields:
Form of Address
Last Name
First Name
Country for Format
Department
Building
Telephone No.
Information Required:
Mr. or Ms
User's full name
Last Name, First Name
Complete phone number, including area code or country code.
Country of the user's ABC Corp location.
User's sub-department (e.g. Accounts Payable, Order Management, etc.)
ABC Corp's building identifier (e.g. INSERT B&D EXAMPLES, etc.)
Complete phone number, including area code or country code.
User Type
SAP uses the user type field to determine what type of processing the user will need. There
are four types of users and each type will define if the user needs interactive, batch,
background, or external processing.
User Type               Description
Dialog                  Default user type used for functional system users.
BDC                     Enables the user to process batch input sessions.
Background              Allows users to process background jobs.
CPIC (CPI-C Interface)  Allows users to make external CPI-C calls from within SAP to external programs.
12.4 Defaults
Output Device
This area will display all printers that are available to that particular user. All users should be
given a default printer based on their location and naming convention. Access to printers is
controlled by S_SPO_DEV and all users require access to this authorization object in order to
print SAP documents and reports.
Print Controller Functions
The Print Immediately and Delete After Output buttons should be enabled.
Decimal Notation
The decimal notation for ABC Corp should be set to point to conform with the US
monetary formats.
Date Format
The standard date format for ABC Corp should be set to MM/DD/YYYY.
12.5 Task Profile
Information for these fields should not be added from this screen. The profile generator
(Transaction PFCG) should be used to assign access. Once the PFCG is used to assign access
to users, fields within this screen are populated with the users profile information.
12.6 Profiles
Information for these fields should not be added from this screen. The profile generator
(Transaction PFCG) should be used to assign access. Once the PFCG is used to assign access
to users, fields within this screen are populated with the users profile information.
In the event that manual security is used, which should be limited to the sandbox and
development systems, this is where the manual profiles are added/deleted for a user.
12.7 User Parameters
This tab does not contain any required fields. Users may choose to update these fields at their
own discretion. The user parameter tab allows users to manage certain key fields by
automatically defaulting information into those fields. Therefore, any time a user encounters
these fields in other transactions throughout the SAP client, the field will automatically have a
default value equal to what has been assigned in this parameter default screen. The
parameters column contains any parameter identifications (PIDs) selected for this user. (A
list of PIDs can be viewed by clicking on a box to the left of the parameters column and
subsequently clicking on the down arrow.)
Password Administration
PARA*
Delo*
Feb*
July*
NY*
DTLL*
Marc*
Augus*
NETS*
GIANTS
April*
Sept*
MONEY
GOD
May*
Oct*
Nov*
YANK*
CASH
Dec*
NewY*
Abc*
Knick*
123*
Aspir*
JETS
NEED*
Note: Each system should be analyzed and the list expanded as deemed necessary.
The Help Desk users will not be authorized to change any security configuration or assignment of
security to users.
15.1 Resetting User Passwords
Help Desk personnel will be given access to all SAP clients and systems. The individuals will
have access to reset passwords for all users, except those attached to the groups SUPER, Basis
and Security.
IMPORTANT: Only the Security Administrators and SAP* will have the ability to reset
passwords for users in the groups SUPER, Basis and Security.
15.2 Unlocking User IDs
Help Desk personnel will be given access to all SAP clients and systems to unlock users. They
will be limited to those users not assigned to the user groups SUPER, Basis and Security.
Additionally, procedures will state that Help Desk should only unlock users that have been
locked due to invalid logon attempts. Only the Security Administrator can unlock users that
have been locked by administrators. And, the SAP system profile parameter that automatically
unlocks users at midnight will be disabled.
IMPORTANT: Only the Security Administrator and SAP* will be allowed to unlock users
assigned to user groups SUPER, Basis and Security.
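The following Python model encodes the Help Desk restrictions of sections 15.1 and 15.2 as an added example; it is not part of the ABC Corp procedures and not SAP code. The users, lock reasons and requester roles are constructed; in R/3 the group restriction is what the user group attribute and authorization object S_USER_GRP enforce.

```python
"""Model of the Help Desk restrictions in sections 15.1 and 15.2.

Added example, not part of the ABC Corp procedures and not SAP code. The
users, lock reasons and requester roles are constructed; in R/3 the group
restriction is what the user group attribute and authorization object
S_USER_GRP enforce.
"""
from dataclasses import dataclass
from enum import Enum


class LockReason(Enum):
    NONE = "not locked"
    INVALID_LOGON = "locked after too many invalid logon attempts"
    ADMINISTRATOR = "locked by an administrator"


@dataclass
class User:
    user_id: str
    group: str
    lock: LockReason = LockReason.NONE


# User groups reserved for the Security Administrators and SAP*.
PROTECTED_GROUPS = {"SUPER", "Basis", "Security"}
# Requesters allowed to act on the protected groups.
SECURITY_ADMIN_ROLES = {"Security Administrator", "SAP*"}


def may_reset_password(requester_role: str, target: User) -> bool:
    """15.1: Help Desk may reset any password except for the protected groups."""
    if requester_role in SECURITY_ADMIN_ROLES:
        return True
    if requester_role == "Help Desk":
        return target.group not in PROTECTED_GROUPS
    return False


def may_unlock(requester_role: str, target: User) -> bool:
    """15.2: Help Desk may unlock only users outside the protected groups who
    were locked by invalid logon attempts; administrator locks, and any lock
    on a protected group, are reserved for the Security Administrator."""
    if target.lock is LockReason.NONE:
        return False  # nothing to unlock
    if requester_role in SECURITY_ADMIN_ROLES:
        return True
    if requester_role == "Help Desk":
        return (target.group not in PROTECTED_GROUPS
                and target.lock is LockReason.INVALID_LOGON)
    return False


def decide(requester_role: str, action: str, target: User) -> str:
    """One-line outcome for a Help Desk call, suitable for the call log."""
    allowed = {"reset": may_reset_password, "unlock": may_unlock}[action](requester_role, target)
    verdict = "allowed" if allowed else "refer to Security Administrator"
    return f"{action} {target.user_id} ({target.group}, {target.lock.value}): {verdict}"


if __name__ == "__main__":
    # Constructed sample users.
    clerk = User("ACLERK", "FINANCE", LockReason.INVALID_LOGON)
    basis = User("BADMIN", "Basis", LockReason.INVALID_LOGON)
    held = User("PTEMP", "FINANCE", LockReason.ADMINISTRATOR)
    for role, action, user in [("Help Desk", "unlock", clerk),
                               ("Help Desk", "unlock", basis),
                               ("Help Desk", "unlock", held),
                               ("Security Administrator", "unlock", held),
                               ("Help Desk", "reset", basis)]:
        print(f"{role}: {decide(role, action, user)}")
```

The lock reason is a separate input from the user group on purpose: an administrator lock on an ordinary user is the case the Help Desk must refer upward even though the group check alone would pass.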
15.3 Resolving Access Issues/Problems
In the event that a user contacts the Help Desk with a security issue, the Help Desk personnel
will follow these steps in order to efficiently and effectively process the user's request.
1) Have the user execute transaction SU53 (type this in the command box).
2) Have the user print the screen as it appears, selecting the print icon on the screen. The user
has the option of printing at their location or printing it directly to the Help Desk.
3) If printed at their location, fax the printout to the Help Desk or to the Security
Administrator. The Help Desk should have the fax number for the Security Administrator.
4) The Help Desk will also record the user id, user name, system and client where the
processing error occurred. The system and client information can be obtained at the bottom
of the user's SAP screen or by executing SYSTEM > STATUS.
5) The Help Desk will then forward the call to the appropriate Security Administrator for
resolution.
Detailed Steps/Instructions
The following detailed steps identify the specific actions to be completed, persons
responsible for the activities, clients affected and timing when creating a new activity group.
1. Create a Role Definition form for the new activity group, documenting the
transactions and/or authorization objects.
All activity groups, both development and production, must be properly documented.
Work with the person making the inquiry/request to define the new activity group. At a
minimum, the definition must identify the transactions.
Additionally, a role owner must be identified for the new activity group. The role owner
is responsible for validating any changes to the activity group once it has been configured
and implemented.
IMPORTANT: The Role Definition form is an attachment to the FastTrack Task
Design Application Security.
UNABLE TO FIND THIS FORM IN FASTTRACK, WILL CONTINUE
RESEARCHING
2. Create the new activity group in DV2, client 150.
Using the Role Definition form, configure the new activity group in client 150.
IMPORTANT: All new activity groups must be configured in client 150 and transported
to other clients, ensuring that the object number used by SAP is identical across all clients.
Follow these standard steps for creating and generating an activity group:
1. Create the activity group.
2. Document the name properly.
3. Select the transactions from the company menu.
4. Complete the authorization profile.
5. Generate the activity group using the proper naming convention (See SAP Security
Administration Standard Operating Procedures).
6. Update the tracking and testing information on the Role Definition form.
Additionally, refer to R/3 Authorizations Made Easy for assistance in using the
Profile Generator.
3. Transport the new activity group across the DV2 client landscape.
The new activity group(s) must be copied to the other clients in the Development system.
Using the Profile Generator, create a transport for the new activity group. The following
steps should be followed when transporting an activity group:
1. From within the Profile Generator, click on the Transport icon. SAP will
automatically create the transport task and request number.
2. Execute transaction SE10 Customizing Workbench.
3. View the Customizing Requests for your User Id.
4. Drill down into the Transport Request until the subsequent task numbers are all
displayed.
5. Single click on the appropriate task. With the cursor positioned on the desired task,
click the Release button on the menu bar.
6. Complete the proper documentation requirements for new security transports.
7. If more than one underlying task exists for the request, repeat Steps 5 and 6 until all
tasks have been released.
8. Once all tasks have been released, single click on the request number and then click on
the Release button on the menu bar.
9. Select the Release and Transport option; this will take the existing request and create
a transport file.
10. After SAP has released the request, review the transport log to validate that the transport
processed successfully.
11. For a valid, successful transport, prepare an e-mail to EMAIL ACCOUNT NAME
TBD in Lotus Notes. This message will be used to notify the Basis Team of the need
to transport the activity group to other clients in the DV2 system. The message
should include the transport number, clients to be impacted, timing requirements and a
brief description of the transport request.
Additionally, refer to Chapter 11 in R/3 Authorizations Made Easy for assistance in creating
and releasing transports.
4. Regenerate the activity group
Once the Basis Team has successfully applied the transport to the other clients in the
Development system, the new activity group must be re-generated.
IMPORTANT: The activity group is client dependent; it must be re-generated in
all of the clients where the transport was applied.
After regenerating the new activity group(s), the user buffers must be reset to activate the
changes.
From the SAP Main Menu:
Tools > Administration > User Maintenance > Users
Following this menu path takes you to the sub-menu for user administration. Select
Environment > Mass Changes > Reset All User Buffers
IMPORTANT: Check the message at the bottom of the screen after resetting the user
buffers. If an error occurs, contact the Basis Administrators.
IMPORTANT: If time permits, changes to development roles should originate in DV2 client
150 and be transported to the appropriate systems and clients.
Detailed Steps/Instructions
The following detailed steps identify the specific actions to be completed, persons responsible for
the activities, affected clients and timing.
1. Record the change in the Development Role Update Log (Excel Spreadsheet)
All changes, additions or deletions, must be logged. The log is used to validate and
coordinate the overall update and re-generation of the configuration activity groups.
The affected development roles should be updated in all clients. At the time of creating these
procedures, changes should be applied to the Pre-configuration Sandbox and the 010
Configuration Master.
Using the Profile Generator (transaction PFCG), perform the necessary updates to the
appropriate configuration activity group(s).
IMPORTANT: Review the System/Client landscape to ensure that all clients are being
properly updated.
3. Re-generate the affected activity group
The activity group(s) must be regenerated in all appropriate clients.
IMPORTANT: The number of clients where the transport needs to be applied may
have changed since the creation of these procedures. Review the System/Client
landscape to ensure that all clients are properly updated.
16.4 Updating General User Development Role
There are four separate configuration teams using the P3 Thread Development System (DV2).
The General User role is used and assigned by/to all four teams. Changes to all
development roles must originate in the Security Configuration Client (client 150).
The size of the General User role, including the number of transactions, authorizations and profiles,
requires that changes be handled in a manner that ensures they are easily applied to clients
and users.
All changes to the General User role will follow five steps:
1. Record the change in the General User Update Log (Excel Spreadsheet)
2. Add the appropriate transaction(s) or authorization object(s) to the SAMPLETBD activity
group
3. Re-generate SAMPLETBD
4. Reset User Buffers
5. Coordinate scheduling of TBD update and re-generation
IMPORTANT: If time permits, changes to development roles should originate in client 150 and
be transported to subsequent systems and clients.
Detailed Steps/Instructions
The following detailed steps identify the specific actions to be completed, persons responsible for
the activities, affected clients and timing.
1. Record the change in the General User Update Log (Excel Spreadsheet)
All changes, additions or deletions must be logged. The log is used to validate and coordinate
the overall update and re-generation of the General User role.
An Excel spreadsheet is stored on
TBD
Update the log with the following information:
Date of Change
Role Changed
Team/Person Requesting Changes
Description of Change
Transaction (added or deleted)
Authorization Object (added or deleted)
PSI Security Administrator Processing Change
Date Applied to Client 150
Transport Number
IMPORTANT: The number of clients where the transport needs to be applied may have
changed since the creation of these procedures. Review the System/Client landscape to ensure
that all clients are properly updated.
16.5 Creating/Maintaining Authorizations and Profiles
In general, manual authorizations and profiles will not be used at ABC Corp. Security
development and administration will be handled through the use of the SAP R/3 Profile
Generator. The following guidelines should be followed for manual SAP security development.
Note: If adding or changing an authorization that is incorporated in an existing profile, the user
must log off and log on after the new access has been assigned for the update to be applied.
IMPORTANT: Prior to creating and applying the transport, verify the settings for table T77TR
in all destination clients. Two entries should exist, T 1001 A007 and T 100 B007. These
entries will prohibit the transporting of relationships.
Detailed Steps/Instructions
The following detailed steps identify the specific actions to be completed when transporting
activity groups.
IMPORTANT: Additional information regarding the screens and transactions used to transport
activity groups is available in Chapter 11 of R/3 System Authorizations Made Easy.
1. Identify the activity group(s) to be transported.
Based on your recent activity group modifications or configurations, identify the activity
groups that need to be transported.
It is recommended that you group the activity groups into a single transport, but be aware of
the size of the activity groups. DO NOT TRANSPORT GENERAL USER WITH ANY
OTHER ACTIVITY GROUPS.
Additionally, consider the number of users, systems and clients affected by the transport.
All of this information should be considered when determining the grouping structure of activity
group(s) to transport.
2. Identify the systems and clients to be updated.
Identify the systems and clients where the transport should be applied. All security related
transports should originate from DV2 Development system, client 150.
At a minimum, transports should be applied to DV2 client 010 (development), U3Q client 010
(Integration) and U3P client 010 (Production).
IMPORTANT: At the time of creating these procedures, U3Q and U3P have not been
installed. These systems represent the Integration System and Production system. Client 010
is the number for the Development Configuration Master client. This number may change
based on the system/client landscape.
3. Create and document the transport for the activity group(s).
Using the Profile Generator, create the transport for the identified activity groups.
If transporting more than one activity group, use the same transport number created for the
first activity group.
For example, if transporting activity groups YDXXTEST1 and YDXXTEST2, SAP will
create a transport number, DV2K9000011, for the first activity group. When transporting the
second activity group, either select or type the transport number assigned to the first activity
group.
Additionally, refer to Chapter 11 in R/3 Authorizations Made Easy for assistance in creating
and releasing transports for multiple activity groups.
IMPORTANT: All security related transports must be properly logged in the document
??????????????
Update the log with the following information:
Date Transport Created
Transport Number
Description of Transport
Activity Group Affected
Originating System and Client
Destination System and Client
Processed by (PSI)
Transport Validated Working in Destination
4. Release the transport in SAP.
Once the transport has been successfully created, it must go through the proper
release process in the Transport Management System (TMS).
SAP categorizes activity groups as Customizing; execute transaction
SE10 Customizing Organizer and display the transports listed under your user name.
SAP groups the transport information into a task and a request. In order to transport the
activity group, all tasks associated with the request must be properly released. Once all tasks
have been released, the request can be released.
When the request is released, the activity groups have been transported. Contact the Basis
Team.
5. Contact the Basis Team.
The Basis Team will perform the actual application of the transport to the destination
system(s) and client(s).
Prepare an e-mail, addressed to P3 SAP Basis Team. The e-mail should contain the
following information:
Transport Number
Systems where the transport should be applied (e.g. DV2)
Clients that the transport should be applied to (e.g. 003, 010)
Description of the change
Timing requirements: Urgent, please apply immediately, end-of-day, etc.
Your phone number
Additionally, copy (CC:) the other PSI Security Administrator to make them aware of the
transport.
Transaction Security
19.2 Identify and Configure Check Object Security (transaction SE93 and table TSTCA).
The following steps should be followed when defining a check object:
1. Review the existing authorization objects to determine the ability to use an SAP supplied
authorization object.
2. If necessary, create the new authorization object. New objects must be defined in table
TOBJ. Work with the SAP Security Administrator to create new authorization objects.
3. Define the authorization values required to execute the transaction. Each authorization
object can have up to ten fields. In defining the check object, a value must be specified for
at least one field.
4. Execute transaction SE93 to create the check object.
5. Enter the new transaction code and click on the Maintain icon. SAP will display a screen
that shows the transaction code, program name, screen number and check object. The
check object field may be blank for new transactions.
6. Enter the authorization object selected to be the check object.
7. Enter the authorization values for the check object. Click on the value button for the check
object; SAP will display a pop-up screen with the fields defined for the selected authorization
object. Enter the values in the required fields. Values can be entered in one or all of the
fields.
IMPORTANT: In defining and configuring custom transaction security requirements, the ABAP/4
Developer should work with the SAP Security Administrator to properly define and configure the
security requirements.
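The following Python model shows what the SE93 check object configured above actually decides at transaction start. It is an added example, not SAP code and not part of the ABC Corp procedures, and follows the rules stated in this section and in the Appendix C glossary: an authorization object has 1 to 10 fields, a check object must supply a value for at least one of them, and the check passes only if a single authorization held by the user covers every checked field (AND logic). The object Z_PAYROLL, transactions ZPAY1/ZPAY2 and all users and values are constructed; S_TCODE with its field TCD is the standard object checked on every transaction start.

```python
"""Model of the transaction start check configured in SE93 (table TSTCA).

Added example, not SAP code and not part of the ABC Corp procedures. It
follows the rules stated above and in the Appendix C glossary: an
authorization object has 1 to 10 fields, a check object must supply a value
for at least one of them, and the check passes only if a single authorization
held by the user covers every checked field (AND logic). The object Z_PAYROLL,
transactions ZPAY1/ZPAY2 and all users and values are constructed; S_TCODE with
its field TCD is the standard object checked on every transaction start.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AuthorizationObject:
    name: str
    fields: List[str]  # 1 to 10 field names

    def __post_init__(self) -> None:
        if not 1 <= len(self.fields) <= 10:
            raise ValueError(f"{self.name}: an authorization object has 1 to 10 fields")


@dataclass
class Authorization:
    """A value set for one object; '*' in a field grants every value."""
    obj: str
    values: Dict[str, List[str]]


@dataclass
class CheckObject:
    """TSTCA entry: object checked on transaction start and the required values."""
    obj: str
    required: Dict[str, str]

    def __post_init__(self) -> None:
        if not self.required:
            raise ValueError("a check object needs a value in at least one field")


def check_fits_object(check: CheckObject, obj: AuthorizationObject) -> bool:
    """The check object may only reference fields defined on the object."""
    return check.obj == obj.name and set(check.required) <= set(obj.fields)


def _field_covers(granted: List[str], needed: str) -> bool:
    return "*" in granted or needed in granted


def authorization_satisfies(auth: Authorization, obj: str, required: Dict[str, str]) -> bool:
    """AND logic: one authorization must cover every required field."""
    if auth.obj != obj:
        return False
    return all(_field_covers(auth.values.get(f, []), v) for f, v in required.items())


def user_has(buffer: List[Authorization], obj: str, required: Dict[str, str]) -> bool:
    """True if any single authorization in the user's buffer satisfies the check."""
    return any(authorization_satisfies(a, obj, required) for a in buffer)


def may_start_transaction(tcode: str, check: Optional[CheckObject],
                          buffer: List[Authorization]) -> bool:
    """S_TCODE is always checked; the SE93 check object only if one is configured."""
    if not user_has(buffer, "S_TCODE", {"TCD": tcode}):
        return False
    if check is None:
        return True
    return user_has(buffer, check.obj, check.required)


# Constructed objects, check objects and user buffers.
Z_PAYROLL = AuthorizationObject("Z_PAYROLL", ["ACTVT", "BUKRS"])
ZPAY1_CHECK = CheckObject("Z_PAYROLL", {"ACTVT": "03", "BUKRS": "1000"})
ZPAY2_CHECK = CheckObject("Z_PAYROLL", {"ACTVT": "03", "BUKRS": "2000"})

CLERK = [
    Authorization("S_TCODE", {"TCD": ["ZPAY1", "FB01"]}),
    Authorization("Z_PAYROLL", {"ACTVT": ["03"], "BUKRS": ["1000"]}),
]
# Display on company 1000 and change on company 2000 are two separate
# authorizations, so neither one covers display (03) on company 2000.
AUDITOR = [
    Authorization("S_TCODE", {"TCD": ["ZPAY1", "ZPAY2"]}),
    Authorization("Z_PAYROLL", {"ACTVT": ["03"], "BUKRS": ["1000"]}),
    Authorization("Z_PAYROLL", {"ACTVT": ["02"], "BUKRS": ["2000"]}),
]

if __name__ == "__main__":
    print("clerk ZPAY1:", may_start_transaction("ZPAY1", ZPAY1_CHECK, CLERK))
    print("auditor ZPAY2:", may_start_transaction("ZPAY2", ZPAY2_CHECK, AUDITOR))
```

The AUDITOR buffer is the case worth remembering when reviewing check objects: values are not pooled across authorizations, so two partial authorizations do not add up to the combination the check object demands.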
Internet Security
ALE Security
Output/Spool Security
Security Monitoring
Transaction / Screen Name
SA38 - ABAP: Execute Program
SE38 - ABAP Editor: Initial Screen
SUIM - Display Report Tree
Transactions SA38 and SE38 require use of the report name (as listed in the following table).
Transaction SUIM leads the user through the repository information report tree.
The following procedures are standard security monitoring activities. In addition to performing
these tasks, the results of the monitoring procedure should be documented and retained in order to
provide a useful audit trail.
Columns: No. | Objective | Monitoring Procedure | Report or Transaction | Recommended Frequency | System | Client | Completed By (Who/Date). The System, Client and Completed By columns are blank, to be filled in each time the procedure is performed.

No. 1
Objective: Ensure invalid login attempts are properly reviewed.
Monitoring Procedure: The report lists, for each client within the system, all users with invalid login attempts and those users locked either by Security Administrators or by too many invalid password attempts. Review the report to identify any inconsistencies or patterns.
Report or Transaction: RSUSR006
Recommended Frequency: Daily

No. 2
Objective: Ensure changes to passwords are properly authorized.
Monitoring Procedure: Review password change documents for key users, including SAP*, DDIC, Basis and Security Administrators. The ability to reset passwords should be limited to Basis and Security Administrators, and Help Desk users. (Choose header data and passwords for desired user ids.)
Report or Transaction: RSUSR100
Recommended Frequency: Weekly

No. 3
Monitoring Procedure: For each system, review the key security related system profile parameters. The parameter values should be configured according to the recommended values in Section 11 Logon Parameter Administration in the SAP R/3 Security Administration Standard Operating Procedures. Additionally, these parameters should be consistently set for all SAP systems. Refer to Section 11 Log-on Parameter Administration.
Report or Transaction: RSPARAM
Recommended Frequency: Bi-weekly

No. 4
Monitoring Procedure: For selected key users, including Basis and Security Administrators, execute the report and review the change history. Review the date of changes and who made the changes. Changes should be limited to other Basis or Security Administrators.
Report or Transaction: RSUSR100, RSUSR101, RSUSR102
Recommended Frequency: Bi-weekly

No. 5
Monitoring Procedure: Review the users that have access to change within the authorization objects S_USER_GRP, S_USER_AUT and S_USER_PRO. Access to change within these objects should be limited to Security Administration team members. The Basis team should have the ability to reset passwords for all user groups except SUPER and Security. The ability to display can be given to any user.
Report or Transaction: RSUSR040 (author's note: how to efficiently accomplish this task is questionable.)
Recommended Frequency: Bi-weekly

No. 6
Monitoring Procedure: Review the report and verify that the passwords for SAP* and DDIC have been changed for all clients. The report shows all of the clients defined to the system. SAP* and DDIC passwords should be consistently maintained on all clients. (Choose header data and passwords for desired user ids.)
Report or Transaction: RSUSR100
Recommended Frequency: Monthly

No. 7
Monitoring Procedure: Check for transactional access to security administration.
Report or Transaction: RSUSR002
Recommended Frequency: Monthly
No. 8
Objective: ... transactions is properly secured.
Monitoring Procedure: Execute report RSUSR010 and check for transactions PFCG, SU01, SU02, SU03 and SU05. They control access to the profile generator, user administration, profile administration, authorization maintenance and internet user administration.
Report or Transaction: RSUSR010

No. 9
Monitoring Procedure: Review the users that have table access for both client independent and client dependent tables (S_TABU_CLI and S_TABU_DIS). Access to maintain tables should be coordinated with the Basis Team. Table access needs to coincide with the ability to perform configuration. Client independent table access should be restricted to key process team members and to Basis team members. Client independent table access should be limited to the Sandbox and to the Configuration Master clients within the Development box.
Report or Transaction: RSUSR040
Recommended Frequency: Monthly

No. 10
Monitoring Procedure: Review the users defined for all clients and systems. Each user should be assigned to a valid pre-approved user group. Refer to Section 6 User Group Security for approved user groups.
Report or Transaction: RSUSR002
Recommended Frequency: Monthly

No. 11
Monitoring Procedure: Execute the ABAP/4 program and select the address fields: first name, name field 1, building name, street, city, location, department, phone, extension and country key. Review the user master records to ensure all users have the required address information properly formatted. This activity should be completed for each system; the report analyzes all of the clients within a system.
Report or Transaction: USR03
Recommended Frequency: Monthly

No. 12
Monitoring Procedure: Verify the data contained in table USR40. This table contains ABC Corp specific impermissible password settings.
Report or Transaction: SE16
Recommended Frequency: Semi-annually

No. 13
Monitoring Procedure: Review the configuration and activation of the SAP R/3 Profile Generator. Review the documentation in the Enterprise IMG to ensure all configuration steps have been successfully completed. This activity should focus on new systems.
Report or Transaction: SPRO
Recommended Frequency: Semi-annually
Continuation row (only the objective fragment survived the page break):
Objective: ... users) are appropriately restricted.
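Two of the monitoring procedures above, No. 1 (invalid logon review, RSUSR006) and No. 3 (logon profile parameters, RSPARAM), carried out in Python over constructed data as an added example; this is not part of the ABC Corp procedures and not SAP code. The record layouts are constructed for this example and are not the real RSUSR006 or RSPARAM output. The expected parameter values stand in for the Section 11 values, which are not reproduced here, except that login/failed_user_auto_unlock = 0 (automatic unlock at midnight disabled) is what section 15.2 requires.

```python
"""Two checks from the monitoring table above, run over constructed data:
the daily review of invalid logon attempts and locks (No. 1, RSUSR006) and the
bi-weekly comparison of logon profile parameters (No. 3, RSPARAM).

Added example, not part of the ABC Corp procedures and not SAP code. The
record layouts are constructed for this example and are not the real RSUSR006
or RSPARAM output. The expected parameter values stand in for the Section 11
values, which are not reproduced here, except that
login/failed_user_auto_unlock = 0 (automatic unlock at midnight disabled) is
what section 15.2 requires.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LogonRecord:
    client: str
    user: str
    failed_attempts: int
    locked: bool
    lock_reason: str  # "", "INVALID_LOGON" or "ADMIN"


# Constructed export: client, user, failed attempts, locked (Y/N), lock reason
SAMPLE_RSUSR006 = """\
010,JSMITH,2,N,
010,ACLERK,5,Y,INVALID_LOGON
010,SAP*,0,Y,ADMIN
150,PTEST,12,Y,INVALID_LOGON
150,JSMITH,3,N,
"""

# Constructed RSPARAM-style listing (parameter=value)
SAMPLE_RSPARAM = """\
login/fails_to_user_lock=3
login/failed_user_auto_unlock=1
login/min_password_lng=6
login/password_expiration_time=90
"""

# Expected values: assumed, except failed_user_auto_unlock, which section 15.2 fixes at 0.
EXPECTED_PARAMETERS = {
    "login/fails_to_user_lock": "3",
    "login/failed_user_auto_unlock": "0",
    "login/min_password_lng": "6",
}


def parse_rsusr006(text: str) -> List[LogonRecord]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, user, fails, locked, reason = line.split(",")
        records.append(LogonRecord(client, user, int(fails), locked == "Y", reason))
    return records


def review_logons(records: List[LogonRecord], fail_threshold: int = 3) -> Dict[str, List[str]]:
    """Findings a reviewer of the report would note, keyed by category."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        key = f"{r.client}/{r.user}"
        if r.locked and r.lock_reason == "ADMIN":
            findings["admin_locked"].append(key)        # stays locked until Security Admin acts
        elif r.locked:
            findings["locked_invalid_logon"].append(key)
        elif r.failed_attempts >= fail_threshold:
            findings["failed_not_locked"].append(key)   # compare with login/fails_to_user_lock
    # Pattern: the same user id failing in more than one client of the system.
    clients_by_user: Dict[str, set] = defaultdict(set)
    attempts_by_user: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.failed_attempts:
            clients_by_user[r.user].add(r.client)
            attempts_by_user[r.user] += r.failed_attempts
    for user, clients in clients_by_user.items():
        if len(clients) > 1:
            findings["multi_client_failures"].append(
                f"{user} ({attempts_by_user[user]} attempts in {len(clients)} clients)")
    return dict(findings)


def parse_rsparam(text: str) -> Dict[str, str]:
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


def check_parameters(actual: Dict[str, str],
                     expected: Dict[str, str] = EXPECTED_PARAMETERS) -> Dict[str, tuple]:
    """Return {parameter: (expected, actual)} for each deviating or missing parameter."""
    return {p: (v, actual.get(p)) for p, v in expected.items() if actual.get(p) != v}


if __name__ == "__main__":
    for category, items in review_logons(parse_rsusr006(SAMPLE_RSUSR006)).items():
        print(category, items)
    print(check_parameters(parse_rsparam(SAMPLE_RSPARAM)))
```

On the constructed data the parameter check reports login/failed_user_auto_unlock set to 1, the midnight auto-unlock that section 15.2 says must be disabled, and the logon review separates the administrator lock on SAP* from the invalid-logon locks, which is the distinction the Help Desk unlock rule depends on.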
Description
Lists the active users logged on to the entire system (transaction SM04)
Analyzes all users defined to the system for critical authorizations
Provides analysis of critical transaction combinations (transaction SU98)
Allows analysis of critical combinations of authorizations (transaction SU96)
Complex selection criteria based on profile
Complex selection criteria based on authorization
Compare tool. Compares two users to see differences and similarities in which transactions can be executed
Where-used selection, profiles only
Complex search on activity group only
Re-generate SAP_ALL profiles
Information System Reporting Tree
List of active users logged on to all clients in the system
List of R/3 Servers defined to the current system
List by User, all the objects that user has assigned to them based on Object Classes
Description
Copies table TSTCA to TSTCA_C and populates TSTCA with S_TCODE.
Copies the data in table TSTCA_C back into TSTCA and replaces S_TCODE
Tests the environment checks for SAP systems
Writes special user data to sequential file.
Assigns the profile S_A.CPIC to the user SAPCPIC
Converts the Basis development
Converts the data in USOBX-OKFLAG for upgrade tools (SU260
RHPROFL0
RHAUTHUP1
Identifier: M, O, X
Thread Leaders
Integration
Appendix C - Glossary
Authorization Objects - A template utilized by SAP transactions/programs for testing access
privileges. The object may contain a group of 1 to 10 fields. The object's fields are checked using AND
logic to determine whether the user has been permitted, through authorizations, to carry out the desired
action.
Authorizations - A set of permissible values (value set) for an authorization object. The values are
assigned based on the fields defined in that authorization object and the required access capabilities
(e.g. a value of 03 in the activity field will assign display access and a value of 11 in the company code
field will assign access to company 11).
Authorization Group - An assignment of customized values to groups of similar information. The
authorization groups are used in conjunction with authorizations associated with specific
authorization objects. The field can contain an alphanumeric value of up to 4 characters/digits.
Single Profile - A mechanism for grouping either similar or dissimilar authorizations into a logical
group. The profile provides an efficient method for administering user access to similar functionality
through the assigning of a single profile to a user. The single profile can only contain authorizations.
Composite Profile - A mechanism for grouping either similar or dissimilar access into a logical group.
The composite profile provides an efficient method for administering user access to complex
functionality spanning several modules. The profile may contain single profiles, authorizations, or
other composite profiles.
User Group - A mechanism for grouping SAP users into similar categories for administrative
procedures. The Basis administrators and R/3 security administrators are generally included in the
SUPER group. The user group is a security administration attribute that can be used to decentralize
user administration. A security administrator must be given explicit access to a user group.
Activation - The action of making an authorization or profile active. Activating an authorization
or profile will replace the current active version with the maintenance version. All authorizations
and profiles must be activated for the access to be applied to users.
Activity Group - Activity groups are used in conjunction with creating authorization profiles using
the Profile Generator. An activity group is a collection of activities (tasks, reports and transactions)
for which you can then use the Profile Generator to generate an authorization profile automatically. You
then assign the profile to the user via the activity group.
Profile Generator - The Profile Generator is an automated security development and administration
tool developed by SAP AG. This functionality was integrated into the SAP R/3 software for release
3.1G. It automates the creation of activity groups, generating authorizations, creating single/simple
profiles and assigning activity groups to users. The Profile Generator is a transaction based security
administration tool.
Transaction - A four-character code used by SAP to identify a screen within the SAP R/3
system. The transaction code (e.g. FB01, SU03) is the foundation for developing and administering
SAP application security.
Role - A role is the first level for defining user access to the SAP R/3 system. For example, a role
defined for ABC Corp is A/P Clerk. In defining a role, scripts and/or transactions are assigned to the
role based on the functionality necessary to complete the job responsibilities for that role.
A role is the lowest level of security that can be granted to a user. A user may be granted/assigned
more than one role.
Position - A position is a logical grouping of roles that relate to a defined organizational position
within ABC Corp. For example, the position of the corporate A/P Clerk may consist of the roles A/P
Clerk, Monthly Payables Review, and Corporate PO Review. The position provides a logical
grouping for assigning all of the necessary roles that a user requires for their job responsibilities. A
user should only be assigned one position.