By Lodewijk Borsboom
Contents
1. Introduction
2. Customizing
2.1. Critical Authorizations
2.2. Critical Combinations
2.3. Customizing Reports
2.3.1. For Critical Authorizations
2.3.2. For Critical Combinations
3. Reporting
3.1. Reporting Critical Combinations
3.2. Reporting Critical Authorizations
1. Introduction
This instruction describes the ABAP report RSUSR008_009_NEW, also available as transaction code S_BCE_68002111. The transaction is also included in the SUIM menu:
Lodewijk Borsboom
www.sap-security.nl
2. Customizing
2.1. Critical Authorizations
Click on Critical Authorizations (Kritieke bevoegdheden).
Here you find all authorization IDs, which are either:
- Critical by themselves: ZK*
- Critical only in combination with another authorization ID: ZT*
A combination of two ZT authorization IDs equals one of the business-defined SoD criteria.
Select the record with ZT01 - Post Vendor Credit Memo (Crediteurenfacturen boeken) and double-click in the left column on Authorization data (Bevoegdheidsgegevens).
Here you see the details of one part of the SoD criterion, in this case defined on transaction level only; you can also define it on authorization-object level.
With a Group you choose whether the criteria within it have an OR or an AND relation. If you specify more than one Group, the groups always have an AND relation with each other. In this specific case the user complies with this authorization ID when he is authorized for at least one of the named transactions (because of the OR operator).
Execute the actions above for authorization ID ZT02 - Creditor Payments (Betalingen aan crediteuren) as well. You will see the screen below:
2.2. Critical Combinations
Here the SoD conflicts are described according to the following naming convention:

Combination   Authorization ID 1   Authorization ID 2   Classification
ZC01          ZT01                 ZT02                 H

Together these parts form the combination name ZC01_ZT01ZT02_H.
Each classification is assigned a different color:
H (High) = Red (Rood)
M (Medium) = Purple (Paars)
L (Low) = Yellow (Geel)
Select ZC01_ZT01ZT02_H (H: Post Vendor Credit Memo_Creditor Payments; Crediteurenfacturen boeken_Betalingen aan crediteuren) and double-click on Critical Authorization (Kritieke bevoegdheid).
Here the link between the two authorization IDs is established. This link always has AND logic: the combination is only reported when a user holds both authorization IDs.
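To make the evaluation rules of sections 2.1 and 2.2 concrete, here is an added example (not code from the original document or from SAP) that models how such a report evaluates authorization IDs with OR/AND groups, links two IDs with AND logic into a classified combination, and produces per-user output. The transaction codes, the ZK01 definition and the test users are constructed sample data.

```python
# Added example, not code from the original document or from SAP: a minimal model
# of how RSUSR008_009_NEW evaluates critical authorization IDs and combinations.
# All transaction codes and user assignments below are constructed sample data.
# Authorization ID -> list of groups. Groups are ANDed together; within a group the
# operator says whether any ("OR") or all ("AND") of the listed codes must be held.
CRITICAL_AUTHS = {
    "ZT01": [("OR", {"FB65", "MIRO"})],                     # Post Vendor Credit Memo
    "ZT02": [("OR", {"F110", "F-53"})],                     # Creditor Payments
    "ZK01": [("AND", {"SU01"}), ("OR", {"PFCG", "SU10"})],  # critical by itself (ZK*)
}

# Critical combinations, named as in the document: <combination>_<ID1><ID2>_<class>.
# The two authorization IDs of a combination are always linked with AND logic.
CRITICAL_COMBINATIONS = {"ZC01_ZT01ZT02_H": ("ZT01", "ZT02", "H")}
CLASS_COLOR = {"H": "Red", "M": "Purple", "L": "Yellow"}

def group_satisfied(operator, codes, user_tcodes):
    """Evaluate one group of an authorization ID against a user's transaction codes."""
    if operator == "OR":
        return bool(codes & user_tcodes)   # at least one of the codes
    return codes <= user_tcodes            # "AND": all of the codes

def has_authorization_id(auth_id, user_tcodes):
    """A user complies with an authorization ID when every one of its groups is satisfied."""
    return all(group_satisfied(op, codes, user_tcodes) for op, codes in CRITICAL_AUTHS[auth_id])

def report(users):
    """Return {user: [findings]}; like the SAP report, output is always per user ID."""
    result = {}
    for user, tcodes in users.items():
        findings = []
        for auth_id in CRITICAL_AUTHS:
            if auth_id.startswith("ZK") and has_authorization_id(auth_id, tcodes):
                findings.append(f"{auth_id} (critical by itself)")
        for combo, (id1, id2, cls) in CRITICAL_COMBINATIONS.items():
            if has_authorization_id(id1, tcodes) and has_authorization_id(id2, tcodes):
                findings.append(f"{combo} (classification {cls}, {CLASS_COLOR[cls]})")
        result[user] = findings
    return result

# Constructed test users, one per role, as the document recommends for role analysis.
SAMPLE_USERS = {
    "TST_ZF_COORD": {"FB65", "F110", "SU01"},  # holds both ZT01 and ZT02 -> SoD conflict
    "TST_AP_CLERK": {"MIRO"},                  # holds ZT01 only -> no conflict
    "TST_BASIS": {"SU01", "PFCG"},             # holds ZK01 -> critical by itself
}

if __name__ == "__main__":
    for user, findings in report(SAMPLE_USERS).items():
        print(user, findings or "no conflicts")
```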
2.3. Customizing Reports
One report variant has been made. Select ZVIVARE_GEVOELIGEDAT (Display & Change Authorization for Sensitive Data) and double-click on Critical Authorization (Kritieke bevoegdheid) in the left column:
On this screen you can see that this report variant only covers authorization IDs ZK01 and ZK02:
Only the SoD criteria classified as High are presented here. This gives you the flexibility to report on any self-chosen subset of the SoD concept.
3. Reporting
Selecting a variant is mandatory; using selection criteria is optional. The output is always based on user IDs. If you want to analyze roles only, you need a set of test users in a test environment, with one dedicated user for each role.
This user (representing composite role ZF-COORDINATOR-VAKW) has 3 MEDIUM conflicts and 1 HIGH conflict.