
R/3 Security

Derived Role
Composite Role
User Type
Profile parameter
New Password rules
Authorization Analysis
Authorization Checks Starting SAP Transactions

Introduction on Authorizations
Authorization objects enable complex checks of an authorization, which allows a user to carry out an action. An authorization object can group up to 10 authorization fields that are checked in an AND relationship.
For an authorization check to be successful, all field values of the authorization object must be maintained accordingly. The fields in an object should not be seen as input fields on a screen. Instead, fields should be regarded as system elements, such as infotypes, which are to be protected.
You can define as many system access authorizations as you wish for an object by creating a number of allowed values for the fields in an object. These value sets are called authorizations. The system checks these authorizations in OR relationships.
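The AND/OR semantics described above, as an added illustration in Python (this is not SAP code; the object Z_TABLE, its two fields and the user Bob's two authorizations are constructed for the sample):

```python
"""Toy model of the authorization check described above, added here as an
illustration (it is not SAP code): the fields of one authorization object
are checked in an AND relationship, and the authorizations a user holds for
that object are checked in an OR relationship."""

from typing import Dict, List

# Constructed sample object with two fields. The shape mirrors S_TABU_DIS
# (ACTVT + DICBERCLS); the object name Z_TABLE itself is invented.
AUTH_OBJECTS: Dict[str, tuple] = {
    "Z_TABLE": ("ACTVT", "DICBERCLS"),
}


def value_matches(allowed: str, tested: str) -> bool:
    """One field value. '*' alone means full access; a trailing '*' is a
    generic (prefix) value such as 'FC*'; anything else must match exactly."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return tested.startswith(allowed[:-1])
    return allowed == tested


def authorization_passes(auth: Dict[str, str], required: Dict[str, str], fields) -> bool:
    """AND relationship: every field of this one authorization must match."""
    return all(value_matches(auth.get(f, ""), required.get(f, "")) for f in fields)


def authority_check(user_auths: Dict[str, List[Dict[str, str]]], obj: str,
                    **required: str) -> bool:
    """OR relationship: the check passes if any single authorization the user
    holds for the object satisfies all required field values at once."""
    fields = AUTH_OBJECTS[obj]
    return any(authorization_passes(a, required, fields) for a in user_auths.get(obj, []))


# Constructed user: two authorizations for Z_TABLE (for example from two roles).
BOB = {
    "Z_TABLE": [
        {"ACTVT": "03", "DICBERCLS": "FC*"},   # display any table group starting with FC
        {"ACTVT": "*", "DICBERCLS": "ZCUS"},  # any activity, but only group ZCUS
    ],
}

if __name__ == "__main__":
    print(authority_check(BOB, "Z_TABLE", ACTVT="03", DICBERCLS="FC31"))  # True
    # ACTVT 02 on FC31 fails: field values are never mixed across authorizations.
    print(authority_check(BOB, "Z_TABLE", ACTVT="02", DICBERCLS="FC31"))  # False
```

The second call is the case that trips people up in practice: Bob is allowed ACTVT 02 (on ZCUS) and is allowed FC31 (with ACTVT 03), but no single authorization covers ACTVT 02 on FC31, so the check fails. Field values are ANDed inside one authorization and never combined across authorizations.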
Troubleshooting authorization in SAP R/3:
When you encounter errors during testing of roles, you can use SU53 and ST01 to analyze the error.
1. Ask the user to run SU53 to display the result of the last failed authorization check. It is important that the user runs SU53 immediately after the failed authorization check, as only the last object that failed the check is saved.
2. You can run a trace using ST01 to further analyze the error. For more detail, follow the link.
Audit Information System
The Audit Information System (AIS) has been developed to provide internal and external auditors, security administrators and those with data protection and controlling responsibilities with a tool to assist in understanding and completing required tasks in the complex SAP environment.
The SAP Audit Information System (AIS) provides a centralized repository for reports, queries, and views of data that have a control implication. AIS was first available for SAP R/3 Version 3.0D, and is delivered as standard in SAP R/3 Versions 4.6 and above. AIS is provided at no additional cost from SAP, and allows an auditor or manager to work online in the production system on a real time basis.
Emergency Role (Firefighting)
However good your security is, there may come a time when a user needs emergency authorizations. Such authorizations can be necessary in exceptional situations, for example a month-end close that was closed before the month end.
Virsa provides a tool called Firefighter, which can help you.
First you have to define what counts as an emergency for your company. You might have to create roles for these emergencies, and also define the time frame for which such a role will be assigned to users. You might have to define an approval procedure for this, and decide how the use of the role is going to be audited. Work with your audit team to make sure they are OK with the process.
Shortcut to create a role with many reports/tcodes
Once I had a couple of roles which were made just to hold reports. The number of reports was huge. Here is how I did it.
First create a CATT script with a dummy role and add one tcode. Make the role and T-code a variant. Once you have this you can add any number of tcodes to any existing role. I could reuse this to create other roles where I had to insert a lot of T-codes.
Project Phases: Please follow the link for detail on project phases.
Derived Role
1. Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.
2. The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.
3. Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.
4. The menus passed on cannot be changed in the derived roles. Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles.
5. You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.


Composite Role
1. A composite role is a container with several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.
2. Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
3. Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
4. The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.

o The menu tree of a composite role is, in the simplest case, a combination of the menus of the roles contained. When you create a new composite role, the initial menu tree is empty at first. You can set up the menu tree by choosing Read menu to add the menus of all roles included. This merging may lead to certain menu items being listed more than once. For example, a transaction or path contained in role 1 and role 2 would appear twice.
o If the set of roles contained in a composite role changes, the menu tree is also affected. In such a case, you can completely rebuild the menu tree or process only the changes. If you choose the latter option, the Profile Generator removes all items from the menu which are not contained in any of the roles referenced.
o It is possible (and often necessary) to change the menu of a composite role at any time. You adjust these menus in the same way as the menus for roles (see above).
Characterization of user types
Dialog user 'A'
Individual system access (personalized)
Logon with SAP GUI is possible. The user is therefore interaction-capable with the SAP GUI.
Expired or initial passwords are checked.
Users have the option of changing their own passwords.
Multiple logon is checked.
Usage: For individual human users (also Internet users)
System user 'B'
System-dependent and system-internal operations
Logon with SAP GUI is not possible. The user is therefore not interaction-capable with the SAP GUI.
The passwords are not subject to the password change requirement, that is, they cannot be initial or expired.
Only an administrator user can change the password.
Multiple logon is permitted.
Usage: Internal RFC, background processing, external RFC (for example, ALE, Workflow, TMS, CUA)
Communication user 'C'
Individual system access (personalized)
Logon with SAP GUI is not possible. The user is therefore not interaction-capable with the SAP GUI.
Expired or initial passwords are checked, but the conversion of the password change requirement that applies in principle to all users depends on the caller (interactive/not interactive) (*).
Users have the option of changing their own passwords.
Usage: external RFC (individual human users)
Service user 'S'
Shared system access (anonymous)
Logon with SAP GUI is possible. The user is therefore interaction-capable with the SAP GUI.
The passwords are not subject to the password change requirement, that is, they cannot be initial or expired.
Only a user administrator can change the password.
Multiple logon is permitted.
Usage: Anonymous system access (for example, public Web services)
Reference user 'L'
Authorization enhancement
No logon possible.
Reference users are used for authorization assignment to other users.
Usage: Internet users with identical authorizations
Remarks:
(*) With all non-interactive system accesses (that is, not using the SAP GUI), the password change rule (which exists for all users except for system and service users when passwords are initial or have expired) is not enforced by the system if there is no interaction option. However, provided that you can execute a password update dialog with the user (-> middleware, such as SAP ITS, for example), RFC client programs should recognize the need to change a password and initiate the subsequent password change by calling special function modules (-> see note 145715) or RFC-API functions (as of 4.6). The user interaction (including handling error and exceptional situations) is provided here by the middleware (= RFC client).
Profile Parameters for Logon
To make the parameters globally effective in an SAP System (system profile parameters), set them in the default system profile DEFAULT.PFL. However, to make them instance-specific, you must set them in the profiles of each application server in your SAP System.
To display the documentation for one of the parameters, choose Tools -> CCMS -> Configuration -> Profile Maintenance (transaction RZ10), specify the parameter name and choose Display.
Password Checks
Parameter: Explanation
login/min_password_lng: Defines the minimum length of the password. Default value: 3; permissible values: 3 - 8
login/min_password_digits: Defines the minimum number of digits (0-9) in passwords. Default value: 0; permissible values: 0 - 8. Available as of SAP Web AS 6.10
login/min_password_letters: Defines the minimum number of letters (A-Z) in passwords. Default value: 0; permissible values: 0 - 8. Available as of SAP Web AS 6.10
login/min_password_specials: Defines the minimum number of special characters in the password. Permissible special characters are ()!"@ $%&/=?'`*+~#-_.,;:{[]}\<>|. Default value: 0; permissible values: 0 - 8. Available as of SAP Web AS 6.10
login/min_password_diff: Defines the minimum number of characters that must be different in the new password compared to the old password. Default value: 1; permissible values: 1 - 8. Available as of SAP Web AS 6.10
login/password_expiration_time: Defines the validity period of passwords in days. Default value: 0; permissible values: any numerical value
login/password_change_for_SSO: If the user logs on with Single Sign-On, checks whether the user must change his or her password. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
login/disable_password_logon: Controls the deactivation of password-based logon. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
login/password_logon_usergroup: Controls the deactivation of password-based logon for user groups. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
Multiple Logon
Parameter: Explanation
login/disable_multi_gui_login: Controls the deactivation of multiple dialog logons. Available as of SAP Basis 4.6
login/multi_login_users: List of excepted users (multiple logon). Available as of SAP Basis 4.6
Incorrect Logon
Parameter: Explanation
login/fails_to_session_end: Defines the number of unsuccessful logon attempts before the system does not allow any more logon attempts. The parameter is to be set to a value lower than the value of parameter login/fails_to_user_lock. Default value: 3; permissible values: 1 - 99
login/fails_to_user_lock: Defines the number of unsuccessful logon attempts before the system locks the user. By default, the lock applies until midnight. Default value: 12; permissible values: 1 - 99
login/failed_user_auto_unlock: Defines whether user locks due to unsuccessful logon attempts should be automatically removed at midnight. Default value: 1 (lock applies only on the same day); permissible values: 0, 1
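A small simulation of how the three parameters in this table interact, added here as an illustration (not SAP code; the user record, the session object and the outcome strings are constructed for the sample, and the default values are the ones given in the table):

```python
"""Simulation of the failed-logon parameters in the table above, added as an
illustration (not SAP code). It models login/fails_to_session_end,
login/fails_to_user_lock and login/failed_user_auto_unlock with the default
values given on the page; the stricter 7.00 defaults (5 and 0) can be passed
in to compare behaviour."""

from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class LogonPolicy:
    fails_to_session_end: int = 3      # page default; must stay below fails_to_user_lock
    fails_to_user_lock: int = 12       # page default (7.00 default: 5)
    failed_user_auto_unlock: int = 1   # 1 = lock applies only on the same day (7.00 default: 0)


@dataclass
class UserState:
    """Constructed stand-in for the logon data kept per user (USR02)."""
    password: str
    failed: int = 0                    # failed attempts since the last good logon
    locked_on: Optional[date] = None   # date of the lock set by failed attempts


class Session:
    """One logon screen / GUI session; its counter is separate from the user's."""
    def __init__(self) -> None:
        self.failed = 0
        self.ended = False


class LogonSimulator:
    def __init__(self, policy: LogonPolicy) -> None:
        self.p = policy
        if self.p.fails_to_session_end >= self.p.fails_to_user_lock:
            raise ValueError("fails_to_session_end must be lower than fails_to_user_lock")

    def attempt(self, user: UserState, session: Session, password: str, today: date) -> str:
        """Outcome of one logon attempt. These are internal outcomes; the message
        shown to the user would be the generic 'Name or password is incorrect'."""
        if session.ended:
            return "SESSION_END"
        if user.locked_on is not None:
            if self.p.failed_user_auto_unlock == 1 and today > user.locked_on:
                user.locked_on, user.failed = None, 0   # lock expired at midnight
            else:
                return "LOCKED"
        if password == user.password:
            user.failed = 0
            return "OK"
        user.failed += 1
        session.failed += 1
        if user.failed >= self.p.fails_to_user_lock:
            user.locked_on = today
            return "LOCKED"
        if session.failed >= self.p.fails_to_session_end:
            session.ended = True
            return "SESSION_END"
        return "WRONG_PASSWORD"

    def run_failures(self, user: UserState, n: int, today: date) -> List[str]:
        """n wrong passwords in a row, opening a fresh session whenever one is ended."""
        outcomes, session = [], Session()
        for _ in range(n):
            if session.ended:
                session = Session()
            outcomes.append(self.attempt(user, session, "wrong-password", today))
        return outcomes
```

With the page's defaults, run_failures shows the session ending after three wrong passwords while the per-user counter keeps climbing across sessions until it reaches 12; with failed_user_auto_unlock = 1 the lock is gone on the next day, with 0 (the later 7.00 default) it stays until an administrator removes it.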
Initial Password: Limited Validity
Parameter: Explanation
login/password_max_new_valid: Defines the validity period of passwords for newly created users. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
login/password_max_reset_valid: Defines the validity period of reset passwords. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
SSO Logon Ticket
Parameter: Explanation
login/accept_sso2_ticket: Allows or locks the logon using an SSO ticket. Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support Package
login/create_sso2_ticket: Allows the creation of SSO tickets. Available as of SAP Basis 4.6D
login/ticket_expiration_time: Defines the validity period of an SSO ticket. Available as of SAP Basis 4.6D
login/ticket_only_by_https: The logon ticket is only transferred using HTTP(S). Available as of SAP Basis 4.6D
login/ticket_only_to_host: When logging on over HTTP(S), sends the ticket only to the server that created the ticket. Available as of SAP Basis 4.6D
Other Login Parameters:
Parameter: Explanation
login/disable_cpic: Refuse incoming connections of type CPIC
login/no_automatic_user_sapstar: Controls the emergency user SAP* (SAP Notes 2383 and 68048)
login/system_client: Specifies the default client. This client is automatically filled in on the system logon screen. Users can type in a different client.
login/update_logon_timestamp: Specifies the exactness of the logon timestamp. Available as of SAP Basis 4.6
Other User Parameters
Parameter: Explanation
rdisp/gui_auto_logout: Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections). Default value: 0 (no restriction); permissible values: any numerical value
Learn more about how this affects the different user types.
New Password rules
Overview of the improvements and changes in password rules or logon procedures that are delivered with Web AS ABAP 7.00 or NetWeaver 2004s
Passwords: Differentiation between upper and lower case, maximum length increased from eight to forty characters
For new passwords, the system distinguishes between upper and lower case; in addition, passwords can now consist of up to forty characters (up until now, the maximum has been eight characters). In newly-installed systems, this applies immediately to all users; in systems that have been upgraded to Web AS ABAP 7.00 or NetWeaver 2004s from an earlier release, we have ensured that all users can continue to log on using their old password. Information that tells the system whether a user has a new password or a password of the old type is stored in the user master record; this information is analyzed when the system checks the password: if the user has a password of the old type, the system converts the first eight characters of the password into upper case; the remaining thirty-two characters must be spaces. Otherwise, the password is analyzed in its entirety and without being converted into upper case. In Unicode systems, you can use Unicode characters in passwords.
Relevant (new) profile parameters:
o login/min_password_lowercase
o login/min_password_uppercase
o login/password_downwards_compatibility
Password history: size can now be defined as required (it used to be limited to five entries)
The passwords that the user has assigned in the course of a password change are stored in the password history (passwords set by the user administrator are not stored in the password history). The system prevents the user from reusing previously-used passwords. The password history used to be limited to five entries; you can now define the size of the password history (maximum value: 100 entries) using a profile parameter (login/password_history_size).
Lock period for password change can be selected (it used to be limited to one day)
To prevent the password history from being bypassed, a user may only change his or her password again after the lock period has passed (exception: the user is asked to change the password by the system). You can now select this lock period using the profile parameter login/password_change_waittime (maximum value: 1000 days).
(Advance) password change with stricter password rules
You can now set the system so that it asks only users whose current password no longer satisfies the current (stricter) password rules to change their password (in advance). To do this, set the profile parameter login/password_compliance_to_current_policy = 1.
Validity period of unused passwords can be restricted
Passwords that are not used by the authorized user are a security risk. For this reason, you are now able to restrict the validity period of these passwords; here, the system distinguishes between initial passwords (that is, passwords that are assigned by the user administrator and that are to be changed by the user at the next opportunity) and non-initial passwords (that is, passwords that have been set by the user). (Technical) users of the type SERVICE and SYSTEM are exempt from this regulation.
Relevant (new) profile parameters:
o login/password_max_idle_initial
o login/password_max_idle_productive
Logon: Compromising error messages are avoided
If you attempt to log on using incorrect logon data, the system now only issues the generic error message "Name or password is incorrect" as a rule; further reasons for failed logons (for example, locked user accounts, user account is outside validity period, and so on) are only given in detail when valid logon data has been passed. Error scenarios in which the system could not check the logon data, or where no further check is allowed, are the exceptions to this rule:
o "User has no password - logon using password is not possible"
o "Password logon no longer possible - too many failed attempts"
The default values of certain profile parameters that are relevant to security have been changed:
o login/failed_user_auto_unlock: 0 (instead of 1). Locks for failed logon attempts remain valid for an unlimited period.
o login/fails_to_user_lock: 5 (instead of 12). The lock for failed logon attempts is set after five failed password logon attempts.
o login/no_automatic_user_sapstar: 1 (instead of 0). The emergency user must be activated explicitly.
o login/min_password_lng: 6 (instead of 3). Passwords must consist of at least six characters.
o login/ticket_expiration_time: 8 (instead of 60). Logon tickets are only valid for eight hours.
The profile parameters login/password_max_new_valid and login/password_max_reset_valid have been replaced by the profile parameter login/password_max_idle_initial, which means that the system no longer distinguishes between the first and the subsequent setting of a password by the user administrator regarding the restriction of the validity of the resulting initial passwords.
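The following added Python example (not SAP code) applies the password rules from the parameter table and from this section to a candidate password: the minimum-count parameters, login/min_password_diff, the password history, the new 40-character maximum, and the old-type logon comparison (first eight characters upper-cased, the rest blank). The positional comparison used for min_password_diff and the PasswordPolicy defaults other than min_password_lng are assumptions of this sample:

```python
"""Password rule checker built from the parameters described on this page,
added as an illustration (not SAP code). It applies the minimum-count rules
(login/min_password_lng, _digits, _letters, _specials, _lowercase,
_uppercase), login/min_password_diff, the password history, the 40-character
maximum, and the old-type (8-character, upper-cased) compatibility rule."""

from dataclasses import dataclass
from typing import List

# Permissible special characters as listed for login/min_password_specials.
SPECIALS = set('()!"@ $%&/=?\'`*+~#-_.,;:{[]}\\<>|')


@dataclass
class PasswordPolicy:
    min_password_lng: int = 6          # 7.00 default from the page
    min_password_digits: int = 0       # remaining defaults: assumptions for this sample
    min_password_letters: int = 0
    min_password_specials: int = 0
    min_password_lowercase: int = 0
    min_password_uppercase: int = 0
    min_password_diff: int = 1
    password_history_size: int = 5     # formerly fixed at 5; now configurable up to 100
    max_length: int = 40               # new maximum length on the page


def normalize_old_type(entered: str) -> str:
    """Old-type password (set before the 7.00 rules): the first 8 characters are
    converted to upper case and everything beyond position 8 must be spaces."""
    if entered[8:].strip():
        raise ValueError("old-type password: positions 9-40 must be spaces")
    return entered[:8].upper()


def matches_old_type(stored_upper8: str, entered: str) -> bool:
    """Logon check for a user whose master record still flags an old-type password."""
    try:
        return normalize_old_type(entered) == stored_upper8
    except ValueError:
        return False


def chars_different(new: str, old: str) -> int:
    """Assumption for min_password_diff: positional comparison, plus any length surplus."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_new_password(new: str, old: str, history: List[str], policy: PasswordPolicy) -> List[str]:
    """Return the names of the violated parameters (empty list = password accepted)."""
    counts = {
        "min_password_lng": len(new),
        "min_password_digits": sum(c.isdigit() for c in new),
        "min_password_letters": sum(c.isalpha() for c in new),
        "min_password_specials": sum(c in SPECIALS for c in new),
        "min_password_lowercase": sum(c.islower() for c in new),
        "min_password_uppercase": sum(c.isupper() for c in new),
        "min_password_diff": chars_different(new, old),
    }
    violations = [name for name, have in counts.items() if have < getattr(policy, name)]
    if len(new) > policy.max_length:
        violations.append("max_length")
    # Only the newest password_history_size entries count; the page notes that
    # administrator-set passwords are never stored in the history.
    recent = history[-policy.password_history_size:] if policy.password_history_size > 0 else []
    if new in recent:
        violations.append("password_history")
    return violations
```

The old-type comparison is why a pre-7.00 user can still log on with "password" against a stored "PASSWORD", while "password9" is rejected: the ninth character is no longer blank, so it is not the same old-type password.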

Authorization Analysis
Analyze Authorization check SU53
1. Choose the menu path System -> Utilities -> Display Authorization Check or transaction code SU53. You can now analyze an error in your system that just occurred because of a missing authorization.
2. You can call Transaction SU53 in all sessions, not just in the session in which the error occurred. Authorization errors in other users' sessions, however, cannot be analyzed from your own session.
3. In the example below, user Bob calls Transaction VA03 (display sales order). The message "You do not have authorization for Transaction VA03" appears. User Bob now enters transaction code /nSU53 and the system displays the authorization object that was just checked and, for comparison purposes, the values of the object that user Bob has in his user master record. In this case, user Bob does not have VA03 assigned to any of his roles.
4. Transaction SU56 allows the user to see what current authorizations are in his buffer.


Authorization Trace ST01
You can analyze authorizations as follows: Choose Tools -> Administration -> Monitor -> Traces -> SAP System Trace or Transaction ST01.
Choose trace component Authorization check and pushbutton Trace on. The trace is automatically written to the hard disk.
To limit the trace function to your own sessions, choose Edit -> Filter -> Shared. Enter your user ID in field Trace for user only in the displayed dialog box.
Once the analysis is completed, choose Trace off.
To display the results of the analysis, choose Goto -> Files/Analysis or the pushbutton File list. Select the required file and choose Analyze.
The results of the authorization check are displayed in the following format: <Authorization object>:<Field>=<Tested value>
The return code shows whether or not the authorization check was successful.
ST01 Return Code
0 Authorization check passed
1 No authorization
2 Too many parameters for authorization check
3 Object not contained in user buffer
4 No profile contained in user buffer
6 Authorization check incorrect
7, 8, 9 Invalid user buffer
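To show how the trace format and the return codes above are read in practice, here is an added Python parser (not SAP code) run over a constructed trace excerpt for the VA03 scenario from the SU53 section. The "RC=n" prefix and the ";" between fields are a line layout assumed for this sample; V_VBAK_VKO and V_VBAK_AAT are standard SD authorization objects, but the field values are invented.

```python
"""Parser for authorization trace entries in the format the page gives for ST01,
<Authorization object>:<Field>=<Tested value>, together with the return
code table above. It is an added illustration, not SAP code: the 'RC=n'
prefix and the ';' separator between fields are a constructed line layout
used here so that the sample is self-contained."""

import re
from collections import defaultdict
from typing import Dict, List, Optional

# Return codes exactly as listed on the page (5 is not listed there).
RETURN_CODES = {
    0: "Authorization check passed",
    1: "No authorization",
    2: "Too many parameters for authorization check",
    3: "Object not contained in user buffer",
    4: "No profile contained in user buffer",
    6: "Authorization check incorrect",
    7: "Invalid user buffer", 8: "Invalid user buffer", 9: "Invalid user buffer",
}

LINE_RE = re.compile(r"^RC=(?P<rc>\d)\s+(?P<obj>[A-Z0-9_]+):(?P<fields>\S+)$")


def parse_trace_line(line: str) -> Optional[Dict]:
    """One entry -> {object, fields, rc, meaning}; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("fields").split(";") if "=" in pair)
    rc = int(m.group("rc"))
    return {"object": m.group("obj"), "fields": fields, "rc": rc,
            "meaning": RETURN_CODES.get(rc, "unknown return code")}


def failed_checks(lines: List[str]) -> List[Dict]:
    """Every parsed entry whose return code is not 0."""
    parsed = (parse_trace_line(line) for line in lines)
    return [p for p in parsed if p is not None and p["rc"] != 0]


def missing_authorizations(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """RC=1 entries grouped by object: the field values the user does not hold.
    RC=3 and RC=4 mean the object or profile is absent from the user buffer,
    which is a different problem from a missing field value, so they are kept
    apart (see failed_checks for the full list)."""
    out = defaultdict(list)
    for entry in failed_checks(lines):
        if entry["rc"] == 1:
            out[entry["object"]].append(entry["fields"])
    return dict(out)


# Constructed sample trace for the VA03 scenario from the SU53 section.
SAMPLE_TRACE = [
    "RC=0 S_TCODE:TCD=VA03",
    "RC=0 V_VBAK_VKO:VKORG=1000;VTWEG=10;SPART=00;ACTVT=03",
    "RC=1 V_VBAK_AAT:AUART=OR;ACTVT=03",
    "RC=3 S_TABU_DIS:DICBERCLS=VA;ACTVT=03",
    "trace header line that is not an authorization entry",
]

if __name__ == "__main__":
    for entry in failed_checks(SAMPLE_TRACE):
        print(entry["rc"], entry["object"], entry["fields"], entry["meaning"])
```

Reading the sample this way separates the two actions a role administrator would take: the RC=1 entry for V_VBAK_AAT is a field value the user lacks, while the RC=3 entry points at the user buffer rather than at the role content.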


Authorization Checks
Authorization Checks Starting SAP Transactions
When a user starts a transaction, the system performs the following checks:
The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.
The system then checks whether the user has authorization to start the transaction. The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.
o The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.
o If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitably defined authorization object (TSTA, table TSTCA).
If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).
The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.
The check is not performed in the following cases:
o You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.
o This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
o You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.
o So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter auth/no_check_in_some_cases to 'Y' (using transaction RZ10).
All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.
Checking Assignment of Authorization Groups to Tables
You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
TIPS AND TRICKS
R/3 Security Tips
QuickViewer (SQVI)
QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a whole range of options for defining reports. SAP Query also supports different kinds of reports such as basic lists, statistics, and ranked lists. QuickViewer (SQVI), on the other hand, is a tool that allows even relatively inexperienced users to create basic lists. I have created a tutorial for SQVI: SQVI Tutorial
User assignment
Never insert generated profiles directly into the user master record (Transaction SU01). Assign the role to the user in the Roles tab in transaction SU01 or choose the User tab in role maintenance (PFCG) and enter the user to whom you want to assign the role or profile. If you then compare the user master records, the system inserts the generated profile in the user master record.
Do not assign any authorizations for modules you have not yet installed
If you intend to gradually add modules to your system, it is important that you do not assign any authorizations for those modules you have not yet installed. This ensures that you cannot accidentally change data in your production system that you may need at a later stage. Leave the corresponding authorizations or organizational levels open.
Creating SPRO Display only
You might be asked to give SPRO display access while implementing your SAP system. I generally give these authorizations to make it display only. Please test it.
Object | Field | Value
S_PROJECT | PROJECT_ID | *
S_PROJECT | PROJ_CONF | *
S_RFC | ACTVT | 03
S_RFC | RFC_NAME | *
S_RFC | RFC_TYPE | *
S_TABU_CLI | CLIIDMAINT | ' '
S_TABU_DIS | ACTVT | 03
S_TABU_DIS | DICBERCLS | *
S_TRANSPRT | TTYPE | Deactivate or remove PIEC and TASK
S_CODE | REMOVE | SPRO
Creating Authorization Fields
In authorization objects, authorization fields represent the values to be tested during authorization checks.
To create authorization fields, choose Tools -> ABAP Workbench -> Development -> Other Tools -> Authorization Objects -> Fields.
To create an authorization field, proceed as follows:
1. Choose Create authorization field.
2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z.
3. Assign a data element from the ABAP Dictionary to the field.
You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.
Creating Authorization Objects
An authorization object groups together up to ten authorization fields that are checked together in an authorization check.
To create authorization objects, choose Tools -> ABAP Workbench -> Development -> Other tools -> Authorization objects -> Objects.
Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and documentation for it. Ensure that the object definition matches the ABAP AUTHORITY-CHECK calls that refer to the object.
Locking Security Holes through IMG transactions
Even though you have restricted your users from SU01 or PFCG (to modify themselves or other people), they can get into these areas through the different IMG transaction codes. If your core team or user community has access to:
OY20 - Authorizations
OY21 - User profiles
OY22 - Create subadministrator
OY24 - Client maintenance
OY25 - CS BC: Set up Client
OY27 - Create Super User
OY28 - Deactivate SAP*

R/3 Security Tables
Security Tables
Table | Description
USR02 | Logon data
USR04 | User master authorization (one row per user)
UST04 | User profiles (multiple rows per user)
USR10 | Authorisation profiles (i.e. &_SAP_ALL)
UST10C | Composite profiles (i.e. profile has sub profile)
USR11 | Text for authorisation profiles
USR12 | Authorisation values
USR13 | Short text for authorisation
USR40 | Table for illegal passwords
USGRP | User groups
USGRPT | Text table for USGRP
USH02 | Change history for logon data
USR01 | User Master (runtime data)
USER_ADDR | Address Data for users
AGR_1016 | Name of the activity group profile
AGR_1016B | Name of the activity group profile
AGR_1250 | Authorization data for the activity group
AGR_1251 | Authorization data for the activity group
AGR_1252 | Organizational elements for authorizations
AGR_AGRS | Roles in Composite Roles
AGR_DEFINE | Role definition
AGR_HIER2 | Menu structure information - Customer vers
AGR_HIERT | Role menu texts
AGR_OBJ | Assignment of Menu Nodes to Role
AGR_PROF | Profile name for role
AGR_TCDTXT | Assignment of roles to Tcodes
AGR_TEXTS | File Structure for Hierarchical Menu - Cus
AGR_TIME | Time Stamp for Role: Including profile
AGR_USERS | Assignment of roles to users
USOBT | Relation transaction to authorization object (SAP)
USOBT_C | Relation Transaction to Auth. Object (Customer)
USOBX | Check table for table USOBT
USOBXFLAGS | Temporary table for storing USOBX/T* chang
USOBX_C | Check Table for Table USOBT_C
R/3 Security Tcodes
End User
Transaction Code | Menu Path | Purpose
SU3 | System -> User Profile -> Own Data | Set address/defaults/parameters
SU53 | System -> Utilities -> Display Authorization Check | Display last authority check that failed
SU56 | Tools -> Administration -> Monitor -> User Buffer | Display user buffer
Role Administration
Transaction Code | Menu Path | Purpose
PFCG | Tools -> Administration -> User Maintenance -> Roles | Maintain roles using the Profile Generator
PFUD | <none> | Compare user master in dialog. This function can also be called in the Profile Generator: Environment -> Mass compare. The job for user master comparison is PFCG_TIME_DEPENDENCY (up to Release 4.0: RHAUTUP1).
SUPC | Tools -> Administration -> User Maintenance -> Roles -> Environment -> Mass Generation | Mass Generation of Profiles
User Administration
Transaction Code | Menu Path | Purpose
SU01 | Tools -> Administration -> User Maintenance -> Users | Maintain Users
SU01D | Tools -> Administration -> User Maintenance -> Display Users | Display Users
SU10 | Tools -> Administration -> User Maintenance -> User Mass Maintenance | User mass maintenance
SU02 | Tools -> Administration -> User Maintenance -> Manual Maintenance -> Edit Profiles Manually | Manually create profiles
SU03 | Tools -> Administration -> User Maintenance -> Manual Maintenance -> Edit Authorizations Manually | Manually create authorizations
Profile Generator Configuration
Transaction Code | Menu Path | Purpose
RZ10 | Tools -> CCMS -> Configuration | Maintain system profile parameters.
R/3 Basis Tcodes
Common Transaction Codes for Basis Administration
AL01  SAP Alert Monitor
AL02  Database Alert Monitor
AL03  Operating System Alert Monitor
AL04  Monitor Call Distribution
AL05  Monitor Current Workload
AL06  Performance: Upload/Download
AL07  Early Watch Report
AL08  Users Logged On
AL10  Download to Early Watch
AL11  Directories
AL12  Display Table Buffer (Exp session)
AL13  Display Shared Memory (Expert mode)
AL15  Customize SAPOSCOL destination
AL18  Local File System Monitor
AL19  Remote File System Monitor
AL20  Early Watch Data Collector List
DB01  Analyze Exclusive Lock Waits
DB02  Analyze Tables and Indexes
DB03  Parameter Changes in DB
DB11  Early Watch Profile Maintenance
DB12  Overview of Backup Logs
DB13  Database Administration Calendar
DB14  Show DBA Action Logs
PFCG  Profile Generator - Activity Groups
RZ01  Job Scheduling Monitor
RZ02  Network Graphics for SAP Instances
RZ03  Presentation, Control SAP Instances
RZ04  Maintain SAP Instances
RZ06  Alert Thresholds Maintenance
RZ08  SAP Alert Monitor
RZ10  Maintenance of Profile Parameters
RZ11  Profile Parameters
SAR   Maintain Transaction Codes
SARA  Archive Management
SCAT  Computer Aided Test Tool
SCC0  Client Copy
SCU3  Table History
SD11  Data Modeler
SDBE  Matchcode Objects (test)
SE01  Transports and Correction System
SE02  Environment Analyzer
SE03  Transport Utilities
SE07  Transport System Status Display
SE09  Workbench Organizer
SE10  Customizer Organizer
SE11  ABAP/4 Dictionary Maintenance
SE12  ABAP/4 Dictionary Display
SE13  Maintain Technical Settings (Tables)
SE14  Utilities for Dictionary Tables
SE15  ABAP/4 Repository Info System
SE30  ABAP/4 Run time Analysis
SE38  ABAP/4 Editor
SE54  Generate Table View
SE61  R/3 Documentation
SE80  ABAP/4 Development Workbench
SE91  Maintain Messages
SE92  Maintain System Log Messages
SE93  Maintain Transaction Codes
SH01  Online Help: F1 Help Server
SH03  Call Extended Help
SICK  Installation Check
SLDB  Logical Databases (Tree Structure)
SLW4  Translation: Application Hierarchy
SM01  Lock Transactions
SM02  System Messages
SM04  User Overview
SM12  Display and Delete Locks
SM13  Display Upgrade Records
SM21  System Log
SM31  Table Maintenance
SM35  Batch Input Monitoring
SM36  Background Job Scheduler
SM37  Background Job Overview
SM38  Queue Maintenance Transaction
SM39  Job Analysis
SM50  Workprocess Overview
SM51  List of SAP Servers
SM63  Display/Maintain Operation Mode Sets
SM64  Release of an Event
SM65  Background Processing Analysis Tool
SM66  System-wide Work Process Overview
SM67  Job Scheduling
SM68  Job Administration
SMGW  Gateway Monitor
SMLG  Logon Groups
SMX   Display Own Jobs
SOFF  SAPoffice: Area Menu
SP00  Spool and Related Areas
SP01  Output Controller
SP11  TemSe Directory
SP12  TemSe Administration
SPIT  Output Controller
SPAD  Spool Administration
SPAM  SAP Patch Manager
SPAT  Spool Administration - test
SPDD  Display Modified DDIC objects
SSM0  Menu Maintenance and Test
SSM1  SAP and Company Menu administration
ST01  System Trace
ST02  Setup/Tune Buffers
ST03  Performance SAP statistics, Workload
ST04  Select Database Activities
ST05  SQL Trace
ST06  Operating System Monitor
ST07  Application Monitor
ST08  Network Monitor
ST09  Network Alert Monitor
ST10  Table Call Statistics
ST11  Display Developer Traces
ST12  Application Monitor
ST14  Application Analysis
ST22  ABAP/4 Runtime Error Analysis
STAT  Local Transaction Statistics
STDR  TADIR Consistency Check
STUN  Performance Monitor Menu
SU01  Maintain User Records
SU02  Maintain Authorization Profiles
SU03  Maintain Authorizations
SU10  Mass Changes to User Master Records
SU12  Mass Changes to User Master Records
SU20  Maintain Authorization Fields
SU21  Maintain Authorization Objects
SU22  Auth Objects Usage in Transactions
SU24  Maintain Profile Generator Tables
SU25  Copy SAP to Customer Prof Gen Tables
SU30  Overall Authorization Checks
SU50  Maintain User Defaults
SU51  Maintain User Address
SU52  Maintain User Parameters
SU53  Analyze Authorization Error
SU56  Display list of User Authorizations
SVER  ABAP/4 Verification
SVMC  Start View Maintenance with Memory
SWT0  Configure Workflow Trace
SWU8  Technical Trace On/Off
SWU9  Display Technical Trace
SWUD  Diagnostic Tools
SWUE  Initiate Event
SWUF  Workflow Monitor
SWUH  Test Method
SWWD  Switch on Work Item Error Monitoring
SYNT  Display Syntax Trace Output
TU01  Call Statistics
TU02  Active Instance Profile parameters
R/3 Security: Audit Check
There comes a time when you have to deal with auditors. I have put together a check list to go through. If this is a new implementation you should go through this and maybe you can impress your boss.
If you have any doubts as to whether or not revisiting your SAP infrastructure security is worth your while, take this short test and see how well your SAP systems security now fares.
SAP R/3 user ID SAP* and other system user IDs have been adequately secured.
The production system has been set to productive.
Access Restriction: SCC4 and SE06
S_DEVELOP is secured
Change management is secured and controlled
Transport access to production is restricted
Developer access in production
Change critical number range is restricted
Custom tables have authorization group
Locking of sensitive system transaction codes
BDC user types should have only required access
Run Program in the background
Changes to critical SAP R/3 tables are logged
Scheduling and Monitoring Batch Jobs
Access to run reports should be restricted.
Critical and custom SAP R/3 tables are restricted.
R/3 Security: Audit Check
SAP R/3 user ID SAP* and other system user IDs have been adequately secured.
Performed the following steps to confirm that user ID SAP* has been adequately secured:
Verified whether the default password of SAP* was changed in all production clients:
Execute transaction code SA38, and run report RSUSR003.
Reviewed the RSUSR003 report to verify that the parameter login/no_automatic_user_sapstar is set (value = 0).

Who has sap_all and sap_new

Execute transaction code SUIM
Click on "User"
Click on "List of users according to complex selection criteria".
Click on "By user profiles".
Enter SAP_ALL in the Profile field and click the Execute button
Execute transaction code SUIM
Click on "User"
Click on "List of users according to complex selection criteria".
Click on "By user profiles".
Enter SAP_NEW in the Profile field and click on the Execute button
Risk: The SAP_ALL profile grants a user full/complete access to all functions in the SAP system and has the potential to be misused. The SAP_ALL profile should only be assigned to a minimal number of users on the system.
The default SAP R/3 passwords for DDIC, SAPCPIC and EarlyWatch (in client 066) have been changed and access restricted to the super user.
Performed the following procedures to verify that the default SAP R/3 passwords for DDIC, SAPCPIC and EarlyWatch have been changed and access restricted to the super user ID:
Execute transaction: SA38
Program: RSUSR003
Default passwords that should be changed:
SAP* - PASS
DDIC - 19920706
SAPCPIC - ADMIN
EarlyWatch - SUPPORT
Risk: SAP comes supplied with a number of default user IDs, all of which have default passwords. The passwords to these IDs are well known, and therefore if they are not changed, the IDs could potentially be misused.
To review any passwords which users are not allowed to use:
Execute transaction code: SE16
Table name: USR40
Risk: Table USR40 is used to prevent users from using a list of commonly guessed passwords. If it is not used, it increases the possibility that users could select trivial passwords; alternatively you can use profile parameters to enforce this.
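The USR40 check above only tells you whether the table is populated; the following added example (not part of the original document) shows how such a deny list is applied to a candidate password so the entries can be reviewed offline. It assumes the usual USR40 wildcard semantics ('*' for any string, '?' for one character, case-insensitive comparison); the table content is constructed.

```python
"""USR40-style forbidden-password patterns. Added example, not the page's own code;
the pattern list is constructed. Assumed semantics: '*' = any string, '?' = one
character, comparison case-insensitive (R/3 passwords were stored uppercase)."""
import re
from typing import Iterable, List

# Constructed USR40 content (hypothetical deny list).
USR40 = ["PASS", "SAP*", "*123", "WELCOME?", "???", "*PASSWORD*"]


def usr40_regex(pattern: str) -> "re.Pattern":
    """Translate one USR40 entry into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")        # any run of characters, including none
        elif ch == "?":
            parts.append(".")         # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def forbidden_by(password: str, patterns: Iterable[str]) -> List[str]:
    """Return every USR40 entry the password violates (empty list = allowed)."""
    return [p for p in patterns if usr40_regex(p).fullmatch(password)]


def is_allowed(password: str, patterns: Iterable[str] = USR40) -> bool:
    """True when no USR40 entry matches the password."""
    return not forbidden_by(password, patterns)
```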

The SAP R/3 system profile parameters have been set to appropriate values.
Performed the following procedures to determine whether the SAP R/3 system profile parameters have been set to appropriate values: see the section on profile parameters for more detail.

R/3 Security: Audit Check
The production system has been set to productive.
To verify that the company codes utilized in the SAP R/3 systems are set to productive. There are various company codes that come as default within SAP. This is to ensure that only the company codes that are being used are checked and set up as productive. The SOX team/Security team should perform the following steps:
Execute transaction code: OBR3
Review the "Productive" column and ensure applicable global settings have not been checked off.
The production client settings have been flagged to not allow changes to programs and configuration.
Performed the following steps to verify that production client settings have been flagged to not allow changes to programs and configuration:
Execute transaction code SCC4 (all clients) and SE06
Double click on the applicable production client.
Verify that changes to client dependent and client independent objects are not allowed and that the client is set to productive.
R/3 Security: Audit Check
Access Restriction: SCC4 and SE06
Transaction codes SCC4 and SE06 are critical transactions which can be used to prevent direct changes being made to the production system. If these transactions are not appropriately set there is a risk that unauthorized changes may be made directly in the production system, without going through the appropriate change management process.
Performed the following steps to verify that the ability to make changes to client and system settings is restricted and access privileges are appropriately assigned based on job responsibilities. Perform the following steps:
Query 1
Execute transaction code: SUIM
Select User by complex criteria
Authorization object: S_TCODE
Transaction code value: SCC4
Authorization object: S_TABU_DIS
Activity: 02 and 03
Authorization Group: SS
Authorization object: S_TABU_CLI
Indicator for cross client maintenance: X
Query 2
Execute transaction code: SUIM
Authorization object: S_TCODE
Transaction code value: SCC4
Authorization object: S_ADMI_FCD
System Administration Function: T000
Authorization object: S_CTS_ADMI
Administration task: INIT
Query 3
Execute transaction code: SUIM
Authorization object: S_TCODE
Transaction code value: SE06
Authorization Object: S_TRANSPRT
Activity Value: *
Request Type: *
Authorization Object: S_CTS_ADMI
Administration Task: RELE

R/3 Security: Audit Check
S_DEVELOP is secured
Only the SAP R/3 super user has the S_DEVELOP authorization object with critical activity values in the production system.
Performed the following procedures to verify that only the super user has the S_DEVELOP authorization object with critical activity values in the production system:
Query
Execute transaction code: SUIM
S_TCODE: SE38
Authorization Object: S_DEVELOP
All fields: "*"

Risk: The risk here is that users who have this access have the ability to perform development related functions in the production system. Such access should be restricted to developers in the development system only.

R/3 Security: Audit Check
Change management is secured and controlled
Performed the following procedures to ensure that the SAP R/3 change management environment provides a secure and controlled structure for software changes.
Start the transaction SE16, enter the table name and choose the option Display.
TCESYST Environments
Inspect the table TCESYST, which details the various environments.
TCETRAL Cross Transports
Inspect the table TCETRAL and note the various transport layers. Reviewed transport layers.
TCEDELI Recipient systems
Inspect the table TCEDELI, which details which SAP systems receive released transports.
R/3 Security: Audit Check
Transport access to production is restricted
Performed the following procedures to verify that the ability to make transports to production is restricted and access privileges are appropriately assigned based on job responsibilities:
Risk: The risk here is that users who have this access have the ability to move code from the development environment to the production environment.
Executed transaction: SUIM
Authorization object: S_TCODE
Transaction code value: SE11
Authorization Object: S_TRANSPRT
Activity value: 01 OR 43
Request Type: DTRA OR CUST

R/3 Security: Audit Check
Developer access in production
The ability to make changes to the SAP R/3 Data Dictionary is restricted and access privileges are appropriately assigned based on job responsibilities.
Performed the following procedures to verify that the ability to make changes to the SAP R/3 Data Dictionary is restricted and access privileges are appropriately assigned based on job responsibilities:
Executed transaction: SUIM
Authorization object: S_TCODE
Transaction code value: SE11
Authorization object: S_DEVELOP
Activity value: 01 or 02
Other fields: "*"
Risk: The risk here is that users who have this access have the ability to maintain the SAP database (data dictionary).

Identify users who can do development in Production
Execute transaction code: SUIM
S_TCODE: SE38
Authorization Object: S_DEVELOP
Activity: 02 and 03
All fields: LEAVE BLANK
All fields: "*"
Risk: The risk here is that users who have this access have the ability to perform development related functions in the production system. Such access should be restricted to developers in the development system only.
Execute transaction code: SUIM
S_TCODE: SE38
Authorization Object: S_DEVELOP
Development Object ID: PROG
Activity: 02
All fields: "*" AND LEAVE BLANK
Risk: The risk here is that users who have this access have the ability to perform development related functions in the production system. Such access should be restricted to developers in the development system only.
Execute transaction code: SE16
Table Name: DEVACCESS
Risk: A developer key is required along with an open system to make changes within production.

R/3 Security: Audit Check
Change critical number range is restricted (company code, chart of accounts etc.)
Performed the following procedures to verify that the SAP system appropriately restricts the ability to change critical number ranges (i.e., company codes, chart of accounts, accounting period data, etc.).
Execute transaction code SUIM
Authorization object: S_TCODE
Transaction code value: SNRO
Authorization object: S_NUMBER
Activity: 02
Number of number range: "*"
Risk: The risk here is that users who have this access have the ability to maintain critical number ranges.
R/3 Security: Audit Check
Custom tables have auth group
Performed the following procedures to verify that all customized SAP R/3 tables have been assigned to the appropriate authorization group:
Executed transaction code: SE16
Table name: TDDAT
Table name: Z*, Y*
Risk: If tables are not assigned to authorization groups it is not possible to appropriately control direct access to tables.
R/3 Security: Audit Check
Locking of sensitive system transaction codes in the Production environment.
Query
The authorization to lock and unlock transaction codes should only be granted to a selected few users. This also applies to customer developed tcodes, provided they are entered in table TSTCA through transaction code SE93.
Do check using the following report in production who has this access.
Execute transaction: SM01
OR
Execute transaction: SE16
Table Name: TSTC
CINFO field: 20 to 20
Risk: SAP recommends that certain sensitive transactions be locked in the production system to prevent accidental or malicious use. The risk therefore is that these transactions be accidentally run, or run with malicious intent.
Query
Generated a list of users who have access to lock/unlock transaction codes.
Execute transaction code: SUIM
S_TCODE: SM01
Authorization object: S_ADMI_FCD
Field value: TLCK (lock/unlock transactions)
Risk: These users have the ability to lock or unlock sensitive transactions which should not be run in the production system.
R/3 Security: Audit Check
BDC user types should have only the required access. They don't need sap_all.
To verify that BDC users are assigned only the authorizations needed to perform the required task, performed the following steps:
Execute transaction code SUIM
Click on "User"
Click on "List of users according to complex selection criteria".
Click on "By user ID".
Then execute by clicking on the small green check mark.
Click on "Other view" twice to display the user type for all listed user IDs.
Risk: The risk here is that these IDs have been provided "super user" access rights, which is excessive based on the typical needs for these IDs. Such IDs could potentially be misused.

An overview of jobs scheduled in the SAP R/3 system is performed regularly.
Performed the following steps to produce a listing of batch input sessions:
Execute transaction code SM35
Enter a * in the "Session name" field and the "Created By" field.
Click on the "Incorrect" tab.
Risk: If batch sessions are not monitored on a regular basis, there is a risk that important batch sessions will contain errors or not be completely processed, and therefore processing of critical financial information will not be complete and the issue will not be identified on a timely basis.

R/3 Security: Background processing SM35
Run Program in the background
By default a user is allowed to schedule reports for background processing, but cannot release them. Authorization to release jobs is controlled by S_BTCH_JOB. Activity RELE is needed to release jobs. Activity PROT is required to display the log.
The other authorizations like delete, change and move should only be assigned to the batch administrator.
S_BTCH_ADM should be granted to the batch administrator and not to all users. This is a critical authorization that can release other users' jobs. It controls access to jobs in all clients of a system.
S_BTCH_NAM can be used to schedule jobs under a different user ID. Never give * as this would allow the user to start batch jobs under any user ID.
To check who has this access in production, follow the instructions below.
Execute transaction code SUIM
S_tcode: SM36/SM37
Authorization Objects: S_BTCH_JOB, S_BTCH_NAM
Job Operations: RELE
Summary of jobs for a group: "*"
Background user ID: "*"
Risk: The risk here is that users who have this access have the ability to run programs directly in the background, bypassing transaction level security in SAP, and could potentially run programs/transactions they are not explicitly authorized to run.
Batch input : SM35
Batch input transaction code SM35 needs authorization for object S_BDC_MONI. You can restrict the privileges to certain sessions by entering the respective session name or name range. If you use a name range then the naming convention should be used properly.
Execute transaction code SUIM
S_tcode: SM35
Authorization Objects: S_BDC_MONI
Batch Input monitoring activity: "*"
Session Name: "*"
Risk: The risk here is that users who have this access have the ability to process batch transactions without being explicitly authorized to do so.
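The SUIM "users by complex selection criteria" queries on this page (Query 1 under Access Restriction, the S_DEVELOP query under Developer access in production, and the S_BTCH_NAM check just above) all rest on the same rule from the introduction: fields inside one authorization are ANDed, separate authorizations for the same object are ORed. The following added example (not code from the original document) models that rule and runs those three queries, plus the SAP_ALL profile lookup, over constructed user data. The technical field names (TCD, ACTVT, DICBERCLS, CLIIDMAINT, OBJTYPE, BTCUNAME) and all user records are assumptions made for the example.

```python
"""Offline model of the SUIM 'users by complex selection criteria' queries on
this page. Added example, not the document's own code: user records are
constructed and the technical field names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# One allowed value: literal ('SCC4'), wildcard ('*' or 'Z*') or a FROM-TO range.
ValueSpec = Union[str, Tuple[str, str]]


@dataclass
class Authorization:
    obj: str                              # authorization object, e.g. 'S_TCODE'
    fields: Dict[str, List[ValueSpec]]    # field name -> allowed values


@dataclass
class User:
    name: str
    profiles: List[str] = field(default_factory=list)
    auths: List[Authorization] = field(default_factory=list)


def value_matches(spec: ValueSpec, actual: str) -> bool:
    """SAP value semantics: exact, '*' (all), trailing '*' (prefix), or FROM-TO range."""
    if isinstance(spec, tuple):
        low, high = spec
        return low <= actual <= high
    if spec == "*":
        return True
    if spec.endswith("*"):
        return actual.startswith(spec[:-1])
    return spec == actual


def auth_covers(auth: Authorization, required: Dict[str, str]) -> bool:
    """Every required field must be covered by this ONE authorization (AND)."""
    return all(any(value_matches(s, val) for s in auth.fields.get(name, []))
               for name, val in required.items())


def user_has(user: User, obj: str, required: Dict[str, str]) -> bool:
    """Any authorization of the object may satisfy the check (OR between them)."""
    return any(auth_covers(a, required) for a in user.auths if a.obj == obj)


def select(users: List[User], checks: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Users satisfying every (object, required values) pair, as SUIM combines them."""
    return sorted(u.name for u in users if all(user_has(u, o, r) for o, r in checks))


def users_with_profile(users: List[User], profile: str) -> List[str]:
    """'By user profiles' selection, e.g. SAP_ALL or SAP_NEW."""
    return sorted(u.name for u in users if profile in u.profiles)


def query_scc4_cross_client(users: List[User]) -> List[str]:
    """Query 1: SCC4 + S_TABU_DIS activity 02 or 03 on group SS + cross-client flag X."""
    hits = set()
    for actvt in ("02", "03"):
        hits.update(select(users, [
            ("S_TCODE", {"TCD": "SCC4"}),
            ("S_TABU_DIS", {"ACTVT": actvt, "DICBERCLS": "SS"}),
            ("S_TABU_CLI", {"CLIIDMAINT": "X"}),
        ]))
    return sorted(hits)


def query_develop_in_prod(users: List[User]) -> List[str]:
    """S_DEVELOP with change activity 02 on programs, reachable through SE38."""
    return select(users, [("S_TCODE", {"TCD": "SE38"}),
                          ("S_DEVELOP", {"OBJTYPE": "PROG", "ACTVT": "02"})])


def query_btch_nam_star(users: List[User]) -> List[str]:
    """S_BTCH_NAM granted with '*': jobs may be started under any user ID."""
    return sorted(u.name for u in users for a in u.auths
                  if a.obj == "S_BTCH_NAM" and "*" in a.fields.get("BTCUNAME", []))


# Constructed sample user master data (not real users).
USERS = [
    User("BASIS01", ["SAP_ALL"], [
        Authorization("S_TCODE", {"TCD": ["*"]}),
        Authorization("S_TABU_DIS", {"ACTVT": ["*"], "DICBERCLS": ["*"]}),
        Authorization("S_TABU_CLI", {"CLIIDMAINT": ["X"]}),
        Authorization("S_DEVELOP", {"OBJTYPE": ["*"], "ACTVT": ["*"]}),
        Authorization("S_BTCH_NAM", {"BTCUNAME": ["*"]}),
    ]),
    User("CONFIG01", [], [  # client/table configuration access: hits Query 1
        Authorization("S_TCODE", {"TCD": ["SCC4", "SE06"]}),
        Authorization("S_TABU_DIS", {"ACTVT": ["02", "03"], "DICBERCLS": ["SS"]}),
        Authorization("S_TABU_CLI", {"CLIIDMAINT": ["X"]}),
    ]),
    User("DEV01", [], [  # display-only developer: SE38 but ACTVT 03
        Authorization("S_TCODE", {"TCD": ["SE38", "SE80"]}),
        Authorization("S_DEVELOP", {"OBJTYPE": ["PROG", "FUGR"], "ACTVT": ["03"]}),
    ]),
    User("BATCH01", [], [  # may schedule jobs only under its own naming range
        Authorization("S_TCODE", {"TCD": ["SM36", "SM37"]}),
        Authorization("S_BTCH_NAM", {"BTCUNAME": ["BATCH*"]}),
    ]),
    User("FI01", [], [  # FB01-FB99 transaction range, display-only table access
        Authorization("S_TCODE", {"TCD": [("FB01", "FB99")]}),
        Authorization("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["FC"]}),
    ]),
]
```

In a real review the USERS list would be built from an RSUSR002/SUIM export; the query functions then give the same hit lists the transactions show on screen.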
R/3 Security: Audit Check
Changes to critical SAP R/3 tables are logged and management regularly reviews the logs.
Run transaction SE16, table DD09L, and note that tables have been selected for logging.
Query
Execute transaction code: SUIM
S_TCODE: SE01
Authorization object: S_TRANSPRT
Activity: 02
Field Object in Workbench Organizer: UPGR
Risk: The risk here is that users who have this access have the ability to transport matchcodes into the production system. Such access should be restricted to basis administrators only.

R/3 Security: Audit Check
Scheduling Batch Jobs
Performed the following steps to verify which users have the ability to change the SAP R/3 job schedule:
Execute transaction code SA38, RSUSR002
S_tcode: SM36 (Schedule)
Authorization Object: S_BTCH_JOB
Job Operations: RELE
Summary of jobs for a group: "*", *
Risk: The potential risk here is that users who have this access have the ability to run programs directly in the background, bypassing transaction level security in SAP, and could potentially run programs or transactions they are not explicitly authorized to run.
Monitoring Batch Jobs
Run transaction SM37 to check if any of the jobs scheduled during the last year are still active.
Risk: If jobs are not monitored on a regular basis, there is a risk that jobs will not run to completion and therefore processing of critical financial information will not be complete and the issue will not be identified on a timely basis.

R/3 Security: Audit Check
Access to run reports should be restricted.
Execute transaction code SUIM
S_tcode: SA38
Authorization Objects: S_PROGRAM
User action ABAP program: SUBMIT (foreground and background)
Authorization Group: *, "*"
Risk: The risk here is that users who have this access have the ability to run programs directly, bypassing transaction level security in SAP, and could potentially run programs/transactions they are not explicitly authorized to run.
Execute transaction code SUIM
S_tcode: SA38
Authorization Objects: S_PROGRAM
User action ABAP program: EDIT (maintain attributes, text elements, ABAP/4 utilities to copy and delete programs)
Authorization Group: *
Risk: The risk here is that users who have this access have the ability to maintain program attributes.

R/3 Security: Audit Check
Critical and custom SAP R/3 tables are restricted.
Execute transaction SUIM
Authorization Object: S_TCODE
Transaction Code: SM31 (enhanced table maintenance)
Authorization object: S_TABU_DIS
Activity: 02 AND 03
Risk: The risk here is that users who have this access have the ability to maintain table data directly in the production system. This includes transactional, master file, security and configuration data.
Execute transaction SUIM
Authorization Object: S_TCODE
Transaction Code: SM31
Authorization object: S_TABU_DIS
Activity: 02 AND 03
Authorization Object: S_TABU_CLI

Identify if custom transactions have references to authorization objects.
Execute transaction code: SE16
Table name: TSTCA / TSTC
TCODE: Z*
Checked table TSTCA and verified that no Z transactions existed. Verified in table TSTC that the majority were secured by authorization objects. Since all transactions are secured by S_TCODE this control is still effective.
CUA
In complex system landscapes with multiple systems and clients, the administration cost for keeping the user master records in the systems consistent and up-to-date is very high. Employees join the company, resign, or change jobs within the company. Users must usually access several systems and clients in order to perform their business tasks, and therefore require multiple users.
Since user master records are client-specific, they must be maintained in each client of each and every system. For example, if you want to create a new user, you must create it manually in all the clients of all of the SAP R/3 Systems in which it should be valid.
User master records can be maintained centrally in one client of a system. If a new client is built as a copy of a maintenance client, the new client can initially be filled with the user master records of the maintenance client. During this copy, the roles of the maintenance client are copied together with the user master records. However, you cannot select which users should be copied and which should not. The user master records also cannot be automatically synchronized sequentially.

Advantage of having CUA
Administration of a whole system landscape from one single central system
Overview of all user data in the whole system landscape
Consistent user data in the whole system landscape
Additional local maintenance still possible

CUA in separate system vs in PRD
Advantages
No performance impact on PRD system
Independence from planned downtime of PRD system
Independence from PRD system release (a higher release with more functionality can be used). Maintenance activities of the CUA central system (e.g. import of support packages) have no impact on the PRD system
Access to user management can easily be controlled
Disadvantages
Additional hardware and administration cost

CUA in PRD
Advantages
No additional hardware and administration cost
Disadvantages
Performance impact on PRD system
No user administration during downtime of PRD system.
PRD system release determines CUA functionality (no higher release can be used)
Maintenance activities of the CUA central system (e.g. import of support packages) cause downtime of the PRD system
Access to user management can be controlled only if a separate client on the PRD server is set up

Pro & Con: Single CUA
Advantages
Requires few resources (hardware and/or disk space)
Consistent user master data in the whole system landscape
One single point of administration and control
Disadvantages
Maintenance of the CUA central system has an immediate impact on production, so no test of CUA functionality is possible
Unavailability of the CUA central system has an impact on the whole system landscape
Planned downtime of the CUA central system has to be confirmed by all system owners
High volume of user data and high number of changes to user master records (e.g. caused through client copy in DEV) can result in a decrease of performance of the CUA central system
Not suitable for customers where responsibilities for user administration are organizationally split based on systems

Organizational challenges
Technical CUA configuration does not match the organization of the user administration
Conflicts due to unclear responsibilities for user management
User administrators are not trained in CUA usage
CUA: Installation
Introduction
For clients with a very complex landscape with multiple systems and multiple clients, maintaining the entire environment becomes very challenging. Using Central User Administration (CUA), you can maintain user master records centrally in one system. Changes to the information are then automatically distributed to the child systems. This means that you have an overview in the central system of all user data in the entire system landscape. Distribution of the data is based on a functioning Application Link Enabling landscape (ALE Landscape). In this way, data can be exchanged in a controlled manner and is kept consistent. An ALE System Group is used by the Central User Administration to distribute user data between a central system and child systems linked by ALE.
Central User Administration (CUA) data is distributed asynchronously between the application systems in an ALE environment. This ensures that it still reaches the target system even if it was unreachable when the data was sent.
One system in the Central User Administration (CUA) ALE environment is defined as the central system. The central system is linked with every child system in both directions. The child systems are not linked to each other, with the exception of the central system, which is itself a child system from the point of view of Central User Administration.
Setting Up Central User Administration
To set up Central User Administration (CUA), perform the procedures described below.
Steps to Set Up the CUA
Specify Logical Systems
Assign Logical Systems to a Client
Create Communication Users (ADM_CUA)
Create RFC Destinations
Set Distribution Parameters for Fields
Synchronize Company Addresses
Create CUA
Transfer Users

Setting Up Logical Systems
Systems of the Central User Administration (CUA) are referred to using logical system IDs. A logical system is a client. Therefore you must first set up logical system names that you then assign to the clients in the SAP systems.
Communication Users and RFC Destinations
This section provides you with an overview of the interaction of communication users, RFC destinations, and authorization roles of the communication users, and the administration tasks that are connected with this. The exact procedure is described in the following sections. Communication users are required for the internal communication of the systems in an ALE group (the distribution of user data). These communication users, defined in the target systems, are entered in RFC destinations in the calling systems. To increase the security of your system landscape, when you are creating communication users, assign only greatly restricted authorizations, as described below, to the communication users.
The user ID used in all the systems is ADM_CUA, and this user is a communication user.
Authorization for Central system
SAP_BC_USR_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_CENTRAL
Authorization for Client system
SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT.

Setti" Up ,ield Distri'utio Parameters
"f you are using :entral &ser Administration, you can use the distribution parameters in
transaction %:&8 to determine where indiidual parts of a user master record are
maintained.
c "n the central system
c <ocally in the child system
c "n the child system with automatic redistribution to the central system and the other
:&A child systems
=ery input field of the user maintenance transaction %&)* has a field attribute that you
set
once in the central system with transaction %:&8 during :ustomizing. As far as possible,
you
should then not change the field maintenance indicator at all.
"f you later change the distribution from !ocal or +roposal to 4lobal or Redistribution, data
inconsistencies can occur. $hen resoling these inconsistencies you must proceed with the
utmost care. 7therwise data losses will occur.
!he only exception to this is the !ocks tab page. #ou can change the indicators
on this tab page at any time without any risk.
Procedure
Log on to the central system.
In the Implementation Guide (IMG, transaction SALE), choose Modeling and Implementing Business Processes → Predefined ALE Business Processes → Cross-Application Business Processes → Central User Administration → Set Distribution Parameters for Fields (transaction SCUM).
The system displays the User Distribution Field Selection screen, with tab pages of the fields whose distribution parameters you can set. To display additional fields, choose page down.
You can select the following options on the tab pages:

Global: You can only maintain the data in the central system. The data is then automatically distributed to the child systems. These fields do not accept input in the child systems, but can only be displayed. All other fields that are not set to "Global" accept input both in the central and in the child systems and are differentiated only by a different distribution after you have saved.
Proposal: You maintain a default value in the central system that is automatically distributed to the child systems when a user is created. After the distribution, the data is only maintained locally, and is not distributed again if you change it in the central or child system.
RetVal: You can maintain data both centrally and locally. After every local change to the data, the change is redistributed to the central system and distributed from there to the other child systems.
Local: You can only maintain the data in the child system. Changes are not distributed to other systems.
Everywhere: You can maintain data both centrally and locally. However, only changes made in the central system are distributed to other systems; local changes in the child systems are not distributed.
To maintain the other parameters, too, switch to the other tab pages. The tab pages correspond to those of user maintenance.
Save your entries.
The distribution parameters are automatically transferred to the child systems.
Address tab
Title, Language and Printer are set up for RetVal; the rest are set up to Global.
Logon data
Initial password is set to Proposal, and the rest is set to Global.
Defaults
All attributes set to RetVal.

Parameters
All attributes set to RetVal.
Profiles/Roles
All attributes set to Global.
Lock
Unlock incorrect logon is set to Local.
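The five distribution attributes are easy to confuse, so the following added example (not SAP code and not part of this page) models them as rules: given the attribute of a field and the system in which it was changed, it answers whether SU01 accepts input there and which systems receive the new value. The attribute table reproduces the settings recommended above; the per-tab field keys and the system names are assumptions.

```python
"""Model of the field distribution attributes set in transaction SCUM.

Added example, not SAP code. It encodes the Global / Proposal / RetVal /
Local / Everywhere semantics described on this page and the recommended
settings per tab. Field keys ("<tab>.<field>") and system names are
constructed; "<tab>.*" is the fallback for all other fields on that tab.
"""
from dataclasses import dataclass

GLOBAL, PROPOSAL, RETVAL, LOCAL, EVERYWHERE = (
    "Global", "Proposal", "RetVal", "Local", "Everywhere")

# Recommended settings from the page (attribute choices are the page's).
RECOMMENDED = {
    "address.title": RETVAL, "address.language": RETVAL,
    "address.printer": RETVAL, "address.*": GLOBAL,
    "logon.initial_password": PROPOSAL, "logon.*": GLOBAL,
    "defaults.*": RETVAL,
    "parameters.*": RETVAL,
    "profiles.*": GLOBAL, "roles.*": GLOBAL,
    "lock.unlock_incorrect_logon": LOCAL,
}


@dataclass
class Landscape:
    central: str      # the CUA central system
    children: list    # child systems in the distribution model


def attribute_for(field_name, settings=RECOMMENDED):
    """Exact field setting first, then the tab-wide fallback."""
    if field_name in settings:
        return settings[field_name]
    tab = field_name.split(".", 1)[0]
    return settings[f"{tab}.*"]     # KeyError for an unknown tab


def ready_for_input(field_name, system, landscape, settings=RECOMMENDED):
    """Whether SU01 in `system` accepts input for the field."""
    attr = attribute_for(field_name, settings)
    if attr == GLOBAL:
        return system == landscape.central
    if attr == LOCAL:
        return system != landscape.central
    return True   # Proposal, RetVal and Everywhere: editable on both sides


def distribution_targets(field_name, changed_in, landscape,
                         on_create=False, settings=RECOMMENDED):
    """Systems that receive the new value after a save in `changed_in`."""
    if not ready_for_input(field_name, changed_in, landscape, settings):
        raise ValueError(f"{field_name} is display-only in {changed_in}")
    attr = attribute_for(field_name, settings)
    in_central = changed_in == landscape.central
    children = set(landscape.children)
    if attr == GLOBAL:
        return children
    if attr == PROPOSAL:
        # the default only travels with the creation of the user
        return children if (in_central and on_create) else set()
    if attr == RETVAL:
        # a local change goes back to central and on to the other children
        if in_central:
            return children
        return {landscape.central} | (children - {changed_in})
    if attr == LOCAL:
        return set()
    # EVERYWHERE: only central changes are distributed
    return children if in_central else set()


if __name__ == "__main__":
    ls = Landscape("CUA", ["ERP", "BW", "CRM"])
    print("roles changed in CUA ->", distribution_targets("roles.assign", "CUA", ls))
    print("printer changed in ERP ->", distribution_targets("address.printer", "ERP", ls))
```

The `ValueError` path is the situation the text describes for Global fields: they are shown but not ready for input in a child system, so a local change cannot be made at all.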

Transferring Users from New Systems
If you include a new system in the distribution model selected, you must make sure that the user master records in the new system are transferred to the central system.
Prerequisites
You have synchronized the company addresses.

Procedure
1. Log on to the central system.
2. In the Implementation Guide (IMG, transaction SALE), choose Modeling and Implementing → Predefined ALE Business Processes → Central User Administration → Transfer Users from New Systems (transaction SCUG). The system displays the Central User Administration Structure Display screen with a tree structure of the systems of the distribution model. The systems with New indicators contain user master records that are not contained in the Central User Administration.
3. If you are setting up a completely new Central User Administration, place the cursor on the central system and choose Transfer Users.
The system displays the following tab pages:
New users: These users are not yet contained in Central User Administration. By choosing Transfer users, you can transfer the selected users into the central system. This transfers all user parameters such as address and logon data, as well as profiles and roles. In the future, the user will be maintained centrally.
Identical users: These are users with identical user IDs (that is, their name and user name are the same). The roles and profile data for this user can be transferred to the central system. The user is then distributed and therefore appears as it is stored in the central system. Local data is overwritten.
Different users: These user IDs are contained in both the central and the child systems, but with different data. If in a single case the users are actually the same user, you can transfer the roles and profile data for the user to the central system. The user is then distributed as it exists in the central system. If these are two different users, create a new user ID for one user in the central system, and delete this user in the child system.
Already central users: These users are already in the Central User Administration under the same name and are maintained centrally.

4. Select all new and changed users and choose Transfer Users.
5. Perform steps 3 and 4 successively for all child systems from which you want to transfer users.
6. After you have completed the user transfer, remove the roles SAP_BC_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_SETUP_CLIENT from the communications users.
These roles are only required to set up the CUA, but not for its operation. By restricting the authorizations of the communications users to the minimum level, you increase the security of your system landscape.
7. Use transaction SCUL to check the distribution of the users after the transfer.
Operating Central User Administration
This section combines information that affects functions that have special features when you are using Central User Administration (CUA).
User Maintenance with Active Central User Administration
With active Central User Administration, you still use transaction SU01 to maintain users; however, user maintenance is somewhat different:
Whether fields are ready for input or not depends on the distribution attributes that you assigned to the field in transaction SCUM. Only the fields that may be maintained in the system are ready for input. You can only change a field that is to be maintained globally in the central system. This field does not accept input in the child systems.

In the central system, the user maintenance transaction also displays the tab page Systems. Here you enter the systems to which users are to be distributed. To display the systems for the corresponding distribution model, use the possible entries help. Each time you save, the system distributes the user data to these listed systems.
The Roles and Profiles tab pages each contain an additional column for each entry, specifying the system for which the user is assigned the role and/or profile. With the "Text comparison from child sys." pushbutton on the Roles and Profiles tab pages, you can update the texts for roles/profiles that you have changed, for example, in the child systems. The texts in the child systems are stored temporarily so that they are available in the central system. As the comparison requires some time, it is performed asynchronously and the current texts may not be available immediately. You can only assign profiles to users for the systems in which they are distributed. If you enter a new system when you assign profiles to users, the system displays a warning that the user was assigned a new system. The entry is automatically transferred into the tab page Systems. After this, the user master record is also distributed in the new system.

All user master records are created in the central system. Users can then only log on to the central system if the central system itself is entered in the Systems tab page of the corresponding user master record.

Performing a Text Comparison with Target System Specification
If you have created, deleted or imported roles and/or profiles in a child system of the Central User Administration (CUA), there is initially a different data status in the central and child systems. You do not need to perform a text comparison for all child systems, but can clean up the data specifically for the affected child system as follows:
In the central system, you use transaction SU01 to execute the Text Comparison from Child System function and specify the changed child system as the target system.
You send the changed role data from the child system in which you have made the role maintenance (transaction PFCG) changes to the central system. To do this, choose Environment → Text Comparison for CUA Central System in transaction PFCG of the child system.
CUA - Tips
Access to the configuration transactions of Central User Administration (CUA) should be controlled. Consideration should be given to restricting access to the following CUA maintenance transactions to relevant user administration staff only.
CUA Tcode | Name and Description
SALE | Display ALE Customizing. Used to configure the ALE environment for CUA. This transaction also allows access to other ALE and Remote Function Call (RFC) configuration.
SCUA | Central User Administration. Transaction used to maintain the CUA landscape.
SCUL | Central User Management Log. Transaction used to view CUA audit and error logs.
SCUM | Central User Administration. Transaction used to define field distribution for CUA.
Removing Central User Client
Log on to the central system and run report RSDELCUA to remove one or more child systems.
Execute WE20 and select Partner Type LS. Delete message types CCLONE and USERCLONE for the selected child system.
Delete the complete partner model.
Execute transaction BD64. In change mode, delete the methods for the deleted child and save the entries.
Then log on to every child system to be deleted.
Run report RSDELCUA on the child system.
In WE20, if there are any inbound parameters for the child client, delete them.
Once this is done the complete partner profile can be deleted.
It is not recommended to delete the RFC destinations, but rather to remove CUA administrative access from the communication user's role.
For further CUA troubleshooting follow the link
Single Sign-On
If you are one of those admins who face any of the issues listed below, then SSO is for you.
Users access multiple systems, including SAP and non-SAP systems. Some systems reside in a dedicated network zone in the intranet, but many systems reside on different networks or on the Internet.
Users need to have different IDs and passwords to access these systems.
Each of these systems also maintains its own password policy. For example, in the SAP HR system, the user has to change his or her password every 30 days. In the next system, the user has to change the password every 90 days. In another system, the user does not need to regularly change his or her password at all.
What does this lead to? Users forget their passwords. The administrator is constantly resetting passwords. Keep in mind that this makes social engineering much easier.
The solution is Single Sign-On. SSO users access multiple systems based on a single authentication.
Implementing SSO in NetWeaver 2004s
Implementing SSO (R/3 / Enterprise Portal)
Implementing SSO in NetWeaver 2004s
Verify that the following profile parameters are set correctly in the backend using RZ11:
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0
Make sure that in the portal the connector to the back end is defined with the following settings and that the permission is set correctly.
Authentication Ticket Type - SAP Logon Ticket
Logon Method - SAPLOGONTICKET
User Mapping Type - useradmin,user
Fix certificate
Log in to the Visual Administrator
1. Select the Key Storage Service.
2. Select the TicketKeystore view.
3. Delete the SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert entries.
4. Under Entry, choose Create. The Key and Certificate Generation dialog appears.
5. Enter the Subject Properties in the corresponding fields.
The entries in these fields build a Distinguished Name in the form:
CN=, OU=, O=, L=, ST=, C=
Use capital letters for the Country Name.
6. Enter SAPLogonTicketKeypair as the Entry Name.
Do not enter a different name. The J2EE Engine uses the entry with this name to sign logon tickets.
7. Select the Store certificate option and choose DSA as the algorithm to use.
8. Choose Generate.
Now download the J2EE Ticket via the Visual Admin Tool
Log in to the Visual Admin Tool
Open the tree "Server -> Services -> Key Storage"
Within "Key Storage" choose the view "Ticket Keystore" and the entry "SAPLogonTicketKeypair-cert"
Click on "Export" and save the ticket to a proper location
Finally upload the new ticket to STRUST
Click on the link for the video tutorial
Implementing SSO (R/3 / Enterprise Portal)
Implementing Single Sign-On for Enterprise Portal and R/3 backend
Procedure
Download public-key certificate of Portal Server
Use the Keystore Administration tool to download the verify.der file from the portal.
Set profile parameters
On all of the component system's application servers:
1. Set the profile parameters login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 0 in every instance profile.
Import public-key certificate of Portal Server to component system's certificate list and add Portal Server to ACL of component system
Both of these steps can be performed with transaction STRUSTSSO2, which is an extended version of transaction STRUST. For detailed documentation on transaction STRUST, see the Web Application Server documentation under Security → Trust Manager.
1. In the SAP System, start transaction STRUSTSSO2.
A screen with the following layout appears:
The PSE status frame on the left displays the PSEs that are defined for the system.
The PSE maintenance section on the top right displays the PSE information for the PSE selected in the PSE status frame.
Below that, the certificate section displays certificate information for a certificate that you have selected or imported.
The Single Sign-On ACL section on the bottom right displays the entries in the ACL of the system.
Note that the layout of the transaction will vary slightly, depending on the release of the SAP System.
2. In the PSE status frame on the left, choose the system PSE.
3. In the certificate section, choose Import Certificate.
The Import Certificate screen appears.
4. Choose the File tab.
5. In the File path field, enter the path of the portal's verify.der file.
6. Set the file format to DER coded and confirm.
7. In the Trust Manager, choose Add to PSE.
8. Choose Add to ACL, to add the Portal Server to the ACL list.
9. In the dialog box that appears, enter the portal's system ID and client. By default, the portal's system ID is the common name (CN) of the Distinguished Name entered during installation of the portal. The default client is 000.
If necessary, you can change these default values by changing the properties login.ticket_issuer and login.ticket_client respectively in the user management properties.
The other values are taken from the certificate.
10. Save your entry.
11. Do not forget to set profile parameters and ITS service parameters as described in Configuring SAP Systems to Accept and Verify SAP Logon Tickets.
Result
The SAP component systems are able to accept SAP logon tickets and verify the Portal Server's digital signature when they receive a logon ticket from a user.
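The same two profile parameters appear in the NetWeaver 2004s section above (checked with RZ11) and in the "Set profile parameters" step of this procedure. The following added example (not SAP code or an SAP tool) reads them from an instance profile excerpt and reports any deviation from the values this page prescribes for a backend that only consumes portal tickets. The profile text is a constructed sample; the assumption that a later definition of a parameter overrides an earlier one in the same profile is noted in the code, and RZ11 remains the authority on the value actually in effect.

```python
"""Check the SAP logon-ticket profile parameters in an instance profile.

Added example, not SAP code. Expected values are the ones this page gives
for a component system that accepts tickets issued by the portal:
login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 0.
"""

EXPECTED = {
    "login/accept_sso2_ticket": "1",   # accept tickets issued by the portal
    "login/create_sso2_ticket": "0",   # do not issue tickets from the backend
}

# Constructed instance-profile excerpt (not from a real system). The accept
# parameter is defined twice; the parser lets the later line win, which is an
# assumption about profile evaluation order.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed sample)
SAPSYSTEMNAME = ERP
INSTANCE_NAME = DVEBMGS00
login/accept_sso2_ticket = 0
login/create_sso2_ticket = 1
login/accept_sso2_ticket = 1
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value          # later definition overrides earlier one
    return params


def check_sso_parameters(params, expected=EXPECTED):
    """One finding per parameter that is missing or not at its expected value."""
    findings = []
    for name, want in expected.items():
        got = params.get(name)
        if got is None:
            findings.append(f"{name} not set (expected {want})")
        elif got != want:
            findings.append(f"{name} = {got} (expected {want})")
    return findings


if __name__ == "__main__":
    for finding in check_sso_parameters(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
```

Run against the sample it flags only `login/create_sso2_ticket`, which is set to 1 although the backend here is meant to accept, not create, tickets. A system that really should issue its own tickets would carry a different expected table.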
Importing Portal Certificate into SAP System
Prerequisites
You have downloaded the public-key certificate of the portal server (verify.pse file). Use the Keystore Administration tool for this.
Procedure
1. In the component system, start transaction STRUST.
The following screen appears.
This screen displays a list of the certificates contained in the PSE of the component system.
2. In the certificate group box, choose Import Certificate.
The Import Certificate screen appears.
3. Choose the File tab.
4. In the File path field, enter the path of the portal's verify.der file.
5. Set the file format to DER coded and confirm.
6. In the Trust Manager, choose Add to PSE.
7. Save the new certificate list.
The new certificate list is automatically replicated to all application servers in the system. You do not have to import the portal certificate onto each application server separately.
Sarbanes-Oxley (SOX)
Sarbanes-Oxley has become the de facto standard for financial transparency, trust, and corporate accountability. While mandatory for all publicly-owned companies, Sarbanes-Oxley is also becoming a best practice for all types of companies who wish to identify with good governance practices.
A significant amount of attention is currently focused on Section 302 (Disclosure) and Section 404 (Internal Controls). Sarbanes-Oxley Sections 302 and 404 are designed to ensure that information required to be disclosed is initiated, processed, recorded, and reported, and that management has assessed the effectiveness of internal controls regarding the reliability of financial reporting.
CEOs and CFOs of public companies must:
Certify that they have reviewed financial statements and each annual or quarterly report.
Certify that each such report fairly represents the company's financial condition.
Certify that they have established and are maintaining internal controls.
Ensure the effectiveness of such internal controls every quarter.
Address significant changes in internal controls or other factors that could significantly affect such controls.
Identify corrective actions taken regarding deficiencies/weaknesses in controls.
Disclose any significant deficiencies in internal controls and/or any fraud involving persons with a significant role in upholding such controls.
SOX/SoD - Tool Comparison
Feature / Attribute | Approva | BearingPoint | CSI | Virsa Systems
Production Installations | 5 | 4 | 4 | 5
Product Stability / Maturity | 4 | 3 | 2 | 5
Support | 3 | 5 | 3 | 5
Support Separation of Duties roles/responsibilities identification and resolution | 5 | 3 | 3 | 5
Support ease of implementation requirements and integration to SAP 4.7 | 5 | 3 | 3 | 5
Support monitoring (after the fact) and audit of compliance to Sarbanes-Oxley Section 404 | 5 | 3 | 3 | 5
List of critical transactions such as change security systems, change user accesses, limitation to system and transaction access | 5 | 4 | 4 | 5
Rules and roles can be enforced and customized at high level | 5 | 5 | 5 | 5
Rule sets and high level rule definition | 5 | 5 | 5 | 5
Workflow and approvals functionality | 5 | 0 | 0 | 5
Cross platform conflicts identification | 5 | 0 | 0 | 4
Extend rule sets to include non-system controls for SoD | 5 | 0 | 0 | 5
Drill down to role definition and change configuration to eliminate SoD conflict | 4 | 4 | 4 | 5
Security software does not impact performance and integrity of ERP system | 5 | 4 | 4 | 4
Technical Support Rating | 5 | 3 | 3 | 5
Established User Group | 0 | 0 | 0 | 5
Initial Software Investment Cost | Expensive | Cheap | Cheap | Expensive
Annual Maintenance/Support Fees | Expensive | Cheap | Cheap | Expensive
Additional Hardware Required | Yes | No | No | No
Implementation Costs | 5 | 2 | 2 | 5
End-User Training Required | Required | Required | Required | Required
To Setup Product Demonstration | 4 | 3 | 3 | 5
Existing Customer References | 4 | 3 | 2 | 5
Rating: 5 is good and 0 is poor. This is my personal opinion.
Other SAP SOX/SoD Tool
Synaxion provides you with integrated software solutions for SAP for both Governance, Risk & Compliance (GRC) as well as Business Performance Management (BPM), giving you the opportunity to optimize your business processes and SAP controls in an efficient manner. Synaxion has developed content packs to monitor the following areas:
Purchase to Pay
Order to Cash
Finance to Report
User Activity
Segregation of Duties
Organizations using the Synaxion software solutions have achieved key business improvements such as a reduction of Segregation of Duties (SoD) conflicts, open items on suspense accounts and SAP license costs. By exception-based monitoring of your SAP controls and reporting of deviations from the desired outcome, the Synaxion software solutions enable you to optimize your key business processes.
More information can be obtained at Synaxion's website
SOX - Critical Transactions
TCode | Risk Description

CA87 | Mass Replace Work Center
CAT6 | Human Resources
CL04 | Delete Class
F.34 | Credit Limit Mass Changes
F.80 | Mass Reversal of Documents
F044 | Vendor Archiving
FI12 | Change House Banks/Bank Accounts
IP30 | Run Date Monitoring
LN08 | Number range maint.: LVS_LENUM
MMPV | Close Periods
MMRV | Allow Posting to previous Period
PA20 | Display HR Master Data
PA30 | Maintain HR Master Data
PA70 | Fast Entry
PA97 | Compensation Administration - Matrix
PFCG | Role Maintenance - System integrity, stability at risk
RZ04 | Maintain SAP Instances
SA38 | ABAP Reporting - Can run programs not protected appropriately
SARA | Archiving Management - Should be restricted to Archive Admin
SCC1 | Client Copy - Special Selections
SCC4 | Client Admin. - System stability & integrity at risk
SCC5 | Delete Client - System stability at risk
SCC6 | Client Import - System stability & integrity at risk
SCC9 | Remote Client Copy - System stability & integrity at risk
SCCL | Local Client Copy - System stability & integrity at risk
SE01 | Transport Organizer - System stability & integrity at risk
SE11 | Data Dictionary Maint. - System stability & integrity at risk
SE13 | Maintain tech tables settings - System stability at risk
SE16 | Data Browser - Exposure to confidential information
SE37 | Function Builder
SE38 | ABAP Editor - System stability & integrity at risk
SM01 | Lock Transactions - System stability at risk
SM02 | System Messages - Should be restricted to System Admins only
SM30 | Table Maintenance - System integrity & stability at risk
SM49 | Execute OS commands - System stability at risk
SM50 | Work Process overview - System stability at risk
SU01 | User Maintenance - Should be restricted to User Admins only
SU02 | Profile Maintenance - System stability and integrity at risk
SU03 | Maintain Authorizations
SU05 | Maintain Internet user
SU10 | User Mass Maint - System stability at a very high risk
SU20 | Authorization Object fields
SU21 | Authorization Objects
SU24 | Maintain Assignment of Authorization Objects
SU25 | Profile Generator Upgrade and First Installation
SAP Security Interview Questions
Q. SAP Security T-codes
A. Frequently used security T-codes:
SU01 Create/Change User
PFCG Maintain Roles
SU10 Mass Changes
SU01D Display User
SUIM Reports
ST01 Trace
SU53 Authorization analysis
Click here for all Security T-codes
Q. List a few security tables
Click here for security tables
Q. How to create users?
Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional. Click here for a tutorial on creating an SAP user id
Q. What is the difference between USOBX_C and USOBT_C?
The table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (despite the authority-check command being programmed). This table also determines which authorization checks are maintained in the Profile Generator.
The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.
Q. What authorizations are required to create and maintain user master records?
The following authorization objects are required to create and maintain user master records:
S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile
S_USER_AUT: User Master Maintenance: Create and maintain authorizations
Q. List R/3 User Types
1. Dialog users are used for individual users. Check for expired/initial passwords. Possible to change your own password. Check for multiple dialog logon.
2. Service user - Only user administrators can change the password. No check for expired/initial passwords. Multiple logon permitted.
3. System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.
4. Reference user is, like a System user, a general, non-personally related user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.
Q. What is a derived role?
Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.
The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.
Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level. Follow this link for more info
Q. What is a composite role?
A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.
Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.
Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.
The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison. Follow the link to learn more
Q. What do the different colored lights mean in the profile generator?
A.

Q. What are the different tabs in PFCG?
A.
Q. What does user compare do?
If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY on a daily basis.
Q. Can we convert an Authorization field to an Org. field?
A. An authorization field can be changed to an organizational field using report PFCG_ORGFIELD_CREATE or ZPFCG_ORGFIELD_CREATE.
Use SE38 or SA38 to run the above report.
Organizational level fields should only be created before you start setting up your system. If you create organizational level fields later, you might have to do an impact analysis. The authorization data may have to be postprocessed in roles.
The fields "Activity" (ACTVT) and "Transaction code" (TCD) cannot be converted into an organizational level field.
In addition, all affected roles are analyzed and the authorization data is adjusted. The values of the authorization field which is now to become the organizational level field are removed and entered into the organizational level data of the role.
Note: Table for Org. Element: USORG
Refer to Note 323817 for more detail.
Q. How many profiles can be assigned to any user master record?
A. The maximum number of profiles that can be assigned to any user is 312. Table USR04 (Profile assignments for users) contains both information on the change status of a user and also the list of the profile names that were assigned to the user.
The field PROFS is used for saving the change flag (C = user was created, M = user was changed) and the names of the profiles assigned to the user. The field is defined with a length of 3750 characters. Since the first two characters are intended for the change flag, 3748 characters remain for the list of the profile names per user. Because of the maximum length of 12 characters per profile name, this results in a maximum number of 312 profiles per user.
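The PROFS layout just described (2-character change flag, then 12-character profile-name slots in a 3750-character field) is simple enough to encode directly. The following added example (not SAP code) packs and unpacks that field and enforces the 312-profile ceiling; the profile names it uses are constructed.

```python
"""Pack and unpack the PROFS field of table USR04 as described on this page.

Added example, not SAP code. Layout per the text: two characters of change
flag (C = created, M = changed) followed by profile names in fixed
12-character slots, inside a 3750-character field, which leaves room for
(3750 - 2) // 12 = 312 profiles. Sample profile names are constructed.
"""

PROFS_LENGTH = 3750
FLAG_LENGTH = 2
NAME_LENGTH = 12
MAX_PROFILES = (PROFS_LENGTH - FLAG_LENGTH) // NAME_LENGTH   # 312


def pack_profs(change_flag, profiles):
    """Build the PROFS content for a user, padded to the full field length."""
    if change_flag not in ("C", "M"):
        raise ValueError("change flag must be C (created) or M (changed)")
    if len(profiles) > MAX_PROFILES:
        raise ValueError(f"at most {MAX_PROFILES} profiles fit into PROFS")
    slots = []
    for name in profiles:
        if not name or len(name) > NAME_LENGTH:
            raise ValueError(f"invalid profile name {name!r}")
        slots.append(name.ljust(NAME_LENGTH))     # fixed-width slot
    body = change_flag.ljust(FLAG_LENGTH) + "".join(slots)
    return body.ljust(PROFS_LENGTH)


def unpack_profs(profs):
    """Return (change_flag, [profile names]) from PROFS content."""
    flag = profs[:FLAG_LENGTH].strip()
    body = profs[FLAG_LENGTH:]
    names = [body[i:i + NAME_LENGTH].strip()
             for i in range(0, len(body), NAME_LENGTH)]
    return flag, [name for name in names if name]


if __name__ == "__main__":
    packed = pack_profs("M", ["SAP_ALL", "T-AB123456"])   # constructed names
    print(len(packed), unpack_profs(packed))
```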
Q. Can you add a composite role to another composite role?
A. No
Q. How to reset the SAP* password from the Oracle database?
A. Log on to your database with orasid as user id and run this SQL:
delete from sap<sid>.usr02 where bname='SAP*' and mandt='<client>';
commit;
where mandt is the client.
Now you can log in to the client using SAP* and password pass.
Q. What is the difference between a role and a profile?
A. A role acts as a container that collects transactions and generates the associated profile. The profile generator (PFCG) in the SAP System automatically generates the corresponding authorization profile. Developers used to perform this step manually before PFCG was introduced by SAP. Any maintenance of the generated profile should be done using PFCG.
Q. What is the user buffer?
A. When a user logs on to the SAP R/3 System, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer. For example, if user Smith logs on to the system, his user buffer contains all authorizations of role USER_SMITH_ROLE. The user buffer can be displayed in transaction SU56.
A user would fail an authorization check if:
The authorization object does not exist in the user buffer
The values checked by the application are not assigned to the authorization object in the user buffer
The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be controlled using the system profile parameter auth/number_in_userbuffer.
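The three failure reasons above map onto how an authorization check is evaluated against the buffer: fields are ANDed inside one authorization, authorizations for the same object are ORed, and anything beyond the buffer limit is simply not loaded. The following added example (not SAP code) simulates that evaluation on a constructed user buffer and returns the return codes used by the ABAP AUTHORITY-CHECK statement; the authorization names, values and the buffer limit are constructed.

```python
"""Simulate an AUTHORITY-CHECK against the user buffer described above.

Added example, not SAP code. Rules encoded: a check names one authorization
object and field values; it passes when ANY authorization for that object
in the buffer covers ALL tested fields, and the buffer holds only the first
auth/number_in_userbuffer authorizations loaded at logon. Return codes:
0 = ok, 4 = object present but values not covered, 12 = object not in the
user buffer. All names, values and the limit below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    name: str       # e.g. a PFCG-generated authorization name
    obj: str        # authorization object, e.g. S_USER_GRP
    fields: dict    # field -> list of allowed values, ("low", "high") ranges or "prefix*"


@dataclass
class UserBuffer:
    entries: list
    overflowed: bool    # True when auth/number_in_userbuffer was too small


def build_user_buffer(authorizations, number_in_userbuffer):
    """Load at most number_in_userbuffer authorizations, as happens at logon."""
    return UserBuffer(list(authorizations[:number_in_userbuffer]),
                      len(authorizations) > number_in_userbuffer)


def value_allowed(spec, value):
    if isinstance(spec, tuple):             # ("low", "high") range
        low, high = spec
        return low <= value <= high
    if spec.endswith("*"):                  # trailing wildcard
        return value.startswith(spec[:-1])
    return spec == value


def authority_check(buffer, obj, **checked):
    """Return 0, 4 or 12 for the object and the field values being checked."""
    candidates = [a for a in buffer.entries if a.obj == obj]
    if not candidates:
        return 12                           # object not in the user buffer
    for auth in candidates:                 # OR across authorizations
        if all(any(value_allowed(spec, value)          # AND across fields
                   for spec in auth.fields.get(field, []))
               for field, value in checked.items()):
            return 0
    return 4                                # object present, values not covered


# Constructed buffer for user SMITH (role USER_SMITH_ROLE in the text).
SMITH = [
    Authorization("T-A1", "S_TCODE", {"TCD": ["SU01", "SU10"]}),
    Authorization("T-A2", "S_USER_GRP", {"CLASS": ["SUPER"], "ACTVT": ["03"]}),
    Authorization("T-A3", "S_USER_GRP", {"CLASS": ["ZHR*"], "ACTVT": [("01", "03")]}),
]

if __name__ == "__main__":
    buf = build_user_buffer(SMITH, number_in_userbuffer=100)
    print("SU01:", authority_check(buf, "S_TCODE", TCD="SU01"))
    print("change SUPER:", authority_check(buf, "S_USER_GRP", CLASS="SUPER", ACTVT="02"))
    small = build_user_buffer(SMITH, number_in_userbuffer=2)
    print("overflowed:", small.overflowed,
          "ZHR change:", authority_check(small, "S_USER_GRP", CLASS="ZHR_PAY", ACTVT="02"))
```

The last two lines show the overflow case: with a limit of 2 the third authorization is never loaded, so a check that PFCG and SU56 would both suggest should pass returns 4, which is exactly the "user has the authorization but still complains" symptom described later on this page.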
Q. How to find out all roles with T-code SU01?
A. You can use SUIM → Roles by complex criteria, or report RSUSR070, to find this out.
Go to Selection by Authorization Value.
In Object 1 put S_TCODE and hit enter.
Then put SU01 in Transaction code and hit the execute (clock with check) button.
I use the authorization object, as you can use this to test any object.

You can also get this information directly from the table, if you have access to SE16 or SE16N. Execute SE16N:
Table AGR_1251
Object S_TCODE
VALUE (low) SU01
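The AGR_1251 lookup above only finds roles whose S_TCODE entry names SU01 literally; an entry such as SU* or a LOW-HIGH range grants the transaction too and is missed by a simple equality match. The following added example (not SAP code) applies the full S_TCODE value semantics to constructed rows shaped like AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED), and then uses the same search to flag every role that grants any transaction from the SOX critical transactions list earlier on this page. Role names and rows are invented.

```python
"""Find roles granting a transaction through S_TCODE, with wildcard and
range handling, and flag roles granting SOX-critical transactions.

Added example, not SAP code. The rows mimic the columns of table AGR_1251
and are constructed; CRITICAL_TCODES is the list from this page.
"""

CRITICAL_TCODES = {
    "CA87", "CAT6", "CL04", "F.34", "F.80", "F044", "FI12", "IP30", "LN08",
    "MMPV", "MMRV", "PA20", "PA30", "PA70", "PA97", "PFCG", "RZ04", "SA38",
    "SARA", "SCC1", "SCC4", "SCC5", "SCC6", "SCC9", "SCCL", "SE01", "SE11",
    "SE13", "SE16", "SE37", "SE38", "SM01", "SM02", "SM30", "SM49", "SM50",
    "SU01", "SU02", "SU03", "SU05", "SU10", "SU20", "SU21", "SU24", "SU25",
}


def row(agr, obj, field, low, high="", deleted=""):
    return {"AGR_NAME": agr, "OBJECT": obj, "FIELD": field,
            "LOW": low, "HIGH": high, "DELETED": deleted}


# Constructed AGR_1251-style content (not from a real system).
AGR_1251 = [
    row("Z_BASIS_ADMIN", "S_TCODE", "TCD", "SU01"),
    row("Z_BASIS_ADMIN", "S_TCODE", "TCD", "PFCG"),
    row("Z_BASIS_ADMIN", "S_TCODE", "TCD", "SM*"),             # trailing * = prefix
    row("Z_FI_DISPLAY", "S_TCODE", "TCD", "FB03", "FB05"),     # LOW..HIGH range
    row("Z_FI_DISPLAY", "S_TCODE", "TCD", "SE16", deleted="X"),  # inactive entry
    row("Z_HR_PAYROLL", "S_TCODE", "TCD", "PA20", "PA30"),
    row("Z_DEVELOPER", "S_TCODE", "TCD", "SE*"),
    row("Z_DEVELOPER", "S_DATASET", "ACTVT", "33"),            # other object, ignored
]


def value_matches(low, high, tcode):
    """S_TCODE value semantics: exact value, LOW-HIGH range, or trailing '*'."""
    if high:
        return low <= tcode <= high
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return low == tcode


def roles_granting(rows, tcode):
    """Roles whose active S_TCODE entries cover `tcode` (cf. SUIM 'Roles by complex criteria')."""
    return sorted({r["AGR_NAME"] for r in rows
                   if r["OBJECT"] == "S_TCODE" and r["FIELD"] == "TCD"
                   and r["DELETED"] != "X"
                   and value_matches(r["LOW"], r["HIGH"], tcode)})


def critical_grants(rows, critical=CRITICAL_TCODES):
    """Map each role to the sorted list of critical transactions it grants."""
    found = {}
    for tcode in sorted(critical):
        for role in roles_granting(rows, tcode):
            found.setdefault(role, []).append(tcode)
    return found


if __name__ == "__main__":
    print("SU01 granted by:", roles_granting(AGR_1251, "SU01"))
    for role, tcodes in critical_grants(AGR_1251).items():
        print(f"{role}: {', '.join(tcodes)}")
```

Z_FI_DISPLAY does not show up in the critical report even though its table rows mention SE16, because that entry carries the DELETED flag; a search that ignores the flag would report a false positive, and one that compares LOW literally would miss the SM* and SE* grants entirely.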

Q. How to find out all the users who got SU01?
A. You can use SUIM → User by complex criteria, or report RSUSR002, to find this out.
Go to Selection by Authorization Value.
In Object 1 put S_TCODE and hit enter.
Then put SU01 in Transaction code and hit the execute (clock with check) button.
I use the authorization object, as you can use this to test any object.
Q. How to find out all the roles for one composite role or a selection of composite roles?
A. Execute SE16N
Table AGR_AGRS
Composite roles: You can put in multiple composite roles using the "more" button
Q. How to find out all the derived roles for one or more Master (Parent) roles?
A. Execute SE16N
Table AGR_DEFINE
Use either the agr_name field or the Parent_agr field.
Q. How can I check all the Organization values for any role?
A. Execute SE16N
Table AGR_1252
Role: Type in the role here and hit execute.
You can also download all the information to a spreadsheet.
Q. How do I restrict access to files through AL11?
A. First create an alias. Go to t-code AL11 → configure → create alias. Let's say we are trying to restrict alias DIR_TEMP, which is /tmp. Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below:
Activity 33
Physical file name /tmp/*
Program Name with Search Help *
Q. How can I add one role to many users?
A. SU10. If you have fewer than 16 users then you can paste the user ids.
If you have more than 16 users, click on Authorization data, click on the arrow next to users and upload from clipboard.
Hit the change button, go to the role tab, add the roles to be assigned and hit save.
Q. What are the best practices for locking expired users?
A.Lock the user. Remove all the roles and profiles assigned to the user. Move them to the TERM user group.
Q. How can the password rules be enforced?
A. Password rules can be enforced using profile parameters. Follow the link to learn more about the profile parameters.
Q. How to remove duplicate roles with different start and end dates from the user master?
A. You can use PRGN_COMPRESS_TIMES to do this. Please refer to note 865841 for more info.
Q. How come the user has the authorization in PFCG, but still complains of no authorization?
A. Make sure the user master is compared. Maybe there is a user buffer overflow.
Also check the profile. Follow the instructions below.
SUIM → User by complex criteria.
Put in the user id of the user who is having the issue.
Execute.
Double-click on the user id and expand the tree. Select the profile in question and see if the authorization is correct or not. If not, do the role reorganization in PFCG and see if that helps.
Q. How can I have a display-all role?
A. Copy SAP_ALL, open the role and change the activity to 03 and 08.
Q. How can I find out all ACTVT values in SAP?
A. All possible activities (ACTVT) are stored in table TACT (transaction SM30), and the valid activities for each authorization object can be found in table TACTZ (transaction SE16).
Q. How to find all the users who have access to change and create users?
A.
9( Bhat is SAPM
A. %A0 is the name of the company founded in *HB+ under the ;erman name -%ystems,
Applications, and 0roducts in Data 0rocessing. is the leading =10 -=nterprise 1esource 0lanning.
software package.
9( *5plai the cocept of G/usiess CotetH i SAP /usiess #formatio BarehouseM
A. [usiness :ontent is a pre9configured set of role and task9releant information models based on
consistent 8etadata in the %A0 [usiness "nformation $arehouse. [usiness :ontent proides
selected roles within a company with the information they need to carry out their tasks. !hese
information models essentially contain roles, workbooks, /ueries, "nfo%ources, "nfo:ubes, key
figures, characteristics, update rules and extractors for %A0 12(, my%A0.com [usiness Applications
and other selected applications.
9( Bhat is #D*SM
A. "nternational Demonstration and =ducation %ystem. A sample application proided for faster
learning and implementation.
9( Bhat is SAP R/3M
A. A third generation set of highly integrated software modules that performs common business
function based on multinational leading practice. !akes care of any enterprise howeer dierse in
operation, spread oer the world. "n 12( system all the three serers like presentation, application
serer and database serer are located at different system.
9( Bhat are presetatioC applicatio ad data'ase servers i SAP R/3M
A. !he application layer of an 12( %ystem is made up of the application serers and the message
serer. Application programs in an 12( %ystem are run on application serers. !he application
serers communicate with the presentation components, the database, and also with each other,
using the message serer. All the data are stored in a centralized serer. !his serer is called
database serer.
Q: What should be the approach for writing a BDC program?
A. Convert the legacy system data to a flat file and read the flat file into an internal table. Transfer the data into the SAP system ("SAP data transfer") in one of two ways: CALL TRANSACTION (the program drives the transaction explicitly) or batch-input sessions (sessions are created and then processed; if processing succeeds, the data is transferred).
Q: What are the major benefits of reporting with BW over R/3?
Q: Would it be sufficient just to Web-enable R/3 Reports?
A. Performance: heavy reporting alongside regular OLTP transactions can put a lot of load on both the R/3 system and the database (CPU, memory, disks, etc.). Just take a look at the load on your system during a month end, quarter end or year end, and now imagine that occurring even more frequently. Data analysis: BW uses a Data Warehouse and OLAP concepts for storing and analyzing data, whereas R/3 was designed for transaction processing. With a lot of work you can get the same analysis out of R/3, but it will most likely be easier from BW.
Q: What is the difference between OLAP and Data Mining?
A. OLAP (On-Line Analytical Processing) is a reporting tool configured to understand your database schema, its composition, facts and dimensions. By simple point-and-click, a user can run any number of canned or user-designed reports without having to know anything about SQL or the schema. Because of that prior configuration, the OLAP engine "builds" and executes the appropriate SQL. Mining means building the application to look specifically at detailed analyses, often algorithmic, and even more often misleadingly called "reporting".
Q: What is the "Extended Star Schema" and how did it emerge?
A. The Star Schema consists of the Dimension Tables and the Fact Table. In BW the master data is kept in separate tables that are referenced by the characteristics in the dimension table(s). These separate master data tables are what turns the star schema into the Extended Star Schema.
Q: Define Meta data, Master data and Transaction data.
A. Meta data: data that describes the structure of data or of MetaObjects; in other words, data about data. Master data: data that remains unchanged over a long period of time and contains information that is always needed in the same way. In BW, characteristics can carry master data; master data consists of attributes, texts or hierarchies. Transaction data: data relating to the day-to-day transactions.
Q: What is BEx?
A. BEx stands for Business Explorer. BEx enables end users to locate reports, view reports, analyze information and execute queries. The queries in a workbook can be saved to their respective roles in the BEx Browser. BEx has the following components: BEx Browser, BEx Analyzer, BEx Map and BEx Web.
Q: What are variables?
A. Variables are parameters of a query that are set in the query definition and are not filled with values until the query is inserted into a workbook. There are different types of variables used in different places: characteristic value variables, hierarchy and hierarchy node variables, text variables and formula variables; their processing types include user entry/default value and replacement path.
Q: What is AWB? What is its purpose?
A. AWB stands for Administrator Workbench. AWB is the tool for controlling, monitoring and maintaining all the processes connected with data staging and processing in the Business Information Warehouse.
Q: What is the significance of ODS in BIW?
A. An ODS Object serves to store consolidated and cleansed transaction data at document level (atomic level). It describes a consolidated dataset from one or more InfoSources. This dataset can be analyzed with a BEx Query or an InfoSet Query. The data of an ODS Object can be updated with a delta update into InfoCubes and/or other ODS Objects in the same system or across systems. In contrast to the multi-dimensional data storage of InfoCubes, the data in ODS Objects is stored in transparent, flat database tables.
Q: What is an Extractor?
A. Extractors are the data retrieval mechanisms in the SAP source system. They fill the extract structure of a DataSource with data from the SAP source system datasets. An extractor may be able to supply data for more fields than exist in the extract structure.

Q: How do I change the name of the master/parent role while keeping the name of the derived/child role the same? I would like to keep the name of the derived/child role the same and also the profile associated with the child roles.
A. First copy the master role using PFCG to a role with the new name you wish to have, then generate the new role. Now open each derived role and delete its menu. Once the menu is removed, the role lets you enter a new inheritance, where you put the name of the new master role you created. This keeps the same derived role names and the same profile names. Once the new roles are done you can transport them; the transport automatically includes the parent role.
Q: What is the difference between C (Check) and U (Unmaintained)?
A. Background:
When defining authorizations using the Profile Generator (PG), the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. You determine the authorization checks that can be maintained in the PG using check indicators. USOBX_C is the check table for table USOBT_C, which holds the default field values.
In USOBX_C there are 4 check indicators.
• CM (Check/Maintain)
- An authority check is carried out against this object.
- The PG creates an authorization for this object and the field values are displayed for changing.
- Default values for this authorization can be maintained.
• C (Check)
- An authority check is carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
• N (No check)
- The authority check against this object is disabled (this only takes effect if the profile parameter auth/no_check_in_some_cases is set to Y).
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
• U (Unmaintained)
- No check indicator is set.
- An authority check is always carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
So at runtime C and U behave the same: the check coded in the transaction is executed and the PG proposes nothing. The difference is that C records a deliberate decision that the object is checked but need not be maintained in roles, whereas U means nobody has looked at the entry yet.
Q: What does user compare do?
A. Comparing the user master means updating the profile information in the user master records. For users to be allowed to execute the transactions contained in the menu tree of their roles, their user master record must contain the profiles of the corresponding roles.
You can start the user compare from within the Profile Generator (User tab, User compare pushbutton). As a result of the comparison, the profile generated by the Profile Generator is entered into the user master record. Never enter generated profiles directly into the user master record (using transaction SU01, for example)! During the automatic user compare (with report PFCG_TIME_DEPENDENCY, for example), generated profiles are removed from the user masters if they do not belong to roles that are assigned to the user.
If you assign roles to users for a limited period only, you must perform a comparison at the beginning and at the end of the validity period; it is recommended to schedule the background job PFCG_TIME_DEPENDENCY in such cases, because an expired assignment keeps granting its profile until the next compare removes it.
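The following is an added example, not SAP code or anything from the original document: a model of what the user compare described above does to a user master record. It assumes a user master reduced to user -> set of profile names, role assignments with a validity period, and made-up generated profile names per role (a role with more than 150 authorizations gets several profiles). It shows the two points of the answer: a profile is only removed by the next compare after its assignment expires, and profiles entered manually in SU01 are not touched by the compare at all.

```python
"""Model of the PFCG user compare (PFCG_TIME_DEPENDENCY / PFUD) logic.

Added example, not SAP code. Assumptions: the user master is reduced to
user -> set of profile names, role assignments carry a validity period,
and the generated profile names per role are made up for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RoleAssignment:
    user: str
    role: str
    valid_from: date
    valid_to: date


# role -> profiles the Profile Generator produced for it (constructed names)
GENERATED_PROFILES: dict[str, set[str]] = {
    "Z_FI_DISPLAY": {"T-FI000100"},
    "Z_BASIS_FIREFIGHTER": {"T-BA000100", "T-BA000101"},  # >150 authorizations: two profiles
}
ALL_GENERATED = set().union(*GENERATED_PROFILES.values())


def user_compare(master: dict[str, set[str]], assignments: list[RoleAssignment],
                 today: date) -> dict[str, dict[str, set[str]]]:
    """Bring each user master record in line with the role assignments valid today.

    Generated profiles are added for valid assignments and removed when no valid
    assignment justifies them; profiles entered manually in SU01 (e.g. SAP_ALL)
    are not touched, which is why those must be hunted down separately.
    Returns, per user, the profiles added and removed.
    """
    report: dict[str, dict[str, set[str]]] = {}
    users = set(master) | {a.user for a in assignments}
    for user in users:
        wanted: set[str] = set()
        for a in assignments:
            if a.user == user and a.valid_from <= today <= a.valid_to:
                wanted |= GENERATED_PROFILES.get(a.role, set())
        have = master.get(user, set())
        manual = have - ALL_GENERATED            # not from a role: left alone
        added = wanted - have
        removed = (have & ALL_GENERATED) - wanted
        master[user] = manual | wanted
        report[user] = {"added": added, "removed": removed}
    return report


def demo() -> dict[str, object]:
    """Firefighter role valid 1-7 March: compare during and after the window."""
    master = {"JDOE": {"SAP_ALL"}}  # SAP_ALL was entered manually in SU01
    assignments = [
        RoleAssignment("JDOE", "Z_FI_DISPLAY", date(2000, 1, 1), date(9999, 12, 31)),
        RoleAssignment("JDOE", "Z_BASIS_FIREFIGHTER", date(2024, 3, 1), date(2024, 3, 7)),
    ]
    during = user_compare(master, assignments, date(2024, 3, 5))["JDOE"]
    after = user_compare(master, assignments, date(2024, 3, 8))["JDOE"]
    return {"during": during, "after": after, "final": master["JDOE"]}


if __name__ == "__main__":
    print(demo())
```

Between 7 March and the compare run on 8 March the user still holds both firefighter profiles, which is the window a daily PFCG_TIME_DEPENDENCY job keeps short. SAP_ALL survives every compare because it did not come from a role; that is what a review of manually assigned profiles in SU01 or SUIM has to catch.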
Q: Can wildcards be used in authorizations?
A. Authorization values may contain the wildcard *; however, the system ignores everything after the wildcard. Therefore A*B is the same as A*, and a value of * on its own allows every value of the field.
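To make the wildcard rule concrete, here is an added example (not SAP code and not from the original document) that models an AUTHORITY-CHECK against a user's authorizations. It assumes the authorizations are held as object -> list of authorizations, each a field -> allowed-values mapping (the real user buffer and the USR12/UST12 tables are more involved); the object and field names S_USER_GRP/CLASS/ACTVT and S_TCODE/TCD are real, the values are constructed. Besides the A*B = A* rule it also shows the AND/OR semantics: all fields must match within one authorization, and any one authorization may satisfy the check.

```python
"""Model of an SAP AUTHORITY-CHECK with the wildcard rule described above.

Added example, not SAP code. It assumes a user's authorizations are held as
object -> list of authorizations, each a field -> allowed-values mapping.
Matching rules are the SAP ones: all fields of one authorization must match
(AND), any one authorization may satisfy the check (OR), and everything after
the first '*' in a value is ignored.
"""
from __future__ import annotations


def value_matches(pattern: str, actual: str) -> bool:
    """Match one maintained value against the value being checked.

    Characters after the first '*' are ignored, so 'A*B' behaves exactly
    like 'A*', and a bare '*' allows every value.
    """
    star = pattern.find("*")
    if star == -1:
        return pattern == actual
    return actual.startswith(pattern[:star])


def authorization_matches(auth: dict[str, list[str]], required: dict[str, str]) -> bool:
    """AND across fields: every required field needs a matching value in this one authorization."""
    return all(
        any(value_matches(p, value) for p in auth.get(fld, []))
        for fld, value in required.items()
    )


def authority_check(user_auths: dict[str, list[dict[str, list[str]]]],
                    obj: str, **required: str) -> bool:
    """OR across authorizations: passes if any authorization for obj satisfies all fields."""
    return any(authorization_matches(a, required) for a in user_auths.get(obj, []))


# Constructed sample: what a user might hold for user administration (S_USER_GRP)
# and transaction start (S_TCODE). Object and field names are the real SAP ones.
SAMPLE_USER: dict[str, list[dict[str, list[str]]]] = {
    "S_USER_GRP": [
        {"CLASS": ["FI*"], "ACTVT": ["03"]},             # display users in FI* groups
        {"CLASS": ["HR_ADMIN"], "ACTVT": ["01", "02"]},  # create/change users in one group
    ],
    "S_TCODE": [{"TCD": ["SU0*X"]}],  # the trailing X is ignored: identical to SU0*
}
```

The second S_USER_GRP authorization does not let the user change users in FI groups, even though ACTVT 02 appears in one authorization and CLASS FI* in another: fields are never mixed across authorizations. The S_TCODE value SU0*X is effectively SU0*, so it starts SU01 as well as SU02 and SU03, which is the kind of value a role review should flag.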
Q: What does PFCG_TIME_DEPENDENCY clean up?
A. The background report PFCG_TIME_DEPENDENCY only cleans up the profiles in the user master records (that is, it does not clean up the roles in the system). Alternatively, you may use transaction PFUD.
Q: What happens to change documents when they are transported to the production system?
A. Change documents cannot be displayed in transaction SUIM after the profiles are transported to the production system, because there is no "before input" method for the transport. Normally, when a profile is changed, the old values are first written to table USH10 and table USR10 is then filled with the current values; the difference between the two tables is calculated and the change document is derived from it. This does not work for a transport: USR10 is filled directly with the transported values and there is no option to fill USH10 in advance (for the history), because no "before input" method exists for the transport. Profile changes that arrive via transport therefore leave no change document in the target system and have to be traced through the transport requests themselves.
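As an added illustration of the mechanism in the answer above (example code, not SAP's, and not part of the original document), the following model keeps a current table and a history table, derives change documents from their difference for online changes, skips the history write for a transport import, and adds a reconciliation that replays the documented changes to find what arrived undocumented. The tables are reduced to profile -> set of authorization names, the authorization and profile names are constructed, and the reconciliation is this example's own idea, not an SAP report.

```python
"""Model of how profile change documents come out of USR10 versus USH10,
plus a reconciliation that finds changes which left no change document.

Added example, not SAP code. USR10 is reduced to profile -> set of
authorization names and USH10 to a list of old images; the real tables hold
more columns. 'undocumented_changes' is this example's own check, not an SAP
function.
"""
from __future__ import annotations
from datetime import datetime


class ProfileStore:
    def __init__(self) -> None:
        self.usr10: dict[str, set[str]] = {}                   # current content
        self.ush10: list[tuple[datetime, str, set[str]]] = []  # (when, profile, old image)
        self.change_docs: list[dict] = []

    def change_online(self, profile: str, new: set[str], when: datetime, by: str) -> dict | None:
        """Online change: the old image is written to USH10 first ('before input'),
        then USR10 is overwritten and the change document is the difference."""
        old = self.usr10.get(profile, set())
        self.ush10.append((when, profile, set(old)))
        self.usr10[profile] = set(new)
        doc = self._diff(profile, old, new, when, by)
        if doc:
            self.change_docs.append(doc)
        return doc

    def import_from_transport(self, profile: str, new: set[str]) -> None:
        """Transport import: USR10 is filled directly, USH10 is not, so no document."""
        self.usr10[profile] = set(new)

    @staticmethod
    def _diff(profile: str, old: set[str], new: set[str], when: datetime, by: str) -> dict | None:
        added, removed = new - old, old - new
        if not added and not removed:
            return None
        return {"profile": profile, "when": when, "by": by, "added": added, "removed": removed}

    def documents_for(self, profile: str) -> list[dict]:
        """What SUIM would list for this profile."""
        return [d for d in self.change_docs if d["profile"] == profile]

    def undocumented_changes(self, profile: str) -> dict[str, set[str]]:
        """Replay the documented changes from the oldest USH10 image and compare
        with USR10; any difference arrived without a change document."""
        history = [h for h in self.ush10 if h[1] == profile]
        image: set[str] = set(history[0][2]) if history else set()
        for d in self.documents_for(profile):
            image = (image | d["added"]) - d["removed"]
        current = self.usr10.get(profile, set())
        return {"added": current - image, "removed": image - current}


def demo() -> ProfileStore:
    """Two online changes (documented) followed by a transported change (not)."""
    s = ProfileStore()
    s.change_online("Z_FI_DISP", {"S_TCODE:FB03", "F_BKPF_BUK:03"},
                    datetime(2024, 3, 1, 9, 0), "ADMIN1")
    s.change_online("Z_FI_DISP", {"S_TCODE:FB03", "F_BKPF_BUK:03", "S_TCODE:FB01"},
                    datetime(2024, 3, 2, 9, 0), "ADMIN1")
    s.import_from_transport("Z_FI_DISP",
                            {"S_TCODE:FB03", "F_BKPF_BUK:03", "S_TCODE:FB01", "S_USER_GRP:02"})
    return s


if __name__ == "__main__":
    store = demo()
    print(store.documents_for("Z_FI_DISP"))
    print(store.undocumented_changes("Z_FI_DISP"))
```

The transported addition of S_USER_GRP:02 is exactly what SUIM would not show; the replay exposes it. In a real landscape the equivalent is comparing the imported profile against the exporting system's change documents or the transport request contents, since the target system has no history row to diff against.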
Q: What is the difference between the table buffer and the user buffer?
A. The table buffers are in shared memory; buffering tables increases performance when accessing the data records they contain. Table buffers and their entries are not kept across a system restart. The user buffer is the buffer into which the data of a user master record (its authorizations) is loaded when the user logs on. The behaviour of the user buffer is controlled by the profile parameter auth/new_buffering.
Q: What does the Profile Generator do?
A. The Profile Generator creates roles and generates their profiles. It is important that only roles, and not generated profiles, are entered manually for a user in transaction SU01; the system enters the profiles for the user automatically through the user compare.
Q: How many authorizations fit into a profile?
A. A maximum of 150 authorizations fit into a profile. If the number of authorizations in a role exceeds this limit, the Profile Generator automatically creates additional profiles for the role. A profile name consists of twelve (12) characters; the first ten (10) may be changed when the profile is generated for the first time.
Q: What authorization objects are needed for PFCG?
