
Introduction to SAP Security

Ramesh Gurram
2014.02.14
CGI Group Inc. CONFIDENTIAL

Introduction
Why is Security Important?


Security Architecture
User Master Record
Creation of user
Types of users
Mass user creation
Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security

SAP Security Components:

Why is Security Important?


Security is the doorway to the SAP system.
Security is a way of protecting information from unauthorized use.
Security can unlock the flexibility of the system and customize it for each user.
Information stored in SAP is one of your company's most valuable business assets.

What is SAP Security?


SAP application security controls who can do what in SAP.

Examples:
Who can approve purchase requisitions over $10,000 (ME54N)?
Who can view other employees' social security numbers in the system (PA20)?
Who can update vendor bank information (XK02)?
Who can create or modify users (SU01)?

Security Architecture:
Authorization Objects: Intro
User Master Record
Roles: Single, Derived, Composite
Task-based vs. Job-based Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security

User Master Records:

User Master Record information includes:
Name, Password, Address, Company information
User Group (used for security administration or searching capabilities)
Reference to Roles and Profiles (access capabilities are not stored directly in user master records)
User type:
Dialog: typical for most users
System: cannot be used for dialog login; can communicate between systems and start background jobs
Communications Data: cannot be used for dialog login; can communicate between systems but cannot start background jobs
Reference: cannot log in; used to assign additional Authorizations to Users
Service: can log in but is excluded from password rules, etc. Used for Support users and Internet services
Validity dates (from/to)
User defaults (logon language, default printer, date/decimal formats)

Authorization Objects:

Authorization Objects are the keys to SAP Security.
When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations.
An Authorization Object groups 1 to 10 authorization fields together. These fields are then checked together, so all of them must match.
Authorization field: the smallest unit against which a check is run (e.g. ACTVT, BUKRS).
Authorization fields are created in transaction SU20.
Activity:
The type of action that is going to take place on a field.
All possible activities (ACTVT) are stored in table TACT (transaction SM30).
The valid activities for each authorization object can be found in table TACTZ (transaction SE16).


Authorization Concept:


Roles:

Roles are built on top of Profiles and include additional components such as:
User menus
Personalization
Workflow
In modern SAP systems, users are typically assigned the appropriate Roles by the security team.
The system will automatically add the appropriate Profile(s) for each Role assigned.
Note: Authorization Objects only exist in Profiles (either on their own or when nested in Roles).


There are 3 types of Roles:

Single: an independent Role.
Derived: has a parent and differs only in Organization Levels. Maintain Transactions, Menu, and Authorizations only at the parent level.
Composite: a container that contains one or more Single or Derived Roles.


Profiles:

Authorization Objects are stored in Profiles.
Profiles are the original SAP Authorization infrastructure.
Ultimately a user's Authorizations come from the Profile(s) they have assigned.
Profiles are different from Roles.


User Buffer:

When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer.
As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer.
You can see the buffer in Transaction SU56.


Authorization Checks when Executing a Transaction:

1) Does the Transaction exist?
All Transactions have an entry in table TSTC.

2) Is the Transaction locked?
Transactions are locked using Transaction SM01. Once locked, they cannot be used in any client.

3) Can the User start the Transaction?
Every Transaction requires that the user have the Object S_TCODE = Transaction Name.
Some Transactions also require another Authorization Object to start (varies depending on the Transaction).

4) What can the User do in the Transaction?
The system will check to see if the user has additional Authorization Objects as necessary.
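The following is an added example, not part of the slides, that models the four start checks above together with the field-level matching rule from the Authorization Objects slide (all fields of one authorization must match; separate authorizations for the same object are alternatives). The transaction list, the lock, the user's buffer and the choice of F_LFA1_BUK (assumed to carry the fields ACTVT and BUKRS) as the extra object XK02 needs at start are all constructed for illustration.

```python
from fnmatch import fnmatchcase
# Constructed sample data (not from the slides). Besides S_TCODE, the vendor
# object F_LFA1_BUK (fields ACTVT, BUKRS) is assumed to be the extra object
# XK02 needs at start; which extra object a real transaction checks varies.
TSTC = {"ME54N", "PA20", "XK02", "SU01"}   # step 1: transactions that exist
LOCKED = {"SU01"}                           # step 2: locked via SM01 (constructed)
START_OBJECTS = {"XK02": ("F_LFA1_BUK", {"ACTVT": "02", "BUKRS": "1000"})}

# The constructed user's buffer (SU56 view): one entry per authorization.
USER_BUFFER = [
    ("S_TCODE", {"TCD": "ME54N"}),
    ("S_TCODE", {"TCD": "XK*"}),
    ("F_LFA1_BUK", {"ACTVT": "03", "BUKRS": "*"}),
    ("F_LFA1_BUK", {"ACTVT": "02", "BUKRS": "2000"}),
]
_last_failed = None  # the failed check SU53 would display

def field_matches(allowed, value):
    """'*' grants every value; a trailing '*' (e.g. 'XK*') grants a prefix."""
    return allowed == "*" or fnmatchcase(value, allowed)

def authority_check(buffer, obj, wanted):
    """True if ONE authorization for obj satisfies ALL requested field values:
    fields are ANDed within an authorization, authorizations for the same
    object are ORed, so (03, *) plus (02, 2000) does not grant (02, 1000)."""
    global _last_failed
    for name, fields in buffer:
        if name == obj and all(field_matches(fields.get(f, ""), v)
                               for f, v in wanted.items()):
            return True
    _last_failed = (obj, dict(wanted))
    return False

def last_failed_check():
    """What SU53 shows: the most recent failed check, or None."""
    return _last_failed

def start_transaction(tcode, buffer=USER_BUFFER):
    """Run the four start checks in order; report the first one that blocks."""
    if tcode not in TSTC:
        return "no such transaction (TSTC)"
    if tcode in LOCKED:
        return "locked (SM01)"
    if not authority_check(buffer, "S_TCODE", {"TCD": tcode}):
        return "missing S_TCODE"
    extra = START_OBJECTS.get(tcode)
    if extra and not authority_check(buffer, *extra):
        return "missing " + extra[0]
    return "ok"
```

Calling start_transaction("XK02") on this buffer fails at step 3's follow-up object even though the user holds ACTVT 02 and BUKRS 1000 in separate authorizations, which is exactly the situation SU53 is used to diagnose.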


User Information System:

Transaction SUIM
Great place to get information about Users/Roles.


SU53:
Last Authorization check that failed.
May or may not be the Authorization that the User actually needs. Look
at context clues to determine if it is appropriate.
User may need more Authorization Objects after this one is added.


Authorization Trace:
Transaction ST01
Records all Authorization Checks performed while a User is in the
system.
Does not include Structural Authorizations in HR Security.


Security Audit Log:

Records information about what Users are doing:
Logon/logoff
Transactions/reports started or attempted to start
Password changes
Workstation name of User
Is not on by default.
Transactions SM19/SM20.
Does not record what data was changed by the User.


Authority Check:


Thank You
Any Questions???
