
SAP TECHNICAL AUDIT TRAINING

SECURITY & AUTHORIZATIONS CONCEPT

LEAD FACILITATOR:
JOSEPH UGWULALI M.SC, MBA, FCA, CFA, ACTI,
SAP CERTIFIED SECURITY & GRC CONSULTANT

INFOTECH RISKS SECURITY LTD.


www.irslconsulting.com
COURSE OBJECTIVES
At the end of the course and exercises, the participants will be
able to:
Log on to the system with a user name and password and
navigate easily around the SAP ERP system;
Perform basic user administration tasks such as create users, lock
users, unlock users and change user passwords etc;
Create new roles in the system and generate the roles into
profiles;
Use transaction SUIM to perform basic user audit and check-out
various user attributes in the system through Users by complex
criteria functionality;
Examine user roles, authorizations and profiles to ensure they are
not carrying excess authorizations;
Master techniques for deactivating default users in the SAP
system

INFOTECH RISKS SECURITY LIMITED (www.irslconsulting.com) 2


COURSE OBJECTIVES Contd.
Display user master record and examine its content for appropriateness;
View system parameters and compare them with default parameters,
view restricted passwords etc;
Understand and use RSUSRxxx to generate various audit and security
Reports from the system;
Set up and read system and security audit logs;
Distinguish between tables USOBT and USOBX and their customer
versions USOBT_C and USOBX_C respectively;
Determining Default Access Requirements Using Table USOBT;
Use Transaction SU24 to resolve missing authorizations;
Use Transaction ST01 to trace and resolve missing authorization issues;
Configure and set up the Audit Information System (AIS);
Assign suitable roles to auditors through AIS;
Generate system audit reports using AIS;



INTRODUCTION
Brief History of SAP and Navigating
within the SAP System



Who is SAP?
SAP AG
Founded in Walldorf, Germany in 1972 by 5 IBM employees
World's Largest Business Software Company
World's Third-largest Independent Software Provider
Company Statistics
Over 55,000 employees in more than 75 countries
183,000+ customers in more than 130 countries.
In Nigeria, we have the likes of Shell, Mobil, MRS, Nigerian
Breweries, Cadbury, FrieslandCampina WAMCO, Unilever,
Dangote Group, Procter & Gamble, Coca-Cola, NNPC,
NLNG, FIRS, just to mention a few.
200,000+ installations all over the world
2,500+ Business Partners
www.irslconsulting.com +234 1 453 1559 Page 1-5
SAP
Systeme, Anwendungen und Produkte in der Datenverarbeitung
(English: Systems, Applications, and Products in Data Processing)
Global Outfit with many companies
SAP AG
SAP America
SAP UK etc.
SAP Business Suite
SAP Enterprise Resource Planning (SAP ERP)
SAP Supplier Relationship Management (SAP SRM)
SAP Customer Relationship Management (SAP CRM)
SAP Supply Chain Management (SAP SCM)
SAP Product Lifecycle Management (SAP PLM) etc.
SAP Business ByDesign
SAP NetWeaver



SAP Enterprise Resource Planning (SAP ERP)

Enables a company to support and optimize its business processes
Ties together disparate business functions (integrated business solution) such as:
Finance (Financial Accounting, Managerial Accounting, Treasury, ...)
Logistics (Sales, Procurement, Production, Fulfillment, ...)
Human Resources etc.
Helps the organization run smoothly
Real-time environment
Scalable and flexible



SAP Architecture
Client/Server Environment
Client: hardware/software environment that can make a request for services from a central repository of resources
Server: hardware/software combination that can provide services to a group of clients in a controlled environment

Three Tier Structure (Architecture)
GUI: Graphical User Interface or Web Interface
Application Server: one or more, to help distribute the workload
Database Server: one single data repository
SAP Business Suite
Diagram: SAP ERP at the centre, surrounded by SAP PLM, SAP SRM, SAP CRM and SAP SCM, all running on SAP NetWeaver.


History
Diagram: SAP R/3 (client/server) with its modules SD, FI, MM, CO, PP, AM, QM, PS, PM, WF, HR and IS on top of ABAP and Basis, evolving into the SAP Business Suite (SAP ERP with SAP PLM, SAP SRM, SAP CRM and SAP SCM) on SAP NetWeaver.


SAP Software Applications
For small & medium enterprises: SAP All-in-One, SAP Business ByDesign, SAP Business One
For large enterprises: SAP ERP, SAP CRM, SAP PLM, SAP SCM, SAP SRM
Platforms: SAP NetWeaver, SAP Enterprise Services Architecture
SAP Business Objects


SECTION 1
INTRODUCTION TO
SECURITY
Enterprise Security Components



SAP ENVIRONMENT COMPONENTS



INFORMATION SECURITY OBJECTIVES

General Computer Controls - Information Security
Logical security tools and techniques are
implemented and configured to restrict access
to programs, data, and other information
resources.
Logical security tools and techniques are
administered to restrict access to programs,
data, and other information resources.
Physical access restrictions are implemented
and administered to ensure that only
authorized individuals have the ability to
access or use information resources.
INFORMATION SECURITY OBJECTIVES
The entity's programs, data, and other
information resources are protected from
viruses.
Software is only loaded on the entity's
computer systems and/or used in
accordance with licensing agreements and
management's authorization.
Information resources are protected
against environmental hazards and related
damage.



Information Security Topics

Typically we cover the following topics when addressing information security:
Security policies, procedures, and standards
Application and data ownership
Access approval
Security administration
Information security infrastructure
Access control facilities
Logical access controls
Security logging and monitoring
Physical access
Environmental controls



INFORMATION SECURITY TOPICS

Your Turn! Describe an example control for each of these security topics:
Security policies, procedures, and standards
Application and data ownership
Access approval
Security administration
Information security infrastructure
Access control facilities
Logical access controls
Security logging and monitoring
Physical access
Environmental controls
SAP R/3 Security Services



SAP R/3 SECURITY
SERVICES
SAP provides the following services to address
our information security controls
requirements:
User Authentication
R/3 Password Rules
Single Sign-On and Smart Card
Authentication
Retributing Unauthorized Logon Attempts
Authorization Concept
Authority Checks
Profile Generator
Authorization Infosystem
SAP R/3 SECURITY SERVICES CONTINUED

Network Communications
SAP router
Secure Network Communications (SNC)
Secure Store & Forward (SSF) Mechanisms
and Digital Signatures
Auditing and Logging
Audit Information System
Security Audit Log
Management of Internal Controls (MIC)
Application
R/3 Internet Applications Security
SECURITY PARAMETERS
Security parameters are found in the SAP R/3 profiles,
together with many other parameters.
They control numerous high level aspects of security
including the following:
Login limits
Default clients and start menu
Password length and expiry interval
User buffer size
Authorization tracing
Profile generator
Securing SAP*
Authorization checks
S_TCODE checks
S_RFC checks



SECURITY REENGINEERING
In an SAP R/3 environment, the way
security is implemented, administered, and
audited changes significantly in all of the
following areas:
Security design
Security implementation
Security administration
Approach to security
Security mechanics
Security tools
Security auditing
Quick Quiz

1. What are the security components that make up a SAP environment?
2. Where are security parameters stored in SAP?
3. Name some of the aspects of security that are controlled by security parameters.



Section 2
SECURITY -
AUTHORIZATION CONCEPT
AUTHORIZATION CONCEPT

Describe your past experiences in assessing SAP security.
Have you experienced problems with false positives? False negatives? Other problems?



SECURITY AUTHORIZATION CONCEPTS
R/3 Authorization Concept allows you to
protect transactions and programs from
unauthorized use.
Access to the system is restricted through
authorization objects.
Access must be explicitly granted through the
use of authorizations.
Users are assigned authorization profiles (or
roles) which determine the specific access a
user is granted.
Only users with active User Master Records
can log on to the system.
Security Authorization Concept



Authorization Object - Naming
Convention
In general, SAP has established a
naming convention for Authorization
Objects as follows:
Sample Object: F_BKPF_BUK (Acctg Doc
Comp Code Auth)
1st Character = Indicates the SAP
application/module which the object is
associated with. Examples are:

K= Controlling
L= MM: Warehouse Management
A= Asset Management, Investment
Management
C= Production Planning, Project
System, Class System, Document
Management
E= Enterprise Controlling
F= Financial Accounting, Treasury
I= Plant Maintenance
M= Materials Management, Logistics
Information System,
P= Human Resources
Q= Quality Management
S= Basis
V= Sales & Distribution, Conditions
W= Retail
Z/Y= Custom Authorization Object



Authorization Object
Naming Convention
2nd Character = _ (Underscore)
3rd -6th Characters = Abbreviation for
function or relational table being
accessed.
Examples:
F_BKPF... = Accounting Documents
S_BTCH... = Batch functions



Authorization Object
Naming Convention
S_SPO... = Spool functions
K_CSKS... = Cost Centers
F_BNKA... = Bank Accounts
F_KNA1= Customer Accounts
F_LFA1= Vendor Accounts
F_SKA1= General Ledger Accounts
M_BEST= Purchase Orders



Authorization Object
Naming Convention
M_BANF= Purchase Requisitions
M_MATE= Material Master Accounts
V_VBAK= Sales Documents
V_VBRK= Billing Documents
7th Character = _ (Underscore)
8th -10th Characters = Restricting field
or hierarchy element in the table/record



Authorization Object
Naming Convention
Examples:
F_BKPF_GSB =Business Area for Accounting
Documents
S_BTCH_NAM =Session Names for Batch
functions
S_SPO_DEV =Devices for Spools
K_CSKS_SET=Cost Center Groups
F_BNKA_BUK =Company Code for Bank Accounts
F_KNA1_BED=Customer Account Type/Group for
Customers



Authorization Object Naming
Convention
F_LFA1_BUK = Company Code for Vendor Accounts
F_SKA1_KTP = Chart of Accounts for G/L Accounts
M_BEST_EKO = Purchasing Organization for Purch.
Orders
M_BANF_WRK = Plant for Purchase Requisitions
M_MATE_STA = View/Screens for Material Master
Accounts
V_VBAK_AAT=Document Type for Sales
Documents
V_VBRK_VKO=Sales Organization for Billing
Document
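As an added example (not part of the course material or of any SAP tool), the Python below applies the naming convention just described: it splits an object name into application prefix, function abbreviation and restricting field, flags Z/Y custom objects, and reports names that do not fit the convention (including prefixes absent from the table above) for manual review. The prefix and abbreviation tables are copied from the slides; the object names in the demo are constructed.

```python
# Added example (not part of the course material): decode an authorization
# object name with the naming convention described above.
# MODULE_BY_PREFIX and FUNCTION_BY_ABBREV are copied from the deck; the object
# names used for illustration are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# 1st character: SAP application / module the object belongs to.
MODULE_BY_PREFIX: Dict[str, str] = {
    "A": "Asset Management, Investment Management",
    "C": "Production Planning, Project System, Class System, Document Management",
    "E": "Enterprise Controlling",
    "F": "Financial Accounting, Treasury",
    "I": "Plant Maintenance",
    "K": "Controlling",
    "L": "MM: Warehouse Management",
    "M": "Materials Management, Logistics Information System",
    "P": "Human Resources",
    "Q": "Quality Management",
    "S": "Basis",
    "V": "Sales & Distribution, Conditions",
    "W": "Retail",
    "Y": "Custom Authorization Object",
    "Z": "Custom Authorization Object",
}

# Characters 3-6: function or table abbreviation (only those named in the deck).
FUNCTION_BY_ABBREV: Dict[str, str] = {
    "BKPF": "Accounting Documents", "BTCH": "Batch functions",
    "SPO": "Spool functions", "CSKS": "Cost Centers", "BNKA": "Bank Accounts",
    "KNA1": "Customer Accounts", "LFA1": "Vendor Accounts",
    "SKA1": "General Ledger Accounts", "BEST": "Purchase Orders",
    "BANF": "Purchase Requisitions", "MATE": "Material Master Accounts",
    "VBAK": "Sales Documents", "VBRK": "Billing Documents",
}


@dataclass(frozen=True)
class AuthObjectName:
    name: str
    module: str
    function_abbrev: str               # characters 3-6 (shorter for e.g. S_SPO_DEV)
    function: Optional[str]            # description if the abbreviation is a known one
    restricting_field: Optional[str]   # characters 8-10; None when the name has no field part
    is_custom: bool                    # Z/Y prefix = customer-developed object


def parse_auth_object(name: str) -> AuthObjectName:
    """Split NAME into <application>_<function>[_<field>] as the convention prescribes.

    Raises ValueError for names that do not fit, so an audit script can list them
    for manual review instead of silently mis-classifying them.
    """
    name = name.strip().upper()
    if not name or len(name) > 10:
        raise ValueError(f"{name!r}: object names are at most 10 characters")
    parts = name.split("_")
    if len(parts) not in (2, 3) or any(not part for part in parts):
        raise ValueError(f"{name!r} does not follow PREFIX_FUNCTION[_FIELD]")
    prefix, abbrev = parts[0], parts[1]
    if len(prefix) != 1 or prefix not in MODULE_BY_PREFIX:
        raise ValueError(f"{name!r}: unknown application prefix {prefix!r}")
    field = parts[2] if len(parts) == 3 else None
    return AuthObjectName(
        name=name,
        module=MODULE_BY_PREFIX[prefix],
        function_abbrev=abbrev,
        function=FUNCTION_BY_ABBREV.get(abbrev),
        restricting_field=field,
        is_custom=prefix in ("Y", "Z"),
    )


def describe(name: str) -> str:
    """One-line reading of an object name, e.g. for an audit work paper."""
    obj = parse_auth_object(name)
    what = obj.function or f"function {obj.function_abbrev}"
    where = f", restricted by field {obj.restricting_field}" if obj.restricting_field else ""
    tag = " [custom object: review its authority checks]" if obj.is_custom else ""
    return f"{obj.name}: {what} ({obj.module}){where}{tag}"


def classify(names: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket object names (e.g. exported from SUIM) into standard, custom and
    non-conforming, so the latter two can be reviewed by hand."""
    buckets: Dict[str, List[str]] = {"standard": [], "custom": [], "non_conforming": []}
    for raw in names:
        try:
            obj = parse_auth_object(raw)
        except ValueError:
            buckets["non_conforming"].append(raw.strip().upper())
            continue
        buckets["custom" if obj.is_custom else "standard"].append(obj.name)
    return buckets


if __name__ == "__main__":
    for n in ["F_BKPF_BUK", "S_SPO_DEV", "Z_CUST_BUK", "S_TCODE"]:   # constructed list
        print(describe(n))
```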



Screenshot slides (titles only):
Authorization Object Classes
Sample Authorization Objects
Authorizations
Sample Authorizations
Sample Custom Authorization
Profiles (or Roles)
List of Profiles
Sample Simple Profile
Composite Profiles (or Roles)
Sample Composite Profile
User Master Records
Sample User Master Records List
Sample User Master Record
Security Configuration
Company A Example
Security Mechanics
S_TCODE Object
Check Objects
Authority Checks in Programs


Required vs. Optional
Authorization Objects

For each transaction or function, SAP has defined required authorization objects.
In order for a user to access these
transactions, a user must be assigned the
relevant authorizations for these objects.
SAP has also defined optional
authorization objects to allow for
implementation of additional security
restrictions.



Required vs. Optional
Authorization Objects
Example:
A transaction to post an accounting
document might require company code
authorization (F_BKPF_BUK).
An optional authorization to restrict the
posting of the document to a specific
Business Area within the Company Code
(F_BKPF_GSB) may also be implemented.



Authorization Checking and User Buffer

User Buffer
When a user logs in, all assigned
authorizations are loaded from the user
master record into the user buffer.
The user buffer is checked every time a
user attempts to execute a transaction or
run a program.
The user buffer does not contain the values of
authorizations; these are verified against
the actual authorizations in table USR12
during the check.
Authorization Checking and
User Buffer
Authorizations are loaded into the user
buffer alphabetically.
The user buffer is created and loaded each
time a user logs on to SAP.
The user buffer is checked for both online
and background processing.
Auditors can use transaction SU56 to
check the buffer.



Quick Quiz
1. What is the difference between an authorization object and an authorization?
2. What is the maximum number of fields an authorization object can have?
3. What is the maximum number of authorizations that a profile can contain?
4. What is the most common field for authorization objects?
5. What is the implication of assigning the value * to a field?
6. What is an appropriate naming convention for profiles and authorizations? Why is this important?
Quick Quiz

7. What are the 3 levels of authorization checks performed when a transaction is executed?
8. Explain the use of an authorization check.
9. Is the authorization check of an object carried out with AND or OR logic for authorizations assigned to a user?
10. Explain the difference between a required and an optional authorization object.
11. What transaction is used to view the user buffer?


Computer Exercises

1. Displaying an Authorization (SUIM)
2. Displaying a Profile (SUIM)
3. Displaying User Master Records and Profiles


Section 3
SECURITY
ADMINISTRATION
Security Policies and Procedures

It is critical to have Policies and Procedures in an SAP environment because security is so complex.
Policies should address all important
aspects of security, but should
specifically include:
Security organization and administration
System, client, and data ownership
Naming conventions



Security Policies and
Procedures
User access request and approval procedures
Password and parameter administration
Transports and change control management
Program security
Table security
Transaction security
Job scheduling and batch input security
Output or spool security
Security monitoring procedures
Operating system and database security
Security Administration Tasks
Some important SAP Security
Administration tasks include:
Create or change SAP user master records
Create and maintain the SAP profiles and
authorizations
Keep track of all SAP user master records
and access modifications
Reset passwords and lock and unlock users
Perform acceptance testing of new profiles
and authorizations
Administer system security parameters
Security Administration Tasks
Research and create an SAP access strategy as well as Users, Roles, Profiles, and Authorizations for future phases of project development
Create and update documentation concerning security
Create and maintain policies and procedures for corporate-wide security
Perform security monitoring and analysis according to security policies and procedures
Analyze the effects of system upgrades on the access security strategy, and implement changes
Administer OSS
Segregating Security
Administration Tasks
Security administration can be centralized,
decentralized, or a combination of the two.
Security administration can be divided by:
A particular user group
Security administration tasks
Why should maintenance be divided?
Improve security by preventing the misuse of
authorizations and user accounts.
Avoid having a single user perform both
authorization update and activation (i.e.,
ensure appropriate segregation of duties).
Security Administration Organization



Security Authorization Objects
User Maintenance
Transaction SU01
Significant Authorization Object S_USER_GRP
Profile Maintenance
Transaction SU02, SU01
Significant Authorization Object S_USER_PRO
Authorization Maintenance
Transaction SU03, SU02
Significant Authorization Object S_USER_AUT
Profile Generator
Transaction PFCG
Significant Authorization Object S_USER_AGR
Security Authorization Objects
S_USER_GRP
Primary authorization object checked when performing user
maintenance.
Has 2 fields
User Group-Used to specify on which groups of users a
person can perform user maintenance.
Activity-Used to specify what user maintenance activities a
person can perform. Some common values include:
01: Create
02: Change
03: Display
05: Lock, unlock
06: Delete
08: Display change documents


Security Authorization Objects
S_USER_PRO
Primary authorization object checked when
performing profile maintenance or assignment.
Has 2 fields
Authorization Profile - Used to specify which
authorization profiles a person can maintain or assign
Activity - Used to specify what profile maintenance
activities a person can perform. Some common values
include:
01: Create
02: Change
03: Display
06: Delete
07: Activate
08: Display change documents
22: Assign profile to users and remove assignment
Security Authorization Objects
S_USER_AUT
Primary authorization object checked when
performing authorization maintenance or assignment.
Has 3 fields
Authorization Object - Used to specify which
authorization objects a person can maintain or assign.
Authorization Name - Used to restrict the names a
person can give an authorization object.
Activity - Used to specify what authorization activities a
person can perform. Some common values include:
01: Create
02: Change
03: Display
06: Delete
07: Activate
08: Display change documents
22: Assign authorization profiles
Security Authorization Objects
S_USER_AGR
Primary authorization object checked when
maintaining activity groups using profile
generator.
Has 3 fields
Activity Group - Used to specify on which activity
groups a person can perform maintenance.
Activity - Used to specify what maintenance
activities a person can perform. Some common
values include:
01: Create
02: Change
03: Display
06: Delete
21: Transport activity group
Security Authorization Objects

22: Compare activity group user master records. The profiles generated in the Profile Generator are transferred into the user master record for the relevant activity group users.
36: Process additional objects that are assigned to users. Activity groups contain additional settings that are assigned to users.
TCODE - determines which administration transactions may be assigned to a user.
Ownership and Access Authorization

Owners should be identified for all SAP systems and clients.
Data ownership should also be established.
System and client owners should be
responsible for:
Approving all significant changes to their
systems
Authorizing overall access to a system
Data owners should be responsible for:
Control over all data in the system and clients
Authorizing specific access to data within the
production client(s)
Security Design

The Security Design process usually involves the following steps:
Definition of activities and job roles: for each application area in the company, activities and job roles should be defined and approved.
Creation of roles and authorization profiles: roles and authorization profiles are created based on the activities and job roles that have been defined.
Authorization profiles are generated or activated: the Profile Generator generates profiles based on roles.
User master records are assigned profiles: once approved by data owners, users are assigned the authorization profiles that match the activities or job roles they perform.
System Parameters

SAP has a number of global system parameters which determine how the system will function:
Viewing System Parameters:
RSPARAM displays the system profile parameters in effect for the application server you are logged onto
Use transaction SE38 or SA38 to produce the report
Globally effective when defined in DEFAULT.PFL, the system default profile
Instance-specific when defined in the profile of each application server in the SAP System
System Security Parameters
Automatic Terminal Inactivity Logout
rdisp/gui_auto_logout
Number of seconds of inactivity before automatically disconnecting inactive users from the system (0 = no logout). Recommendation: 1800 seconds (30 minutes)
Unsuccessful Logon Attempts
login/fails_to_session_end
Number of unsuccessful attempts at logon that are allowed before the user's session is terminated
Default: 3, Range: 1 to 99, Recommendation: 3
System Security Parameters
Failed Logon Attempts with Lock Out
login/fails_to_user_lock
Number of times a user can enter an incorrect
password before the system locks the user
against further logon attempts
Default: 12, Range:1 to 99, Recommendation:3
Minimum Password Length
login/min_password_lng
Minimum number of characters that must be
used for a
password
Default: 3, Range:3 to 8, Recommendation:6
System Security Parameters
Password Change Frequency
login/password_expiration_time
Number of days after which a password must be
changed
Default: 0, Recommendation: 30 -60 days

External Security
login/ext_security
Specifies whether an external security tool (e.g.
Kerberos) is used
If set, an additional identification can be set for
each user
To activate, set value to X
System Security Parameters
SAP* Status login/no_automatic_user_sapstar
If this parameter is set to a value greater than
zero, then SAP* has no special default properties
Default value is 0
User Authorizations
auth/auth_number_in_userbuffer
The number of authorizations that the
users buffer can hold at any one time
Profile Generator
auth/no_check_in_some_cases
The switch for the Profile Generator
Default is N, it must be set to Y to work



Additional Parameters
Additional parameters have recently been made available for:
Enforcing more complex passwords (required digits, etc.)
Restricting multiple, concurrent GUI
sessions



SAP Default Password Controls
First-time dialog users must change their initial
password when logging on for the first time.
The default minimum password is 3 characters.
Passwords cannot be SAP* or PASS.
Passwords cannot contain any three character
string contained in the user ID.
The first character cannot be an ! or a ?.
The first 3 characters cannot include space
characters.
One cannot reuse the last five passwords used.
Passwords cannot begin with three identical
characters.
Administrators can forbid certain passwords by
entering them in table USR40.
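As an added example (not part of the course material), the Python below checks a candidate password against the default rules listed above. It assumes USR40 entries are simple patterns in which "*" and "?" are wildcards, and that comparisons are case-insensitive; the user ID, password history and forbidden patterns in the demo are constructed.

```python
# Added example (not part of the course material): evaluate a candidate password
# against the SAP default password rules listed above. Assumptions: USR40 entries
# are simple '*' / '?' wildcard patterns, and all comparisons are case-insensitive.
from fnmatch import fnmatchcase
from typing import Iterable, List


def password_violations(password: str, user_id: str, previous: Iterable[str] = (),
                        forbidden: Iterable[str] = (), min_length: int = 3) -> List[str]:
    """Return the rules PASSWORD breaks for USER_ID; an empty list means it is acceptable.

    previous  - earlier passwords, oldest first (only the last five count)
    forbidden - USR40-style patterns (assumed: '*' and '?' wildcards)
    min_length - login/min_password_lng, whose default is 3
    """
    pw = password.upper()
    uid = user_id.upper()
    problems: List[str] = []

    if len(password) < min_length:
        problems.append(f"shorter than login/min_password_lng ({min_length})")
    if pw in ("SAP*", "PASS"):
        problems.append("reserved word SAP* or PASS")
    # Any three consecutive characters of the user ID may not appear in the password.
    trigrams = {uid[i:i + 3] for i in range(len(uid) - 2)}
    if any(t in pw for t in trigrams):
        problems.append("contains three consecutive characters of the user ID")
    if pw[:1] in ("!", "?"):
        problems.append("first character is ! or ?")
    if " " in password[:3]:
        problems.append("space within the first three characters")
    if len(pw) >= 3 and pw[0] == pw[1] == pw[2]:
        problems.append("begins with three identical characters")
    if pw in {p.upper() for p in list(previous)[-5:]}:
        problems.append("reuses one of the last five passwords")
    if any(fnmatchcase(pw, pat.upper()) for pat in forbidden):
        problems.append("matches a forbidden pattern in USR40")
    return problems


# Constructed demo data: a user ID, a password history and USR40-style entries.
DEMO_USER = "JSMITH"
DEMO_HISTORY = ["Summer1", "Autumn2", "Winter9"]
DEMO_USR40 = ["PASSWORD*", "WELCOME*", "*123"]

if __name__ == "__main__":
    for candidate in ["PASS", "!!!x", "smith2024", "Winter9", "Welcome1", "Xq7!kz"]:
        verdict = password_violations(candidate, DEMO_USER, DEMO_HISTORY, DEMO_USR40)
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```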
Quick Quiz
1. Why should security administration responsibilities be divided? Give a recommendation as to how this should be done.
2. Name the more important security transactions and authorization objects.
3. What is the default minimum password length in SAP R/3?
4. How many generations of passwords does SAP remember, and prevent you from reusing?
5. What is the name of the table that can be used to forbid the use of certain passwords?


Computer Exercises

1. View System Parameters

2. Review Restricted Passwords



Default Clients



Default Users
SAP*
The R/3 system super user
DDIC
User responsible for database management
SAPCPIC
The CPI-C account through which the R/3 system
communicates with external systems
EarlyWatch
Interactive user for the EarlyWatch service in
client 066
All default users (except EarlyWatch) are
created in all default clients with standard
passwords
Securing SAP*
Must be secured.
Present in all clients.
Default password is 06071992.
If deleted, SAP* automatically
regenerates itself with the default
password PASS, unless the
corresponding parameter has been
disabled



Securing SAP*
SAP* user master record should not be
deleted!
System Parameter available
Set login/no_automatic_user_sapstar to a
value greater than zero
Securing SAP* - some options
Change password
Copy all profiles to another super user ID
Remove all profiles from SAP*
Manually lock the user ID
Set the valid from and to dates to a past date



Securing DDIC
Present in all clients
Default password is 19920706
Special privileges for software logistics and
ABAP dictionary
May be required for certain installation and
setup tasks
Secure DDIC
Change passwords in all clients including 000 and
001
Do not delete the DDIC user master record
Default Accounts
SAPCPIC
Default password is ADMIN
Is a CPIC user and cannot be used to logon
as a dialog user
EarlyWatch
Default password is SUPPORT
Only in client 066
Can check default passwords in all
clients via the use of program
RSUSR003
Default Authorizations and
profiles
SAP is shipped with a large number of
predefined authorizations and
profiles.
Default authorizations may have more
access than is necessary for job functions.
May have * values in authorizations where
more granularity is needed for adequate
security.
Default profiles may have more access
than is necessary for job functions.



Default Authorizations and Profiles



Default Authorizations and Profiles
SAP_NEW profile
Grants all authorizations required when a system
is upgraded and new authorization objects are
introduced.
Usually granted to all users immediately after an
upgrade to allow them to continue using the
system.
Security administrator should assign relevant new
authorizations to users and subsequently REMOVE
the SAP_NEW profile from all users.
SAP_NEW profile should also be CLEANED UP after
each upgrade, so that during future upgrades, only
the latest authorizations are assigned to users
through SAP_NEW.
SAP_NEW profile



User Master Records
All users have a unique user master
record:
Contain the following:
User information (address & logon data)
User defaults
User access rights (authorization profiles)
User parameters
Client-specific
Can be created from scratch or copied
from another user record



User Types
All users are assigned to a specific user
type.
The user type determines how the user
interacts with the system.
It is critical in analyzing security
reports.
There are five main types.
The user type can be noted in the user
master record or USR02 table.
User Types
Dialog 'A'
A normal dialog user is used by exactly one person
for all logon types.
Dialog logons are checked for obsolete or initial
passwords that must be changed.
Multiple dialog logons are checked and logged.
System 'B'
Is used for dialog-free communication within one
system (for RFC or CPIC service users) or for
background processing in one system.
Dialog logon is not possible.
A user of this type is excluded from the standard
settings for password validity period. The password
can only be changed by user administrators.
User Types
Communication 'C'
Used for dialog-free communication between systems (for RFC or CPIC service users of different applications, for example, ALE, Workflow, TMS, ZBV).
Dialog logon is not possible.
Service 'S'
A user of type Service is a dialog user available to a large
anonymous set of users. It usually has closely-restricted
authorizations.
Service users are, e.g., used for anonymous system access
via an ITS service. You can change a session which began as
an anonymous session with a service user into a personal
session under a dialog user with an individual authentication.
There is no check for obsolete/initial passwords at logon. Only
the user administrator can change the password.
Multiple logon is allowed.


User Types
Reference 'L'
A Reference user is a general impersonal
user like the Service user. You cannot
logon with a Reference user. The
Reference user is to give Internet users
identical authorizations.
This assignment applies to all systems in a CUA landscape. If the assigned Reference user does not exist in a CUA subsidiary system, the assignment is ignored.


User Details and Address
User Logon Data
Roles Assigned to User
Profiles Assigned to User
Groups a User Belongs To
User Defaults

User Master Records
Locking and unlocking users
Locks prevent users from logging on
A lock does not affect users who are already logged on
Manual lock
Done by administrator
Automatic lock
Done automatically after unsuccessful logon
attempts
Change Password
After a password is reset, the user is
prompted to change the password
immediately during the next logon session.

Central User Administration
An SAP system group consists of several SAP systems with several clients. The same users are frequently created and maintained in each client.
Using central user administration, you can maintain these users centrally in one system. The information is then automatically distributed to the dependent systems.
Uses system users to distribute users to the SAP systems within the system group.

Security Logging and Monitoring
SAP R/3 keeps a variety of logs for:
System administration
Monitoring
Problem solving
Auditing
Tracking
The following audit tools and logs are available:
Audit Information System
Security Audit Log
System Log
CCMS Monitoring Tools and Statistic Records
Logging of Specific Activities
Security Related Reports and Transactions (RSUSRxxx and SUIM)

Audit Information System (AIS)
A collection of SAP reports and queries based on a reporting tree
A tool for auditing an SAP system
Primarily uses existing SAP functionality
Designed to rationalize and facilitate the audit
Organizes all audit related activities under one umbrella
Aims to improve the quality of an audit

Security Audit Log
Designed for auditors who require detailed data
from the system
Used to record the following security related
information
Successful and unsuccessful dialog log-on attempts
Successful and unsuccessful RFC log-on attempts
RFC calls to function modules
Changes to User Master Records
Successful and unsuccessful transaction starts
Changes to the audit configuration
Transaction SM19 is used to select the information to be audited (logged)
Transaction SM20 is used to select the information to review and display

Selecting Information to be Logged
Selecting Information to be Displayed
Sample Security Audit Log Information

Security Audit Log: Other Considerations
Audit log is maintained on a daily basis on
each application server.
Logs from previous days are neither deleted
nor overwritten.
Due to the amount of information accumulated, it may be necessary to archive and purge the audit files (using SM18).

System Log
The R/3 system logs all system errors, warnings, user
locks due to failed log-on attempts and process messages
in the System Log.
There are two types of logs: local logs and central logs.
Each application server has a local log for local messages.
Central logging must be explicitly activated.
Local logs are held in a single circular file that is overwritten when full.
The central log has an active file and an old file. The system switches between them and starts overwriting the old file with current log details.
The log sizes must be large enough to hold messages for problem analysis.
The log is accessed through transaction SM21.

System log: important parameters

CCMS Statistical Records
CCMS logs activities in statistical records categorized by transaction, program, and user.
Records can be accessed through transaction STAD.
To access statistical records, the following authorizations are required:
S_ADMI_FCD (field value ST0R)
S_TOOLS_EX (field value S_TOOLS_EX_A)
S_TCODE (field value STAD)

Logging of specific activities
Logging changes to table data
Can log changes to critical tables
Logging must be explicitly activated
Logging changes to user master
records, profiles, and authorizations
R/3 logs changes made by user
administrators
Changes to authorizations, user information,
profiles, passwords, etc.
Can use SU01 or SUIM to view these
changes

Logging of Specific Activities
Logging using change documents
Can log changes to critical objects
R/3 may not automatically use change
documents
May need to activate the process
Application logging
Records progress of execution of an
application
Transaction SLG0 used to define entries for
applications in the application log
Transaction SLG1 is used to analyze the log
Logging workflow execution

Quick Quiz
1. What are the default clients that SAP R/3 is supplied with?
2. What are the default users that SAP R/3 is supplied with?
3. What is the name of the report that can be run to check whether the default passwords for the default users have been changed?
4. Which SAP-delivered settings should be changed for user ID SAP*? Why can't the user ID just be deleted?
5. Are users client-specific or instance-specific? Why does this matter?

Computer Exercises
1. Testing a User Account (SU01)
2. Reviewing a User Master Record
3. Using the Security Audit Log
4. Using the System Log

Chapter 4
AUTHORIZATION OBJECT DOCUMENTATION

Authorization Object Documentation
Authorization object documentation provides detailed information on authorization objects, including the following:
What the authorization object controls
Fields contained within the authorization object
Field values and what they control
Primary sources of authorization object
documentation are:
Documentation within SAP application
SAP online documentation


Authorization Object Documentation

Authorization Field Documentation
Authorization objects can contain as many as 10 fields.
Object fields control different aspects of the activity or
function that the authorization object protects.
With multiple fields and multiple possible field values, there are a very large number of possible permutations of authorizations for a single authorization object.
Fields can be specific to a single authorization object or
they could appear in many different objects.
Examples of common fields include:
Activity
Organizational structure elements
e.g., company code, group company, controlling area, purchasing
organization, plant, storage type, sales area, distribution channel,
division
Authorization group

Activity Field Information
Other Field Information

Determining Access Requirements
In order to audit security in an R/3 system effectively, we need to be able to determine the SAP access requirements for the specific functionality we are auditing.
R/3 presents us with a number of tools to help determine
relevant authorization objects and authorization values.
Some of these tools can be used for specific areas of the
security mechanics model, others can be used for all
areas.
In the slides that follow, we discuss these tools under the
following headings:
Transaction Codes
Check Objects
Authority Checks
Other Tools

Identifying Transaction Codes
There are a number of methods of identifying required transaction codes, including:
Menu path: System > Status
Dynamic Menu

Identifying Check Objects
There are two key ways of identifying the check object of a transaction code:
Maintain Transaction: SE93
Table TSTCA

Identifying Authority-Checks
In order to identify authority-checks in programs, one must:
Identify the program name
Search the program (and any program which is called by that program) for authority-checks
The primary tools are:
Program identification: Maintain Transaction (SE93)
Program search: ABAP Editor (SE38)

Other Identification Tools
There are numerous other tools available, including:
Debugging security authorization failures: SU53
System Trace: ST01
Determining default requirements: SU24, or tables USOBT and USOBT_C

Security Tools, Reports & Transactions
Having determined the access requirements for
specific SAP functionality, the next step is to
determine who has such access. R/3 provides
us with numerous security review tools:
Common security transactions:
SUIM: Authorization InfoSystem
SU01: Maintain Users
SU02 and SU03 should not be used in 4.6B and above
Security reports:
RSUSRxxx reports (executed through SA38)
These transactions and reports are used
throughout the remainder of this course.


Authorization Infosystem
RSUSRxxx Reports

Quick Quiz
1. Name three ways of identifying a transaction code.
2. Name two ways of identifying the check object for a transaction.
3. What transaction is used to view the source code of a program?
4. What transaction is used to access the Authorization Infosystem?

Computer Exercises
Find the Computer Exercises for Day Two in your Participant's Guide.
Viewing authorization documentation (SUIM)
Using the area menu editor (SE43) to identify transaction codes
Reviewing check objects
Determining authority checks
Determining default access requirements using table USOBT
Using SUIM to determine who has access to perform user security administration
Understanding RSUSRxxx reports

Section 5
TRANSACTION SECURITY
Security Mechanics - Recap

Transaction Code History
Prior to R/3 release 3.0D:
Transactions were not protected by the S_TCODE authorization object.
Transactions relied upon check objects and authority checks within programs to ensure that they were secure.
Disadvantages:
In 3.0C there were approximately 600 check objects but thousands of transactions. Therefore, many transactions were protected by the same check object.
Many standard SAP transactions were not protected by check objects or authority checks in the programs that these transactions call.

Transaction Code History
From R/3 release 3.0D onward:
S_TCODE authorization object introduced.
Whenever a transaction is started, an
authorization check takes place against
the authorization object S_TCODE (also
known as the authorization check for
transaction start).
Transactions are still protected by check
objects and authority checks within
programs.


Transaction Code History
Advantages:
This guarantees that each transaction is
protected by at least one authorization
check.
It is easy to determine which transactions
a user is allowed to execute (or start).
The security administrator is able to
restrict individual users or user groups to
the transactions they require by restricting
authorizations for this object.

Security Authorization Objects
S_TCODE
Authorization object checked whenever a
transaction is started
Has one field
TCD (Transaction Code): used to specify which transactions or groups of transactions a user can start


Reviewing Transaction Start Security
Guidelines
S_TCODE authorization object should be
used to secure all SAP transactions. In order
for this control to be effective, all users
should be authorized to execute only those
specific transactions that they require to
perform their job functions.
No user should be assigned an authorization for the S_TCODE authorization object with a value of * in the transaction field, and the use of ranges should be discouraged (e.g., A* to B*).

Reviewing Transaction Start Security
Sample Audit Steps
Using authorization infosystem transaction
(SUIM):
Determine which users, if any, have been
assigned an authorization for S_TCODE with
a field value of *
Review a sample of S_TCODE authorizations
to ensure that explicit values or limited
ranges are being used in the transaction
field
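A small review script, added here as an example (not part of the course material or SAP code), that applies the guidelines above to S_TCODE values exported for a set of users. The matching rules model SAP's value semantics (a lone * allows every transaction, a trailing * is a generic prefix, a from/to pair is a range compared as strings); the users and values are constructed.

```python
"""Review S_TCODE (field TCD) authorization values against the course guidelines.

Constructed input: one row per (user, low, high) value pair, modelled on the
value/range pairs an auditor sees in SUIM for authorization object S_TCODE.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TcdValue:
    user: str
    low: str
    high: str = ""  # non-empty means a from/to range LOW..HIGH


def allows(value: TcdValue, tcode: str) -> bool:
    """Does this value allow starting tcode? (model of SAP value matching)"""
    if value.high:                        # range: plain string comparison
        return value.low <= tcode <= value.high
    if value.low == "*":                  # full wildcard: every transaction
        return True
    if value.low.endswith("*"):           # generic value: prefix match
        return tcode.startswith(value.low[:-1])
    return tcode == value.low             # explicit transaction code


def classify(value: TcdValue) -> str:
    """Label a value the way the guidelines grade it."""
    if value.high:
        return "RANGE"
    if value.low == "*":
        return "FULL_WILDCARD"
    if value.low.endswith("*"):
        return "GENERIC"
    return "EXPLICIT"


def review(values: List[TcdValue]) -> Dict[str, List[str]]:
    """Findings per user: '*' is never acceptable, ranges are discouraged,
    generic values need confirmation that every matching tcode is required."""
    findings: Dict[str, List[str]] = {}
    for v in values:
        kind = classify(v)
        if kind == "FULL_WILDCARD":
            msg = "S_TCODE TCD = * : can start every transaction"
        elif kind == "RANGE":
            msg = f"S_TCODE range {v.low}-{v.high}: ranges should be avoided"
        elif kind == "GENERIC":
            msg = f"S_TCODE generic value {v.low}: confirm all matching tcodes are required"
        else:
            continue
        findings.setdefault(v.user, []).append(msg)
    return findings


def who_can_start(values: List[TcdValue], tcode: str) -> List[str]:
    """Users whose S_TCODE values allow starting a given (sensitive) transaction."""
    return sorted({v.user for v in values if allows(v, tcode)})


# Constructed sample export (not real users or roles).
SAMPLE = [
    TcdValue("ARCLERK1", "FB01"),
    TcdValue("ARCLERK1", "FB03"),
    TcdValue("BASIS01", "*"),
    TcdValue("FICO02", "FB00", "FB99"),   # the kind of range the guidelines discourage
    TcdValue("SUPPORT3", "SE1*"),         # generic value: SE11, SE16, SE17, ...
]

if __name__ == "__main__":
    for user, msgs in review(SAMPLE).items():
        for m in msgs:
            print(f"{user}: {m}")
    print("Can start SM01:", who_can_start(SAMPLE, "SM01"))
```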


Reviewing Transaction Start Security

Reviewing Check Object Security
Guidelines
Check objects should be assigned to all
transactions (including custom
transactions).
When assigning users the relevant
authorizations for these check objects,
specific values should be used in the
authorization fields. The use of the * value in these fields should be avoided wherever possible.

Reviewing Check Object Security
Sample Audit Steps:
Using the table view transaction
(SE16/SE17):
View the table of transactions (table TSTC) and compare it to the table of transactions protected by check objects (table TSTCA)
Using transaction SE93:
Review a sample of sensitive SAP
transactions to determine whether they are
protected by check objects
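The TSTC/TSTCA comparison from the audit steps above, written out as an added example (not course or SAP code) over constructed rows: it lists transactions with no check object, singles out custom Y*/Z* ones, and shows which check objects are shared by many transactions (the weakness described under "Transaction Code History"). Table names are from the slides; the transaction codes and values are made up.

```python
"""Compare the transaction table (TSTC) with the check-object table (TSTCA).

Constructed rows modelled on TSTC (transaction code) and TSTCA (transaction,
check object, field, value); the transaction codes are made up for the example.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class CheckEntry(NamedTuple):
    tcode: str   # transaction code
    objct: str   # the check object assigned to the transaction
    field: str   # checked field of that object
    value: str   # required field value


def unprotected(tstc: Set[str], tstca: List[CheckEntry]) -> List[str]:
    """Transactions with no TSTCA row: only S_TCODE is checked when they start."""
    protected = {e.tcode for e in tstca}
    return sorted(tstc - protected)


def unprotected_custom(tstc: Set[str], tstca: List[CheckEntry]) -> List[str]:
    """Custom (Y*/Z*) transactions without a check object; the guideline wants none."""
    return [t for t in unprotected(tstc, tstca) if t[:1] in ("Y", "Z")]


def transactions_per_object(tstca: List[CheckEntry]) -> Dict[str, List[str]]:
    """Which transactions share one check object."""
    by_obj: Dict[str, Set[str]] = defaultdict(set)
    for e in tstca:
        by_obj[e.objct].add(e.tcode)
    return {o: sorted(t) for o, t in by_obj.items()}


def shared_objects(tstca: List[CheckEntry], at_least: int = 2) -> List[str]:
    """Check objects protecting at_least transactions, most shared first."""
    per = transactions_per_object(tstca)
    return sorted((o for o, t in per.items() if len(t) >= at_least),
                  key=lambda o: (-len(per[o]), o))


# Constructed sample (transaction codes and values are made up for the example).
TSTC = {"FB01", "FB03", "SE16", "SM30", "ZFI_POST", "ZRPT01", "YHR_LIST"}
TSTCA = [
    CheckEntry("FB01", "F_BKPF_BUK", "ACTVT", "01"),
    CheckEntry("FB03", "F_BKPF_BUK", "ACTVT", "03"),
    CheckEntry("SE16", "S_TABU_DIS", "ACTVT", "03"),
    CheckEntry("SM30", "S_TABU_DIS", "ACTVT", "02"),
    CheckEntry("ZFI_POST", "F_BKPF_BUK", "ACTVT", "01"),
]

if __name__ == "__main__":
    print("No check object:", unprotected(TSTC, TSTCA))
    print("Custom without check object:", unprotected_custom(TSTC, TSTCA))
    print("Shared check objects:", shared_objects(TSTCA))
```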

Reviewing Check Object Security

Transaction Locking
R/3 allows locking of specific transactions.
Transaction locking prevents users from executing
certain transactions, even if they have the necessary
authorizations to execute those transactions.
Transaction locking is useful if there are sensitive
transactions to which nobody should have access.
Transactions can be easily locked and unlocked.
Use transaction SM01 to lock and unlock
transactions, and to view which transactions have
been locked.
There is no display-only mode for SM01, so auditors may wish to have an SAP administrator provide this list.

Transaction Locking

Transaction Logging

R/3 logs transactions in a number of ways, including:
Statistical Records
Security Audit Log (if transaction starts are being
logged)
System Log
To view the Statistical Records, use transaction STAD
To view the Security Audit Log, use transaction SM20
(Use SM19 to enable logging of transaction starts)
To view the System Log, use transaction SM21
AIS can also be used to view these logs


Quick Quiz
Prior to R/3 release 3.0D, what types of authorization checks were performed?
What are some of the advantages of using the S_TCODE authorization object?
How many fields does the S_TCODE authorization object have? What is the name of that field?
What are the implications of using a field value of * in the S_TCODE authorization object?
What is the name of the table that lists all SAP R/3 transactions and their associated check objects and values?
What other transaction can be used to view the check object of a transaction code?
What transaction can be used to view, lock, and unlock transactions?
Name three ways in which R/3 logs transactions.

Computer Exercises
Reviewing transaction security
Reviewing check object security
Reviewing a check object for a single transaction
Using statistical records to view transactions

Section 6
TABLE SECURITY
Table Data vs. Table Structure Access
Table Data Access
Refers to access to data contained within tables.
Most users are given access to table data.
Table data access should be granted through the
R/3 applications.
Direct access to table data should be restricted.
Table Structure Access
Refers to access to table elements controlling the
structure of tables.
Users should not be given access to table
structures.
Typically only the Database Administrator would be
granted table structure access.

Table Data Access
Table Access via transactions
Access is controlled through the transaction or
program.
R/3 validation routines help ensure data integrity.
Table data access is limited to the specific table(s)
called by the transaction or program.
Direct table access
Access is not controlled by a transaction or program.
There are no robust validation routines to ensure
data integrity.
If granted direct table access, a user can access any
table (unless other security controls have been
implemented).

Table-Related Authorization Objects
Table viewing
Transaction: SE17
Significant authorization objects: S_TABU_DIS, S_TABU_CLI
Table data maintenance
Transactions: SE16, SM30, SM31
Significant authorization objects: S_TABU_DIS, S_TABU_CLI
Table structure maintenance
Transactions: SE11, SE12, SE13, SE14
Significant authorization object: S_DEVELOP

Table-Related Authorization Objects
S_TABU_DIS
Primary authorization object checked when
performing table data viewing or
maintenance.
Has two fields:
Authorization group: used to specify which groups of tables a person can view or maintain.
Activity: used to specify what activities a person can perform related to table data.
Possible values are:
02: Create, change or delete table entries
03: Display table entries only

Table-Related Authorization Objects
S_TABU_CLI
Authorization object checked when performing client-independent table maintenance
Has one field:
ID for client-independent maintenance: used to specify whether a person can perform client-independent table maintenance.
Possible value:
X: Allow client-independent table maintenance

Securing Direct Table Data Access
Table Authorization Groups

Restricting Changes to Client Objects

R/3 allows overall protection of all objects (both client-dependent and client-independent) in a client.
For client-dependent objects, the choices are:
Changes without automatic recording.
Automatic recording of changes.
No changes allowed.
No transports allowed.
For client-independent objects, the choices are:
Changes to repository and client-independent customizing
allowed.
No changes to client-independent customizing objects.
No changes to repository objects.
No changes to repository and client-independent customizing objects

Reviewing Table Data Security
Guidelines
The ability to view table data directly (through transaction
SE17) should be restricted to a limited number of
authorized individuals in the production environment.
The ability to maintain table data directly in the
production environment (through transaction SM30, SM31
or SE16) should be prohibited. Such changes should be
made through the application, or alternatively should be
done in the development environment, and be subject to
the change control process.
All tables (including newly created tables) should be
assigned to authorization groups.
When granting the ability to access tables directly, access
should be restricted to specific tables through the use of
the authorization group field in the S_TABU_DIS
authorization object.

Reviewing Table Data Security
Sample Audit Steps
Using the table view transaction (SE16/SE17):
View table TDDAT and determine the extent to which
tables (including custom tables) are being assigned to
table authorization groups.
Using the authorization info system transaction
(SUIM):
Determine which users, if any, have been assigned the
necessary authorizations to view table data directly.
Determine which users, if any, have been assigned the
necessary authorizations to maintain table data directly.
Determine whether table authorization groups are being
used to restrict direct table access.
Using the table maintenance transaction (SM31):
Select table T000 and view the client settings for the production client.
Reviewing Table Authorization Groups
Reviewing Table Data Access
Reviewing Client Maintenance Settings

Quick Quiz
1. What is the difference between table data access and table structure access?
2. What transactions can be used to view table data directly?
3. What are the key authorization objects that control direct table data access?
4. What is R/3's method of limiting direct access to table data?
5. What is the implication of assigning a value of * in the authorization group field of S_TABU_DIS?
6. What is the name of the table used to determine whether tables have been assigned to specific authorization groups?

Computer Exercises
1. Identify the table accessed by a transaction
2. Examine table data
3. Viewing table authorization groups
4. Identify tables not assigned to authorization groups

Section 7
PROGRAM SECURITY
Program Access Paths

Paths to Running Programs or Reports
Running Programs or Reports via Transactions
Access is controlled through the transaction.
Program access is limited to the specific program
called by the transaction.
Transaction Start (S_TCODE) and check object
checks performed each time a transaction is
executed.
Running Programs or Reports Directly
If granted the ability to run programs directly, a
user can run any program (unless other security
controls have been implemented).
Transaction Start (S_TCODE) and check object
verifications are performed only once (when SA38
or SE38 is executed).

Program Related Authorization Objects
Running programs and reports
Transactions: SA38, SE38
Significant authorization object: S_PROGRAM
Running queries
Transaction: SQ00
Significant authorization object: S_QUERY
Maintaining queries
Transactions: SQ00, SQ01, SQ02, SQ03
Significant authorization object: S_QUERY

Program Related Authorization Objects
S_PROGRAM
Primary authorization object checked when
running programs directly.
Has two fields:
Authorization group: used to specify which groups of programs a person can run.
User action: used to specify what actions a person can perform related to programs. Possible values include:
SUBMIT: Start the program
BTCSUBMIT: Schedule the program to run as a background job
VARIANT: Maintain variants

Program Related Authorization Objects
S_QUERY
Specifies whether a user can create and
change queries, maintain the environment
for ABAP Query (functional areas and user
groups), or translate Query object texts.
Has one field:
Activity: used to specify what activities a person can perform related to queries.
Possible values are:
02: Change (create and change queries)
23: Maintain (maintain environment)
67: Translate

Securing Direct Program Access
Program Authorization Groups
Authority Checks in Programs

Reviewing Program Security
Guidelines
The ability to run programs directly (through
transaction SA38 or SE38) should be
restricted to a limited number of authorized
individuals.
All custom programs should be assigned to
authorization groups.
When granting the ability to run programs
directly, access to programs should be
restricted to specific groups of programs
through the use of the authorization group
field in the S_PROGRAM authorization object.

Reviewing Program Security
Sample Audit Steps
Using the table view transaction (SE16/SE17):
View table TRDIR and determine the extent to which
custom programs are being assigned to program
authorization groups.
Using the authorization infosystem transaction (SUIM):
Determine which users, if any, have been assigned the
necessary authorizations to run programs.
Determine which users, if any, have been assigned the
necessary authorizations to maintain programs.
Determine whether program authorization groups are
being used to restrict direct access to programs.
Using transaction SE38:
Review the source code of a sample of custom programs to
determine whether they include authority-check
statements.
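One script, added as an example (not course or SAP code), that serves both the table audit steps (TDDAT and S_TABU_DIS) and the program audit steps above (TRDIR and S_PROGRAM): it lists items without an authorization group, users holding a * group value, and the tables or programs each user can reach directly. The field names DICBERCLS/ACTVT and P_GROUP/P_ACTION are the objects' real fields; the rows, users and the handling of ungrouped programs are constructed assumptions, labelled in the code.

```python
"""Review direct table / program access through authorization groups.

Constructed rows modelled on TDDAT (table, group) and TRDIR (program, group)
and on the S_TABU_DIS (DICBERCLS, ACTVT) / S_PROGRAM (P_GROUP, P_ACTION)
values a user holds. Users and names are made up for the example.
"""
from typing import List, NamedTuple, Optional, Set


class Item(NamedTuple):      # one TDDAT or TRDIR row
    name: str
    group: str               # "" = not assigned to any authorization group


class Auth(NamedTuple):      # one authorization value pair held by a user
    user: str
    objct: str               # "S_TABU_DIS" or "S_PROGRAM"
    group: str               # DICBERCLS or P_GROUP value
    action: str              # ACTVT (02/03) or P_ACTION (SUBMIT/BTCSUBMIT/VARIANT)


def covers(auth_value: str, actual: str) -> bool:
    """SAP-style value match: '*' is everything, trailing '*' a prefix, else exact."""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return actual.startswith(auth_value[:-1])
    return auth_value == actual


def unassigned(items: List[Item], custom_only: bool = False) -> List[str]:
    """Names without an authorization group; custom_only keeps Y*/Z* names."""
    return sorted(i.name for i in items
                  if not i.group and (not custom_only or i.name[:1] in ("Y", "Z")))


def wildcard_holders(auths: List[Auth], objct: str) -> List[str]:
    """Users whose group value for the object is '*': every table or program."""
    return sorted({a.user for a in auths if a.objct == objct and a.group == "*"})


def direct_maintainers(auths: List[Auth]) -> List[str]:
    """Users able to change table data directly (ACTVT 02 via S_TABU_DIS);
    the guideline says this should be prohibited in production."""
    return sorted({a.user for a in auths
                   if a.objct == "S_TABU_DIS" and covers(a.action, "02")})


def reachable(items: List[Item], auths: List[Auth], objct: str, action: str,
              user: str, unassigned_group: Optional[str] = "&NC&") -> Set[str]:
    """Items the user can reach directly with the given action.

    SAP treats tables without a group as members of the default group &NC&,
    so only a DICBERCLS value covering '&NC&' reaches them. Passing
    unassigned_group=None models ungrouped programs as reachable by anyone
    who may run programs at all (a modelling assumption for this example)."""
    groups = [a.group for a in auths
              if a.user == user and a.objct == objct and covers(a.action, action)]
    out: Set[str] = set()
    for item in items:
        if item.group:
            ok = any(covers(g, item.group) for g in groups)
        elif unassigned_group is None:
            ok = bool(groups)
        else:
            ok = any(covers(g, unassigned_group) for g in groups)
        if ok:
            out.add(item.name)
    return out


# Constructed sample data (not from a real system).
TDDAT = [Item("T000", "SS"), Item("ZFI_RATES", "ZFI"), Item("ZLOG_TMP", ""), Item("ZARCHIVE", "")]
TRDIR = [Item("ZFI_REPORT", "ZFI"), Item("ZTMP_LOAD", "")]
AUTHS = [
    Auth("BASIS01", "S_TABU_DIS", "*", "02"),
    Auth("FIUSER1", "S_TABU_DIS", "ZFI", "03"),
    Auth("AUDIT01", "S_TABU_DIS", "S*", "03"),
    Auth("DEV02", "S_PROGRAM", "*", "SUBMIT"),
    Auth("FIUSER1", "S_PROGRAM", "ZFI", "SUBMIT"),
]

if __name__ == "__main__":
    print("Tables without group:", unassigned(TDDAT, custom_only=True))
    print("S_TABU_DIS with '*':", wildcard_holders(AUTHS, "S_TABU_DIS"))
    print("Direct table maintainers:", direct_maintainers(AUTHS))
    print("FIUSER1 can run:", reachable(TRDIR, AUTHS, "S_PROGRAM", "SUBMIT", "FIUSER1", None))
```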

Reviewing Program Authorization Groups
Reviewing Program Access
Reviewing Programs for Authority-Checks

Quick Quiz
1. What transactions can be used to run programs directly?
2. What is the key authorization object that controls the running of programs?
3. What is R/3's method of limiting direct access to programs?
4. What is the implication of assigning a value of * in the authorization group field of S_PROGRAM?
5. What is the name of the table used to determine whether programs have been assigned to specific authorization groups?
6. What is the name of the program authorization group for unassigned programs?
7. What are the shortcomings of searching for authority-checks in programs?

Computer Exercises
1. Viewing program authorization groups
2. Reviewing program security
3. Finding the name of a program associated with a transaction
4. Checking source code and finding authority checks in programs

Section 8
PROFILE GENERATOR
Profile Generator Overview
Profile Generator (PG) is a tool used for
security design and configuration.
PG replaces the manual creation and
maintenance of authorizations and simple
profiles.
A different methodology is used for profile
generation:
User selects the functions required and PG
automatically determines the appropriate
Authorization Objects and values.
Profile Generator is renamed the Role Administrator (4.6C and Enterprise). Functionality is essentially the same.

Profile Generator Overview
Roles (Activity Groups)
Security development with the PG is based
on Roles (or Activity Groups).
Roles are a collection of linked or associated
activities that are created using PG.
Roles usually represent a job or function, e.g., Accounts Payable Clerk, Payroll Manager, Sr. Tax Accountant, Analyst, Distribution Manager.

Profile Generator Overview
Roles (continued)
Profile Generator (PG) is driven by
transaction codes (activities performed by
users) assigned to each Role.
Authorization (simple) profiles are created
and updated when Roles are generated.
PG requires substantial manual
intervention during the Role generation
process for fine tuning of specific values.
Each Role is assigned a unique SAP
internal number.

Profile Generator Overview
Profile Generator automates authorization
assignment for transaction codes via the
relationship delivered in SAP table USOBT.
Running transaction SU25 creates the modifiable
customer version of this table USOBT_C.
Profile Generator references USOBT_C once it is
created.
USOBT_C is modifiable via transaction SU24.
Allows customization of which authorization
objects and values are automatically added for
each transaction
Allows limited ability to select which Authorization
Objects are checked by a transaction
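A model of the USOBT_C-driven step described above, added as an example (not SAP's PFCG code): given a role's transactions, it pulls in the objects whose check indicator is set, takes over the default field values, leaves fields without a default open, and adds the S_TCODE authorization that Profile Generator always creates for the role's menu. The flag values 'X'/'N', the ORG_LEVELS set and the red/yellow/green mapping are assumptions of this model; the rows are constructed.

```python
"""Model how Profile Generator proposes authorizations from USOBX_C and USOBT_C.

Constructed rows: USOBX_C gives the check indicator per (transaction, object),
USOBT_C the default field values. In this model 'X' means the proposal is taken
into the role and 'N' means the object is skipped; an empty default leaves the
field open for the administrator.
"""
from typing import Dict, Iterable, NamedTuple, Set, Tuple


class CheckInd(NamedTuple):   # one USOBX_C row (modelled)
    tcode: str
    objct: str
    flag: str                 # "X" take proposal into the role, "N" do not check


class Default(NamedTuple):    # one USOBT_C row (modelled)
    tcode: str
    objct: str
    field: str
    low: str                  # "" = no default value, field stays open
    high: str = ""            # non-empty: a from/to range


# Organizational-level fields maintained centrally (constructed subset for the example).
ORG_LEVELS = {"BUKRS", "WERKS", "VKORG"}

Auths = Dict[str, Dict[str, Set[str]]]          # object -> field -> values
OpenFields = Set[Tuple[str, str]]               # (object, field) still without a value


def propose(role_tcodes: Iterable[str], usobx_c: Iterable[CheckInd],
            usobt_c: Iterable[Default]) -> Tuple[Auths, OpenFields]:
    """Build the role's proposed authorizations and the fields left open."""
    tcodes = set(role_tcodes)
    wanted = {(c.tcode, c.objct) for c in usobx_c if c.flag == "X" and c.tcode in tcodes}
    auths: Auths = {"S_TCODE": {"TCD": set(tcodes)}}   # always added for the menu
    open_fields: OpenFields = set()
    for d in usobt_c:
        if (d.tcode, d.objct) not in wanted:
            continue
        values = auths.setdefault(d.objct, {}).setdefault(d.field, set())
        if d.low:
            values.add(f"{d.low}-{d.high}" if d.high else d.low)
        else:
            open_fields.add((d.objct, d.field))
    # a field that received a value from another transaction is no longer open
    open_fields = {(o, f) for o, f in open_fields if not auths[o][f]}
    return auths, open_fields


def status(open_fields: OpenFields) -> str:
    """Traffic light as modelled here: red while an org level is open,
    yellow for any other open field, green when every field has a value."""
    if any(f in ORG_LEVELS for _, f in open_fields):
        return "RED"
    return "YELLOW" if open_fields else "GREEN"


def maintain_org_level(auths: Auths, open_fields: OpenFields,
                       field: str, values: Set[str]) -> None:
    """Maintain one org level centrally: every open occurrence gets the values."""
    for objct, fld in list(open_fields):
        if fld == field:
            auths[objct][fld].update(values)
            open_fields.discard((objct, fld))


# Constructed sample rows (object and field names are illustrative only).
USOBX_C = [
    CheckInd("FB01", "F_BKPF_BUK", "X"), CheckInd("FB01", "F_BKPF_KOA", "X"),
    CheckInd("FB01", "S_SCD0", "N"), CheckInd("FB03", "F_BKPF_BUK", "X"),
]
USOBT_C = [
    Default("FB01", "F_BKPF_BUK", "ACTVT", "01"), Default("FB01", "F_BKPF_BUK", "BUKRS", ""),
    Default("FB01", "F_BKPF_KOA", "ACTVT", "01"), Default("FB01", "F_BKPF_KOA", "KOART", "*"),
    Default("FB01", "S_SCD0", "ACTVT", "08"),
    Default("FB03", "F_BKPF_BUK", "ACTVT", "03"), Default("FB03", "F_BKPF_BUK", "BUKRS", ""),
]

if __name__ == "__main__":
    auths, open_f = propose({"FB01", "FB03"}, USOBX_C, USOBT_C)
    print(status(open_f), open_f)                 # RED: BUKRS open
    maintain_org_level(auths, open_f, "BUKRS", {"1000"})
    print(status(open_f), auths["F_BKPF_BUK"])    # GREEN after the org level is set
```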

Why Use Profile Generator
Profile Generator (PG) speeds up the process
of security development.
Authorization Objects and default field values for
each transaction code are pre-loaded in the
system.
Necessity of System traces greatly diminished
Transaction code is selected and appropriate
Authorizations for required Authorization Objects
are automatically added to Role.
Organization Level values are maintained centrally
(Company Code, Sales Organization, Distribution
Channel, Division, Plant, etc.).
*Tables USOBX_C and USOBT_C (via transaction SU24) need to
be updated or customized to fit a specific implementation.
INFOTECH RISKS SECURITY LIMITED (www.irslconsulting.com) 204
Using Profile Generator
Transaction Code: PFCG
Menu path: Tools > Administration > User Maintenance > Roles (Activity Groups)

Creating a Role
Role > Create (F5)
Example: A/R Clerk
Role Name: YF_ARCLK

Menu Tab
Click on the Menu tab to enter the Role's transaction codes. Then click on + Transaction.

Menu Tab - Assigning Transactions
Assign transaction codes and save.

Automatically Created Authorizations
Go to Authorizations and click on Change authorization data. Close the pop-up window.

Automatically Created Authorizations
Observe that by selecting the transactions, Profile Generator assigned the relevant authorization objects.
Note that there are several red and yellow indicators (not ready yet).
Click on generate (Beach Ball).
Click Generate.
Change Profile name.

Authorization Profile
An Authorization Profile was created by Profile Generator for the role that has all the authorization objects defined in USOBT_C.

USOBT_C vs. Profile Generator

Organizational Level
Organizational Level values are centrally maintained: Company Code, Sales Organization, Controlling Area, Business Area, etc.
Field values can be added as Org Level requirements change. Plant, for example, is easier to maintain as an Org Level if the same Plant must be entered throughout various Roles.
Once a field is added as an Org Level, it must be maintained as Org Level in all Roles.

Authorizations

Assigning Role to User
Transaction SU01 (Maintain User)
Add a Task Profile to a User Master Record

Assigning Role to User
Role has been assigned to user.

Assigning Role to User
The authorization profile ZBFU_H0__ for Role ZFBU_HO___000 is transferred to the user master record.

Assigning Role to User
Users can also be assigned to Roles from Profile Generator.

Missing or Customizing Authorizations
Based on the transaction codes selected on the menu tree, Profile Generator sometimes pulls in authorizations with:
  A missing authorization to a specific object required to complete a transaction code
  Too much access (e.g., activity 02 for a Display transaction)
  Not enough access (e.g., activity 03 for a Change transaction)
  Inappropriate access (e.g., activity 04 for a Delete transaction)
  Access that does not fit the project's requirements (e.g., account type * instead of K for vendors)
The default authorization checks for transactions can be customized to fit the project's needs using SU24 (Maintain Assignment of Authorization Objects to Transactions).
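As an added example (not part of the training deck or any SAP tool), the following script shows how an auditor can check a role's generated authorizations for the problem types listed above. The role export, the t-code classification and the REQUIRED object table are constructed stand-ins for what would normally be pulled from the system and from USOBT_C.

```python
import csv
import io

# Constructed sample export (role, object, field, value) for role YF_ARCLK,
# whose menu only contains display t-codes (FB03, FK03).
ROLE_EXPORT = """\
role\tobject\tfield\tvalue
YF_ARCLK\tS_TCODE\tTCD\tFB03
YF_ARCLK\tS_TCODE\tTCD\tFK03
YF_ARCLK\tF_BKPF_BUK\tACTVT\t02
YF_ARCLK\tF_BKPF_BUK\tBUKRS\t*
YF_ARCLK\tF_BKPF_KOA\tACTVT\t03
YF_ARCLK\tF_BKPF_KOA\tKOART\t*
"""

# Assumed classification of t-codes and the objects they require (a stand-in
# for the USOBT_C defaults an auditor would extract from the system).
DISPLAY_TCODES = {"FB03", "FK03"}   # display transactions: activity 03 expected
VENDOR_TCODES = {"FK03"}            # vendor-related: account type K expected
REQUIRED = {"FB03": {"F_BKPF_BUK"}, "FK03": {"F_BKPF_KOA", "F_LFA1_BUK"}}

def parse_export(text):
    """Return ({object: {field: set(values)}}, set of t-codes from S_TCODE)."""
    auths, tcodes = {}, set()
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        if row["object"] == "S_TCODE":
            tcodes.add(row["value"])
        else:
            fields = auths.setdefault(row["object"], {})
            fields.setdefault(row["field"], set()).add(row["value"])
    return auths, tcodes

def audit(auths, tcodes):
    """Flag missing objects, change activity in a display-only role and
    wildcard account types, in that order."""
    findings = []
    needed = set().union(*(REQUIRED.get(t, set()) for t in tcodes))
    for obj in sorted(needed - set(auths)):
        findings.append(f"missing object {obj} required by the role's t-codes")
    display_only = tcodes <= DISPLAY_TCODES
    for obj, fields in sorted(auths.items()):
        if display_only and fields.get("ACTVT", set()) & {"02", "*"}:
            findings.append(f"{obj}: change activity in a display-only role")
        if tcodes & VENDOR_TCODES and "*" in fields.get("KOART", set()):
            findings.append(f"{obj}: account type * where K (vendors) is expected")
    return findings

if __name__ == "__main__":
    for line in audit(*parse_export(ROLE_EXPORT)):
        print(line)
```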
Standard Authorizations
Without any customizing, all authorizations within a Role are Standard Authorizations.
For example: Authorization Object F_BKPF_BUK is missing. An authorization for the object can be manually inserted.

Manual Authorizations
All manually inserted Authorizations are identified as Manual.
PG will NOT update any of the Manual authorization objects or authorizations (i.e., these objects and authorizations will remain in the Role until they are manually removed).

Customizing Authorizations
If the Standard authorizations do not reflect your organization's needs, then customizing is required.
For example, change access (02) should be removed from Authorization object V_VBAK_VKO.

Customizing Authorizations
All changes made to Standard authorizations (except for blank authorizations) are indicated as Changed.
Similar to Manual authorizations, PG will NOT update any of the Changed authorizations (i.e., these authorizations will remain in the Role until they are manually removed).

Deleting Authorizations
Unnecessary authorizations brought in by Profile Generator can be deleted.
Issues:
  If a standard Authorization was manually deleted from a Role, it will re-appear when Read old status and merge with new data is executed in PG.
  New authorizations are categorized as New Authorizations.
  The deleted Authorization Object is a default tied to a specific transaction code.

Updating Authorization Default Values
Instead of manually adding/deleting Authorization Objects and/or editing default values, you can use SU24 to customize the default values of authorizations.
SU24 can be used to:
  Add missing authorization objects to specific transaction codes (e.g., for transaction VA01, add new authorization object F_BKPF_BUK)
  Remove excess authorization objects that are not checked within a transaction
  Change the default value for an authorization object for a specific transaction (e.g., for transaction F150, remove activity 02 from authorization object V_VBAK_VKO)

Note: Authority checks are carried out wherever they are specifically written into the source code of a program. Therefore, unless this object is already checked within the program being executed, adding a new authorization object using SU24 may NOT result in an authority check.

Updating Default Values Using SU24
New, customized values appear in Roles as Standard authorizations.
As t-codes are added or removed from Roles, these Authorizations will be updated accordingly.
Changes resulting in Manual or Changed Authorizations must be maintained manually.
The old default Authorizations will reappear in the Role when Read old status and merge with new data is selected in PFCG.
In the long run, security maintenance is easier and more efficient with customization.
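The following is an added example, not from the training deck or from SAP, that models the Standard / Manual / Changed behaviour described on the last few slides when "Read old status and merge with new data" is run. The USOBT_C defaults and the role are constructed, and the merge rule is simplified (real PFCG compares the role against the current SU24 proposals).

```python
from dataclasses import dataclass, field

# Constructed stand-in for USOBT_C: t-code -> {object: {field: default value}}
USOBT_C = {
    "FB03": {"F_BKPF_BUK": {"ACTVT": "03", "BUKRS": "$BUKRS"}},
    "VA01": {"V_VBAK_VKO": {"ACTVT": "01", "VKORG": "$VKORG"}},
}

@dataclass
class Authorization:
    obj: str
    values: dict
    status: str = "Standard"      # Standard | Manual | Changed

@dataclass
class Role:
    name: str
    tcodes: list
    auths: list = field(default_factory=list)

def merge(role):
    """Model of 'Read old status and merge with new data': Standard
    authorizations are rebuilt from USOBT_C for the role's current t-codes
    (a deleted default reappears, a removed t-code's defaults drop out);
    Manual and Changed authorizations are carried over untouched, and no
    new Standard copy is created for an object that is already Changed."""
    kept = [a for a in role.auths if a.status != "Standard"]
    changed = {a.obj for a in kept if a.status == "Changed"}
    rebuilt = [Authorization(obj, dict(vals))
               for tc in role.tcodes
               for obj, vals in USOBT_C.get(tc, {}).items()
               if obj not in changed]
    return Role(role.name, list(role.tcodes), kept + rebuilt)

def change_value(auth, fld, value):
    """Editing a Standard authorization in PFCG marks it Changed."""
    return Authorization(auth.obj, {**auth.values, fld: value}, "Changed")

def demo():
    """Generate YF_ARCLK, customize it by hand, then re-merge."""
    role = merge(Role("YF_ARCLK", ["FB03", "VA01"]))
    role.auths = [change_value(a, "ACTVT", "03") if a.obj == "V_VBAK_VKO" else a
                  for a in role.auths]                              # -> Changed
    role.auths = [a for a in role.auths if a.obj != "F_BKPF_BUK"]  # delete a default
    role.auths.append(Authorization("F_BKPF_KOA", {"KOART": "K", "ACTVT": "03"}, "Manual"))
    merged = merge(role)
    return sorted((a.obj, a.status, a.values["ACTVT"]) for a in merged.auths)

if __name__ == "__main__":
    print(demo())
```

The deleted F_BKPF_BUK default comes back as Standard, while the Changed V_VBAK_VKO and the Manual F_BKPF_KOA entries survive the merge unchanged.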

Quick Quiz
1. How are profiles maintained if they were generated using Profile Generator?
2. How are Roles identified on the system?
3. How is maintenance of Organization Level values different from maintenance of other values in a Role? Why is that true?

Section 9
AUDIT APPROACH
Processing Environments

SAP REVIEW COMPONENTS

Basis Component
Basis Review
  Should be performed every year
  Must be performed for all production systems
  Should be performed prior to any business cycle testing
  Should be considered for other systems (development or testing) based on risk assessment

TECHNICAL INFRASTRUCTURE REVIEW
SAP technical infrastructure must be reviewed:
  - Network
  - Operating system
  - Database
This environment is often completely separate from other processing environments.
It may share some elements and control features with other processing environments (e.g., hardware).
This review should be performed prior to business cycle testing.

BUSINESS CYCLE TESTING

DATA INTERFACES AND CONVERSIONS
Data Interfaces
  Need to test data interfaces
  Garbage In - Garbage Out phenomenon
  Environments may have multiple interfaces
  Evaluate materiality and risk
Data Conversions
  Need to review and test conversions
  Usually only relevant in the first year after implementation

AUDIT PLANNING
Understand total environment
  Legacy systems, SAP, distributed applications
Determine scope of SAP implementation
  Processes implemented
  Number of systems
  Version
  Level of customization
  Organization model
  Hot packages

Audit Planning
Understand technical architecture
  Network, database, and operating system
  Which platforms have been selected
  Platform versions
Understand interfaces
  Interface types
  Custom vs. bolt-on
  What data is transferred

Audit Planning
Define team members and roles
  Operational auditors
  IT auditors
  Compliance auditors
  Integration of different types of auditors may produce the best results

Audit Planning
Obtain high level overview of security and control
  How implemented
  Obtain documentation if available
  How managed
Define work paper and reporting standards
  How will tests be documented
  How will reporting be accomplished

Quick Quiz
What information should be gathered about the SAP environment as part of the audit planning process?

SECTION 10
SAP AUDIT TOOLS
What Is AIS?
A report tree with a collection of SAP reports or queries.
A tool for auditing an SAP system, for both systems and business audits.
A tool that primarily uses existing SAP functionality.
Purpose: to organize and facilitate the audit process.

What Can Auditors Do With AIS?
Provides auditors with the ability to document notes during an audit (additional audit documentation tools are now available via SAP's MIC application).
Provides capability to customize reports and queries for each user.
Allows auditors to evaluate information or download data to be used by CAAT tools, such as ACL and IDEA.
Allows multiple auditors to use the system simultaneously through different views.
Can take database snapshots.

What Does AIS Do?

Requirements To Use AIS
Auditors will still require a good knowledge of SAP to use AIS effectively.
Auditors need a user master record in the production SAP system in order to use the Audit Information System.

Using the Tree
Navigation:

Features & Functions
Documentation and help
  Inconsistently applied to nodes
  Need to have SAP Script turned on for certain types of documentation.
Auditors may append notes to nodes.
Auditors may display programs and variants for the nodes.
Indicates SAP functionality called by nodes.

Computer Exercise
Configuring Audit Information System Roles
Maintaining Audit roles and generating profiles
Assigning the audit roles to users.