AMI Security Policies & Procedures

Security & Controls

I. AMI Security Approach....................................................................................2 II. Establish the Development Environment Security Settings.........................................4 III. SAP Access Policies & Procedures......................................................................

I. AMI Security Approach A. !b"ective

The objective of this AMI Security Approach document is to demonstrate how the security configuration will be implemented and assign and maintain security roles and profiles for the project team members. This is to ensure the access control standards are in place and followed.

#. Policies & Procedures

The SA Authori!ation Concept will be utili!ed to secure access to the system.

Creating user accounts is accomplished via the "ser Maintenance #S"$%& transaction.
The rofile 'enerator # (C'& will be utili!ed to create )oles that reflect project responsibilities performed by project team members. Manual rofiles will also be used to secure access to the system for project team members. The )oles and rofiles will be assigned to individual "ser I*+s, user I*s will not be shared. -o default access will be given to project team members, users will have access only to the specific functions within the SA application as re.uired based on their job responsibilities.

$. Access $ontrol Management

The Security and /asis teams will be responsible for developing and monitoring application security0 creating and processing access re.uests. The users on all SA clients will be monitored on a regular basis to ensure that all users are approved and that access is authori!ed. 1nly the Security and /asis teams will be responsible for creating and updating user master records and security rofiles.

D. %oles & Pro&iles &or Pro"ect Members

This section lists the security roles that have been identified for team members and the related )oles and rofiles that will be granted for the roles in the project. The appropriate security access is achieved by assigning one or more roles to each team member. IS-U Development (AMU) Client 770 (Development and Configuration) Team Member Roles A/A *eveloper /asis Administrator (unctional Configuration (unctional "ser #All Application access& Security Administrator Roles / Profiles to Assign *eveloper )ole0 *isplay *eveloper )ole0 *isplay Application )ole /ASIS Admin )ole Configuration )ole0 *isplay Application )ole0 *isplay *evelopment )ole *isplay Application )ole0 2nd "ser )oles Security Admin )ole

CRM Development (AMZ) Client 770 (Development and Configuration) Team Member Roles A/A *eveloper /asis Administrator (unctional Configuration (unctional "ser #All Application access& Security Administrator Roles / Profiles to Assign *eveloper )ole0 *isplay *eveloper )ole0 *isplay Application )ole /ASIS Admin )ole Configuration )ole0 *isplay Application )ole0 *isplay *evelopment )ole *isplay Application )ole0 2nd "ser )oles Security Admin )ole

I Development (AMI) Client 00! (Development and Configuration) Team Member Roles A/A *eveloper /asis Administrator (unctional Configuration (unctional "ser #All Application access& Security Administrator Roles / Profiles to Assign *eveloper )ole0 *isplay *eveloper )ole0 *isplay Application )ole /ASIS Admin )ole Configuration )ole0 *isplay Application )ole0 *isplay *evelopment )ole *isplay Application )ole0 2nd "ser )oles Security Admin )ole

E. %ole $hange Management Process

Security & Controls

%454654$%3

/ *esign *ocs

<alidate <alidate S** S** and and Security Security )ole )ole design design

"nit "nit Test Test

Sign91ff Sign91ff

Security Security *esign *esign *ocument *ocument #S**& #S**& End User Role Design Process

>es

-o
Changes= Changes= Changes= Changes=

-o 'roup 'roup authori!ations0 authori!ations0 navigations navigations and and content content logically logically to to map map to to position position

>es

*esign *esign /usiness /usiness )oles )oles and and Authori!ation Authori!ation )oles )oles

Configure Configure /usiness /usiness )oles )oles and and (C' (C' )oles )oles

Changes to roles must be approved by the project team and tested by a member of the project team. If a transaction is added to a role that transactions must be tested. If any transactions are removed from the role all remaining transactions in that role must be retested to ensure that the role is still wor7ing correctly. Any roles that have no transactions in them will be deleted.

II. Establish the Development Environment Security Settings A. Security 'aming $onvention
8ell9designed and organi!ed naming conventions provide much needed information and documentation for the Security Administrator. Consistent compliance with defined naming standards leads to more efficient0 effective0 organi!ed0 and cohesive security. (or the AMI project a standardi!ed naming convention will be used for each of the following objects: %. )oles 4. rofiles 3. ositions5;obs #composite roles& 6. Custom )eports0 Transactions0 Interfaces0 Authori!ation 1bjects0 and 2nhancements

Roles and Profiles

)ole names are limited to 3$ characters in length. rofiles are generated from roles but are limited to only %$ freely associated characters. It is critical to always follow the defined naming standard for profiles, otherwise they will be assigned a randomly generated internal number0 beginning with T90 from SA 0 which can not be easily be renamed. It is considered best practice to synchroni!e the naming of the role and profile where possible to ease security maintenance and create greater visibility into authori!ations. /elow is the proposed naming convention to be used the AMI project.

Customer and Vendor Role Naming Standards

Customer and <endor roles are a collection of transactions re.uired by business users to perform their regular business functions. These roles may be up to 3$ characters in length. /elow is a sample naming convention for Customer and <endor roles.

Security & Controls

%454654$%3

*/+/S System Identifier

" rocess Indicator

""" Three letter uni.ue identifier

# Separator

"""" (our letter identifier

The %st character0 identifies the object as a AMI9defined Customer5<endor role o 2 ? 2CC 2nd "ser role o C ? C)M 2nd "ser role o ? I 2nd "ser )ole The 4nd character identifies the rocess Indicator o @ ? @) Team o ( ? (inance & reporting Team o ? rocure to payment Team o * ? Construction & *evelopment team The 3rd through Ath character identifies a uni.ue code for 2nd "ser roles for e.g. 3$%0 3$40 4$% The Bth character will use underscore#C& as a separator The Dth through %$th characters will be used to define a meaningful code #e.g. $$$$ for Master roles and %$%$ for a derived role with company code %$%$ restriction&

SAP Technical Role naming Standards

Customi!e d rofile ! Separator """ /rief description for -on9 roduction )oles or a numbering scheme for roduction end9 user roles # Separator """ $% to &%' System I* #*2<0 EAS0 )3T0 etc.&

)ole names can be up to 3$ characters in length0 the first %$ of which will be identical to the rofile nameF.

The %st character0 G0 identifies the object as a custom AMI defined )ole The 4nd character will use a colon #:& as a separator. The 6th through Bth characters identify a brief description of the technical role for the non9production environments #i.e. S2C for security0 C(' for Configuration0 *2< for *evelopment&. The D th character0 an underscore #C&0 is used as a separator The Hth through%$th characters represent the System I* that the technical role will be assigned in #i.e. AMI0 AM"0 AMG0 etcI&

SAP Com(osite Role $)ob' Naming Standards ;obs are a collection of individual roles and may be up to 3$ characters in length. /elow is a sample naming convention for ;obs #Composite )oles&. , Customi!ed Composite )ole ! Composite )ole Type """ System I* """"""" *escription of ;ob

Security & Controls

%454654$%3

The %st character0 >0 identifies the object as a AMI9defined job #composite role& The 4nd character identifies the separator The 3rd character identifies the system I* i.e. AM"0 AMG0 AMI The 6th through 3$th characters will be used to define a meaningful job description #e.g. Configuration&

#. Super (ser IDs

This procedure establishes how the **IC and SA F super user I*s will be used in development SA systems. The procedure has been developed in order to maintain controls in these environments. The approach will be to change the password for **IC and SA F and loc7 SA F in all clients. The **IC I* cannot be loc7ed0 since it is used to support some critical system functions. /oth **IC and SA F I*s will be maintained by the Security Team. In general0 **IC and SA F should not be used in development clients.

$. Assignment o& SAP)A** and SAP)'E+

SA CAJJ and SA C-28 profiles provide access to all SA (unctionality. 'enerally0 this access is restricted to Super "ser I*s0 which are controlled by the Security Administrators and given out to the roject Team on an emergency basis. The following Super I*s eKist in the systems and are assigned SA CAJJ or SA C-28 in *evelopment: -ser I. **IC5SA F **IC5SA F **IC5SA F **IC5SA F /ull Name 2mergency I* **IC5SA F 2mergency I* **IC5SA F 2mergency I* **IC5SA F 2mergency I* **IC5SA F SA SA SA SA SA SA SA SA Profile CAJJ5SA CAJJ5SA CAJJ5SA CAJJ5SA CAJJ5SA CAJJ5SA CAJJ5SA CAJJ5SA C-28 C-28 C-28 C-28 C-28 C-28 C-28 C-28

Also0 several System I*s used by the /asis Team to perform batch processing have SA CAJJ and SA C-28 assigned. 1ne cannot log on with the System I* directly into SA . The following System I*s eKist in the systems and are assigned SA CAJJ or SA C-28 in *evelopment: -ser I. AJ2)2M1T2 /ASIS/ATC@ /ull Name S>ST2M I* /atch I* for /asis Profile SA CAJJ5SA C-28 SA CAJJ5SA C-28

A*S"S2) /ATC@CIIn general0 project team members do not have SA CAJJ and SA C-28 assigned in *evelopment. An eKception can be made for project team members0 including several SA /asis team members0 who re.uire significant access to the system at all times. This eKception should be based on a decision by rogram Management.

Security & Controls

%454654$%3

D. Security %eports &or the Development Instances

Standard SA pac7age reports are used to eKecute security monitoring for the development environment in accordance with the *evelopment 2nvironment Security rocedures. Programs and Re(orts Re(ort )SA*)CL4 )@M1<23$ )SCJAS*" )SCJAC1 )SCSA"T@ )S A)AM )S"S)$$$ )S"S)$$% )S"S)$$4 )S"S)$$4CA**)2SS )S"S)$$3 )S"S)$$6 )S"S)$$A )S"S)$$B )S"S)$$D )S"S)$$H )S"S)$$M )S"S)$%$ )S"S)$%4 )S"S)$4$ )S"S)$3$ )S"S)$6$ )S"S)$A$ )S"S)$B$ )S"S)$B% )S"S)$D$ )S"S)%$$ )S"S)%$% )S"S)%$4 )S"S)4$$ )S"S)3$3 0ia SA%1 or S*%1 .escri(tion Mass "pdate "sers w5o Address #Central Address Management& Manual Transport Jin7 *isplay Jist of Client9Independent Tables Copy auths0 profiles0 users between clients in an instance Auth groups on programs rofile 5 system arameters Current Active "sers Info system authori!ations Jists of users according to compleK selection criteria "ser according to address data Chec7 the asswords of "sers SA F and **IC in All Clients )estrict "ser <alues to the (ollowing Simple rofiles and Auth. 1bjs. Jist of "sers 8ith Critical Authori!ations Jist of "ser Master )ecords Joc7ed *ue to Incorrect Jogon Jist "sers 8hose Address *ata is Incomplete Critical Combinations of Authori!ations at Transaction Start Jist of "sers 8ith Critical Authori!ations Transaction Jists According to Selection 8ith "ser0 rofile or 1bject Search authori!ations0 profiles and users with specified object values Jist rofiles by CompleK Selection Criteria Jist Authori!ations According to CompleK Selection Criteria Jist Authori!ation 1bjects by CompleK Selection Criteria Comparisons 8here9used lists 2nter Authori!ation (ields Jist of Activity 'roups According to CompleK Selection Criteria (or user (or profiles (or authori!ations Jist of "sers According to Jogon *ate and assword Change Save Table TSTCA in TSTCACC and (ill TSTCA with SA Tcode

AJ$H

S"IM

S"IM S"IM S"IM

S"IM S"IM S"IM S"IM S"IM S"IM

S"IM S"IM S"IM S"IM

Security & Controls

%454654$%3

)S"S)3$6 )S"S)6$$ )S"S)6$% )S"S)6$4 )S"S)6$3 )S"S)6$6 )S"S)6$A )S"S)6$B )S"S)6$BC1J* )S"S)6$H )S"S)6$M )S"S)64% )S"S)A$$ )S"S)MMH )S"S)2NTI*

1bject SCTC1*2 )eload Table TSTCA (rom Table TSTCACC Test 2nvironment Authori!ation Chec7s #SA Systems 1nly& )eport to give all SA C IC users profile SCA.C IC *ownload user data for CA manager from Secude Assign rofile SCA.C IC to "ser SA C IC in Current Client Conversion rogram for Authori!ations of /asis *evelopment 2nvironment )eset all user buffers in all clients #uncritical& Automatically 'enerate rofile SA CAJJ Automatically 'enerate rofile SA CAJJ N )A: Conversion of "S1/N91L(JA'0 "S1/N9 M1*I(I2* for upgrade tool S"4B Transfer all translated titles to generated transaction codes Clean9up report: TSTC9CI-(1 if no chec7 in TSTCA "ser Administration: Compare "sers in Central System Call )eporting Tree Info System Set the 2Kternal Security -ame for All "sers

III. SAP Access Policies & Procedures A. !btaining Access to SAP

Ne2/Modified Accounts A SAP Non3Production Access Re4uest /orm has been established5 Instructions around re4uest submission and approval is documented in the re.uest form #see embedded re.uest form below& along with a list of authori!ed approvers and system owners.

#. %emoval o& SAP (ser Access

Members of the AMI project team will need to notify the security administrator if anyone has left the project and no long re.uires access. The I* will be loc7ed but not deleted. The security administrator will periodically review user I*s for I* that appear to be inactive.

$. SAP Access Problems

All SA access problems should be reported to the Security Administrator. 8hen reporting an access problem0 provide the menu path0 transaction code and the authori!ation error message details. To obtain the error message details0 run transactions S"A3 when the authori!ation error appears at the bottom of

Security & Controls

%454654$%3

the screen. The system will display the following information: Authori!ation 1bject0 Authori!ation needed0 and Authori!ation available for the "ser.

Security & Controls

%454654$%3