AGENDA
• Introduction
• Curricula Map P_ADM_SEC_70
• ADM940 ABAP AS Authorization Concept
• Goals
• Content
S_USER_TCD PFCG
S_USER_PRO *
S_USER_AUT *
S_USER_GRP *
Exercise 2
Authorization Checks in the SAP System
Authorization Checks at Transaction Start
Authorization Check in the Program
Return codes for the authority-check
• 12: The user does not have any authorizations for the authorization object.
S_USER_GRP
S_USER_PRO
S_USER_AUTH
S_USER_AGR
S_USER_TCD
S_USER_VAL
Additional measures
• System passwords
• Database accesses
• Transport system
User Master Record: Address Data
Tab Page: Logon Data
SAP User Types*
Tab Page: Defaults
Tab Page: Parameters
Tab Page: Roles
Tab Page: Profiles *
Predefined profiles
SAP_ALL
SAP_NEW
Tab Page: Personalization
Tab Page: License Data
Mass Changes
Change Documentation and Archiving
Exercise 4
Working with the Profile Generator
The Profile Generator
The Profile Generator: Process Steps
Maintenance views for Profile Generator*
Process Steps: Defining Role Names
Defining the Role Name and Description
Process Step: Define Activities
Defining Activities
Process Step: Structuring Role Menus
Creating and Structuring Menus
Process Step: Maintaining Authorization Data
Maintaining Authorization Data
Manual Insertion of Authorizations
Process Step: Generating the Authorization Profile
Generating the Authorization Profile
Process Step: Assigning Users
Assigning Users to Roles
Process Step: Comparing the User Master Record
Comparing the User Master Record*
Exercise 5
Special PFCG Roles
Customizing Roles
Composite Roles*
Menus of Composite Roles
Building Composite Role Menus
Derived Roles
Menus of Derived Roles
Exercise 6
Authorization Maintenance: Traffic Light Legend *
Authorization Maintenance: Icon Legend
Authorization Maintenance: Status Texts *
Exercise 7
Profile Generator: Installation and Upgrade
Checking Profile Parameter
auth/no_check_in_some_cases*
Where do the Default Values Come From?
Initial Fill of the Default Tables *
Optional: Adjusting Check Indicators
Upgrade Profile: SAP_NEW
Exercise 8
Access Control and User Administration
Password Rules
Password Checks with System Profile Parameters 01
Password Checks with System Profile Parameters 02
Special Users
Authorization Check for Transaction Start
Table Maintenance Authorization
Table Maintenance Authorization (Cross-Client)
Row-Oriented Authorizations for Tables
ABAP: Program Flow Check
Authorization Objects: Users
Authorization Objects: Roles
Authorization Objects: Profiles and Authorizations
Segregation of Duties
Decentralized User Administration
Authorization Management: Scenario 1
Authorization Management: Scenario 2
Authorization Management: Scenario 3
Exercise 9
Analyzing Authorization Checks
SU53 Authorization Error Analysis
Authorization Trace ST01
Information System
Audit Information System
Excerpt from the search results “SAP*AUDITOR*” in role maintenance
Exercise 10
Transporting Authorization Components
Transporting User Master Records
Transporting Roles Without Central User Authorization
Transporting Roles With Central User Authorization
Transporting Check Indicators
Exercise 11
Central User Administration (CUA)
Decentralized User Administration
Central User Administration*
What Can be Distributed?
Setting Up CUA
Setup of the Central User Administration*
Integration of Existing Systems
Copying User Master Records
Central User Maintenance*
Exercise 12
Integration into Organizational Management
Structure of an SAP Organizational Management
Organization Plan Object Types
• Organizational unit
• Position
• Job
• Task
Organization Plan User Interface
Simple Maintenance of an Organizational Plan
Creating an Organizational Plan in Simple Maintenance*
Step 2: Creating Additional Organizational Units
Step 2: Editing the Organizational Structure
Step 3: Creating Jobs
Step 4: Creating Positions
Step 5: Assigning Tasks
Step 6: Assigning Holder
Agent Assignment View (Role)
Indirect User Assignment Reconciliation
User master record comparison
Exercise 13
ADM950
Secure SAP System Management
Goals
Identify and protect sensitive data and mechanisms in live solutions
based on SAP NW AS
• Who is attacking?
• Trace tools
• General system
SAP_AUDITOR_ADMIN
• Copy the roles and create users using your own naming convention.
• Set up the online help with a link to the documentation server.
• Maintain selection variables for business reports.
• Activate a user exit for downloading data from SAP Financials.
Preparatory Work
Using AIS from a System Audit Perspective
Security audit log*
Location : rsau/local/file..
Instance parameters
• Verify that the CCMS alert monitor is being used to monitor security issues.
Standard ISO 17799 for the area of information security. It was developed
by the British Standard Institute (BSI) in 1995 and was called BS 7799. It
provides best practices for guidelines, methods and processes, as well as roles
and responsibilities, for ensuring that information in a company is sufficiently
secured.
Related Standards*
• Application logging
• Logging workflow execution
• Logging using change documents
• Logging changes to table data
• Logging changes made using correction and transport system
• Logging changes made to user and authorization information
Application Log
Logging Webflow Execution
Logging Change Documents
Table Logging*
Table Logging parameters*
Role
Profiles
Authorizations
Authorization Objects
Transactions
Comparisons
Comparison Report Across Systems
Comparison Report SUIM
System Trace Tool
Securing SAP Standard Users
SAP recommends that you deactivate SAP* and define your own super user (logon/no_automatic_user_sapstar).
DDIC
EARLYWATCH
Specifying and Reviewing Password Exceptions
table USR40
Preconditions:
1. The system has to be connected to the SAP Solution Manager
2. The system needs the support plug-ins ST-PI and ST-A/PI
3. Implementation of SAP Note 696478
4. Implementation of SAP Note 873038 if customer-specific checks should be created (only for ST-A/PI 01F*)
ST14 Download
The Questionnaire
4. Completing the Questionnaire for the Service Session
The Service Session- Action Item List
5. Include the ST14 download in your analysis session and create the service report
Customer Report: Check Example
Securing Production Systems
Change Management and Security
Recommended Three-Tier System Landscape
The three-tier system landscape security advantages
• You make sure that changes take place in only one location, namely the
development system.
• You can thoroughly test changes in a separate QA system before they take effect
in your production system.
• You control the point in time when changes take effect in the production
system.
• Each SAP system can have its own landscape (SAP ECC, SAP BI,
SAP CRM)
Transports
In general, the following individual activities are involved in transport in SAP systems:
2. Review the log files to make sure that the export was successful. If errors occur, you need to correct them before continuing.
3. Import the SAP system objects into the database of the target system.
5. Test your imports thoroughly. If errors occur, repair the objects in the source system and re-export them into the QA system.
Roles and Responsibilities
Certain security-relevant configurations are contained in the following system profile files
(for example, the profile parameters login/no_automatic_user_sap* or
login/fails_to_user_lock).
• usr/sap/<SID>/sys/profile:
• S_BTCH_JOB
• S_BTCH_NAM
• S_BTCH_ADM
• S_RZL_ADM
Users Creating Background Jobs
Here are some reasons to use specific user IDs for background jobs:
• User ID is stable; the user never changes jobs or departments.
• When using a System user ID, the password does not have to be reset.
• ABAP program
• External command
• External program
External commands can include any command that you would normally execute at the operating system level.
Restrict Authorizations for Maintaining External Commands SM69
Restrict Authorizations for Executing External Commands SM49
Authorization Object External Commands
Object S_ICF
Values
Field DEST
Field CHECK
Transaction RSRFCCHK
Parameter auth/rfc_authority_check
• 0 = No authorization check
• Default
• SAP_BC_ENDUSER
• SAP_USER_B
Authorization Object S_ADMI_FCD
• Spool Administration
• SAPForms Administration
• System Monitoring
SAP_BC_BASIS_ADMIN
• Note all users who can look at the data of spool requests for all users (S_ADMI_FCD and S_SPO_ACT).
Content
• Network Security in an SAP Landscape
• Network Topology
• SAProuter
• SAP Web Dispatcher
• Understanding Authentication
• Authentication
• Authorizations
• Confidentiality
• Integrity
• Non-repudiation
• Availability
Security Threats
Threats in Client-Server Communication
Communication in open Networks
Threats
Threats in the digital world are similar to threats in the real world but are dangerous because attacks can be:
• Automated
• Executed remotely
• Performed by people with little knowledge of technology
Security Safeguards
Types of Security Safeguards
Safeguards (Technical)
Security Policies
Security Implementation Cycle
Risk analysis - Activities
• Measure the associated risk of a threat and the cost of securing your system against the risk. As a result, you can make a cost-benefit analysis.
SAP Solutions and Applications
SAP Business Suite
The SAP Business Suite provides:
• High scalability
The SAP GUI for Windows security module has three status levels:
• Disabled
• Customized
• Strict Deny
Administration of Security Settings registry
To create a rule file as an administrator, use the rule editor in the Security node of the Options dialog. The administrator then needs to copy the generated saprules.xml file from the file system directory %APPDATA%\SAP\Common to the location specified in the registry value.
SAP GUI for Windows 7.20: Security Rules
Exercise 3
User Security in SAP Systems
Controlling access (questions)
• PFCG
• SU01
Authorization objects user master records
The Config tool allows you to create new User Types (Security Policy Profiles)*
AS ABAP Users and Authorization
Authorization Objects
Role Maintenance
Password Management in AS ABAP
Password Control with System Profile Parameters 1/2
Password Control with System Profile Parameters 2/2
Security of the password hashes (actions)
• The most important parameters can be changed in the UME Configuration UI.
SAP applications use the secure storage to store passwords:
• RFC destinations
• ICF services
• SAPphone
• SAPconnect
• Analyze all system trust relationships between ABAP systems using transactions
SMT1 and SMT2. Identify the trust relationships in which systems of higher
security classification trust systems of lower security classification (e.g. test to
production, or development to production). Remove this system trust wherever
possible.
• Identify RFC destinations with stored user credentials from systems of lower
security classification to systems of higher security classification (using report
RSRFCCHK). The stored credentials should be removed wherever possible. This
way, user authentication is enforced for every access.
• Create a list of RFC destinations with stored credentials and ensure that user
accounts have minimum authorizations (especially not SAP_ALL) assigned in the
destination target and that the user type is set to SYSTEM.
Trusted Relationships Between AS ABAP based SAP Systems*
Trusted relationships between SAP systems have the following advantages*
• Create secinfo and reginfo ACL files manually or with the tool. (SAP Notes 1408081: Basic settings for reg_info and sec_info and 1425765: Generation of sec_info reg_info prxy_info)
Advantages:
SUIM
User Information System: Transaction SUIM
System Trace: Special Recording
Alert Monitor
Alert Monitor: Alert Monitoring Tree
Exercise 6
Secured SAP Connections
Security Audit Log: Security Audit Profile Parameters
Security Audit Log: Audit Log Transaction SM20N
Security Audit Log: Audit Log Details
AS Java Security Audit Log