
Course: NetWeaver Security with SAP NetWeaver

AGENDA
• Introduction
• Curricula Map P_ADM_SEC_70
• ADM940 ABAP AS Authorization Concept
• Goals
• Content
• ADM950 Secure SAP System Management
• Goals
• Content
• SAP NetWeaver AS – Security
• Goals
• Content
Curricula Map P_ADM_SEC_70
ADM940 ABAP AS Authorization Concept
Goals

• Learn about the elements, strategies, and tools of the SAP authorization concept
• *Create and assign authorizations using the Role Administration / Profile Generator
• Principle usage of the Central User Administration (CUA)

*Not included in the course


ADM940 ABAP AS Authorization Concept
Content
- Introduction - Elements of the SAP authorization concept
- User master record
- *Using the Role Administration/Profile Generator (roles, composite roles, reference roles, derived roles, Customizing roles)
- *Profile Generator: installations and upgrades
- *Access control and user administration (password rules, special users, user and authorization administration)

*Not included in the course


ADM940 ABAP AS Authorization Concept
Content
- Trace/analysis and monitoring functions
- Troubleshooting and Administration Aids and Special authorization components
- Transport of authorization components
- Central User Administration (CUA); Integration with organizational management, with reference to an example (without structural authorization in HR)
Authorizations in General
SECURITY OVERVIEW
SAP SECURITY LEVELS
System Access Control and Role-Based Access Control
User, Roles and Authorizations
Technical Implementation of Roles
SAP Easy Access - User-Specific Menus
Creating and Implementing an Authorization Concept
Implementation Methods and Authorizations
Role and Authorization Concept: Steps
Step 1: Preparation
Working Party for Roles and Authorizations
Step 2: Analysis & conception
Technical Conception: Role Implementation (1)
Analysis: Determining User Roles
Conception: Completing User Roles (1)
Conception: Completing User Roles (2)
Step 3: Implementation
Step 4: Quality assurance & tests
Step 5: Cutover
Strategy for User and Authorization Administration
Organization of User and Authorization Administration
Exercise 1
Elements and Terminology of the Authorization Concept (ABAP)
Overview of the Elements of the SAP Authorization Concept
Authorization Fields, Objects, Object Classes
Authorization
Authorizations and Authorization Profiles
Roles and Authorization Profiles
Roles and the Easy Access Menu
Authorizations for Admin Roles

Authorization object    Value
S_USER_TCD              PFCG
S_USER_PRO              *
S_USER_AUT              *
S_USER_GRP              *
Exercise 2
Authorization Checks in the SAP System
Authorization Checks at Transaction Start
Authorization Check in the Program
Return codes for the AUTHORITY-CHECK

• 0: The user has the authorization for the authorization object with the correct field values.
• 4: The user has an authorization for the authorization object, but the values checked are not assigned to the user.
• 12: The user does not have any authorizations for the authorization object.
• 16: No profile is entered in the user master record.


User Buffer
Exercise 3
Maintaining and Evaluating User Data
Components of the User Master Record
Objects to maintain user master records

S_USER_GRP
S_USER_PRO
S_USER_AUT
S_USER_AGR
S_USER_TCD
S_USER_VAL
Additional measures

• Secure communication in the network (Secure Network Communication, SNC)
• Secure data formats (Secure Store and Forward, SSF)
• Security in the Internet
• System passwords
• Database accesses
• Transport system
User Master Record: Address Data
Tab Page: Logon Data
SAP User Types*
Tab Page: Defaults
Tab Page: Parameters
Tab Page: Roles
Tab Page: Profiles *
Predefined profiles
SAP_ALL
SAP_NEW
Tab Page: Personalization
Tab Page: License Data
Mass Changes
Change Documentation and Archiving
Exercise 4
Working with the Profile Generator
The Profile Generator
The Profile Generator: Process Steps
Maintenance views for Profile Generator*
Process Steps: Defining Role Names
Defining the Role Name and Description
Process Step: Define Activities
Defining Activities
Process Step: Structuring Role Menus
Creating and Structuring Menus
Process Step: Maintaining Authorization Data
Maintaining Authorization Data
Manual Insertion of Authorizations
Process Step: Generating the Authorization Profile
Generating the Authorization Profile
Process Step: Assigning Users
Assigning Users to Roles
Process Step: Comparing the User Master Record
Comparing the User Master Record*
Exercise 5
Special PFCG Roles
Customizing Roles
Composite Roles*
Menus of Composite Roles
Building Composite Role Menus
Derived Roles
Menus of Derived Roles
Exercise 6
Authorization Maintenance: Traffic Light Legend *
Authorization Maintenance: Icon Legend
Authorization Maintenance: Status Texts *
Exercise 7
Profile Generator: Installation and Upgrade
Checking Profile Parameter
auth/no_check_in_some_cases*
Where do the Default Values Come From?
Initial Fill of the Default Tables *
Optional: Adjusting Check Indicators
Upgrade Profile: SAP_NEW
Exercise 8
Access Control and User Administration
Password Rules
Password Checks with System Profile Parameters 01
Password Checks with System Profile Parameters 02
Special Users
Authorization Check for Transaction Start
Table Maintenance Authorization
Table Maintenance Authorization (Cross-Client)
Row-Oriented Authorizations for Tables
ABAP: Program Flow Check
Authorization Objects: Users
Authorization Objects: Roles
Authorization Objects: Profiles and Authorizations
Segregation of Duties
Decentralized User Administration
Authorization Management: Scenario 1
Authorization Management: Scenario 2
Authorization Management: Scenario 3
Exercise 9
Analyzing Authorization Checks
SU53 Authorization Error Analysis
Authorization Trace ST01
Information System
Audit Information System
Excerpt from the search results “SAP*AUDITOR*” in role maintenance
Exercise 10
Transporting Authorization Components
Transporting User Master Records
Transporting Roles Without Central User Authorization
Transporting Roles With Central User Authorization
Transporting Check Indicators
Exercise 11
Central User Administration (CUA)
Decentralized User Administration
Central User Administration*
What Can be Distributed?
Setting Up CUA
Setup of the Central User Administration*
Integration of Existing Systems
Copying User Master Records
Central User Maintenance*
Exercise 12
Integration into Organizational Management
Structure of an SAP Organizational Management
Organization Plan Object Types

• Organizational unit

• Position

• Job

• Task
Organization Plan User Interface
Simple Maintenance of an Organizational Plan
Creating an Organizational Plan in Simple Maintenance*
Step 2: Creating Additional Organizational Units
Step 2: Editing the Organizational Structure
Step 3: Creating Jobs
Step 4: Creating Positions
Step 5: Assigning Tasks
Step 6: Assigning Holder
Agent Assignment View (Role)
Indirect User Assignment Reconciliation
User master record comparison
Exercise 13
ADM950 Secure SAP System Management
Goals
Identify and protect sensitive data and mechanisms in live solutions based on SAP NW AS
Use the SAP Audit Information System to structure and conduct thorough security checks and configure important security monitoring mechanisms
Explain the features of SAP GRC Access Control
Configure standard SAP role maintenance tools to produce secure company-specific roles and authorization profiles
Implement and use the SAP Security Optimization Service (SSO)
Secure change management mechanisms in production system landscapes and protect system administration tools from misuse
Content
Introduction and overview
Configuring and using the SAP Audit Information System
Configuring and using the auditing, logging, and tracing tools provided by SAP
Overview SAP GRC Access Control (former Virsa Suite)
Configuring secure role and authorization maintenance
Secure system administration

Content
SAP Security Optimization Service (SSO)
Securing the change management process
Critical authorizations, authorization combinations, and authorization groups
Training Assessment on the course content
Secure system administration

SAP Systems
Secure Business in Open Environments
UME
Groups
SAP NetWeaver Identity Management components*
• Identity Center
• Configuration Data
• Logging
• Status Information
• Identity Store
• Provisioning
• Workflow States
• Data Synchronization Engine
• Operation Applications and repositories
• Virtual Directory Server
• Control Access
Netweaver Identity Management Architecture
SAP Services for Security
• Authorization protection
• Authority checks
• Role maintenance tool
• Authorization Information System
• Trace tools

• Auditing and logging

• Audit Information System


• Security audit log
• Application and table logs
Security policy

• Who is responsible for your IT security?

• What needs to be protected?

• Who is attacking?

• What is the risk?

• Which protection mechanisms are required?

• Which procedures are to be enforced?

• How much protection can you afford?


System security audit

• Audit Information System

• Authorization Information System

• System Audit Log

• Computer Center Management System Alerts

• Trace tools

• Role maintenance tool

• SAP solutions for GRC


Major Components of Role Maintenance Tool
Menu Portion of a Role
User Menu
Overview of Audit Information System
Audit Environment
The Audit Information System
Documentation in the User Menu
Business Audit
Audit Information System main areas

• General system

• Users and authorizations

• Repository and tables


Roles Provided by SAP for AIS
Audit Information System Roles

• Menu roles (SAP_AUDITOR*)

• Authorization roles (SAP_CA_AUDITOR*)


Menu versus Authorization Roles (2)
Roles for business audits

AIS Menu Roles Used for Business Audits
SAP_AUDITOR_BA_FI_GL – Closing
SAP_AUDITOR_BA_FI_AA – Tangible Assets
SAP_AUDITOR_BA_MM – Materials Management

AIS Authorization Roles for Business Audits
SAP_CA_AUDITOR_APPL – For applications (except SAP HR)

In addition to the business roles, SAP provides a composite role, which contains every role in the Audit Information System. That composite role is SAP_AUDITOR.
Setup Recommendations for AIS

SAP_AUDITOR_ADMIN

• Copy the roles and create users using your own naming convention.
• Set up the online help with a link to the documentation server.
• Maintain selection variables for business reports.
• Activate a user exit for downloading data from SAP Financials.
Preparatory Work
Using AIS from a System Audit Perspective
Security audit log*

The audit log's main objective is to record:

• Security-related changes to the SAP system environment (for example, changes to user master records)
• Information that provides a higher level of transparency (for example, successful and unsuccessful logon attempts)
• Information that enables the reconstruction of a series of events (for example, successful or unsuccessful transaction starts)
Security audit log RECORDS*

• Successful and unsuccessful dialog logon attempts

• Successful and unsuccessful RFC logon attempts

• Remote function calls (RFCs) to function modules

• Successful and unsuccessful transaction starts

• Successful and unsuccessful report starts

• Changes to user master records

• Changes to the audit configuration


Security Audit Logging
Profile Parameters audit log files

Location: rsau/local/file
Maximum size: rsau/max_diskspace/local (default size 1MB or 1000000 bytes)

Instance parameters

rsau/local/file – name of the security audit log
rsau/max_diskspace/local – maximum size for the file
Configuring Security Audit Filters
Profile Parameters for Setting Static Filters
Setting Dynamic Filters
Configuring Dynamic Audit Filters
Running the Security Audit Report
Reading the Security Audit Report (1)
Monitoring Alerts with the CCMS Alert Monitor

The CCMS alert monitor provides the following functions:
• Performs detailed monitoring
• Creates alerts and displays them with color values
• Provides analysis and auto-reaction methods, which can be assigned to specific elements in the CCMS alert monitor
• Allows you to view current alerts and the history of alerts
Security Monitor Template
Checklist for Verifying the Audit Log and CCMS Security Alerts
• Ensure the audit log is used as needed
• Ensure the analysis is being performed in transaction SM20N.
• Verify that the CCMS alert monitor is being used to monitor security issues.
• Ensure the following activities are being monitored:
– database backups
– critical file system freespace
– ABAP short dumps
– system log activity
– update processing failures
• Encourage the use of customized monitors to monitor specific areas that are critical to security. Customized monitors also enable you to monitor multiple systems.
Exercise 3
Governance Risk and Compliance
Pressure on security today*
SOX
Segregation of Duties
Responsibilities for SOX Requirements*
Segregation of Duties is a primary internal control intended to prevent or decrease
the risk of errors or irregularities by assigning conflicting duties to different
personnel.
Related Standards*
Best Practices in the IT Infrastructure Library (ITIL), or the standard which is based on this (ISO 20000). ITIL represents a universally applicable framework for optimal handling of processes in IT management.

Best Practices are based on the Central Computer and Telecommunications Agency (CCTA) 1989. ISO 20000 is the official standard for ITIL as of 2006.

Standard ISO 17799 for the area of information security. It was developed by the British Standard Institute (BSI) in 1995 and was called BS 7799. It provides best practices for guidelines, methods and processes, as well as roles and responsibilities, for ensuring that information in a company is sufficiently secured.
Related Standards*

Statement on Auditing Standard No. 70 (SAS 70). It was developed by the American Institute of Certified Public Accountants (AICPA) and was first published in 1992. The statement regulates that service providers have to provide proof during audits that they have set up suitable controls and protective measures to operate their customers’ systems securely and with stability.
Risks in distributed environments
Exercise 4
SAP solutions for GRC
SAP GRC Access Control: Implementation phases*
Risk analysis and remediation
Risk analysis and remediation cockpit*
Risk analysis and remediation is a Java-based solution which runs on an SAP NetWeaver J2EE server.
Enterprise role management
Enterprise role management Roles and Logs*

Auditable Role Definition
Real-Time Risk Assessment*
Automatic Role Creation
Superuser privilege management
Superuser privilege management- IDs
Compliant user provisioning
Compliant user provisioning Workflow
Exercise 5, 6
Controlling Changes by Examining Logs

• Application logging
• Logging workflow execution
• Logging using change documents
• Logging changes to table data
• Logging changes made using correction and transport
system
• Logging changes made to user and authorization
information
Application Log
Logging Webflow Execution
Logging Change Documents
Table Logging*
Table Logging parameters*

rec/client = ALL        logs all clients
rec/client = 000 [,...] logs the specified clients
rec/client = OFF        turns logging off

Changes to table entries coming within transports: rec_client for tp
Logging Changes Made Using the Change and Transport System
Review Change Logs for Users
HR Report
Exercise 7
Customizing the Role Maintenance Tools in SAP Solutions
How SU24 is Used
Default Authorizations: Many are Yellow
Manually Adding Authorizations
Example of When to Use SU24 (1)
Example of When to Use SU24 (2)
Example of When to Use SU24 (3)
Adjusting SU24 to Meet Your Needs
Reducing Authorization Checks in SU24
Exercise 8
Securing User and Group Administration
User Information System

The User Information System has the following components:

• User Overview – Find user IDs that are no longer used


• User – Find details on users
• Roles – Find details on roles
• Profiles – Find details on profiles
• Authorizations – Find details on a specific authorization
• Authorization objects – Find details on authorization objects
• Transactions – View by users, profiles, or authorizations
• Comparisons – Compare users in one system or across systems
• Where-Used List – Find where an authorization object is used
• Change documents – Change documents for users, profiles,
authorizations
User IDs with Initial Password (1)
User IDs with Initial Password (2)
Find User with Specific Authorization Values
Segregation of Duties for Purchasing
RSUSR008_009_NEW
SAP defaults for critical authorization data
Analyzing Users with Critical Authorizations
Variant for critical authorizations
Define critical combinations
Variant for critical combinations
Report RSUSR002
Reports

Role
Profiles
Authorizations
Authorization Objects
Transactions
Comparisons
Comparison Report Across Systems
Comparison Report SUIM
System Trace Tool
Securing SAP Standard Users

SAP recommends that you deactivate SAP* and define your own super user (profile parameter login/no_automatic_user_sapstar).

DDIC

EARLYWATCH
Specifying and Reviewing Password Exceptions
Table USR40

Managing Logon-related Profile Parameters


Checklist for Securing User and Group Administration
• Use the User Information System to research all issues related to specific user access.
• Encourage use of the segregation of duties report in the User Information System.
• If your company uses decentralized security, ensure the appropriate authorization objects correctly enforce the company policy.
Checklist for Securing User and Group Administration (Cont.)
• Review the profile parameter settings to ensure the settings enforce company policy.
• Ensure the SAP provided user IDs are appropriately protected.


Exercise 9, 10
SAP Security Optimization Self Service
SAP Solution Management Optimization - Service Offerings
What is it all about? *
Process Overview
SAP Security Optimization Service and Self Service – Overview
What Does the Self Service Offer
The Complete SAP Security Optimization Service*
Creation of the Service Session
ST13 Customer specific checks
2. Only if you want to add your own authorization checks: Check the definition of the customer-specific authorization checks
ST14 Download

3. Creation of the ST14 Download in the analyzed system

Preconditions:
1. The system has to be connected to the SAP Solution Manager
2. The system needs the support plug-ins ST-PI and ST-A/PI
3. Implementation of SAP Note 696478
4. Implementation of SAP Note 873038 if customer-specific checks should be created (only for ST-A/PI 01F*)
ST14 Download
The Questionnaire
4. Completing the Questionnaire for the Service Session
The Service Session- Action Item List
5. Include the ST14 download in your analysis session and create the
service report
Customer Report: Check Example
Securing Production Systems
Change Management and Security
Recommended Three-Tier System Landscape
The three-tier system landscape security advantages

• You make sure that changes take place in only one location, namely the development system.
• Your developers do not have access to production data.
• You can thoroughly test changes in a separate QA system before they take effect in your production system.
• You control the point in time when changes take effect in the production system.
• You can reduce accidental or unauthorized changes to production data by controlling when, from whom, and from which systems transfers take place.
• You can keep a record of changes for tracing or auditing purposes.
The Common Transport Directory

• Transport directory should be shared in a secure environment

• Only system administrator can execute imports

• Data should be archived regularly

• Each SAP system can have its own landscape (SAP ECC, SAP BI,
SAP CRM)

• A separate transport directory can be used for production


Using the TMS Quality Assurance Approval Procedure*
Setup of QA Approval Procedure
Defining Approval Steps

• Approval by request owner is set to inactive
• Approval by user department is set to inactive
• Approval by system administrator is set to active
Approval levels authorizations
System Change Option
Example of Client Changes on a Development System
Client Change Options for
Configuration/Development Client
Check the Transport Routes

Transports
In general, the following individual activities are involved in transport in SAP systems:

1. Release the change request to transport in transaction SE09 or SE10.
2. Review the log files to make sure that the export was successful. If errors occur, you need to correct them before continuing.
3. Import the SAP system objects into the database of the target system.
4. Review the log files created by the Workbench Organizer.
5. Test your imports thoroughly. If errors occur, repair the objects in the source system and re-export them into the QA system.
Roles and Responsibilities

• Team member or developer


• Project leader
• Transport administrator
• Quality Assurance team
Security checks before migrating a program from development to production:

• Link custom programs or table access to custom transaction codes.
• Include AUTHORITY-CHECK statements for all programs where the custom transaction code is not deemed sufficient protection.
• Ensure proper controls are in place if this custom program (or function module) accesses critical tables, such as financial documents or employee data.
Assign Transaction Codes to access Tables or Programs (SE93)
Authority-check
Authorizations for this critical object
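The return-code list in the ADM940 section (0, 4, 12, 16) and the pre-migration check above both come down to one thing: a custom program that reads a critical table must carry its own AUTHORITY-CHECK and react to every outcome, not only to sy-subrc = 0. The following ABAP report is an added example, not code from the course or from SAP. It checks S_TABU_DIS with authorization group SS and activity 03 (display), the values the course names for table T000, before reading the client table. The report name and the message texts are assumptions; the object and field names are the ones the course uses.

```abap
REPORT z_adm_authcheck_demo.
" Added example (not from the course material): explicit authority check
" in a custom report before reading the security-critical client table T000.
" Assumptions: the report is started via a custom transaction code, and the
" display access to T000 is governed by S_TABU_DIS with group SS / activity 03.

TYPES: BEGIN OF ty_client,
         mandt TYPE mandt,
         mtext TYPE mtext,
       END OF ty_client.

DATA: lt_clients TYPE STANDARD TABLE OF ty_client,
      ls_client  TYPE ty_client.

" Check at program level even though the transaction code is already
" restricted: the transaction start check alone is not sufficient protection.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'DICBERCLS' FIELD 'SS'
  ID 'ACTVT'     FIELD '03'.

CASE sy-subrc.
  WHEN 0.
    " Authorized with matching field values: perform the read.
    SELECT mandt mtext FROM t000 INTO TABLE lt_clients.
    LOOP AT lt_clients INTO ls_client.
      WRITE: / ls_client-mandt, ls_client-mtext.
    ENDLOOP.
  WHEN 4.
    " The user has S_TABU_DIS, but not for group SS with activity 03.
    MESSAGE 'Authorization for S_TABU_DIS exists, but not for group SS / activity 03' TYPE 'E'.
  WHEN 12.
    " The user has no authorization for S_TABU_DIS at all.
    MESSAGE 'No authorization for object S_TABU_DIS' TYPE 'E'.
  WHEN 16.
    " No profile is entered in the user master record (check the user buffer).
    MESSAGE 'No authorization profile in user master record' TYPE 'E'.
  WHEN OTHERS.
    " Any other value indicates a system or syntax problem; deny by default.
    MESSAGE 'Unexpected return code from AUTHORITY-CHECK' TYPE 'E'.
ENDCASE.
```

A failed check is visible afterwards in SU53 for the user and in the ST01 authorization trace, which is the quickest way to confirm that the check actually fires when the report is run under a test user without the SS group.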
Protecting Security-Critical Objects

There are certain security-critical objects in SAP systems, for example, the system profile parameter file or the system client table (table T000):

• System profile parameter files
• Table for maintaining system clients
• Other security-critical objects
Protecting the System Profile Parameter Files
Transaction RZ10

Certain security-relevant configurations are contained in the following system profile files (for example, the profile parameters login/no_automatic_user_sapstar or login/fails_to_user_lock).

The system profile files include the following:

• usr/sap/<SID>/sys/profile:
• Instance Profile: <SID>_<Instance>: Parameter profile for the application servers.
• Start Profile: START_<Instance>: Start script and parameters for the instance.
• Default profile: DEFAULT.PFL: Global profile file


Protecting the Table for Maintaining System
Clients (Table T000)
• Give maintenance access to system administrators only. The corresponding authorization object is S_ADMI_FCD.
• Define a process for creating and maintaining clients.
• Be aware that T000 can be updated via access to maintenance transactions SCC4, SM30 and SM31.
• Be aware that authorization object S_TABU_CLI with the value X enables access to cross-client tables such as T000.
• Anyone with authorization object S_TABU_DIS with the values 02 and 03 for the Activity field and the value SS for the Authorization group field can maintain T000.
Protecting Other Security-Critical Objects

Set of security-critical objects in table TMSTCRI

Emergency Changes in the Production System
Checklist for Change Management and Security

• Ensure Quality Assurance tests are done in a separate environment from production or development.
• Ensure the operating system that holds the change requests (/usr/sap/trans) is adequately protected by the system administrator. Some companies choose to implement a separate /usr/sap/trans just for production to enhance security.
• Be aware of access to S_TRANSPRT in a production environment.
• If change requests are supposed to be released by someone other than the requester, ensure S_TRANSPRT is set up to enforce this policy.
Checklist for Change Management and Security

• Be aware of everyone with S_CTS_ADMI because this enables imports into your production system.
• Confirm the process for approving change requests is consistent with company policy; use the SAP QA approval procedure when possible.
• Include AUTHORITY-CHECK statements in custom programs where the custom transaction code does not provide sufficient security. Ensure the assignment of transaction codes to provide access to certain tables.
• When legacy data is loaded into a development environment, ensure a process is in place to mask all sensitive data (financial data, employee personal data).
2006/Q2
Exercise 11
Securing System Administration Services in Production Systems
Controlling Program Development and Debugging
S_DEVELOP is the general authorization object for ABAP Workbench objects.
You use it to grant access authorizations for all ABAP Workbench components, which include the following:

• ABAP development tools
• ABAP Dictionary and Data Modeler
• Screen Painter and Menu Painter
• Function Builder
• Repository Browser and Info System
• SAP Smart Forms
Authorization object S_DEVELOP (DEBUG)
Secure Background Processing

Primary authorization objects

• S_BTCH_JOB
• S_BTCH_NAM
• S_BTCH_ADM
• S_RZL_ADM
Users Creating Background Jobs

For a user to schedule a background job, no special authorizations are required.

Sometimes an SAP transaction or report includes a menu path or button such as Execute in Background.

This enables the user to run the report in the background, which creates a background job.
User Scheduling a Report
User ID for Job Steps
Setting Up User ID for a Job Step
Define them as system users (non-dialog)

Here are some reasons to use specific user IDs for background jobs:
• User ID is stable; the user never changes jobs or departments.
• When using a System user ID, the password does not have to be reset.
• User ID is used only for background processing; no one can log on with this user ID.
• The user ID facilitates security administration and maintenance of the background schedule.
Authorization object S_BTCH_NAM
Users Monitoring Background Jobs
Administering Background Jobs
External Commands/Programs and Background Jobs

When creating a background job, one of the following job steps needs to be executed:

• ABAP program
• External command
• External program

If the background job is to use external commands or external programs, additional security is required.
Types of Job Steps
Secure Spool and Print Processing

When looking at spool and printing, you should check a few things:
• Ensure printers are correctly secured
• Ensure people can see only their spool requests
• Ensure the management of the physical printers and the spool system can be done only by the system administrators
• S_SPO_DEV: which printers can you print to
• S_SPO_ACT: actions you can take with spool requests
• S_ADMI_FCD: administering the spool system
System and spool authorizations
Securing Access to the Operating System

Examples of external commands include the following:

• Database backup tools such as brbackup
• Operating system environment commands
• List directories and space available at the operating system
• Execute saprouter

External commands can include any command that you would normally execute at the operating system.
Restrict Authorizations for Maintaining External Commands SM69
Restrict Authorizations for Executing External Commands SM49
Authorization object External Commands

Users who execute external commands need to have the authorization object S_LOG_COM in their user master records with the following fields defined:

• Command (name of external command)
• Opsystem (operating system for the command)
• Host (symbolic host name of target system)
Secure Desktop Downloads and Program File Input/Output S_GUI
Secure Communication Interfaces
Auditing RFC Destinations
Type of User in the RFC Destination
Current User in RFC Destination
Authorization for destination

Object S_ICF
Values: Field DEST, Field CHECK
Transaction RSRFCCHK
Parameter auth/rfc_authority_check

• 0 = No authorization check
• 1 = Authorization check active (no check for same user, no check for same user context and SRFC-FUGR) – This is the default setting.
• 2 = Authorization check active (no check for SRFC-FUGR)
• 9 = Authorization check active (SRFC-FUGR also checked)


RFC Connections and Transport Management System

The Transport Management System (TMS) uses RFC to communicate between systems in the TMS system landscape. To establish the optimal security for your landscape, you can use these possible scenarios:

• Default
• TMS Trusted Services
• Secure Network Communications

Default Scenario

• TMSADM is set up as the RFC user to use for those transport administration tasks that are not security-critical.
• TMSADM has only limited authorizations.
• By default the user TMSADM is set up as a Communications user with the profile S_A.TMSADM.
TMS Trusted Services Scenario

• Set up a trusted relationship between the TMS systems.
• Logon is granted based on this trust relationship, instead of having to log on with user ID and password.
• The user ID in the calling system must be identical to the user ID in the target system.
Basis Authorizations Required by Each User

• SAP_BC_ENDUSER
• SAP_USER_B
Authorization Object S_ADMI_FCD

• System Administration Functions
• Spool Administration
• SAPForms Administration
• System Monitoring
• Live Cache Administration

Values for S_ADMI_FCD

SAP_BC_BASIS_ADMIN

• NADM: Network administration (SM54, SM55, SM58, SM59)
• PADM: Process administration (SM50, SM51, SM04); intercept background job (debugging function in background job administration, transaction SM37)
• SM02: Authorization to create, change, and delete system messages
• SPAD: Authorization for spool administration in all clients
• T000: Create new clients

Guidelines for Securing System Administration
Services in Production
• You should be aware of anyone who has debug authorization in production. Activity 02 is prohibited!
• Most users do not need access to: S_BTCH_JOB, S_BTCH_NAM, S_BTCH_ADM, S_RZL_ADM, S_ADMI_FCD.
• S_ADMI_FCD is an authorization object that should be carefully guarded. While administrators need generous access to this object, most end users will need very limited access.
• Background jobs that run periodically should be set up with specific user IDs reserved only for background processing.
Guidelines for Securing System Administration Services in Production (cont.)

• SAP provides many roles and templates that can be used as a guideline of what users need. You can use those provided roles as a general guideline of system access a user may require.
• Users in RFC destinations should be Communications or System users. These user IDs should be reserved for use for the RFC destinations.
• Note all users who can look at the data of spool requests for all users (S_ADMI_FCD and S_SPO_ACT).
• Be aware of who can execute and create external commands (S_RZL_ADM and S_LOG_COM).
Exercise 12
ADM960 Security in SAP System Environments
Goals

• Raise awareness about security topics
• Improve security of your SAP NetWeaver AS based SAP Systems

Content
• Network Security in an SAP Landscape
• Network Topology
• SAProuter
• SAP Web Dispatcher
• Basic Security for SAP Systems
• Frontend Security
• User Security
• Interface Security (RFC, Gateway, ICM)
• Development Protection
• Security Patching
• Security Monitoring
Content (cont.)
• Cryptography Fundamentals
• Encryption
• Authentication and Digital Certificates
• Setting up Secure Network Communication (SNC)
• Setting up Secure Socket Layer (SSL)
• Understanding Authentication
• Configuring Single Sign-On

Computer Security: An Overview
Security awareness

The Computer Crime and Security Survey is conducted by CSI annually.

• Authentication

• Authorizations

• Confidentiality

• Integrity

• Non-repudiation

• Availability
Security Threats
Threats in Client-Server Communication
Communication in Open Networks
Threats

On the Internet, there are several threats to consider because there
are various components over which you have no control:

• Network components of the Internet Service Provider (ISP)
• DNS servers
• Landscape of the communication partner

Threats in the digital world are similar to threats in the real world
but are more dangerous because attacks can be:
• Automated
• Executed remotely
• Performed by people with little knowledge of technology
Security Safeguards
Types of Security Safeguards
Safeguards (Technical)
Security Policies
Security Implementation Cycle
Risk analysis - Activities

• Determine your security requirements with reference to availability,
confidentiality, and integrity of data.

• Identify the threats that could compromise your security.

• Determine the relevance of a threat to your company (vulnerability).

• After you know the risks, determine the measures or safeguards to
protect your system.

• Measure the associated risk of a threat and the cost of securing your
system against the risk. As a result, you can make a cost-benefit analysis.
SAP Solutions and Applications
SAP Business Suite
The SAP Business Suite provides:

• A complete spectrum of business solutions

• A technological infrastructure that combines openness and
flexibility with maturity and stability

• Interfaces for integrating non-SAP products

• Components that can be adapted to meet multiple business
requirements

• Numerous industry-specific functions


SAP Business Suite: Architecture
Industry Applications
Industry Applications (cont.)
Context of Applications and Components
SAP NetWeaver Application Server (SAP NetWeaver AS)
SAP NetWeaver AS offers

• A reliable and extensively tested runtime environment, which has
been developed further continuously over more than ten years

• A framework for executing complex business processes that meet the
highest security standards

• A reliable and user-friendly development environment

• Support for open standards, including HTTP, HTTPS, SMTP, WebDAV,
SOAP, SSL, SSO, X.509, Unicode, HTML, XML and WML

• High scalability

• Support for different operating system and database platforms

Installation Options

• SAP NetWeaver AS ABAP: Complete infrastructure in which
ABAP-based applications can be developed and used.

• SAP NetWeaver AS Java: Complete infrastructure in which
J2EE-compliant applications can be developed and used.

• SAP NetWeaver AS ABAP+Java (dual stack): Complete
infrastructure in which ABAP-based and J2EE-based
applications can be developed and used.
Historical development for the current SAP ERP Central Component (ECC 6.0)
Front-End Security
Front-End Security
SAP GUI for Windows 7.20: Security Settings

The SAP GUI for Windows security module has three status levels:

• Disabled

• Customized

• Strict Deny
Administration of Security Settings: registry key

[HKEY_LOCAL_MACHINE\Software\SAP\SAPGUI Front\SAP Frontend Server\Security]

To create a rule file as an administrator, use the rule editor in the Security node
of the Options dialog. The administrator then needs to copy the generated
saprules.xml file from the file system directory %APPDATA%\SAP\Common to
the location specified in the registry value.
SAP GUI for Windows 7.20: Security Rules
Exercise 3
User Security in SAP Systems
User Security in SAP Systems
Controlling access (questions)

• What are the tools for User Administration?

• Which standard users exist in an SAP system?

• Why are there different user types?

• In which way are authorizations assigned to users?

• How can an administrator protect user accounts with strong
passwords?

• How are passwords stored in the SAP system?


Tools for User Administration

User Administration AS ABAP

• PFCG
• SU01
Authorization objects for user master records

• S_USER_GRP: user master maintenance: assign user groups

• S_USER_PRO: user master maintenance: assign authorization profile

• S_USER_AUT: user master maintenance: create and maintain
authorizations
Central User Administration (CUA)
Identity Management*
Comparison between the CUA and SAP NetWeaver Identity Management*
Relationship between SAP NetWeaver Identity Management and the Central User Administration (CUA)*

• SAP NetWeaver Identity Management is the strategic solution
for managing identities in SAP and non-SAP environments

• SAP NetWeaver Identity Management can replace the CUA in
order to be able to also manage user IDs in the non-SAP system
landscape

• SAP will continue to support CUA in its current functionality
according to the SAP maintenance rules

• A connector from SAP NetWeaver Identity Management to CUA
is available
Standard Users
Standard Users in AS ABAP

Standard Users in AS Java

User Types in AS ABAP
User Types in AS Java*

The Config Tool allows you to create new user types (security policy profiles)*
AS ABAP Users and Authorization
Authorization Objects
Role Maintenance
Password Management in AS ABAP
Password Management in AS ABAP
Password Control with System Profile Parameters 1/2
Password Control with System Profile Parameters 2/2
Security of the password hashes (actions)

• Restrict access to tables containing password hashes (USR02, USH02
and, in later releases, USRPWDHISTORY) by changing the table
authorization group of these tables. Non-administrative users must not
have access to this new table authorization group.

• Activate the latest password hashing mechanism (code version)
available for your release. Downward-compatible password hashes should
not be stored in releases 7.0 and higher.
Activate the latest hashing
Password Rules in AS Java
• Password rules in AS Java are controlled by UME parameters.

• The most important parameters can be changed in the UME Configuration UI.

SAP applications use the secure storage to store passwords:

• Web Service Security

• RFC destinations

• ICF services

• CTS (Correction and Transport System)

• SAPphone

• SAPconnect

• GRMG (Generic Request and Message Generator)

Interface Security in SAP Systems
Product Overview
RFC Connections
The SAP System as an RFC Client
Several connection types (partner system/program) are possible:

• R/2 connections: Partner system is an R/2 System.

• R/3 connections: Partner system is a different SAP System.

• TCP/IP connections: Partner is an external RFC program based on
TCP/IP.
ABAP RFC Communication Recommendations
Security measures to mitigate the risk of unauthorized access via RFC destinations

• Analyze all system trust relationships between ABAP systems using transactions
SMT1 and SMT2. Identify the trust relationships in which systems of higher
security classification trust systems of lower security classification (e.g. test to
production, or development to production). Remove this system trust wherever
possible.

• Identify RFC destinations with stored user credentials from systems of lower
security classification to systems of higher security classification (using report
RSRFCCHK). The stored credentials should be removed wherever possible. This
way, user authentication is enforced for every access.

• Create a list of RFC destinations with stored credentials and ensure that user
accounts have minimum authorizations (especially not SAP_ALL) assigned in the
destination target and that the user type is set to SYSTEM.
Trusted Relationships Between AS ABAP based SAP Systems*
Trusted relationships between SAP systems have the following advantages*

• Single Sign-On is possible beyond system boundaries.

• No passwords are transmitted in the network.*

• A timeout mechanism protects against replay attacks.

• User-specific logon data is checked in the trusting system.

Categories of RFC Communication
The following security measures should be taken to protect the SAP gateway

• Verify the minimum SAP kernel patch levels (SAP Note 1298433: Bypassing security in
reginfo & secinfo).

• Set profile parameters gw/sec_info, gw/reg_info and gw/reg_no_conn_info (SAP Notes
1408081: Basic settings for reg_info and sec_info, and 1444282: gw/reg_no_conn_info
settings).

• Create secinfo and reginfo ACL files manually or with the tool (SAP Notes 1408081:
Basic settings for reg_info and sec_info, and 1425765: Generation of sec_info reg_info
prxy_info).

• Reload the ACL files dynamically on each application server to activate changes.

• If necessary, missing configurations can be identified by
– activation of SAP gateway logging and log file review (SAP Note 910919: Setting up
Gateway logging);
– analysis of the error messages shown on the RFC client.
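Added example (not from the course and not an SAP tool): a small Python audit that parses secinfo/reginfo ACL files in the VERSION=2 line syntax and flags permit rules that accept any program (TP=*) from any host (HOST=*), the kind of entry the ACL review above should catch. The file contents, program names and host names are constructed for the example.

```python
"""Audit SAP gateway ACL files (secinfo/reginfo) for overly permissive rules.

Assumed VERSION=2 syntax (one rule per line, first match wins):
  secinfo:  P|D TP=<prog> USER=<user> HOST=<host> USER-HOST=<host>
  reginfo:  P|D TP=<prog> HOST=<host> ACCESS=<hosts> CANCEL=<hosts>
"""

# Constructed sample ACL files (not taken from any real system). The first
# permit rule in each is the "allow everything" entry an audit should flag.
SECINFO = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=/usr/sap/DEV/SYS/exe/run/rfcexec USER=RFCBATCH HOST=appsrv01 USER-HOST=appsrv01
D TP=* USER=* HOST=* USER-HOST=*
"""

REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=TAXCALC HOST=taxhost01 ACCESS=internal CANCEL=internal
D TP=*
"""


def parse_acl(text):
    """Yield (line_no, action, fields) for every rule line; comments are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs if "=" in p)
        yield line_no, action.upper(), fields


def find_permissive_rules(text):
    """Return line numbers of permit rules matching any program from any host.

    Because the gateway stops at the first matching rule, such a line early in
    the file silently overrides every stricter rule (and the final D) below it.
    """
    hits = []
    for line_no, action, fields in parse_acl(text):
        if action == "P" and fields.get("TP") == "*" and fields.get("HOST") == "*":
            hits.append(line_no)
    return hits


def has_version_header(text):
    """True if the first line declares the VERSION=2 syntax."""
    first = text.splitlines()[0].strip() if text.strip() else ""
    return first.upper().replace(" ", "") == "#VERSION=2"


if __name__ == "__main__":
    for name, acl in (("secinfo", SECINFO), ("reginfo", REGINFO)):
        print(name, "version header:", has_version_header(acl),
              "permissive rules at lines:", find_permissive_rules(acl))
```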
System Change Option
System Change Recommendations
Client Change Options
Client Change Recommendations
Critical Authorizations
TMS Authorization Concept
TMS Quality Assurance
Configuring the QA Approval Procedure
QA Approval
Modification Browser SE95
Security Patch Management

Advantages:

• Better planning for SAP Security Notes implementation with this
dedicated, regular schedule

• More efficient review and selection of SAP Security Notes
relevant for your organization

• More efficient patching of SAP systems as it is on the same day
as with other software providers

• RSECNOTE (automatic checks for security notes)

Monitoring SAP Systems
Monitoring SAP Systems Overview

• SAP Early Watch Alert (EWA)

• SAP Security Optimization Service (SOS)

• SAP Computing Center Management System (CCMS)

• SAP Solution Manager Diagnostics (SMD)


Security Audit Log: Audit Log Event Filter
Security Audit Log: Audit Configuration Selection Criteria
Security Audit Log: Security Audit Profile
Parameters
Security Audit Log: Audit Log Transaction SM20N
Security Audit Log: Audit Log Details
AS Java Security Audit Log

By default, the log files are available at
/usr/sap/<SID>/<Instance>/j2ee/cluster/serverX/security_audit.X.log.

They can be viewed with SAP NetWeaver Administrator, Visual
Administrator and Log Viewer.
AS Java Security Audit Log
User Information System: What is monitored?

SUIM
User Information System: Transaction SUIM
System Trace: Special Recording
Alert Monitor
Alert Monitor: Alert Monitoring Tree
Exercise 6
Secured SAP Connections