
ISACA Presentation

Section 1: Auditing SAP Security – The Basics
SAP Overview

April 25th 2006


Functional Category:
Financials
Operations
Human Capital
Corporate Services
Three-tier architecture: end user -> application server -> database server (holds the database information)

SAP platforms (hardware, operating systems, databases, front ends and languages):

Hardware
  UNIX systems: AT&T, Bull, Digital, HP, IBM, SNI, SUN
  Windows NT/2000 systems: Bull/Zenith, Compaq, Data General, Digital, HP (Intel), IBM (Intel), Sequent, SNI, ...

Operating systems
  UNIX systems: AIX, Digital UNIX, HP-UX, LINUX, SOLARIS
  Windows NT/2000 systems: Windows NT/2000

Databases
  UNIX systems: ORACLE 8i/9, Informix Online, ADABAS D, DB2/6000* (for AIX only)
  Windows NT/2000 systems: ORACLE 8i/9, ADABAS D, MS SQL Server

Dialog (SAP-GUI): Windows 3x, Windows 9x, Windows XP, Presentation Manager, Macintosh

Languages: ABAP/4, C, C++

SAP Functional Modules:
Financials
Operations
Human Capital
Corporate Services

Basis Component/Web Application Server (underlying all functional modules)

Authorization concept, worked example (Purchase Order):

Authorization object: Purchase Order
  Fields: 1. Activity
          2. Company code

Authorization #1                    Authorization #2
  1. Activity = Create                1. Activity = View
  2. Company code = 1                 2. Company code = All

Profile #1 (Create PO)              Profile #2 (Receive Goods)
  •Authorization #1                   •Authorization #2
  •Additional Auths.                  •Additional Auths.

Composite Profile                   Composite Profile
(Purchasing Clerk)                  (Receiving Clerk)
  •Profile #1                         •Profile #2
  •Additional Profiles                •Additional Profiles
Authorization Objects -> Authorizations -> Profiles (or Roles) -> Composite Profiles (or Roles) -> Users

Security configuration is very complex!

