
Introduction to SAP Security Questions & Answers

The archived presentation from Wednesday March 31 can be found online at http://www.sym-corp.com/component/k2/item/93-webinar-introduction-to-sapsecurity.

Q: Do you recommend synching User Master data (name, address, etc.) with the employee's HR record if the SAP HR module is active? If so, what would you recommend as the synch operation? A: We have used HR in the past to help provision employees, but have not often used it for ongoing synchronization of User Master Data. Most of our customers are more interested in synchronizing data from LDAP/AD (i.e., to ensure the correct e-mail address is populated on their User Master Record).

Q: Did I correctly hear that SAP does not recommend doing profiles from scratch? I would like to better understand the reasons, if security related, etc. A: SAP has moved to the role model from the profile model. Transaction SU02 is where you modify/create profiles directly, and if you go to that transaction you will notice a message from SAP recommending that you use the Profile Generator (PFCG) instead. You can still create and maintain profiles in SU02 if you like, and they will work, since ultimately it is the authorization objects that matter. One reason to use roles is that you can leverage SU24 to propose the appropriate authorization objects when you add a transaction to the role menu.

Q: Where does "structural security" fit into what you just presented? A: Structural authorizations are outside the scope of this presentation. HR security can be very complex and requires a special skill set. In general, the organizational structure is a way of granting users access to specific employees, positions, or organizations. These restrictions are not possible with standard authorizations. The restrictions can be dynamic based on an employee's position in the organization (i.e., provide access to employees that report to me).

Q: How can we define HR roles? A: This is a very general question but, as with all role implementations, the first step is requirements gathering.

Q: Thank you for mentioning that SUIM doesn't always work correctly. A: Yes, I love and hate SUIM. Not too long ago we found a bug where SUIM was showing the wrong valid-to date for users. It looked as if users were logging in after they were expired, but in reality they were not expired. This was verified by looking at table USR02. Note 1229694 resolved the issue. In response to the shortcomings of SUIM, we have added functionality in our ControlPanelGRC Risk Analyzer to enable ad-hoc querying of security.
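The cross-check described in the answer, reading the validity dates straight from USR02 instead of trusting a report, as an added example that is not part of the original Q&A. The rows are constructed and only modelled on USR02; the column names BNAME, GLTGV (valid from), GLTGB (valid to) and UFLAG (lock status bitmask) are real USR02 fields, and the "SUIM output" is likewise a constructed dictionary standing in for an exported report.

```python
from datetime import date

# Constructed sample rows modelled on the USR02 user master table.
# SAP stores an unset date as eight zeros, which means "no expiry",
# not "expired long ago"; a naive string comparison gets this wrong.
# UFLAG bits: 64 = locked by administrator, 128 = locked after failed logons.
USR02_SAMPLE = [
    {"BNAME": "JDOE",      "GLTGV": "20090101", "GLTGB": "20091231", "UFLAG": 0},
    {"BNAME": "ASMITH",    "GLTGV": "20080301", "GLTGB": "00000000", "UFLAG": 0},
    {"BNAME": "CONTRACT1", "GLTGV": "20100101", "GLTGB": "20101231", "UFLAG": 0},
    {"BNAME": "LOCKED1",   "GLTGV": "00000000", "GLTGB": "00000000", "UFLAG": 64},
    {"BNAME": "FUTURE1",   "GLTGV": "20100601", "GLTGB": "00000000", "UFLAG": 0},
]

# Constructed stand-in for a SUIM export: user name -> valid-to date as reported.
# ASMITH deliberately disagrees with USR02 to mimic the bug from the answer.
SUIM_SAMPLE = {
    "JDOE": "20091231",
    "ASMITH": "20091231",
    "CONTRACT1": "20101231",
    "LOCKED1": "00000000",
    "FUTURE1": "00000000",
}


def parse_sap_date(value):
    """Convert a YYYYMMDD string to a date; '00000000' or blank means 'not set'."""
    if not value or value == "00000000":
        return None
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def user_status(row, today):
    """Validity of one USR02 row on a given day, checked against the master data."""
    valid_from = parse_sap_date(row["GLTGV"])
    valid_to = parse_sap_date(row["GLTGB"])
    if valid_from and today < valid_from:
        return "not yet valid"
    if valid_to and today > valid_to:
        return "expired"
    if row["UFLAG"] & 64:
        return "locked by administrator"
    if row["UFLAG"] & 128:
        return "locked (failed logons)"
    return "active"


def classify_users(rows, today):
    return {row["BNAME"]: user_status(row, today) for row in rows}


def reconcile_valid_to(report, usr02_rows):
    """Names whose valid-to date in a report disagrees with USR02 (the source of truth)."""
    master = {r["BNAME"]: r["GLTGB"] for r in usr02_rows}
    return sorted(name for name, gltgb in report.items() if master.get(name) != gltgb)


if __name__ == "__main__":
    today = date(2010, 3, 31)
    for name, status in classify_users(USR02_SAMPLE, today).items():
        print(f"{name:10} {status}")
    print("report disagrees with USR02 for:", reconcile_valid_to(SUIM_SAMPLE, USR02_SAMPLE))
```

Whenever a report claims a user is past their valid-to date yet still logging on, the disagreement list above is the first thing to look at: if USR02 holds zeros, the user never had an end date and the report is wrong, not the logon.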

Q: Isn't SAP doing away with CUA in favor of NetWeaver IdM? A: There have been rumors that SAP will stop supporting CUA in favor of NetWeaver IdM. I have seen no official documentation from SAP on this matter and have seen SAP recommend implementing CUA at companies that are only interested in managing ABAP-based systems.

Q: Can you please briefly explain how security relates to SAP IdM? As a security administrator, what would the roles and responsibilities be? A: SAP NetWeaver IdM provides a way to provision users in both SAP and non-SAP systems. The security administrator would still be responsible for maintaining roles (modifying authorizations) in SAP and would likely play a role in maintaining IdM role/position/group mappings.

Q: I have a question related to NetWeaver Portal and SAP R/3 security role mapping. A: All SAP ABAP roles in the UME appear as Groups in the Portal. If they are new, they should appear within an hour after they are created. These must be mapped to Java Roles to grant the Java access portion.

Q: Please provide another quick explanation as to a scenario where a profile is used without a role. A: Only profiles that were created in SU02 by the security team or that came delivered with the system can be assigned to users directly. Profiles that are created through Profile Generator for roles will be assigned to users when the corresponding Role is assigned. We recommend using roles in today's SAP systems. However, it is fairly common to assign some of the delivered profiles to the Basis team before go-live or to system IDs.

Q: Can you please provide information on how to start with GRC, tutorials, links etc.? A: The SDN link below can get you started on SAP's GRC solution. However, customers interested in lowering their total cost of compliance will also want to check out ControlPanelGRC, a second generation compliance solution. http://www.sap.com/solutions/sapbusinessobjects/large/governance-riskcompliance/index.epx http://www.controlpanelgrc.com/

Q: Do you recommend table logging? A: Yes, if there is an audit requirement. By default only configuration tables will be logged and you would need to flag the tables you are interested in logging so that changes are recorded.
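A small check of whether a change to a given table in a given client would actually be recorded, as an added example that is not part of the original Q&A. It encodes the two conditions that both have to hold: the profile parameter rec/client must cover the client (its real values are OFF, ALL, or a comma-separated list of client numbers), and the table's technical settings must carry the "log data changes" flag (field PROTOKOLL in table DD09L). The parameter value and the DD09L-style rows below are constructed.

```python
# Constructed profile parameter value; the real parameter is rec/client and
# takes OFF, ALL or a comma-separated list of clients such as "000,100".
REC_CLIENT = "000,100"

# Constructed rows modelled on DD09L (technical settings);
# PROTOKOLL = 'X' means "log data changes" is switched on for the table.
DD09L_SAMPLE = [
    {"TABNAME": "T000",    "PROTOKOLL": "X"},
    {"TABNAME": "USR02",   "PROTOKOLL": ""},
    {"TABNAME": "ZCUSTOM", "PROTOKOLL": "X"},
]


def clients_logged(rec_client):
    """Parse rec/client: None means every client, an empty set means logging is off."""
    value = rec_client.strip().upper()
    if value == "ALL":
        return None
    if value in ("OFF", ""):
        return set()
    return {c.strip() for c in value.split(",") if c.strip()}


def table_logging_enabled(table, dd09l):
    """True when the table's technical settings carry the logging flag."""
    return any(r["TABNAME"] == table and r["PROTOKOLL"] == "X" for r in dd09l)


def changes_logged(table, client, rec_client, dd09l):
    """Both the client-level switch and the table-level flag must be on."""
    clients = clients_logged(rec_client)
    client_covered = clients is None or client in clients
    return client_covered and table_logging_enabled(table, dd09l)


def unlogged_tables(tables_of_interest, dd09l):
    """Tables an auditor wants logged but which still lack the flag."""
    return sorted(t for t in tables_of_interest if not table_logging_enabled(t, dd09l))


if __name__ == "__main__":
    wanted = ["T000", "USR02", "ZCUSTOM"]
    print("rec/client =", REC_CLIENT, "->", clients_logged(REC_CLIENT))
    print("still unlogged:", unlogged_tables(wanted, DD09L_SAMPLE))
    for t in wanted:
        print(t, "client 100 logged:", changes_logged(t, "100", REC_CLIENT, DD09L_SAMPLE))
```

Running the same check against the productive client is a quick way to catch the common gap where the tables were flagged but rec/client only names the development clients, so nothing is written in production.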

Q: Do we need to map the role from Portal to R/3, or just maintain roles in Portal? A: This depends on your requirements. You have to first differentiate between Java Actions that occur in the Portal and any back-end access that is required in R/3. The next thing to decide is where your User Management Engine is located. This could be the Portal, the back-end ABAP system, or even LDAP.

Q: Does SAP provide a role that gives a user authorization for "Display Only" so the user can see all the information in the system but no authorization to change? A: No, you must create one. Creating an SAP_ALL display role is a difficult task that Symmetry has completed for a number of customers. In general, you need to insert the SAP_ALL template into a new role and change all authorization fields that relate to Activity in the authorization objects to Display.
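The transformation described in the answer, rewriting every Activity field in a copied SAP_ALL template to Display, applied to role authorization data, as an added example that is not part of the original Q&A and not Symmetry's own method. The rows are constructed and modelled on table AGR_1251 (columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH are the real ones); ACTVT 03 is the standard Display activity. Objects that do not express their authorization through ACTVT are left unchanged and reported for manual review, because a display role built this way still needs them checked by hand.

```python
# Constructed sample rows modelled on AGR_1251 (role authorization data).
# AUTH distinguishes several instances of the same object inside one role;
# LOW/HIGH hold a single value, a wildcard, or a range.
SAMPLE_AUTHS = [
    {"AGR_NAME": "Z_DISPLAY_ALL", "OBJECT": "S_TABU_DIS", "AUTH": "T-0001", "FIELD": "ACTVT",     "LOW": "*",  "HIGH": ""},
    {"AGR_NAME": "Z_DISPLAY_ALL", "OBJECT": "S_TABU_DIS", "AUTH": "T-0001", "FIELD": "DICBERCLS", "LOW": "*",  "HIGH": ""},
    {"AGR_NAME": "Z_DISPLAY_ALL", "OBJECT": "F_BKPF_BUK", "AUTH": "T-0002", "FIELD": "ACTVT",     "LOW": "01", "HIGH": "02"},
    {"AGR_NAME": "Z_DISPLAY_ALL", "OBJECT": "F_BKPF_BUK", "AUTH": "T-0002", "FIELD": "ACTVT",     "LOW": "03", "HIGH": ""},
    {"AGR_NAME": "Z_DISPLAY_ALL", "OBJECT": "F_BKPF_BUK", "AUTH": "T-0002", "FIELD": "BUKRS",     "LOW": "*",  "HIGH": ""},
    {"AGR_NAME": "Z_DISPLAY_ALL", "OBJECT": "S_TCODE",    "AUTH": "T-0003", "FIELD": "TCD",       "LOW": "*",  "HIGH": ""},
]

DISPLAY_ACTIVITY = "03"  # ACTVT 03 = Display


def to_display_only(rows, activity_fields=("ACTVT",)):
    """Replace every activity-field row with one Display value per (role, object, auth).

    Returns (new_rows, report). Wildcards, ranges and multiple activity values all
    collapse into a single ACTVT = 03 row; rows for other fields are copied as-is.
    Objects that carry no activity field at all are listed for manual review.
    """
    with_activity = {
        (r["AGR_NAME"], r["OBJECT"], r["AUTH"]) for r in rows if r["FIELD"] in activity_fields
    }
    new_rows, emitted, review = [], set(), set()
    replaced = 0
    for r in rows:
        key = (r["AGR_NAME"], r["OBJECT"], r["AUTH"])
        if r["FIELD"] in activity_fields:
            replaced += 1
            if key in emitted:
                continue  # second value or range end of the same authorization
            emitted.add(key)
            new_rows.append({**r, "LOW": DISPLAY_ACTIVITY, "HIGH": ""})
        else:
            if key not in with_activity:
                review.add(r["OBJECT"])
            new_rows.append(dict(r))
    report = {"activity_rows_replaced": replaced, "review_manually": sorted(review)}
    return new_rows, report


if __name__ == "__main__":
    rows, report = to_display_only(SAMPLE_AUTHS)
    for r in rows:
        print(f'{r["OBJECT"]:12} {r["AUTH"]:8} {r["FIELD"]:10} {r["LOW"]:3} {r["HIGH"]}')
    print(report)
```

The review list is the important output: in the constructed data S_TCODE has no activity field, so the wildcard transaction start authorization survives the rewrite untouched and has to be narrowed deliberately rather than assumed harmless.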
