SAP Security Roles and Responsibilities

Different types of SAP systems:
1. R/3 (old) or ECC (new)
2. APO
3. CRM
4. BI
5. SRM
6. Central User Administration (CUA)
7. Portal
8. GRC tool for SAP Security (old tool: VIRSA)

User Administration Tasks:
1. Password reset
2. User lock and unlock
3. User creation: IT user and business user
4. Different types of users: OSS and RFC
5. User group creation
6. User parameter updating
7. Changing user group
8. Updating user date format, decimal notation, time zone and printers
9. Adding roles to users on a permanent or temporary basis
10. Deleting roles from a user
11. Adding or deleting profiles for a user (not required, just to know)
12. Downloading security reports from SUIM
13. Finding missing authorizations with the SU53 dump
14. Finding the role for an SU53 missing authorization
15. Assigning additional roles to the user with or without validity
16. Assigning a role to 100 users at a time (SU10)
17. Locking and unlocking 100 users at a time
18. Changing user group or time zone for 100 users at a time
19. Creation of RFC, BATCH and OSS users
20. Extending user validity and extending role validity
21. User inactivation and user reactivation
22. User termination
23. Downloading the STAD report for a user
24. Checking the audit logs (SM20)
25. Tracing the user authorizations
26. CUA administration
27. Transaction lock and unlock
28. Mass role deletion (2 types)

Role Administration:
1. Following the role naming convention while creating roles
2. Creation of single roles
3. Creation of composite roles
4. Creation of derived roles
5. Adding a Tcode to a role
6. Removing a Tcode from a role
7. Updating objects in the roles as per the missing authorization dump
8. Updating organizational values in the roles
9. Creating global roles in all the systems
10. Updating roles during creation and modification with reference to SU24
11. Role transportation (including inter-client)
12. Template role creation
13. Area menu role creation
14. Role upload and download
15. Role deletion
16. PFUD and SUPC (monthly maintenance security activities)

Other Key Activities:
1. Client open
2. OSS connection open and access details update in Service Marketplace
3. RFC connection creation
4. Providing sensitive Tcode, object and role access
5. Providing firecall access (user firecall / role firecall)
6. Providing developer key
7. Providing access key for an object
8. PFUD and SUPC for maintenance activity
9. SAP licensing (measurement data)
10. Portal user administration including mass changes

SAP Security Reporting for SOX Compliance:
1. Downloading the report of users who have not logged in to the system in the 7 days after creation of their user ID
2. Downloading the report of users who have not logged in to the system for the past 45 days
3. Downloading the report of users who have not logged in to the system for the past 90 days
4. Client settings status: SCC4, SCC1
5. Security system parameter checking: RZ11
6. Forbidden password report: SE16, table USR40
7. Tracking the security users list and their roles: SUIM
8. List the non-dialog users and make sure those users are not in locked status: SUIM
9. Random request checking for quality of work
10. User termination as per the weekly HR termination report
11. Download the SM20 audit log report on a weekly basis
12. Users with incomplete address data: RSUSR007 (last name, first name, email)
13. No dialog user should have the SAP_ALL and SAP_NEW profiles assigned: SUIM
14. RSUSR003 is used for checking SAP* and DDIC in all clients along with login parameters. This report is used to ensure SAP* and DDIC have been secured in all clients. It also allows checking of login parameters, such as the number of invalid login attempts until user lock, login/system and client.
15. Document the detailed steps of the Emergency ID process for debug access (AGR_USERS). Debug roles should be expired for users.
16. Review batch, RFC and sensitive accounts: SUIM (users should not be locked)

SAP Security Tables (SE16 or SE16N):
AGR_USERS - users list for a role
AGR_TCODES - Tcodes list for a role
AGR_AGRS - list of single roles in a composite role
AGR_DEFINE - list of derived roles for a parent role
AGR_1251 - complete role information
AGR_1252 - org values details for a role
AGR_PROF - profile name for a role
USER_ADDR - address data for users
USR01 - user master data (runtime data)
USR02 - logon data (password, username, validity date etc.)
USR04 - user master authorization (one row per user)
USR06 - license data
USR40 - illegal passwords list
USOBT - relation transaction to authorization object (SAP)
USOBT_C - relation transaction to authorization object (customer)
USOBX - check table for table USOBT
USOBXFLAGS - temporary table for storing USOBX/T* changes
USOBX_C - check table for table USOBT_C

BI Security:
- Overview of BI system (BI 7.0)
- Reporting authorization objects
- BI analysis authorizations
- Troubleshooting

SAP ECC systems:
ECC DEV (DR2): clients 100 and 200
ECC Test (QR2): clients 100 and 200
ECC PRD (PR2): client 100
CRM DEV (DC2): clients 100, 200 and 400
CRM TEST (QC2): clients 100, 200 and 400
CRM PRD (PC1): client 100

SAP three-system landscape with transport route:
Role:
1. A role is a combination of Tcodes.
2. Three types of roles:
   a) Single role
   b) Composite role
   c) Derived (or base) role
3. Role structure:
   User -> Role (Tcodes) -> Profile -> Authorization class (MM, PP, SD, BC, BS) -> Authorization object -> Field values
4. Common authorization class: AAAB
5. Common authorization object: S_TCODE

What is SOX and SOD?
Sarbanes-Oxley is a best practice for all types of companies who wish to identify with good governance practices. SOX has become the de facto standard for financial transparency, trust and corporate accountability. The SOX guidelines have been built on Sections 302 and 404, which describe the good governance practices. For fulfilling SOX compliance, we use tools called VIRSA, GRC and Bizright.RULE.

What is SOD?
Across an enterprise there are various functions, and these functions are performed together by a set of roles/responsibilities. SoD says that these roles/responsibilities should be assigned in such a way that, across the enterprise, no individual has end-to-end access rights over any function.
Segregation of Duties deals with access controls. Access control ensures that one individual does not have access to two or more incompatible duties.

GRC Topics:
GRC Access Control 5.3
- Introduction
- SOX rules and SOD concepts
- Risk Analysis and Remediation (RAR)
  - Risk analysis on user and role level
  - Rule set
  - Mitigation
  - Configuration of RAR
- Superuser Privilege Management (SPM)
  - Firefighter configuration
  - Reports
- Overview of Compliant User Provisioning (CUP)

1. Performing firefighter activity in EAM
2. Approver delegation and approver delegation report
3. Owner assigning firefighter IDs and controllers
4. User level violation report
5. Role level violation report
6. Finding the mitigated users list
7. Background job scheduling and monitoring
8. How to find the log report of the firefighter by using SPM
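The SOX reporting items (users with no logon for 7/45/90 days, locked non-dialog users) and the SoD rule described above can both be produced from the security tables listed earlier (USR02, AGR_USERS, AGR_TCODES). The following is an added example, not part of the original notes and not SAP or GRC code: it loads constructed rows shaped like those three tables into an in-memory SQLite database and runs a dormant-user report, a locked-system-user check and a simple SoD check for conflicting transaction pairs that honours role validity dates and a mitigation list. Column names follow the standard SAP tables; the rows, the conflict pairs, the reference date and the function names are assumptions made for the example.

```python
import sqlite3
from datetime import date, datetime

# Constructed reference date so the checks are deterministic.
AS_OF = date(2024, 3, 12)

# Constructed SoD rule set: transaction pairs one person should not hold together.
# ME21N (create purchase order) vs MIRO (post vendor invoice);
# FK01 (create vendor master) vs F110 (automatic payment run).
CONFLICT_PAIRS = [("ME21N", "MIRO"), ("FK01", "F110")]

# Constructed rows shaped like USR02, AGR_TCODES and AGR_USERS. Dates use the
# SAP NUMC(8) form YYYYMMDD; TRDAT '00000000' means the user never logged on.
USR02_ROWS = [
    # BNAME, USTYP (A = dialog, B = system), ERDAT (created), TRDAT (last logon),
    # UFLAG (0 = unlocked, 64 = locked by administrator)
    ("JSMITH", "A", "20240101", "20240310", 0),
    ("NEWHIRE", "A", "20240301", "00000000", 0),
    ("OLDUSER", "A", "20230101", "20231101", 0),
    ("RFC_BATCH", "B", "20230101", "20240311", 0),
    ("BATCH_JOB", "B", "20230101", "20240301", 64),
]
AGR_TCODES_ROWS = [  # AGR_NAME, TCODE
    ("Z_PURCHASER", "ME21N"), ("Z_PURCHASER", "ME22N"),
    ("Z_AP_CLERK", "MIRO"), ("Z_AP_CLERK", "FB60"),
    ("Z_VENDOR_MASTER", "FK01"), ("Z_VENDOR_MASTER", "FK02"),
    ("Z_PAYMENT_RUN", "F110"),
]
AGR_USERS_ROWS = [  # AGR_NAME, UNAME, FROM_DAT, TO_DAT
    ("Z_PURCHASER", "JSMITH", "20240101", "99991231"),
    ("Z_AP_CLERK", "JSMITH", "20240101", "20240228"),  # expired assignment
    ("Z_PURCHASER", "NEWHIRE", "20240301", "99991231"),
    ("Z_AP_CLERK", "NEWHIRE", "20240301", "99991231"),
    ("Z_VENDOR_MASTER", "OLDUSER", "20230101", "99991231"),
    ("Z_PAYMENT_RUN", "OLDUSER", "20230101", "99991231"),
]


def load_tables():
    """Build an in-memory SQLite stand-in for the three SAP tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USR02 (BNAME TEXT, USTYP TEXT, ERDAT TEXT, TRDAT TEXT, UFLAG INTEGER)")
    conn.execute("CREATE TABLE AGR_TCODES (AGR_NAME TEXT, TCODE TEXT)")
    conn.execute("CREATE TABLE AGR_USERS (AGR_NAME TEXT, UNAME TEXT, FROM_DAT TEXT, TO_DAT TEXT)")
    conn.executemany("INSERT INTO USR02 VALUES (?, ?, ?, ?, ?)", USR02_ROWS)
    conn.executemany("INSERT INTO AGR_TCODES VALUES (?, ?)", AGR_TCODES_ROWS)
    conn.executemany("INSERT INTO AGR_USERS VALUES (?, ?, ?, ?)", AGR_USERS_ROWS)
    return conn


def _numc_to_date(numc):
    return datetime.strptime(numc, "%Y%m%d").date()


def dormant_dialog_users(days, as_of=AS_OF, conn=None):
    """Dialog users (USTYP 'A') with no logon in the last `days` days. A user who
    never logged on is measured from ERDAT, which covers the 7-days-after-creation report."""
    conn = load_tables() if conn is None else conn
    dormant = []
    for bname, erdat, trdat in conn.execute("SELECT BNAME, ERDAT, TRDAT FROM USR02 WHERE USTYP = 'A'"):
        last_seen = _numc_to_date(erdat if trdat == "00000000" else trdat)
        if (as_of - last_seen).days >= days:
            dormant.append(bname)
    return sorted(dormant)


def locked_non_dialog_users(conn=None):
    """Batch/RFC/system users that are locked; the review list says these should not be."""
    conn = load_tables() if conn is None else conn
    rows = conn.execute("SELECT BNAME FROM USR02 WHERE USTYP <> 'A' AND UFLAG <> 0")
    return sorted(bname for (bname,) in rows)


# Users whose roles (both valid on the reference date) grant tcode A and tcode B.
SOD_SQL = """
SELECT DISTINCT a.UNAME
FROM AGR_USERS a
JOIN AGR_TCODES ta ON ta.AGR_NAME = a.AGR_NAME
JOIN AGR_USERS b ON b.UNAME = a.UNAME
JOIN AGR_TCODES tb ON tb.AGR_NAME = b.AGR_NAME
WHERE ta.TCODE = ? AND tb.TCODE = ?
  AND a.FROM_DAT <= ? AND a.TO_DAT >= ?
  AND b.FROM_DAT <= ? AND b.TO_DAT >= ?
"""


def sod_violations(as_of=AS_OF, mitigated=frozenset(), conn=None):
    """(user, tcode_a, tcode_b) for every conflicting pair a user currently holds;
    users with an approved mitigation are skipped, as RAR does for mitigated users."""
    conn = load_tables() if conn is None else conn
    stamp = as_of.strftime("%Y%m%d")
    found = []
    for tcode_a, tcode_b in CONFLICT_PAIRS:
        for (uname,) in conn.execute(SOD_SQL, (tcode_a, tcode_b, stamp, stamp, stamp, stamp)):
            if uname not in mitigated:
                found.append((uname, tcode_a, tcode_b))
    return sorted(found)


if __name__ == "__main__":
    for days in (7, 45, 90):
        print(f"no logon for {days} days:", dormant_dialog_users(days))
    print("locked non-dialog users:", locked_non_dialog_users())
    print("SoD violations:", sod_violations())
```

Against a real system the same queries would run over SE16 extracts or via an RFC read of the tables; the validity filter on AGR_USERS matters because an expired role assignment (JSMITH's Z_AP_CLERK above) must not count as a live conflict, while a never-logged-on user is still reported as dormant from the creation date.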