SAP Security important Questions
Published in Education, Technology
Transcript

  • 1. What needs to be secured in the company?
    Material Master, Vendor Master, Employee Master, Asset Master, Profit & Loss Reports, Financial Information.

    2. From whom?
    The authenticated users who are created in SAP.

    3. How to protect?
    1. Define who does what, up to what level and in which jurisdiction.
       Example: A Purchasing Officer creates and approves Purchase Orders for a value of not more than 10,000 (ten thousand only) for his division (028).
    2. Define the SOD (Segregation of Duties / Separation of Duties). The SOD is a matrix which is used to specify the position along with roles and responsibilities.

    4. What tools are used?
    1. VIRSA tool, a third-party tool owned by SAP.
    2. Approva tool.
    From SAP: SU01, SU10, SU20, SU21, SU22, SU23, SU24, SU25, SU53, SU56, SUIM, SU99, PFCG, PFUD, SU02, SU3, SM30, SE38, SE54, SA38, SE12, ST01.

    SOX (Sarbanes-Oxley Act 404)
    It specifies that a single business transaction should not be assigned to a single user, to avoid malpractice and misuse of public funds.
    Example:
    1. Hire Requisition
    2. Hiring (Recruiting)
    3. Job Assignment
    4. Time Recording
    5. Payroll Processing
    6. Salary Disbursement
  • 2. 1. Purchase Requisition
    2. Purchase Approval and Release
    3. Invoice and Billing
    4. Goods Delivery
    5. Goods Receipt
    6. Payment to the Vendor
    7. Reconciliation
    All the above activities should not be assigned to a single user. They need to be spread across users.

    Role Matrix/SOD
    It is a matrix which contains positions/jobs along with the assigned transactions. The roles are assigned to users to get authorizations to transactions.

    Authentication: it is the process of providing User ID and password to log in.
    Authorization: it is the process of assigning roles to a user to perform certain activities. There is no role to restrict authorizations; if a user is authorized it means he is allowed to perform certain activities.

    Designing Security:
    It is implemented in a similar way and in parallel to the SAP implementation, i.e. the ASAP Methodology is used to design, develop, transport, test and put into production use.
    1. Analysis and Conception Phase
    2. Designing Phase
    3. Implementation
    4. Testing
    5. Cutover Phase

    1. Analysis and Conception Phase:
    Understand the security requirements of the customer. Assemble the project implementation team and gather the requirements related to security. Identify the assets, materials and financial structure (Accounts Receivable, Accounts Payable).
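As an added example that is not part of the original slides, the SOD rule above expressed as a check over SUIM-style user/role/transaction data. The role names, user IDs, conflict matrix and function names are constructed assumptions; the transaction codes (ME51N, ME21N, ME29N, MIGO, MIRO, F110, XK01) are standard SAP ones used only as sample data.

```python
"""SOD (Segregation of Duties) check for user-to-role-to-transaction assignments.

Added example, not code from the original slides or from SAP. The function
names, the conflict matrix and the role/user assignments are constructed to
illustrate the slide's rule that the purchase-to-pay activities must be
spread across users; a real matrix comes from the approved SOD blueprint.
"""
from itertools import combinations

# Business functions from the slide's list, mapped to the standard SAP
# transactions that perform them (sample data, not a complete mapping).
FUNCTION_TCODES = {
    "PURCHASE_REQUISITION": {"ME51N", "ME21N"},
    "PURCHASE_APPROVAL": {"ME29N"},
    "INVOICE": {"MIRO"},
    "GOODS_RECEIPT": {"MIGO"},
    "VENDOR_PAYMENT": {"F110"},
    "VENDOR_MASTER": {"XK01"},
}

# Pairs of functions that must never be held by one user (the SOD matrix).
SOD_MATRIX = {
    frozenset({"PURCHASE_REQUISITION", "PURCHASE_APPROVAL"}),
    frozenset({"PURCHASE_APPROVAL", "VENDOR_PAYMENT"}),
    frozenset({"GOODS_RECEIPT", "INVOICE"}),
    frozenset({"INVOICE", "VENDOR_PAYMENT"}),
    frozenset({"VENDOR_MASTER", "VENDOR_PAYMENT"}),
}

# Constructed sample data: what SUIM would report as role -> transactions and
# user -> roles (composite roles already flattened to their transactions).
ROLE_TCODES = {
    "Z_MM_BUYER": {"ME51N", "ME21N"},
    "Z_MM_RELEASE": {"ME29N"},
    "Z_MM_GR": {"MIGO"},
    "Z_FI_PAYMENT": {"F110"},
    "Z_ALL_P2P": {"ME51N", "ME29N", "F110"},   # a role that is a conflict on its own
}
USER_ROLES = {
    "JSMITH": ["Z_MM_BUYER", "Z_MM_RELEASE"],   # conflict across two roles
    "AKUMAR": ["Z_MM_GR"],                      # clean
}


def functions_held(tcodes):
    """Map each business function to the transactions in `tcodes` that grant it."""
    held = {}
    for func, codes in FUNCTION_TCODES.items():
        granted = codes & set(tcodes)
        if granted:
            held[func] = granted
    return held


def sod_conflicts(tcodes_by_role):
    """Given {role: transactions} for one user (or one role), return the
    conflicting function pairs as (func_a, func_b, [roles]) tuples, sorted."""
    held = {}   # function -> set of roles that grant it
    for role, tcodes in tcodes_by_role.items():
        for func in functions_held(tcodes):
            held.setdefault(func, set()).add(role)
    conflicts = []
    for a, b in combinations(sorted(held), 2):
        if frozenset({a, b}) in SOD_MATRIX:
            conflicts.append((a, b, sorted(held[a] | held[b])))
    return conflicts


def user_conflicts(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """SOD conflicts for a user across all assigned roles."""
    return sod_conflicts({r: role_tcodes.get(r, set()) for r in user_roles.get(user, [])})


def role_conflicts(role, role_tcodes=ROLE_TCODES):
    """SOD conflicts inside a single role (a role should never be built this way)."""
    return sod_conflicts({role: role_tcodes.get(role, set())})


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, user_conflicts(user) or "no SOD conflict")
    for role in ROLE_TCODES:
        print(role, role_conflicts(role) or "clean")
```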
  • 3. Identify the actions (activities that need to be protected) on a specific field, area or object. Create, modify, display, reverse, approve, print, upload, download etc. are the actions on an object PO for the field (purchasing area) (02). * means all the possible areas. Do not specify an asterisk (*) for any open field.
    Get the requirements and design a role matrix for each module. Identify the jobs/positions and responsibilities and define the matrix.

    Designing Phase:
    Define the Role Matrix/SOD blueprint and refine it till it gets approved/signed off.

    Development/Implementation/Realization Phase:
    Develop the roles in the CUST client and transport them to the TEST client for testing. Assign the roles to Business Process Owners and test them.

    Testing/Quality Assurance/Final Preparation:
    Release the roles in Development for transportation. Import the same into the QTST client in the QAS system. After successful testing import them into the TRNG client (where end users are trained on the system roles).

    Cutover Phase/Go-live Phase:
    Transport them to the Production system.

    Initializing Profile Generator:
    SU25: initially fill the customer tables. This is the first step to be executed before starting to work on security. USOBT and USOBX are the SAP standard tables.
  • 4. USOBT -- Transaction vs Authorization Object
    USOBX -- Check Indicators Table
    When you execute the above transaction (SU25 initial fill) it copies the entries from USOBT and USOBX to the customer tables USOBT_C and USOBX_C. Then the customer can modify them accordingly. If this is run after customer settings have been made, all the customer settings will be lost.

    How Security Works
    1. User ID and password (authentication of the user). To stop misuse of system credentials or impersonation by others, various security parameters for user ID and password are set (30 days expiry, alphanumeric passwords, minimum length, disallow multiple logons).
    2. When a user executes a transaction it checks whether the transaction is locked or not in SM01.
    3. It checks whether the transaction is allowed to execute in authorization object S_TCODE.
    4. It checks the table TSTCA for the minimum authorizations that are required to execute the transaction.
    5. It checks that all the authorization objects assigned to the transaction in SU24 are available in the user context.
    6. It also checks the authorization objects which are included in the program using the command AUTHORITY-CHECK.
    Each transaction is checked under object S_TCODE; the field name is TCD.

    SU24: it gets the values from tables USOBT and USOBX. USOBT contains the list of authorization objects assigned to a transaction which can be checked when the transaction is executed. USOBX contains the list of authorization objects that need to be (checked, not checked, check and maintain, unmaintained).
    There are certain objects which need security but may not require to be checked, so they can be set to CHECK-NO in SU24.
    Each change is client-independent (repository) and requires a Workbench request.
  • 5. Programming Authorizations
    Each program that needs to be secured uses the command AUTHORITY-CHECK followed by authorization object, field, value and activity. The authorization is controlled at field level and based on activity. These are used in the programs and checked by using the AUTHORITY-CHECK command. It is recommended to advise developers to use this command in their programs to secure them.

    Authorizations:
    Authorization Field: the lowest granular field that needs to be protected is known as an authorization field. These are defined in transaction SU20. These are maintained at repository level, so they are cross-client. Each new field requires the naming convention (Y, Z). These are also referred to as database table fields (PO, SO, Salary).
    Authorization Activity: the type of action that will be performed on the field: create, modify/update, display, delete, approve etc. These activities are defined in table "TACT", which is editable in SM30. Activities are identified by two alphanumeric characters.
    Authorization: the field with activity or value is referred to as an authorization.
    PO -- Create (01), Display (03), Modify (03)
    PO -- Purchasing org (0001), Area (002), Plant (SRN)
    A group of not more than 150 authorizations is called an Authorization Profile. If the authorizations exceed 150, another profile is created with name_1 and grouped into a composite profile.
    Authorization Object:
  • 6. A group of not more than 10 related authorization fields is known as an Authorization Object. These are defined in SU21. Each authorization object is assigned predefined activities that are stored in the table "TACTZ".
    Authorization Classes: a group of related authorization objects is called an Authorization/Object Class; these are defined in SU22.
    The authorization object is assigned to a transaction in SU24 and marked check/uncheck to maintain in PFCG.
    Authorization Role: these were referred to as Activity Groups until version 46B. From 46C Activity Groups are named Roles. A role is a synonym which contains profile, menus, URLs, reports etc. The role is only a name; authorizations are available through profiles only. Roles are created in transaction PFCG (Profile Create and Generate).

    1. SU01
    2. SM01
    3. S_TCODE
    4. TSTCA
    5. SU24
    6. AUTHORITY-CHECK

    User Context:
    It is a part of the roll area (roll file) where user-related information is stored. It is like a cookie in the browser. It is available till the user is logged in; the user context is lost on log-off. SU56 is used to display the user context information. The user context contains authorizations, screens etc.

    Missing Authorizations:
    1. The user executes a transaction.
    2. It checks in the user context, i.e. SU56, for availability.
    3. If it is not available it records it in SU53.
  • 7. It checks for the missing authorization object, authorization field, TCODE, field value, activity and organization value and records them in SU53. SU53 records only the last missing authorization. SU53 cannot log missing authorizations for earlier sessions, only for the current session, so ST01 is used to trace the authorizations.

    Role:
    Roles are defined in PFCG and contain authorization fields, values, activities, authorization objects, profiles, composite profiles, authorization classes, transactions, menus, URLs, reports etc.
    Execute PFCG and create a role.
    1. Define the roles as per naming conventions.
    2. Create roles in one client (Golden Client) and transport them to the other clients and systems in the landscape.
    3. Roles can be uploaded and downloaded into the system.
    4. Roles can be transported massively using transports.
    5. Ensure that roles do not contain duplicate authorizations.
    6. ASSIGN ONLY THE ROLES THAT ARE APPROVED/REQUIRED as per SOD.

    PFCG is used for the following:
    1. Create/modify/display/delete a role.
    2. A role can be downloaded to the file system (Download).
    3. A role can be uploaded into the SAP system (Upload).
    Specify the role name and click on Create (you can also copy a role from an existing role). Describe the role with a short description. Describe the role in the Description tab (e.g. "This role is created for Plant Maintenance (Planning Division); this role contains the following transactions", specifying the list of transactions along with the role owner). The description is used to identify the creator/modifier/owner of the role. Further changes to the role should be performed only after obtaining approval from the role owner.
    Click on the Menu tab: it is used to include transactions, reports, menus, URLs and other applications.
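The check sequence from slides 4 to 7, as an added example that is not code from the slides or from SAP. The object Z_PO, its field PURCH_ORG, the transactions ZPO01/ZPO03, the locked-transaction set and the user context are constructed placeholders; S_TCODE, its field TCD and ACTVT are the real names the slides use. The model keeps only the last failure, as SU53 does, and every check, as an ST01 trace does.

```python
"""Simulation of the SAP authorization check sequence (slides 4 to 7).

Added example, not code from the original slides or from SAP. Order of
checks follows the slides: locked transaction (SM01), S_TCODE, then the
SU24 objects flagged "check" against the user context (SU56). Objects
flagged "no-check" are skipped even though the program names them.
"""
import fnmatch

# SU21-style object definitions: object -> its authorization fields.
OBJECT_FIELDS = {
    "S_TCODE": ["TCD"],
    "Z_PO": ["ACTVT", "PURCH_ORG"],   # constructed custom object
    "Z_PO_PRINT": ["ACTVT"],          # constructed custom object
}

# SU24 / USOBX_C-style proposals: transaction -> [(object, check indicator)].
SU24 = {
    "ZPO01": [("Z_PO", "check"), ("Z_PO_PRINT", "no-check")],
    "ZPO03": [("Z_PO", "check")],
}

LOCKED_TCODES = {"ZPO03"}   # as if locked in SM01 (constructed)

# Constructed user context (what SU56 would show): object -> list of
# authorizations, each a dict of field -> granted values ('*' or patterns allowed).
USER_CONTEXT = {
    "S_TCODE": [{"TCD": ["ZPO*", "SU53"]}],
    "Z_PO": [{"ACTVT": ["01", "03"], "PURCH_ORG": ["0001"]}],
}


def _value_allowed(granted, wanted):
    """A granted value may be exact, '*' for everything, or a pattern like 'ZPO*'."""
    return any(fnmatch.fnmatchcase(wanted, pattern) for pattern in granted)


class AuthorizationCheck:
    def __init__(self, user_context, locked_tcodes=LOCKED_TCODES, su24=SU24):
        self.user_context = user_context
        self.locked_tcodes = locked_tcodes
        self.su24 = su24
        self.su53 = None   # only the LAST missing authorization survives, as in SU53
        self.st01 = []     # every check, pass or fail, like an ST01 authorization trace

    def authority_check(self, obj, **fields):
        """Like ABAP AUTHORITY-CHECK: every requested field must be covered by
        one single authorization of the object in the user context."""
        auths = self.user_context.get(obj, [])
        for auth in auths:
            if all(_value_allowed(auth.get(f, []), v) for f, v in fields.items()):
                self.st01.append((obj, fields, "RC=0"))
                return True
        # Record the first field no authorization covers (what SU53 would show).
        uncovered = [(f, v) for f, v in fields.items()
                     if not any(_value_allowed(a.get(f, []), v) for a in auths)]
        field, value = uncovered[0] if uncovered else next(iter(fields.items()))
        self.su53 = (obj, field, value)
        self.st01.append((obj, fields, "RC=4"))
        return False

    def start_transaction(self, tcode, runtime_values):
        """Run the slides' sequence for a transaction start. runtime_values are the
        field values the program supplies at runtime (activity, org unit, ...)."""
        if tcode in self.locked_tcodes:                     # step 2: SM01
            self.st01.append(("SM01", {"TCD": tcode}, "locked"))
            return False
        if not self.authority_check("S_TCODE", TCD=tcode):  # step 3: S_TCODE
            return False
        for obj, indicator in self.su24.get(tcode, []):     # step 5: SU24 objects
            if indicator != "check":
                continue
            wanted = {f: runtime_values[f] for f in OBJECT_FIELDS[obj] if f in runtime_values}
            if not self.authority_check(obj, **wanted):
                return False
        return True


def demo():
    """Four transaction starts against the constructed user context."""
    chk = AuthorizationCheck(USER_CONTEXT)
    results = {
        "own_org": chk.start_transaction("ZPO01", {"ACTVT": "01", "PURCH_ORG": "0001"}),
        "other_org": chk.start_transaction("ZPO01", {"ACTVT": "01", "PURCH_ORG": "0002"}),
        "locked": chk.start_transaction("ZPO03", {"ACTVT": "03", "PURCH_ORG": "0001"}),
        "no_tcode": chk.start_transaction("VA01", {}),
    }
    return results, chk.su53, chk.st01


if __name__ == "__main__":
    results, su53, st01 = demo()
    print(results)
    print("SU53 (last failure only):", su53)
    print("ST01 entries:", len(st01))
```

The SU53 value after the run shows only the final S_TCODE failure; the earlier Z_PO org-level failure is visible only in the ST01-style trace.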
  • 8. Menu:
    Menus are used to provide user-friendly navigational elements. These are defined in SE43. SAP provides the SAP Easy Access Menu, which can be overwritten by a User Menu. We can create our own menus in SE43. We can include authorizations based on menus. We can copy transactions from the SAP Menu/User Menu/Area Menus (SE43).
    Note: when custom programs/reports are included they are automatically created/assigned with a transaction code that starts with "Y".
    Menus are only used to include a transaction, but the authorizations are required to be maintained as per the SU24 Check and Maintain options (Yes/No).
    Click on the Authorizations tab. Click on Change Authorization Data to maintain the open fields and activities.
    Example: SU01 is assigned to the role. The user who is assigned the role can create users, but with certain restrictions (only for a client, group, role, profile etc.).
    Change Authorization Data provides the list of open fields (for authorization objects that are checked in SU24). The authorization classes, objects, profiles and fields are displayed in traffic light colours:
    YELLOW -- activity or field value is missing
    RED -- organizational value is missing (Sales Organisation, Sales Area, Distribution Channel, Plant, Storage Location etc.)
    GREEN -- all the values are maintained
    Click on Organizational Values and provide the details as per SOD to ensure that all the red lights are turned off.
  • 9. For yellow lights we need to open them manually and maintain the fields and activities. We can also include objects manually (this is not recommended; instead assign them to the transaction in SU24 so they are automatically available in PFCG).
    Save the role and generate the profile (the profile contains the authorizations). The role is effective only after generation of the profile; for each change in a role, profile generation is required. Assign the role to the user and perform USER COMPARISON so that the role is effective immediately.
    MiniApps are no longer used; they were used up to 46C.
    Personalization: it is used to restrict the output of a report/program, e.g. during time recording it should display the last one week and the future one week; for salary, the last month. These personalization objects are recorded using transaction "PERSREG".
    Profiles were widely used up to 46B in combination with Activity Groups. Activity Groups were renamed Roles in 46C. So while working with system versions lower than 46C, AG, CAG (composite) and DAG (derived) are widely discussed. Earlier, profiles were created in SU02, like SAP_ALL and SAP_NEW. SAP discontinued the usage of profiles and introduced roles from 46C, but the Profile tab is still available in the SU01 transaction. SAP_ALL and SAP_NEW are the only composite profiles that are still available in the systems (current versions).
    Profiles are no longer created, only generated while creating a role. Profiles can be massively generated (after a role upload or role transport) using SUPC. During the transport only roles are transported (i.e. no profiles are transported along with roles), so it is required to generate the profiles using SUPC. Depending upon the number of authorizations in the role, composite profiles are created automatically.
  • 10. It is not recommended to assign profiles in the current NetWeaver-based systems; instead assign roles, which contain profiles. SAP_ALL and SAP_NEW are only assigned in TEST/SAND/QTST/TRNG systems, but not on CUST/PROD systems.
    Single Role: the role that is created in PFCG in the customer naming convention. It provides certain authorizations when assigned to a user. A single role can be a referencing role which will be a base to create other roles (Copy Role). A single role can be a parent role to create child roles. Single roles can be grouped to create composite roles. These roles cannot be differentiated physically but only identified by using naming conventions:
    WILL_COMP_MM_DIV_10
    WILL_DER_SD_SAREA_345
    WILL_PARENT_SD_SAREA

    Composite Roles: a group of roles for administrative convenience or for easy maintenance.
    Example: a Zonal Manager belongs to a distribution channel like Vishakapatnam (Srikakulam, VZNAGRAM, EG, WG). Each district has a District Manager who can work only on his allocated district. The four District Manager roles are grouped and assigned to the Zonal Manager. Role enhancements (assign, reassign, delete) for all the roles automatically result in the Zonal Manager role.
    Go to PFCG and specify a role name:
    Company Code, Contr Area, DIV, Sales Org, DC
    1.00101 0001 01,02,0001,01,12,14,10
    Create a Composite Role. The Authorization tab is missing because we cannot assign any additional authorizations; we can only include roles. No profiles are generated (only the profiles in the included roles are used).
  • 11. Menus can be compressed by avoiding duplicates. Whatever changes are made in the roles will take effect in the composite role. In composite roles we can only compress menus and include roles. Profiles are transported along with composite roles.

    Parent Role:
    It is a single role which will be referenced to create child roles. In most scenarios the parent role is not assigned to any user. It is considered a template to create other roles. The major advantage is that changes in the parent role are automatically adjusted in the child/derived roles. This is not possible when copying roles: copying is only a one-time activity, whereas the parent-child relationship is lifelong until the relation is broken/deleted.

    Creating a Child Role/Derived Role:
    1. Go to PFCG.
    2. Specify a role name that should identify the derived role.
    3. Click on Create.
    4. Go to the Description tab, specify the parent role name in "Derive from Role" and save.
    5. The Menu tab is missing, i.e. you cannot add any object through the Menu tab, and we can say MENUS are FIXED.
    6. While modifying the parent role, derived roles cannot be modified.
    7. Maintain the open fields (org levels, field values, activities).
    8. Save and generate the profile.

    Updating or Enhancing a Parent Role:
    Go to PFCG, select the parent role, include or exclude in the menus, click on Change Authorization Data, maintain the open fields, save and generate the profile for the parent role.
  • 12. Click on Adjust Derived Roles. It automatically adjusts all the derived roles except the org values. The parent role imparts all the authorizations to the child/derived roles but not the ORG VALUES. Parent role and child roles differ by organization values. These are used to create Plant Manager, Warehouse Incharge, Division Manager, Depot Manager etc. roles which are similar in all the activities but differ only by org values. The parent role imparts all its properties to the child roles; the child inherits everything except the organizational values, which need to be maintained in the child roles.

    Delete Inheritance:
    The child role can break the relationship with the parent; from then on no updates/inheritance/imparting applies.
    Go to PFCG, select the role, go to the Description tab, click on Delete Inheritance.

    Profile Update/User Comparison:
    Whenever there is a change in role assignment in the User Master Record it may not be effective immediately.
    1. Transaction PFUD should be executed to update the profiles in the User Master Records.
    2. Use the option User Comparison in PFCG (User tab) to update the UMR.
    3. Run the report PFCG_TIME_DEPENDENCY in SA38 or schedule it periodically in SM36. This is also referred to as User Master Reconciliation.
    It is recommended to use the third option because it is scheduled in background mode during off-peak hours. The remaining two options may consume more time in dialog mode and hence may congest the system as well.

    User Administration:
    User administration can be controlled in the following ways:
  • 13. 1. Single Control -- small organizations, partnership firms, individual companies.
    2. Principle of Dual Control -- user administration is performed by one administrator, and role assignment and authorization changes are performed by another administrator.
    3. Principle of Triplet Control:
       a. User Administrator (can be split based on user groups)
       b. Role Assigner
       c. Authorization Administrator
    1. User Administrator: works with SU01, SU10 but only within his user group. He may or may not be allowed to assign roles and profiles.
    2. Role Assigner: the User Administrator or Business Process Owner is authorized to assign roles/profiles to the users.
    3. Authorization Administrator: creation/modification/deletion of roles is performed by an Authorization Administrator who can generate profiles (also called Profile Administrator).
    User administration is restricted by using user groups, roles, clients, authorizations and profiles.

    User Groups:
    User groups are created in SUGR. These are used to maintain users massively in SU10 while assigning roles to the users.
    User Group for Authorization Check: this is used so that user management can manage only those users who are assigned the user group in their role (S_USER_GRP). Similarly the roles can also be controlled by using S_USER_AGR, S_USER_AUT (ZMM* -- ZMZ*) (ZSD* -- ZSZ*).

    User Management:
    Users are created in SU01 and/or maintained massively in SU10. Some companies opt to use third-party tools like LDAP, custom programs or IDM tools to populate users into SAP systems.
    1. SU01
    2. SU10
    3. LDAP
  • 14. 4. Z programs to create users based on an HR Excel sheet with different roles, profiles and parameters.
    5. SECATT
    6. SCUA

    SU01 is used to create, modify, delete, display, lock, unlock, change password, copy user etc., but only for a single user. SU10 is used to create users massively but with the same details.

    SU01/SU10
    Address tab: it is used to maintain the details of the users like first name, last name, title, language, department and location.
    Logon Data:
    Alias: it is used for internet users for additional authorization; it is mostly used in CRM.
    User type: there are 5 types of users.
    1. Dialog: the only user who can communicate with the system interactively. Each session can be logged/traced and the user is responsible for the actions during audit. Multiple logons are allowed, but we can restrict them. SAP recommends not allowing multiple logons for sensitive areas like P&L, Finance and HR divisions.
    2. Service: similar to Dialog but not eligible for tracing/logging. It is an anonymous user used for reporting and other general activities. Multiple logons are allowed.
    3. System: no dialog is allowed; only login in background mode. This user is used to communicate within the system (example: CUA, ALE, IDOC, standard background jobs etc.).
    4. Communication: no dialog is allowed; only login in background mode. This user is used to communicate between systems (example: SCC9 (remote client copy), CUA, ALE, IDOC).
    5. Reference: this is used to provide additional authorizations to existing users. It is used only when a user goes on leave/vacation etc. The existing user is marked as a reference user so that logon is disabled. The user ID is specified in the delegated user's role (Reference User for Additional Rights). The user is responsible for all activities and may be logged and traced.
  • 15. Note: tracing should only be allowed under exceptional circumstances. Tracing writes enormous log files on the system.
    Defaults: specify printer, decimal notation, date format, time zone etc. These are used by default when not specified. They are overridden by program values.
    Parameters: these are used to provide default values to the input fields. The frequently keyed inputs can be configured as parameters, e.g. company code, sales organization, sales areas, sales divisions etc. They are used to reduce the dialog steps.
    Process:
    1. Go to the input field.
    2. Press F1.
    3. Go to Technical Properties.
    4. Select the parameter ID.
    5. Specify the parameter ID and value in SU01.
    Roles: these are defined in PFCG.
    Profiles: these are generated in PFCG. Do not assign any profiles; they are automatically assigned based on the role.
    Groups: these are used for mass maintenance of a group of users.
    Personalization: it is used to restrict the user selection criteria and output; mostly the output is restricted in terms of 20 lines per page, current month, last week (today-7).
    License data: the user type needs to be specified to calculate the licenses used. However this is maintained in USMM during year-end SAP auditing. SAP calculates users based on this information.
  • 16. Calling Transactions:
    When one transaction is assigned, the user may be able to call one or more other transactions, for example SM51, SM50 etc. Table TCDCOUPLES stores the details of calling and called transactions. Use transaction SE97 to set the indicator to Yes if they need to be checked.

    List of critical transactions that should not be assigned together:
    The SU99 transaction is used to provide the list of transactions that are critical for security. The customer can maintain their own exception list. These details are stored in table SUKRI.

    Restricting Access to Tables and Programs:
    If SA38 is assigned to a user he can execute all the programs. If SM30 is assigned to a user he can maintain all the tables.
    Restricting Programs: SAP recommends using AUTHORITY-CHECK inside the program to secure it, but due to lack of programming skills most programmers do not use the above command. So SAP recommends using Authorization Groups to bind the programs externally. Go to SE54 to define Authorization Groups.

    Topics:
    Handling Missing Authorizations
    CUA
    LDAP
    GRC
    SAP Security Parameters

    Handling Missing Authorizations:
    1. The user creates a ticket stating that while accessing certain transactions a pop-up message "You are not authorized" is displayed, e.g. transaction VA01. It can be due to the following reasons:
  • 17. a) The transaction is not assigned to the user.
       Resolution: assign the transaction to the user based on approval.
    b) The transaction is assigned in the UMR but the user cannot access it.
       Resolution: User Master Reconciliation -- PFCG User Comparison, PFUD or schedule PFCG_TIME_DEPENDENCY in BTC.
    c) The user can access the transaction but cannot create a sales document/PO for a specific field (company, sales organization, division, plant etc.).
       Identify the missing field through SU53 and assign it.
    d) The user was able to access the role until yesterday; this morning he cannot access it.
       The role expired or was updated, or the user was assigned the roles temporarily for 30 days, or the role is assigned through a reference user.
    e) The user is an RFC user and cannot communicate using RFC.
       Resolution: the user is locked in the source/target system. The details are buffered in the system and cannot take new values (/$sync, /$tab -- refresh the buffer). This is not recommended in PRD systems as it dramatically increases response time; users encounter high response times. Clear the hostname buffer in SM51.
    Note: it is not recommended to assign/modify/create roles without a black-and-white document (email, fax, print form) along with the necessary approvals.
    f) BTC jobs failed due to logon failure/logon denied. This is displayed in the SM37 logs. When a user leaves the company his user account is locked for 3 to 6 months and later scheduled for deletion. Meanwhile all the jobs scheduled by him are cancelled. So delete all the jobs (if permitted) and reschedule them with a BTC user.
    Note: do not activate users who are scheduled for deletion.
    g) Transports stopped due to the user TMSADM (reset the password in STMS).

    Process:
    1. The user complains of missing authorizations through a ticket.
    2. Communicate via email or call the user to send an immediate SU53 screen after the transaction failure.
  • 18. (Sometimes we may not get an authorization failure for runtime objects.) Then trace the user using ST01.
    3. The user is not assigned a transaction, authorization field, value or organizational field.
    4. Execute SUIM and identify the role with the above missing authorizations. Ensure that the role does not have more authorization than required. Run a mitigation control, identify the risks involved and send all the details to the Approver/Business Process Owner/Role Owner. Based on the mitigation/risks the approver may allow the assignment or reject it. The approver may suggest modifying the role, but after running mitigation, if the role is modified it will affect the "XY" users who are assigned that role (which is not allowed as per SOX).
    Note: do not provide any excessive authorizations to users. Identify the least affected role, or define a temporary role, and assign the authorizations to the users (based on approval from the role owner -- mail, ticket, case, request, fax, print).

    ST01 Authorization Trace:
    When a missing authorization cannot be traced in SU53, run ST01. Specify the username, switch on the trace and ask the user to run the transaction. Switch off the trace.

    SAP Security Parameters:
    login/system_client=<Client-Number> -- to set the default client for login.
    login/accept_sso2_ticket
    login/create_sso2_ticket
    login/disable_multi_gui_login -- to disable multiple logins with the same user.
    login/disable_password_logon -- deactivate password logon.
    login/failed_user_auto_unlock -- enable automatic unlock of locked users at midnight.
  • 19. login/fails_to_session_end
    login/fails_to_user_lock
    login/min_password_diff
    login/min_password_digits
    login/min_password_letters
    login/min_password_lng
    login/min_password_lowercase
    login/min_password_specials
    login/min_password_uppercase
    login/multi_login_users
    login/password_change_for_SSO
    login/password_change_waittime
    login/password_charset
    login/password_expiration_time
    login/password_history_size
    login/password_logon_usergroup
    login/system_client
    login/ticketcache_entries_max
    login/ticketcache_off
    login/ticket_expiration_time
    login/ticket_only_by_https
    login/ticket_only_to_host
    login/update_logon_timestamp
    login/password_max_idle_productive
    login/no_automatic_user_sapstar=0
    login/password_max_idle_initial
    login/password_downwards_compatibility
    Documentation is available in RZ11. A restart is required when the parameters are changed. Most of the parameters are set by default when SAP is installed; you can customise them as per the security policy. Set them in the default profile so that they are effective on all the application servers.

    LDAP
    Lightweight Directory Access Protocol: it is a protocol which is used to transfer users to, or access users from, a directory server. Directory servers (Lotus from IBM, Microsoft Active Directory Server, Sun iPlanet) are some of the servers which are used to maintain the users in the company.
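An added example (not from the slides or from SAP) that audits a profile against a hardening baseline built from the parameters listed above. The thresholds are assumptions drawn from the slides' own settings (30-day expiry, alphanumeric passwords, minimum length, no multiple logons, no automatic SAP*, no downward-compatible password hashes), and the profile excerpt is constructed sample input.

```python
"""Baseline check of SAP login/* profile parameters.

Added example, not code from the original slides or from SAP. It parses the
"parameter = value" lines of a DEFAULT.PFL-style profile and compares them
with a hardening baseline; the thresholds are assumptions, the parameter
names are the ones listed on the slides.
"""

# Expected setting per parameter: (readable rule, predicate on the int value).
BASELINE = {
    "login/min_password_lng": ("at least 8", lambda v: v >= 8),
    "login/min_password_letters": ("at least 1 (alphanumeric)", lambda v: v >= 1),
    "login/min_password_digits": ("at least 1 (alphanumeric)", lambda v: v >= 1),
    "login/password_expiration_time": ("1..30 days (0 = never expires)", lambda v: 1 <= v <= 30),
    "login/fails_to_user_lock": ("1..5 failed logons", lambda v: 1 <= v <= 5),
    "login/disable_multi_gui_login": ("1 (no multiple GUI logons)", lambda v: v == 1),
    "login/no_automatic_user_sapstar": ("1 (no automatic SAP*)", lambda v: v == 1),
    "login/password_downwards_compatibility": ("0 (no old hash formats)", lambda v: v == 0),
}


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment, later lines override earlier ones."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def audit_profile(text, baseline=BASELINE):
    """Return one finding per baseline parameter that is unset or violates its rule,
    as (parameter, actual value or None, expected rule) tuples."""
    params = parse_profile(text)
    findings = []
    for name, (rule, ok) in baseline.items():
        raw = params.get(name)
        if raw is None:
            # Unset means the kernel default applies (check it in RZ11), so flag it.
            findings.append((name, None, rule + " (not set, kernel default applies)"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, rule + " (non-numeric value)"))
            continue
        if not ok(value):
            findings.append((name, value, rule))
    return findings


# Constructed DEFAULT.PFL excerpt, not taken from any real system.
SAMPLE_PROFILE = """\
# constructed sample
login/system_client = 100
login/min_password_lng = 6
login/min_password_letters = 1
login/min_password_digits = 1
login/password_expiration_time = 90    # longer than the 30 days on the slides
login/fails_to_user_lock = 5
login/disable_multi_gui_login = 0
login/no_automatic_user_sapstar = 0
"""

if __name__ == "__main__":
    for name, actual, rule in audit_profile(SAMPLE_PROFILE):
        print(f"{name}: actual={actual!r}, expected {rule}")
```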
  • 20. The users are required in the following scenarios:
    1. Login to the domain server
    2. Login to the mail server
    3. Login to the web server
    4. Login to the print and file servers
    5. Login to SAP systems (ERP, SCM, SRM, BI and XI)
    Too many systems, too many users, too many passwords. SAP recommends configuring CUA between the clients and systems. SAP also supports LDAP, so that users are created in the directory server and populated to the other systems using the LDAP protocol, i.e. users are created in the directory server and populated to the other systems (1-5).

    Configuring DS in SAP:
    1. Use transaction LDAP to define the connection to the directory server.
    2. Define an RFC connection of type T in SM59 pointing to the directory server, i.e. using a Program ID.
    3. Create a system user (not in SU01); create the user in the LDAP transaction.
    4. Distinguished Name: it specifies the user attributes:
       c = company
       cn = common name
       sn = surname
       o = organization
       These details are provided by the system admin.
    5. Server -- name of the LDAP server; Connector -- RFC connection defined in SM59.
    6. User -- user defined in the LDAPUSER table.
    7. Define the mapping between fields in LDAPMAP.
    8. Schedule the report RSLDAPSYNC_USER to synchronise between the directory server and the SAP system.
    9. Use the report RSLDAPTEST to check LDAP.
    Defining LDAP Server:
  • 21. Click on LDAP Server.
    Provide the server name.
    Hostname -- name of the DS
    Port number -- 389
    Product -- MS ADS
    Protocol -- LDAP Version 3
    System Logon -- specify the user

    SOX (Sarbanes-Oxley Act 404)
    After the Enron scandal the US government passed an act (SOX 404) to protect the interest of all the stakeholders/shareholders of a company. Each public limited company has to ensure that their shareholders' interests are protected by using internal controls.
    SAP provided PFCG to create roles and assign them to users. It is not intelligent in the following areas:
    1. Why, when and how a role is created and assigned.
    2. What the change history of the role is (modification history).
    3. What risks are involved in modifying the role and assigning the role.
    4. How to identify the risks in the system.
    5. How to ensure that all the security compliances are met.
    SAP could not address all the above using SAP Security. SAP-certified third-party tools like VIRSA, APPROVA and Security Weaver perform most of the above tasks. These tools have their own programs, tables and reports. SAP procured VIRSA and released a product, SAP GRC (Governance, Risk and Compliance), with the following tools:
    1. Virsa Role Expert
    2. Virsa Compliance Calibrator
    3. Virsa Access Enforcer
    4. Virsa Fire Fighter