RM
Uploaded byRagu M
DOCX, PDF22,672 views

SAP Security important Questions

1. The document discusses how to secure various assets in SAP like master data, financial reports, and user authentication. 2. It describes tools like VIRSA and Approva that are used for security, as well as the use of roles to assign authorizations to users and enforce segregation of duties. 3. Processes like authentication, authorization, and defining authorization objects, classes, and profiles are explained in relation to implementing security controls in SAP.

Embed presentation

Downloaded 1,701 times
1.what needs to be secured in the company?? Material Master Vendor Master Employee Master Asset Master Profit & Loss Reports Financial Information. 2.From Whom???? The AUthenticated Users who are created in SAP. 3. How to Protect??????????????? 1.who does what and upto what level and which jurisdiction...... Example: A Purchasing Officer Creates and Approves Purchase Order for value not more then 10,000(ten thousand only)for his division(028) 2.Define the SOD(Seggregation of Duties/Separation of Duties) SOD is a Matrix which is used to specify the position along with Roles and Responsibilities. 4. what tools are Used??????????? 1.VIRSA tool a third party tool owned by SAP 2.Approva tool From SAP SU01,Su10,Su20,Su21,Su22,Su23,Su24,Su25,Su53,Su56 SUIM,SU99,PFCG,PFUD,SU02,SU3,Sm30,Se38,SE54,SA38,sE12 St01 _____________________________________________________ SOX (Sarbanes Oxley Act-404). it specifies that a Single Business transaction Should not be assigned to a Single User to avoid the malpractices and misutilization if public Funds. Example: 1.Hire Requisition 2.Hiring(Recruiting) 3.Job Assignment 4.Time Recording 5.Pay Roll Processing 6.Salary Disbursement.
1.Purchase Requisition 2.Purchase Approval and Release 3.Invoice and Billing 4.Goods Delivery 5.Goods Receipt 6.Payment to the vendor 7.Reconciliation All the above activities should not be assigned to a single User. They need to spread across the users. Role Matrix/SOD It is a matrix which contains positions/jobs along with assigned transactions. The Roles are assigned to Users to get authorizations to transactions. Authentication: it is a process of Providing UserID and Password to Login. Authorization:it is the process of assigning roles to user to perform certain activity. There is no role to restrict authorizations.if a user is authorised means he is allowed to perform certain activities. Designing Security: it is also implemented in similar and parallel to SAP Implementation. i.e ASAP Methodology is used to design,develop,tranport,test and production use. 1.Analysis and Conception Phase: 2.Desiging Phase 3.Implementation 4.Testing 5.Cutover Phase 1.Analysis and Conception Phase: Understand the Security Requirements of the Customer. Assemble the Project Implementation Team and gather the Requirements related to security. Identify the Assests,Materials,Financial Structure(Account Receivables,Account Payables)
Identify the Actions(activities that needs to be protected) on a Specific Field,Area,Object Create,modify,display,reverse,approve,print,upload,download etc are the actions on an Object PO for Field(purchasing Area)(02) * means all the possible areas. Do not Specify Asterick(*) for any Open Field. Get the Requirements and Design a Role Matrix for Each Module. Identify the jobs/positions and Responsibilities and Define the matrix. ************************************************************* Desiging Phase: Define the Role Matrix/SOD Blue Print and refine till it gets approved/sign- of. ************************************************************* Development/Implementation/Realization Phase: Develop the Roles in the Cust Client and Transport them to TEST Client for Testing. Assign the roles to Business Process Owners and Test Them. ************************************************************* Testing/Quality Assurance/Final Prep release the roles in Developement for transportation.Import the Same in QTST Client in QAS System. After Sucessfull Testing Import them to TRNG Client(where END Users are trained on the system Roles ___________________________________________________________ Cutover Phase/Go-live Phase Transport them to Production System _____________________________________________________ Initializing Profile Generator: SU25: initially fill the customer tables This is the first step to be executed before starting to work on Security. USOBT and USOBX are the SAP Standard Tables
USOBT--------Transaction vs Authorization Object USOBX--------Check Indicators Table when you execute above transaction(SU25 initial fill) it copies the entries from USOBT and USOBX to Customer Tables USOBT_C and USOBX_C.Then Customer can modify accordingly. if this is run after certain settings all the customer settings will be lost. How Security Works?????????????????????????????????????? 1.User ID and Password(authentication of User) To stop misusing system credentials or impersonation by others variuos security parameters for UID and password are set.(30 Days expiry,alpa numeric passwords,min length,disallow multiple logons) 2.when a user executes a Transaction it checks whether it is locked or not in SM01 3.it checks whether transaction is allowed to execute in Authorization Object S_TCODE 4.it checks the table TSTCA to check for minimum authorizations that are required to execute the transaction. 5.it checks all the Authorization objects assigned to transaction in Su24 are avaialble in the User Context. 6.it also checks for Authorization Objects which are included in the program using command AUTHORITY-CHECK Each Transaction is checked under Object S_TCODE field name is TCD SU24: it gets the values from tables USOBT and USOBX USOBT contains the List of Authorization Objects assigned to a Transaction which can be checked when a transaction is executed. USOBX Contains the list of Authorization Objects that needs to be (checked,not checked,check and Maintain,unmaintained4) There are certain Objects which needs security but may not require to be checked.So they can set to CHECK-NO in SU24. Each Change is Client Independent(Repository) and requires a Work bench Request.
Programming Authorizations Each Program that needs to be secured Uses Command AUTHORITY-CHECK followed by Authorization Object,Field,Value and Activity. The Authorization is controlled at field level and based on activity.These are used in the programs and checked by using Authority-check command. it is recommended to advice developers to use this command in their programs to secure programs. Authorizations: Authorization Field:The Lowest granular field that needs to protected is known as authorization field. These are defined in Transaction SU20.These are performed at repository level so,they are at cross-client level.each New field requires naming convention(Y,Z). These are also referred as database table Fields.(PO,SO,Salary) Authorization Activity:The Type of action that will be performed on the Field. Create,Modify/Update,Display,Delete,Approve etc These Activities are defined in table "TACT". it is editable in SM30. Activities are identified by using two alpa numeric letters. Authorization The Field with activity or value is referred as an Authorization. PO--Create(01),Display(03).Modify(03) PO--Purchasing org(0001),Area(002),Plant(SRN) The Group of not more then 150 Authorizations are called as an Authorization Profile. if the authorizations exceed ie. more then 150,then another prfoile is created with name_1 and grouped into a composite Profile. Authorization Object:
The Group of not more then 10 Relative Authorization Fields is known as Authorization Object. These are defined in SU21 .Each Authorization Object is assigned with predefined Activities that are stored in the table "TACTZ" Authorization Classes: The Group of relative Authorization Objects are called as Authorization/object Class which are defined in Su22 This Authorization Object is assigned to Transaction in SU24 and marked to check/uncheck to maintain in PFCG. Authorization Role: These are referred as Activity Groups until version 46B. from 46C Activity Groups are named as Roles. Role is a synonym which contains Profile,Menus,URL,Reports etc.. Role is only a Name but Authorizations are available through Profiles only. Roles are created in Transaction PFCG(Profile Create and Generate) _____________________________________________________ 1.Su01 2.Sm01 3.S_TCODE 4.TSTCA 5.SU24 6.Authority-check _____________________________________________________ User Context: it is a part of roll area(roll file) where User Related information is stored.it is like a Cookie on the Browser. it is available till the user is logged-in.User Context is lost when the log-of SU56 is used to display the User Context Information. User Context Contains Authorizations,screens etc ----------------------------------------------------- Missing Authorizations: 1.user Executes a Transaction 2.it checks in the USer Context i.e Su56 for availability 3.if it is not available it records in SU53.
IT CHECKS FOR MISSING Authorization Object,Authorization Field,TCODE,Field Value,Activitity, and Oraganization Value and records then in SU53 SU53 records only the last missing Authorization. Su53 Could not log missing authorizations for the earlier sessions except the current Session. So ST01 is used to trace the authorizations. ---------------------------------------------------- Role:Roles are defined in PFCG and Roles Contains Authorization Fields,Values,activities,Authorization Objects,Profiles,Composite Profiles,Authorization Classes,Transactions,Menus,URLS,Reports etc. Execute PFCG and Create Role 1.Define the Roles as per naming conventions 2.Create Roles in one Client(Golden Client) and Transport them to other clients and Systems in the Landscape 3.Role can be uploaded and Downloaded into the System 4.Roles can be transported using transports massively 5.Ensure that roles does not contain Duplicate Authorizations. 6.ASSIGN ONLY THE ROLES THAT ARE APPROVED/REQUIRED as per SOD **************************************************************** PFCG is used for the following: 1.Create/Modify/Display/Delete a role. 2.Role can be download to File System.(Download) 3.Role can be Uploaded into SAP System(Upload) Specify the Role Name and Click on Create:(you can also copy a Role from the existing Role) Describe the Role with short Description Describe the Role with Description Tab(This Role is Created for Plant Maintenance(Planning Division) this Role contains the Following Transactions (specify the list of Transactions along with Role Owner) DEscirption is used to identify the role Creater/Modifier/Owner of the Role Further chnages to the role should be performed by obtaining approval from role owner Click on menu Tab it is used to include Transactions,Reports,Menus,URL and Other Applications
Menu: Menus are used to provide user freindly navigational Elements.These are defined in SE43. SAP provides SAP Easy Access Menu which can be overwritten by User Menu. we can create our own menus in Se43. we can include authorizations based on Menus. we can copy transactions from SAPmenu/UserMenu/Area Menus(SE43) Note:when custom Programs/Reports are included they are automatically created/assigned with a Transaction Code that starts with "Y" menus are only used to include a Transaction but The authorizations are required to be maintained as per SU24 Check and Maintain Options (Yes/NO) Click on Authorizations TAB Click on Change Authorization Data to maintain the Open Fields and Activities. Example Su01 is assigned to the role.The User Who is assigned with the role can create USer but with certain Restrictions(Only to a client,group,role,profile etc) Change authorization Data provides the List of Open Fileds(for Authorization Objects that are checked in Su24) The Auth Classes,objects,profiles,Fileds are displayed in Traffic Light Colours YELLOW---------Activity or Field Value is Missing RED------------Organizational Value is Missing(SALES Organisation,sales Area,Distribution Channel,Plant,storage location etc) Green---------all the values are maintained. Click on Organizational values and Provide the details as per SOD to ensure that all the red lights are turned off.
For Yellow Lights we need to open manually and Mainain the fields and Activities. we can also include objects manually(it is not recommended,inturn assign them to Transaction in Su24 for automatic availability in PFCG) save the Role,Generate Profile(Profile contains Authorizations). The Role is effective only after generation of Profiles for each change in a role profile generation is Required. Assign the Role to the User and perform USER COMPARISON so,that role is effective immediatly. miniAPps are no more Use which are used upto 46C Personalization: it is used to restrict the out put of a report/program during time recording-it should display last one week and future one week salary last month These Personalization objects are recorded using transaction "PERSREG" Profiles are widely used upto 46B with the combination of Activity Groups. Activity Groups are renamed as Roles in 46C. So while working with system versions less then 46C AG,CAG(composite),DAG(derived) are widely discussed Earlier Profiles are created in Su02 like SAP_ALL and SAP_new. SAP Discontinued the Usage of Profiles and Introduced the Roles since 46C. but the Profile tab is till available in Su01 Transaction. SAp_ALL and SAP_new are only the Composite profiles that are still available in the systems(Current Versions) Profiles are no more Created only Generated while creating a Role. Profiles can be massivley generated(after a Role Upload,Role Tranport)using SUPC. During the Transport only Roles are transported(i.e no profiles are transported along with Roles) So it is required to generate the Profiles using SUPC Depending up on the Number of Authorizations in the role Composite Profiles are created automatically.
it is not recommended to assign profiles in the current systems based on Netweaver,instead assign Roles which contains Profiles. SAP_ALL and SAP_NEW are only assigned in TEST/SAND/QTST/TRNG systems,but not on CUST/PROD Systems. Single Role: The Role That is created in PFCG in the Customer naming Convention. it provides certain authorizations when assigned to a user. Single Role can be Referencing Role which will be a base to create other Roles(Copy Role).Single Role Can be a Parent Role to create child Roles.Single Roles can be grouped to create Composite Roles. These Roles cannot be differentiated physically but only identified by using naming Conventions. WILL_COMP_MM_DIV_10 WILL_DER_SD_SAREA_345 WILL_PARENT_SD_SAREA _______________________________________________________ cOMPOSITE rOLES: The Group of Roles for Administrative Convenience or for easy maintenance. Example; A Zonal Manager Belongs to a Distribution Channel like Vishakapatnam(Srikakulam,VZNAGRAM,EG,WG) Each District has a District Manager where he can work only on his allocated district. The Four Distrcit Manager Roles are grouped and assigned to Zonal Manager. The Role Enhancement(assign,reassign,delete)for all the roles automatically Result in Zonal Manager Role. go to pfcg specify a role name Company Code,Contr Area,DIV,Sales org,DC 1.00101 0001 01,02,0001,01,12,14,10 ----------------------------- Creeate a Composite Role Authorization TAB is missing because we cannot assign any additional Authorizations only we can include Roles. No Profiles are generated(only the profiles in the included Roles are used).
Menus can be Compressed by avoiding duplicates what ever the Changes in the Roles will be effected in the Composite Role. we can only Composite compress menus in Composite Roles and Include Roles. Profiles are transported along with Composite Roles. ---------------------------------------------------- Parent Role: it is a Single Role which will be referenced to create child roles. in most of the scenarios the parent role is not assigned to any user. it is considered as a Template to create other roles. The major advantage is the changes in Parent roles are automatically adjusted to child/derived roles. but it is not possible while copying roles.copying is only one time activity.where as parent-child reationship is life long until relation is broken/deleted. Creating a Child Role/Derived Role: 1.go to pfcg 2.specify Role name that should identify the Derived Role. 3.Click on Create 4.go to description TAB Specify the Parent Role Name in derived from Role and save.... 5.menu TAB is missing i.e you cannot add any object through Menu TAB and we can say MENUS are FIXED 6. while modifying parent role derived roles cannot be modified. 7.Maintain the Open Fields(Org levels,field values,actvts) 8.save and generate the profile Updating or Enhancing a Parent Role: go to PFCg Select the parent Role Include or exclude in the menus click on change authorization data maintain the open Fileds. save and generate the Profile for parent Role
Click on Adjust Derived Roles. It automatically adjust all the derived Roles except the org values. parent Role Impart all the authorizations to Child/derived roles but not the ORG VALUES. Parent Role and Child Roles are differed by Organization values These are used to create a PLANT Manager,warehouse Incharge,Division Manager,DEpot manager etc roles which are similar in all the activities but only differed by ORG Values. The parent role impart all the properties to the child roles. the child inherits all the roles except organizational values which needs to be maintained in the child Roles. Delete Inheritance The Child Role can break the relationship with parent,since then no updates/inheritance/imparting applies. go to pfcg select the role go to description tab click on delete inheritance *************************************************************** Profile Update/User Comparison when ever there is a change in role assignment in the User Master Records it may not effective immediatly. 1.Transaction PFUD should be executed to to update the profiles in User Master Records. 2.Use Option User Comaparison in PFCG(User TAB) to update UMR. 3.Run a Report PFCG_TIME_DEPENDENCY in SA38 or schedule periodically in SM36. it is also referred as User Master Reconciliation. it is recommended to use the 3 option because it is scheduled in the background mode during off peak hours. remaining two options may consume more time in the dialog mode and hence may congest the system as well. *************************************************************** User Administration The User Administration can be controlled in the Following ways
1.Single Control----small oraganizations,partnership firms,individual companies 2. Principle of Dual Control----The User administration is performed by an administrator and role assignment,authorization changes are performed by another administrator 3.Principle of TRIPLET Control: a.User Administrator can be scattered based on Groups b.Role Assigner c.Authorization Administrator 1.User Administrator: who works with SU01,Su10 but only based on his User Group.He may/may not be be allowed to assign roles and profiles. 2.Role Assigner: User ADMinistrator or Business Process Owner is authorized to assign Roles/profiles to the users. 3.Authorization Administrartor; Creation/Modification/Deletion of Roles are Performed by an Authorization Administrator who can generate Profiles.(also called as Profile Administrator). The User administration is restricted by Using User Groups,Roles,Clients,Authorizations and Profiles. ----------------------------------------------------------------User Groups: User Groups are created in SUGR These are used to maintain the users massively in SU10 while assigning Roles to the users. User Group for Authorization Check: This is used to facilitate the Usermanagement to manage the users those who are assigned with the user group in their Role(S_USER_GRP) Similarly the Roles also can be controlled by using S_USER_AGR,S_USER_AUT (ZMM*-------ZMZ*)(ZSD*------ZSZ*) ________________________________________________________________ User Management Users are created in Su01 and or maintained massively in Su10. Some companies opt to use third party tools like LDAP,Custom Programs,IDM Tools to poulate users into SAP Systems. 1.Su01 2.Su10 3.LDAP
4.Z Programs to create Users based on HR Excel Sheet with different roles,profiles and parameters. 5.SECATT 6.SCUA _____________---------------___________________________ Su01 is used to create,modify,delete,display,lock,unlock,change password,copy user etc but only a single user. Su10 is used to create users massivley but with same details. SU01/Su10 Address TAB it is used to maintain the details of the users like first name,lastname,title,language,department and location. Logon Data: Alias it is used for internet Users for additional Authorization it is mostly used in CRM User type: There are 5 types of Users 1.Dialog ;is the only user who can communicate with the system interactively .Each of the session can be logged/traced and responsible for the actions during audit. Multiple logons are allowed.but we can restrcit them.SAP recommends not to allow multiple logons for Sensitive areas like P&L,Finance and HR divisions. 2.Service User is also similar to Dialog but not eligible for tracing,logging.it is an anonymous user used for reporting and other general activities. Multiple logons are allowed 3.System User: no Dialog is allowed.only to login in the background mode.This user is used to communicate with in the System(example: CUA,ALE,IDOC,standard background jobs etc) 4.Communication: no Dialog is allowed.only to login in the background mode.This user is used to communicate between the Systems(example: SCC9(remote Client Copy),CUA,ALE IDOC) 5.Reference user: this is used to provide additional authorizations to the exisiting users.it is used only when a user goes on leave/vacation etc. The Exisiting User is marked as Reference user so that logon is disabled. The USer id is specified in the delegated User Role(Reference user for additional Rights). The User is responsible for complete activities and may be logged and traced..
Note: tracing should only be allowed under exceptional circumstances.Tracing writes enormous log files on the system. Default: Specify Printer ,Decimal Notation,Date Format,time zone etc These are used by default when not specified.They are overridden by program values. Parameters: These are used to provide default values to the input fileds. The Frequently keyed inputs can be configured as parameters. example(companycode,sales organization,sales areas,sales divisions etc ).it is used to reduce the dialog steps. Process: 1.go to the input field 2.press F1 3.go to technical properties 4.select parameter id 5.specify paramter id and value in su01 Roles: These are defined in PFCg Profiles: These are generated in PFCG.Do not assign any profiles, They are automatically assigned based on the role, Groups; These are used for mass maintenance for a group of users Personalization: it is used to restrict the user selection criteria and out put mostly the output is restricted in terms of 20 lines per page.current month,last week(today-7) License data: Need to Specify the USer type to calculate the Licenses used. however this is maintained in USMM during year end SAP Auditing. SAP Calculates Users based on this information. ______________________________________
Calling Transactions: when one transaction is assigned the user may be able to call one more transactions example SM51.Sm50 etc Table TCDCOUPLES stores the details of calling and called transactions. Use Transaction Se97 to check the Indicator to Yes if they need to be checked _____________________________________________________________ List of Critical Transactions that should not be assigned together ::::::: SU99 transaction is used to provide the list of transactions that are critical for security.. Customer can maintain their exception list These details are stored in Table SUKRI. ************************************************************** Restricting Access to tables and Programs: if SA38 is assigned to a user he can execute all the programs. if SM30 is assigned to a user he can maintain all the tables. Restricting Programs: SAP Recommends to use AUTHORITY-CHECK to program internally to secure the programs. but due to lack of programming skills most of the programmers does not use above commands. So, SAP Recommends to use Authorization Groups to bind the programs externally. go to SE54 to define Authorization Groups *************************************************************Handling Missing Authorizations CUA LDAP GRC SAP Security parameters ****************************************** Handling Missing Authorizations: 1.user creates a ticket that while accessing certain transactions it is displayed with a pop message that "you are not authorized".example Va01 transaction. it can be due to following reasons:
a.)transaction is not assigned to the user resol: Assign the transaction to the user based on approval b.)Transaction is assigned in UMR but user could not access. resol: User Master reconciliation-----PFCG User Comparison,PFUD or schedule PFCG_TIME_DEPENDENCY in BTC c.)user can access the transaction but could not create sales document,PO for specific Field(Company,sales Organization,Division,plant,etc) Identify the Missing Field through SU53 and assign them D.)User is able to access the role until yesterday.today morning he could not access....... Role Expired or Role is Updated,or the user is assigned roles temporarliy for 30days or role is assigned through a reference user. e.)User is an RFC User and could not communicate using RFC. resol:The User is Locked in the Source/Target System. The details are buffered in the system and could not take new values(/$sync,/$tab-------- refresh the buffer).it is not recommended in PRD Systems which dramatically shoots up reponse time.User Encounters high response times. Clear hostname buffer in SM51) Note: it is not recommended to assign the roles/modify/create the roles without any B&W document(email,Fax,Print Form) along with Necessary Approvals. f.)BTC jobs failed to due to logon failure/logon denied.This is displayed in SM37 logs. when a user leaves the company his user account is locked for 3 months- 6months and later scheduled for deletion.Mean while all the jobs scheduled by him are cancelled.So,delete all the jobs(if permitted) and reschedule the jobs with a BTC User. Note: Do not activate the Users who are scheduled for deletion. g.)Transports stopped due to the user TMSADM(Reset the password in STMS) Process: 1.User Complained of Missing Authorizations through a ticket. 2.Communicate via email or call the user to send an immediate SU53 screen after transaction failure.
(Some times we may not get authorization failure for runtime objecs).Then Trace the user using ST01 3.The User is not assigned with a Transaction,Authorization Field,Value or organizational Field. 4.Execute SUIM and Identify the Role With the Above missing Authorizations. Ensure that role does not have more authorization then required. Run a Mitigation Control and identify the risks involved and send all the details to the Approver/Business Process Owner/Role Owner Based on Mitigation/Risks the Approver May allow to assign or reject. Approver may suggest to modify the Role,but after running mitigation if role is modified it will effect "XY" USers who are assigned with that role. (which is not allowed as per SOX) Note: Do not Provide any excessive authorizations to users Identify the Least effected Role,or define a Temp Roleand assign the authorizations to the Users(based on approval from Role Owner--- mail,ticket,case,Request,fax,print). ST01 Authorization Trace: When missing authorization could not be traced in Su53 then run ST01 . specify the Username and switch on the trace and ask the user to run the transaction. Switch of the trace. ************************************************************* SAP Security Parameters: Login/System_client=<Client-Number> to set the default client for login. login/accept_sso2_ticket login/create_sso2_ticket login/disable_multi_gui_login--to disable multiple logins with same user. login/disable_password_logon --deactivate password logon login/failed_user_auto_unlock--Enable automatic unlock off locked user at midnight
login/fails_to_session_end---- login/fails_to_user_lock login/min_password_diff login/min_password_digits login/min_password_letters login/min_password_lng login/min_password_lowercase login/min_password_specials login/min_password_uppercase login/multi_login_users--- login/password_change_for_SSO login/password_change_waittime login/password_charset login/password_expiration_time login/password_history_size login/password_logon_usergroup login/system_client login/ticketcache_entries_max login/ticketcache_off login/ticket_expiration_time login/ticket_only_by_https login/ticket_only_to_host login/update_logon_timestamp login/password_max_idle_productive login/no_automatic_user_sapstar=0 login/password_max_idle_initial login/password_downwards_compatibility Documentation is available in Rz11. Restart is required when the parameters are chnaged Most of the parameters are set by default when SAP is installed.you can customise them as per security policy.` set them in default profile so that they are effective in all the application servers. *********************************************** LDAP Lightweight Directory Access Protocol it is a protocol which is used to transfer the users or access the users from Directory Server. Directory Server(Lotus from IBM,Microsoft Active Directory Server,Sun IPlanet ) are some of the servers which are used to maintain the Users in the Company.
The Users are required in the Following scenario. 1.Login to Domain Server 2.Login to Mail Server 3.Login to Web Server 4.Login to Print and File Servers. 5.Login to SAP Systems.(ERP,SCM,SRM,BI and XI) Too Many Systems,too many users,too many passwords, SAP Recommends to configure CUA between the clients and systems. SAP also Supports LDAP,so that Users are created in Directory Server and populated to other Systems Using LDAP Protocol. i,e Users are created in DirectoryServer and pouplated to other systems.(1- 5) Configuring DS in SAP. 1.Use Transaction LDAP to define connection to Directory Server. 2.Define RFC Connection of type 'T' in SM59 pointing to Directory Server i.e using Program ID 3.Create a System User(not in Su01).Create User in LDAP Transaction. 4.Distinguished Name: it is specifies the User Attributes c= company cn=common name sn=suername o= organization These details are provided by System Admin. 5.Server--Name of the LDAP Server Connector-----RFC Connection Defined in SM59 6.USer---User Defined in LDAPUSER Table 7.DEfine the Mapping between Fields in LDAPMAP 8.schedule a Report RSLDAPSYNC_User to synchronise between Directory Server and SAP System. 9.Use report RSLDAPTEST to check LDAP Defining LDAP Server
Click on LDAP Server Provide Server name Hostname-----name of the DS Pornumber----389 Product-----MS ADS Protocol---LDAP Version3 System Logon -Specify User ***********************************************SOX(sarbanes Oxley Act 404) After Enron Scandal US govt passed an ACT(SOX 404 to protect the interest of all the stake holder/share holders of the company. Each public limited Company has to ensure that their share holders interests are protected by using Internal Controls. SAP provided PFCG to create Roles and assign them to the Users. it is not intelligent in the following areas. 1.why,when and how a role is created and assigned. 2.what is the change history of the role(modification History) 3.What are risks involved in modifying the role and assiging the role. 4.How to identify the Risks in the system 5.How to ensure that all the security compliances are met. SAP Could not address all the above using SAP Security. SAP certified third party tools like VIRSA,APPROVA,security weaver perform most of the above tasks These Tools has their own programs ,Tables,Reports. SAP Procured VIRSA and released a Product SAP GRC Governance,risks and Compliance with the Following Tools 1.Virsa Role Expert 2.Virsa Compliance Calibrator 3.Virsa Access Enforcer 4.Virsa Fire Fighter

More Related Content

PDF
SAP SECURITY GRC
bytechgurusuresh
 
DOCX
SAP Security interview questions
bySiva Pradeep Bolisetti
 
DOCX
What is sap security
bygrconlinetraining
 
DOC
sap security interview_questions
bysumitmsn2
 
PPTX
SAP Security & GRC Framework
byHarish Sharma
 
PDF
Introduction to SAP Security
byNasir Gondal
 
PPT
Sap Security Workshop
bylarrymcc
 
PDF
081712 isaca-atl-auditing sap-grc
byhkodali
 
SAP SECURITY GRC
bytechgurusuresh
 
SAP Security interview questions
bySiva Pradeep Bolisetti
 
What is sap security
bygrconlinetraining
 
sap security interview_questions
bysumitmsn2
 
SAP Security & GRC Framework
byHarish Sharma
 
Introduction to SAP Security
byNasir Gondal
 
Sap Security Workshop
bylarrymcc
 
081712 isaca-atl-auditing sap-grc
byhkodali
 

What's hot

PDF
Sap GRC Basic Information | GRC 12 online training
bygrconlinetraining
 
PPTX
Sap security interview question & answers
byNancy Nelida
 
PPT
Introduction on sap security
byyektek
 
DOC
Authorisation Concept In SAP | http://sapdocs.info
bysapdocs. info
 
PDF
165373293 sap-security-q
byAnywhere Gondodza
 
PPTX
SAP GRC AC 10.1 - ARM Workflows
byRohan Andrews
 
PPT
SAP BI 7 security concepts
bySiva Pradeep Bolisetti
 
PDF
Anil kumar sap security & GRC
byAnil Kumar
 
PDF
Sap security tasks
bySiva Pradeep Bolisetti
 
PDF
Implementing SAP security in 5 steps
byERPScan
 
DOC
Sap security-administration
bynanda nanda
 
PDF
Grc 10 training
bysuresh
 
PDF
Practical guide for sap security
bySiva Pradeep Bolisetti
 
DOC
Derived master roles Configuration screenshots in SAP Security
byBharath Trainings
 
PDF
SAP GRC 10 Access Control
byNasir Gondal
 
PPT
Day5 R3 Basis Security
byGuang Ying Yuan
 
PDF
Creating new users and roles in sap guide
bymehboobhafz
 
PDF
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
byakquinet enterprise solutions GmbH
 
PDF
Sap basis-notes-keylabs-training
bynanda nanda
 
PDF
SAP GRC
byKellton Tech Solutions Ltd
 
Sap GRC Basic Information | GRC 12 online training
bygrconlinetraining
 
Sap security interview question & answers
byNancy Nelida
 
Introduction on sap security
byyektek
 
Authorisation Concept In SAP | http://sapdocs.info
bysapdocs. info
 
165373293 sap-security-q
byAnywhere Gondodza
 
SAP GRC AC 10.1 - ARM Workflows
byRohan Andrews
 
SAP BI 7 security concepts
bySiva Pradeep Bolisetti
 
Anil kumar sap security & GRC
byAnil Kumar
 
Sap security tasks
bySiva Pradeep Bolisetti
 
Implementing SAP security in 5 steps
byERPScan
 
Sap security-administration
bynanda nanda
 
Grc 10 training
bysuresh
 
Practical guide for sap security
bySiva Pradeep Bolisetti
 
Derived master roles Configuration screenshots in SAP Security
byBharath Trainings
 
SAP GRC 10 Access Control
byNasir Gondal
 
Day5 R3 Basis Security
byGuang Ying Yuan
 
Creating new users and roles in sap guide
bymehboobhafz
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
byakquinet enterprise solutions GmbH
 
Sap basis-notes-keylabs-training
bynanda nanda
 
SAP GRC
byKellton Tech Solutions Ltd
 

Similar to SAP Security important Questions

PDF
Iia los angeles sap security presentation
byhkodali
 
PDF
Authorization objects a simple guide
byAlbert Shumov
 
PDF
Sap security - How to.pdf
byssuser2e0e7a
 
PDF
Why your works council has nothing to fear from SAP security. [Webinar]
byakquinet enterprise solutions GmbH
 
PPTX
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
PDF
Authorization objects a simple guide.doc (1)
byVikram Polinati
 
PDF
Sap basis and_security_administration
byAnil Kumar Reddy Cheppalli
 
PDF
CSI tools SAP Authorization Presentation TROOPERS 2014
byCSI tools
 
PPT
26012 Managing &amp; Auditing Security During Implementation And Beyond 03172009
bydenigoin
 
PPTX
Implementing security and controls in people soft best practices - may 2017
bySmart ERP Solutions, Inc.
 
PPTX
SmartERP PeopleSoft Security
bySmart ERP Solutions, Inc.
 
PPTX
Segregation of Duties and Sensitive Access as a Service
bySmart ERP Solutions, Inc.
 
PPT
OneAccess-UserManager
bySelva Kumar ITIL CGAP CISA GRC10.0 Certified
 
PPTX
How can managed services improve your SAP security and compliance? [Webinar]
byakquinet enterprise solutions GmbH
 
PPTX
Alexey Yudin. Building a GRC System for SAP
byPositive Hack Days
 
PPTX
Grc eng
byPositive Hack Days
 
PPTX
Alexey Yudin
byPositive Hack Days
 
PPTX
Grc eng
byPositive Hack Days
 
DOC
TP Security CV
byvtprasad
 
PPTX
Segregation of Duties and Sensitive Access as a Service webinar
bySmart ERP Solutions, Inc.
 
Iia los angeles sap security presentation
byhkodali
 
Authorization objects a simple guide
byAlbert Shumov
 
Sap security - How to.pdf
byssuser2e0e7a
 
Why your works council has nothing to fear from SAP security. [Webinar]
byakquinet enterprise solutions GmbH
 
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
Authorization objects a simple guide.doc (1)
byVikram Polinati
 
Sap basis and_security_administration
byAnil Kumar Reddy Cheppalli
 
CSI tools SAP Authorization Presentation TROOPERS 2014
byCSI tools
 
26012 Managing &amp; Auditing Security During Implementation And Beyond 03172009
bydenigoin
 
Implementing security and controls in people soft best practices - may 2017
bySmart ERP Solutions, Inc.
 
SmartERP PeopleSoft Security
bySmart ERP Solutions, Inc.
 
Segregation of Duties and Sensitive Access as a Service
bySmart ERP Solutions, Inc.
 
OneAccess-UserManager
bySelva Kumar ITIL CGAP CISA GRC10.0 Certified
 
How can managed services improve your SAP security and compliance? [Webinar]
byakquinet enterprise solutions GmbH
 
Alexey Yudin. Building a GRC System for SAP
byPositive Hack Days
 
Grc eng
byPositive Hack Days
 
Alexey Yudin
byPositive Hack Days
 
Grc eng
byPositive Hack Days
 
TP Security CV
byvtprasad
 
Segregation of Duties and Sensitive Access as a Service webinar
bySmart ERP Solutions, Inc.
 

Recently uploaded

PDF
Projecte de la porta de primer B: L'antic Egipte
byeduardrubio1
 
DOCX
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
PDF
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
PPTX
Campfens "The Data Qualify Challenge: Publishers, institutions, and funders r...
byNational Information Standards Organization (NISO)
 
PPTX
How to Manage Package Reservation in Odoo 18 Inventory
byCeline George
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PDF
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
PDF
Current Electricity for first year physiotherapy
byGanesh Jadhav
 
PDF
Digital Wellness in University Communities: Libraries as Guardians of Healthy...
bySylvester Ebhonu
 
PDF
BỘ TEST KIỂM TRA CUỐI HỌC KÌ 1 - TIẾNG ANH 6-7-8-9 GLOBAL SUCCESS - PHIÊN BẢN...
byNguyen Thanh Tu Collection
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PPTX
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
PPTX
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PPTX
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
PPTX
Semester 6 unit 2 Atopic dermatitis.pptx
bysachin7989
 
PPTX
Semester 6 UNIT 2 Dislocation of hip.pptx
bysachin7989
 
PPTX
2025-2026 History in your Hands Class 4 December 2025 January 2026 .pptx
byEilsONeill
 
PPTX
extracting significant information to formulate sound judgement
byMarichelle2
 
Projecte de la porta de primer B: L'antic Egipte
byeduardrubio1
 
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
Campfens "The Data Qualify Challenge: Publishers, institutions, and funders r...
byNational Information Standards Organization (NISO)
 
How to Manage Package Reservation in Odoo 18 Inventory
byCeline George
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
Current Electricity for first year physiotherapy
byGanesh Jadhav
 
Digital Wellness in University Communities: Libraries as Guardians of Healthy...
bySylvester Ebhonu
 
BỘ TEST KIỂM TRA CUỐI HỌC KÌ 1 - TIẾNG ANH 6-7-8-9 GLOBAL SUCCESS - PHIÊN BẢN...
byNguyen Thanh Tu Collection
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
Semester 6 unit 2 Atopic dermatitis.pptx
bysachin7989
 
Semester 6 UNIT 2 Dislocation of hip.pptx
bysachin7989
 
2025-2026 History in your Hands Class 4 December 2025 January 2026 .pptx
byEilsONeill
 
extracting significant information to formulate sound judgement
byMarichelle2
 

SAP Security important Questions

  • 1.
    1.what needs tobe secured in the company?? Material Master Vendor Master Employee Master Asset Master Profit & Loss Reports Financial Information. 2.From Whom???? The AUthenticated Users who are created in SAP. 3. How to Protect??????????????? 1.who does what and upto what level and which jurisdiction...... Example: A Purchasing Officer Creates and Approves Purchase Order for value not more then 10,000(ten thousand only)for his division(028) 2.Define the SOD(Seggregation of Duties/Separation of Duties) SOD is a Matrix which is used to specify the position along with Roles and Responsibilities. 4. what tools are Used??????????? 1.VIRSA tool a third party tool owned by SAP 2.Approva tool From SAP SU01,Su10,Su20,Su21,Su22,Su23,Su24,Su25,Su53,Su56 SUIM,SU99,PFCG,PFUD,SU02,SU3,Sm30,Se38,SE54,SA38,sE12 St01 _____________________________________________________ SOX (Sarbanes Oxley Act-404). it specifies that a Single Business transaction Should not be assigned to a Single User to avoid the malpractices and misutilization if public Funds. Example: 1.Hire Requisition 2.Hiring(Recruiting) 3.Job Assignment 4.Time Recording 5.Pay Roll Processing 6.Salary Disbursement.
  • 2.
    1.Purchase Requisition 2.Purchase Approvaland Release 3.Invoice and Billing 4.Goods Delivery 5.Goods Receipt 6.Payment to the vendor 7.Reconciliation All the above activities should not be assigned to a single User. They need to spread across the users. Role Matrix/SOD It is a matrix which contains positions/jobs along with assigned transactions. The Roles are assigned to Users to get authorizations to transactions. Authentication: it is a process of Providing UserID and Password to Login. Authorization:it is the process of assigning roles to user to perform certain activity. There is no role to restrict authorizations.if a user is authorised means he is allowed to perform certain activities. Designing Security: it is also implemented in similar and parallel to SAP Implementation. i.e ASAP Methodology is used to design,develop,tranport,test and production use. 1.Analysis and Conception Phase: 2.Desiging Phase 3.Implementation 4.Testing 5.Cutover Phase 1.Analysis and Conception Phase: Understand the Security Requirements of the Customer. Assemble the Project Implementation Team and gather the Requirements related to security. Identify the Assests,Materials,Financial Structure(Account Receivables,Account Payables)
  • 3.
    Identify the Actions(activitiesthat needs to be protected) on a Specific Field,Area,Object Create,modify,display,reverse,approve,print,upload,download etc are the actions on an Object PO for Field(purchasing Area)(02) * means all the possible areas. Do not Specify Asterick(*) for any Open Field. Get the Requirements and Design a Role Matrix for Each Module. Identify the jobs/positions and Responsibilities and Define the matrix. ************************************************************* Desiging Phase: Define the Role Matrix/SOD Blue Print and refine till it gets approved/sign- of. ************************************************************* Development/Implementation/Realization Phase: Develop the Roles in the Cust Client and Transport them to TEST Client for Testing. Assign the roles to Business Process Owners and Test Them. ************************************************************* Testing/Quality Assurance/Final Prep release the roles in Developement for transportation.Import the Same in QTST Client in QAS System. After Sucessfull Testing Import them to TRNG Client(where END Users are trained on the system Roles ___________________________________________________________ Cutover Phase/Go-live Phase Transport them to Production System _____________________________________________________ Initializing Profile Generator: SU25: initially fill the customer tables This is the first step to be executed before starting to work on Security. USOBT and USOBX are the SAP Standard Tables
  • 4.
    USOBT--------Transaction vs AuthorizationObject USOBX--------Check Indicators Table when you execute above transaction(SU25 initial fill) it copies the entries from USOBT and USOBX to Customer Tables USOBT_C and USOBX_C.Then Customer can modify accordingly. if this is run after certain settings all the customer settings will be lost. How Security Works?????????????????????????????????????? 1.User ID and Password(authentication of User) To stop misusing system credentials or impersonation by others variuos security parameters for UID and password are set.(30 Days expiry,alpa numeric passwords,min length,disallow multiple logons) 2.when a user executes a Transaction it checks whether it is locked or not in SM01 3.it checks whether transaction is allowed to execute in Authorization Object S_TCODE 4.it checks the table TSTCA to check for minimum authorizations that are required to execute the transaction. 5.it checks all the Authorization objects assigned to transaction in Su24 are avaialble in the User Context. 6.it also checks for Authorization Objects which are included in the program using command AUTHORITY-CHECK Each Transaction is checked under Object S_TCODE field name is TCD SU24: it gets the values from tables USOBT and USOBX USOBT contains the List of Authorization Objects assigned to a Transaction which can be checked when a transaction is executed. USOBX Contains the list of Authorization Objects that needs to be (checked,not checked,check and Maintain,unmaintained4) There are certain Objects which needs security but may not require to be checked.So they can set to CHECK-NO in SU24. Each Change is Client Independent(Repository) and requires a Work bench Request.
  • 5.
    Programming Authorizations Each Programthat needs to be secured Uses Command AUTHORITY-CHECK followed by Authorization Object,Field,Value and Activity. The Authorization is controlled at field level and based on activity.These are used in the programs and checked by using Authority-check command. it is recommended to advice developers to use this command in their programs to secure programs. Authorizations: Authorization Field:The Lowest granular field that needs to protected is known as authorization field. These are defined in Transaction SU20.These are performed at repository level so,they are at cross-client level.each New field requires naming convention(Y,Z). These are also referred as database table Fields.(PO,SO,Salary) Authorization Activity:The Type of action that will be performed on the Field. Create,Modify/Update,Display,Delete,Approve etc These Activities are defined in table "TACT". it is editable in SM30. Activities are identified by using two alpa numeric letters. Authorization The Field with activity or value is referred as an Authorization. PO--Create(01),Display(03).Modify(03) PO--Purchasing org(0001),Area(002),Plant(SRN) The Group of not more then 150 Authorizations are called as an Authorization Profile. if the authorizations exceed ie. more then 150,then another prfoile is created with name_1 and grouped into a composite Profile. Authorization Object:
  • 6.
    The Group ofnot more then 10 Relative Authorization Fields is known as Authorization Object. These are defined in SU21 .Each Authorization Object is assigned with predefined Activities that are stored in the table "TACTZ" Authorization Classes: The Group of relative Authorization Objects are called as Authorization/object Class which are defined in Su22 This Authorization Object is assigned to Transaction in SU24 and marked to check/uncheck to maintain in PFCG. Authorization Role: These are referred as Activity Groups until version 46B. from 46C Activity Groups are named as Roles. Role is a synonym which contains Profile,Menus,URL,Reports etc.. Role is only a Name but Authorizations are available through Profiles only. Roles are created in Transaction PFCG(Profile Create and Generate) _____________________________________________________ 1.Su01 2.Sm01 3.S_TCODE 4.TSTCA 5.SU24 6.Authority-check _____________________________________________________ User Context: it is a part of roll area(roll file) where User Related information is stored.it is like a Cookie on the Browser. it is available till the user is logged-in.User Context is lost when the log-of SU56 is used to display the User Context Information. User Context Contains Authorizations,screens etc ----------------------------------------------------- Missing Authorizations: 1.user Executes a Transaction 2.it checks in the USer Context i.e Su56 for availability 3.if it is not available it records in SU53.
  • 7.
    IT CHECKS FORMISSING Authorization Object,Authorization Field,TCODE,Field Value,Activitity, and Oraganization Value and records then in SU53 SU53 records only the last missing Authorization. Su53 Could not log missing authorizations for the earlier sessions except the current Session. So ST01 is used to trace the authorizations. ---------------------------------------------------- Role:Roles are defined in PFCG and Roles Contains Authorization Fields,Values,activities,Authorization Objects,Profiles,Composite Profiles,Authorization Classes,Transactions,Menus,URLS,Reports etc. Execute PFCG and Create Role 1.Define the Roles as per naming conventions 2.Create Roles in one Client(Golden Client) and Transport them to other clients and Systems in the Landscape 3.Role can be uploaded and Downloaded into the System 4.Roles can be transported using transports massively 5.Ensure that roles does not contain Duplicate Authorizations. 6.ASSIGN ONLY THE ROLES THAT ARE APPROVED/REQUIRED as per SOD **************************************************************** PFCG is used for the following: 1.Create/Modify/Display/Delete a role. 2.Role can be download to File System.(Download) 3.Role can be Uploaded into SAP System(Upload) Specify the Role Name and Click on Create:(you can also copy a Role from the existing Role) Describe the Role with short Description Describe the Role with Description Tab(This Role is Created for Plant Maintenance(Planning Division) this Role contains the Following Transactions (specify the list of Transactions along with Role Owner) DEscirption is used to identify the role Creater/Modifier/Owner of the Role Further chnages to the role should be performed by obtaining approval from role owner Click on menu Tab it is used to include Transactions,Reports,Menus,URL and Other Applications
  • 8.
    Menu: Menus are usedto provide user freindly navigational Elements.These are defined in SE43. SAP provides SAP Easy Access Menu which can be overwritten by User Menu. we can create our own menus in Se43. we can include authorizations based on Menus. we can copy transactions from SAPmenu/UserMenu/Area Menus(SE43) Note:when custom Programs/Reports are included they are automatically created/assigned with a Transaction Code that starts with "Y" menus are only used to include a Transaction but The authorizations are required to be maintained as per SU24 Check and Maintain Options (Yes/NO) Click on Authorizations TAB Click on Change Authorization Data to maintain the Open Fields and Activities. Example Su01 is assigned to the role.The User Who is assigned with the role can create USer but with certain Restrictions(Only to a client,group,role,profile etc) Change authorization Data provides the List of Open Fileds(for Authorization Objects that are checked in Su24) The Auth Classes,objects,profiles,Fileds are displayed in Traffic Light Colours YELLOW---------Activity or Field Value is Missing RED------------Organizational Value is Missing(SALES Organisation,sales Area,Distribution Channel,Plant,storage location etc) Green---------all the values are maintained. Click on Organizational values and Provide the details as per SOD to ensure that all the red lights are turned off.
  • 9.
    For Yellow Lightswe need to open manually and Mainain the fields and Activities. we can also include objects manually(it is not recommended,inturn assign them to Transaction in Su24 for automatic availability in PFCG) save the Role,Generate Profile(Profile contains Authorizations). The Role is effective only after generation of Profiles for each change in a role profile generation is Required. Assign the Role to the User and perform USER COMPARISON so,that role is effective immediatly. miniAPps are no more Use which are used upto 46C Personalization: it is used to restrict the out put of a report/program during time recording-it should display last one week and future one week salary last month These Personalization objects are recorded using transaction "PERSREG" Profiles are widely used upto 46B with the combination of Activity Groups. Activity Groups are renamed as Roles in 46C. So while working with system versions less then 46C AG,CAG(composite),DAG(derived) are widely discussed Earlier Profiles are created in Su02 like SAP_ALL and SAP_new. SAP Discontinued the Usage of Profiles and Introduced the Roles since 46C. but the Profile tab is till available in Su01 Transaction. SAp_ALL and SAP_new are only the Composite profiles that are still available in the systems(Current Versions) Profiles are no more Created only Generated while creating a Role. Profiles can be massivley generated(after a Role Upload,Role Tranport)using SUPC. During the Transport only Roles are transported(i.e no profiles are transported along with Roles) So it is required to generate the Profiles using SUPC Depending up on the Number of Authorizations in the role Composite Profiles are created automatically.
  • 10.
    it is notrecommended to assign profiles in the current systems based on Netweaver,instead assign Roles which contains Profiles. SAP_ALL and SAP_NEW are only assigned in TEST/SAND/QTST/TRNG systems,but not on CUST/PROD Systems. Single Role: The Role That is created in PFCG in the Customer naming Convention. it provides certain authorizations when assigned to a user. Single Role can be Referencing Role which will be a base to create other Roles(Copy Role).Single Role Can be a Parent Role to create child Roles.Single Roles can be grouped to create Composite Roles. These Roles cannot be differentiated physically but only identified by using naming Conventions. WILL_COMP_MM_DIV_10 WILL_DER_SD_SAREA_345 WILL_PARENT_SD_SAREA _______________________________________________________ cOMPOSITE rOLES: The Group of Roles for Administrative Convenience or for easy maintenance. Example; A Zonal Manager Belongs to a Distribution Channel like Vishakapatnam(Srikakulam,VZNAGRAM,EG,WG) Each District has a District Manager where he can work only on his allocated district. The Four Distrcit Manager Roles are grouped and assigned to Zonal Manager. The Role Enhancement(assign,reassign,delete)for all the roles automatically Result in Zonal Manager Role. go to pfcg specify a role name Company Code,Contr Area,DIV,Sales org,DC 1.00101 0001 01,02,0001,01,12,14,10 ----------------------------- Creeate a Composite Role Authorization TAB is missing because we cannot assign any additional Authorizations only we can include Roles. No Profiles are generated(only the profiles in the included Roles are used).
  • 11.
    Menus can beCompressed by avoiding duplicates what ever the Changes in the Roles will be effected in the Composite Role. we can only Composite compress menus in Composite Roles and Include Roles. Profiles are transported along with Composite Roles. ---------------------------------------------------- Parent Role: it is a Single Role which will be referenced to create child roles. in most of the scenarios the parent role is not assigned to any user. it is considered as a Template to create other roles. The major advantage is the changes in Parent roles are automatically adjusted to child/derived roles. but it is not possible while copying roles.copying is only one time activity.where as parent-child reationship is life long until relation is broken/deleted. Creating a Child Role/Derived Role: 1.go to pfcg 2.specify Role name that should identify the Derived Role. 3.Click on Create 4.go to description TAB Specify the Parent Role Name in derived from Role and save.... 5.menu TAB is missing i.e you cannot add any object through Menu TAB and we can say MENUS are FIXED 6. while modifying parent role derived roles cannot be modified. 7.Maintain the Open Fields(Org levels,field values,actvts) 8.save and generate the profile Updating or Enhancing a Parent Role: go to PFCg Select the parent Role Include or exclude in the menus click on change authorization data maintain the open Fileds. save and generate the Profile for parent Role
  • 12.
    Click on AdjustDerived Roles. It automatically adjust all the derived Roles except the org values. parent Role Impart all the authorizations to Child/derived roles but not the ORG VALUES. Parent Role and Child Roles are differed by Organization values These are used to create a PLANT Manager,warehouse Incharge,Division Manager,DEpot manager etc roles which are similar in all the activities but only differed by ORG Values. The parent role impart all the properties to the child roles. the child inherits all the roles except organizational values which needs to be maintained in the child Roles. Delete Inheritance The Child Role can break the relationship with parent,since then no updates/inheritance/imparting applies. go to pfcg select the role go to description tab click on delete inheritance *************************************************************** Profile Update/User Comparison when ever there is a change in role assignment in the User Master Records it may not effective immediatly. 1.Transaction PFUD should be executed to to update the profiles in User Master Records. 2.Use Option User Comaparison in PFCG(User TAB) to update UMR. 3.Run a Report PFCG_TIME_DEPENDENCY in SA38 or schedule periodically in SM36. it is also referred as User Master Reconciliation. it is recommended to use the 3 option because it is scheduled in the background mode during off peak hours. remaining two options may consume more time in the dialog mode and hence may congest the system as well. *************************************************************** User Administration The User Administration can be controlled in the Following ways
  • 13.
    1.Single Control----small oraganizations,partnershipfirms,individual companies 2. Principle of Dual Control----The User administration is performed by an administrator and role assignment,authorization changes are performed by another administrator 3.Principle of TRIPLET Control: a.User Administrator can be scattered based on Groups b.Role Assigner c.Authorization Administrator 1.User Administrator: who works with SU01,Su10 but only based on his User Group.He may/may not be be allowed to assign roles and profiles. 2.Role Assigner: User ADMinistrator or Business Process Owner is authorized to assign Roles/profiles to the users. 3.Authorization Administrartor; Creation/Modification/Deletion of Roles are Performed by an Authorization Administrator who can generate Profiles.(also called as Profile Administrator). The User administration is restricted by Using User Groups,Roles,Clients,Authorizations and Profiles. ----------------------------------------------------------------User Groups: User Groups are created in SUGR These are used to maintain the users massively in SU10 while assigning Roles to the users. User Group for Authorization Check: This is used to facilitate the Usermanagement to manage the users those who are assigned with the user group in their Role(S_USER_GRP) Similarly the Roles also can be controlled by using S_USER_AGR,S_USER_AUT (ZMM*-------ZMZ*)(ZSD*------ZSZ*) ________________________________________________________________ User Management Users are created in Su01 and or maintained massively in Su10. Some companies opt to use third party tools like LDAP,Custom Programs,IDM Tools to poulate users into SAP Systems. 1.Su01 2.Su10 3.LDAP
  • 14.
    4.Z Programs tocreate Users based on HR Excel Sheet with different roles,profiles and parameters. 5.SECATT 6.SCUA _____________---------------___________________________ Su01 is used to create,modify,delete,display,lock,unlock,change password,copy user etc but only a single user. Su10 is used to create users massivley but with same details. SU01/Su10 Address TAB it is used to maintain the details of the users like first name,lastname,title,language,department and location. Logon Data: Alias it is used for internet Users for additional Authorization it is mostly used in CRM User type: There are 5 types of Users 1.Dialog ;is the only user who can communicate with the system interactively .Each of the session can be logged/traced and responsible for the actions during audit. Multiple logons are allowed.but we can restrcit them.SAP recommends not to allow multiple logons for Sensitive areas like P&L,Finance and HR divisions. 2.Service User is also similar to Dialog but not eligible for tracing,logging.it is an anonymous user used for reporting and other general activities. Multiple logons are allowed 3.System User: no Dialog is allowed.only to login in the background mode.This user is used to communicate with in the System(example: CUA,ALE,IDOC,standard background jobs etc) 4.Communication: no Dialog is allowed.only to login in the background mode.This user is used to communicate between the Systems(example: SCC9(remote Client Copy),CUA,ALE IDOC) 5.Reference user: this is used to provide additional authorizations to the exisiting users.it is used only when a user goes on leave/vacation etc. The Exisiting User is marked as Reference user so that logon is disabled. The USer id is specified in the delegated User Role(Reference user for additional Rights). The User is responsible for complete activities and may be logged and traced..
  • 15.
    Note: tracing shouldonly be allowed under exceptional circumstances.Tracing writes enormous log files on the system. Default: Specify Printer ,Decimal Notation,Date Format,time zone etc These are used by default when not specified.They are overridden by program values. Parameters: These are used to provide default values to the input fileds. The Frequently keyed inputs can be configured as parameters. example(companycode,sales organization,sales areas,sales divisions etc ).it is used to reduce the dialog steps. Process: 1.go to the input field 2.press F1 3.go to technical properties 4.select parameter id 5.specify paramter id and value in su01 Roles: These are defined in PFCg Profiles: These are generated in PFCG.Do not assign any profiles, They are automatically assigned based on the role, Groups; These are used for mass maintenance for a group of users Personalization: it is used to restrict the user selection criteria and out put mostly the output is restricted in terms of 20 lines per page.current month,last week(today-7) License data: Need to Specify the USer type to calculate the Licenses used. however this is maintained in USMM during year end SAP Auditing. SAP Calculates Users based on this information. ______________________________________
  • 16.
    Calling Transactions: when onetransaction is assigned the user may be able to call one more transactions example SM51.Sm50 etc Table TCDCOUPLES stores the details of calling and called transactions. Use Transaction Se97 to check the Indicator to Yes if they need to be checked _____________________________________________________________ List of Critical Transactions that should not be assigned together ::::::: SU99 transaction is used to provide the list of transactions that are critical for security.. Customer can maintain their exception list These details are stored in Table SUKRI. ************************************************************** Restricting Access to tables and Programs: if SA38 is assigned to a user he can execute all the programs. if SM30 is assigned to a user he can maintain all the tables. Restricting Programs: SAP Recommends to use AUTHORITY-CHECK to program internally to secure the programs. but due to lack of programming skills most of the programmers does not use above commands. So, SAP Recommends to use Authorization Groups to bind the programs externally. go to SE54 to define Authorization Groups *************************************************************Handling Missing Authorizations CUA LDAP GRC SAP Security parameters ****************************************** Handling Missing Authorizations: 1.user creates a ticket that while accessing certain transactions it is displayed with a pop message that "you are not authorized".example Va01 transaction. it can be due to following reasons:
  • 17.
    a.)transaction is notassigned to the user resol: Assign the transaction to the user based on approval b.)Transaction is assigned in UMR but user could not access. resol: User Master reconciliation-----PFCG User Comparison,PFUD or schedule PFCG_TIME_DEPENDENCY in BTC c.)user can access the transaction but could not create sales document,PO for specific Field(Company,sales Organization,Division,plant,etc) Identify the Missing Field through SU53 and assign them D.)User is able to access the role until yesterday.today morning he could not access....... Role Expired or Role is Updated,or the user is assigned roles temporarliy for 30days or role is assigned through a reference user. e.)User is an RFC User and could not communicate using RFC. resol:The User is Locked in the Source/Target System. The details are buffered in the system and could not take new values(/$sync,/$tab-------- refresh the buffer).it is not recommended in PRD Systems which dramatically shoots up reponse time.User Encounters high response times. Clear hostname buffer in SM51) Note: it is not recommended to assign the roles/modify/create the roles without any B&W document(email,Fax,Print Form) along with Necessary Approvals. f.)BTC jobs failed to due to logon failure/logon denied.This is displayed in SM37 logs. when a user leaves the company his user account is locked for 3 months- 6months and later scheduled for deletion.Mean while all the jobs scheduled by him are cancelled.So,delete all the jobs(if permitted) and reschedule the jobs with a BTC User. Note: Do not activate the Users who are scheduled for deletion. g.)Transports stopped due to the user TMSADM(Reset the password in STMS) Process: 1.User Complained of Missing Authorizations through a ticket. 2.Communicate via email or call the user to send an immediate SU53 screen after transaction failure.
  • 18.
    (Some times wemay not get authorization failure for runtime objecs).Then Trace the user using ST01 3.The User is not assigned with a Transaction,Authorization Field,Value or organizational Field. 4.Execute SUIM and Identify the Role With the Above missing Authorizations. Ensure that role does not have more authorization then required. Run a Mitigation Control and identify the risks involved and send all the details to the Approver/Business Process Owner/Role Owner Based on Mitigation/Risks the Approver May allow to assign or reject. Approver may suggest to modify the Role,but after running mitigation if role is modified it will effect "XY" USers who are assigned with that role. (which is not allowed as per SOX) Note: Do not Provide any excessive authorizations to users Identify the Least effected Role,or define a Temp Roleand assign the authorizations to the Users(based on approval from Role Owner--- mail,ticket,case,Request,fax,print). ST01 Authorization Trace: When missing authorization could not be traced in Su53 then run ST01 . specify the Username and switch on the trace and ask the user to run the transaction. Switch of the trace. ************************************************************* SAP Security Parameters: Login/System_client=<Client-Number> to set the default client for login. login/accept_sso2_ticket login/create_sso2_ticket login/disable_multi_gui_login--to disable multiple logins with same user. login/disable_password_logon --deactivate password logon login/failed_user_auto_unlock--Enable automatic unlock off locked user at midnight
  • 19.
    login/fails_to_session_end---- login/fails_to_user_lock login/min_password_diff login/min_password_digits login/min_password_letters login/min_password_lng login/min_password_lowercase login/min_password_specials login/min_password_uppercase login/multi_login_users--- login/password_change_for_SSO login/password_change_waittime login/password_charset login/password_expiration_time login/password_history_size login/password_logon_usergroup login/system_client login/ticketcache_entries_max login/ticketcache_off login/ticket_expiration_time login/ticket_only_by_https login/ticket_only_to_host login/update_logon_timestamp login/password_max_idle_productive login/no_automatic_user_sapstar=0 login/password_max_idle_initial login/password_downwards_compatibility Documentation is availablein Rz11. Restart is required when the parameters are chnaged Most of the parameters are set by default when SAP is installed.you can customise them as per security policy.` set them in default profile so that they are effective in all the application servers. *********************************************** LDAP Lightweight Directory Access Protocol it is a protocol which is used to transfer the users or access the users from Directory Server. Directory Server(Lotus from IBM,Microsoft Active Directory Server,Sun IPlanet ) are some of the servers which are used to maintain the Users in the Company.
  • 20.
    The Users arerequired in the Following scenario. 1.Login to Domain Server 2.Login to Mail Server 3.Login to Web Server 4.Login to Print and File Servers. 5.Login to SAP Systems.(ERP,SCM,SRM,BI and XI) Too Many Systems,too many users,too many passwords, SAP Recommends to configure CUA between the clients and systems. SAP also Supports LDAP,so that Users are created in Directory Server and populated to other Systems Using LDAP Protocol. i,e Users are created in DirectoryServer and pouplated to other systems.(1- 5) Configuring DS in SAP. 1.Use Transaction LDAP to define connection to Directory Server. 2.Define RFC Connection of type 'T' in SM59 pointing to Directory Server i.e using Program ID 3.Create a System User(not in Su01).Create User in LDAP Transaction. 4.Distinguished Name: it is specifies the User Attributes c= company cn=common name sn=suername o= organization These details are provided by System Admin. 5.Server--Name of the LDAP Server Connector-----RFC Connection Defined in SM59 6.USer---User Defined in LDAPUSER Table 7.DEfine the Mapping between Fields in LDAPMAP 8.schedule a Report RSLDAPSYNC_User to synchronise between Directory Server and SAP System. 9.Use report RSLDAPTEST to check LDAP Defining LDAP Server
  • 21.
    Click on LDAPServer Provide Server name Hostname-----name of the DS Pornumber----389 Product-----MS ADS Protocol---LDAP Version3 System Logon -Specify User ***********************************************SOX(sarbanes Oxley Act 404) After Enron Scandal US govt passed an ACT(SOX 404 to protect the interest of all the stake holder/share holders of the company. Each public limited Company has to ensure that their share holders interests are protected by using Internal Controls. SAP provided PFCG to create Roles and assign them to the Users. it is not intelligent in the following areas. 1.why,when and how a role is created and assigned. 2.what is the change history of the role(modification History) 3.What are risks involved in modifying the role and assiging the role. 4.How to identify the Risks in the system 5.How to ensure that all the security compliances are met. SAP Could not address all the above using SAP Security. SAP certified third party tools like VIRSA,APPROVA,security weaver perform most of the above tasks These Tools has their own programs ,Tables,Reports. SAP Procured VIRSA and released a Product SAP GRC Governance,risks and Compliance with the Following Tools 1.Virsa Role Expert 2.Virsa Compliance Calibrator 3.Virsa Access Enforcer 4.Virsa Fire Fighter