8/8/2019 Introduction to Security Sap
1/61
Introduction to SAP Security
Kyle Balcerzak, SAP Security Consultant
Wednesday March 31, 2010
Download the presentation recording with audio from the
Symmetry Knowledge Center
www.sym-corp.com/knowledge-center
Symmetry Corporation
Upgrade & Project Support
Security Design & Administration
SAP NetWeaver / Basis administration
SAP Certified Hosting
Implementation Support
Lifecycle Support for any SAP application on any platform combination
Symmetry's 21st Century Approach to Managed Services
Quality: Proactive support delivered by US-based experts
Accessibility: 24x7 direct access to your support team
Affordability: Highly competitive fixed-price contracts
Introducing
Kyle Balcerzak
SAP Security Consultant
What We'll Cover
Introduction: Why is Security Important?
Legal Requirements: SOX, HIPAA, ITAR; Risks & Controls; Why Unregulated Companies Should Care
Security Architecture: User Master Record, Roles, Profiles, Authorization Objects, User Buffer, 4 Doors to SAP Security
Managing Security: Security Team, Role owners and the approval process, Periodic Access Validation, Troubleshooting and information, Security Tools
Why is Security Important?
Security is the doorway to the SAP system.
Security is a way of protecting information from unauthorized use. Security can unlock the flexibility of the system and customize it for each user.
Information stored in SAP is one of your company's most valuable business assets.
What is SAP Security?
SAP application security controls who can do what in SAP.
Examples:
Who can approve purchase requisitions over $10,000 (ME54N)?
Who can view other employees' social security numbers in the system (PA20)?
Who can update vendor bank information (XK02)?
Who can create or modify users (SU01)?
Security Objectives
Confidentiality - prevent users from viewing and disclosing confidential information.
Integrity - ensure the accuracy of the information in your company's system.
Availability - prevent the accidental or deliberate loss or damage of your company's information resources.
Security Against Whom?
When people think about system security, they usually think about people outside the company:
Business espionage
Political rivals
In reality, you need to protect against your own people:
Curiosity
Accidental access
Intentional access
Factors to Consider
How important is your SAP system and the data stored in it to your business?
Do you have a policy requiring certain levels of security?
Do your internal or external auditors require a certain level of security for the information stored in your system?
Will you need some degree of security in the foreseeable future?
Legal Requirements
SOX, HIPAA, ITAR
Segregation of Duties vs. Excessive Access; Controls: Preventive vs. Detective
Why Smaller Companies Should Care
Sarbanes-Oxley (SOX) Act
Executives are ultimately responsible for confirming the design and effectiveness of internal controls
Excessive access and Segregation of Duties issues are key points
Ultimately data integrity is key
SOX Continued
Segregation of Duties: one user can perform two or more conflicting actions, which creates a risk.
Example:
Activities: Someone can create vendor master records and then process accounts payable payments
Risk: Gives someone the access to create a fictitious vendor and generate fraudulent payments to that vendor
Excessive Access: one action that a user can perform that is outside their area of expertise or jurisdiction, or that allows critical access
Example:
Activity: End user can use SP01 to see the spool requests for all users
Risk: Users may view sensitive financial documents or payroll information, for example.
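The two issue types above, an SoD conflict and a single critical transaction, are what a detective control looks for when it reviews who holds which Roles. The Python below is an added example, not from the presentation: it applies a small constructed rule set to constructed users and Roles at both Role level and User level (the GRC tools later in the deck check both), so a conflict built into one Role is caught as well as one assembled from two Roles. Role names, user IDs and the rule set are assumptions; the transaction codes are the standard ones for the functions named here (XK01 vendor create, F110 payment run, SP01 spool display).

```python
from typing import Dict, List, Set, Tuple

# Constructed SoD rule set: a user (or role) that can run at least one
# transaction from each side of a rule violates it.
SOD_RULES: List[Tuple[str, str, Set[str], Set[str]]] = [
    ("SOD01", "Maintain vendor master AND run AP payments",
     {"XK01", "XK02"}, {"F110"}),
]
# Excessive access: a single critical transaction is a finding on its own.
CRITICAL_TCODES: Dict[str, str] = {
    "SP01": "Can view spool requests of all users",
    "SU01": "Can create or modify users",
}
# Constructed role-to-transaction and user-to-role assignments.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_PAYMENTS":   {"F110"},
    "Z_VENDOR_MAINT":  {"XK01", "XK02"},
    "Z_SPOOL_ALL":     {"SP01"},
    "Z_BUYER":         {"ME21N", "ME22N"},
    "Z_FINANCE_SUPER": {"XK01", "F110"},   # conflict built into one role
}
USER_ROLES: Dict[str, List[str]] = {
    "JSMITH": ["Z_AP_PAYMENTS", "Z_VENDOR_MAINT"],  # conflict across two roles
    "ADOE":   ["Z_BUYER"],
    "BLEE":   ["Z_BUYER", "Z_SPOOL_ALL"],           # excessive access
}

def effective_tcodes(user: str, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES) -> Set[str]:
    """Union of every transaction the user's roles grant, i.e. what the user
    could start once all assigned roles are loaded into the User Buffer."""
    return set().union(*(role_tcodes.get(r, set()) for r in user_roles.get(user, [])))

def sod_findings(tcodes: Set[str]) -> List[Tuple[str, str, Set[str], Set[str]]]:
    """Rules where both conflicting sides are reachable from `tcodes`; works on
    one role's transactions or on a user's effective set."""
    hits = []
    for rule_id, desc, side_a, side_b in SOD_RULES:
        a, b = tcodes & side_a, tcodes & side_b
        if a and b:
            hits.append((rule_id, desc, a, b))
    return hits

def excessive_findings(tcodes: Set[str]) -> List[Tuple[str, str]]:
    return [(t, CRITICAL_TCODES[t]) for t in sorted(tcodes) if t in CRITICAL_TCODES]

def analyze_users(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES) -> Dict[str, List[str]]:
    """Detective control: a list of readable findings per user. It flags issues
    for review by role owners; it does not block anything by itself."""
    report: Dict[str, List[str]] = {}
    for user in sorted(user_roles):
        tc = effective_tcodes(user, user_roles, role_tcodes)
        lines = [f"{rid} {desc}: {sorted(a)} vs {sorted(b)}"
                 for rid, desc, a, b in sod_findings(tc)]
        lines += [f"CRITICAL {t}: {why}" for t, why in excessive_findings(tc)]
        report[user] = lines
    return report

def analyze_roles(role_tcodes=ROLE_TCODES) -> Dict[str, List[str]]:
    """Same rules applied to each role alone: a conflict built into a single
    role reaches every user who is assigned that role."""
    return {r: [rid for rid, _, _, _ in sod_findings(tc)]
            for r, tc in sorted(role_tcodes.items())}

if __name__ == "__main__":
    for user, findings in analyze_users().items():
        print(user, findings or "clean")
    print({r: f for r, f in analyze_roles().items() if f})
```

Real rule sets are far larger and work at authorization-object level rather than transaction level, but the two-sided rule structure is the same.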
HIPAA and ITAR
Health Insurance Portability and Accountability Act
Personal health information can be shared with appropriate people for patient care.
Typically comes into play in SAP HR systems.
Data privacy concerns: If an employee has a potentially embarrassing injury at work, these details are stored in the system and should only be viewed by authorized personnel.
International Traffic in Arms Regulations: Controls the import/export of defense related articles and information.
Data privacy concerns: Information and material specifically about defense and military technologies must only be shared with US Persons or those who are approved.
Shipping concerns: Unauthorized users should not have access to change a customer's shipping information.
Controls: Preventive vs. Detective
In order to prevent fraud and accidental errors, and to protect sensitive information, we must have controls.
There are two main categories of controls:
Preventive controls: prohibit inappropriate access
Authorizations, configuration, User-Exits, and so on
Detective controls: rely on other processes to identify inconsistencies
Alerts, periodic reporting, system monitoring
Why Unregulated Companies Should Care
Why should we care about segregating duties, excessive access or documenting our business processes if we are not publicly traded or subject to legal requirements?
Documentation
Reduction in errors
Cost of errors
Loss of customers
Fraud happens
Protection of trade secrets
Preserve confidential information
Security Architecture
Authorization Objects Intro
User Master Record
Roles: Single, Derived, Composite
Task-based vs. Job-based Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security
Authorization Concept
Diagram: User → User Master Record → Roles → Profiles → Authorization Objects → SAP Functionality
Authorization Objects
Authorization Objects are the keys to SAP security
When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations
The same Authorization Objects can be used by different Transactions
Example: in order to display a table, a user must have the Authorization Object S_TABU_DIS with the appropriate values
User Master Records
Required to establish access for Users.
Created when a User is created.
User Master Records are client-dependent!
User Master Records
User Master Record information includes:
Name, Password, Address, Company information
User Group (used for security administration or searching capabilities)
Reference to Roles and Profiles (access capabilities are not stored directly in user master records)
User type:
Dialog: typical for most users
System: cannot be used for dialog login, can communicate between systems and start background jobs
Communications Data: cannot be used for dialog login, can communicate between systems but cannot start background jobs
Reference: cannot log in, used to assign additional Authorizations to Users
Service: can log in but is excluded from password rules, etc. Used for Support users and Internet services
Validity dates (from/to)
User defaults (logon language, default printer, date/decimal formats)
User Master Record
Roles and Profiles
Profiles contain Authorization Objects
Roles contain Profiles
Profiles that come delivered with the system or were created from scratch can be assigned directly to users
Profiles that were created for a Role are attached to that Role and cannot be assigned directly. You must assign the Role and the system will then assign the user the correct Profile
Diagram: User → User Master Record → Roles → Profiles → Authorization Objects → SAP Functionality
Users are assigned Roles and Profiles which contain Authorization Objects
Roles
Roles are built on top of Profiles and include additional components
such as: User menus
Personalization
Workflow
In modern SAP systems, users are typically assigned the appropriate Roles by the security team
The system will automatically add the appropriate Profile(s) for each Role assigned
Note: Authorization Objects only exist in Profiles (either on their own or when nested in Roles)
A Role has several parts, including: Description, Documentation, Menu, Profile
Tips for Managing Roles
Roles typically do not change often
It is strongly recommended that they be created in a Development client, then transported to Quality (tested, hopefully) and finally promoted to Production.
Roles should originate from the same client (pick one to be your security development client).
It is much easier to assign an existing Role to a User than to create or modify a Role.
SAP's template Roles are intended only for example.
Best practice is to have Users tell you the exact Transactions they require and build Roles from scratch.
At the very least, copy them into your own namespace. Be aware that many of them contain too much access, so be careful!
Roles
Roles
Profile for a Role:
Role Types
There are 3 types of Roles:
Single: an independent Role
Derived: has a parent and differs only in Organization Levels. Maintain Transactions, Menu, Authorizations only at the parent level
Composite: container that contains one or more Single or Derived Roles
Derived Role example:
Purchaser Parent: ME21N, ME22N for all or no Purchasing Organizations
Purchaser Child 1: ME21N, ME22N for Purchasing Organization 0001
Purchaser Child 2: ME21N, ME22N for Purchasing Organization 0002
Role Types
Composite Role example:
Task-based vs. Job-based Roles
Task-based
Each Role performs one function (usually one or only a few Transactions)
Vendor master creation
Create sales order
Job-based
Each Role contains most functions that a user will need for their job in the organization
A/P Clerk
Buyer
Warehouse Manager
Hybrid approach
Profiles
Authorization Objects are stored in Profiles
Profiles are the original SAP Authorization infrastructure
Ultimately a user's Authorization comes from the Profile(s) that they have assigned
Profiles are different from Roles.
Diagram: User → User Master Record → Roles → Profiles → Authorization Objects → SAP Functionality
Examples of Delivered Profiles
SAP_ALL
Delivered with the system
Contains almost all Authorization Objects
SAP_NEW
Contains the new objects in the current release that are required to keep old transactions functioning.
It does NOT contain all new Authorization Objects for that release
S_A.xxxxxxx
Standard BASIS Profiles for various job functions (e.g. customizing, development, administration, etc.)
Authorization Objects
Authorization Objects are the keys to SAP Security
When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations
The same Authorization Objects can be used by different Transactions
Example: in order to display a table, a user must have the Authorization Object S_TABU_DIS with the appropriate values
User Buffer
When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer
As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer.
You can see the buffer in Transaction SU56
Example of Authorization Check
When attempting to execute a Transaction, each instance of a required Authorization Object that a user has is checked by the system until the system finds a match.
Example: User would like to create a Sales Order of the Document Type Standard Order (OR).
One of the Authorization Objects that the system looks for is: V_VBAK_AAT
There are two fields: Activity and Order Type
To create a sales order for this type, the user will need:
V_VBAK_AAT with:
Activity 01 (Create)
Order Type OR (Standard Order)
Example of Authorization Check
To create a sales order for the Standard Order type, the user will need:
V_VBAK_AAT with:
Activity 01 (Create)
Order Type OR (Standard Order)
The user might have this Object several times from several Roles. The system keeps checking until it finds a match:
Role 1
V_VBAK_AAT: Activity 03 (Display), Order Type * (All Order Types)
V_VBAK_AAT: Activity 01 (Create), Order Type B1, B2, CS
Role 2
V_VBAK_AAT: Activity 01 (Create), Order Type OR, RE
Authorization Checks
How does SAP test whether the user has Authorization to execute functions? What happens when I try to start and run a Transaction?
Authorization Checks: Executing a Transaction
1) Does the Transaction exist?
All Transactions have an entry in table TSTC
2) Is the Transaction locked?
Transactions are locked using Transaction SM01
Once locked, they cannot be used in any client
3) Can the User start the Transaction?
Every Transaction requires that the user have the Object S_TCODE with a value equal to the Transaction name
Some Transactions also require another Authorization Object to start (varies depending on the Transaction)
4) What can the User do in the Transaction?
The system will check to see if the user has additional Authorization Objects as necessary
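To make the four start checks above and the buffer walk from the V_VBAK_AAT example concrete, here is an added Python model that is not code from the presentation. The TSTC catalogue, the SM01 lock list, the custom ZCUST transaction with its start object, and the sample buffer are all constructed; the field names TCD, ACTVT and AUART are the technical names behind the slides' Transaction, Activity and Order Type. The real checks run inside the SAP kernel (ABAP AUTHORITY-CHECK), which this only imitates.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Authorization:
    obj: str                     # authorization object, e.g. V_VBAK_AAT
    fields: Dict[str, Set[str]]  # field name -> allowed values ('*' = any)
    source: str                  # role the instance came from (for tracing)

def value_allowed(allowed: Set[str], wanted: str) -> bool:
    """A '*' entry matches any value; otherwise the value must be listed."""
    return "*" in allowed or wanted in allowed

def has_authorization(buffer: List[Authorization], obj: str, **wanted: str) -> Optional[str]:
    """Walk every instance of `obj` in the User Buffer until one instance
    satisfies all requested fields (the slides' 'keeps checking until it finds
    a match'). Returns the source role of that instance, or None."""
    for auth in buffer:
        if auth.obj == obj and all(
                value_allowed(auth.fields.get(f, set()), v) for f, v in wanted.items()):
            return auth.source
    return None

# Constructed stand-ins for the TSTC table, the SM01 lock list, and the extra
# object some transactions need at start (shown here for a custom Z transaction).
TSTC: Set[str] = {"VA01", "VA02", "SU01", "ZCUST"}
LOCKED: Set[str] = {"VA02"}
START_OBJECTS: Dict[str, Tuple[str, Dict[str, str]]] = {
    "ZCUST": ("Z_CUST_OBJ", {"ACTVT": "02"}),
}

def can_start_transaction(buffer: List[Authorization], tcode: str) -> Tuple[bool, str]:
    """Steps 1-3 from the slides, in the order the system applies them."""
    if tcode not in TSTC:
        return False, "transaction does not exist (no TSTC entry)"
    if tcode in LOCKED:
        return False, "transaction locked via SM01"
    if has_authorization(buffer, "S_TCODE", TCD=tcode) is None:
        return False, "missing S_TCODE for " + tcode
    if tcode in START_OBJECTS:
        obj, need = START_OBJECTS[tcode]
        if has_authorization(buffer, obj, **need) is None:
            return False, "missing start object " + obj
    return True, "ok"

def can_create_sales_order(buffer: List[Authorization], order_type: str) -> Optional[str]:
    """Step 4 for the slides' example: creating an order of a given type in VA01
    needs V_VBAK_AAT with ACTVT 01 (create) and AUART equal to the order type."""
    return has_authorization(buffer, "V_VBAK_AAT", ACTVT="01", AUART=order_type)

# The slides' buffer: Role 1 and Role 2, plus an S_TCODE instance for VA01.
SAMPLE_BUFFER: List[Authorization] = [
    Authorization("S_TCODE", {"TCD": {"VA01", "VA02"}}, "Role 1"),
    Authorization("V_VBAK_AAT", {"ACTVT": {"03"}, "AUART": {"*"}}, "Role 1"),
    Authorization("V_VBAK_AAT", {"ACTVT": {"01"}, "AUART": {"B1", "B2", "CS"}}, "Role 1"),
    Authorization("V_VBAK_AAT", {"ACTVT": {"01"}, "AUART": {"OR", "RE"}}, "Role 2"),
]

if __name__ == "__main__":
    print(can_start_transaction(SAMPLE_BUFFER, "VA01"))  # (True, 'ok')
    print(can_create_sales_order(SAMPLE_BUFFER, "OR"))   # Role 2: third instance matches
    print(can_create_sales_order(SAMPLE_BUFFER, "TA"))   # None: no instance covers TA
```

The returned source role is what an SU53 or ST01 trace would let you work back to when a check fails; the wildcard handling shows why the Display instance from Role 1 never satisfies a Create request.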
Managing Security
Security Team
Role Owners and the Approval Process
Periodic Access Validation
Troubleshooting and Information
User Information System (SUIM)
SU53
Authorization Trace (ST01)
Security Audit log (SM19/SM20)
Security Tools
Central User Administration
SAP NetWeaver Identity Management
SAP GRC Access Control Suite
Symsoft ControlPanelGRC
SAP is a Complex Ecosystem
There are many different SAP applications with different areas of expertise required
Some of these require specialized security knowledge, e.g. HCM and BI/BW
Examples:
ECC (Sales and Distribution (SD), Materials Management (MM), Financial and Cost Accounting (FICO), Warehouse Management (WM), Quality Management (QM), Plant Maintenance (PM), Human Capital Management (HCM))
Business Information Warehouse (BI/BW)
Customer Relationship Management (CRM)
Supplier Relationship Management (SRM)
Advanced Planner and Optimizer/Supply Chain Management (SCM/APO)
Portal
And whatever else SAP dreams up!
Security Team
Important to select an appropriate security team.
Size consideration based on your organization:
Auditing requirements
Amount of changes
Security staff knowledge
Role changes should be done by the security team
User assignments can be processed by the security team or the basis team
Unlocking Users/resetting passwords of Users can be done by the helpdesk
Security Team
Outsourcing is a good option for many companies.
Key reasons to outsource
Expert help available: it's hard for part-time security staff to understand all of the complexities of SAP Security
Internal staff may get overloaded and need extra help.
Project work
Provide coverage during vacations/sick days
Key considerations in choosing an outsourcing provider
Ongoing access to a team vs. consultant randomly assigned by a help desk
24x7 access to support
Fixed rate support vs. charge by the hour
Role Owners and the Approval Process
The security team may know how to make changes to access, but will need to work with the business to determine what changes should be made.
Changes include making changes to Roles (modifying Authorizations, adding/removing Transactions) and assigning those Roles to users.
Have Role changes approved by the Role owner
Have User assignment changes approved by both a manager and the Role owner.
The business is often not aware of the implications of changes that are requested. Your security team should be able to point out potential risks when access is requested.
Periodic Access Validation
It's a good idea to have Role matrix reports generated and reviewed periodically by Role owners
Ensures that inappropriate changes were not made
Accountability
Consider doing this quarterly or at least yearly
Periodic Access Validation
Example output of a report that was generated by ControlPanelGRC:
User Information System
Transaction SUIM
Great place to get information about Users/Roles
TIP: SUIM has had bugs over the years. If something seems incorrect, query the appropriate table directly.
SU53
Last Authorization check that failed.
May or may not be the Authorization that the User actually needs. Look at context clues to determine if it is appropriate.
User may need more Authorization Objects after this one is added.
Authorization Trace
Transaction ST01
Records all Authorization Checks performed while a User is in the system.
Does not include Structural Authorizations in HR Security.
ControlPanelGRC Security Troubleshooter makes this process easier by recording the steps to recreate the issue and the Authorization Trace, and sending the output to the Security Team.
Security Audit Log
Records information about what Users are doing
Logon/logoff
Transactions/reports started or attempted to start
Password changes
Workstation name of User
Is not on by default.
Transactions SM19/SM20.
Does not record what data was changed by the User.
Central User Administration (CUA)
Manage Users from one SAP client
Simplifies User administration and can save a lot of time, especially for large environments
If you own SAP, you already own this. All you need is someone to configure it
There are several gotchas that frequently come up when installing. We recommend contacting a consultant who is CUA savvy
Asynchronous! Ultimately, the Users and Roles exist in each client. CUA is only the place you log in to make changes!
Diagram: CUA Central System (SOL-100) distributing to the child clients DEV-100, QAS-100 and PRD-100
SAP NetWeaver Identity Management
SAP's Identity Management Solution
Cross system/cross vendor integration
Separate landscape/installation
Highly configurable; contact someone who specializes in this product.
SAP GRC Access Controls
Risk Analysis and Remediation
Find SoDs, excessive access for both Roles and Users
Alert Monitoring
Compliant User Provisioning
Workflow for User creations/modifications
Incorporates SoD checks
Superuser Privilege Management
Emergency, temporary access
Logs some of the user's actions, notifies managers when used
Enterprise Role Management
Workflow for Role creations/modifications
Incorporates SoD checks
SymSoft ControlPanelGRC
2nd generation compliance automation solution
User & Role Manager
Accelerates User and Role change management
Risk Analyzer
Real time risk analysis and mitigation of Segregation of Duties and Sensitive Authorization risks
Usage Analyzer
Monitors Transaction executions to provide notification of executed risks
Reverse Business Engineering (RBE) tool
License Optimization tool
Transport Manager
Automates processing of change requests with auditable workflow
Batch Manager
Cross system infrastructure for compliant scheduling, monitoring and tracking of batch jobs
Emergency Access Manager
Manages temporary access; access is tracked by User and reports are routed for review
AutoAuditor
Allows compliance reports to be scheduled and sent to Users for documented review
Key Points
Security is the doorway to the SAP system
Security is a way of protecting information from unauthorized use
Security can unlock the flexibility of the system and customize it for each user
Information stored in SAP is one of your company's most valuable business assets.
SAP Security is complex and often difficult to manage and understand
There are legal requirements that influence SAP Security
Not all companies are required to comply with these regulations
All businesses benefit from having well defined processes
There are tools available to help manage security but ultimately a good security team is key
Kyle Balcerzak, 414-732-2743