Date post: 17-Nov-2015
Upload: nasir-gondal

Transcript

SAP Security: An Overview

Presented to: BCO6181

Agenda
- What is Security
- Building blocks
- Common terminologies used
- Most common tools in Security
- CUA

What is Security?
The security concept is the same around the globe as in everyday life: security means removing or restricting unauthorized access to your belongings, for example your car, laptop or credit cards. In the InfoSec context, SAP security has the same meaning, or in other words: who can do what in SAP?

IT Security?

Information security (sometimes shortened to InfoSec) is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that applies regardless of the form the data takes (electronic, physical, etc.).

SAP Security?

Building Blocks
- User Master Record
- Roles
- Profiles
- Authorization Objects


User Master Record
When access is created in the system it is defined in the User Master Record (UMR). The UMR information includes:
- Name, password, address, user type, company information
- User group
- Roles and profiles
- Validity dates (from/to)
- User defaults (logon language, default printer, date format, etc.)
A user initially has no access in SAP. Transaction: SU01

User Types:
- Dialog: typical for most users (interactive logon).
- System: cannot be used for dialog logon; can communicate between systems and start background jobs.
- Communications Data: cannot be used for dialog logon; can communicate between systems but cannot start background jobs.
- Reference: cannot log on; used to assign additional authorizations to users.
- Service: can log on but is excluded from password rules, etc. Used for support users and Internet services.


Roles and Profiles

A role is a group of transaction codes (tcodes) used to perform a specific business task. Each role requires specific privileges to perform a function in SAP; these privileges are called AUTHORIZATIONS.
There are 3 types of roles:
- Single: an independent role.
- Derived: has a parent role and differs from it only in organizational levels. Transactions, menu and authorizations are maintained only at the parent level.
- Composite: a container that holds one or more single or derived roles.
Transaction: PFCG


Authorization Objects
Authorization objects are the keys to SAP security. When you attempt an action in SAP, the system checks whether you have the appropriate authorizations. The same authorization object can be used by different transactions.

Field: the smallest unit against which a check is run; the least granular element (data element) used to secure data or information.

Authorization: an authorization object filled with concrete field values. Authorizations are used to control access at the application level.

Authorization Object: groups 1 to 10 authorization fields together. These fields are checked together, so a single authorization must satisfy all of the fields requested by the check at once.

Authorization Object Class: a logical grouping of authorization objects.

Profile: a profile is the container that delivers authorizations (and thereby authorization objects) to the user master record. Up to release 4.6C, profiles were created manually in transaction SU02; after 4.6C they are created automatically when a role is created or modified and then generated.

Role: a combination of menu, authorizations, profiles and personalization. A role is a group of activities performed within business scenarios, or the activities assigned to the user, or a set of functions describing a specific work area. Roles consist of menu, authorizations and organizational values.

SAP Application Security

User Buffer?
When a user logs on to the system, all of the authorizations that the user has are loaded into a special area in memory called the user buffer.

As the user attempts to perform activities, the system checks whether the user has the appropriate authorization objects in the user buffer.

You can see the buffer in transaction SU56.

Executing a Transaction (Authorization Checks)

1) Does the transaction exist? All transactions have an entry in table TSTC.

2) Is the transaction locked? Transactions are locked using transaction SM01. Once locked, they cannot be used in any client.

3) Can the user start the transaction? Every transaction requires that the user has the object S_TCODE with field TCD = transaction name. Some transactions also require another authorization object to start (varies per transaction; maintained in SE93).

4) What can the user do in the transaction? The application program checks whether the user has the additional authorization objects it needs (AUTHORITY-CHECK statements in the code).
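The four steps above, the user buffer loaded at logon and the derived-role mechanism from the roles slide can be simulated in a few lines. The following is an added example, not code from the presentation or from SAP: it models the AUTHORITY-CHECK matching rule (one authorization for the object must satisfy every requested field) and the start-of-transaction sequence. S_TCODE/TCD, S_USER_GRP/CLASS/ACTVT and the activity codes 01/02/03 are real SAP names; the Z* transactions, the Z_FI_DOC object, the roles, the TSTC/SM01 content and the user are constructed sample data. The failure record returned by a check is the information SU53 would display for the last failed check.

```python
"""Simulation of the SAP authorization check sequence (added example, not SAP code).
Z* transactions, Z_FI_DOC, the roles and the TSTC/SM01 content are constructed."""
from dataclasses import dataclass


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. S_TCODE
    fields: dict  # field -> list of values: 'SU01', generic 'SU*', '*', or ('1000', '1999') interval


@dataclass
class Role:
    name: str
    authorizations: list


def derive(parent: Role, name: str, org_levels: dict) -> Role:
    """Derived role: same authorizations as the parent, only org-level fields differ.
    PFCG shows org levels in the parent as $FIELD placeholders; the derived role fills them."""
    auths = [Authorization(a.obj, {f: org_levels.get(f, vals) for f, vals in a.fields.items()})
             for a in parent.authorizations]
    return Role(name, auths)


def value_matches(auth_value, requested: str) -> bool:
    """One field value of an authorization against the requested value (string comparison)."""
    if isinstance(auth_value, tuple):            # from-to interval
        low, high = auth_value
        return low <= requested <= high
    if auth_value == "*":                        # full authorization
        return True
    if auth_value.endswith("*"):                 # generic value: prefix match
        return requested.startswith(auth_value[:-1])
    return auth_value == requested


def load_user_buffer(roles) -> list:
    """At logon the authorizations of all assigned profiles are loaded (what SU56 displays)."""
    return [a for role in roles for a in role.authorizations]


def authority_check(buffer, obj: str, **requested):
    """AUTHORITY-CHECK rule: passes if ONE authorization for the object satisfies
    EVERY requested field. Returns (sy-subrc style code, failed-check record)."""
    for auth in buffer:
        if auth.obj != obj:
            continue
        if all(any(value_matches(v, val) for v in auth.fields.get(fld, []))
               for fld, val in requested.items()):
            return 0, None
    return 4, {"object": obj, **requested}       # rc 4: what SU53 would show


# constructed TSTC: transaction -> optional additional check object (as maintained in SE93)
TSTC = {"SU01": None, "ZFI_POST": ("Z_FI_DOC", {"ACTVT": "01"}), "ZFI_POST_OLD": None}
SM01_LOCKED = {"ZFI_POST_OLD"}                   # locked via SM01, applies in all clients


def start_transaction(buffer, tcode: str):
    """Steps 1-3 of starting a transaction; step 4 happens inside the program."""
    if tcode not in TSTC:
        return "NOT_FOUND", None
    if tcode in SM01_LOCKED:
        return "LOCKED", None
    rc, failed = authority_check(buffer, "S_TCODE", TCD=tcode)
    if rc != 0:
        return "NO_AUTH", failed
    extra = TSTC[tcode]
    if extra is not None:
        rc, failed = authority_check(buffer, extra[0], **extra[1])
        if rc != 0:
            return "NO_AUTH", failed
    return "OK", None


# constructed roles: display-only user administration, and an FI posting role derived per company code
Z_USER_DISPLAY = Role("Z_USER_DISPLAY", [
    Authorization("S_TCODE", {"TCD": ["SU01"]}),
    Authorization("S_USER_GRP", {"CLASS": ["*"], "ACTVT": ["03"]}),
])
Z_FI_POST = Role("Z_FI_POST", [                  # parent: org level left as $BUKRS
    Authorization("S_TCODE", {"TCD": ["ZFI_POST"]}),
    Authorization("Z_FI_DOC", {"BUKRS": ["$BUKRS"], "ACTVT": ["01", "03"]}),
])
Z_FI_POST_1000 = derive(Z_FI_POST, "Z_FI_POST_1000", {"BUKRS": ["1000"]})


def demo() -> dict:
    """Constructed user JDOE holds both roles; returns the outcome of each check."""
    buffer = load_user_buffer([Z_USER_DISPLAY, Z_FI_POST_1000])
    return {
        "unknown_tcode": start_transaction(buffer, "ZNOPE"),
        "locked_tcode": start_transaction(buffer, "ZFI_POST_OLD"),
        "start_su01": start_transaction(buffer, "SU01"),
        "start_zfi_post": start_transaction(buffer, "ZFI_POST"),
        # step 4: checks the application program performs once the user is inside
        "display_user": authority_check(buffer, "S_USER_GRP", CLASS="SUPER", ACTVT="03"),
        "change_user": authority_check(buffer, "S_USER_GRP", CLASS="SUPER", ACTVT="02"),
        "post_1000": authority_check(buffer, "Z_FI_DOC", BUKRS="1000", ACTVT="01"),
        "post_2000": authority_check(buffer, "Z_FI_DOC", BUKRS="2000", ACTVT="01"),
    }
```

Running demo() shows the three ways a transaction start can fail (unknown, locked, missing S_TCODE or SE93 object) and, for step 4, that the derived role lets JDOE post only in company code 1000 and display but not change users; the (4, {...}) records are exactly what a security administrator reads out of SU53 when tracing a missing authorization.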

Live Demo

How to trace a missing authorization
This process starts when the security administrator receives an email, a phone call or a ticket.

Why does it happen? Negligence of the tester, or some other reason. How is the process initiated?

Frequently you find that the role you built has inadequate access and fails during testing or during production usage. Why?

SAP has various tools to analyse access errors and determine the correct authorizations required:
- Last failed authorization check: SU53 (60% effective; it shows only the most recent failed check of that user's session)
- Assignment of authorization objects to transactions: SU24 (60% effective)
- Trace the authorizations for a function: ST01 (90% effective; the authorization trace records every check made while the trace is active)

How do we determine the correct access required? SU53, SU24, SU56, ST01.

Common Terminologies
- Authority check
- User menus
- Authorization objects
- Profiles
- Authorizations
- Roles
- User master records
- Authorization errors
- User buffer
- Security matrix

SAP Password Controls

There are some standard SAP password controls delivered by SAP which cannot be changed:
- First-time users are forced to change their password before they can log on to the SAP system, and again after their password is reset.
- Users can only change their password when logging on.
- Users can change their password at most once a day.
- Users cannot re-use their previous five passwords.
- The first character cannot be ? or !.
- The first three characters of the password cannot appear in the same order as part of the user name.
- The characters of the password cannot all be the same.
- The password cannot include space characters.
- The password cannot be PASS or SAP*.

Password Controls (cont.)
SAP password system parameters are system-wide settings (profile parameters with the login/ prefix) that can be configured by MPL:
- Minimum password length
- User locked after a number of unsuccessful logon attempts
- Password expiration time
- Password complexity
- Illegal passwords: MPL can define passwords that cannot be used by entering impermissible passwords into SAP table USR40 (entries may use * and ? as wildcards)
MPL = Master parts List
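A checker that enforces the fixed controls and the parameter-driven ones together makes the interplay visible, including the history and USR40 wildcard handling. This is an added example, not SAP's own logic: the login/* keys are the real SAP profile parameter names, but the values assigned to them, the USR40 content, the user name and the passwords are constructed for the demo, and comparing passwords case-insensitively is an assumption of this model (it mirrors the upper-casing of older releases). The history is kept as salted PBKDF2 hashes so the model never stores a clear-text password.

```python
"""Password-rule checker modelling the controls listed above (added example, not SAP code).
Parameter values, USR40 entries and test data are constructed; case-insensitive comparison is assumed."""
import hashlib
import os
import re

# real SAP profile parameter names; the values are assumptions for this demo
PARAMS = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 0,
    "login/password_history_size": 5,
}

# constructed USR40 content: '*' matches any run of characters, '?' exactly one
USR40 = ["PASSWORD", "WELCOME*", "SAP???", "*123"]


def usr40_pattern(entry: str):
    """Translate a USR40 entry into an anchored, case-insensitive regular expression."""
    rx = re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + rx + "$", re.IGNORECASE)


def pw_hash(password: str, salt=None):
    """Salted PBKDF2-SHA256 so the password history never holds clear text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.upper().encode(), salt, 20_000)
    return salt, digest


def in_history(password: str, history) -> bool:
    return any(pw_hash(password, salt)[1] == digest for salt, digest in history)


def check_new_password(username, password, history=(), last_change=None,
                       today=None, params=PARAMS):
    """Return the codes of all violated rules; an empty list means the password is accepted.
    history: list of (salt, digest) tuples from pw_hash(), oldest first.
    last_change/today: dates of the previous change and of this attempt."""
    user, pw = username.upper(), password.upper()
    violations = []

    # fixed controls delivered by SAP (as listed on the slide)
    if last_change is not None and last_change == today:
        violations.append("ONCE_PER_DAY")
    if pw in ("PASS", "SAP*"):
        violations.append("RESERVED")
    if pw[:1] in ("?", "!"):
        violations.append("FIRST_CHAR")
    if len(pw) >= 3 and pw[:3] in user:
        violations.append("USERNAME_PREFIX")
    if pw and len(set(pw)) == 1:
        violations.append("ALL_SAME")
    if " " in pw:
        violations.append("SPACE")
    keep = params["login/password_history_size"]
    if in_history(password, list(history)[-keep:] if keep else []):
        violations.append("HISTORY")

    # controls driven by profile parameters
    digits = sum(c.isdigit() for c in pw)
    letters = sum(c.isalpha() for c in pw)
    specials = len(pw) - digits - letters
    if len(pw) < params["login/min_password_lng"]:
        violations.append("MIN_LENGTH")
    if digits < params["login/min_password_digits"]:
        violations.append("MIN_DIGITS")
    if letters < params["login/min_password_letters"]:
        violations.append("MIN_LETTERS")
    if specials < params["login/min_password_specials"]:
        violations.append("MIN_SPECIALS")

    # illegal passwords maintained in table USR40
    if any(usr40_pattern(entry).match(pw) for entry in USR40):
        violations.append("USR40")
    return violations
```

A practitioner can drop the organisation's real login/* values into PARAMS and its USR40 export into the list to pre-screen a proposed password policy; note that the history window is applied to the last login/password_history_size entries only, so a password older than that is accepted again, exactly as the "previous five" rule implies.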


Tools:
- SU01: User Maintenance
- PFCG: Role Maintenance
- SUIM: Authorization Reporting Tree (User Information System)
- SU02: Maintain Profiles
- SU03: Maintain Authorizations
- SU10: User Maintenance: Mass Changes
- SU21: Maintain Authorization Objects
- SU24: Authorization object checks under transactions
- SU3: Maintain own default settings
- SU53: Display Authority Check Values (last failed check)
- SU56: Display User Buffer
- ST01: System Trace (authorization trace)
- SM19: Security Audit Log Configuration
- SM20: Display Security Audit Log
- S_BCE_68002111: List of users with critical authorizations

CUA

Central User Administration (CUA) is a feature in SAP that streamlines the management of user accounts across different clients in a multi-system SAP landscape. It is especially useful when similar user accounts are created and managed on multiple clients. Benefits:
- Centralized administration
- Data consistency and accuracy
- Elimination of redundant effort

Thank you very much

Nasir Gondal
www.about.me/nasirgondal
