Sap Security Concept

Date post: 02-Jun-2018
8/10/2019 Sap Security Concept
http://slidepdf.com/reader/full/sap-security-concept 1/33

Transcript

Page 1: Sap Security Concept

A Guide to Securing Your SAP ECC System

Raymond Mastre, CISA, CRISC
Director SAP Security/GRC
PwC

Page 2: Sap Security Concept

Agenda

• Introduction
• Basic SAP ECC Security Concepts
• Securing your SAP ECC System
• Choosing Your Role Design Methodology
• Audit Compliance Topics (SoD and SA) and Security Design Monitoring
• Case Study
• Wrap-up

Page 3: Sap Security Concept

Introduction

Raymond Mastre, Director SAP Security/GRC, PwC

• Over 10 years of SAP Security and SAP GRC experience
• Completed 10-15 global SAP Security designs/redesigns
• Experience working in the Beauty, Pharma, Public, Defense and Chemicals industries
• CRISC and CISA certified

Page 4: Sap Security Concept

Agenda

• Introduction
• Basic SAP ECC Security Concepts
• Securing your SAP ECC System
• Choosing Your Role Design Methodology
• Audit Compliance Topics (SoD and SA) and Security Design Monitoring
• Case Study
• Wrap-up

Page 5: Sap Security Concept

Basic SAP ECC Security Concepts

1. User master record: the user requires a valid user ID and password.
2. Authority check: the user requires an authorization for business objects.
3. T-code check: the user requires an authorization for transactions.

Page 6: Sap Security Concept


Authorization Analogy

The proper key must be cut specifically for a certain lock

Page 7: Sap Security Concept

Authorization Analogy

[Diagram: User -> Profile -> Authorization (Authorization Object, Authorization Object Fields, Authorization Field values) -> SAP Program]

The proper authorization is needed to unlock the SAP program.

Page 8: Sap Security Concept

SAP Security Key Components

• Authorization (fields and values)
• Profiles
• Users
• Roles

Page 9: Sap Security Concept

Authorizations and Profiles

[Diagram: SAP Authorization Structure. Access Element: Profile -> Authorization -> Authorization Object -> Authorization Object Fields -> Authorization Field values -> SAP Program]

There are also composite profiles that can have other single or composite profiles assigned to them. For example, SAP_ALL or SAP_NEW are composite profiles.

Page 10: Sap Security Concept

Users

[Diagram: SAP Authorization Structure, as on the previous slide, with the User as the Access Element to which the Profile is assigned: User -> Profile -> Authorization -> Authorization Object -> Authorization Object Fields -> Authorization Field values -> SAP Program]

Page 11: Sap Security Concept

Profile Generator

[Diagram: SAP Profile Generator. Menu Items -> Authorization Data (from USOBT_C and USOBX_C, maintained via SU24) -> Roles -> Profile -> Authorization -> Authorization Object -> Authorization Object Fields -> Authorization Field values -> SAP Program; the Role is assigned to the User]

• Security Admin creates the role and assigns T-code menu item(s)
• SAP generates the Authorization Data based on the menu items and the corresponding USOBT_C table entries

Page 12: Sap Security Concept

Relevant Security Tables

T-code to Role Mapping           AGR_TCODES
Role to User Mapping             AGR_USERS
Role to Role Name                AGR_DEFINE
Roles Within a Composite         AGR_AGRS
Authorizations in a Role         AGR_1251
Organization Values in a Role    AGR_1252
Fields Within an Object          TOBJ

Page 13: Sap Security Concept

Agenda

• Introduction
• Basic SAP ECC Security Concepts
• Securing your SAP ECC System
• Choosing Your Role Design Methodology
• Audit Compliance Topics (SoD and SA) and Security Design Monitoring
• Case Study
• Wrap-up

Page 14: Sap Security Concept

Leading Practice Security Designs

[Diagram comparing the two methodologies]

Job Based Methodology: job roles such as AP Clerk, AP Manager and AP Processor, with Redundant Access between them

Task Based Methodology: task roles such as User General, FI Common Display, FI Document Reversal and FI Document Processing, assigned in combination to the user

Page 15: Sap Security Concept

What is Job Based?

[Diagram: job roles AP Supervisor, AP Clerk, AP Manager]

• Security roles are built based on positions/jobs for a group of users (e.g. Accounts Receivable Manager)
• A single role contains all of the access to perform a job
• Transaction codes and authorizations are typically duplicated in many roles

Page 16: Sap Security Concept

What is Task Based?

• Security is built based on small, definable tasks executed by a user (e.g. Process Cash Receipts)
• Multiple roles are assigned to the user for them to perform their day to day tasks
• Transaction codes exist in a single role, with minimal exceptions

[Diagram: task roles and the transaction codes each contains]
User General: SU53, SBWP
FI Common Display: FBV3, FB03
FI Document Reversing: F.81, F.80
FI Document Processing: FB02, FB01

Page 17: Sap Security Concept

Job vs. Task

                                    Job Based                      Task Based
Number of roles assigned to users   1-3                            8-10
Tcodes per Role                     25-40                          6-10
T-code Duplication                  Significant                    Minimal
On-going change management          Role Content Change            Role Assignment Change
Scalability                         Limited                        Highly Scalable
SOD                                 High number of roles with      Low or no roles with SOD's
                                    SOD's and SOD remediation      and remediation is easy
                                    is difficult

Page 18: Sap Security Concept

Common Challenges with ECC Security

• Introduction
• Basic SAP ECC Security Concepts
• Securing your SAP ECC System
• Choosing Your Role Design Methodology
• Audit Compliance Topics (SoD and SA) and Security Design Monitoring
• Case Study
• Wrap-up

Page 19: Sap Security Concept

Key Areas to Review

The following are key areas to consider when reviewing SAP security:
 – SoD and sensitive access
 – Monitoring of sensitive objects
 – Security strategy assessment

Page 20: Sap Security Concept

What are SoD's and SAs?

• Segregation of Duties (SoD)
  Helps to establish an adequate division of responsibilities between those who create master data and those who process transactional data.
  Example: “Create G/L Account” and “Post to G/L”

• Sensitive Access (SA)
  Helps to establish that critical functions in a system are restricted to authorized individuals.
  Example: “Post to G/L”

Page 21: Sap Security Concept

How to Monitor SoDs/SAs

Companies have many different ways to monitor SoDs/SAs:
 – SAP GRC Access Control
 – Other access control systems (Bizrights, ControlPanel, etc.) or “homegrown” monitoring tools
 – Transaction “SUIM”

Page 22: Sap Security Concept

SUIM

Use transaction SUIM to check for users with sensitive transactions, objects, or SoDs.

Page 23: Sap Security Concept

Monitor Sensitive Security Objects

S_DEVELOP    Controls “debug” access in SAP. Values 01 and 02 should generally not be given in production.
S_RFC        Allows a user to potentially perform remote calls to other systems.
S_TABU_DIS   Controls the ability to view or change tables in SAP. Star values should be avoided.
S_PROGRAM    Controls program calls in SAP. As with S_TABU_DIS, avoid stars.
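The SoD and sensitive-access checks from the last few slides, as an added example that is not part of the deck: it joins constructed extracts of AGR_USERS, AGR_TCODES and AGR_1251 (the tables named on the Relevant Security Tables slide) to find users who hold both sides of the “Create G/L Account” / “Post to G/L” pair and roles that grant S_DEVELOP 01/02 or star values on S_TABU_DIS. The role names, the rows and the mapping of the two functions to FS00 and FB01/FB02 are assumptions, not from the deck.

```python
from collections import defaultdict
# Constructed sample extracts of the three role tables (one dict per row).
AGR_USERS = [{"AGR_NAME": "Z_FI_GL_MASTER", "UNAME": "ALICE"},
             {"AGR_NAME": "Z_FI_DOC_PROCESSING", "UNAME": "ALICE"},
             {"AGR_NAME": "Z_BASIS_DEV", "UNAME": "CAROL"}]
AGR_TCODES = [{"AGR_NAME": "Z_FI_GL_MASTER", "TCODE": "FS00"},
              {"AGR_NAME": "Z_FI_DOC_PROCESSING", "TCODE": "FB01"},
              {"AGR_NAME": "Z_FI_DOC_PROCESSING", "TCODE": "FB02"}]
AGR_1251 = [{"AGR_NAME": "Z_BASIS_DEV", "OBJECT": "S_DEVELOP", "FIELD": "ACTVT", "LOW": "02", "HIGH": ""},
            {"AGR_NAME": "Z_BASIS_DEV", "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "*", "HIGH": ""},
            {"AGR_NAME": "Z_FI_DOC_PROCESSING", "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "FC31", "HIGH": ""}]
# Assumed function-to-t-code mapping for the deck's SoD example pair.
FUNCTIONS = {"Create G/L Account": {"FS00"}, "Post to G/L": {"FB01", "FB02"}}
SOD_RULES = [("Create G/L Account", "Post to G/L")]

def group(rows, key, value):
    """Group a table extract: row[key] -> set of row[value]."""
    out = defaultdict(set)
    for row in rows:
        out[row[key]].add(row[value])
    return out

def user_tcodes(agr_users, agr_tcodes):
    """Join AGR_USERS to AGR_TCODES: user -> t-codes reachable through any role."""
    by_role = group(agr_tcodes, "AGR_NAME", "TCODE")
    return {u: set().union(*(by_role[r] for r in roles))
            for u, roles in group(agr_users, "UNAME", "AGR_NAME").items()}

def sod_conflicts(agr_users, agr_tcodes):
    """Users holding both sides of a rule, even when the sides sit in different roles."""
    found = []
    for user, tcodes in user_tcodes(agr_users, agr_tcodes).items():
        for a, b in SOD_RULES:
            if tcodes & FUNCTIONS[a] and tcodes & FUNCTIONS[b]:
                found.append((user, a, b))
    return sorted(found)

def is_sensitive(auth):
    """Deck rules: S_DEVELOP ACTVT 01/02; stars on S_TABU_DIS / S_PROGRAM. Ranges (HIGH set) handled too."""
    if auth["OBJECT"] == "S_DEVELOP" and auth["FIELD"] == "ACTVT":
        lo, hi = auth["LOW"], auth["HIGH"] or auth["LOW"]
        return lo == "*" or (lo <= "02" and hi >= "01")  # range overlaps 01..02
    if auth["OBJECT"] in ("S_TABU_DIS", "S_PROGRAM"):
        return "*" in (auth["LOW"], auth["HIGH"])
    return False

def sensitive_access(agr_users, agr_1251):
    """(user, role, object, field, low) for every sensitive authorization a user holds."""
    by_role = defaultdict(list)
    for auth in agr_1251:
        by_role[auth["AGR_NAME"]].append(auth)
    return sorted({(u, r, a["OBJECT"], a["FIELD"], a["LOW"])
                   for u, roles in group(agr_users, "UNAME", "AGR_NAME").items()
                   for r in roles for a in by_role[r] if is_sensitive(a)})
```

On a real system the three extracts would come from SE16 downloads or an RFC read of the same tables; the rule set is where a GRC ruleset or SUIM variant would plug in.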

Page 24: Sap Security Concept

Security Design Assessment

A security design assessment:
 – Benchmarks several key performance indicators against a successful security design
 – Is less concerned with the access a user has and more concerned with how they got it
 – Is completed by performing a statistical analysis of the SAP Security Environment

Page 25: Sap Security Concept

Statistical Analysis of SAP Security Environment

Below are example benchmarks for examining an SAP security design:
 – Number of duplicated transaction codes in roles
 – Number of authorization objects in assigned roles
 – Number of changed and manually-inserted authorization objects
 – Number of roles
 – Number of roles with transaction code ranges or wildcards
 – Number of changed authorizations

Page 26: Sap Security Concept

Example: Duplicated Transaction

Duplication of transaction codes complicates the provisioning process.

Example: a user needs access to transaction code VD01. If this transaction code sits in seven different roles, which one can we assign?

SAP tables to query:
 – AGR_1251
 – AGR_TEXTS
 – TSTCT

Expected query result: 5%-8% of transaction codes should be duplicated.

Exceptions are transaction codes with different functionality; for example, F110 (create payment proposal, run payment proposal).
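The duplicated-transaction benchmark and the other design indicators listed on the previous slide, computed over constructed extracts of AGR_TCODES and AGR_1251 (an added example, not from the deck). The rows and role names are constructed, F110 is carried as the expected exception the deck mentions, and the MODIFIED/NEU flags used to count changed and manually inserted authorizations are an assumption about the extract's columns.

```python
from collections import defaultdict
# Constructed sample extracts (one dict per row). MODIFIED/NEU are the flags
# assumed here to mark changed and manually inserted authorizations.
AGR_TCODES = [{"AGR_NAME": "Z_AP_CLERK", "TCODE": "FB01"},
              {"AGR_NAME": "Z_AP_CLERK", "TCODE": "FB03"},
              {"AGR_NAME": "Z_AP_CLERK", "TCODE": "VD01"},
              {"AGR_NAME": "Z_AP_MANAGER", "TCODE": "FB03"},
              {"AGR_NAME": "Z_AP_MANAGER", "TCODE": "VD01"},
              {"AGR_NAME": "Z_AP_MANAGER", "TCODE": "F110"},
              {"AGR_NAME": "Z_AP_PAYMENTS", "TCODE": "F110"},
              {"AGR_NAME": "Z_SD_MASTER", "TCODE": "VD01"},
              {"AGR_NAME": "Z_SD_MASTER", "TCODE": "VD02"}]
AGR_1251 = [{"AGR_NAME": "Z_AP_CLERK", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "FB01", "HIGH": "", "MODIFIED": "", "NEU": ""},
            {"AGR_NAME": "Z_AP_CLERK", "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS", "LOW": "*", "HIGH": "", "MODIFIED": "X", "NEU": ""},
            {"AGR_NAME": "Z_LEGACY_ALL", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "F*", "HIGH": "", "MODIFIED": "", "NEU": ""},
            {"AGR_NAME": "Z_AP_MANAGER", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "FB01", "HIGH": "FB99", "MODIFIED": "", "NEU": ""},
            {"AGR_NAME": "Z_AP_MANAGER", "OBJECT": "F_BKPF_KOA", "FIELD": "KOART", "LOW": "K", "HIGH": "", "MODIFIED": "", "NEU": "X"}]
# Duplicates expected because each use has different functionality (the deck's F110).
EXPECTED_DUPLICATES = {"F110"}

def duplicated_tcodes(agr_tcodes, exceptions=EXPECTED_DUPLICATES):
    """t-code -> number of roles containing it, for t-codes found in more than one role."""
    roles_per_tcode = defaultdict(set)
    for row in agr_tcodes:
        roles_per_tcode[row["TCODE"]].add(row["AGR_NAME"])
    return {t: len(r) for t, r in roles_per_tcode.items()
            if len(r) > 1 and t not in exceptions}

def duplication_rate(agr_tcodes):
    """Share of distinct t-codes that are duplicated (deck benchmark: 5%-8%)."""
    distinct = {row["TCODE"] for row in agr_tcodes}
    return len(duplicated_tcodes(agr_tcodes)) / len(distinct) if distinct else 0.0

def roles_with_tcode_ranges(agr_1251):
    """Roles whose S_TCODE authorizations use a wildcard or a from-to range."""
    return sorted({a["AGR_NAME"] for a in agr_1251
                   if a["OBJECT"] == "S_TCODE" and ("*" in a["LOW"] or a["HIGH"])})

def changed_or_manual_auths(agr_1251):
    """Authorizations changed from the SU24 proposal or inserted by hand."""
    return sum(1 for a in agr_1251 if a["MODIFIED"] == "X" or a["NEU"] == "X")

def benchmark_report(agr_tcodes, agr_1251):
    """The deck's benchmarks in one dict, ready to compare against the targets."""
    roles = {r["AGR_NAME"] for r in agr_tcodes} | {a["AGR_NAME"] for a in agr_1251}
    return {"roles": len(roles),
            "duplicated_tcodes": duplicated_tcodes(agr_tcodes),
            "duplication_rate": round(duplication_rate(agr_tcodes), 3),
            "roles_with_tcode_ranges": roles_with_tcode_ranges(agr_1251),
            "changed_or_manual_auths": changed_or_manual_auths(agr_1251)}
```

With this sample 40% of the distinct t-codes are duplicated, far above the 5%-8% the deck expects, which is the kind of gap a job-based design typically shows.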

Page 27: Sap Security Concept


Assessing SAP Security Design

Page 28: Sap Security Concept

Agenda

• Introduction
• Basic SAP ECC Security Concepts
• Securing your SAP ECC System
• Choosing Your Role Design Methodology
• Audit Compliance Topics (SoD and SA) and Security Design Monitoring
• Case Study
• Wrap-up

Page 29: Sap Security Concept

Case Study Profile

Company Profile
 – Consumer Products (Beauty)
 – Original SAP Implementation: completed in the early 2000's
 – Total User Count: ~5,000 SAP User IDs
 – SAP GRC 5.3 installed at time of project start

Page 30: Sap Security Concept

Before

Prior to Project
 – Role Count: 18,000+
 – Users: 5,000 (3,000 users with more than just T&E)
 – Firefighter Usage: 3,000,000 transactions in first six months
 – Business ownership: Limited
 – SAP GRC Version: 5.3

Page 31: Sap Security Concept

After

 – Role Count: 300 task roles (350 enabler roles)
 – Users: 5,000 (3,000 users with more than just T&E)
 – Firefighter Usage: 150,000 transactions in first six months
 – Business ownership: Significant
 – SAP GRC Version: 10

Page 32: Sap Security Concept

Wrap Up

Top Points to Remember:
 – Core elements of SAP security are authorizations, profiles, users, and roles
 – There are two main methodologies for designing SAP security: job and task
 – Transaction “SUIM” and/or SAP GRC can be used to test for Segregation of Duties and Sensitive Access
 – Sensitive SAP security objects should be restricted appropriately
 – An assessment of SAP security design is one indicator of how successful your security will be long term

Page 33: Sap Security Concept


Questions?

Contact me:

[email protected]

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
