March 31st, 2010
ISACA Presentation
Introduction to SAP Security
Cleberson R. Siansi – CISA, CGEIT, ACP
Stephen F Rose – MA
Introduction to SAP Security – Session Objectives
This session is intended to provide an introduction to SAP security for SAP R/3 (4.6c/4.7) and ECC (5.0/6.0) environments, with particular focus on the authorization concept and how it supports the structural framework used in defining user access requirements.
Introduction to SAP Security – Session Agenda
• Overview of SAP
• Overview of SAP Security
• SAP Authorization Concept Details
• Profile Generator (PFCG)
Overview of SAP
Overview of SAP – What is SAP?
SAP = Systems Applications and Products in Data Processing
SAP is: Multifunctional, Integrated, Enterprise Wide, Modular, “Real Time”
– An order in SAP can automatically generate an inventory movement and purchase order without any “human” intervention
– SAP integrates all business processing through one application; it links operational results and the financial aspects of those results
– SAP can track financial results, procurement, sales, manufacturing, human resources and payroll
– SAP comprises 18 - 20 modules in finance, logistics and HR; one or more SAP modules can be implemented
– SAP is typically accessible by the entire business organization; most company information and transactions originate from SAP
Overview of SAP – How SAP Works
1. Order – SAP SD
2. Availability – SAP MM Inventory
3. Production – SAP PP
4. Manpower – SAP HR
5. Purchasing – SAP PP
6. Order Tracking – SAP MM
7. Reporting – SAP FI/CO
Overview of SAP – SAP Modules
– MM (Materials Management): Purchasing, Goods receipt, Inventory Control, Invoice Verification
– SD (Sales & Distribution): Sales, Distribution, Invoicing
– PP (Production Planning): Re-order control, Production Planning & Control
– FI (Financial Accounting): Accounts payable, Accounts receivable, General ledger, Cash management, Consolidation
– HR (Human Resources): Personnel Administration, Payroll Accounting
– CO (Controlling): Cost Center / Profit Center, Profitability Analysis
– IM: Inventory Management
– AM: Asset accounting
– BASIS: Application Security, Segregation of Duties, Change Control, System Parameters
Overview of SAP – SAP in Numbers
Scope and role SAP plays in today's global economy:
– 85% of the Fortune 500 run SAP software
– 80% of Fortune 1,000 companies run SAP software
– 60% of Fortune 2,000 companies run SAP software
– 70% of the world economy's transactions in some shape or form touch an SAP system
– 2.5 billion utility bills are processed by SAP software each year
– 65% of all chocolate in the world is manufactured using SAP software
– Based on software revenue, SAP is the number one business software supplier in every industry and solution segment
– SAP has developed and markets more than 25 industry-specific software solutions
– SAP has more than 82,000 customers across 120 countries
– Approximately 64,000 SAP customers are small businesses or midsize companies
– SAP is the first leading vendor to deliver a comprehensive suite of integrated SOA-based enterprise software solutions
– 43,000 systems currently run on the SOA-ready SAP NetWeaver platform
– 13,000 systems currently run on NetWeaver-based SAP ERP 6.0
Source: http://www.optimalsol.com/NE-Thought-SAP-Economic-Upturn-One.html
Overview of SAP Security
Overview of SAP Security – Roles, Profiles and Authority Checks
A Role is a bucket containing:
– Transaction Codes
– Authorization Data (Authorization Objects and Field Values)
– User assignments
A Profile is a “key ring” that contains authorizations (cut keys)
Authority Checks
– Performed by SAP to ensure that a user ID has the correct authorization object and field value combination (cut key) to execute a particular task
– There may be multiple authority checks in one program (typically one at the start of the program as well as throughout the program)
[Diagram: a Profile holds Authorizations and their Field Values]
Overview of SAP Security – Authorization Objects vs. Authorizations
An authorization object is a template for security that contains fields with blank values (an uncut key)
– Authorization Object may be reused for many transactions
– Authorization Objects and Field Values are stored in two key SAP tables
> USOBX_C: Transaction-to-object relationships
> USOBT_C: Transaction-to-object field value relationships
» Both tables are maintained via transaction code SU24 and used by PFCG (Profile Generator)
An authorization is an authorization object with completed fields (a cut key)
– It takes one or more “keys” to open the doors to access a particular task, or transaction, within SAP
Overview of SAP Security – Levels required to access a particular function in SAP
– Level 1: User ID Access – Login w/ User ID and Password (User Master Record)
– Level 2: Transaction Code Access – Object: S_TCODE; Examples: FB01, MM01 (Role/Profile)
– Level 3: Authorization Access – Examples: F_BKPF_BUK, M_MATE_BUK (Authorization Object Field Values)
Overview of SAP Security – Authority Check
Example of an SAP Authorization Object
Example: Object F_BKPF_BUK (Accounting Document: Authorization for company code)
In General, objects protect:
• a certain data element / function
• for a specific action
• in a specific context
This object protects:
• accounting document (= posting)
• activity (create, display, etc.)
• for company code (= of a legal entity)
Overview of SAP Security – Authorization Concepts
Generic building blocks → Example (user wants to change a posting for PwC):
– Object F_BKPF_BUK → Authorization XYZ
– Field 1: Activity (ACTVT) → Change (02)
– Field 2: Company (BUKRS) → PwC Corporate (Company Code XYZ)
Overview of SAP Security – Authorization Concepts
Create Vendor – Transactions MK01, FK01, XK01
– Conventional approach: protection via menu/function
– SAP approach: protection once via authorization
Keep in mind! In SAP, you can perform the same function with different transactions
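The authority check and the F_BKPF_BUK "change a posting" example above, worked through as an added Python model (not code from the presentation or from SAP): a cut key is one authorization whose fields must all match, two authorizations are never combined, and starting a transaction needs the S_TCODE key before the program's own object check. The object and field names are real SAP names; user CLERK1, the profiles and all values are constructed.

```python
# Added example (not from the presentation): a minimal model of the SAP
# authorization concept. Object/field names (S_TCODE/TCD, F_BKPF_BUK/ACTVT/BUKRS)
# are real SAP names; user CLERK1, the profiles and the values are constructed.

def value_matches(spec, value):
    """One value of a cut key: '*' (all), 'AB*' (prefix), an exact value,
    or a (low, high) range as held in the Low/High columns of USOBT_C."""
    if isinstance(spec, tuple):
        low, high = spec
        return low <= value <= high
    if spec == "*":
        return True
    if spec.endswith("*"):
        return value.startswith(spec[:-1])
    return spec == value

def authorization_covers(authorization, required):
    """One authorization passes only if it satisfies every checked field;
    values from two different authorizations are never combined."""
    return all(any(value_matches(s, value) for s in authorization.get(field, []))
               for field, value in required.items())

def authority_check(user_master, user, obj, required):
    """Model of ABAP AUTHORITY-CHECK OBJECT obj ID field FIELD value: succeeds
    if any authorization for obj in any of the user's profiles covers it."""
    for profile in user_master.get(user, {}).get("profiles", []):
        for auth_obj, authorization in profile:
            if auth_obj == obj and authorization_covers(authorization, required):
                return True
    return False

# Constructed user master: CLERK1 holds two profiles (key rings).
PROFILE_AP_XYZ = [                                  # change/display postings for XYZ
    ("S_TCODE", {"TCD": ["FB01", "FB03"]}),         # level 2: tcodes the user may start
    ("F_BKPF_BUK", {"ACTVT": ["02", "03"], "BUKRS": ["XYZ"]}),  # level 3
]
PROFILE_DISPLAY_ALL = [                             # display postings in any company
    ("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["*"]}),
]
USER_MASTER = {"CLERK1": {"profiles": [PROFILE_AP_XYZ, PROFILE_DISPLAY_ALL]}}

def can_change_posting(user, company_code, tcode="FB01"):
    """Starting the transaction is an S_TCODE check; the program then runs its
    own F_BKPF_BUK check with ACTVT 02. Both keys are needed to open the door."""
    return (authority_check(USER_MASTER, user, "S_TCODE", {"TCD": tcode})
            and authority_check(USER_MASTER, user, "F_BKPF_BUK",
                                {"ACTVT": "02", "BUKRS": company_code}))
```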
SAP Authorization Concept Details
• USOBX_C table
– T-code
– Object
– Flag (N = No Check, C = Check, CM = Check Maintain)
> Ignore U since it is essentially the same as C
• USOBT_C table
– T-code
– Object
– Field
– Low
– High
Maintaining these tables is the key to increasing efficiency, consistency, and integrity of the role design and future design changes by avoiding manual and changed authorizations in the roles.
Overview of SAP Security – SU24 – Relationship of authorizations to transaction codes
Maintains the USOBX_C table
• T-code to object relationship and special handling flag
Maintains the USOBT_C table
• T-code to object to default field value relationship
These tables are client independent. Modifications via transaction code SU24 will affect all clients in an SAP system.
[Diagram: SAP Tables → SAP Building Blocks. USOBX_C holds T-code, Object and Flag; USOBT_C holds T-code, Object, Fields, Low and High. Rows with Flag = CM are the ones fed into the building blocks.]
Why are These Tables “Misused” and “Underutilized”?
• Many companies do not even use transaction SU24 to maintain their customer tables (USOBX_C and USOBT_C)
• Others do some maintenance via transaction SU24, but do not fully understand the relationship between these underlying tables and the Profile Generator (PFCG)
• These tables are a key to reducing the maintenance and risk associated with roles!
N: No Check
• We do not have the ability to turn on an object that is not checked by SAP, as that would require changes to the source code. However, we can bypass checks with the check indicator flags. To bypass a check, set the flag to No Check.
• This is useful for objects where we star every value in every instance the object is used. The object is not used for security control.
• We can only bypass authority checks by moving the check mark to No Check.
• Basis objects (S_*) cannot be disabled.
C: Check
• SAP default – An authority check is performed by SAP if the ABAP code calls it, but the Profile Generator (PFCG) will not include the object in any roles created with the tcode
CM: Check Maintain
• Check Maintain means the same as Check, but Maintain means that the authorizations will be pulled into the role when that T-code is placed in the Menu tab of PFCG for a role.
U: Unmaintained
• This check status is rarely used
• This status is very similar to the Check status. An authority check statement can still be called, and no object values will be maintained or entered into the Profile Generator.
Profile Generator (PFCG)
Profile Generator (PFCG) – Traditional Security Approach
Transaction Codes:
– SU01 – End User Maintenance: Create User, Change User, Delete User, Assign Profiles, Setup Defaults
– SU02 – Profile Maintenance (Simple / Composite): Create Profile, Change Profile, Delete Profile, Assign Authorizations
– SU03 – Authorization Maintenance: Create Authorization, Change Authorization, Delete Authorization
Profile Generator (PFCG) – Security Administration via Profile Generator
• The profile generator is an automated tool (transaction code PFCG) used to assist in the design, capture and maintenance of profiles
• Simplifies the Authorization process
• Uses transaction codes to define access
• Based on the TRANSACTIONS selected, SAP determines the related AUTHORIZATION OBJECTS and, where applicable, the FIELD VALUES from tables USOBX_C and USOBT_C
• The remaining FIELD VALUES for the selected AUTHORIZATION OBJECTS need to be filled in to create the AUTHORIZATIONS
• A Role is therefore a collection of Authorizations
• When generated, a Role creates a corresponding Profile
PFCG uses the USOBX_C and USOBT_C tables to pre-fill the Authorizations tab of a role based on the transaction codes entered on the Menu tab of a role: for the tcodes entered on the Menu tab, PFCG looks up the objects with a Check/Maintain flag and populates the Authorizations tab.
Profile Generator (PFCG) – Security Administration via Profile Generator
Simple Role Example:
1. Create a simple role and add t-code SE16 “Data Browser” to the Menu tab
2. Assign Authorizations (objects & field values)
– Authorization objects which default into the role are defined in table USOBX_C; these objects have their flag value set to “Check Maintain”
– Two authorization objects were found with their flag value set to “Check Maintain”: S_TABU_DISP & S_TABU_LIN
– Default fields & field values for the auth. objects are then defined in USOBT_C; these are brought into Profile Generator automatically
3. Generate the Profile
Profile Generator (PFCG) – Relationship Between SU24 and the Profile Generator
Object status definitions
Standard – Auth object was inserted from USOBT_C, and all fields were filled in by default. (“Nice, nothing to do”)
Maintained – Auth object was inserted from USOBT_C, and the administrator filled in the “blank” fields, without changing the default values from USOBT_C. (“Working with the table”)
Changed – Auth object was inserted from USOBT_C, and the administrator changed a default field value from the recommended value in USOBT_C. (“Fighting with the table”)
Manual – Auth object was manually inserted into the role, and was not brought in by USOBT_C. This object is not “related” to any tcode on the Menu tab and will not be removed when the Menu tab changes. (“Ignoring the table”)
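The SU24 check flags, the PFCG pre-fill of the Authorizations tab from USOBX_C/USOBT_C and the four object statuses above, as one added Python model (not code from the presentation or from PFCG itself). The object and field names are real SAP names; every table row, the role contents and the manual S_DEVELOP entry are constructed sample data.

```python
# Added example (not from the presentation): how PFCG derives the Authorizations
# tab from the SU24 tables and labels each object's status. Rows are constructed.

# USOBX_C: (tcode, object) -> flag. N = No Check, C = Check, CM = Check Maintain, U ~ C.
USOBX_C = {
    ("SE16", "S_TABU_DIS"): "CM",
    ("SE16", "S_TABU_LIN"): "CM",
    ("SE16", "S_TABU_NAM"): "C",    # checked at runtime, never proposed by PFCG
    ("SE16", "S_ADMI_FCD"): "N",    # check bypassed for this tcode
}
# USOBT_C: (tcode, object, field) -> (low, high); "" = left blank for the admin.
USOBT_C = {
    ("SE16", "S_TABU_DIS", "ACTVT"): ("03", ""),
    ("SE16", "S_TABU_DIS", "DICBERCLS"): ("", ""),
    ("SE16", "S_TABU_LIN", "ACTVT"): ("03", ""),
    ("SE16", "S_TABU_LIN", "ORG_CRIT"): ("", ""),
}
BLANK = ("", "")

def build_role(menu_tcodes):
    """Pre-fill the Authorizations tab: only objects flagged CM for a tcode
    on the Menu tab are inserted, carrying their USOBT_C default values."""
    role = []
    for (tcode, obj), flag in USOBX_C.items():
        if tcode not in menu_tcodes or flag != "CM":
            continue
        defaults = {f: lh for (t, o, f), lh in USOBT_C.items() if (t, o) == (tcode, obj)}
        role.append({"object": obj, "from_tcode": tcode,
                     "defaults": defaults, "values": dict(defaults)})
    return role

def add_manual(role, obj, values):
    """Object inserted by hand: not tied to any Menu-tab tcode."""
    role.append({"object": obj, "from_tcode": None, "defaults": {}, "values": dict(values)})

def status(entry):
    """Standard / Maintained / Changed / Manual as PFCG labels them."""
    if entry["from_tcode"] is None:
        return "Manual"
    defaults, values = entry["defaults"], entry["values"]
    if any(d != BLANK and values[f] != d for f, d in defaults.items()):
        return "Changed"        # admin overrode a recommended value
    if any(d == BLANK and values[f] != BLANK for f, d in defaults.items()):
        return "Maintained"     # admin filled a blank the table left open
    return "Standard"

def open_fields(role):
    """Blank fields that must still be filled before the profile can be generated."""
    return sorted((e["object"], f) for e in role for f, v in e["values"].items() if v == BLANK)
```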
SAP Security – Questions
SAP Security – Contact Us
Cleberson R. Siansi
(248) 219 5394
Stephen F. Rose
(248) 312-8923