SAP Audit Information and Approach
Authorization Example
1. User Master Record
User: Frank W. Lyons
Profile: Example
2. Profile: Example
Object: S_Program
Authorizations: ABAP
3. Authorization: ABAP
Object: S_Program
Fields and values:
Program Group = *
Activity = SUBMIT, VARIANT
Authorization System:
1. Profiles One or more assigned to a user
2. Objects Must be unique names with one or more fields
3. Fields Contain values for authority checking
4. Authorizations Can have the same names, as each is physically linked to an object.
A field group for an object has multiple values and can be shared across objects.
Initial Defaults
1. Initial Clients
Client 000 Standard model
Client 001 Model for user-defined clients (template)
2. Initial User Ids
SAP* Default super user. A user master record is created during installation, but SAP* does not need it to access the complete system. If the SAP* master record is deleted, the SAP* account has the following special privileges:
It is not subject to authorization checks and therefore has all authorizations.
It has the password “PASS”, which cannot be changed without creating a new user master record.
To prevent deletion, assign the SAP* user to a group called SUPER; only the super user should be able to maintain user group SUPER.
3. Initial Security Parameters
Parameters for user logon:
login/min_password_lng Minimum password length. The default is 3.
login/password_expiration_time Number of days after which a password must be changed. The default is zero, which does not enforce password changes. Recommended value = 45.
login/fails_to_session_end Number of times a user can enter an incorrect password before the system ends the logon attempt. The default is 3.
login/fails_to_user_lock Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. The default is 12. Recommend 3. When a user is locked in this manner, the lock is automatically removed by the system at the start of the next day (midnight).
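The following script is an added example, not part of the original slides and not SAP code. It reads an instance profile in the usual "name = value" form, applies the shipped defaults quoted above for any parameter that is not set, and reports where the effective value is weaker than the recommendations given above (45-day expiry, lock after 3 failures). The parameter names are the real R/3 profile parameters; the profile text is a constructed sample, and the severity labels are my own.

```python
"""Audit the logon security parameters against the slide's defaults and
recommendations. Added example; the profile text below is constructed."""

import re

# Shipped defaults as stated on the slide: a parameter that is absent from the
# profile takes its default.
DEFAULTS = {
    "login/min_password_lng": 3,
    "login/password_expiration_time": 0,
    "login/fails_to_session_end": 3,
    "login/fails_to_user_lock": 12,
}

# Recommended values stated on the slide (the other two parameters carry no
# recommendation there, so they are only reported when left at the default).
RECOMMENDED_EXPIRY_DAYS = 45
RECOMMENDED_LOCK_AFTER = 3

# Constructed sample of an instance profile: "name = value" lines, '#' comments.
SAMPLE_PROFILE = """\
# constructed sample instance profile
SAPSYSTEMNAME = XYZ
login/min_password_lng = 3
login/password_expiration_time = 0
login/fails_to_user_lock = 12
"""

_ASSIGNMENT = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(\S+)")


def parse_profile(text):
    """Return {parameter: value} for every assignment in the profile text.
    Purely numeric values become ints; everything else stays a string."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        match = _ASSIGNMENT.match(line)
        if not match:
            continue
        name, value = match.groups()
        params[name] = int(value) if value.isdigit() else value
    return params


def audit_logon_parameters(text):
    """Return a list of (severity, parameter, effective_value, message).

    HIGH - effective setting weaker than the slide's recommendation
    INFO - parameter not set explicitly, so the shipped default applies
    """
    explicit = parse_profile(text)
    values = {name: explicit.get(name, default) for name, default in DEFAULTS.items()}
    findings = []

    expiry = values["login/password_expiration_time"]
    if expiry == 0:
        findings.append(("HIGH", "login/password_expiration_time", expiry,
                         "password changes are not enforced; recommended %d days"
                         % RECOMMENDED_EXPIRY_DAYS))
    elif expiry > RECOMMENDED_EXPIRY_DAYS:
        findings.append(("HIGH", "login/password_expiration_time", expiry,
                         "longer than the recommended %d days" % RECOMMENDED_EXPIRY_DAYS))

    lock = values["login/fails_to_user_lock"]
    if lock > RECOMMENDED_LOCK_AFTER:
        findings.append(("HIGH", "login/fails_to_user_lock", lock,
                         "user is locked only after %d failures; recommended %d"
                         % (lock, RECOMMENDED_LOCK_AFTER)))

    for name, default in DEFAULTS.items():
        if name not in explicit:
            findings.append(("INFO", name, default,
                             "not set in the profile; shipped default %d applies" % default))
    return findings


if __name__ == "__main__":
    for finding in audit_logon_parameters(SAMPLE_PROFILE):
        print("%-4s %-32s %-4s %s" % finding)
```

Run against the sample profile, the script flags the unenforced password expiry and the lock threshold of 12, and notes that login/fails_to_session_end is silently taking its default. A profile with all four parameters set to the recommended values produces no findings.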
Adding Users
1. Each user must have a master record.
2. Each user master record refers to one or more profiles that determine the access rights for the user.
3. Master record contains:
User ID
Password
User groups
User type
Period of validity
References to authorization profiles
Master records can be deleted, but deleting them affects the audit trail. It is better to lock the user’s master record. Menu Path: Tools - Administration - User Maintenance - User - Lock/Unlock.
4. User Group
If a person is assigned to a user group, only the administrators who are authorized for that user group can alter user master records. If a user is not assigned to a group then any user administrator can alter the user master record.
Adding Profiles
Profiles and authorizations exist in both maintenance and active versions. This allows updates to be made to the maintenance version before it is activated, separating the maintenance and activation functions.
1. System Profiles
SAP Standard and Super User Profiles
S_A.SYSTEM Unlimited access to all users, profiles, and authorizations
S_A.ADMIN Authorizations for SAP system administration. This includes all authorizations except for: maintenance of users in user group SUPER; maintenance of profiles and authorizations with names beginning “S_A.”
S_A.CUSTOMIZ Authorizations for use in the SAP Customizing system
S_A.DEVELOP Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)
S_A.USER Basis system authorizations for end-users (e.g., S_Program, S_DBC_MONI, etc.)
2. Startup Profiles
Profile Name Description
S_ABAP_ALL All ABAP/4 authorizations
S_ADMI_ALL All system administration functions
S_BDC_ALL All batch input activities
S_BTCH_ALL All batch processing authorizations
S_DDIC_ALL DDIC: All authorizations
S_DDIC_SU Data Dictionary: All authorizations
S_NUMBER Number range maintenance: All authorizations
S_SCD0_ALL Change documents: All authorizations
S_SCRP_ALL All SAPscript text, styles, layout sets maintenance
S_SPOOL_ALL All spool authorizations
S_SYST_ALL All system authorizations
S_TABU_ALL Standard table maintenance: All authorizations
S_TSKH_ALL All system administration authorizations
S_USER_ALL User maintenance: All authorizations
SAP_ALL Provides unlimited access to maintain all SAP R/3 system authorizations, with the following exceptions: maintenance of users in user group SUPER; maintenance of profiles and authorizations with names beginning S_USER
SAP_ANWEND All SAP R/3 (excluding system) application authorizations
SAP_NEW Provides unlimited access to all authorizations added with new releases of SAP R/3.
Z_ANWEND All user authorizations (excluding BC system)
3. Profiles and their associated authorization value sets are stored in USRxx tables.
Adding Authorizations
Authorization objects are used to check a user’s authority to perform actions and access data in R/3. A user’s action is approved only if the user passes the authorization test for each field listed in an object.
1. Authorization Objects
SAP contains a number of authorization objects that are used to restrict the ability of users to perform certain functions and access information. Authorization objects can contain up to ten authorization IDs representing such system elements as transactions, tables, fields, or programs.
A user is allowed access if their master record lists the object for which the authorization is being tested and the user passes the authorization test for each authorization ID.
An authorization value set is required for access (for example, 02 = change). Authorization profiles are used to grant the authorization value sets to a user. The user master record refers to profiles, and the profiles in turn refer to value sets that determine the access capabilities of the user.
New authorization objects can be created by Menu Path: System - Services - Table Maintenance. Merely creating a new object does not initiate any authorization checking. Either ABAPs need to be modified to test the new objects, or additional authorization checks need to be defined.
First assign an object class for the new object. Next, use AUTHORITY-CHECK in ABAP/4 programs, or add additional authorization checks to the TSTC (transaction table) via Menu Path: System - Services - Table Maintenance.
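The chain just described (user master record, profiles, authorizations, object fields and values) is easy to get wrong in an audit, in particular the rule that every field of an object must be satisfied by the same authorization. The model below is an added example, not SAP code and not the page's own material. The object names and field labels follow this page (S_PROGRAM with Program group and Activity, S_TABU_DIS with DICBERCLS and ACTVT), the "ABAP" authorization and "Example" profile are the slide's example, and the users, Z_* authorizations, profiles and table classes are constructed. A trailing `*` in a value acts as a wildcard, as in the slide's "Program Group *". The rule for programs without an authorization group is taken from the ABAP/4 Programming section later on this page.

```python
"""Model of the R/3 authorization chain: user master record -> profiles ->
authorizations -> object fields and values. Added example; users, profiles
and Z_* names are constructed."""

from fnmatch import fnmatchcase

# Authorization objects and their fields (an object has one or more fields).
# Field labels for S_PROGRAM are the ones used on this page.
OBJECTS = {
    "S_PROGRAM": ("PROGRAM_GROUP", "ACTIVITY"),
    "S_TABU_DIS": ("DICBERCLS", "ACTVT"),
}

# Authorizations: name -> (object, {field: allowed values}).
# "ABAP" is the slide's example; the Z_* entries and table classes are constructed.
AUTHORIZATIONS = {
    "ABAP":       ("S_PROGRAM",  {"PROGRAM_GROUP": ["*"],   "ACTIVITY": ["SUBMIT", "VARIANT"]}),
    "Z_FI_RUN":   ("S_PROGRAM",  {"PROGRAM_GROUP": ["FI*"], "ACTIVITY": ["SUBMIT"]}),
    "Z_TAB_DISP": ("S_TABU_DIS", {"DICBERCLS": ["ZFIN"],    "ACTVT": ["03"]}),
    "Z_TAB_CHG":  ("S_TABU_DIS", {"DICBERCLS": ["ZBAS"],    "ACTVT": ["02", "03"]}),
}

# Profiles group authorizations; user master records reference one or more profiles.
PROFILES = {
    "Example":       ["ABAP"],                    # the slide's profile
    "Z_FI_REPORTER": ["Z_FI_RUN", "Z_TAB_DISP"],
    "Z_TAB_ADMIN":   ["Z_TAB_DISP", "Z_TAB_CHG"],
}
USERS = {
    "FLYONS":   ["Example"],                      # the slide's user master record
    "AUDITOR":  ["Z_FI_REPORTER"],
    "TABADMIN": ["Z_TAB_ADMIN"],
    "CLERK":    [],                               # no profiles at all
}


def authorizations_of(user):
    """All authorization names reachable through the user's profiles."""
    return [a for profile in USERS[user] for a in PROFILES[profile]]


def authority_check(user, obj, **wanted):
    """Emulate AUTHORITY-CHECK: succeed only if ONE authorization for the
    object satisfies EVERY field of that object. Field values from two
    different authorizations are never combined."""
    fields = OBJECTS[obj]
    missing = [f for f in fields if f not in wanted]
    if missing:
        raise ValueError("no value supplied for field(s): %s" % ", ".join(missing))
    for name in authorizations_of(user):
        auth_obj, allowed = AUTHORIZATIONS[name]
        if auth_obj != obj:
            continue
        if all(any(fnmatchcase(wanted[f], pattern) for pattern in allowed[f])
               for f in fields):
            return True
    return False


def can_run_program(user, program_group, activity="SUBMIT"):
    """The page's rule for S_PROGRAM: a program with no authorization group
    may be run by any user holding an authorization for S_PROGRAM at all;
    a grouped program requires group and activity to pass together."""
    if program_group is None:
        return any(AUTHORIZATIONS[a][0] == "S_PROGRAM" for a in authorizations_of(user))
    return authority_check(user, "S_PROGRAM", PROGRAM_GROUP=program_group, ACTIVITY=activity)


if __name__ == "__main__":
    print(authority_check("FLYONS", "S_PROGRAM", PROGRAM_GROUP="FI01", ACTIVITY="SUBMIT"))  # True
    print(authority_check("TABADMIN", "S_TABU_DIS", DICBERCLS="ZFIN", ACTVT="02"))         # False
    print(can_run_program("AUDITOR", None))                                                   # True
```

The TABADMIN case is the one worth remembering when reading profiles: holding display on class ZFIN and change on class ZBAS does not grant change on ZFIN, because the two values live in different authorizations. The CLERK case shows the other side of the ungrouped-program rule: with no S_PROGRAM authorization at all, even an ungrouped program is out of reach.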
2. Objects
Objects are defined in the system and contain one or more fields that are used to test user access.
3. Authorization Value Sets
Are lists of all values (for each field) for which a user is authorized.
Usually used to define tasks. Profiles allocate the tasks (authorization value sets) to logical functions. These profiles are assigned to a physical user (master record).
4. Basis System Authorization Objects
Object / Fields / Uses
S_PROGRAM
Fields: Program group, Activity
Uses: ABAP/4 programs that may be run.
S_EDITOR
Fields: Program group, Activity
Uses: ABAP/4 programs that may be displayed or edited.
ABAP/4 Query (S_QUERY)
Fields: Activity
Uses: Whether a user can run queries and whether the user can maintain ABAP/4 Query user groups.
System Administration Functions
Fields: Administration Functions
Uses: A variety of system functions such as:
1. Whether a user may enter a value interactively to pass an authorization test that he does not have authorization for in his user master record
2. Access to the ABAP/4 Dictionary
3. Access to the interface painter
4. System trace authority
5. Ability to add or delete additional authorization tests in the TSTC table
6. Execute host operating system commands
Central Field Selection
Fields: Activity, Authorization group
Uses: Which ABAP/4 programs a user can use to dynamically alter attributes of fields
Table Maintenance
Fields: Authorization class, Activity
Uses: Authorize users to view and/or modify table contents
Batch Processing: Batch Administrator
Fields: Administrator
Uses: Give a user administrator authorization over background processing
Batch Processing: Batch User Name
Fields: Authorized user
Uses: Specify user IDs that a user may specify as the authorized user for running background jobs
Batch Processing: Operations on Batch Jobs
Fields: Operations, Job Group
Uses: Specify the operations that users may perform on background jobs (release, delete, etc.)
Batch Input Authorizations
Fields: Queue group name, Activity
Uses: Authorize a user to work with batch input sessions
Queue Management Authorizations
Fields: Queue group name, Activity
Uses: Management of queues for trouble-shooting or problem analysis
Authorization Check for SM04, SM50
Fields: Administration
Uses: Authorize users to lock or unlock transactions and to manage user sessions other than their own.
Authorization for Update Administration
Fields: Administration
Uses: Authorization to manage update records for other users
Enqueue: Displaying and Deleting Lock Entries
Fields: Activities
Uses: Authorize users to maintain lock entries of other users
Spool: Device Authorization
Fields: Output Device
Uses: Authorizes users to use particular printers
Spool Actions
Fields: Spool action, Value
Uses: Authorizes an administrator to perform specified actions on the spool system
Public Holiday and Calendar Access Privileges
Fields: Activity
Uses: Authorization to display and/or maintain calendars
1. Batch: A number of transactions entered into the system as a batch. Batch inputs can take place in the background, where no changes can be made, or in the foreground, where transactions containing errors can be interactively corrected.
Restricting Access: The Batch Input object restricts user activities in different batch input sessions:
ANAL Analyze sessions (display session, log, and queue dump)
DELE Delete sessions
LOCK Lock and unlock sessions
FREE Release sessions
ABTC Submit sessions for background execution
AONL Run sessions in interactive mode
2. On-Line
3. Background: The program executes on a background processing server without interactive user input. To run, it must be scheduled.
This can be done in two ways:
Menu Path: ABAP/4 - System Services - Reporting - Batch Request function
From the background processing menu by selecting Goto - Batch Request
In either case the user must have a user ID to run the job. Users could be authorized to run background jobs but not foreground jobs.
Before a background job can run, it must be released. The releasing of jobs is usually restricted to “Batch Administrators”.
Restricting Access: The field Admin in the Batch Admin object is used to give a user administration authorizations. If this field contains a “Y”, the user has access to all background jobs in an SAP system and can perform any operation on any job.
The field Activity in the S_PROGRAM object determines activities users are able to perform on an ABAP. A value of BTCSUBMIT allows a user to schedule the ABAP/4 program for background execution.
The Auth user field of the Batch User Name object is used to restrict user-IDs specified as the authorized user for running a job.
The Operation field of the Operations on Batch Jobs object is used to specify the operations that a user can perform on their own jobs. This is used to restrict users from deleting or releasing jobs.
4. Services
Can run on different servers:
Dialog
Update
Enqueue
Background
Message Server
CPI-C Gateway Server
Spool
5. Work Processes
TSKH Task Handler
DYNP Screen Processor
ABAP Program Processor
DB-SS Database interface that converts ABAP/4 SQL into DBMS SQL.
Transactions
SAP transactions allow different functions to be performed within R/3. Menu selection also generates transactions. To see which transaction is currently executing select Menu Path: System - Status.
System transactions are applicable to the basis system and application transactions are specific to a certain module.
Transactions can be locked and unlocked using Menu Path: Administration - Tcode Administration. When a transaction is locked, users cannot execute that transaction. To perform this function, a user requires the authorization object Authorization Check for SM04, SM50 with a value of S in the Admin field.
1. Controlled by DYNP processor
Checks whether additional authorization checks are required to run the transaction (in TSTC Table).
Interprets the Dynpros, which involves creating the screens and applying the logic defined in the dynpro (field checks, etc.).
2. All transactions are listed in the TSTC Table. This table includes:
An indicator that the transaction has been locked or is available to be used. The ability to lock and unlock transactions is controlled using authorization object Authorization Check for SM04, SM50.
Additional authorization checks to be performed. Only users with the value TCOD in the Admin Functions field of the System Admin Functions object have the ability to add, alter, or delete these additional authorization tests.
If a transaction is not marked as requiring authorization checks then any user can run the transaction.
Transaction types:
SU93 and SU91 Display changes to master records and profiles
SE30 Trace function
SU53 Authorization check failures
SU02 Activation of profiles
SU03 Activation of authorizations
SU0 Assignment of user ID
SU01 Assignment of users to profiles and alter the password of any user
SU10 Assignment of profiles for a range of users
SU12 Delete all users
TU02 View logon parameters
SM52 Unix command line prompt
SU21 Grouping of objects into object classes (examples are Basis Administration, Financial Accounting)
Tables
SAP is characterized by the use of thousands of application and control tables. The setup of the control tables, to a large extent, determines in which way a SAP installation functions.
The ABAP/4 Dictionary provides logical views of all data (control data, master data, and transaction data) stored in the SAP system.
All control tables start with the letter “T”.
Control tables can be displayed and maintained on-line. Menu Path: System - Services - Table Maintenance. In order to restrict access to tables, a number of table authorization classes should be defined. All standard tables have been assigned to authorization classes. The authorization object Table Maintenance is used to control maintenance of the tables in each authorization class. Two levels of access are allowed: value 02 (add, change, or delete) and 03 (display only).
To modify a table structure Menu Path: Tools - CASE - Development - Data Dictionary - Maintenance.
Logging of changes can be accomplished by using change document objects to specify which tables are logged and the level of logging performed on each table.
1. TSTC Transactions
2. MAC Matchcodes
3. T001 Details about a company
4. T001B Defines accounting periods for company T001.
5. USRxx Profiles
6. TUSR04 Authorization Profiles
7. TUSR01 User master record
8. TUSR02 User ID and password
9. TUSR03 Extended information about the user.
10. TUSR05 Field defaults for each R/3 user and field.
11. TOBJ Pre-defined authorization objects and fields
12. TOBJT Descriptive text of the authorization objects.
13. TUSR10 and TUSR11 Authorization profiles and descriptions
14. T055 Field group fields
15. T055G Field groups
16. T055T Field Group descriptions
17. AUTH Internal table - Financial objects
18. TACT Activity codes
19. TACTT Activity codes descriptions
20. TACTZ Valid activity codes for each authorization object
21. USR40 Custom password checks
22. TDDAT Defines the link between tables and their authorization classes
23. T000 SAP Clients
24. T001 SAP companies
25. TGSB Business Areas and Plants
Logs
Errors and important events are logged in the system logs. These logs should be reviewed daily.
The servers in an SAP system record events and problems in a set of local and central system logs. These logs may be displayed and maintained on-line from the Menu Path: Tools - Administration - Monitoring - System log.
Local logs keep only messages issued by the local application server. Each application server has a local log file.
System logs are configured by setting parameters in the system profile.
Transaction SU93 and SU91 display changes made to a user’s master record or profiles.
Logging of Changes to Authorizations:
All changes to user master records, profiles, and authorization value sets are logged. For example, the user master record log shows profiles added to or deleted from the list in the user master record. It does not show modified profiles; rather, the log of changes to profiles must be used to identify changed profiles.
Changes to a user’s password, user type, user group, period of validity, and account number.
For each item in the log, the system reports both the old and new version of any lines that have changed. This log is a valuable control over unauthorized changes to users’ access capabilities and needs to be reviewed daily.
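Because the log reports the old and new version of each changed item, the daily review can be scripted. The example below is an added one, not SAP code and not part of the original slides: it takes log records in a constructed (date, user, changed by, item, old, new) form, diffs the profile lists, and raises the changes that widen access. The profiles it treats as sensitive are the super-user and user-maintenance profiles listed earlier on this page, and user group SUPER is the group the page reserves for SAP*; the severity labels are my own.

```python
"""Daily review of the user master record / profile change log described on
this page. Added example; the log records below are constructed."""

# Profiles from this page that grant super-user or user-maintenance power.
SENSITIVE_PROFILES = {"S_A.SYSTEM", "S_A.ADMIN", "SAP_ALL", "SAP_NEW",
                      "S_USER_ALL", "S_ADMI_ALL"}
SENSITIVE_GROUP = "SUPER"            # the group the page reserves for SAP*

# Constructed log records: (date, user, changed_by, item, old, new).
# For "profiles" old/new are lists; for passwords the log shows only that it changed.
SAMPLE_LOG = [
    ("1999-03-01", "FLYONS", "ADMIN1", "profiles", ["Example"], ["Example", "SAP_ALL"]),
    ("1999-03-01", "CLERK7", "ADMIN1", "user group", "FI", "SUPER"),
    ("1999-03-02", "CLERK7", "ADMIN2", "password", "*", "*"),
    ("1999-03-02", "CLERK8", "ADMIN2", "profiles", ["Z_FI_REPORTER", "Z_OLD"], ["Z_FI_REPORTER"]),
    ("1999-03-03", "CLERK9", "CLERK9", "password", "*", "*"),
    ("1999-03-03", "CLERK9", "ADMIN1", "period of validity", "1999-12-31", "2009-12-31"),
]


def review_change_log(records):
    """Return (severity, date, user, message) tuples for the reviewer.

    HIGH   - sensitive profile added, or user moved into group SUPER
    REVIEW - other profile additions, administrator password resets,
             changes to user type, validity period or account number
    INFO   - profile removals (access narrowed, still worth a glance)
    """
    findings = []
    for date, user, changed_by, item, old, new in records:
        if item == "profiles":
            for p in sorted(set(new) - set(old)):
                sev = "HIGH" if p in SENSITIVE_PROFILES else "REVIEW"
                findings.append((sev, date, user, "profile %s added by %s" % (p, changed_by)))
            for p in sorted(set(old) - set(new)):
                findings.append(("INFO", date, user, "profile %s removed by %s" % (p, changed_by)))
        elif item == "user group":
            sev = "HIGH" if new == SENSITIVE_GROUP else "REVIEW"
            findings.append((sev, date, user, "user group %s -> %s by %s" % (old, new, changed_by)))
        elif item == "password":
            # A user changing their own password is routine; a reset by
            # someone else (SU01 can alter any password) is not.
            if changed_by != user:
                findings.append(("REVIEW", date, user,
                                 "password reset by administrator %s" % changed_by))
        elif item in ("user type", "period of validity", "account number"):
            findings.append(("REVIEW", date, user,
                             "%s %s -> %s by %s" % (item, old, new, changed_by)))
    return findings


def summarize(findings):
    """Count findings per severity for the top of the daily report."""
    counts = {}
    for sev, *_ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    report = review_change_log(SAMPLE_LOG)
    print(summarize(report))
    for sev, date, user, msg in report:
        print("%-6s %s %-8s %s" % (sev, date, user, msg))
```

On the constructed log this yields two HIGH findings (SAP_ALL granted to FLYONS, CLERK7 moved into SUPER), two items for review (an administrator resetting CLERK7's password, a ten-year validity extension) and one informational removal; CLERK9 changing their own password is not reported.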
Reports for Auditing Security
Menu Path: Information - Current Information
Displays detailed information on user master records, authorization profiles, authorization objects, and authorization value sets. With this facility, it is possible to display all user master records and/or profiles that contain a specific object.
Modules
SAP application modules.
1. BC SAP Basis module
2. Logistics: SD, MM, PP, QM, PM
3. Human Resources: HR
4. Financial and Administration: FI, CO, AM, PS, OC
Change Management
Backup and Recovery
Daily backups are necessary to ensure the recoverability of data, in the event of a disaster.
SAP includes the SAPDBA program, which is used to perform database administration tasks.
SAP can be backed up on-line.
Redo logs (Oracle) should also be archived daily.
Security Administration
Users who are able to change user master records, profiles and/or authorization value sets need to be tightly controlled. The system provides a number of standard authorization objects that can be used.
User Groups S_USER_GRP
Fields / Values:
User group: Names of the user groups for which an administrator is authorized.
Administrator actions: 01 Create user master records, add profiles to new or existing records; 02 Edit; 03 Display; 05 Lock or unlock user; 06 Delete a user master record; 08 Display user change records
Authorization Profile S_USER_PRO
Fields / Values:
Profile name: The profile names for which an administrator is authorized.
Administrator actions: 01 Create profiles and enter authorizations into them; 02 Edit; 03 Display; 06 Delete a profile; 08 Display change records; 22 Add profiles to user master record
Authorization Value Sets S_USER_AUT
Fields / Values:
Object name: The names of the authorization objects for which an administrator is authorized.
Authorization name: The names of the authorization value sets for which an administrator is authorized.
Administrator actions: 01 Create authorization value set; 02 Edit; 03 Display; 06 Delete; 07 Activate; 08 Display change records; 22 Enter authorizations into a profile
Table Maintenance S_TABU_DIS
Fields / Values:
DICBERCLS: Table classes for which a user’s access is authorized
ACTVT: Activity code
Table Maintenance Across Clients S_TABU_CLI
Fields / Values:
CLIDMAINT: Access indicator
Object S_USER_GRP
Determines which user groups can be administered and consequently all users who are assigned to those groups.
Object S_ADMI_FCD
“Systems Administration Functions” provides powerful systems administration functions, including the following (field = “Systems Administration Functions”):
NADM - Network Administration (SM54, 55, 59)
UADM - Update Administration (SM13)
T000 - Create New Client
TLCK - Lock/Unlock Transactions
SPAD - Authorization for spool administration in all clients
SPAR - Authorization for client-dependent spool administration
SP01 - Authorization for administration of spool requests in spool output control (all users and clients)
SPOR - Spool administration
BTCH - Test environment, batch
UNIX - Execute UNIX commands from SAPMSOS0
RSET - Reset/delete data without archiving
SYNC - Reset buffers
ABAP/4 Dictionary
R/3 uses an external database (Oracle in most cases) to hold application data, but it makes use of its own ABAP/4 Dictionary. This Dictionary gives R/3 the functionality to control the environment.
1. Each field in the ABAP/4 Dictionary is described by a domain. When any input is not valid in terms of the domain, it will not be accepted and the user will have to correct the entry in the DYNPRO screen before continuing. The ABAP/4 Dictionary provides the following domain checks:
The format of the field must match the definition in the ABAP/4 Dictionary (character, numeric, date, etc.)
A number of discrete values may be contained in the domain that are valid for the field.
A table can be specified that contains all the values allowed for a particular field. If a table is specified, there must be procedures for ensuring that the table’s contents are kept up-to-date.
Restricting Access: Controlled by the authorization object System Admin Functions. Only users with the value DDIC in the Admin Functions field can make changes to the ABAP/4 Dictionary or use the database table utility.
It is not possible to further restrict access to alterable tables. Changes are logged by the system and can be queried using the ABAP/4 Dictionary Information System (Menu Path: Development - ABAP/4 Dictionary - Info System).
Dictionary changes should be reviewed daily.
ABAP/4 Programming
ABAP/4 is the fourth generation interpretative language in which all R/3 applications are written. The Basis System is written in C.
ABAP/4 is a comprehensive programming language. ABAP statements can be written that will read and update data, create new records, etc. ABAP also can contain SQL statements allowing almost unrestricted access to the database.
ABAP/4 must be tightly controlled. No ABAP statement changes should be allowed in the production system’s environment.
1. Location
On Application Server
Restricting Access
Each ABAP needs to be assigned to an authorization group in the report attributes set when creating an ABAP report. Any ABAP that has not been assigned to an authorization group may be run by any user with authorization for object S_PROGRAM.
ABAP that have been assigned to a program group can only be run by users who are authorized to that program group using object S_PROGRAM. This object further restricts the manner in which a user is able to run an ABAP.
SUBMIT The user may start programs interactively.
BTCSUBMIT The user may submit programs for execution in the background partition.
EDIT The user can maintain attributes and text elements and use utilities for copying and deleting reports (this does not allow the user to edit ABAP/4 programs).
VARIANT The user may maintain variants. Variants are parameters that are passed to an ABAP program.
In the standard system, none of the ABAPs are assigned to authorization groups. Therefore any user that can run transaction SA38 (or SE38 to develop ABAP/4 programs), can run any of the standard ABAPs. It is recommended that all ABAPs be placed in authorization classes and that users should only have authorization for authorization classes (ABAPs) that are required for their job functions. No matter what, the database interface checks are still in play for all ABAPs and the user will not be able to act on data for which they have no authority.
ABAPs may be developed on-line using the SAP ABAP editor. The ABAP programs can be assigned to authorization groups. The S_EDITOR authorization object is used to restrict authorization groups a user is able to edit. Any user with S_EDITOR authorization object is able to edit any ABAP program that has not been assigned to an authorization group.
No users should have S_EDITOR. Otherwise they may write a dynamic SQL that allows complete access to all client’s data.
ABAP/4 Query
ABAP/4 Query is the report writing software that allows users to generate reports quickly and easily without programming knowledge. It generates an ABAP program. Users cannot access any information to which the user would otherwise not have access.
Restricting Access: Queries must be assigned to a user group before they can be run. A user group contains the functional areas and the names of all people authorized to run queries. Ensure that procedures are in effect to update the user groups when job assignments change. Any user can run any query defined for a user group of which he/she is a member, regardless of who wrote the query. In order to create or maintain ABAP/4 Queries, a user must be a member of one or more user groups and have a value = 02 (change) in the activity field of the ABAP/4 Query authorization object.
In order to maintain the ABAP/4 Query user groups, a user needs the value = 23 (Maintain Environment) in the activity field of the ABAP/4 Query authorization object. This should be restricted to administrators.
Operating Systems
1. Unix
Start-up profiles are stored in /usr/sap/<SAP System Name>/sys/profile
2. NT
Database Management Systems
1. Oracle
Dynpros Screen Generator
Dynpros are the input screens used when processing SAP transactions. They include details of the processing logic to be performed on the fields.
1. Dynpros can be developed on-line using the standard SAP Dynpro Screen Painter Menu Path: Tools - Case - Development - Screen Painter.
2. Controls need to be in place to ensure that changes to Dynpros are authorized, tested, and approved.
Number Ranges
SAP provides an “internal” and “external” numbering mechanism
1. Internal numbers are sequential codes given by the system for documents, article numbers, personnel numbers, etc.
2. Both internal and external numbers are stored in a file SYSV.
Matchcodes
These are secondary indexes to enable users to find specific records when the primary key is unknown.
1. Stored in Table MAC
2. Table MAC can be edited on-line using transaction SM31 and accessible through the Menu Path: System - Services - Table Maintenance.
Weaknesses
1. In the standard system, none of the ABAPs are assigned to authorization groups.
2. Do not use native SQL calls in ABAPs as they will bypass the dictionary consistency checks. Use open SQL statements.
Unlike normal ABAP statements, native SQL and open SQL do not trigger any authorization checks at run time. But using ABAPs with AUTHORITY-CHECK statement, the users authority can be checked at run time for specified objects.
3. SAP* is the default user ID and it has unlimited access capabilities. It should only be given to the system administrators (SUPERUSER).
4. Default system profiles may provide too much authority.
Sys password = change_on_install
System password = manager
Sapr3 password = sapr3 (SAP R/3 application ID)
SAPDBA Front-end to SQL*DBA. Can perform all DBA functions within SAP. Authentication is completed in UNIX.
6. Ad-hoc Queries: SQL*Plus, ODBC
7. Oracle Tables: the USR02 table contains all SAP user IDs and passwords
Standard Reports
RSAVGL00 Table comparison across clients
RSDECOMP Comparing tables across two systems
RSDELSAP Delete SAP* from client 066 (EarlyWatch client)
RSKEYS00 Tables comparison: system versus sequential file
RSTABL00 As for RSKEYS00
RSSTAT92 Table changes for a selected month
RSSTAT95 Table access statistics
RSPARAM Display system parameter settings
RSUSER01 Test SAP_ALL
RSUSR000 List all active users
Financial
Authorization Objects
Master Data: GL, Customer, Vendor, Bank
Documents
Balance Sheets
Credit Control Data
Payment Runs
Dunning Runs