Slide 1: SAP Security Lecture
SAP AG / CSU Chico, 02/14/98
MINS 298C SAP Configuration & Use: Security
Copyright 1996, 1997, 1998 - James R. Mensching, Gail Corbitt
Contents of this file are for the exclusive use of the special MINS 298C class dealing with SAP software at CSU Chico for the Fall, 1998 semester. Any other use in either electronic or hardcopy form is prohibited without the express written permission of the author. This material is confidential. Do not share it with anyone not enrolled in the class.
Security Lecture
Slide 2: SAP Security
Purpose of security:
- Assign users rights to perform job tasks that they need to do.
- Prohibit users from doing tasks that they are not supposed to do.
Objectives of presentation:
- Define key security concepts
- Examine relationship between user and security concepts
- Apply concepts to real situations
Slide 3: SAP Security
- Security is performed at the object level
- 30+ object classes, such as Basis Administration, FI, MM Master Data (view objects within classes by using SU03)
- About 500+ objects within the 30+ classes
- SAP Security works on a pass-fail system. It checks constraints until it finds a failure.
- Levels of setting:
  - Authorization Object, in the form of an authorization (test on an object)
  - Profile (sets of authorizations)
  - User ID
Slide 4: SAP Security Framework
[Diagram: several Object Authorizations are grouped into Functional Profiles; the Functional Profiles are grouped into a Job Profile; the Job Profile is assigned to the USER's User ID]
Slide 4 (continued): SAP Security Framework
[Diagram: the same hierarchy of Functional Profiles, Job Profile, USER and User ID, with a Class Profile added]
Slide 5: SAP Security Components
- Authorization Object: something in the system that potentially needs protecting (company code, document type, etc.)
- Fields: attributes that can be used to set protection (1-10 fields per object, varying with the object)
  - Activity: such as create, update, delete, view, ...
  - Authorization Group: values that the object needs
  - IDOC Type
- Profile (set of authorizations)
- User Master Record (all profiles for that user)
Slide 6: SAP Security Components
Levels of Security Administration:
- SAP Super User
- User ID Maintenance
- Activation Administration
- Authorization Maintenance
- Program Developer
[Diagram also lists what is administered: Objects & Classes; Authorizations (values of objects); Profiles; User IDs]
Slide 7: SAP Security and Business Processes
[Diagram: a business PROCESS made up of Business Tasks maps onto Object Authorizations; these are grouped into Functional Profiles and a Job Profile, which is assigned to the User's User ID]
Slide 8: SAP Security
- Authorization: set of specified values for fields in an Authorization Object = test conditions for the object
- Standard authorizations provided by SAP
  - Object: F_BKPF_BED: Customer Account
  - Activity: *
  - Account Group: *
  - Never change or delete an SAP authorization
- Custom authorizations (should start with Z)
  - Account Activity: 01-03, 10 (create, change, print, post)
  - Account Group: CALF, HAW
- SAP programs perform AUTHORITY-CHECK on objects for values in fields
Slide 10: SAP Security: Creating an Authorization
- Create a name for the authorization
  - Start with the letter Z
  - Don't use underscore as second character
  - Example: ZS_D01
- Use SU03 to create the authorization (Tools --> Administration --> Maintain Users)
  - Create (first icon: sheet of paper)
  - Maintain values: sets the values you want
  - Save
  - Activate
Slide 11: SAP Security
- Profile: set of Authorization Objects
- Simple Profile: 1 Authorization Object
- Composite Profile: more than one Authorization Object
- Can have a composite made up of composites
Slide 12: SAP Security
[Diagram: the User Master Record contains Profiles (Composite Profile, Simple Profile, Composite Profile); each Profile contains Authorizations; each Authorization sets values for the Fields of an Authorization Object]
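Slides 8, 11 and 12 together describe a hierarchy (user master record, simple and composite profiles, authorizations, field values) and slide 3 says the check is pass-fail. The following added example, not code from the lecture or from SAP, models an AUTHORITY-CHECK over that hierarchy; the profile names, the field labels "Activity" and "Account Group", and the '*' wildcard and 'from-to' range matching rules are assumptions.

```python
"""AUTHORITY-CHECK modelled on the lecture's hierarchy: user master record ->
profiles (simple or composite) -> authorizations -> field values on an object.
Added example, not SAP code; the '*' and 'from-to' matching rules are assumed."""


def value_matches(allowed: str, requested: str) -> bool:
    """One field value: '*' matches anything, 'A-B' is an inclusive range."""
    if allowed == "*":
        return True
    if "-" in allowed:
        low, high = allowed.split("-", 1)
        return low <= requested <= high
    return allowed == requested


def authorization_passes(auth: dict, requested: dict) -> bool:
    """Pass-fail on one authorization: the test stops at the first failing field."""
    for field, wanted in requested.items():
        if not any(value_matches(a, wanted) for a in auth["fields"].get(field, [])):
            return False
    return True


def leaf_authorizations(profile: dict) -> list:
    """Composite profiles may contain composites; return every authorization."""
    if "profiles" in profile:
        return [a for sub in profile["profiles"] for a in leaf_authorizations(sub)]
    return profile["authorizations"]


def authority_check(user_master: dict, obj: str, requested: dict) -> bool:
    """Succeeds if any authorization for the object passes on all requested fields."""
    return any(auth["object"] == obj and authorization_passes(auth, requested)
               for profile in user_master["profiles"]
               for auth in leaf_authorizations(profile))


# Constructed sample modelled on slide 8: a custom (Z) authorization on F_BKPF_BED
# for activities 01-03 and 10 on account groups CALF and HAW, inside a composite.
Z_CUST_ACCT = {"name": "ZF_BED_01", "object": "F_BKPF_BED",
               "fields": {"Activity": ["01-03", "10"], "Account Group": ["CALF", "HAW"]}}
JOB_PROFILE = {"name": "Z_AR_CLERK",
               "profiles": [{"name": "Z_AR_POST", "authorizations": [Z_CUST_ACCT]}]}
USER_MASTER = {"user_id": "GCORBITT", "profiles": [JOB_PROFILE]}

if __name__ == "__main__":
    for activity in ("02", "10", "06"):   # 06 is outside 01-03 and not 10 -> fails
        print(activity, authority_check(USER_MASTER, "F_BKPF_BED",
                                        {"Activity": activity, "Account Group": "CALF"}))
```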
Slide 13: SAP Security
- SAP Standard Profile: F_BKPF_KANZ (Display Vendor Accounts)
- Custom Profile: AA:FIAR_M01
- Create profile, then activate
- Copy from existing profile, then rename
- To look at, change or create profiles use SU02
Slide 14: SAP Security
Standard profiles common to all SAP installations:
- SAP_ALL (unlimited access to system)
- SAP_NEW (allows older standard profiles to work in newer SAP releases)
- S_A_SYSTEM: System Administrator
- S_A_SHOW: Display authorizations only
Slide 15: SAP Security: Users
- User profiles assign profiles to specific user IDs
- Users can belong to a Group, e.g. ABAP Developers, C&I Admin
- Can't assign authorizations to groups, only to individual users
- User Group is a field in some authorization objects
- Groups are useful to separate responsibility, e.g. more than one security administrator, each responsible for a group of users
Slide 16: SAP Security: Users
- Name the ID for the user
- Set the password
- Lock/unlock the account
- Define time period for the ID
- Set default printer and printing rights
- Define PIDs (Parameters)
- Define profiles
Slide 17: SAP Security: Users
Rules for setting passwords:
- Must be at least 3 characters
- Cannot begin with ! or ?
- First 3 characters cannot be a sequence of 3 characters in the user ID, e.g. if my user ID is gcorbitt, my password cannot contain orb or cor
- First 3 characters cannot be the same, e.g. ccc
- Cannot use "pass" or "sap"
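The five rules above, written out as a checker so the edge cases are explicit. This is an added example, not code from the lecture or from SAP; case-insensitive comparison and the reading of rule 5 as the whole password equalling a reserved word are assumptions, and rule 3 follows the rule statement (first three characters) rather than the looser "contain" in the slide's example.

```python
"""Check a candidate password against the five rules on the slide.
Added example, not from the lecture or SAP. Comparison is case-insensitive
(assumption: old SAP releases upper-cased passwords)."""

RESERVED = ("pass", "sap")   # slide: cannot use "pass" or "sap"


def password_violations(user_id: str, password: str) -> list:
    """Return the slide rules the password breaks; an empty list means accepted."""
    uid, pwd = user_id.lower(), password.lower()
    head = pwd[:3]
    violations = []

    # Rule 1: at least 3 characters.
    if len(pwd) < 3:
        violations.append("shorter than 3 characters")

    # Rule 2: may not begin with '!' or '?'.
    if pwd[:1] in ("!", "?"):
        violations.append("begins with ! or ?")

    # Rule 3: first 3 characters may not be a 3-character run from the user ID
    # (slide example: user gcorbitt, so a password may not start with orb or cor).
    if len(head) == 3 and head in uid:
        violations.append("first 3 characters appear in user ID")

    # Rule 4: first 3 characters may not all be the same (e.g. ccc).
    if len(head) == 3 and len(set(head)) == 1:
        violations.append("first 3 characters identical")

    # Rule 5: reserved words, read here as the whole password equalling one
    # of them (assumption; the slide does not say whether 'contains' counts).
    if pwd in RESERVED:
        violations.append("reserved word")

    return violations


def is_acceptable(user_id: str, password: str) -> bool:
    return not password_violations(user_id, password)


if __name__ == "__main__":
    for pwd in ("orb123", "ab", "!abc", "cccx", "PASS", "Hello99"):
        print(f"{pwd:8} -> {password_violations('gcorbitt', pwd) or 'accepted'}")
```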
Slide 18: SAP Security: Users
PID: Parameter ID. Examples of parameters:
- default menu options, e.g. fast entry
- default currency
- posting period options
Slide 19: SAP Security: Users
User types:
- Dialog
- BDC: inbound interfaces (e.g. data coming in from a legacy system)
- CPIC: machine-to-machine ID, connects through UNIX (e.g. EDI inbound or outbound)
- BDC and CPIC do not have expiration dates on the passwords
Slide 20: SAP Security: Transactions
- SU01: Creates and maintains users
- SU02: Creates and maintains profiles
- SU53: Displays LAST authorization failure
- ST01: Traces keystrokes
- SU03: Lists objects and classes
- SM04: Monitors user activity
- SE16: Looks at specific tables in SAP (T003 = auth. group)
- SA38: Looks at programs (AUTHORITY-CHECK)
- SU12: Deletes all users (usually disabled)
- SU10: Adds or deletes a profile to all users
Slide 21: SAP Security: Coming Attractions
- SAP Profile Generator (31.G, R4)
  - Makes it easier to track and maintain multiple profiles per user
  - Uses menu paths to create authorizations or profiles
  - Activity Groups similar to our functional profiles
- Activity Group Maintenance (31.G)
  - Allows for profile updates, parameter settings by group instead of by individual user
  - Hopefully allows for resetting expiration, start dates, printer options, etc. by groups of users instead of one user at a time
Slide 22: Application of SAP Security to Classroom Activity
- Define what "jobs" or roles we want the students to have per class -- functional profiles
- Set up authorizations for each job or role - job profiles
- Assign job profiles to users
- Document existing authorizations for Display and Create activities for each "application" object
- Create authorizations for Display and Create where missing
- Create a standard profile that any user could have (view