SAP Security Online Doc

Jun 03, 2018

Rajkumar

8/12/2019 SAP Security Online Doc

reports were huge. Here is how I did it: first create a CATT script with a dummy role and add one tcode. Make the role and T-code a variant. Once you have this you can add any number of tcodes to any existing role. I could reuse this to create other roles where I had to insert a lot of T-codes.

Project Phases: please follow the link for details on the project phases.

Recommended Books: click on the books to purchase them directly from Amazon.

Derived Roles

1. Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

2. The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.

3. Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

4. The menus passed on cannot be changed in the derived roles. Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles.

5. You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.

Links referenced above:
http://www.sapsecurityonline.com/tutorials/scat.htm
http://www.sapsecurityonline.com/r3_security/r3_security_project_phase.htm

Characterization of user types

Dialog user (A)

Individual system access (personalized)

Users have the option of changing their own passwords.

Usage: external RFC (individual human users)

Service user (S)

Shared system access (anonymous)

With all non-interactive system accesses (that is, not using the SAP GUI), the password change rule (which exists for all users except for system and service users when passwords are initial or have expired) is not enforced by the system if there is no interaction option. However, provided that you can execute a password update dialog with the user (= middleware, such as SAP ITS, for example), RFC client programs should recognize the need to change a password and initiate the subsequent password change by calling special function modules (= see note 145715) or RFC-API functions (as of 4.6C).


The user interaction (including handling error and exceptional situations) is provided here with the middleware (= RFC client).

Profile Parameters for Logon

To make the parameters globally effective in an SAP System (system profile parameters), set them in the default system profile DEFAU

To display the documentation for one of the parameters, choose Tools --> CCMS --> Configuration --> Profile Maintenance (transaction RZ10), specify the parameter name and choose Display.

Password Checks

Parameter | Explanation

login/min_password_lng | Defines the minimum length of the password. Default value: 3; permissible values: 3 - 8

login/min_password_digits | Defines the minimum number of digits (0-9) in passwords. Default value: 0; permissible values: 0 - 8. Available as of SAP Web AS 6.10

login/min_password_letters | Defines the minimum number of letters (A-Z) in passwords. Default value: 0; permissible values: 0 - 8. Available as of SAP Web AS 6.10

login/min_password_specials | Defines the minimum number of special characters in the password (the permissible special characters are listed in the parameter documentation). Default value: 0; permissible values: 0 - 8. Available as of SAP Web AS 6.10

login/min_password_diff | Defines the minimum number of characters that must be different in the new password compared to the old password. Default value: 1; permissible values: 1 - 8. Available as of SAP Web AS 6.10

login/password_expiration_time | Defines the validity period of passwords in days. Default value: 0; permissible values: any numerical value

login/password_change_for_SSO | If the user logs on with Single Sign-On, checks whether the user must change his or her password. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

login/disable_password_logon | Controls the deactivation of password-based logon. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

login/password_logon_usergroup | Controls the deactivation of password-based logon for user groups. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

Multiple Logon

Parameter | Explanation

login/disable_multi_gui_login | Controls the deactivation of multiple dialog logons. Available as of SAP Basis 4.6

login/multi_login_users |


for newly created users. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

login/password_max_reset_valid | Defines the validity period of reset passwords. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

SSO Logon Ticket

Parameter | Explanation

login/accept_sso2_ticket | Allows or locks the logon using an SSO ticket. Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support Package

login/create_sso2_ticket | Allows the creation of SSO tickets. Available as of SAP Basis 4.6D

login/ticket_expiration_time | Defines the validity period of an SSO ticket. Available as of SAP Basis 4.6D

login/ticket_only_by_https | The logon ticket is only transferred using HTTP(S). Available as of SAP Basis 4.6D

login/ticket_only_to_host | When logging on over HTTP(S), sends the ticket only to the server that created the ticket. Available as of SAP Basis 4.6D

Other Login Parameters:

Parameter | Explanation

login/disable_cpic | Refuse incoming connections of type CPIC

login/no_automatic_user_sapstar | Controls the emergency user SAP* (SAP Notes 2383 and 68048)

login/system_client | Specifies the default client. This client is automatically filled in on the system logon screen. Users can type in a different client.

login/update_logon_timestamp | Specifies the exactness of the logon timestamp. Available as of SAP Basis 4.6

Other User Parameters


Parameter | Explanation

rdisp/gui_auto_logout | Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections). Default value: 0 (no restriction); permissible values: any numerical value

Learn more about how this affects the different user types:

New Password Rules

Overview of the improvements and changes in password rules and logon procedures that are delivered with Web AS ABAP 7.00 or NetWeaver 2004s.

Passwords: differentiation between upper and lower case, maximum length increased from eight to forty characters

For new passwords, the system distinguishes between upper and lower case; in addition, passwords can now consist of up to forty characters (up until now, the maximum has been eight characters). In newly installed systems, this applies immediately to all users; in systems that have been upgraded to Web AS ABAP 7.00 or NetWeaver 2004s from an earlier release, we have ensured that all users can continue to log on using their old password. Information that tells the system whether a user has a new password or a password of the old type is stored in the user master record; this information is analyzed when the system checks the password: if the user has a password of the old type, the system converts the first eight characters of the password into upper case; the remaining thirty-two characters must be spaces. Otherwise, the password is analyzed in its entirety and without being converted into upper case. In Unicode systems, you can use Unicode characters in passwords.

Relevant (new) profile parameters:

o login/min_password_lowercase

o login/min_password_uppercase

o login/password_downwards_compatibility

Password history: size can now be defined as required (it used to be limited to five entries)

The passwords that the user has assigned in the course of a password change are stored in the password history (passwords set by the user administrator are not stored in the password history). The system prevents the user from reusing previously used passwords. The password history used to be limited to five entries; you can now define the size of the password history (maximum value: 100 entries) using a profile parameter (login/password_history_size).

Lock period for password change can be selected (it used to be limited to one day)

To prevent the password history from being bypassed, a user may only change his or her password again after the lock period has passed (exception: the user is asked to change the password by the system). You can now select this lock period using the profile parameter login/password_change_waittime (maximum value: 1000 days).

Link: http://www.sapsecurityonline.com/r3_security/r3_security_user_type.htm
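As an added illustration (not part of the original document), the following Python model applies the login/min_password_* checks from the parameter table above and the old-type/new-type password handling from the upgrade notes to candidate passwords; the parameter values, the special-character set and the way "differing characters" are counted are assumptions.

```python
# Added example (not SAP's code): a model of the password checks the login/min_password_*
# parameters describe, plus the old-type/new-type handling for upgraded systems.
from dataclasses import dataclass

MAX_PASSWORD_LENGTH = 40   # new maximum length (Web AS ABAP 7.00 / NetWeaver 2004s)
OLD_MAX_LENGTH = 8         # maximum length of an old-type password


@dataclass
class PasswordPolicy:
    """Profile parameter values; the numbers here are a constructed example."""
    min_password_lng: int = 6
    min_password_digits: int = 1
    min_password_letters: int = 1
    min_password_specials: int = 0
    min_password_lowercase: int = 1
    min_password_uppercase: int = 1
    min_password_diff: int = 3
    password_history_size: int = 5
    # Assumed set of special characters; the real list is in the parameter documentation
    specials: str = "!#$%&*+-./:;<=>?@_"


def normalize_old_type(password: str) -> str:
    """Old-type password of an upgraded user: the first eight characters are converted
    to upper case and characters 9 to 40 must be spaces."""
    if len(password) > MAX_PASSWORD_LENGTH:
        raise ValueError("password exceeds 40 characters")
    head, tail = password[:OLD_MAX_LENGTH], password[OLD_MAX_LENGTH:]
    if tail.strip(" "):
        raise ValueError("old-type password: characters after position 8 must be spaces")
    return head.upper()


def differing_positions(new_pw: str, old_pw: str) -> int:
    """Simplified 'characters that differ' count (assumption): position-wise mismatches
    plus any length difference. SAP's exact comparison rule is not given on the page."""
    n = min(len(new_pw), len(old_pw))
    return sum(a != b for a, b in zip(new_pw[:n], old_pw[:n])) + abs(len(new_pw) - len(old_pw))


def check_password(policy: PasswordPolicy, new_pw: str, old_pw: str = None, history=()):
    """Return the list of violated rules; an empty list means the password is accepted.
    `history` holds previous user-set passwords (administrator-set ones are not stored)."""
    problems = []
    if len(new_pw) < policy.min_password_lng:
        problems.append(f"min_password_lng: need {policy.min_password_lng}")
    if len(new_pw) > MAX_PASSWORD_LENGTH:
        problems.append("max length: 40 characters")
    counts = {
        "min_password_digits": sum(c.isdigit() for c in new_pw),
        "min_password_letters": sum(c.isalpha() for c in new_pw),
        "min_password_specials": sum(c in policy.specials for c in new_pw),
        "min_password_lowercase": sum(c.islower() for c in new_pw),
        "min_password_uppercase": sum(c.isupper() for c in new_pw),
    }
    for name, have in counts.items():
        need = getattr(policy, name)
        if have < need:
            problems.append(f"{name}: have {have}, need {need}")
    if old_pw is not None and differing_positions(new_pw, old_pw) < policy.min_password_diff:
        problems.append(f"min_password_diff: need {policy.min_password_diff} different characters")
    # Only the last password_history_size entries count (the page gives a maximum of 100)
    recent = list(history)[-policy.password_history_size:] if policy.password_history_size else []
    if new_pw in recent:
        problems.append("password_history_size: password was used before")
    return problems
```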

(Advance) password change with stricter password rules

You can now set the system so that it asks only those users whose current password no longer satisfies the current (stricter) password rules to change their password (in advance). To do this, set the profile parameter login/password_compliance_to_current_policy = 1.

Validity period of unused passwords can be restricted

Passwords that are not used by the authorized user are a security risk. For this reason, you are now able to restrict the validity period of these passwords; here, the system distinguishes between initial passwords (that is, passwords that are assigned by the user administrator and that are to be changed by the user at the next opportunity) and non-initial passwords (that is, passwords that have been set by the user). (Technical users of the type SERVICE and SYSTEM are exempt from this regulation.)

Relevant (new) profile parameters:

o login/password_max_idle_initial

o login/password_max_idle_productive

Logon: compromising error messages are avoided

If you attempt to log on using incorrect logon data, the system now only issues the generic error message "Name or password is incorrect" as a rule; further reasons for failed logons (for example, locked user accounts, user account outside its validity period, and so on) are only given in detail when valid logon data has been passed. Error scenarios in which the system could not check the logon data, or where no further check is allowed, are the exceptions to this rule:

o "User has no password - logon using password is not possible"

o "Password logon no longer possible - too many failed attempts"

The default values of certain profile parameters that are relevant to security have been changed:

o login/failed_user_auto_unlock: 0 (instead of 1). Locks for failed logon attempts remain valid for an unlimited period.

o login/fails_to_user_lock: 5 (instead of 12). The lock for failed logon attempts is set after five failed password logon attempts.

o login/no_automatic_user_sapstar: 1 (instead of 0). The emergency user must be activated explicitly.

o login/min_password_lng: 6 (instead of 3). Passwords must consist of at least six characters.

o login/ticket_expiration_time: 8 (instead of 60). Logon tickets are only valid for eight hours.

The profile parameters login/password_max_new_valid and login/password_max_reset_valid have been replaced by the profile parameter login/password_max_idle_initial, which means that the system no longer distinguishes between the first and the subsequent setting of a password by the user administrator regarding the restriction of the validity of the resulting initial passwords.
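As an added illustration (not part of the original document), this Python snippet parses a constructed profile fragment and reports the login/* parameters that are either unset or explicitly set to a value weaker than the changed defaults listed above; the "name = value" profile syntax and the sample values are assumptions.

```python
# Added example (not SAP's code): parse a profile fragment and compare the login/*
# parameters against the changed default values listed on the page.
import re

# parameter -> (new default, old default, rule): "max" = value must not exceed the new
# default, "min" = value must not fall below it
NEW_DEFAULTS = {
    "login/failed_user_auto_unlock": (0, 1, "max"),
    "login/fails_to_user_lock": (5, 12, "max"),
    "login/no_automatic_user_sapstar": (1, 0, "min"),
    "login/min_password_lng": (6, 3, "min"),
    "login/ticket_expiration_time": (8, 60, "max"),
}

# Constructed profile fragment in the "name = value" form used by SAP profiles;
# a real file would be far longer and carry many other parameters
SAMPLE_PROFILE = """\
# constructed example, not a real system profile
login/fails_to_user_lock = 12
login/failed_user_auto_unlock = 1
login/min_password_lng = 6
login/no_automatic_user_sapstar = 1
rdisp/gui_auto_logout = 1800
"""


def parse_profile(text: str) -> dict:
    """Return {parameter: value string}; '#' starts a comment, blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_/]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def evaluate(params: dict) -> dict:
    """Return {parameter: "weak" | "unset"} for every parameter in NEW_DEFAULTS that is
    either set to a value weaker than the new default, or not set explicitly at all
    (an upgraded profile then depends on whichever kernel default applies)."""
    findings = {}
    for name, (new_default, _old_default, rule) in NEW_DEFAULTS.items():
        if name not in params:
            findings[name] = "unset"
            continue
        try:
            value = int(params[name])
        except ValueError:
            findings[name] = "weak"   # a non-numeric value cannot satisfy the rule
            continue
        too_weak = value > new_default if rule == "max" else value < new_default
        if too_weak:
            findings[name] = "weak"
    return findings


def audit_profile(text: str) -> dict:
    """Parse and evaluate in one step."""
    return evaluate(parse_profile(text))
```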

Authorization Analysis

Analyze Authorization Check SU53

1. Choose the menu path System --> Utilities --> Display Authorization Check or transaction code SU53. You can now analyze an error in your system that just occurred because of a missing authorization.

2. You can call transaction SU53 in all sessions, not just in the session in which the error occurred. Authorization errors in other users' sessions, however, cannot be analyzed from your own session.

3. In the example below, user Bob calls transaction VA03 (display sales order). The message "You do not have authorization for Transaction VA03" appears. User Bob now enters transaction code /nSU53 and the system displays the authorization object that was just checked and, for comparison purposes, the values of that object that user Bob has in his user master record. In this case user Bob does not have VA03 assigned to any of his roles.

4. Transaction SU56 allows the user to see which authorizations are currently in his buffer.

Authorization Trace ST01

You can analyze authorizations as follows: choose Tools --> Administration --> Monitor --> Traces --> SAP System Trace or transaction ST01.

Choose trace component Authorization check and the pushbutton Trace on. The trace is automatically written to the hard disk.

To limit the trace function to your own sessions, choose Edit --> Filter --> Shared. Enter your user ID in the field Trace for user only in the displayed dialog box.

Once the analysis is completed, choose Trace off.

To display the results of the analysis, choose Goto --> Files/Analysis or the pushbutton File list. Select the required file and choose Analyze.

The results of the authorization check are displayed in the following format: <Authorization object>:<Field>=<Tested value>

The return code shows whether or not the authorization check was successful.


ST01 Return Code

0 | Authorization check passed

1 | No authorization

2 | Too many parameters for authorization check

3 | Object not contained in user buffer

4 | No profile contained in user buffer

6 | Authorization check incorrect

7, 8, 9 | Invalid user buffer

Authorization Checks

Authorization Checks When Starting SAP Transactions

When a user starts a transaction, the system performs the following checks:

The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.

The system then checks whether the user has authorization to start the transaction. The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.

o The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.

o If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitably defined authorization object (TSTA, table TSTCA). If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).

The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object. The check is not performed in the following cases:

o You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.

o This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.

o You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.

o So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to Y (using transaction RZ10).

All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.
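As an added illustration (not part of the original document), this Python model walks through the transaction-start checks described above in order: the TSTC validity and lock check, S_TCODE, the SE93 additional authorization, and the SU24 check indicators that only take effect with AUTH/NO_CHECK_IN_SOME_CASES = Y. The transactions, authorizations and users are constructed.

```python
# Added example (not SAP's code): a model of the checks the page lists for starting a
# transaction. The TSTC stand-in and the users below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Transaction:
    tcode: str
    locked: bool = False                                  # administrator lock in TSTC
    extra_auth: Optional[Tuple[str, str, str]] = None     # SE93 entry (TSTCA): object, field, value


@dataclass
class User:
    name: str
    # object -> list of authorizations, each a mapping field -> set of values ('*' = all)
    auths: Dict[str, List[Dict[str, Set[str]]]] = field(default_factory=dict)

    def has(self, obj: str, **fields: str) -> bool:
        """True if one authorization for obj covers every requested field value."""
        for auth in self.auths.get(obj, []):
            if all(v in auth.get(f, set()) or "*" in auth.get(f, set())
                   for f, v in fields.items()):
                return True
        return False


# Constructed stand-in for TSTC/TSTCA: SCC4 carries an additional authorization
# (S_TABU_DIS, group SS), SM01 is locked by the administrator
TSTC = {
    "VA03": Transaction("VA03"),
    "SCC4": Transaction("SCC4", extra_auth=("S_TABU_DIS", "DICBERCLS", "SS")),
    "SM01": Transaction("SM01", locked=True),
}


def start_transaction(user: User, tcode: str, tstc=TSTC,
                      check_indicator_off=frozenset(),
                      no_check_in_some_cases: bool = False) -> Tuple[bool, str]:
    """Apply the checks in the order the page describes and return (allowed, reason).
    check_indicator_off holds (tcode, object) pairs switched off in SU24; those entries
    take effect only when AUTH/NO_CHECK_IN_SOME_CASES = Y (no_check_in_some_cases)."""
    tx = tstc.get(tcode)
    if tx is None:
        return False, "transaction code not valid (no TSTC entry)"
    if tx.locked:
        return False, "transaction locked by the administrator"
    if not user.has("S_TCODE", TCD=tcode):
        return False, f"no S_TCODE authorization for {tcode}"
    if tx.extra_auth is not None:
        obj, fld, val = tx.extra_auth
        skipped = no_check_in_some_cases and (tcode, obj) in check_indicator_off
        if not skipped and not user.has(obj, **{fld: val}):
            return False, f"missing additional authorization {obj} ({fld}={val})"
    return True, "all checks passed"
```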

Checking Assignment of Authorization Groups to Tables

You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.

TIPS AND TRICKS

R/3 Security Tips

QuickViewer (SQVI)

QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a whole range of options for defining reports. SAP Query also supports different kinds of reports such as basic lists, statistics, and ranked lists. QuickViewer (SQVI), on the other hand, is a tool that allows even relatively inexperienced users to create basic lists. I have created a tutorial for SQVI: SQVI Tutorial

User assignment

Never insert generated profiles directly into the user master record (transaction SU01). Assign the role to the user in the Roles tab in transaction SU01, or choose the User tab in role maintenance (PFCG) and enter the user to whom you want to assign the role or profile. If you then compare the user master records, the system inserts the generated profile in the user master record.

Do not assign any authorizations for modules you have not yet installed

If you intend to gradually add modules to your system, it is important that you do not assign any authorizations for those modules you have not yet installed. This ensures that you cannot accidentally change data in your production system that you may need at a later stage.

Creating SPRO display only

You might be asked to give SPRO display access while implementing your SAP system. I generally give these authorizations to make it display only. Please test it.

Object | Field | Value

S_PROJECT | PROJECT_ID | *

S_PROJECT | PROJ_CONF | *

S_RFC | ACTVT | 03

S_RFC | RFC_NAME | *

S_RFC | RFC_TYPE | *

S_TABU_C


R/3 Security Tables

Security Tables

Table | Description

USR02


End User

Transaction Code | Menu Path | Purpose

SU3 | System --> User Profile --> Own Data | Set address/defaults/parameters

SU53 | System --> Utilities --> Display Authorization Check | Display the last authority check that failed

SU56 | Tools --> Administration --> Monitor --> User Buffer | Display user buffer

Role Administration

Transaction Code | Menu Path | Purpose

PFCG | Tools --> Administration --> User Maintenance --> Roles | Maintain roles using the Profile Generator

PFUD | none | Compare user master in dialog. This function can also be called in the Profile Generator: Environment --> Mass compare. The job for user master comparison is PFCG_TIME_DEPENDENCY (up to Release 4.0: RHAUTUP1)

SUPC | Tools --> Administration --> User Maintenance --> Roles --> Environment --> Mass Generation | Mass generation of profiles

User Administration

Transaction Code | Menu Path | Purpose

SU01 | Tools --> Administration --> User Maintenance --> Users | Maintain users

SU01D | Tools --> Administration --> User Maintenance --> Display Users | Display users

SU10 | Tools --> Administration --> User Maintenance --> User Mass Maintenance | User mass maintenance

SU02 | Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Profiles Manually | Manually create profiles

SU03 | Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Authorizations Manually | Manually create authorizations

Profile Generator Configuration

Transaction Code | Menu Path | Purpose


R/3 Basis Tcodes

Common Transaction Codes for Basis Administration

RZ11 | Profile Parameters

SM65 | Background Processing Analysis Tool

SU51 | Maintain User Address

SAR | Maintain Transaction Codes

SM66 | System-wide Work Process Overview

SU52 | Maintain User Parameters

SARA | Archive Management

SM67 | Job Scheduling

SU53 | Analyze Authorization Error

SCAT | Computer Aided Test Tool

SM68 | Job Administration

SU56 | Display list of User Authorizations

SCC0 | Client Copy

SMGW | Gateway Monitor

SVER | ABAP/4 Verification

SCU3 | Table History

SM


R/3 Security: Audit Check

There comes a time when you have to deal with auditors. I have put together a checklist to go through. If this is a new implementation you should go through this, and maybe you can impress your boss.

If you have any doubts as to whether or not revisiting your SAP infrastructure security is worth your while, take this short test and see how well your SAP systems' security now fares: follow the link.

SAP R/3 user ID SAP* and other system user IDs have been adequately secured.

The production system has been set to productive.

Access Restriction: SCC4 and SE06

S_DEVELOP is secured

Change management is secured and controlled

Transport access to production is restricted

Developer access in production

Change of critical number ranges is restricted

Custom tables have an authorization group

Locking of sensitive system transaction codes

BDC user types should have only the required access

Run program in the background

Changes to critical SAP R/3 tables are logged

Scheduling and monitoring batch jobs

Access to run reports should be restricted.

Critical and custom SAP R/3 tables are restricted.

R/3 Security: Audit Check

SAP R/3 user ID SAP* and other system user IDs have been adequately secured.

Performed the following steps to confirm that user ID SAP* has been adequately secured:

Verified whether the default password of SAP* was changed in all production clients:

Execute transaction code SA38 and run report RSUSR003.

Reviewed the RSUSR003 report to verify that the parameter login/no_automatic_user_sapstar is set (value = 0).


Who has SAP_ALL and SAP_NEW

Execute transaction code SUIM. Click on 'User'. Click on


The production system has been set to productive.

To verify that the company codes utilized in the SAP R/3 systems are set to productive. There are various company codes that come as default within SAP. This is to ensure that only the company codes that are being used are checked and set up as productive. The SO team/Security team should perform the following steps:

Execute transaction code: OBR3

Review the 'Productive' column and ensure applicable global settings have not been checked off.

The production client settings have been flagged to not allow changes to programs and configuration.

Performed the following steps to verify that production client settings have been flagged to not allow changes to programs and configuration:

Execute transaction code SCC4 (all clients) and SE06

Double click on the applicable production client.

Verify that changes to client-dependent and client-independent objects are not allowed and that the client is set to productive.

R/3 Security: Audit Check

Access Restriction: SCC4 and SE06

Transaction codes SCC4 and SE06 are critical transactions which can be used to prevent direct changes being made to the production system. If these transactions are not appropriately set there is a risk that unauthorized changes may be made directly in the production system, without going through the appropriate change management process.

Performed the following steps to verify that the ability to make changes to client and system settings is restricted and access privileges are appropriately assigned based on job responsibilities. Perform the following steps:

Query 1

Execute transaction code: SUIM

Select User by complex criteria

Authorization object: S_TCODE

Transaction code value: SCC4

Authorization object: S_TABU_DIS

Activity: 02 and 03

Authorization Group: SS

Authorization object: S_TABU_CLI

Indicator for cross-client maintenance: X

Query 2

Execute transaction code: SUIM

Authorization object: S_TCODE

Transaction code value: SCC4

Authorization object: S_ADMI_FCD


System Administration Function: T000

Authorization object: S_CTS_ADMI

Administration task: INIT

Query 3

Execute transaction code: SUIM

Authorization object: S_TCODE

Transaction code value: SE06

Authorization object: S_TRANSPRT; Activity value: *

Request Type: *

Authorization object: S_CTS_ADMI

Administration Task: RE


Start transaction SE16, enter the table name and choose the option Display.

TCESYST Environments

Inspect the table TCESYST, which details the various environments.

TCETRAL Cross Transports

Inspect the table TCETRAL.


R/3 Security: Audit Check

Developer access in production

The ability to make changes to the SAP R/3 Data Dictionary is restricted and access privileges are appropriately assigned based on job responsibilities. Performed the following procedures to verify that the ability to make changes to the SAP R/3 Data Dictionary is restricted and access privileges are appropriately assigned based on job responsibilities: Executed transaction: SUIM

o Authorization object: S_TCODE

o Transaction code value: SE11

o Authorization object: S_DEVELOP

o Activity value: 01 or 02

o Other fields: '*'

Risk: The risk here is that users who have this access have the ability to maintain the SAP database (data dictionary).

Identify users who can do development in Production

Execute transaction code: SUIM

S_TCODE: SE3

Authorization Object: S_DEVELOP

Activity: 02 and 03

All fields:


    !able Name? D*ACC*SS

    Ris!2 Deeloper key is re/uired along with the open system to make changes withinproduction.

    R/3 Security= Audit Chec!

    Cha"e critical um'er ra"e is restricted(-company code, charts of accounts etc.

    0erformed the following procedures to erify that the %A0 system appropriately restrictsthe ability to change critical number ranges -i.e., company codes, chart of accounts,accounting period data, etc..

    =xecute transaction code SU#)Authorization object? STC&D*!ransaction code alue? SNR&Authorization object? SNU)*RActiity? %E

    Number of number range? G>H

    Ris!2!he risk here is that users who hae this access, hae the ability to maintain criticalnumber ranges.

    R/3 Security= Audit Chec!

    Custom ta'les has auth "roup

    0erformed the following procedures to erify that all customized %A0 12( tables hae beenassigned to the appropriate authorization group?

    =xecuted transaction code? S*$@!able name? TDDAT!able name? ;> :>

    Ris!? "f tables are not assigned to authorization groups it is not possible to appropriatelycontrol direct access to tables.

    R/3 Security= Audit Chec!

    1oc!i" of sesitive systems trasactio codes i Productio eviromet(9uery

    !he authorization to lock and unlock transaction codes should only granted to selected fewusers. !his also applies to costumer deeloped tcodes proided they are entered in table!%!:A through transaction code %=H(

    Check who has this access in production using the following report.

    Execute transaction: SM01

    or Execute transaction: SE16


    Table Name: TSTC, info field: 20 to 20

    Risk: SAP recommends that certain sensitive transactions be locked in the production system to prevent accidental or malicious use. The risk therefore is that these transactions are accidentally run, or run with malicious intent.

    Query

    Generated a list of users who have access to lock/unlock transaction codes.

    o Execute transaction code: SUIM

    o S_TCODE: SM01

    o Authorization object: S_ADMI_FCD

    Field value: T


    Risk: The risk here is that users who have this access have the ability to run programs directly in the background, bypassing transaction-level security in SAP, and could potentially run programs or transactions they are not explicitly authorized to run.

    Batch input - SM35

    Batch input transaction code SM35 needs authorization for object S_BDC_MONI. You can restrict the privileges to certain sessions by entering the respective session name or name range. If you use a name range, the naming convention should be applied consistently.

    Execute transaction code: SUIM

    S_TCODE: SM35

    Authorization Objects: S_BDC_MONI

    Batch Input monitoring activity: *

    Session Name: *

    Risk: The risk here is that users who have this access have the ability to process batch transactions without being explicitly authorized to do so.

    R/3 Security - Audit Check

    Changes to critical SAP R/3 tables are logged and management regularly reviews the logs.

    Ran transaction SE16 on table DD09L and noted that tables have been selected for logging.

    Query

    Execute transaction code: SUIM

    S_TCODE: SE01

    Authorization object: S_TRANSPRT

    Activity: 02

    Field Object in Workbench Organizer: UPMR

    Risk: The risk here is that users who have this access have the ability to transport matchcodes into the production system. Such access should be restricted to basis administrators only.

    R/3 Security - Audit Check

    Scheduling batch jobs

    By default a user is allowed to schedule reports for background processing, but cannot release them. Authorization to release jobs is controlled by S_BTCH_JOB, Activity RE


    system.

    S_BTCH_NAM can be used to schedule jobs under a different user ID. Never give * here, as this would allow the user to start batch jobs under any user ID.

    To check who has this access in production, follow the instructions below.

    Performed the following steps to verify which users have the ability to change the SAP R/3 job schedule:

    Execute transaction code SA38, report RSUSR002

    S_TCODE: SM36 (Schedule)

    Authorization Object: S_BTCH_*

    Risk: The potential risk here is that users who have this access have the ability to run programs directly in the background, bypassing transaction-level security in SAP, and could potentially run programs or transactions they are not explicitly authorized to run.

    Monitoring batch jobs

    Run transaction SM37 to check whether any of the jobs scheduled during the last year are still active.

    Risk: If jobs are not monitored on a regular basis, there is a risk that jobs will not run to completion; processing of critical financial information will therefore be incomplete and the issue will not be identified on a timely basis.

    R/3 Security - Audit Check

    Access to run reports should be restricted.

    Execute transaction code: SUIM

    S_TCODE: SA38

    Authorization Objects: S_PROGRAM

    User action ABAP program: SUBMIT (foreground and background)

    Authorization Group: *

    Risk: The risk here is that users who have this access have the ability to run programs directly, bypassing transaction-level security in SAP, and could potentially run programs or transactions they are not explicitly authorized to run.

    Execute transaction code: SUIM

    S_TCODE: SA38

    Authorization Objects: S_PROGRAM

    User action ABAP program: EDIT (maintain attributes, text elements, ABAP/4 utilities to copy and delete programs)

    Authorization Group: *

    Risk: The risk here is that users who have this access have the ability to maintain program attributes.

    R/3 Security - Audit Check

    Critical and custom SAP R/3 tables are restricted.

    Execute transaction SUIM

    Authorization Object: S_TCODE

    Transaction Code: SM31 (enhanced table maintenance)

    Authorization object: S_TABU_DIS

    Activity: 02 AND 03

    Risk: The risk here is that users who have this access have the ability to maintain table data directly in the production system. This includes transactional, master file, security and configuration data.

    Execute transaction SUIM

    Authorization Object: S_TCODE

    Transaction Code: SM31

    Authorization object: S_TABU_DIS

    Activity: 02 AND 03

    Authorization Object: S_TABU_CLI
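    As an added example that is not part of the original document, the Python below evaluates several of the SUIM-style checks in this and the preceding sections (SE11 with S_DEVELOP 01/02 and DEVCLASS *, development in production via SE38, SA38 with S_PROGRAM SUBMIT, and SM31 with S_TABU_DIS 02) against per-user authorization values of the kind an auditor exports from a system. The users and their authorization values are constructed sample data, not taken from any system; the field names (TCD, ACTVT, DEVCLASS, P_ACTION, P_GROUP, DICBERCLS) are the standard fields of those authorization objects.

```python
"""Offline evaluation of the SUIM-style audit queries in this document over
per-user authorizations (object -> list of authorizations -> field -> values).
The users below are constructed for illustration, not taken from a system."""


def sap_value_matches(granted: str, required: str) -> bool:
    """Does authorization value `granted` cover `required`? Values allow a lone
    '*' (anything) or a trailing '*' (prefix). A required '*' is only met by a
    full wildcard, which is what the document's "Other fields: *" queries look
    for. LOW-HIGH intervals are not modelled."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required != "*" and required.startswith(granted[:-1])
    return granted == required


def user_has(auths: dict, obj: str, **fields) -> bool:
    """True if one authorization for `obj` meets every field test (a value or
    a tuple of alternatives); a single authorization must satisfy all fields."""
    for auth in auths.get(obj, []):
        if all(any(sap_value_matches(g, w) for g in auth.get(f, [])
                   for w in (v if isinstance(v, tuple) else (v,)))
               for f, v in fields.items()):
            return True
    return False


# The document's queries, one predicate per audit check.
CHECKS = {
    "Data Dictionary change (SE11 + S_DEVELOP 01/02, DEVCLASS *)": lambda a:
        user_has(a, "S_TCODE", TCD="SE11")
        and user_has(a, "S_DEVELOP", ACTVT=("01", "02"), DEVCLASS="*"),
    "Development in production (SE38 + S_DEVELOP 02)": lambda a:
        user_has(a, "S_TCODE", TCD="SE38")
        and user_has(a, "S_DEVELOP", ACTVT="02"),
    "Run any report (SA38 + S_PROGRAM SUBMIT, P_GROUP *)": lambda a:
        user_has(a, "S_TCODE", TCD="SA38")
        and user_has(a, "S_PROGRAM", P_ACTION="SUBMIT", P_GROUP="*"),
    "Maintain table data (SM31 + S_TABU_DIS 02)": lambda a:
        user_has(a, "S_TCODE", TCD="SM31")
        and user_has(a, "S_TABU_DIS", ACTVT="02"),
}

USERS = {  # constructed sample data
    "BASIS_ADM": {
        "S_TCODE": [{"TCD": ["*"]}],
        "S_DEVELOP": [{"ACTVT": ["01", "02", "03"], "DEVCLASS": ["*"]}],
        "S_PROGRAM": [{"P_ACTION": ["SUBMIT", "EDIT"], "P_GROUP": ["*"]}],
        "S_TABU_DIS": [{"ACTVT": ["02", "03"], "DICBERCLS": ["*"]}],
    },
    "FI_CLERK": {  # display-only table access within one auth group
        "S_TCODE": [{"TCD": ["FB01", "FB03", "SE16"]}],
        "S_TABU_DIS": [{"ACTVT": ["03"], "DICBERCLS": ["FC*"]}],
    },
    "Z_PRD_DEVELOPER": {  # changes Z* objects, but not the data dictionary
        "S_TCODE": [{"TCD": ["SE38", "SE11"]}],
        "S_DEVELOP": [{"ACTVT": ["01", "02", "03"], "DEVCLASS": ["Z*"]}],
    },
}


def run_audit(users: dict) -> dict:
    """Map each user to the sorted names of the checks that flag them."""
    return {u: sorted(n for n, t in CHECKS.items() if t(a))
            for u, a in users.items()}
```

    run_audit(USERS) flags BASIS_ADM on all four checks and Z_PRD_DEVELOPER only on the SE38 check, because its S_DEVELOP authorization is limited to the Z* development class rather than the full wildcard the SE11 query looks for.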


    manually in all the clients of all of the SAP R/3 Systems in which it should be valid.

    User master records can be maintained centrally in one client of a system. If a new client is built as a copy of a maintenance client, the new client can initially be filled with the user master records of the maintenance client. During this copy, the roles of the maintenance client are copied together with the user master records. However, you cannot select which users should be copied and which should not. The user master records also cannot be automatically synchronized sequentially

    Advantages of having CUA

    Administration of a whole system landscape from one single central system

    Overview of all user data in the whole system landscape

    Consistent user data in the whole system landscape

    Additional local maintenance still possible

    CUA in a separate system vs. in PRD

    Advantages

    No performance impact on the PRD system

    Independence from planned downtime of the PRD system

    Independence from the PRD system release (a higher release with more functionality can be used)

    Maintenance activities on the CUA central system (e.g. import of support packages) have no impact on the PRD system

    Access to user management can easily be controlled

    Disadvantages

    Additional hardware and administration cost

    CUA in PRD

    Advantages

    No additional hardware and administration cost

    Disadvantages

    Performance impact on the PRD system

    No user administration during downtime of the PRD system

    The PRD system release determines CUA functionality (no higher release can be used)

    Maintenance activities on the CUA central system (e.g. import of support packages) cause downtime of the PRD system

    Access to user management can be controlled only if a separate client on the PRD server is set up


    Pros & Cons: Single CUA

    Advantages

    Requires few resources (hardware and/or disk space)

    Consistent user master data in the whole system landscape

    One single point of administration and control

    Disadvantages

    Maintenance of the CUA central system has an immediate impact on production; no test of CUA functionality is possible

    Unavailability of the CUA central system has an impact on the whole system landscape

    Planned downtime of the CUA central system has to be confirmed by all system owners

    A high volume of user data and a high number of changes to user master records (e.g. caused by a client copy in DEV) can result in decreased performance of the CUA central system

    Not suitable for customers where responsibilities for user administration are organizationally split based on systems

    Organizational challenges

    Technical CUA configuration does not match the organization of the user administration

    Conflicts due to unclear responsibilities for user management

    User administrators are not trained in CUA usage

    CUA - Installation

    Introduction

    For clients with a very complex environment, with multiple landscapes and multiple clients, maintaining the entire environment becomes very challenging. Using Central User Administration (CUA), you can maintain user master records centrally in one system. Changes to the information are then automatically distributed to the child systems. This means that you have an overview in the central system of all user data in the entire system landscape. Distribution of the data is based on a functioning Application


    Setting Up Central User Administration

    To set up Central User Administration (CUA), perform the procedures described below.

    Steps to Set Up the CUA

    Specify


    CUA child systems

    Every input field of the user maintenance transaction SU01 has a field attribute that you set once in the central system with transaction SCUM during Customizing. As far as possible, you should then not change the field maintenance indicator at all.

    If you later change the distribution from Local or Proposal to Global or Redistribution, data inconsistencies can occur. When resolving these inconsistencies you must proceed with the utmost care; otherwise data losses will occur. The only exception to this is the Locks tab page. You can change the indicators on this tab page at any time without any risk.

    Procedure


    Logon data: Initial password is set to Proposal, and the rest is set to Global

    Default: All attributes set to RetVal

    Parameters: All attributes set to RetVal

    Profiles/Roles: All attributes set to Global

    Lock: Unlock incorrect logon is set to


    under the same name and are maintained centrally.

    Select all new and changed users and choose Transfer Users.

    Perform steps 3 and 4 successively for all child systems from which you want to transfer users.

    After you have completed the user transfer, remove the roles SAP_BC_CUA_SETUP_CENTRAL and SAP_BC_USR_CUA_SETUP_C


    corresponding user master record.

    Performing a Text Comparison with the Target System

    Specification

    If you have created, deleted or imported roles and/or profiles in a child system of the Central User Administration (CUA), there is initially a different data status in the central and child systems. You do not need to perform a text comparison for all child systems, but can clean up the data specifically for the affected child system as follows:

    In the central system, use transaction SU01 to execute the Text Comparison from Child System function and specify the changed child system as the target system.

    Send the changed role data from the child system in which you made the role maintenance changes (transaction PFCG) to the central system. To do this, choose Environment → Text Comparison for CUA Central System in transaction PFCG of the child system.

    CUA - Tips

    Access to the configuration transactions of Central User Administration (CUA) should be controlled. Consideration should be given to restricting access to the following CUA maintenance transactions to the relevant user administration staff only.

    CUA Tcode Name and Description

    SA


    administrative access from the communication user's role.

    For further CUA troubleshooting, follow the link

    Single Sign-On

    If you are one of those admins who faces any of the issues listed below, then SSO is for you.

    Users access multiple systems, including SAP and non-SAP systems. Some systems reside in a dedicated network zone in the intranet, but many systems reside on different networks or on the Internet.

    Users need to have different IDs and passwords to access these systems.

    Each of these systems also maintains its own password policy. For example, in the SAP HR system, the user has to change his or her password every 30 days. In the next system, the user has to change the password every 90 days. In another system, the user does not need to change his or her password regularly at all.

    What does this lead to? Users forget their passwords. The administrator is constantly resetting passwords. Keep in mind that this makes social engineering much easier.

    The solution is Single Sign-On. With SSO, users access multiple systems based on a single authentication.

    Implementing SSO in NetWeaver ESS

    Implementing SSO (R/3 / Enterprise Portal)

    Implementing SSO in NetWeaver ESS

    Verify that the following profile parameters are set correctly in the backend using RZ11

    login/accept_sso2_ticket = 1

    login/create_sso2_ticket = 0

    Make sure that in the portal the connector to the backend is defined with the following setting and that the permission is set correctly.

    Authentication Ticket Type - SAP


    Both of these steps can be performed with transaction STRUSTSSO2, which is an extended version of transaction STRUST. For detailed documentation on transaction STRUST, see the Web Application Server documentation under Security → Trust Manager. In the SAP System, start transaction STRUSTSSO2.

    A screen with the following layout appears.

    The PSE status frame on the left displays the PSEs that are defined for the system.

    The PSE maintenance section on the top right displays the PSE information for the PSE selected in the PSE status frame.

    Below that, the certificate section displays certificate information for a certificate that you have selected or imported.

    The Single Sign-On ACL section on the bottom right displays the entries in the ACL of the system.

    Note that the layout of the transaction will vary slightly, depending on the release of the SAP System.

    2. In the PSE status frame on the left, choose the system PSE.

    3. In the certificate section, choose Import Certificate.

    The Import Certificate screen appears.

    4. Choose the File tab.

    5. In the File path field, enter the path of the portal's verify.der file.

    6. Set the file format to DER coded and confirm.

    7. In the Trust Manager, choose Add to PSE.

    8. Choose Add to ACL.


    Result

    The SAP component systems are able to accept SAP logon tickets and verify the Portal Server's digital signature when they receive a logon ticket from a user.

    Importing the Portal Certificate into the SAP System

    Prerequisites

    You have downloaded the public-key certificate of the portal server (verify.pse file). Use the Keystore Administration tool for this.

    Procedure

    1. In the component system, start transaction STRUST.

    The following screen appears.

    This screen displays a list of the certificates contained in the PSE of the component system.

    2. In the certificate group box, choose Import Certificate.

    The Import Certificate screen appears.


    3. Choose the File tab.

    4. In the File path field, enter the path of the portal's verify.der file.

    5. Set the file format to DER coded and confirm.

    6. In the Trust Manager, choose Add to PSE.

    7. Save the new certificate list.

    The new certificate list is automatically replicated to all application servers in the system. You do not have to import the portal certificate onto each application server separately.

    Sarbanes-Oxley (SOX)

    Sarbanes-Oxley has become the de facto standard for financial transparency, trust, and corporate accountability. While mandatory for all publicly-owned companies, Sarbanes-Oxley is also becoming a best practice for all types of companies that wish to identify with good governance practices. A significant amount of attention is currently focused on Section 302 (Disclosure) and Section 404 (Internal Controls). Sarbanes-Oxley Sections 302 and 404 are designed to ensure that information required to be disclosed is initiated, processed, recorded, and reported, and that management has assessed the effectiveness of internal controls regarding the reliability of financial reporting. CEOs and CFOs of public companies must:

    Certify that they have reviewed the financial statements and each annual or quarterly report.

    Certify that each such report fairly represents the company's financial condition.

    Certify that they have established and are maintaining internal controls.

    Ensure the effectiveness of such internal controls every quarter.

    Address significant changes in internal controls or other factors that could significantly affect such controls.

    Identify corrective actions taken regarding deficiencies/weaknesses in controls.

    Disclose any significant deficiencies in internal controls and/or any fraud involving persons with a significant role in upholding such controls.

    SOX/SoD - Tool Comparison

    | Feature / Attribute | Approva | Bearing Point | CSI | Virsa Systems |
    |---|---|---|---|---|
    | Production Installations | 5 | 4 | 4 | 5 |
    | Product Stability / Maturity | 4 | 3 | 2 | 5 |
    | Support | 3 | 5 | 3 | 5 |
    | Support Separation of Duties roles/responsibilities identification and resolution | 5 | 3 | 3 | 5 |
    | Support ease of implementation requirements and integration to SAP 4.7 | 5 | 3 | 3 | 5 |
    | Support monitoring (after the fact) and audit of compliance to Sarbanes-Oxley Section 404 | 5 | 3 | 3 | 5 |
    | Cross platform conflicts identification | 5 | 0 | 0 | 4 |
    | Extend rule sets to include non-system controls for SoD | 5 | 0 | 0 | 5 |
    | Drill down to role definition and change configuration to eliminate SoD conflict | 4 | 4 | 4 | 5 |
    | Security software does not impact performance and integrity of ERP system | 5 | 4 | 4 | 4 |
    | Technical Support Rating | 5 | 3 | 3 | 5 |
    | Established User Group | 0 | 0 | 0 | 5 |
    | Initial Software Investment Cost | Expensive | Cheap | Cheap | Expensive |
    | Annual Maintenance/Support Fees | Expensive | Cheap | Cheap | Expensive |
    | Additional Hardware Required | Yes | No | No | No |
    | Implementation Costs | 5 | 2 | 2 | 5 |
    | End-User Training Required | Required | Required | Required | Required |
    | To Setup Product Demonstration | 4 | 3 | 3 | 5 |
    | Existing Customer References | 4 | 3 | 2 | 5 |

    Rating 5 is good and 0 is poor. This is my personal opinion.

    Other SAP SOX/SoD Tools

    Sya5io provides you with integrated software solutions for SAP for both Governance, Risk