LEAD FACILITATOR:
JOSEPH UGWULALI M.SC, MBA, FCA, CFA, ACTI,
SAP CERTIFIED SECURITY & GRC CONSULTANT
Who is SAP?
SAP AG
Founded in Walldorf, Germany in 1972 by five former IBM employees
World's largest business software company
World's third-largest independent software provider
Company statistics
Over 55,000 employees in more than 75 countries
183,000+ customers in more than 130 countries
In Nigeria, customers include Shell, Mobil, MRS, Nigerian Breweries, Cadbury, FrieslandCampina WAMCO, Unilever, Dangote Group, Procter & Gamble, Coca-Cola, NNPC, NLNG and FIRS, to mention a few.
200,000+ installations all over the world
2,500+ business partners
www.irslconsulting.com +234 1 453 1559 Page 1-5
SAP
Systeme, Anwendungen und Produkte in der Datenverarbeitung
(English: Systems, Applications, and Products in Data Processing)
Global organization made up of many companies
SAP AG
SAP America
SAP UK etc.
SAP Business Suite
SAP Enterprise Resource Planning (SAP ERP)
SAP Supplier Relationship Management (SAP SRM)
SAP Customer Relationship Management (SAP CRM)
SAP Supply Chain Management (SAP SCM)
SAP Product Lifecycle Management (SAP PLM) etc.
SAP Business ByDesign
SAP NetWeaver
SAP Enterprise Resource Planning (SAP ERP)
SAP Architecture
Client/Server Environment
Client: a hardware/software environment that requests services from a central repository of resources
Server: a hardware/software combination that provides services to a group of clients in a controlled environment
SAP Business Suite (diagram): SAP PLM, SAP SCM and the other Business Suite applications, running on SAP NetWeaver
History (diagram)
SAP R/3, a client/server system, consisted of the application modules SD, FI, MM, CO, PP, AM, QM, PS, PM, WF, HR and IS built on ABAP and Basis.
It evolved into SAP ERP, one of the SAP Business Suite applications (alongside SAP SRM, SAP CRM, SAP PLM and SAP SCM), all running on SAP NetWeaver.
SAP Software Applications
For small & medium enterprises: SAP All-in-One, SAP Business ByDesign, SAP Business One
For large enterprises: SAP ERP, SAP CRM, SAP PLM, SAP SCM, SAP SRM, SAP BusinessObjects
Platforms: SAP NetWeaver, SAP Enterprise Services Architecture
Network Communications: SAP router; Secure Network Communications (SNC); Secure Store & Forward (SSF) mechanisms and digital signatures
Auditing and Logging: Audit Information System; Security Audit Log; Management of Internal Controls (MIC)
Application: R/3 Internet Applications Security
INFOTECH RISKS SECURITY LIMITED (www.irslconsulting.com) 21
SECURITY PARAMETERS
Security parameters are found in the SAP R/3 profiles, together with many other parameters.
They control numerous high-level aspects of security, including the following:
Login limits
Default clients and start menu
Password length and expiry interval
User buffer size
Authorization tracing
Profile generator
Securing SAP*
Authorization checks
S_TCODE checks
S_RFC checks
User Buffer
When a user logs in, all assigned authorizations are loaded from the user master record into the user buffer.
The user buffer is checked every time a user attempts to execute a transaction or run a program.
The user buffer does not contain the values of the authorizations; these are verified against the actual authorizations in table USR12 during the check.
Authorization Checking and User Buffer
Authorizations are loaded into the user buffer alphabetically.
The user buffer is created and loaded each time a user logs on to SAP.
The user buffer is checked for both online and background processing.
Auditors can use transaction SU56 to check the buffer.
External Security
login/ext_security
Specifies whether an external security tool (e.g. Kerberos) is used.
If set, an additional identification can be maintained for each user.
To activate, set the value to X.
System Security Parameters
SAP* status: login/no_automatic_user_sapstar
If this parameter is set to a value greater than zero, then SAP* has no special default properties. The default value is 0 in the releases this material covers; verify the effective value in the running system rather than relying on the default.
User authorizations: auth/auth_number_in_userbuffer
The number of authorizations that a user's buffer can hold at any one time.
Profile Generator: auth/no_check_in_some_cases
The switch for the Profile Generator. The default is N; it must be set to Y for the Profile Generator to work.
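An added example (not from the original training material and not SAP code) that checks an instance profile against the parameters discussed in this section. It parses the plain `name = value` profile format and flags deviations from a baseline. The baseline values, the additional password-policy parameters (login/min_password_lng, login/password_expiration_time, login/fails_to_user_lock) and the sample profile contents are assumptions made for the illustration; adjust them to your own policy.

```python
"""Audit an SAP instance profile against a small security-parameter baseline.

Added example, not SAP code. SAP profiles (DEFAULT.PFL and instance
profiles) are plain text with one `name = value` per line and `#` comment
lines, which is all the parser relies on. The baseline values are an
ASSUMPTION: SAP* stripped of its default properties and the Profile
Generator switch active (as the text recommends) plus common
password-policy settings.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample profile fragment (not taken from any real system).
SAMPLE_PROFILE = """\
# instance profile fragment (constructed)
SAPSYSTEMNAME = DEV
# SAP* keeps its default properties
login/no_automatic_user_sapstar = 0
login/min_password_lng = 3
# passwords never expire
login/password_expiration_time = 0
login/fails_to_user_lock = 12
# Profile Generator switched off
auth/no_check_in_some_cases = N
auth/auth_number_in_userbuffer = 1000
"""

# The same fragment with every baseline check satisfied (constructed).
HARDENED_PROFILE = """\
login/no_automatic_user_sapstar = 1
login/min_password_lng = 8
login/password_expiration_time = 90
login/fails_to_user_lock = 5
auth/no_check_in_some_cases = Y
auth/auth_number_in_userbuffer = 3000
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: value}; blank lines and `#` comments are ignored."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def _as_int(value: str) -> Optional[int]:
    try:
        return int(value)
    except ValueError:
        return None  # a non-numeric value never satisfies a numeric check


def at_least(n: int) -> Callable[[str], bool]:
    def check(v: str) -> bool:
        i = _as_int(v)
        return i is not None and i >= n
    return check


def between(lo: int, hi: int) -> Callable[[str], bool]:
    def check(v: str) -> bool:
        i = _as_int(v)
        return i is not None and lo <= i <= hi
    return check


def equals(expected: str) -> Callable[[str], bool]:
    return lambda v: v.upper() == expected.upper()


# (parameter, predicate on the raw string value, human-readable expectation)
BASELINE: List[Tuple[str, Callable[[str], bool], str]] = [
    ("login/no_automatic_user_sapstar", at_least(1), ">= 1 (SAP* loses its special default properties)"),
    ("auth/no_check_in_some_cases", equals("Y"), "Y (Profile Generator active)"),
    ("login/min_password_lng", at_least(8), ">= 8 characters"),
    ("login/password_expiration_time", between(1, 90), "1..90 days"),
    ("login/fails_to_user_lock", between(1, 5), "1..5 failed attempts"),
]


def audit_profile(params: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (parameter, actual, expected) for every baseline deviation.

    A parameter absent from the profile falls back to the kernel default,
    which this script cannot see, so it is reported as a finding as well.
    """
    findings: List[Tuple[str, str, str]] = []
    for name, ok, expected in BASELINE:
        actual = params.get(name)
        if actual is None or not ok(actual):
            findings.append((name, "<not set>" if actual is None else actual, expected))
    return findings


if __name__ == "__main__":
    for name, actual, expected in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: found {actual!r}, expected {expected}")
```

Run it against the profile files exported from the system; every finding names the parameter, the value found and the expected range, and a parameter that is simply missing is reported too, because the kernel default is then in force and must be checked separately.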
Reference 'L'
A Reference user is a general, impersonal user like the Service user. You cannot log on with a Reference user. The Reference user is used to give Internet users identical authorizations.
This assignment applies to all systems in a CUA (Central User Administration) landscape. If the assigned Reference user does not exist in a CUA child system, the assignment is ignored.
Other Considerations
The Security Audit Log is maintained on a daily basis on each application server.
Logs from previous days are neither deleted nor overwritten.
Because of the amount of information accumulated, it may be necessary to archive and purge audit files (using SM18).
Disadvantages:
In 3.0C there were approximately 600 check objects but thousands of transactions; therefore many transactions are protected by the same check object.
Many standard SAP transactions are not protected by check objects, or by authority checks in the programs that these transactions call.
Advantages:
Checking S_TCODE when a transaction is started guarantees that each transaction is protected by at least one authorization check.
It is easy to determine which transactions a user is allowed to execute (or start).
The security administrator is able to restrict individual users or user groups to the transactions they require by restricting authorizations for this object.
Security Authorization Objects
S_TCODE
Authorization object checked whenever a transaction is started.
Has one field: TCD (Transaction Code), used to specify which transactions or groups of transactions a user can start.
Guidelines
Check objects should be assigned to all transactions (including custom transactions).
When assigning users the relevant authorizations for these check objects, specific values should be used in the authorization fields. The use of the * value in these fields should be avoided wherever possible.
Table Viewing: transaction SE17. Significant authorization objects: S_TABU_DIS, S_TABU_CLI
Table Data Maintenance: transactions SE16, SM30, SM31. Significant authorization objects: S_TABU_DIS, S_TABU_CLI
Table Structure Maintenance: transactions SE11, SE12, SE13, SE14. Significant authorization object: S_DEVELOP
Table-Related Authorization Objects
S_TABU_DIS
Primary authorization object checked when performing table data viewing or maintenance.
Has two fields:
Authorization Group (DICBERCLS): used to specify which groups of tables a person can view or maintain.
Activity (ACTVT): used to specify what activities a person can perform related to table data. Possible values are:
02: Create, change or delete table entries
03: Display table entries only
Table-Related Authorization Objects
S_TABU_CLI
Authorization object checked when performing client-independent table maintenance.
Has one field:
Client-independent maintenance ID (CLIIDMAINT): used to specify whether a person can perform client-independent table maintenance. Possible value:
X: Allow client-independent table maintenance
S_PROGRAM
Primary authorization object checked when running programs directly.
Has two fields:
Authorization Group (P_GROUP): used to specify which groups of programs a person can run.
User Action (P_ACTION): used to specify what actions a person can perform related to programs. Possible values include:
SUBMIT: Start the program
BTCSUBMIT: Schedule the program to run as a background job
VARIANT: Maintain variants
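An added example, not SAP code, that models the user buffer described in the User Buffer section above together with the checks on S_TCODE, S_TABU_DIS, S_TABU_CLI and S_PROGRAM from this section, so that the effect of specific values versus the * value can be seen. The users, their authorization values and the authorization groups are constructed for the illustration; the matching rules (exact value, generic value ending in *, FROM-TO range) are a simplified model of the real check, and the object and field names are the standard SAP ones.

```python
"""Model of the SAP authorization check against the user buffer.

Added example, not SAP code. At logon all of a user's authorizations are
loaded into a buffer (sorted by object name, as the text describes); an
AUTHORITY-CHECK on an object succeeds when at least one authorization for
that object satisfies every field that is checked. A field value may be an
exact value, a generic value ending in '*' (prefix match; '*' alone matches
anything) or a (FROM, TO) range. All users and values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

Spec = Union[str, Tuple[str, str]]  # exact/generic value, or (FROM, TO) range


@dataclass
class Authorization:
    obj: str                      # authorization object, e.g. S_TABU_DIS
    fields: Dict[str, List[Spec]]  # field name -> permitted value specs


def value_matches(spec: Spec, value: str) -> bool:
    """Does one permitted value spec cover the value being checked?"""
    if isinstance(spec, tuple):   # FROM-TO range, compared as strings
        lo, hi = spec
        return lo <= value <= hi
    if spec == "*":
        return True
    if spec.endswith("*"):        # generic value: prefix match
        return value.startswith(spec[:-1])
    return spec == value


@dataclass
class UserBuffer:
    user: str
    auths: List[Authorization] = field(default_factory=list)

    @classmethod
    def logon(cls, user: str, auths: List[Authorization]) -> "UserBuffer":
        """Build the buffer at logon; authorizations are loaded alphabetically."""
        return cls(user, sorted(auths, key=lambda a: a.obj))

    def authority_check(self, obj: str, **checked: str) -> bool:
        """True if some authorization for `obj` satisfies every checked field."""
        for auth in self.auths:
            if auth.obj != obj:
                continue
            if all(any(value_matches(s, v) for s in auth.fields.get(f, []))
                   for f, v in checked.items()):
                return True
        return False  # object not in buffer, or no authorization matches


def start_transaction(buf: UserBuffer, tcode: str) -> bool:
    """S_TCODE is checked whenever a transaction is started."""
    return buf.authority_check("S_TCODE", TCD=tcode)


def table_access(buf: UserBuffer, auth_group: str, activity: str,
                 client_independent: bool = False) -> bool:
    """ACTVT 02 = create/change/delete, 03 = display. Client-independent
    maintenance additionally requires S_TABU_CLI with CLIIDMAINT = X."""
    if not buf.authority_check("S_TABU_DIS", DICBERCLS=auth_group, ACTVT=activity):
        return False
    if client_independent and activity != "03":
        return buf.authority_check("S_TABU_CLI", CLIIDMAINT="X")
    return True


def run_program(buf: UserBuffer, prog_group: str, action: str) -> bool:
    """S_PROGRAM is checked when a program is run directly."""
    return buf.authority_check("S_PROGRAM", P_GROUP=prog_group, P_ACTION=action)


# Constructed users: a restricted accountant, a customizer without
# S_TABU_CLI, and an over-broad Basis user whose '*' values show what the
# guideline against '*' is protecting against.
ACCOUNTANT = UserBuffer.logon("ACCT01", [
    Authorization("S_TCODE", {"TCD": ["FB*", "SE16"]}),
    Authorization("S_TABU_DIS", {"DICBERCLS": ["FC00"], "ACTVT": ["03"]}),
    Authorization("S_PROGRAM", {"P_GROUP": ["ZFI*"], "P_ACTION": ["SUBMIT", "VARIANT"]}),
])
TABLE_MAINTAINER = UserBuffer.logon("CUST01", [
    Authorization("S_TCODE", {"TCD": ["SM30"]}),
    Authorization("S_TABU_DIS", {"DICBERCLS": [("FC00", "FC99")], "ACTVT": ["02", "03"]}),
])
BASIS_ADMIN = UserBuffer.logon("BASIS01", [
    Authorization("S_TCODE", {"TCD": ["*"]}),
    Authorization("S_TABU_DIS", {"DICBERCLS": ["*"], "ACTVT": ["02", "03"]}),
    Authorization("S_TABU_CLI", {"CLIIDMAINT": ["X"]}),
    Authorization("S_PROGRAM", {"P_GROUP": ["*"], "P_ACTION": ["*"]}),
])

if __name__ == "__main__":
    for buf in (ACCOUNTANT, TABLE_MAINTAINER, BASIS_ADMIN):
        print(buf.user, "SU01:", start_transaction(buf, "SU01"),
              "change cross-client table group SS:", table_access(buf, "SS", "02", True))
```

The accountant can start FB01 (covered by the generic value FB*) and display tables in group FC00, but not change them; the customizer can change tables in FC00 to FC99 inside the client, yet fails on a client-independent table because S_TABU_CLI is absent from the buffer; the Basis user's * values pass every check, which is exactly the exposure the guidelines above warn about.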
(Profile Generator screenshots)
Observe that by selecting the transactions, Profile Generator assigned the relevant authorization objects.
Note that there are several red and yellow indicators (not ready yet).
Click on the Generate icon (the "beach ball"), then click Generate and change the profile name.
For example, authorization object F_BKPF_BUK is missing; an authorization for the object can be inserted manually.
Manual Authorizations
All manually inserted authorizations are identified as Manual.
For example, change access (02) should be removed from authorization object V_VBAK_VKO.
Customizing Authorizations
All changes made to Standard authorizations (except for blank authorizations) are indicated as Changed.
As with Manual authorizations, PG will NOT update any of the Changed authorizations (i.e., these authorizations remain in the Role until they are manually removed).
Deleting Authorizations
Unnecessary authorizations brought in by Profile Generator can be deleted.
Issues:
If a standard authorization was manually deleted from a Role, it will reappear when "Read old status and merge with new data" is executed in PG.
New authorizations are categorized as New authorizations.
The deleted authorization object is a default tied to a specific transaction code, so the merge brings it back as long as that transaction remains in the Role.
Basis Review
Should be performed every year
Must be performed for all production
systems
Should be performed prior to any business
cycle testing
Should be considered for other systems
(development or testing) based on risk
assessment
Data Interfaces
Need to test data interfaces
"Garbage in, garbage out" phenomenon
Environments may have multiple interfaces
Evaluate materiality and risk
Data Conversions
Need to review and test conversions
Usually only relevant in the first year after
implementation