Introduction to SAP Security
Kyle Balcerzak
SAP Security Consultant
Download the presentation recording with audio from the Symmetry Knowledge Center www.sym-corp.com/knowledge-center
Symmetry Corporation
Lifecycle Support for any SAP application on any platform combination
Implementation Support
Accessibility
24x7 direct access to your support team
Affordability
Highly competitive fixed-price contracts
Introducing
Security Architecture
User Master Record
Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security
Managing Security
Security Team
Role Owners and the Approval Process
Periodic Access Validation
Troubleshooting and Information
Security Tools
Security Objectives
Confidentiality - prevent users from viewing and disclosing confidential information.
Integrity - ensure the accuracy of the information in your company's system.
Availability - prevent the accidental or deliberate loss or damage of your company's information resources.
Factors to Consider
How important is your SAP system and the data stored in it to your business?
Do you have a policy requiring certain levels of security?
Do your internal or external auditors require a certain level of security for the information stored in your system?
Will you need some degree of security in the foreseeable future?
Legal Requirements
SOX, HIPAA, ITAR
Segregation of Duties vs. Excessive Access
Controls: Preventive vs. Detective
Why Smaller Companies Should Care
SOX Continued
Segregation of Duties
One user can perform two or more conflicting actions that together create a risk. Example:
Activities: Someone can create vendor master records and then process accounts payable payments
Risk: Gives someone the access to create a fictitious vendor and generate fraudulent payments to that vendor
Excessive Access
A single action that a user can perform that is outside their area of expertise or jurisdiction, or that grants critical access. Example:
Activity: End user can use SP01 to see the spool requests of all users
Risk: Users may view sensitive financial documents or payroll information, for example.
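The two control types just described, Segregation of Duties (two conflicting activities held by one user) and Excessive Access (one critical activity), can both be expressed as rules over the transactions a user's Roles grant. The following is an added example, not code from the presentation or from Symmetry: the rule set and the role-to-transaction mapping are constructed sample data, and the vendor-master/payment-run transaction codes XK01, FK01 and F110 are an assumption, since the slides name the activities but not the transaction codes.

```python
# Added example: a minimal preventive SoD / critical-access check over role assignments.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

@dataclass(frozen=True)
class SodRule:
    risk_id: str
    description: str
    first: FrozenSet[str]   # transactions granting conflicting activity A
    second: FrozenSet[str]  # transactions granting conflicting activity B

@dataclass(frozen=True)
class CriticalRule:
    risk_id: str
    description: str
    tcodes: FrozenSet[str]  # a single sensitive activity is enough to flag

# Hypothetical rule set mirroring the slide examples (tcodes are an assumption).
SOD_RULES = [
    SodRule("SOD-01", "Create vendor master and process AP payments",
            frozenset({"XK01", "FK01"}), frozenset({"F110"})),
]
CRIT_RULES = [
    CriticalRule("CRIT-01", "View spool requests of all users via SP01", frozenset({"SP01"})),
]

# Constructed role-to-transaction mapping (in a real system this comes from the Profiles).
ROLE_TCODES = {
    "Z_AP_PAYMENTS":   {"F110", "FB60"},
    "Z_VENDOR_MASTER": {"XK01", "FK01"},
    "Z_SPOOL_ADMIN":   {"SP01"},
}

def tcodes_for(roles: Iterable[str]) -> set:
    """Expand a user's Roles into the set of transactions they grant."""
    return set().union(*(ROLE_TCODES.get(r, set()) for r in roles))

def analyze_user(roles: Iterable[str]) -> List[str]:
    """Return the risk ids triggered by this combination of Roles.
    An SoD rule fires only when BOTH conflicting sides are held; a critical
    rule fires as soon as any of its transactions is held."""
    have = tcodes_for(roles)
    hits = [r.risk_id for r in SOD_RULES if have & r.first and have & r.second]
    hits += [r.risk_id for r in CRIT_RULES if have & r.tcodes]
    return hits

if __name__ == "__main__":
    print(analyze_user(["Z_AP_PAYMENTS", "Z_VENDOR_MASTER"]))  # ['SOD-01']
```

Running the check before a Role is assigned (rather than in a later audit report) is what makes it a preventive control in the slides' terminology.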
Shipping concerns
Unauthorized users should not have access to change a customer's shipping information.
Security Architecture
Authorization Objects Intro
User Master Record
Roles: Single, Derived, Composite; Task-based vs. Job-based Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security
Authorization Concept
User Master Record
User
Roles
Profiles
Authorization Objects
SAP Functionality
Authorization Objects
Authorization Objects are the keys to SAP security
When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations
The same Authorization Objects can be used by different Transactions
Example: in order to display a table, a user must have the Authorization Object S_TABU_DIS with the appropriate values
User Master Record
Validity dates (from/to)
User defaults (logon language, default printer, date/decimal formats)
Roles
Profiles
Authorization Objects
SAP Functionality
Roles
Roles are built on top of Profiles and include additional components such as:
User menus
Personalization
Workflow
In modern SAP systems, users are typically assigned the appropriate Roles by the security team
The system will automatically add the appropriate Profile(s) for each Role assigned
Authorization Objects only exist in Profiles (either on their own or when nested in Roles)
A Role has several parts, including:
Description
Menu
Documentation
Profile
Roles
Profile for a Role:
Roles Types
There are 3 types of Roles:
Single: an independent Role
Derived: has a parent and differs only in Organization Levels. Maintain Transactions, Menu, and Authorizations only at the parent level
Composite: a container that contains one or more Single or Derived Roles
Derived Role example:
Purchaser Child 1: ME21N, ME22N for Purchasing Organization 0001
Purchaser Child 2: ME21N, ME22N for Purchasing Organization 0002
Roles Types
Composite Role example:
Job-based
Each Role contains most functions that a user will need for their job in the organization
A/P Clerk
Buyer
Warehouse Manager
Hybrid approach
Profiles
Authorization Objects are stored in Profiles
Profiles are the original SAP Authorization infrastructure
Ultimately a user's Authorization comes from the Profile(s) that they have assigned
Profiles are different from Roles.
User Master Record
Roles
Profiles
Authorization Objects
SAP Functionality
SAP_NEW
Contains the new objects in the current release that are required to keep old transactions functioning. It does NOT contain all new Authorization Objects for that release
S_A.xxxxxxx
Standard BASIS Profiles for various job functions (e.g. customizing, development, administration, etc.)
User Buffer
When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer
As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer.
You can see the buffer in Transaction SU56
The user might have this Object several times from several Roles. The system keeps checking until it finds a match:
Role 1
  V_VBAK_AAT: Activity 03 (Display), Order Type * (All Order Types)
  V_VBAK_AAT: Activity 01 (Create), Order Type B1, B2, CS
Role 2
  V_VBAK_AAT: Activity 01 (Create), Order Type OR, RE
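The search described above can be simulated to show the detail that trips up troubleshooting most often: all fields of the check must be satisfied by one and the same Authorization instance, so the "Order Type *" from the Display instance does not combine with the "Activity 01" from a Create instance. This is an added example, not code from the presentation; the field names ACTVT and AUART are an assumption about object V_VBAK_AAT, and the buffer contents are constructed from the slide's Role 1 / Role 2 example.

```python
# Added example: a User Buffer search modelled on the slide's V_VBAK_AAT example.
from typing import Dict, List, Optional, Tuple

# One buffer entry = (source role, authorization object, field -> allowed value patterns).
BufferEntry = Tuple[str, str, Dict[str, Tuple[str, ...]]]

# Constructed User Buffer as loaded at logon, mirroring the slide (field names assumed).
USER_BUFFER: List[BufferEntry] = [
    ("Role 1", "V_VBAK_AAT", {"ACTVT": ("03",), "AUART": ("*",)}),            # Display, all order types
    ("Role 1", "V_VBAK_AAT", {"ACTVT": ("01",), "AUART": ("B1", "B2", "CS")}),  # Create, three order types
    ("Role 2", "V_VBAK_AAT", {"ACTVT": ("01",), "AUART": ("OR", "RE")}),        # Create, two more order types
]

def value_matches(pattern: str, value: str) -> bool:
    """SAP-style field value match: '*' is the full wildcard, 'ZA*' is a
    generic prefix, anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def authority_check(buffer: List[BufferEntry], obj: str, **fields: str) -> Optional[str]:
    """Return the Role whose Authorization satisfied the check, or None if the
    check fails. Every requested field must be satisfied by ONE instance; the
    search stops at the first instance that matches all fields."""
    for role, auth_obj, allowed in buffer:
        if auth_obj != obj:
            continue
        if all(any(value_matches(p, value) for p in allowed.get(name, ()))
               for name, value in fields.items()):
            return role
    return None  # this is the failure SU53 would show as the last failed check

if __name__ == "__main__":
    # Display any order type succeeds via Role 1; create order type ZZ fails
    # even though '*' exists in the buffer, because it sits in the Display instance.
    print(authority_check(USER_BUFFER, "V_VBAK_AAT", ACTVT="03", AUART="ZZ"))  # Role 1
    print(authority_check(USER_BUFFER, "V_VBAK_AAT", ACTVT="01", AUART="ZZ"))  # None
```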
Authorization Checks
How does SAP test whether the user has Authorization to execute functions? What happens when I try to start and run a Transaction?
Managing Security
Security Team
Role Owners and the Approval Process
Periodic Access Validation
Troubleshooting and Information: User Information System (SUIM), SU53, Authorization Trace (ST01), Security Audit Log (SM19/SM20)
Security Tools
Central User Administration
SAP NetWeaver Identity Management
SAP GRC Access Control Suite
Symsoft ControlPanelGRC
Security Team
It is important to select an appropriate security team. Size considerations are based on your organization:
Auditing requirements
Amount of changes
Security staff knowledge
Role changes should be done by the security team
User assignments can be processed by the security team or the Basis team
Unlocking Users/resetting passwords of Users can be done by the helpdesk
Security Team
Outsourcing is a good option for many companies. Key reasons to outsource:
Expert help available: it's hard for part-time security staff to understand all of the complexities of SAP Security
Internal staff may get overloaded and need extra help
Project work
Provide coverage during vacations/sick days
SU53
Last Authorization check that failed. May or may not be the Authorization that the User actually needs. Look at context clues to determine if it is appropriate. User may need more Authorization Objects after this one is added.
Authorization Trace
Transaction ST01. Records all Authorization Checks performed while a User is in the system. Does not include Structural Authorizations in HR Security.
ControlPanelGRC Security Troubleshooter makes this process easier by recording the steps to recreate the issue and the Authorization Trace, and sending the output to the Security Team.
Security Audit Log
Transactions SM19/SM20. Does not record what data was changed by the User.
SymSoft ControlPanelGRC
2nd generation compliance automation solution
User & Role Manager
Accelerates User and Role change management
Risk Analyzer
Real time risk analysis and mitigation of Segregation of Duties and Sensitive Authorization risks
Usage Analyzer
Monitors Transaction executions to provide:
Notification of executed risks
Reverse Business Engineering (RBE) tool
License Optimization tool
Transport Manager
Automates processing of change requests with auditable workflow
Batch Manager
Cross system infrastructure for compliant scheduling, monitoring and tracking of batch jobs
AutoAuditor
Allows compliance reports to be scheduled and sent to Users for documented review
Key Points
Security is the doorway to the SAP system
Security is a way of protecting information from unauthorized use
Security can unlock the flexibility of the system and customize it for each user
Information stored in SAP is one of your company's most valuable business assets.
SAP Security is complex and often difficult to manage and understand
There are legal requirements that influence SAP Security
Not all companies are required to comply with these regulations All businesses benefit from having well defined processes
There are tools available to help manage security but ultimately a good security team is key
Kyle Balcerzak
414-732-2743 kbalcerzak@sym-corp.com