Introduction to SAP

Security
Wednesday March 31, 2010

Kyle Balcerzak
SAP Security Consultant

Download the presentation recording with audio from the

Symmetry Knowledge Center
www.sym-corp.com/knowledge-center

Symmetry Corporation
Lifecycle Support for any SAP application on any platform combination
Implementation Support

SAP Certified Hosting

SAP NetWeaver / Basis administration

Security Design & Administration

Upgrade & Project Support

Symmetrys 21st Century Approach to Managed Services

Quality
Proactive support delivered
by US-based experts

Accessibility
24x7 direct access to your
support team

Affordability
Highly competitive fixed-price
contracts

Introducing

Kyle Balcerzak
SAP Security Consultant

What Well Cover

Introduction Why is Security Important?
Legal Requirements
SOX, HIPAA, ITAR
Risks & Controls
Why Unregulated Companies Should Care

Security Architecture
User Master Record
Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security

Managing Security
Security Team
Role owners and the approval process
Periodic Access Validation
Troubleshooting and information
Security Tools

Why is Security Important?

Security is the doorway to the SAP system.
Security is a way of protecting information from unauthorized use.
Security can unlock the flexibility of the system and customize it for
each user.
Information stored in SAP is one of your companys most valuable
business assets.

What is SAP Security?

SAP application security controls who can do what in SAP.
Examples:
Who can approve purchase requisitions over $10,000 (ME54N)?
Who can view other employees social security numbers in the system
(PA20)?
Who can update vendor bank information (XK02)?
Who can create or modify users (SU01)?

Security Objectives
Confidentiality - prevent users from viewing and disclosing
confidential information.
Integrity - ensure the accuracy of the information in your companys
system.
Availability - prevent the accidental or deliberate loss or damage of
your companys information resources.

Security Against Whom?

When people think about system security, they usually think about
people outside the company
business espionage
political rivals

In reality, you need to protect against your own people

Curiosity
Accidental access
Intentional access

Factors to Consider
How important is your SAP system and the data stored in it to your
business?
Do you have a policy requiring certain levels of security?
Do your internal or external auditors require a certain level of
security for the information stored in your system?
Will you need some degree of security in the foreseeable future?

Legal Requirements
SOX, HIPAA, ITAR
Segregation of Duties vs. Excessive Access
Controls Preventive vs. Detective
Why Smaller Companies Should Care

Sarbanes-Oxley (SOX) Act

Executives are ultimately responsible for confirming the design and
effectiveness of internal controls
Excessive access and Segregation of Duties issues are key points
Ultimately data integrity is key

SOX Continued
Segregation of Duties
One user can perform two or more conflicting actions that causes a risk.
Example:
Activities: Someone can create vendor master records and then process
accounts payable payments
Risk: Gives someone the access to create a fictitious vendor and generate
fraudulent payments to that vendor

Excessive Access
One action that a user can perform that is outside their area of
expertise, jurisdiction, or allows critical access
Example:
Activity: End user can use SP01 to see the spool request for all users
Risk: Users may view sensitive financial documents or payroll information for
example.

HIPAA and ITAR

Health Insurance Portability and Accountability Act
Personal health information can be shared with appropriate people for
patient care.
Typically comes into play in SAP HR systems.
Data privacy concerns
If an employee has a potentially embarrassing injury at work, these details
are stored in the system and should only be viewed by authorized personnel.

International Traffic in Arms Regulations

Controls the import/export of defense related articles and information.
Data privacy concerns
Information and material specifically about defense and military technologies
must only be shared with US Persons or those who are approved.

Shipping concerns
Unauthorized users should not have access to change shipping information
of customer.

Controls Preventive vs. Detective

In order to prevent fraud, accidental errors, and protect sensitive
information we must have controls.
There are two main categories of controls:
Preventive controls: prohibit inappropriate access
Authorizations, configuration, User-Exits, and so on

Detective controls: rely on other processes to identify inconsistencies

Alerts, periodic reporting, system monitoring

Why Unregulated Companies Should Care

Why should we care about segregating duties, excessive access or
documenting our business processes if we are not publicly traded or
subject to legal requirements?
Documentation
Reduction in errors
Cost of errors
Loss of customers
Fraud happens
Protection of trade secrets
Preserve confidential information

Security Architecture
Authorization Objects Intro
User Master Record
Roles Single, Derived, Composite
Task-based vs. Job-based Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security

Authorization Concept
User Master
Record

User

Roles

Profiles

Authorization
Objects

SAP
Functionality

Authorization Objects
Authorization Objects are the keys to SAP security
When you attempt actions in SAP the system checks to see whether
you have the appropriate Authorizations
The same Authorization Objects can be used by different
Transactions
Example in order to display a table, a user must have the
Authorization Object S_TABU_DIS with the appropriate values

User Master Records

Required to establish access for Users.
Created when a User is created.
User Master Records are client-dependent!

User Master Records

User Master Record information includes:
Name, Password, Address, Company information
User Group (used for security administration or searching capabilities)
Reference to Roles and Profiles (access capabilities are not stored
directly in user master records)
User type
Dialog typical for most users
System cannot be used for dialog login, can communicate between
systems and start background jobs
Communications Data cannot be used for dialog login, can communicate
between systems but cannot start background jobs
Reference cannot log in, used to assign additional Authorizations to Users
Service can log in but is excluded from password rules, etc. Used for
Support users and Internet services

Validity dates (from/to)

User defaults (logon language, default printer, date/decimal formats)

User Master Record

Roles and Profiles

Users are assigned Roles and Profiles which contain Authorization
Objects
Profiles contain Authorization Objects
Roles contain Profiles
Profiles that come delivered with the
system or were created from scratch
can be assigned directly to users

User Master
Record

User

Roles

Profiles

Profiles that were created for a Role

are attached to that Role cannot be
assigned directly. You must assign
the Role and the system will then
assign the user the correct Profile

Authorization
Objects

SAP
Functionality

Roles
Roles are built on top of Profiles and include additional components
such as:
User menus
Personalization
Workflow

In modern SAP systems, users are typically assigned the

appropriate Roles by the security team
The system will automatically add the appropriate Profile(s) for each
Role assigned
****Authorization Objects only exist in Profiles (either on their own or
when nested in roles)
A Role has several parts, including:
Description

Documentation

Menu

Profile

Tips for Managing Roles

Roles typically do not change often
It is strongly recommended that they be created in a Development
client, then transported to Quality (tested, hopefully) and finally
promoted to Production.
Roles should originate from the same client (pick one to be your
security development client).
It is much easier to assign an existing Role to a User than to create
or modify a Role.
SAPs template Roles are intended only for example.
Best practice is to have Users tell you the exact Transactions they
require and build Roles from scratch.
At the very least, copy them into your own namespace
Be aware that many of them contain too much access so be careful!

Roles

Roles
Profile for a Role:

Roles Types
There are 3 types of Roles:
Single an independent Role
Derived has a parent and differs only in Organization Levels. Maintain
Transactions, Menu, Authorizations only at the parent level
Composite container that contains one or more Single or Derived
Roles

Derived Role example:

Purchaser Parent
ME21N, ME22N for all or no Purchasing Organizations

Purchaser Child 1
ME21N, ME22N for Purchasing Organization 0001

Purchaser Child 2
ME21N, ME22N for Purchasing Organization 0002

Roles Types
Composite Role example:

Task-based vs. Job-based Roles

Task-based
Each Role can performs one function (usually one or only a few
Transactions)
Vendor master creation
Create sales order

Job-based
Each Role contains most functions that a user will need for their job in
the organization
A/P Clerk
Buyer
Warehouse Manager

Hybrid approach

Profiles
Authorization Objects are stored in Profiles
Profiles are the original SAP Authorization infrastructure
Ultimately a users Authorization comes from the Profile/s that they
have assigned
Profiles are different from Roles.
User Master
Record

User

Roles

Profiles

Authorization
Objects

SAP
Functionality

Examples of Delivered Profiles

SAP_ALL
Delivered with the system
Contains almost all Authorization Objects

SAP_NEW
Contains the new objects in the current release that are required to
keep old transactions functioning.
It does NOT contain all new Authorization Objects for that release

S_A.xxxxxxx
Standard BASIS Profiles for various job functions (i.e. customizing,
development, administration, etc.)

Authorization Objects
Authorization Objects are the keys to SAP Security
When you attempt actions in SAP, the system checks to see
whether you have the appropriate Authorizations
The same Authorization Objects can be used by different
Transactions
Example in order to display a table, a user must have the
Authorization Object S_TABU_DIS with the appropriate values

User Buffer
When a User logs into the system, all of the Authorizations that the
User has are loaded into a special place in memory called the User
Buffer
As the User attempts to perform activities, the system checks
whether the user has the appropriate Authorization Objects in the
User Buffer.
You can see the
buffer in
Transaction
SU56

Example of Authorization Check

When attempting to execute a Transaction, each instance of a
required Authorization Object that a user has is checked by the
system until the system finds a match.
Example: User would like to create a Sales Order of the Document
Type Standard Order (OR).
One of the Authorization Objects that the system looks for is:
V_VBAK_AAT
There are two fields Activity and Order Type
To create a sales order for this type, the user will need:
V_VBAK_AAT with:
Activity 01 (Create)
Order Type OR (Standard Order)

Example of Authorization Check

To create a sales order for the Standard Order type, the user will need:
V_VBAK_AAT with:
Activity 01 (Create)
Order Type OR (Standard Order)

The user might have this Object several times from several Roles. The
system keeps checking until it finds a match:
Role 1
V_VBAK_AAT
Activity 03 (Display)
Order Type * (All Order Types)

V_VBAK_AAT
Activity 01 (Create)
Order Type B1, B2, CS

Role 2
V_VBAK_AAT
Activity 01 (Create)
Order Type OR, RE

Authorization Checks
How does SAP test whether the user has Authorization to execute
functions? What happens when I try to start and run a Transaction?

Authorization Checks Executing a Transaction

1.

Does the Transaction Exist?

Authorization Checks Executing a Transaction

2.

Is the Transaction locked?

1.

Does the Transaction Exist?

Authorization Checks Executing a Transaction

3.

Can the User start the Transaction?

2.

Is the Transaction locked?

1.

Does the Transaction Exist?

Authorization Checks Executing a Transaction

4.

What can the User do in the Transaction?

3.

Can the User start the Transaction?

2.

Is the Transaction locked?

1.

Does the Transaction Exist?

Authorization Checks Executing a Transaction

1) Does the Transaction exist?
All Transactions have an entry in table TSTC

2) Is the Transaction locked?

Transactions are locked using Transaction SM01
Once locked, they cannot be used in any client

3) Can the User start the Transaction?

Every Transaction requires that the user have the Object
S_TCODE=Transaction Name
Some Transactions also require another Authorization Object to start
(varies depending on the Transaction)

4) What can the User do in the Transaction?

The system will check to see if the user has additional Authorization
Objects as necessary

Managing Security
Security Team
Role Owners and the Approval Process
Periodic Access Validation
Troubleshooting and Information
User Information System (SUIM)
SU53
Authorization Trace (ST01)
Security Audit log (SM19/SM20)

Security Tools
Central User Administration
SAP NetWeaver Identity Management
SAP GRC Access Control Suite
Symsoft ControlPanelGRC

SAP is a Complex Ecosystem

There are many different SAP applications with different areas of
expertise required
Some of these require specialized security knowledge, e.g. HCM
and BI/BW
Examples:
ECC (Sales and Distribution (SD), Materials Management (MM),
Financial and Cost Accounting (FICO), Warehouse Management (WM),
Quality Management (QM), Plant Maintenance (PM), Human Capital
Management (HCM))
Business Information Warehouse (BI/BW)
Customer Relationship Management (CRM)
Supplier Relationship Management (SRM)
Advanced Planner and Optimizer/Supply Chain Management
(SCM/APO)
Portal
And whatever else SAP dreams up!

Security Team
Important to select an appropriate security team.
Size consideration based on your organization
Auditing requirements
Amount of changes
Security staff knowledge

Role changes should be done by the security team

User assignments can be processed by the security team or the
basis team
Unlocking Users/resetting passwords of Users can be done by the
helpdesk

Security Team
Outsourcing is a good option for many companies.
Key reasons to outsource
Expert help available its hard for part-time security staff to understand
all of the complexities of SAP Security
Internal staff may get overloaded and need extra help.
Project work
Provide coverage during vacations/sick days

Key considerations in choosing an outsourcing provider

Ongoing access to a team vs. consultant randomly assigned by a help
desk
24x7 access to support
Fixed rate support vs. charge by the hour

Role Owners and the Approval Process

The security team may know how to make changes to access, but
will need to work with the business to determine what changes
should be made.
Changes include making changes to Roles (modifying
Authorizations, adding/removing Transactions) and assigning those
Roles to users.
Have Role changes approved by the Role owner
Have User assignment changes approved by both a manager and the
Role owner.
The business is often not aware of the implications of changes that are
requested. Your security team should be able to point out potential risks
when access is requested.

Periodic Access Validation

Its a good idea to have Role matrix reports generated and reviewed
periodically by Role owners
Ensures that inappropriate changes were not made
Accountability
Consider doing this quarterly or at least yearly

Periodic Access Validation

Example output of a report that was generated by
ControlPanelGRC:

User Information System

Transaction SUIM
Great place to get information about Users/Roles
TIP has had bugs over the years. If something seems incorrect, query
the appropriate table directly.

SU53
Last Authorization check that failed.
May or may not be the Authorization that the User actually needs.
Look at context clues to determine if it is appropriate.
User may need more Authorization Objects after this one is added.

Authorization Trace
Transaction ST01
Records all Authorization Checks performed while a User is in the
system.
Does not include Structural Authorizations in HR Security.
ControlPanelGRC Security
Troubleshooter makes this
process easier by recording
the steps to recreate the
issue, the Authorization
Trace, and sending the
output the Security Team.

Security Audit Log

Records information about what Users are doing
Logon/logoff
Transactions/reports started or attempted to start
Password changes
Workstation name of User
Is not on by default.

Transactions SM19/SM20.
Does not record what data was changed by the User.

Central User Administration (CUA)

Manage Users from one SAP client
Simplifies User administration and can save a lot of time especially for
large environments
If you own SAP, you already own this. All you need is someone to configure
it
There are several gotchas that frequently come up when installing. We
recommend contacting a consultant who is CUA savvy
Asynchronous! Ultimately, the Users and Roles exist in each client. CUA is
only the place you log in to make changes!
SOL-100
CUA Central
System

DEV-100
QAS-100
PRD-100

SAP Netweaver Identity Management

SAPs Identity Management Solution
Cross system/cross vendor integration
Separate landscape/installation
Highly configurable, contact someone who specializes in this
product.

SAP GRC Access Controls

Risk Analysis and Remediation
Find SoDs, excessive access for both Roles and Users
Alert Monitoring

Compliant User Provisioning

Workflow for User creations/modifications
Incorporates SoD checks

Superuser Privilege Management

Emergency, temporary access
Logs some of the users actions, notifies managers when used

Enterprise Role Management

Workflow for Role creations/modifications
Incorporates SoD checks

SymSoft ControlPanelGRC
2nd generation compliance automation solution
User & Role Manager
Accelerates User and Role change management

Risk Analyzer
Real time risk analysis and mitigation of Segregation of Duties and Sensitive Authorization risks

Usage Analyzer
Monitors Transaction executions to provide
Notification of executed risks
Reverse Business Engineering (RBE) tool
License Optimization tool

Transport Manager
Automates processing of change requests with auditable workflow

Batch Manager
Cross system infrastructure for compliant scheduling, monitoring and tracking of batch jobs

Emergency Access Manager

Manages temporary access access is tracked by User and reports are routed for review

AutoAuditor
Allows compliance reports to be scheduled and sent to Users for documented review

Key Points
Security is the doorway to the SAP system
Security is a way of protecting information from unauthorized use
Security can unlock the flexibility of the system and customize it for each user
Information stored in SAP is one of your companys most valuable business
assets.
SAP Security is complex and often difficult to manage and understand
There are legal requirements that influence SAP Security
Not all companies are required to comply with these regulations
All businesses benefit from having well defined processes

There are tools available to help manage security but ultimately a good
security team is key

Download the presentation recording with audio from the

Symmetry Knowledge Center
www.sym-corp.com/knowledge-center

Kyle Balcerzak
414-732-2743
kbalcerzak@sym-corp.com