Introduction To SAP Security: Kyle Balcerzak
Security
Wednesday March 31, 2010
Kyle Balcerzak
SAP Security Consultant
Symmetry Corporation
Lifecycle Support for any SAP application on any platform combination
Implementation Support
Accessibility: 24x7 direct access to your support team
Affordability: highly competitive fixed-price contracts
Introducing
Kyle Balcerzak
SAP Security Consultant
Security Architecture
User Master Record
Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security
Managing Security
Security Team
Role owners and the approval process
Periodic Access Validation
Troubleshooting and information
Security Tools
Security Objectives
Confidentiality - prevent users from viewing and disclosing confidential information.
Integrity - ensure the accuracy of the information in your company's system.
Availability - prevent the accidental or deliberate loss or damage of your company's information resources.
Factors to Consider
How important are your SAP system and the data stored in it to your business?
Do you have a policy requiring certain levels of security?
Do your internal or external auditors require a certain level of security for the information stored in your system?
Will you need some degree of security in the foreseeable future?
Legal Requirements
SOX, HIPAA, ITAR
Segregation of Duties vs. Excessive Access
Controls: Preventive vs. Detective
Why Smaller Companies Should Care
SOX Continued
Segregation of Duties
One user can perform two or more conflicting actions that together create a risk.
Example:
Activities: someone can create vendor master records and then process accounts payable payments.
Risk: gives that person the access to create a fictitious vendor and generate fraudulent payments to that vendor.
Excessive Access
One action that a user can perform that is outside their area of expertise or jurisdiction, or that grants critical access.
Example:
Activity: an end user can use SP01 to see the spool requests of all users.
Risk: users may view sensitive financial documents or payroll information, for example.
Shipping concerns
Unauthorized users should not have access to change a customer's shipping information.
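The two risk types above can be evaluated mechanically, which is what a Risk Analyzer does. The following is an added example, not code from the presentation or from Symmetry: business function names, role names and every transaction code except SP01 are constructed for illustration.

```python
# Added example (not from the presentation): a small Risk Analyzer-style check
# for the two risk types described above, Segregation of Duties (two conflicting
# business functions held by one user) and Excessive Access (a single critical
# function). Function names, role names and the Z* transaction codes are
# constructed for illustration; only SP01 is taken from the slide.
from typing import Dict, List, Set

# Business function -> transactions that grant it (constructed mapping)
FUNCTIONS: Dict[str, Set[str]] = {
    "Maintain vendor master": {"ZVENDOR_CREATE", "ZVENDOR_CHANGE"},
    "Process AP payments": {"ZAP_PAYRUN"},
    "Display all spool requests": {"SP01"},
}

# SoD rules: a pair of functions one user must not hold together, plus the risk
SOD_RULES = [
    (("Maintain vendor master", "Process AP payments"),
     "Create a fictitious vendor and generate fraudulent payments to it"),
]
# Critical-access rules: a single function that is excessive for an end user
CRITICAL_RULES = [
    ("Display all spool requests",
     "May view sensitive financial documents or payroll information"),
]

# Role -> transactions it grants (constructed sample data)
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"ZAP_PAYRUN"},
    "Z_VENDOR_MAINT": {"ZVENDOR_CREATE"},
    "Z_BASIS_SPOOL": {"SP01"},
}


def functions_for_user(roles: List[str]) -> Set[str]:
    """Resolve a user's roles to the business functions they can perform."""
    tcodes = set().union(*(ROLE_TCODES.get(r, set()) for r in roles))
    return {f for f, needed in FUNCTIONS.items() if tcodes & needed}


def analyze_risks(roles: List[str]) -> List[str]:
    """Return a description of every SoD and critical-access risk the roles create."""
    held = functions_for_user(roles)
    findings = []
    for (a, b), risk in SOD_RULES:
        if a in held and b in held:
            findings.append(f"SoD: {a} + {b} -> {risk}")
    for func, risk in CRITICAL_RULES:
        if func in held:
            findings.append(f"Excessive access: {func} -> {risk}")
    return findings
```

Run as a preventive control before a role is assigned, or as a detective control over existing assignments.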
Security Architecture
Authorization Objects Intro
User Master Record
Roles Single, Derived, Composite
Task-based vs. Job-based Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security
Authorization Concept
[Diagram: User Master Record - User - Roles - Profiles - Authorization Objects - SAP Functionality]
Authorization Objects
Authorization Objects are the keys to SAP security.
When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations.
The same Authorization Objects can be used by different Transactions.
Example: in order to display a table, a user must have the Authorization Object S_TABU_DIS with the appropriate values.
Roles
Roles are built on top of Profiles and include additional components such as:
User menus
Personalization
Workflow
Documentation
[Diagram: a Role consists of a Menu and a Profile]
Profile for a Role: [screenshot]
Roles Types
There are 3 types of Roles:
Single: an independent Role.
Derived: has a parent and differs only in Organization Levels. Maintain Transactions, Menu and Authorizations only at the parent level.
Composite: a container that contains one or more Single or Derived Roles.
Derived Role example:
Purchaser Child 1: ME21N, ME22N for Purchasing Organization 0001
Purchaser Child 2: ME21N, ME22N for Purchasing Organization 0002
Roles Types
Composite Role example: [diagram]
Job-based: each Role contains most functions that a user will need for their job in the organization, e.g.
A/P Clerk
Buyer
Warehouse Manager
Hybrid approach
Profiles
Authorization Objects are stored in Profiles.
Profiles are the original SAP Authorization infrastructure.
Ultimately a user's Authorization comes from the Profile(s) that they have assigned.
Profiles are different from Roles.
SAP_NEW: contains the new objects in the current release that are required to keep old transactions functioning. It does NOT contain all new Authorization Objects for that release.
S_A.xxxxxxx: standard BASIS Profiles for various job functions (e.g. customizing, development, administration).
User Buffer
When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer.
As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer.
You can see the buffer in Transaction SU56.
The user might have this Object several times from several Roles. The system keeps checking until it finds a match:
Role 1
  V_VBAK_AAT: Activity 03 (Display), Order Type * (All Order Types)
  V_VBAK_AAT: Activity 01 (Create), Order Type B1, B2, CS
Role 2
  V_VBAK_AAT: Activity 01 (Create), Order Type OR, RE
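The buffer lookup above can be modelled in a few lines, which also shows the detail the slide leaves implicit: a check succeeds only when one single authorization instance satisfies every field, values are never combined across instances or roles. This is an added example, not code from the presentation; the field names ACTVT and AUART for Activity and Order Type are assumed, and only exact values and the full wildcard "*" are modelled (SAP's ranges and trailing-* patterns are left out).

```python
# Added example (not from the presentation): a simplified model of the User
# Buffer check described above. Assumptions: field names ACTVT (Activity) and
# AUART (Order Type) are assumed; only exact values and the full wildcard '*'
# are handled, SAP ranges and trailing-'*' patterns are not modelled.
from typing import Dict, List

# One authorization instance: object name -> {field: allowed values}
Authorization = Dict[str, Dict[str, List[str]]]

# The role contents shown on the slide
ROLES: Dict[str, List[Authorization]] = {
    "Role 1": [
        {"V_VBAK_AAT": {"ACTVT": ["03"], "AUART": ["*"]}},              # display, all types
        {"V_VBAK_AAT": {"ACTVT": ["01"], "AUART": ["B1", "B2", "CS"]}},  # create, 3 types
    ],
    "Role 2": [
        {"V_VBAK_AAT": {"ACTVT": ["01"], "AUART": ["OR", "RE"]}},        # create, 2 types
    ],
}


def load_user_buffer(roles: List[str]) -> List[Authorization]:
    """At logon every authorization from every assigned role is copied to the buffer."""
    return [auth for r in roles for auth in ROLES.get(r, [])]


def field_matches(allowed: List[str], value: str) -> bool:
    """'*' grants every value; otherwise the value must be listed explicitly."""
    return "*" in allowed or value in allowed


def authority_check(buffer: List[Authorization], obj: str, **fields: str) -> bool:
    """Succeed only if ONE instance of obj in the buffer satisfies ALL requested fields.
    Fields are never combined across instances, so ACTVT 01 from one instance
    and AUART '*' from another do not add up to 'create any order type'."""
    for auth in buffer:
        if obj not in auth:
            continue
        if all(field_matches(auth[obj].get(f, []), v) for f, v in fields.items()):
            return True
    return False


if __name__ == "__main__":
    buf = load_user_buffer(["Role 1", "Role 2"])
    print(authority_check(buf, "V_VBAK_AAT", ACTVT="01", AUART="RE"))  # True, via Role 2
    print(authority_check(buf, "V_VBAK_AAT", ACTVT="01", AUART="ZZ"))  # False, no instance fits
```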
Authorization Checks
How does SAP test whether the user has Authorization to execute functions? What happens when I try to start and run a Transaction?
[Diagram: numbered steps of the authorization check when a Transaction is started]
Managing Security
Security Team
Role Owners and the Approval Process
Periodic Access Validation
Troubleshooting and Information
User Information System (SUIM)
SU53
Authorization Trace (ST01)
Security Audit log (SM19/SM20)
Security Tools
Central User Administration
SAP NetWeaver Identity Management
SAP GRC Access Control Suite
Symsoft ControlPanelGRC
Security Team
It is important to select an appropriate security team. Size considerations are based on your organization:
Auditing requirements
Amount of changes
Security staff knowledge
Security Team
Outsourcing is a good option for many companies.
Key reasons to outsource:
Expert help available - it's hard for part-time security staff to understand all of the complexities of SAP Security.
Internal staff may get overloaded and need extra help.
Project work.
Provide coverage during vacations/sick days.
SU53
Shows the last Authorization check that failed.
May or may not be the Authorization that the User actually needs.
Look at context clues to determine if it is appropriate.
The user may need more Authorization Objects after this one is added.
Authorization Trace
Transaction ST01
Records all Authorization Checks performed while a User is in the system.
Does not include Structural Authorizations in HR Security.
ControlPanelGRC Security Troubleshooter makes this process easier by recording the steps to recreate the issue and the Authorization Trace, and sending the output to the Security Team.
Security Audit Log
Transactions SM19/SM20.
Does not record what data was changed by the User.
[Diagram: systems DEV-100, QAS-100, PRD-100]
SymSoft ControlPanelGRC
2nd generation compliance automation solution
User & Role Manager
Accelerates User and Role change management
Risk Analyzer
Real time risk analysis and mitigation of Segregation of Duties and Sensitive Authorization risks
Usage Analyzer
Monitors Transaction executions to provide notification of executed risks
Reverse Business Engineering (RBE) tool
License Optimization tool
Transport Manager
Automates processing of change requests with auditable workflow
Batch Manager
Cross system infrastructure for compliant scheduling, monitoring and tracking of batch jobs
AutoAuditor
Allows compliance reports to be scheduled and sent to Users for documented review
Key Points
Security is the doorway to the SAP system
Security is a way of protecting information from unauthorized use
Security can unlock the flexibility of the system and customize it for each user
Information stored in SAP is one of your company's most valuable business assets.
SAP Security is complex and often difficult to manage and understand
There are legal requirements that influence SAP Security
Not all companies are required to comply with these regulations
All businesses benefit from having well defined processes
There are tools available to help manage security, but ultimately a good security team is key.
Kyle Balcerzak
414-732-2743
kbalcerzak@sym-corp.com