Introduction to SAP Security
Wednesday March 31, 2010
Kyle Balcerzak, SAP Security Consultant
Download the presentation recording with audio from the Symmetry Knowledge Center: www.sym-corp.com/knowledge-center

Symmetry Corporation
Lifecycle Support for any SAP application on any platform combination
- Implementation Support
- SAP Certified Hosting
- SAP NetWeaver / Basis administration
- Security Design & Administration
- Upgrade & Project Support

Symmetry's 21st Century Approach to Managed Services
- Quality: proactive support delivered by US-based experts
- Accessibility: 24x7 direct access to your support team
- Affordability: highly competitive fixed-price contracts

Introducing Kyle Balcerzak, SAP Security Consultant

What We'll Cover
- Introduction - Why is Security Important?
- Legal Requirements: SOX, HIPAA, ITAR; Risks & Controls; Why Unregulated Companies Should Care
- Security Architecture: User Master Record, Roles, Profiles, Authorization Objects, User Buffer, 4 Doors to SAP Security
- Managing Security: Security Team, Role owners and the approval process, Periodic Access Validation, Troubleshooting and information
- Security Tools

Why is Security Important?
- Security is the doorway to the SAP system.
- Security is a way of protecting information from unauthorized use.
- Security can unlock the flexibility of the system and customize it for each user.
- Information stored in SAP is one of your company's most valuable business assets.

What is SAP Security?
SAP application security controls who can do what in SAP. Examples:
- Who can approve purchase requisitions over $10,000 (ME54N)?
- Who can view other employees' social security numbers in the system (PA20)?
- Who can update vendor bank information (XK02)?
- Who can create or modify users (SU01)?

Security Objectives
- Confidentiality - prevent users from viewing and disclosing confidential information.
- Integrity - ensure the accuracy of the information in your company's system.
- Availability - prevent the accidental or deliberate loss or damage of your company's information resources.

Security Against Whom?
- When people think about system security, they usually think about people outside the company: business espionage, political rivals.
- In reality, you need to protect against your own people: curiosity, accidental access, intentional access.

Factors to Consider
- How important is your SAP system and the data stored in it to your business?
- Do you have a policy requiring certain levels of security?
- Do your internal or external auditors require a certain level of security for the information stored in your system?
- Will you need some degree of security in the foreseeable future?

Legal Requirements
- SOX, HIPAA, ITAR
- Segregation of Duties vs. Excessive Access
- Controls - Preventive vs. Detective
- Why Smaller Companies Should Care

Sarbanes-Oxley (SOX) Act
- Executives are ultimately responsible for confirming the design and effectiveness of internal controls.
- Excessive access and Segregation of Duties issues are key points.
- Ultimately - data integrity is key.

SOX Continued
Segregation of Duties: one user can perform two or more conflicting actions that together cause a risk.
- Example activity: someone can create vendor master records and then process accounts payable payments.
- Risk: gives someone the access to create a fictitious vendor and generate fraudulent payments to that vendor.
Excessive Access: one action that a user can perform that is outside their area of expertise or jurisdiction, or that allows critical access.
- Example activity: an end user can use SP01 to see the spool requests of all users.
- Risk: users may view sensitive financial documents or payroll information, for example.

HIPAA and ITAR
Health Insurance Portability and Accountability Act
- Personal health information can be shared with appropriate people for patient care. Typically comes into play in SAP HR systems.
- Data privacy concerns: if an employee has a potentially embarrassing injury at work, these details are stored in the system and should only be viewed by authorized personnel.
International Traffic in Arms Regulations
- Controls the import/export of defense related articles and information.
- Data privacy concerns: information and material specifically about defense and military technologies must only be shared with US Persons or those who are approved.
- Shipping concerns: unauthorized users should not have access to change the shipping information of customers.

Controls - Preventive vs. Detective
In order to prevent fraud and accidental errors, and to protect sensitive information, we must have controls. There are two main categories of controls:
- Preventive controls prohibit inappropriate access: authorizations, configuration, user exits, and so on.
- Detective controls rely on other processes to identify inconsistencies: alerts, periodic reporting, system monitoring.

Why Unregulated Companies Should Care
Why should we care about segregating duties, excessive access or documenting our business processes if we are not publicly traded or subject to legal requirements?
- Documentation
- Reduction in errors: cost of errors, loss of customers
- Fraud happens
- Protection of trade secrets
- Preserve confidential information

Security Architecture
- Authorization Objects intro
- User Master Record
- Roles - Single, Derived, Composite; Task-based vs. Job-based Roles
- Profiles
- Authorization Objects
- User Buffer
- 4 Doors to SAP Security

Authorization Concept
User Master Record -> Roles -> Profiles -> Authorization Objects -> SAP Functionality

Authorization Objects
- Authorization Objects are the keys to SAP security.
- When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations.
- The same Authorization Objects can be used by different Transactions.
- Example - in order to display a table, a user must have the Authorization Object S_TABU_DIS with the appropriate values.

User Master Records
- Required to establish access for Users. Created when a User is created.
- User Master Records are client-dependent!
User Master Record information includes:
- Name, Password, Address, Company information
- User Group (used for security administration or searching capabilities)
- Reference to Roles and Profiles (access capabilities are not stored directly in user master records)
- User type:
  - Dialog - typical for most users
  - System - cannot be used for dialog login; can communicate between systems and start background jobs
  - Communications Data - cannot be used for dialog login; can communicate between systems but cannot start background jobs
  - Reference - cannot log in; used to assign additional Authorizations to Users
  - Service - can log in but is excluded from password rules, etc.; used for support users and Internet services
- Validity dates (from/to)
- User defaults (logon language, default printer, date/decimal formats)

User Master Record, Roles and Profiles
- Users are assigned Roles and Profiles, which contain Authorization Objects.
- Profiles contain Authorization Objects; Roles contain Profiles.
- Profiles that come delivered with the system or were created from scratch can be assigned directly to users.
- Profiles that were created for a Role are attached to that Role and cannot be assigned directly.

Profiles
- Authorization Objects are stored in Profiles.
- Profiles are the original SAP Authorization infrastructure.
- Ultimately - a user's Authorization comes from the Profile(s) that they have assigned.
- Profiles are different from Roles, e.g. you must assign the Role and the system will then assign the user the correct Profile.

Examples of Delivered Profiles
- SAP_ALL: delivered with the system; contains almost all Authorization Objects.
- SAP_NEW: contains the new objects in the current release that are required to keep old transactions functioning. It does NOT contain all new Authorization Objects for that release.
- S_A.xxxxxxx: standard BASIS Profiles for various job functions (i.e. administration, development, customizing, etc.).

Roles
- Roles are 'built on top' of Profiles and include additional components such as user menus, personalization and workflow.
- In modern SAP systems, users are typically assigned the appropriate Roles by the security team. The system will automatically add the appropriate Profile(s) for each Role assigned.
- ****Authorization Objects only exist in Profiles (either on their own or when "nested" in roles).
- A Role has several parts, including: Description, Documentation, Menu, Profile.

Roles - Types
There are 3 types of Roles:
- Single - an independent Role
- Derived - has a parent and differs only in Organization Levels; Authorizations are maintained only at the parent level
- Composite - a container that contains one or more Single or Derived Roles
Derived Role example:
- Purchaser Parent: ME21N, ME22N for all or no Purchasing Organizations
- Purchaser Child 1: ME21N, ME22N for Purchasing Organization 0001
- Purchaser Child 2: ME21N, ME22N for Purchasing Organization 0002
Composite Role example: (diagram)

Task-based vs. Job-based Roles
- Task-based: each Role performs one function (usually one or only a few Transactions), e.g. vendor master creation, create sales order.
- Job-based: each Role contains most functions that a user will need for their job in the organization, e.g. A/P Clerk, Buyer, Warehouse Manager.
- Hybrid approach

Tips for Managing Roles
- Roles typically do not change often.
- It is strongly recommended that they be created in a Development client, then transported to Quality (tested, hopefully) and finally promoted to Production. At the very least, Roles should originate from the same client (pick one to be your "security development" client).
- Best practice is to have Users tell you the exact Transactions they require and build Roles from scratch.
- It is much easier to assign an existing Role to a User than to create or modify a Role.
- SAP's template Roles are intended only as examples. Maintain Transactions, Menu, etc., and copy them into your own namespace. Be aware that many of them contain too much access, so be careful!

User Buffer
- When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer.
- As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer.
- You can see the buffer in Transaction SU56.

Authorization Checks
- How does SAP test whether the user has Authorization to execute functions?
- What happens when I try to start and run a Transaction?

Example of Authorization Check
- When attempting to execute a Transaction, each instance of a required Authorization Object that a user has is checked by the system until the system finds a match.
- Example: a User would like to create a Sales Order of the Document Type "Standard Order" (OR). One of the Authorization Objects that the system looks for is V_VBAK_AAT. There are two fields - Activity and Order Type.
- To create a sales order for the Standard Order type, the user will need V_VBAK_AAT with: Activity - 01 (Create), Order Type - OR (Standard Order).
- The user might have this Object several times from several Roles. The system keeps checking until it finds a match:
  - Role 1: V_VBAK_AAT with Activity - 03 (Display), Order Type - * (All Order Types); V_VBAK_AAT with Activity - 01 (Create), Order Type - B1, B2, CS
  - Role 2: V_VBAK_AAT with Activity - 01 (Create), Order Type - OR, RE

Authorization Checks - Executing a Transaction
1) Does the Transaction exist? All Transactions have an entry in table TSTC.
2) Is the Transaction locked? Transactions are locked using Transaction SM01. Once locked, they cannot be used in any client.
3) Can the User start the Transaction? Every Transaction requires that the user have the Object S_TCODE = Transaction Name. Some Transactions also require another Authorization Object to start (varies depending on the Transaction).
4) What can the User do in the Transaction? The system will check to see if the user has additional Authorization Objects as necessary.

Managing Security
- Security Team
- Role Owners and the Approval Process
- Periodic Access Validation
- Troubleshooting and Information: User Information System (SUIM), SU53, Authorization Trace (ST01), Security Audit Log (SM19/SM20)
- Security Tools: Central User Administration, SAP NetWeaver Identity Management, SAP GRC Access Control Suite, Symsoft ControlPanelGRC

SAP is a Complex Ecosystem
- There are many different SAP applications with different areas of expertise required.
- Some of these require specialized security knowledge, e.g. HCM and BI/BW.
- Examples: ECC (Sales and Distribution (SD), Materials Management (MM), Financial and Cost Accounting (FICO), Plant Maintenance (PM), Warehouse Management (WM), Quality Management (QM), Human Capital Management (HCM)), Business Information Warehouse (BI/BW), Customer Relationship Management (CRM), Supplier Relationship Management (SRM), Advanced Planner and Optimizer/Supply Chain Management (SCM/APO), Portal ...and whatever else SAP dreams up!
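The user-buffer matching and the four transaction-start checks described above, as an added Python model that is not from the presentation. It replays the slide's V_VBAK_AAT example (Role 1 and Role 2 merged into one buffer); ACTVT and AUART are assumed as the technical field names for Activity and Order Type, VA01, VA02 and SE16 are transaction codes assumed for the sample, and the TSTC and SM01 stand-ins are constructed data.

```python
# Added example (not the presentation's code): a small model of how SAP checks
# every instance of an authorization object in the user buffer until one
# instance matches all required field values.
from dataclasses import dataclass, field


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. "V_VBAK_AAT"
    fields: dict  # field name -> list of allowed values; "*" means all values


@dataclass
class UserBuffer:
    """Everything loaded at logon (what SU56 shows), across all roles/profiles."""
    auths: list = field(default_factory=list)

    def has(self, obj, **required):
        # Each instance of the object is checked; the first one whose fields
        # cover ALL required values is a match. No instance -> check fails.
        for a in self.auths:
            if a.obj != obj:
                continue
            if all(v in a.fields.get(f, []) or "*" in a.fields.get(f, [])
                   for f, v in required.items()):
                return True
        return False


# Constructed buffer: Role 1 (display all types; create B1/B2/CS) and Role 2
# (create OR/RE) from the slide, plus S_TCODE for an assumed sales-order tcode.
BUFFER = UserBuffer([
    Authorization("V_VBAK_AAT", {"ACTVT": ["03"], "AUART": ["*"]}),
    Authorization("V_VBAK_AAT", {"ACTVT": ["01"], "AUART": ["B1", "B2", "CS"]}),
    Authorization("V_VBAK_AAT", {"ACTVT": ["01"], "AUART": ["OR", "RE"]}),
    Authorization("S_TCODE", {"TCD": ["VA01"]}),
])

# Constructed stand-ins for table TSTC (transaction exists) and SM01 locks.
TSTC = {"VA01", "VA02", "SE16"}
LOCKED = {"SE16"}


def can_start(buffer, tcode):
    """Steps 1-3 of the slide: exists in TSTC, not locked, S_TCODE held."""
    if tcode not in TSTC:
        return "does not exist"
    if tcode in LOCKED:
        return "locked"
    if not buffer.has("S_TCODE", TCD=tcode):
        return "no S_TCODE"
    return "ok"


def can_create_order(buffer, order_type):
    """Step 4 for the slide's example: create (01) a sales order of this type."""
    return buffer.has("V_VBAK_AAT", ACTVT="01", AUART=order_type)
```

Note that the display instance with Order Type `*` never satisfies a create check: the wildcard widens one field, but every field must match within a single instance.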
Security Team
- It is important to select an appropriate security team. Size it based on your organization: auditing requirements, amount of changes, security staff knowledge.
- Role changes should be done by the security team.
- User assignments can be processed by the security team or the Basis team.
- Unlocking Users/resetting passwords of Users can be done by the helpdesk.

Security Team: Outsourcing
- Outsourcing is a good option for many companies.
- Key reasons to outsource: expert help is available - it's hard for part-time security staff to understand all of the complexities of SAP Security; internal staff may get overloaded and need extra help; project work; coverage during vacations/sick days.
- Key considerations in choosing an outsourcing provider: ongoing access to a team vs. a consultant randomly assigned by a help desk; 24x7 access to support; fixed-rate support vs. charge by the hour.

Role Owners and the Approval Process
- The security team may know how to make changes to access, but will need to work with the business to determine what changes should be made.
- Changes include making changes to Roles (modifying Authorizations, adding/removing Transactions) and assigning those Roles to users.
- Have Role changes approved by the Role owner.
- Have User assignment changes approved by both a manager and the Role owner.
- Your security team should be able to point out potential risks when access is requested. The business is often not aware of the implications of the changes that are requested.

Periodic Access Validation
- It's a good idea to have Role matrix reports generated and reviewed periodically by Role owners.
- Ensures that inappropriate changes were not made.
- Accountability.
- Consider doing this quarterly or at least yearly.
Example output of a report that was generated by ControlPanelGRC: (screenshot)

User Information System (SUIM)
- Great place to get information about Users/Roles.
- TIP - it has had bugs over the years. If something seems incorrect, query the appropriate table directly.

SU53
- Shows the last Authorization check that failed. It may or may not be the Authorization that the User actually needs; look at context clues to determine if it is appropriate.
- The User may need more Authorization Objects after this one is added.
- Does not include Structural Authorizations in HR Security.

Authorization Trace (ST01)
- Records all Authorization Checks performed while a User is in the system.
- ControlPanelGRC Security Troubleshooter makes this process easier by recording the steps to recreate the issue and the Authorization Trace, and sending the output to the Security Team.

Security Audit Log (SM19/SM20)
- Records information about what Users are doing: logon/logoff; Transactions/reports started or attempted to start; password changes; workstation name of the User.
- Is not on by default.
- Does not record what data was changed by the User.

Central User Administration (CUA)
- Manage Users from one SAP client.
- Simplifies User administration and can save a lot of time - especially for large environments.
- If you own SAP, you already own this. All you need is someone to configure it.
- There are several "gotchas" that frequently come up when installing. We recommend contacting a consultant who is CUA savvy.
- Asynchronous!
- Ultimately, the Users and Roles exist in each client. CUA is only the place you log in to make changes!
- Landscape diagram: CUA Central System with SOL-100, DEV-100, QAS-100, PRD-100.

SAP NetWeaver Identity Management
- SAP's Identity Management solution.
- Cross-system/cross-vendor integration.
- Separate landscape/installation.
- Highly configurable; contact someone who specializes in this product.

SAP GRC Access Control
- Risk Analysis and Remediation: find SoDs and excessive access for both Roles and Users; alert monitoring.
- Compliant User Provisioning: workflow for User creations/modifications; incorporates SoD checks.
- Superuser Privilege Management: emergency, temporary access; logs some of the user's actions and notifies managers when used.
- Enterprise Role Management: workflow for Role creations/modifications; incorporates SoD checks.

SymSoft ControlPanelGRC
2nd generation compliance automation solution
- User & Role Manager: accelerates User and Role change management.
- Risk Analyzer: real-time risk analysis and mitigation of Segregation of Duties and Sensitive Authorization risks.
- Usage Analyzer: monitors Transaction executions to provide notification of executed risks.
- Reverse Business Engineering (RBE) tool
- License Optimization tool
- Transport Manager: automates processing of change requests with auditable workflow.
- Batch Manager: cross-system infrastructure for compliant scheduling, monitoring and tracking of batch jobs.
- Emergency Access Manager: manages temporary access - access is tracked by User and reports are routed for review.
- AutoAuditor: allows compliance reports to be scheduled and sent to Users for documented review.

Key Points
- Security is the doorway to the SAP system.
- Security is a way of protecting information from unauthorized use.
- Security can unlock the flexibility of the system and customize it for each user.
- Information stored in SAP is one of your company's most valuable business assets.
- SAP Security is complex and often difficult to manage and understand.
- There are legal requirements that influence SAP Security; not all companies are required to comply with these regulations.
- All businesses benefit from having well defined processes.
- There are tools available to help manage security - but ultimately a good security team is key.

Kyle Balcerzak
414-732-2743
kbalcerzak@sym-corp.com
Download the presentation recording with audio from the Symmetry Knowledge Center: www.sym-corp.com/knowledge-center
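The detective control the deck describes for SoD and excessive access (GRC Risk Analysis "for both Roles and Users", and the periodic Role matrix review), as an added Python example that is not from the presentation or any of the products named. It generalizes the SOX slide's vendor-master/payment conflict into a rule table and reports risks that exist only through the combination of a user's Roles. XK02 and SP01 are from the slides; XK01, F110 and FB60 are assumed transaction codes, and the roles and users are constructed sample data.

```python
# Added example (not from the presentation): a minimal SoD / critical-access
# analysis over role-to-transaction and user-to-role assignments.

# Constructed sample data: which transactions each role grants (via S_TCODE)
# and which roles each user holds. Codes marked "assumed" are not on the slides.
ROLE_TCODES = {
    "Z_VENDOR_MAINT": {"XK01", "XK02"},          # XK01 assumed: create vendor
    "Z_AP_CLERK": {"FB60", "F110"},              # FB60/F110 assumed: invoices, payment run
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_SUPERUSER": {"XK02", "F110", "SP01"},     # SP01: spool requests of all users
}
USER_ROLES = {
    "JSMITH": ["Z_VENDOR_MAINT", "Z_AP_CLERK"],  # conflict only across roles
    "AKHAN": ["Z_BUYER"],
    "BASISADM": ["Z_SUPERUSER"],                 # conflict inside one role
}

# Rule table: (name, conflicting side A, conflicting side B) from the SOX slide,
# plus critical transactions flagged as excessive access on their own.
SOD_RULES = [
    ("Vendor master maintenance vs. AP payment", {"XK01", "XK02"}, {"F110"}),
]
CRITICAL = {"SP01": "Display spool requests of all users (SP01)"}


def tcodes_for_user(user):
    """Effective transactions: the union over every role assigned to the user."""
    return set().union(*(ROLE_TCODES[r] for r in USER_ROLES[user]))


def find_risks(tcodes):
    """Return (kind, description) findings for one set of transactions."""
    findings = []
    for name, side_a, side_b in SOD_RULES:
        if tcodes & side_a and tcodes & side_b:   # both halves of a conflict
            findings.append(("SOD", name))
    for tcode in sorted(tcodes & set(CRITICAL)):
        findings.append(("CRITICAL", CRITICAL[tcode]))
    return findings


def role_risks(role):
    return find_risks(ROLE_TCODES[role])


def user_risks(user):
    return find_risks(tcodes_for_user(user))


def cross_role_only(user):
    """Risks no single role carries: they arise purely from the role combination,
    which is why analysis must run at user level, not just role level."""
    per_role = {f for r in USER_ROLES[user] for f in role_risks(r)}
    return [f for f in user_risks(user) if f not in per_role]
```

Role-level review alone would pass JSMITH, since each of that user's roles is clean on its own; the user-level check is what surfaces the conflict the SOX slide warns about.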