1. Help Desk
   • Determine if the help desk is effective
   • Determine if it records incident reports
2. Determine how security administration is organized
3. Determine if proper system monitoring is performed
4. Determine if training is properly administered
5. Determine if key system interfaces are properly controlled
6. Obtain a list of all system users
7. Obtain a list of custom transactions
   • List all transactions within the TSTC table beginning with the letters Y or Z: Tables > Data Display > Y*, and then Z*
8. Obtain a listing of all clients
   • List table T001
9. Obtain a listing of all business areas
   • List tables TGSB and TGSBT
10. Obtain a list of all charts of accounts
   • List tables T004 and T004T
11. Obtain a listing of storage locations
   • List table T001L
12. ABAP programs
   • Review ABAP programs to ensure that all system function calls are authorized. System function calls are Unix commands passed to the operating system to perform a task at the operating system level, such as issuing Oracle SQL commands to query the database during the execution of an ABAP program.
13. Review all SAP userids at the Unix operating system level (etc/passwd and etc/group files) and ensure that all default passwords have been changed:
   • SIDADM – system administration
   • ORASID – Oracle administration
   • PCTEMU – terminal administration
14. Determine that only authorized users have direct access to the Oracle database management system, and determine that all default system passwords have been changed.
15. Determine if change control procedures are formally documented. Review all relevant SAP change control directories under Unix /usr/sap/trans.
16. Correction and Transport System (CTS) control types. For each CTS system type (Development, Integration, Consolidation, Recipient) review the Changes and Repairs settings; the default setting is No Change. The settings in use are:
   • Changes: Changes are allowed in corrections. Other types of changes are allowed with or without corrections.
   • Changes (Unlimited): Any changes are allowed with or without corrections.
   • Changes (No Change): Changes are not allowed.
   • Repairs: Changes to SAP-provided objects require a repair correction.
   • Repairs: Repairs are allowed, but all must have corrections and all corrections are flagged as repairs.
   • Repairs: No corrections are flagged as repairs.
17. Determine if separate instances have been defined for development and testing. Determine who is responsible for transport administration.
18. Determine who has the capability to add user master records (authorization objects S_USER_GRP and S_USER_ALL).
19. Determine if all users have been assigned to a group (table USR02).
20. Determine who can maintain authorizations (S_USER_AUT).
21. Determine who can maintain profiles (S_USER_PRO).
22. Determine how the profile SAP_NEW is being used. List all SAP-supplied profiles and authorizations that have been modified and review for completeness.
23. List off the system parameter file (report RSPARAM) and review the authentication controls:
   • login/min_password_lng
   • login/password_expiration_time
   • login/fails_to_session_end
   • login/fails_to_user_lock
24. Review SAP for any new objects/values that have been defined. Review changes to table AUTH for new fields and table TOBJ for new objects.
25. Ensure that control tables are properly established:
   • TSYST defines all systems to be used in CTS
   • TASYS defines all recipient systems
   • TDEVC defines all development classes
   Use transaction code SE06 for CTS verification. Use transaction code SE38 to review the placement of programs in authorization groups (SE38, select Attributes, then Display).
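An added example (not code from the checklist) of the review in step 23: it parses a constructed RSPARAM-style listing of the login/* parameters and flags values that fall outside an assumed audit baseline. The sample lines, their simplified two-column layout and the baseline thresholds are assumptions of this example, not values from the page.

```python
# Constructed sample in a simplified "parameter  value" layout (not real RSPARAM output)
RSPARAM_SAMPLE = """\
login/min_password_lng            3
login/password_expiration_time    0
login/fails_to_session_end        3
login/fails_to_user_lock          12
"""

# Assumed audit baseline for this example; align it with the site's password policy.
# ("min", n): value must be >= n; ("max", n): value must be <= n;
# ("range", (lo, hi)): value must lie within lo..hi, and 0 means the control is off.
BASELINE = {
    "login/min_password_lng": ("min", 8),
    "login/password_expiration_time": ("range", (1, 90)),
    "login/fails_to_session_end": ("max", 3),
    "login/fails_to_user_lock": ("max", 5),
}

def parse_login_params(listing):
    """Return {parameter: int value} for every login/* line in the listing."""
    params = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("login/"):
            params[parts[0]] = int(parts[1])
    return params

def check_login_params(params, baseline=BASELINE):
    """Return a list of (parameter, value, finding) for each baseline parameter
    that is missing from the listing or set outside the baseline."""
    findings = []
    for name, (kind, limit) in baseline.items():
        if name not in params:
            findings.append((name, None, "not present in listing"))
            continue
        value = params[name]
        if kind == "min" and value < limit:
            findings.append((name, value, f"below minimum of {limit}"))
        elif kind == "max" and value > limit:
            findings.append((name, value, f"above maximum of {limit}"))
        elif kind == "range":
            lo, hi = limit
            if value == 0:
                findings.append((name, value, "0 disables the control"))
            elif not lo <= value <= hi:
                findings.append((name, value, f"outside {lo}-{hi}"))
    return findings

if __name__ == "__main__":
    for name, value, finding in check_login_params(parse_login_params(RSPARAM_SAMPLE)):
        print(f"{name}: {value} -> {finding}")
```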
26. List all users with special SAP system administration authorizations: S_ADMI_FCD, S_BDC_ALL, S_DDIC_ALL, S_EDI_BUK, S_EDITOR, S_PROG_ADM and S_PROGRAM. Between them these objects cover access to the ABAP/4 Data Dictionary, batch input, DYNPRO and ABAP/4, creating and modifying ABAP/4 programs and use of the screen painter, the ability to edit and modify ABAP programs, running ABAP/4 programs and submitting background processing, and the ability to run ABAPs. Also list:
   • S_TABU_ADM – system tables, table maintenance
   • S_BTCH_ADM and S_ENQ_ALL – background processing
   • S_TSKH_ADM and S_ENQ_ALL – transactions, lock management for processing
27. Determine that the SAP* profile has a user master record, that SAP* has had its password changed and that it has been added to the SUPER group. Also determine if the password has been stored in a secured location in case of an emergency.
28. Determine who the members of the SUPER group are and ensure that their membership is required.
29. List all users with the following standard system profiles (Tools > Administration > User Maintenance > Users > Maintain Users > Information > Overview > Users > profile name > List > Print):
   • SAP_ALL – all R/3 privileges
   • S_A.SYSTEM – all SAP system functions
   • S_A.ADMIN – system administration
   • S_A.CUSTOMIZ – SAP customizing system
   • S_A.DEVELOP – SAP development environment
   • S_ABAP_ALL – all authorizations for ABAPs
   Determine how many users have SAP_ALL access in the production environment.
30. Determine who has access to the ABAP/4 Data Dictionary. For the object S_ADMI_FCD, list users that have the following values:
   • REPL
   • SE01 (CTS requests) and/or DDIC in the System Administration Function field
   • SM21 in the Field Administration Function field (allows access to the system log)
   • TCOD, which allows the user to change additional authorization checks
31. Determine who has batch access: S_BDC_MONI, S_BDC_ALL, S_BTCH_ADM, S_BTCH_ALL, S_BTCH_USR. Batch log files (bdc/logfile) should be reviewed; any deletions, modifications or abended sessions are subject to investigation, and the files should be secured through the correct use of operating system security. List users with authorization for SM04 and SM50 (S_TSKH_ADM), which grants access to the transaction locking function.
32. Determine which transactions are locked on the production system by viewing the additional authority checks in table TSTC (Tools > Administration > Tcode Administration). Ensure that at a minimum the following transactions are locked:
   • SE01 – correction and transports
   • SE38 – ability to execute ABAP programs
   • SE11 – maintain data dictionary objects
33. Determine if the parameters for the trace and log files are adequate. With the RSPARAM report, review the rstr/* and rslg/* parameters. If a transaction cannot finish correctly, the system rolls it back; the dialog program first generates a log record in the VBLOG table. Review the system log with transaction SM21 or Tools > Administration > Monitoring > System Log. Selection criteria: Date/Time – To – Date/Time, By User, Trans Code, SAP Process, Problem Classes (Messages). Versions for a particular object are maintained as Temp, Historical, Active and Revised (Utilities > Version Management menu). Use transactions:
   • SE16 – Data Browser
   • SE12 – Dictionary Display
   • SE80 – Object Browser
   • SCU3 – table history transaction
34. Determine who has access to the SAP customizing system (IMG, menu customizing). The profile S_A.CUSTOMIZ gives all authorizations required for the Basis activities in the customizing menu. Verify who has the authorization object S_ADMI_FCD. (Table USR10 gives an overview of all authorization objects in a profile.) Access to these transactions should be restricted because they can cause all file servers to shut down.
35. Determine if spool access is properly restricted (S_SPO_ACT and S_SPO_DEV). Is access to the SAP archiving function restricted? (Verify which profiles have access to transaction F040.)
36. Determine if backup procedures are appropriate for data and programs. On-line and off-line backups of all the file servers can be controlled through the CCMS.

SQVI Tutorial

QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a whole range of options for defining reports and supports different kinds of reports such as basic lists, statistics and ranked lists. QuickViewer (SQVI), on the other hand, is a tool that allows even relatively inexperienced users to create basic lists. I have created a tutorial for SQVI.

There might come a time when you want information that is spread across multiple tables. You can write a SQVI to get it. In this tutorial we will write an SQVI to find the roles assigned to users together with the users' full names. You can get the roles assigned to users from table AGR_USERS and the users' full names from USER_ADDR. We will join both tables to get the result.

1. Execute transaction SQVI.
2. Create a SQVI (z_user_role).
3. Put in a title and comments. Make sure that you select Table join as the Data source.
4. Click to insert tables. Insert the AGR_USERS and USER_ADDR tables.
5. Select the correct join. Here we will join on BNAME. Hit the back button.
6. Here I will select Role name and User name from the AGR_USERS table and Full name from USER_ADDR, and also make User name the selection field. So when I run the query it will ask me to list the users.
7. Save the query and execute it. In the selection screen, put in the user you want to get the info for. You are ready with your SQVI query.
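The join the tutorial builds, as an added example in Python rather than in QuickViewer (not code from the page): it joins constructed AGR_USERS rows to constructed USER_ADDR rows on the user name, applies the user-name selection from step 6, and additionally reports users that hold roles but have no address record, which an inner table join in the query would silently drop. The field names AGR_NAME, UNAME, BNAME and NAME_TEXT and all sample rows are assumptions of this example.

```python
# Constructed sample rows (not real system data); field names are assumed
AGR_USERS = [  # role-to-user assignments
    {"AGR_NAME": "Z:TESTROLE",    "UNAME": "ZTEST_97"},
    {"AGR_NAME": "Z:FI_DISPLAY",  "UNAME": "ZTEST_97"},
    {"AGR_NAME": "Z:BASIS_ADMIN", "UNAME": "ADMIN01"},
    {"AGR_NAME": "Z:TESTROLE",    "UNAME": "NOADDR"},   # has no USER_ADDR row
]
USER_ADDR = [  # user name and full name
    {"BNAME": "ZTEST_97", "NAME_TEXT": "Test User"},
    {"BNAME": "ADMIN01",  "NAME_TEXT": "Basis Admin"},
]

def user_roles_with_names(agr_users, user_addr, selected_users=None):
    """Join role assignments to full names on the user name.

    selected_users: optional set of user names, like the selection screen of
    the query; None means all users.
    Returns (rows, unmatched): rows are (role, user, full name) tuples from the
    inner join, unmatched are users that have roles but no USER_ADDR row."""
    names = {r["BNAME"]: r["NAME_TEXT"] for r in user_addr}
    rows, unmatched = [], set()
    for r in agr_users:
        uname = r["UNAME"]
        if selected_users is not None and uname not in selected_users:
            continue
        if uname in names:
            rows.append((r["AGR_NAME"], uname, names[uname]))
        else:
            unmatched.add(uname)
    return sorted(rows), sorted(unmatched)

if __name__ == "__main__":
    rows, unmatched = user_roles_with_names(AGR_USERS, USER_ADDR, {"ZTEST_97"})
    for role, user, full_name in rows:
        print(f"{role:15} {user:10} {full_name}")
    print("users with roles but no address record:", unmatched)
```

Reviewing the unmatched list is worthwhile in an audit: a user that carries roles but no address data is not visible in the joined report at all.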
Procedure to create an eCATT script

Make sure the client setting is changed to allow eCATT. Follow the instructions below. Execute transaction SCC4 (SAP R/3 menu: Tools -> Administration -> Administration -> Client Administration -> Client Maintenance), then carry out the following steps:
1. Choose Display/Change.
2. Confirm the warning message "Caution: The table is cross client".
3. Select your SAP R/3 client and choose Details.
4. In the Change View Clients: Details screen, on the Attributes tab, activate the following setting:
   • eCATT and CATT allowed
5. Save.
6. Go back to the SAP Easy Access menu.

Now let's start with creating the eCATT. On the eCATT (tcode SECATT) initial screen, select the Test Script radio button and enter a name for your new test script in the field beside it. Here we will name it ZCREATE_USER. Choose the Create Object icon to open the editor for the test script. Enter the following information:
   • Title: Create user SU01
   • Component: BC-SEC
   • System Data Container: TUTORIAL (optional)
Leave the Target System field empty; we will not use this field in this tutorial. Leave the remaining fields empty.

Switch to the Editor tab and click on Pattern. In the Insert Statement window fill in as below:
   • Group: All Commands
   • Command: TCD (Record)
   • Transaction: SU01
Click Yes. This will start recording and take you to the user create screen; continue with the user creation. In our example a userid (ZTEST_97) is created with the role Z:TESTROLE. Save the user and hit the back button. This will end the recording and you will be asked to save the recording. Save the object as a local object.

Go back and switch to change mode. Click on the button shown below. Select SU01_1 and click on the button shown below. Highlight Dynpro and click on the button shown below. This will switch to simulation mode, and we have to parameterize.
We parameterized user id, password and role. Look at the video. Hit the back button and save the script.

SAP user types

Dialog user 'A' – Individual system access (personalized)
   • Logon with SAPGUI is possible. The user is therefore interaction-capable with the SAPGUI.
   • Expired or initial passwords are checked.
   • Users have the option of changing their own passwords.
   • Multiple logon is checked.
   Usage: For individual human users (also Internet users)

System user 'B' – System-dependent and system-internal operations
   • Logon with SAPGUI is not possible. The user is therefore not interaction-capable with the SAPGUI.
   • The passwords are not subject to the password change requirement, that is, they cannot be initial or expired.
   • Only an administrator user can change the password.
   • Multiple logon is permitted.
   Usage: Internal RFC, background processing, external RFC (for example, ALE, workflow, TMS, CUA)

Communication user 'C' – Individual system access (personalized)
   • Logon with SAPGUI is not possible. The user is therefore not interaction-capable with the SAPGUI.
   • Expired or initial passwords are checked, but the conversion of the password change requirement that applies in principle to all users depends on the caller (interactive/not interactive). (*)
   • Users have the option of changing their own passwords. (*)
   Usage: External RFC (individual human users)

Service user 'S' – Shared system access (anonymous)
   • Logon with SAPGUI is possible. The user is therefore interaction-capable with the SAPGUI.
   • The passwords are not subject to the password change requirement, that is, they cannot be initial or expired.
   • Only a user administrator can change the password.
   • Multiple logon is permitted.
   Usage: Anonymous system access (for example, public Web services)

Reference user 'L' – Authorization enhancement
   • No logon possible.
   • Reference users are used for authorization assignment to other users.
   Usage: Internet users with identical authorizations

Remarks: (*) With all non-interactive system accesses (that is, not using the SAPGUI), the password change rule (which exists for all users except system and service users when passwords are initial or have expired) is not enforced by the system if there is no interaction option. However, RFC client programs should recognize the need to change a password and initiate the subsequent password change by calling special function modules (see note 145715) or RFC-API functions (as of 4.6C), provided that you can execute a password update dialog with the user (via middleware such as SAP ITS, for example). The user interaction (including handling error and exceptional situations) is provided here by the middleware (the RFC client).