file:///G|/basis%20security.txt

jaleel ahmed

26. What is a composite profile?
Composite profiles are sets of two or more authorization profiles, which may themselves be simple or composite. A composite profile can contain an unlimited number of profiles. Composite profiles are suitable for users who have multiple responsibilities or job tasks in the system. These profiles are sometimes known as reference profiles: they assign a larger group of access privileges and make it easier to match users who have several responsibilities. Example: SAP_ALL.

4. What is an authorization?
An authorization grants permission to access certain transactions, reports or data. For each user activity or transaction, an authorization check is performed to see whether the required authorizations have been assigned to the user. Authorizations limit access to transactions and objects in the R/3 System. An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

5. What is a profile?
A profile is a set of authorizations that is entered in user master records to grant access to certain transactions, reports or data.

6. What is the Profile Generator?
The Profile Generator allows authorization administrators to generate and assign authorization profiles automatically. Released with 3.1G, this tool accelerates R/3 implementation by simplifying the task of setting up the authorization environment; the administrator needs only to configure customer-specific settings. The Profile Generator is a new approach to defining the authorization environment: the administrator no longer uses authorization objects directly to define authorizations for the various user groups.

9. What is security, and why is it needed? Explain.
This unit focuses on the R/3 user within the R/3 System. However, it is important for the R/3 System administrator to also control access to the operating system (OS) on which the R/3 System resides and to the database (DB). External user IDs exist at both the OS and DB levels that could be used to disrupt normal operation of the R/3 System. Access to the R/3 System is controlled at the client level: each R/3 user must have a user master record in the client in which that user will work. In R/3, authorizations are used to restrict access to programs and data.

24. How can you modify or add authorizations (after getting the user dump or user trace)?
Answer: by using SU24 (this is possible only through expert mode) or manually at the authorizations screen. If you use SU24 and modify the required authorization object, the authorization status is shown as "standard". If you make the change manually, by choosing the "Manually" button at the authorizations screen and adding or modifying the required authorization object in the role or profile, the status is shown as "manual". After that you need to regenerate the profile and the role too.

file:///G|/basis%20security.txt (1 of 5)11/21/2006 11:26:33 PM

26. What is an authorization object?
An object class is a logical grouping of authorization objects that share a similar purpose or business area. For example, the object class Basis: Administration contains authorization objects that control access to Basis transactions. The authorization object is the template from which an authorization is created, and it is used in ABAP code for authorization checks. Each object has up to 10 fields, which are checked using AND logic before access is granted to the desired transaction.

8. What are the authorization statuses shown on the screen while you are generating profiles?
Answer: Standard, Maintained, Changed, Manually, Old, New.

9. While generating roles, the user tab can show differently coloured symbols. What are they? Explain.
Answer: green, yellow and red.
Green: all authorizations have been maintained.
Yellow: some authorizations must still be maintained.
Red: organizational levels must be maintained.

An activity group may contain one to many (1-n) profiles, depending on the transactions selected from the company menu. If more than 150 authorizations are required for the selected transactions, multiple profiles are generated.

Useful security reports:
RSUSR003  Checks for default passwords on user IDs SAP* and DDIC
RSUSR005  Lists users with critical authorizations
RSUSR006  Lists users who are locked due to incorrect logon. This report should be scheduled to run each day, just before midnight.
RSUSR007  Lists users with incomplete address data
RSUSR008  Lists users with critical combinations of authorizations or transactions
RSUSR009  Lists users with critical authorizations, with the option to select the critical authorizations
RSUSR100  Lists change documents for users and shows changes made to a user's security
RSUSR101  Lists change documents for profiles and shows changes made to security profiles
RSUSR102  Lists change documents for authorizations and shows changes made to security authorizations

User master tables:
USR01  contains the runtime data of the user master records
USR02  is the table containing logon information such as the password
USR03  includes the users' address information
USR04  contains users' authorizations
USR05  is the users' parameter ID table
USR09  contains user menus
USR10  is the table for user authorization profiles
USR11  contains the descriptive texts for profiles
USR12  is the user master authorization values table
USR13  contains the descriptive short texts for authorizations
USR14  contains the logon language versions per user
USR30  includes additional information for user menus
TRDIR  contains program authorization group assignments
TDDAT  contains table authorization group assignments
USH02, USH04, USH10 and USH12 contain the change history data for users, profiles and authorizations.

Tables related to authorization objects and authorization fields are as follows:
TOBJ   is the authorization objects table, containing the authorization fields for each object.
TACT   contains the list of standard activities for authorization fields in the system.
TACTZ  defines the relationship between authorization objects and the activities in those objects that contain the Activity authorization field.
TSTC   is the transaction code table, where authorization objects and values can be defined.

Client lock: SCCR_LOCK_CLIENT; client unlock: SCCR_UNLOCK_CLIENT.

22. What are user groups? Explain.
User groups are created by an administrator to organize users into logical groups and to apply security to them, for example:
• Basis
• Finance
• Shipping
• Purchasing
• Sales
depending on the functionality the users need.

What is a role? Explain.
A role describes the job position or activity of a user.

1. What is your minimum length for passwords?
Set the profile parameter login/min_password_lng. Default = 3.

2. Do users have to change their passwords on a regular basis?
Set the profile parameter login/password_expiration_time. Default = 0 (users do not have to change passwords).

3. Do you monitor unsuccessful logon attempts on a regular basis (daily)?
Report RSUSR006 shows all unsuccessful logon attempts by a known user and all user locks.

4. Have you set session termination after a number of unsuccessful logon attempts?
Set the profile parameter login/fails_to_session_end. Default = 3.

5. Have you activated automatic logoff for idle users?
Set the profile parameter rdisp/gui_auto_logout. Default = 0 (off).

6. Do you have users locked after a number of unsuccessful logon attempts? Is the default (12) appropriate, or have you changed the value?
Set the profile parameter login/fails_to_user_lock. Default = 12.

7. Does your R/3 System automatically remove user locks at midnight on the same day?
Set the profile parameter login/failed_user_auto_unlock. Default = 1 (yes).

8. login/min_password_diff. Default = 1.

9. auth/no_check_in_some_cases. Default = Y.

PARAMETER                             DEFAULT
login/create_sso2_ticket              0
login/disable_cpic                    0
login/disable_multi_gui_login         0
login/disable_multi_rfc_login         0
login/disable_password_logon          0
login/failed_user_auto_unlock         1
login/fails_to_session_end            3
login/fails_to_user_lock              12
login/min_password_diff               1
login/min_password_digit              0
login/min_password_letters            0
login/min_password_lng                3
login/min_password_specials           0
login/no_automatic_user_sapstar       0
login/password_change_for_SSO         -1
login/password_expiration_time        0
login/password_logon_usergroup
login/password_max_new_valid          0
login/password_max_reset_valid        0
login/system_client                   000
login/ticket_expiration_time          60
login/ticket_only_by_https            0
login/ticket_only_to_host             0
login/ticketcache_entries_max         1000
login/ticketcache_off                 0
login/update_logon_timestamp          m
rdisp/gui_auto_logout                 0
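As an added example (not part of these notes), the following Python script reads an SAP instance profile and reports which of the parameters from the checklist above are still at the defaults the notes list, so an administrator can answer questions 1 to 7 from a file instead of by hand. The profile excerpt is constructed, and the "name = value" line format with "#" comments is assumed.

```python
import re

# Defaults exactly as listed in the notes above. Parameters whose default is
# the permissive setting the checklist asks about are reported as WEAK when
# they are still at that default (absent from the profile, or set to it).
DEFAULTS = {
    "login/min_password_lng": "3",
    "login/password_expiration_time": "0",
    "login/fails_to_session_end": "3",
    "login/fails_to_user_lock": "12",
    "login/failed_user_auto_unlock": "1",
    "rdisp/gui_auto_logout": "0",
    "login/no_automatic_user_sapstar": "0",
}
WEAK_IF_DEFAULT = {
    "login/min_password_lng",           # minimum length 3
    "login/password_expiration_time",   # passwords never expire
    "rdisp/gui_auto_logout",            # idle users are never logged off
    "login/no_automatic_user_sapstar",  # automatic SAP* user still possible
}
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment (assumed format)."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.split("#", 1)[0])
        if m:
            params[m.group(1)] = m.group(2)  # a later line overrides an earlier one
    return params

def audit(params):
    """Map each checklist parameter to (effective value, status).
    A parameter absent from the profile takes its default value."""
    report = {}
    for name, default in DEFAULTS.items():
        value = params.get(name, default)
        if value != default:
            status = "set"
        else:
            status = "WEAK" if name in WEAK_IF_DEFAULT else "default"
        report[name] = (value, status)
    return report

# Constructed instance-profile excerpt (not from a real system).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = DEV
login/min_password_lng = 8
login/fails_to_user_lock = 5
login/password_expiration_time = 0   # never expires
rdisp/gui_auto_logout = 1800
"""

if __name__ == "__main__":
    for name, (value, status) in audit(parse_profile(SAMPLE_PROFILE)).items():
        print(f"{status:8} {name} = {value}")
```

In the sample, login/no_automatic_user_sapstar is reported WEAK even though it does not appear in the profile, because the default then applies.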

Division of administrator tasks:
• Authorization data administrator, who creates roles (transaction selection and authorization data), selects transactions, and maintains authorization data. However, the authorization data administrator can only save data in the Profile Generator, since he or she is not authorized to generate the profile; he or she accepts the default profile name T_.... when doing this. (SAP_ADM_AU)
• Authorization profile administrator, who checks and approves the data and generates the authorization profile. To do this, he or she chooses All Roles in transaction SUPC and then specifies the abbreviation of the role to be edited. On the following screen, he or she checks the data by choosing Display Profile. (SAP_ADM_PR)
• User administrator, who maintains the user data with the user maintenance transaction (SU01) and assigns roles to the users. This enters the approved profiles in the master records of the users. (SAP_ADM_US)

The following authorization checks are performed before the start of a program or table maintenance, and the SAP applications cannot bypass them:
• Starting SAP transactions (authorization object S_TCODE)
• Starting reports (authorization object S_PROGRAM)
• Calling RFC function modules (authorization object S_RFC)
• Table maintenance with generic tools (authorization object S_TABU_DIS)

Locking the system at the OS level:
You can lock a system at the OS level by running:
    tp locksys <SID> pf=tpprofile
Example: to lock your DEV system, enter this command:
    tp locksys DEV pf=\\saptranshost\sapmnt\trans\bin\tp_domain_dev.pfl
Users will get this message if they attempt to log on: "Upgrade still running. Logon not possible". Notice that the message is not exactly accurate: tp locksys is mainly used during release upgrades, so the message is rather generic. But it works! To unlock the system, run:
    tp unlocksys <SID> pf=tpprofile
Now you can tell your boss that you know how to keep the users off the system! Only SAP* and DDIC can log on to any of the clients in a system that has been locked.

Checking for SAP* in a client:
First (this is an optional step) check whether SAP* is present in the client you want; MANDT here is the client:
    SELECT * FROM USR02 WHERE MANDT='XXX' AND BNAME='SAP*'
Then delete the SAP* record from table USR02, ON THE REQUIRED CLIENT ONLY:
    DELETE FROM USR02 WHERE MANDT='XXX' AND BNAME='SAP*'
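As an added example, not part of the original notes, here is a Python model of the authorization concept these notes describe: authorizations as a set of authorization object field values, simple profiles that hold authorizations, composite profiles that nest other profiles (even themselves, by mistake), and a check that applies AND logic across an object's fields. The objects and fields used (S_TCODE with TCD, S_TABU_DIS with DICBERCLS and ACTVT) are real, but the profiles and values are constructed; treating any single matching authorization as sufficient, and "*" or "AB*" as patterns, is how the check is modelled here.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Authorization:
    """Object name plus field values; all fields (up to 10) use AND logic."""
    obj: str       # e.g. "S_TCODE"
    fields: tuple  # e.g. (("TCD", "SU01"),)

@dataclass
class Profile:
    """Simple profile (auths), composite profile (profiles), or both."""
    name: str
    auths: list = field(default_factory=list)
    profiles: list = field(default_factory=list)

def flatten(profile, seen=None):
    """Expand composites recursively; 'seen' stops a self-including loop."""
    seen = set() if seen is None else seen
    if profile.name in seen:
        return []
    seen.add(profile.name)
    auths = list(profile.auths)
    for sub in profile.profiles:
        auths.extend(flatten(sub, seen))
    return auths

def value_matches(allowed, wanted):
    """Exact match, or prefix pattern 'AB*' ('*' alone covers everything)."""
    if allowed.endswith("*"):
        return wanted.startswith(allowed[:-1])
    return allowed == wanted

def authority_check(user_profiles, obj, **wanted):
    """Grant if ANY authorization for obj covers ALL requested field values."""
    for auth in (a for p in user_profiles for a in flatten(p)):
        if auth.obj != obj:
            continue
        allowed = dict(auth.fields)
        if all(f in allowed and value_matches(allowed[f], v)
               for f, v in wanted.items()):
            return True
    return False

# Constructed sample profiles (not from a real system).
P_USERADMIN = Profile("Z_USERADMIN", auths=[
    Authorization("S_TCODE", (("TCD", "SU01"),))])
P_DISPLAY = Profile("Z_DISPLAY", auths=[
    Authorization("S_TCODE", (("TCD", "SE16"),)),
    Authorization("S_TABU_DIS", (("DICBERCLS", "&NC&"), ("ACTVT", "03")))])
P_COMPOSITE = Profile("Z_BASIS_COMP", profiles=[P_USERADMIN, P_DISPLAY])
```

A user holding Z_BASIS_COMP passes the S_TABU_DIS check for display (ACTVT 03) but not for change (ACTVT 02), because the second field value fails and the fields are ANDed.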
