
SAP SECURITY AND GRC CONSULTANT

INTRODUCTION:
3 Tier Architecture:
1. Presentation Layer
2. Application Layer – consists of Processes and Services
3. Database Layer
Process:
1. Dialog – All interaction between the user and the system; a dialog step takes up to 0.6 sec.
2. Background – Long-running and recurring activities (anything that takes more than 0.6 sec).
3. Spool – Printer-related activities.
4. Update – Updating the database: create, modify or delete.
5. Enqueue – Queues ('Q') database updates so that they are applied one after another; without it a deadlock situation occurs.
Services:
1. Message – Used for load balancing among application servers, so that no server is overloaded and performance stays high.
2. Gateway – Communication channel between two SAP systems, or between an SAP system and a non-SAP system.

[Diagram from the notes: User -> Gateway -> Message service -> SAP system (Server 1, Server 2); the Gateway also connects to a non-SAP system such as Oracle or Informatica.]

HANA DATABASE: SAP's own database.

SAP R/3 Architecture:



The SAP R/3 System architecture consists of three layers: Presentation, Application, and Data storage.
The diagram in the notes illustrates the functions (request and response) performed by each layer and how the layers
work together:

Presentation:
This is where users of the SAP R/3 System submit input for the processing of their business
transactions. It is also where the output from these transactions appears as output fields, reports,
tables and spreadsheets.

Application:
This layer consists of Presentation Components, SAP Applications, Kernel & Basis Services
and the ABAP Workbench.
1. Presentation Components: Responsible for the interaction between the R/3 System and the
user. Based on the request received, the presentation components tell the client system which
screen should be presented to the end user.
2. SAP Applications: The presentation components identify the SAP Application responsible for
accomplishing the request and hand it over to the Kernel & Basis Services.
3. Kernel & Basis Services: Provide the run-time environment that processes the SAP
Application together with its data and returns the results to the end user.
4. ABAP Workbench: A development environment that provides the tools needed to develop
new SAP Applications or customize existing ones.

Database:
Each SAP R/3 System is linked to a database system consisting of a database management
system (DBMS) and the database itself. The applications do not communicate directly with the
database; instead, they use Basis services.
CLIENT ADMINISTRATION:

- Client – An independent space within a system.
- It is represented by a 3-digit number, 000 – 999.
- 000, 001 & 066 are the default clients in a non-IDES (business) system.
- 000, 001, 066, 800, 810, 811, 812 are the default clients in an IDES system.
IDES – International Demonstration and Education System (training).

Client Data:
1. Client Dependent Data (Standard Data): T codes, ABAP code
2. Client Independent Data (Customized Data): Users, transactional data, business
data.
EX. – In Sales, the T code used to create a sales order comes under Client Dependent
data, whereas the created sales order comes under Client Independent data.

Some T codes related to this concept (SCC*):

000, 001 and 066 are the standard clients. SAP recommends that you do not store your
customized data in the standard clients, because it would get disturbed there. Instead, create a
new client such as 100, copy the data from the standard client into the newly created one, and
then store your data in 100.

- SCC4 – Client Creation.
- SCC5 – Client Deletion.
- SCCL – Local Client Copy.
- SCC9 – Remote Client Copy.

Local Client Copy: Copying data from a standard client to a new client within the same system
is called a Local Client Copy.

Remote Client Copy: Copying data from a standard client in one system to a client in another
system is called a Remote Client Copy.
USER ADMINISTRATION:
It is the daily activity we perform in the organisation.
As Security Consultants we are responsible for creating every USER ID.
It is all about user maintenance:
- User Creation
- User Modification
- User Deletion
- User Lock and Unlock
- User Copy
- User Password Reset.

SU01 – T code for User Administration.

Process involved in User Administration:
1. The user fills in the SAP Access form, providing all the details.
2. Manager approval is required.
3. Role Owner approval is required.
4. The Security team creates the USER ID and the request is closed.

Some Facts:
1. User ID max length: 12 characters.
2. User ID naming convention: differs from organisation to organisation.

SU01 Tabs:

CREATE:

A consultant with 3 years' experience will have seen the tabs above roughly 10 * 20 * 12 * 3 times.

Address: Fill in all details of the user.
- Last Name is mandatory.
Logon data:
- User Type -> DIALOG (default)
- Password -> Initial password; this is a mandatory field
- User Group -> Press F4 to see all available user groups.
- Validity Period -> Valid from / Valid through.
Without the two mandatory fields above (Last Name and initial password) we cannot save the USER ID.
SNC: Secure Network Communication. If SNC is activated, the user need not enter a password
to log in to the SAP system. This could be insecure, so it should only be used for the Security
team and the ABAP team.
Defaults: Common to every user.
Parameters: Only entered when requested by the user.
Roles: Assign authorizations through roles.
Profiles, Groups, Personalization, Licence Data -> Don't touch them.
User Types:
1) Dialog -> Interactive user; password parameters are applied; GUI login is allowed.
EX: All employees of the organisation.
2) Service -> Used for multiple dialog logons; password parameters are not applied;
GUI login is allowed. EX: FF ID in GRC, Test ID.
3) System -> Used for internal communication; password parameters are not applied;
GUI login is not allowed. EX: Background jobs, internal RFC.
4) Communication -> Used for external communication; password parameters are not
applied; GUI login is not allowed. EX: RFC (Remote Function Call).
5) Reference -> Used for providing extra access to Dialog IDs when their access limit
(312 profiles) is reached. No password is required; cannot log in through the GUI.
Change Docs -> To see the changes made to a USER within a given time interval.
Path: SU01 -> Information -> Change documents for user.
Different types of User Locks:

- 0 -> Not locked
- 32 -> Global lock (CUA)
- 64 -> Administrator lock
- 128 -> Incorrect logon lock
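The lock values above are bit flags, so a single user ID can carry more than one lock at a time. The Python helper below, added here as an example and not part of the original notes, decodes a lock value into the lock types listed and filters a constructed list of (user ID, lock value) rows the way an access review would.

```python
# Added example, not from the original notes: decode a user's lock value into
# the lock types listed above. The value is a bit mask, so one user ID can
# carry several locks at once (e.g. 192 = 64 + 128). The sample rows below
# are constructed, not exported from a real system.
LOCK_FLAGS = {32: "global lock (CUA)", 64: "administrator lock",
              128: "incorrect logon lock"}

def decode_lock(value):
    """Return the set of lock types encoded in a lock value (0 -> empty set)."""
    if value < 0 or value & ~sum(LOCK_FLAGS):
        raise ValueError(f"unknown lock bits in {value}")
    return {name for bit, name in LOCK_FLAGS.items() if value & bit}

def is_locked(value):
    return bool(decode_lock(value))

def locked_users(rows, lock_type=None):
    """Audit helper: locked user IDs, optionally only those with one lock type."""
    hits = []
    for user, value in rows:
        locks = decode_lock(value)
        if locks and (lock_type is None or lock_type in locks):
            hits.append(user)
    return hits

# Constructed sample of (user ID, lock value) pairs.
SAMPLE_ROWS = [("SALES01", 0), ("HR_TEMP", 128), ("ADMINX", 64),
               ("FF_ID1", 192), ("CUAUSER", 32)]
```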
Authorization Concept:
- Authorization -> Permission or privileges.
Authorization comes into play after the user logs in to the system. It decides the user's job profile: a Sales
user has permission to do Sales-related activities only, an HR user has permission to do
HR-related activities only, and so on.
- Authentication -> Identity check (user ID / password).

- An authorization is identified by Auth. Fields and Auth. Objects.
- An Auth. Object is a group of at most 10 Auth. Fields.
- The Object Class reveals the area the Authorization Objects belong to.

- SU21 – T code for Auth. Objects; used to check the Auth. Objects in the SAP system.

An HR member wants the access below and contacts us. We then need to find the Auth.
Objects for each item, combine those Auth. Objects into a role, and assign the role to the
user.
- Appraisals – T1 – Auth. Object1
- Recruitments – T2 – Auth. Object2
- Payrolls – T3 – Auth. Object3
SE93: T code maintenance.
SE38 / SA38: To execute a program.
The activities below are performed under T code SU01:
- To create a user: S_USER_GRP
- To assign roles to a user: S_USER_AGR
- To assign profiles to a user: S_USER_PRO

- Role1: SU01 + S_USER_GRP + S_USER_AGR -> User cannot assign profiles to other
users.
- Role2: SU01 + S_USER_AGR + S_USER_PRO -> User cannot create other users.
- Role3: SU01 + no Auth. Objects -> User cannot perform any activity under SU01.
After logging in and entering the T code, the remaining activities are controlled by Auth.
Objects.
Auth. Objects are ready-made (standard).
Our challenge is to identify them and assign them to the particular role of a USER.
NOTE: The Auth. Objects required for a particular T code are linked to that T code under SU24.

In SU24, sort the entries by proposal 'YS'.

The Auth. Objects listed there are the ones a user of T code SU01 needs; only with them can he do his job.

In SAP we have more than 100,000 T codes.

A user needs access to the following:
1) Sales order creation – VA01
2) Printer to print documents – SP01
3) To see his payroll – PA30
First ask the user for the T codes of these accesses.
Then pull the Auth. Objects related to these T codes from SU24.
Role = 3 T codes + the Auth. Objects related to these 3 T codes.
A role is a combination of T codes and Auth. Objects.
NOTE: We cannot assign T codes or Auth. Objects directly to a user; only a role can be
assigned.
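The two passages above (Role1/Role2/Role3 under SU01, and building a role from T codes plus the Auth. Objects SU24 links to them) can be modelled in a few lines. The Python below is an added example, not code from the notes or from SAP: S_USER_GRP, S_USER_AGR and S_USER_PRO are real SAP auth objects, but the SU24 rows, field names and ACTVT values used here are constructed for illustration.

```python
# Added example, not from the original notes: a small Python model of the
# authorization concept above. The SU24 rows, field names and ACTVT values
# are constructed for illustration, not exported from a system.
MAX_FIELDS = 10  # an auth object groups at most 10 auth fields

def role(name, tcodes, auths):
    """Role = T codes + auth objects, each with its granted field values."""
    for obj, fields in auths.items():
        if len(fields) > MAX_FIELDS:
            raise ValueError(f"{obj}: more than {MAX_FIELDS} fields")
    return {"name": name, "tcodes": set(tcodes), "auths": dict(auths)}

# Constructed SU24 table: T code -> auth objects proposed for it.
SU24 = {"SU01": {"S_USER_GRP": {"CLASS": "*", "ACTVT": "*"},
                 "S_USER_AGR": {"ACT_GROUP": "*", "ACTVT": "*"},
                 "S_USER_PRO": {"PROFILE": "*", "ACTVT": "*"}}}

def build_role(name, tcodes, su24=SU24):
    """Pull the auth objects SU24 links to each T code and combine them."""
    auths = {}
    for t in tcodes:
        auths.update(su24.get(t, {}))
    return role(name, tcodes, auths)

def can_start(roles, tcode):
    """A T code is reachable only through a role that contains it."""
    return any(tcode in r["tcodes"] for r in roles)

def authority_check(roles, obj, **wanted):
    """Inside the T code each activity is controlled by an auth object; '*' matches any value."""
    for r in roles:
        got = r["auths"].get(obj)
        if got and all(got.get(f) in ("*", v) for f, v in wanted.items()):
            return True
    return False

def su01_capabilities(roles):
    """SU01 activities a user ID (which only ever holds roles) may perform."""
    caps = dict.fromkeys(("create_user", "assign_roles", "assign_profiles"), False)
    if can_start(roles, "SU01"):
        caps["create_user"] = authority_check(roles, "S_USER_GRP", ACTVT="01")
        caps["assign_roles"] = authority_check(roles, "S_USER_AGR", ACTVT="22")
        caps["assign_profiles"] = authority_check(roles, "S_USER_PRO", ACTVT="22")
    return caps

# The three roles from the notes, plus one built straight from SU24.
ROLE1 = role("Role1", ["SU01"], {k: v for k, v in SU24["SU01"].items() if k != "S_USER_PRO"})
ROLE2 = role("Role2", ["SU01"], {k: v for k, v in SU24["SU01"].items() if k != "S_USER_GRP"})
ROLE3 = role("Role3", ["SU01"], {})
FULL = build_role("SU01_full", ["SU01"])
```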
T-code: T-code stands for Transaction Code, i.e. a program. A T-code acts as a shortcut to a
program. The ABAP team creates T-codes.
SE93: T code maintenance. Here we can create, modify and display any T-code.

SA38: To execute a program.

SE38: To maintain programs – create, modify, delete & execute the program.
What is the Difference b/w SA38 and SE38 T-codes?
