OSS Information: This means: If you have selected putatively valid users, you have actually selected the invalid ones, and vice versa. To determine how many users of each user type exist, the report of the system measurement, RSUVM, can be used. For all clients, the number of existing users of each type is displayed. To review which user is of which user type, you may use RSUVM as well: all users are listed there with their user names and types, sorted by client.
OSS Notes for system measurement: Users priced separately during measurement; System measurement in Release 4. Changing or adding data is not allowed. The actual user is not allowed to be active in the system during that time.
The substitute user is free of charge, because the actual user will be charged. They are also allowed to use all HR transactions for their own purposes. This user type is free. An individual contract settlement is to be agreed.
He works with transactions. Now we have to get acquainted with the relation between transactions and authorization objects. Enter the name of the transaction you want to break down into the selection mask, field Name [Exhibit 3]. Some are optional. In the next step it has to be reviewed which authorization objects are actually checked. Call the transaction SU [Exhibit 3]. For the evaluation of a transaction, mark the desired entry and push the button [Exhibit 3].
Via the Help you can branch to the legend for the check indicators [Exhibit 3]. With the help of the button you get the following overview [Exhibit 3]. If the authorization for one object is missing, the user will not be allowed to execute the transaction. Another possibility exists if the user has received authorizations on all three objects, but with further restrictions.
The system will then not allow the display of the selected customer. This object was used for the transaction FK. The question addressed by this object, which actions may be carried out with the customer master records, is frequently required, for example within the transaction FK01, creation of vendor master records. For the transaction FK01 there was naturally no new object created.
It may be used in other modules as well, for example in the module SD [Sales and Distribution]. The user enters a transaction code, for example FK. The called transaction has to be part of the existing entries.
If the assigned authorization does not meet the requirements, the user will already fail the authorization check at this stage of the procedure. This is the message that will accompany this step. For a successful pass the user needs a matching authorization.
There one can define whether an additional authorization check on specially selected authorization objects has to be passed. Whether further authorization checks are executed depends on the source code. The authority-check is always executed with a logical AND joining the listed fields that are part of the listed authorization object.
Only when all values match the requirements is the return value set to 0. The authority-check may be integrated as a part of the program, or may be executed within a called function module.
The execution of the authority-check of course requires that the corresponding source code section is actually passed through. Important exceptions: As usual there are some exceptions to the rule. In this case we have to look at two other adjustments. Disabling of authorization objects: First of all, SAP offers the possibility to deactivate checks on authorization objects globally.
Check indicator: The second option to be considered is the adjustment for the individual transaction. These tables are the customer-specific tables that are valid if the profile generator is activated for use. That means that the origin of a matching authorization is of no relevance. Our first test case, for a better understanding. Scenario 3: The user has the following authorizations assigned. He has an even higher authorization [Authorization B] than required.
That means that he is able to do whatever is possible within this context. Scenario 5: The user has the following authorizations assigned. He has an even higher authorization [Authorization C] than required. Conclusion: The authorizations are accumulated within the user master record. The user master data is scanned during the different steps of the authorization check procedure. If a match or an even higher authorization is detected, the user successfully passes the authorization check.
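The check semantics of the scenarios above (logical AND over the fields within one authorization, accumulation of authorizations in the user master), together with the return codes 0, 4 and 12 explained in the trace section further down, as an added Python model. This is not SAP code and not part of the original text; F_LFA1_BUK and S_TABU_DIS are standard SAP authorization objects used for illustration, and all field values and the user master record are constructed.

```python
"""Added example: a model of the AUTHORITY-CHECK semantics described in the text.

Not SAP code and not part of the original text. A user master record is a list
of authorizations; a check on one object passes only if ALL requested fields
match within ONE authorization (logical AND), but ANY of the authorizations
accumulated for that object is sufficient. Return codes as in the trace
section of the text: 0 = check passed, 4 = the object is in the user master
but no authorization fits the requested values, 12 = the user master holds
no authorization for the object at all.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RC_PASSED = 0
RC_VALUES_MISSING = 4
RC_OBJECT_MISSING = 12


@dataclass(frozen=True)
class Authorization:
    """One authorization: an object and the permitted values of each of its fields."""
    obj: str
    fields: Dict[str, Tuple[str, ...]]


def value_allowed(permitted: Tuple[str, ...], requested: str) -> bool:
    """A requested field value is allowed if any permitted entry covers it.

    Constructed convention for the entries: '*' is full authorization,
    a trailing '*' is a prefix pattern, 'LOW-HIGH' is a closed interval.
    """
    for entry in permitted:
        if entry == "*" or entry == requested:
            return True
        if entry.endswith("*") and requested.startswith(entry[:-1]):
            return True
        if "-" in entry:
            low, high = entry.split("-", 1)
            if low <= requested <= high:
                return True
    return False


def authority_check(user_master: List[Authorization], obj: str, **requested: str) -> int:
    """Evaluate one check the way the text describes it and return the RC."""
    candidates = [a for a in user_master if a.obj == obj]
    if not candidates:
        return RC_OBJECT_MISSING          # object not in the user master at all
    for auth in candidates:
        # logical AND over all requested fields within this one authorization
        if all(value_allowed(auth.fields.get(f, ()), v) for f, v in requested.items()):
            return RC_PASSED              # a match or a higher authorization suffices
    return RC_VALUES_MISSING              # object present, but the values do not fit


def demo_user_master() -> List[Authorization]:
    """Constructed user master: two authorizations for F_LFA1_BUK (vendor master,
    company code), none for S_TABU_DIS (table maintenance via standard tools)."""
    return [
        Authorization("F_LFA1_BUK", {"ACTVT": ("03",), "BUKRS": ("1000",)}),
        Authorization("F_LFA1_BUK", {"ACTVT": ("01", "02"), "BUKRS": ("2000",)}),
    ]


def run_scenarios() -> Dict[str, int]:
    """Checks in the style of the scenarios above, keyed by what each one shows."""
    um = demo_user_master()
    wide = [Authorization("F_LFA1_BUK", {"ACTVT": ("*",), "BUKRS": ("1000-2999",)})]
    return {
        "display vendor in 1000, exact match":
            authority_check(um, "F_LFA1_BUK", ACTVT="03", BUKRS="1000"),
        "change vendor in 2000, match in the second authorization":
            authority_check(um, "F_LFA1_BUK", ACTVT="02", BUKRS="2000"),
        "display vendor in 2000, fields only match across two authorizations":
            authority_check(um, "F_LFA1_BUK", ACTVT="03", BUKRS="2000"),
        "display vendor in 2500 with a wider authorization than required":
            authority_check(wide, "F_LFA1_BUK", ACTVT="03", BUKRS="2500"),
        "maintain a table group without any S_TABU_DIS authorization":
            authority_check(um, "S_TABU_DIS", ACTVT="02", DICBERCLS="SC"),
    }


if __name__ == "__main__":
    for scenario, rc in run_scenarios().items():
        print(f"RC {rc:>2}  {scenario}")
```

The third scenario is the one that surprises people: activity 03 and company code 2000 each appear in the user master, but never in the same authorization, so the check returns 4.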
Exhibit 4. This includes basis administration, application maintenance, all customizing functions and the table maintenance for all tables, including the cross-client tables. From the aspect of segregation of duties it is not necessary to assign this profile in practice. If at all, it should only be assigned to an emergency user, who is supposed to be protected with dual control. Among others, the authorizations for the administration of cross-client tables as well as the transaction authorization for all transactions are in this profile.
This profile may be used for a limited time period after a release change in a development environment, but is not feasible for running productive operation. With this, no segregation of duties is possible in this area. Through this, he might gain complete access to all available data.
It contains comprehensive access to almost all data. This profile should not be assigned to anyone in the production system. You can evaluate which users have critical authorizations assigned.
In the section, you can review, for example, which user has a certain field, such as BUKRS [company code], assigned with a certain value, e. This way you can see who generally has access to this organizational unit. In the selection area Selection by values you can enter up to three authorization objects with corresponding field values for the evaluation of critical authorizations.
The objects are combined via logical AND. If your roles are menu based, you can use the as fourth element for your inquiry. This toolset has approx. The ruleset is customizable. A variety of features is included, for example the interactive simulation of role changes to identify potential SOD conflicts right at the beginning, or the integration into the profile generator or user maintenance.
A Fire Fighter solution is also part of the set, as well as a user provisioning entity. Therefore this report can now even be assigned to auditors. If this authorization is established in the user master, the previously listed authorizations are no longer necessary to execute the report.
Helpful OSS notes are: and . You have to be aware that any result provided in this report only shows the transactions that are assigned to the user. It does not provide any insight into the corresponding application authorizations that are required to successfully execute the transaction. With 7. The following tables are relevant for this report [Exhibit 4]. You can also utilize the interfaces to review change documents of selected entries, or check where the authorization is used. This report is a good tool to check and validate role changes in development phases, or user set-ups across systems.
This report is an excellent tool for role research. Via a click onto profile entries you can branch down to the authorization history level [Exhibit 4].
In this example an SAP standard program is copied into the customer namespace and modified to meet the company-specific needs [Exhibit 5]. Activate the report. After that the report is successfully changed. You may also add a user message to the source code, as in the example before. Select the transaction you want to maintain. The following message will be displayed. Select the target client. Enter your request ID and confirm via Enter. Select the item Authorization objects from the menu bar, and there the entry Insert.
The selected authorization object will be transferred to the list. When you are finished with the maintenance, do not forget to save the adjustments. You may use the popular ones, like e. All these transaction codes have one thing in common: to access tables, an authority check based on two authorization objects is executed. In a BC system you deal with approx. Aside from a lot of other differences, the tables can be divided into two groups: 1.
Cross-client tables are tables that are valid for the whole system, and not only for one client. Client-dependent tables are always valid for one client. The classification is documented by a technical setting that can be reviewed by looking up the table DD02L. The entry X means that this is a client-specific table. If the field is empty, the table is a cross-client table.
Tables are protected by so-called authorization groups. The defined groups are listed in the table TBRG. Every table can only have one authorization group, but every authorization group may protect a number of tables. The value for this object is X [indicator for cross-client maintenance].
All cross-client tables receive additional protection through this object. This is connected to special customizing adjustments, the definition and activation of so-called organizational criteria.
With the predefinition of organizational criteria like e. Because of the additional complexity of these fine tuning requirements [customizing on-line], this is rarely used in companies so far.
The authorization object consists of two fields. The assignment succeeds with the latter. An authorization group would be entered into the field SECU [authorization group]. You can however enter the desired values in the field Customer with the help of this report and have them saved. These reports allow searching for specific strings, like e.
Enter the name of the program and click the button Display. As a result, all included programs will be searched for this string [Exhibit 5, String search]. All detected entries will be displayed [Exhibit 5]. Make the following selection [Exhibit 5]. For more complex questions, such as who is allowed to post within the company code , business area , posting period 11 with the document type DR, several reports have to be called. A more effective possibility for these kinds of checks results from the export of the corresponding tables into a database, e.
There, the maximum number of hits is restricted as a standard to data records. This value has to be set higher; set it to a high value that cannot be reached, such as . Every table can be saved as a file for further processing.
Please select the button. Select the corresponding format [Exhibit 5]. The data will now be transferred to the file and can be edited with an associated application. With the help of the trace, all authorization objects on which an authority check is executed while working with the system can be logged.
This also includes the corresponding field values within the authorization objects. Call the transaction ST01 to use the system trace. Push the button General Filters. You can filter for the process you want to log, the user, the transaction, or the program. Enter the required selection, push the key Enter, and then activate the trace. Note: The trace should not be activated for all system users.
For user evaluation, always enter the username you want to analyze. With activation of the trace, all required access rights for the selected user will be logged. When all actions are traced and logged, switch the trace off. After that you can evaluate the results by pushing the button Analysis [or key F2]. The evaluation path varies depending on the current release level. Enter the required selection for evaluation and push the key F8 for activation.
In the context of performance analysis you can select a restriction in the field Duration, which is not very useful for an authorization trace. Additionally, an evaluation with consideration of tables can be set up, which might be helpful for SQL or table buffer traces. Select the required information in the dialog box and activate the button Analysis.
Users can be active on more than one instance. Select the instance you want to review. Select the user from the corresponding list. Mark the entry. In the menu bar select the path Goto — Terminals. Select the user. In the menu bar select the path Goto — Remote Server. From here you can activate the trace for the instance on which the user is located. The trace evaluation [Exhibit 5].
Type: the type of the selected trace component. From there you can branch into the related ABAP source code. Please find the component overview with corresponding acronyms. RC is the acronym for return code. The return values vary depending on the check result. The return code 0 means that the authorization was successfully checked. The return code 4 says that the required authorization for the authorization object is not available in the user master.
The return code 12 says that no authorization for the authorization object is available. Saving of trace results: There are different ways to save trace evaluation results. You can download the trace file in the evaluation display mode by saving the list locally. If trace information is to be protected against overwriting, you have to use the button Save after tracing.
For the automatic file name creation, the system provides a file name, and creates the file in the log directory. Automatically created file names can be selected with the F4 search key in the future. This option is not available for manually created names. Automatically created file names can be deleted within this application, manually created file names need to be deleted on the OS level separately.
Therefore the automatic file name creation is to be preferred. Trace configuration: The system trace is configurable through different profile parameters. To review the parameters, the transaction RZ11 can be used. The following parameters are adjustable. Because of performance issues this is not done directly but through a process-internal buffer. There is always only one file with this name. During the renaming, a file extension with the numbers 00 to 99 is added to the file name.
If this number is exceeded, the files will be overwritten. The system trace can be used not only for the evaluation of authority checks, but also for the evaluation of kernel functions, kernel modules, DB access, table buffer, RFC calls and lock operations.
For system monitoring the developer trace is usually preferred. First of all we have to understand how the maintenance activities can be executed: 1.
Call the transaction SE16N. Enter the name of the table you want to maintain into the corresponding field. This is then represented by an activated checkmark in the checkbox Maintain entries.
For the tables that do not offer this option automatically you have to choose a different path. You will then get the following message displayed: Exhibit 5.
Generate the table view with the help of the key F8. The maintenance protection is part of the technical adjustments for the table. Table maintenance in a production system always represents a critical risk, especially because not all changes are properly logged.
The advantage of using the transaction SE16N is that the accompanying changes are logged, as well as the responsible users. With the help of these tables, system traceability is available. After selecting one entry via double-click, you will then get e.
After that the Pencil button is activated and the settings are saved. The event IDs are A19 [change of field content] and A14 [program, line, and event]. But you will not be able to trace the former setting of the field.
This is also valid for the transaction codes based on SE16 that have a table directly assigned, like e. Important components are e. Relevant tools are e. Just like for the former basis kernel, the security of this platform is controlled by corresponding system security parameters. The following overview provides a short introduction to the relevant aspects of selected parameters. The parameter change history is available through transaction TU. The system profile parameters are stored in files on the operating system level [an instance, a start and default.
Dynamic parameters can be changed on the fly, while for static parameters a restart of the corresponding instance is necessary to activate the setting. Possible entries [until NW 6. Possible entries [after NW 6. Only letters, digits and the following special characters are allowed! The password may consist of various characters [incl.
The password may consist of any character and will be stored in UTF-8 format [Unicode]. If the system does not support Unicode, not every character can be entered during login. This parameter should only be set to 2 if the systems support the code. The common client for each client system should be entered here.
The system generates only new hash values that cannot be interpreted by older kernel versions. This setting is required in a CUA-controlled landscape with systems that have older kernel releases. The login fails. If not, a password change will be enforced. After that period of time, the password is rejected. There you can enter passwords that you want to exclude from usage in your company, as they might be easily guessed, for example the company name, address etc. Please be aware that communicating the corresponding entries will help to reduce confusion; an additional short introduction to the risks of weak passwords may also help to increase the level of user security compliance.
The information is written into text files that are saved on the operating system level. Enter the parameter name and activate the execution via F8. The cross-client information is written sequentially into this file until the maximum file size is reached. When the maximum limit is reached, a new file will be created, and the old file will be saved as a copy.
That means when the new file has reached the maximum size, it will be saved as a copy, and with this the former copy will be overwritten. A system log is written for every instance. If you run multiple instances, you have to make sure that you look up all corresponding log information.
To check all remote instances at the same time [which is to be preferred for efficiency], select the menu path System log — Choose — All remote system logs, then select the menu path Edit — Expert mode.
The following events and messages are important for audit and security reviews, and can be selected via the integrated button Message IDs. Together with the entries in A14 you can even evaluate with which program and which line. With BXF you can see if the table logging was deactivated in a program by a user. GEW shows if the authorization check for the lock management via SM12 was deactivated. LC0 displays if a user has executed logical OS commands.
F04 provides the information about deletion of DB tables. R0L allows you to see if a program was set to debug mode by a user. R0S displays manual inactivation of the update, R0T the manual activation, and R0U shows if an update request was deleted.
With R0W you can see if a terminated update was reposted. With R0Y you can show that terminated updates were displayed with SM. And R65 shows that an update was terminated. AUP shows which transaction was locked, and with AUQ you can also see if, and which, transaction was unlocked. In the log, you can call the detail view via double-click onto a selected entry. Important note: Please make sure that access to the log files on the OS level is restricted, and that the files are properly protected against unauthorized manipulation or even deletion.
Quite a number of departments try to mitigate this risk by additional internal controls like e. To reduce the risk of permeable controls to zero, the implementation of an asymmetric segregation of duties is to be considered. In departments with a lack of resources, a fully system-controlled segregation of duties is not always applicable.
All employees would need the authorization to create and change master data, e. With this methodology for segregation of duties, employee A can change the affected part of the master data. The master record is blocked for any further activities [payment run etc. In case of discrepancies, employee B can decline the changes. The master data will be blocked for further activities until an agreed change is applied, including confirmation.
The asymmetric approach results from the fact that employee A cannot release his own changes. As not all changes to vendor master data need to be considered as highly critical, the focus is usually on payment-relevant data such as bank data.
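Detection logic for the message IDs listed above, run over a few constructed system log lines, as an added Python example. It is not SAP code and not part of the original text; the pipe-separated export format, the users, programs and message texts are constructed, and only the message IDs (with their meaning paraphrased from the text) come from the page.

```python
"""Added example: flag the security-relevant system log message IDs from the text.

Not SAP code and not part of the original text. Input is a constructed
pipe-separated export (time|instance|user|tcode|msgid|message); the message
IDs and their meaning are paraphrased from the text above.
"""
from collections import Counter
from typing import Dict, List

SECURITY_MESSAGE_IDS: Dict[str, str] = {
    "A19": "field content changed in a running program",
    "BXF": "table logging deactivated in a program",
    "GEW": "authorization check for lock management (SM12) deactivated",
    "LC0": "logical OS command executed",
    "F04": "DB table deleted",
    "R0L": "program set to debug mode",
    "R0S": "update manually deactivated",
    "R0T": "update manually activated",
    "R0U": "update request deleted",
    "R0W": "terminated update reposted",
    "R0Y": "terminated updates displayed",
    "R65": "update terminated",
    "AUP": "transaction locked",
    "AUQ": "transaction unlocked",
}
# A14 carries program, line and event for a field change; it is reported
# together with the A19 it belongs to rather than as a finding of its own.
LOCATION_MESSAGE_ID = "A14"

SYSLOG_SAMPLE = """\
# constructed export, not a real SM21 listing: time|instance|user|tcode|msgid|message
10:02:13|PRD_00|JDOE|SE38|R0L|Program ZFI_PAYRUN set to debug mode
10:02:31|PRD_00|JDOE|SE38|A14|Program ZFI_PAYRUN line 215 event
10:02:31|PRD_00|JDOE|SE38|A19|Field GV_AMOUNT content changed
10:15:40|PRD_00|BATCHADM|SM13|R0U|Update request deleted
11:40:05|PRD_01|SYSADM|SM69|LC0|Logical OS command executed
11:41:00|PRD_01|SYSADM|SM01|AUP|Transaction FK02 locked
12:00:00|PRD_00|MMUSER|ME21N|XXX|Routine message, not in the audit list
13:05:22|PRD_00|JDOE|SE38|BXF|Table logging deactivated in program
"""


def parse_syslog_export(text: str) -> List[Dict[str, str]]:
    """Parse the constructed export into one dict per log record."""
    keys = ("time", "instance", "user", "tcode", "msgid", "message")
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 5)
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(parts)}")
        records.append(dict(zip(keys, parts)))
    return records


def find_security_events(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records whose message ID is in the audit list, each with its
    meaning; an A19 is enriched with the program/line from the last A14 of the
    same user on the same instance."""
    findings = []
    last_location: Dict[tuple, Dict[str, str]] = {}
    for rec in records:
        msgid = rec["msgid"]
        if msgid == LOCATION_MESSAGE_ID:
            last_location[(rec["instance"], rec["user"])] = rec
            continue
        if msgid not in SECURITY_MESSAGE_IDS:
            continue
        finding = dict(rec, meaning=SECURITY_MESSAGE_IDS[msgid])
        if msgid == "A19":
            a14 = last_location.get((rec["instance"], rec["user"]))
            finding["location"] = a14["message"] if a14 else "no preceding A14 entry"
        findings.append(finding)
    return findings


def events_per_user(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged events per user, a quick view of who needs follow-up."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    for f in find_security_events(parse_syslog_export(SYSLOG_SAMPLE)):
        extra = f" [{f['location']}]" if "location" in f else ""
        print(f"{f['time']} {f['instance']} {f['user']:<9} {f['msgid']} {f['meaning']}{extra}")
```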
The asymmetric approach allows the definition of fields that require additional protection in case of changes. The segregation of duties is then reduced to these fields only. Changes to telephone numbers e. Step 1: The fields that are supposed to be protected by the segregation of duties need to be defined.
The definition is realized by maintaining the desired entries in the table TF: vendor master bank key and bank account. Step 2: In a second step, the transactions need to be established for future user master data assignment, so that changes to the master data can be confirmed. This is usually done with transaction FK. The transaction FK09 List cannot be recommended because of the higher risk in permeability.
In addition, the user needs to have the authorization values 08 [Display changes] and C8 [Confirm changes] established. The protection of customer master data can be relevant as well, for example in case of high-volume credit notes that are paid.

Table of contents:
1. Premise
2. Protection of data being transmitted across state and international borders [non-violation of local and export laws]
3. Function structure
   - Explanation of concept
   - Integration in SAP system landscape with interfaces
   - Description of system and data ownership
   - Data classification
   - Overview of relevant organizational units
4. Dependency of authorizations
   - Segregation of duties
   - Functions
5. Basic system adjustments
   - Globally deactivated authorization objects
   - Deactivation of individual authorization objects
   - Name convention and use
   - User groups
   - User name convention
   - Roles
   - Use of SAP standard roles
   - Single roles
   - Composite roles
   - Indirect role assignment
   - Local
   - Global
   - Profiles
   - Use of SAP standard profiles
   - Reference users
This report contains details about the number of incorrect login attempts by a user and the user locks, and you can schedule this report as per your requirement. You can analyze the security audit logs using the SM20 transaction, but the security audit must be activated in the system to monitor security audit logs. The parameter configures this time. Automatic logoff in the SAP system is deactivated by default [value 0], that is, the users are not logged off even if they do not execute any actions for a longer period.
To make your system more secure and to implement strong authorization, you need to review your authorization plan to make sure that it meets the security requirements of the company and there are no security violations. User Types: In prior releases of the SAP System, the user types were only divided into two categories, Dialog users and Non-Dialog users, and only non-dialog users were recommended for communication between two systems. With SAP 4. The password can be changed by the user itself. For dialog users, multiple dialog logons can be prevented.
Multiple logins are allowed for this user and only an administrator can change the password for this user. It is not an interactive, system-dependent user, and multiple logins are allowed for this user.
This user is used to provide additional authorization to internal users. In a SAP system, you can go to the Roles tab and specify a reference user for additional rights for dialog users.
Users of this type can change their passwords like common dialog users. The RFC function module can be used to change the password. Enter the user type under the Logon data tab. We have five different user types. Using this tool, you can manage all user master records centrally in one system. Central User Administration allows you to save money and resources in managing similar users in one system landscape. The data exchange is performed using the ALE landscape, called Application Link Enabling, which allows exchanging the data in a controlled manner.
In a complex landscape environment, you define one system as the central system with an ALE environment, and this is linked to all the child systems using bidirectional data exchange. The child systems in the landscape are not connected with each other. Run the transaction SU01 and create a user with the administrator role assigned to it. To define a logical system, use transaction BD. Click on New Entries to create a new logical system.
Create a new logical name in capital letters for the Central User Administration for the central and all child systems, including those from other SAP systems. Save your entry by clicking on the Save button. Next is to create the logical system name for the central system in all child systems. Open the client that you want to assign to the logical system by double-clicking or by clicking on the Details button. A client can only be assigned to one logical system. In the Logical system field in the client details, enter the logical system name to which you want to assign this client.
To save your settings, click on the Save button at the top. This is the composite profile that contains all the authorizations in an SAP system. It is recommended that a single user is maintained with this profile, while the password for that user should be well protected and it should only be used when required. When a system upgrade is done, this profile is used so that some tasks run properly.
In PFCG, a role represents the work that a person performs, related to real-life scenarios. PFCG allows you to define the set of transactions that can be assigned to a person to perform their daily work.
These roles are the connection between users and authorizations in an SAP system. The actual authorizations and profiles are stored in the form of objects in an SAP system. To change an existing role, enter the delivered role name in the field. Enter the name from the namespace. Click on the value selection button and select the role to which you want to copy this. To change the role, click on the Change button in Role Maintenance. Navigate to the Menu tab to change the user menu on the Menu tab page.
Go to the Authorization tab to change the authorization data for that user. Click on the Generate button to generate the profile for this role. To assign users to this role, go to the User tab in the Change Role option. To assign a user to this role, it should exist in the system. Click on the User Comparison option. You can also click on the Information button to know more about single and composite roles and the User Comparison option to compare the master records. Enter the role name and click on Create Single or Composite Roles as shown in the screenshot below.
Navigate to the Authorization tab to generate the profile, and click on the Change Authorization data option. When you enter a particular value in the dialog box, the authorization fields of the role are maintained automatically. You can adapt the reference for the roles. Once a role definition is done, you need to generate the role. In this structure, when you see red traffic lights, they show the organizational levels with no values. You can enter and change organizational levels with Organization levels next to the Maintained tab.
Enter the profile name and click on the tick option to complete the Generate step. You can directly assign this role to users by going to the User tab. You will reach the role transport option. If the user assignments are also transported, they will replace the entire user assignment of roles in the target system. This role is entered in a customizing request.
You can view this using transaction SE. In the customizing request, authorization profiles are transported along with the roles. As in the User node, you can perform a search on users based on selection criteria. You can get the list of locked users, users having access to a particular set of transactions, etc.
When you expand each tab, you have the option to generate different reports based on different selection criteria. Role Node: In a similar way, you can access different nodes like Roles, Profiles, Authorizations and various other options under this user information system.
You can also use the SUIM tool for searching roles and profiles. You can enter different selection criteria and pull the reports based on users, profiles, roles, transactions and various other criteria. Password Protection: On a Unix platform, an attacker can use a dictionary attack program to discover password information stored in the Unix OS.
You can store the passwords in a shadow password file, to which only the root user has access, to improve the security of the system. The remote services rlogin and remsh are a security threat in this scenario and you need to deactivate these services. You can deactivate these services in inetd. In a Unix system, rlogin is a remote shell client like SSH, which is designed to be fast and small.
It is not encrypted, which may have some small drawbacks in high security environments, but it can operate at very high speeds. Both the server and client do not use a lot of memory.
To access work directories, the authentication process involves network addresses. It is possible that unauthorized access can be gained by attackers over the Network File System using IP spoofing. Global groups are available to all servers in one domain. You can choose the names of global groups as per your convenience. Local Groups: Local groups in the Windows platform are limited to one server in a domain. During the installation, rights are assigned to individual users and not to groups.
However, it is recommended that you assign access rights to local groups instead of single users. Local groups are used to increase the security of the Windows environment in shared domains. You can further assign global users and global groups to a local group. Also, note that the Administrator and Guest users are created during the installation process and are used to perform Window specific tasks.
All these users should be protected on a Windows platform. You need to protect the standard users of these databases. Passwords should be protected for standard users and changed regularly. Oracle Standard Users: The following table shows the list of standard users in the Windows environment. Passwords should be maintained for all these users. You should first stop the SAP system if it is running and then execute the command given below.
There are various utilities that you can use for a password change. SSO configuration simplifies how a user logs into the SAP systems and applications in the landscape, enhances the security measures and reduces the password management tasks for multiple systems. SSO helps an organization reduce its operating costs by decreasing the number of calls to the Service Desk related to password issues, and hence increases the productivity of the business users.
The login mechanism in the system depends on the technology of the SAP NetWeaver system and the different communication channels used for accessing those systems. It will generate a new profile. The certificate information is displayed. Note down the values of this certificate as you need to enter the values.
Example: EBS. Select the. Using SSO, users can access backend systems and other secured information located in the company network. SSO allows you to use several security authentication methods for integrating web-based user access on NetWeaver Application Servers. You can also implement various network communication security methods like cryptography to send the information over the network.
You can configure a portal to issue SAP logon tickets to the users, and the users need to authenticate against this system for initial access. When SAP logon tickets are issued to users, they are saved in the web browser and allow the user to log in to different systems with SSO. To configure SAP logon tickets, the following parameters should be set in the user profile. An SSO ticket can be a logon ticket or an assertion ticket. Note: This requires additional configuration steps for the issuing and accepting systems.
If only the procedure X. To set the parameter, use transaction RZ. Note: This requires additional configuration steps for the issuing and accepting systems.
When creating an SSO ticket, you can set the validity period. Once this has expired, the SSO ticket cannot be used any more to log on to workplace component systems. The user then needs to log on to the workplace server again to obtain a new SSO ticket. The client certificates use very strong cryptography methods to secure user access to the NetWeaver Application server, so your NetWeaver Application Server should be enabled with strong cryptography techniques.