GRC Nordic SAP User Management · 2020-10-21
TRANSCRIPT
GRC Nordic SAP User Management webinar
Team today: Christa Schönberg, Mikko Syrjänen
Deep Dive into SAP Security
Authorization check logic and its consequences
Authorization Objects
How the system authorization checks work
Consequences of the nature of the objects
Protect your data systematically
Authorization Objects
System authorization check
Consequences 1: Display roles
Consequences 2: Custom code authorizations
Consequences 3: Protecting specific data
Summary and take-aways
Authorization Objects
• Authorization Objects
• An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately maintained in the user master.
• From SAP Help, 2020
Authorization Objects
Terminology
• Authorization Object Name
• Authorization Object Text
• Class: logical grouping of objects
• Fields
• All fields within one object are checked simultaneously, as one value combination
• If, for example, Plant and Activity are not in the same object, the two fields are checked independently of each other, so for one role / person you cannot combine "Display for all plants" with "Create for one plant only": Create would apply to all plants
System authorization check
• A user starts transaction FB50
• Object S_TCODE is checked
• The user enters the data in the transaction
• User action (save, execute, generate etc.)
• Objects F_BKPF_BUK, F_BKPF_BUP, F_BKPF_GSB and F_BKPF_KOA are checked
• The user action is executed
• All authorization objects and values of all assigned roles are loaded at logon into the USER BUFFER (transaction SU56), sorted alphabetically by object name
• When the code executes an authorization check, it is the user buffer (SU56) that is checked, not the role
• It is irrelevant for which transaction or role a given object value was granted: the buffer keeps no such link
ROLE: Bookkeeper
• F_BKPF_BUK
• Company Code 1000
• All Activities
Behaviour of authorization objects with multiple instances
ROLE: Payment recorder
• F_BKPF_BUK
• Company Code 1000
• Display
ROLE: Financial reporter
• F_BKPF_BUK
• All Company Codes
• Display activity
• A user's limitations must be set systematically across all assigned roles, otherwise accesses start to leak
• In this example: 1 user, 3 roles, three different setups of the same object
• The first instance the check finds that allows the action is used, irrespective of whether that access was given for a specific transaction
• In practice this user has display in all company codes and all activities in company code 1000, which is not what was wanted in the Payment recorder role
Consequences 1: Display roles
Let's grant MIGO in display. "Yes"
OK. The role is called MIGO Display. "Erh… yes… we try"
MIGO DISPLAY
Hey this works!
Consequences 1: Display roles
Time goes by…
Roles assigned to the user over time: MIGO DISPLAY, Accounts Payables Accountant, Finance Reporting, Period End Assistant
Consequences 1: Display roles
But it says DISPLAY!!! I approved Display. How can you do Goods Receipts??
Consequences 1: Display roles
• Be aware of the problem
• Display roles should only contain display transactions
• Non-display transactions in a display role open up posting as soon as posting roles are assigned separately: the activity then comes from another role's instance in the user buffer
• Non-display transactions can also easily get a change activity pulled into the role from SU24 if the role was maintained wrongly in the first place
• Use screen variants
• Don't grant access to multifunctional transactions of this type in display roles: CJ20N, MIGO, MIRO, FS00, etc.
• Minimize the risk of the system opening up by managing this in a very pedantic way
Consequences 2: Custom Code Authorizations
• Custom code has no authorization check at all, apart from S_TCODE at transaction start, unless one is programmed in
• This means that if you grant the transaction to users, they can see and do everything the code allows
• You should always:
  • implement at least an activity check and an organizational-level check
  • aim to use your own authorization objects unless a standard one clearly fits, i.e. don't use standard objects in the wrong way
  • ensure the SoD library is updated when creating custom code, if the transaction is SoD-relevant
  • ask whether the custom code shows GDPR-relevant information
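Added example, not code from the webinar: a small Python model of the user buffer and of ABAP AUTHORITY-CHECK semantics as described in the check-logic slide and the multiple-instance slide above, run against the three roles from the slides (Bookkeeper, Payment recorder, Financial reporter), followed by the custom-code consequence: a report whose only check is S_TCODE beside the same report with a per-record activity and organizational-level check. The S_TCODE entries of the roles, the custom transaction ZFI_OPEN and the sample documents are assumptions; only exact values and `*` are modelled, not PFCG ranges or patterns. The MIGO display case on the earlier slides is the same mechanism with M_* objects in place of F_BKPF_BUK.

```python
"""Toy model of the SAP user buffer and of ABAP AUTHORITY-CHECK semantics.

Added example, not code from the webinar. Role contents are constructed: the
F_BKPF_BUK values of the three roles come from the slides; the S_TCODE entries,
the custom transaction ZFI_OPEN and the documents are assumptions. Only exact
values and '*' (full authorization) are modelled, not PFCG ranges or patterns.
"""
from __future__ import annotations

# One authorization instance = (object name, {field name: set of allowed values}).
Authorization = tuple[str, dict[str, set[str]]]


def load_user_buffer(roles: dict[str, list[Authorization]]) -> list[Authorization]:
    """Flatten every authorization of every assigned role into one list sorted by
    object name, as SU56 shows it. The role or transaction an instance was built
    for is not kept: that is the 'no relevancy' property the slides stress."""
    buffer = [auth for auths in roles.values() for auth in auths]
    buffer.sort(key=lambda auth: auth[0])
    return buffer


def authority_check(buffer: list[Authorization], obj: str, **fields: str) -> int:
    """Mimic AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2 ...
    Returns the sy-subrc the statement sets: 0 when ANY single instance of obj
    covers ALL requested field values, 4 when no instance does, 12 when obj is
    not in the buffer at all. Values of different instances are never mixed."""
    instances = [allowed for name, allowed in buffer if name == obj]
    if not instances:
        return 12
    for allowed in instances:
        if all(value in allowed.get(fld, set()) or "*" in allowed.get(fld, set())
               for fld, value in fields.items()):
            return 0
    return 4


def roles_granting(roles: dict[str, list[Authorization]], obj: str, **fields: str) -> list[str]:
    """Which roles carry an instance that satisfies this check? This is the question
    to ask when a check succeeds that a given role was never meant to allow."""
    return [role for role, auths in roles.items() if authority_check(auths, obj, **fields) == 0]


# Constructed roles. F_BKPF_BUK values as on the slides; S_TCODE entries assumed.
ROLES: dict[str, list[Authorization]] = {
    "Bookkeeper": [
        ("S_TCODE", {"TCD": {"FB50"}}),
        ("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"*"}}),    # CoCode 1000, all activities
    ],
    "Payment recorder": [
        ("S_TCODE", {"TCD": {"ZFI_OPEN"}}),                      # assumed custom report
        ("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"03"}}),   # CoCode 1000, display only
    ],
    "Financial reporter": [
        ("S_TCODE", {"TCD": {"FB03"}}),
        ("F_BKPF_BUK", {"BUKRS": {"*"}, "ACTVT": {"03"}}),      # all CoCodes, display only
    ],
}

# Constructed sample documents: (company code, document number, amount).
DOCUMENTS = [("1000", "1900000001", 1200.00),
             ("2000", "1900000002", 830.50),
             ("3000", "1900000003", 99.90)]


def effective_access(roles: dict[str, list[Authorization]] = ROLES) -> dict[str, int]:
    """Return codes the kernel gives a user holding all three roles. The intent of
    Payment recorder (display only, 1000) is gone: posting in 1000 succeeds via the
    Bookkeeper instance, display in 2000 via Financial reporter; only posting
    outside 1000 is still refused."""
    buf = load_user_buffer(roles)
    return {
        "start FB50": authority_check(buf, "S_TCODE", TCD="FB50"),
        "post in 1000": authority_check(buf, "F_BKPF_BUK", BUKRS="1000", ACTVT="01"),
        "post in 2000": authority_check(buf, "F_BKPF_BUK", BUKRS="2000", ACTVT="01"),
        "display 2000": authority_check(buf, "F_BKPF_BUK", BUKRS="2000", ACTVT="03"),
    }


def zfi_open_items(buffer: list[Authorization], with_check: bool) -> list | str:
    """Custom report behind the assumed transaction ZFI_OPEN. The kernel checks only
    S_TCODE at transaction start. with_check=False is a report whose developer coded
    nothing else; with_check=True adds the per-record display check on F_BKPF_BUK
    (activity plus organizational level) the slides ask for."""
    if authority_check(buffer, "S_TCODE", TCD="ZFI_OPEN") != 0:
        return "no authorization for transaction ZFI_OPEN"
    if not with_check:
        return list(DOCUMENTS)  # every company code leaks
    return [doc for doc in DOCUMENTS
            if authority_check(buffer, "F_BKPF_BUK", BUKRS=doc[0], ACTVT="03") == 0]


def custom_report_demo(roles: dict[str, list[Authorization]] = ROLES) -> dict[str, list | str]:
    """A user holding only Payment recorder (display in 1000) runs the report both ways."""
    buf = load_user_buffer({"Payment recorder": roles["Payment recorder"]})
    return {"unchecked": zfi_open_items(buf, with_check=False),
            "checked": zfi_open_items(buf, with_check=True)}


if __name__ == "__main__":
    for label, rc in effective_access().items():
        print(f"{label:13s} sy-subrc={rc}")
    print("posting in 1000 granted by:", roles_granting(ROLES, "F_BKPF_BUK", BUKRS="1000", ACTVT="01"))
    for mode, result in custom_report_demo().items():
        print(f"ZFI_OPEN {mode}: {result}")
```

Running the script shows the leak from the slides (sy-subrc 0 for posting in 1000 and for displaying 2000, although the Payment recorder role granted neither) and that `roles_granting` points straight at the Bookkeeper instance; the unchecked report returns all three company codes to a user authorized for 1000 only, the checked one returns only the 1000 document.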
Consequences 3: Protecting special data
• You want to make sure that a specific account group is kept away from certain users
• Find out which object restricts this business object (SU24)
• Choose a candidate object and test it
• Decide which object and field values to use
• Find all roles that contain this field and analyse their current values
• Ensure that you systematically restrict ALL roles with this object correctly, and make sure the role assignment process takes this limitation into account
Real life experiences…
Search help in vendor and customer master data
In many systems the authorization check for customer and vendor master search does not check the authorization objects until you actually open the master data item. This means a user can list everything in the search help, including data they are not authorized to see, before opening any item, and then list it all and download the items. The search help accepts very many criteria for customer and vendor data. There are SAP Notes that fix this issue and activate the checks.
Activating the check immediately created the need to maintain the *_GRP object systematically. Depending on how many roles the object existed in, each had to do a massive activity to update large numbers of roles. The new roles needed to be transported to production simultaneously with the activated check.
Summary and take aways
• Authorization objects are
  • collections of fields that are checked at the same time
  • loaded into the user buffer at logon in alphabetical order
  • what the SAP code searches for a matching value combination when the user executes a program
• Roles must have systematically maintained authorization object values to make sure the restrictions work
• Display roles should hence only have display t-codes
• Custom code must have authorization checks implemented separately
• Special data must be protected in all object instances in all roles, systematically, for the restrictions to work
GRC Nordic events 2020
Event	Date
› Webinar: SAP authorization concept	Webinar: 16.11, 18.11
› A new and interesting series will be published for 2021!