introduction to security sap

Upload: jmaniya

Post on 09-Apr-2018


  • 8/8/2019 Introduction to Security Sap

    1/61

    Introduction to SAP Security

    Kyle Balcerzak

    SAP Security Consultant

    Wednesday March 31, 2010

  • 2/61

    Download the presentation recording with audio from the

    Symmetry Knowledge Center

    www.sym-corp.com/knowledge-center

  • 3/61

    Upgrade & Project Support

    Security Design & Administration

    SAP NetWeaver / Basis administration

    SAP Certified Hosting

    Implementation Support

    Lifecycle Support for any SAP application on any platform combination

    Symmetry Corporation

  • 4/61

    Quality: proactive support delivered by US-based experts

    Accessibility: 24x7 direct access to your support team

    Affordability: highly competitive fixed-price contracts

    Symmetry's 21st Century Approach to Managed Services

  • 5/61

    Introducing

    Kyle Balcerzak

    SAP Security Consultant

  • 6/61

    What We'll Cover

    Introduction: Why is Security Important?

    Legal Requirements: SOX, HIPAA, ITAR; Risks & Controls; Why Unregulated Companies Should Care

    Security Architecture: User Master Record, Roles, Profiles, Authorization Objects, User Buffer, 4 Doors to SAP Security

    Managing Security: Security Team, Role owners and the approval process, Periodic Access Validation, Troubleshooting and information, Security Tools

  • 7/61

    Why is Security Important?

    Security is the doorway to the SAP system.

    Security is a way of protecting information from unauthorized use.

    Security can unlock the flexibility of the system and customize it for each user.

    Information stored in SAP is one of your company's most valuable business assets.

  • 8/61

    What is SAP Security?

    SAP application security controls who can do what in SAP.

    Examples:

    Who can approve purchase requisitions over $10,000 (ME54N)?

    Who can view other employees' social security numbers in the system (PA20)?

    Who can update vendor bank information (XK02)?

    Who can create or modify users (SU01)?

  • 9/61

    Security Objectives

    Confidentiality - prevent users from viewing and disclosing confidential information.

    Integrity - ensure the accuracy of the information in your company's system.

    Availability - prevent the accidental or deliberate loss or damage of your company's information resources.

  • 10/61

    Security Against Whom?

    When people think about system security, they usually think about people outside the company:

    Business espionage

    Political rivals

    In reality, you need to protect against your own people:

    Curiosity

    Accidental access

    Intentional access

  • 11/61

    Factors to Consider

    How important is your SAP system and the data stored in it to your business?

    Do you have a policy requiring certain levels of security?

    Do your internal or external auditors require a certain level of security for the information stored in your system?

    Will you need some degree of security in the foreseeable future?

  • 12/61

    Legal Requirements

    SOX, HIPAA, ITAR

    Segregation of Duties vs. Excessive Access

    Controls: Preventive vs. Detective

    Why Smaller Companies Should Care

  • 13/61

    Sarbanes-Oxley (SOX) Act

    Executives are ultimately responsible for confirming the design and effectiveness of internal controls

    Excessive access and Segregation of Duties issues are key points

    Ultimately data integrity is key

  • 14/61

    SOX Continued

    Segregation of Duties: one user can perform two or more conflicting actions, which causes a risk.

    Example:

    Activities: Someone can create vendor master records and then process accounts payable payments

    Risk: Gives someone the access to create a fictitious vendor and generate fraudulent payments to that vendor

    Excessive Access: one action that a user can perform that is outside their area of expertise or jurisdiction, or that allows critical access

    Example:

    Activity: End user can use SP01 to see the spool requests for all users

    Risk: Users may view sensitive financial documents or payroll information, for example.
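    The Segregation of Duties and excessive access risks above are what a detective control would look for across a user's role assignments. The Python below is an added example written for this page, not code from the presentation or from any SAP product: the roles, users and the F110 payment-run transaction are assumed, while XK02, SP01 and SU01 are the transactions the slides name.

```python
"""Constructed model of the Segregation of Duties (SoD) and excessive access
checks described above. Example code written for this page, not code from
the presentation or from any SAP product; every role, user and rule is
invented sample data."""

# Single roles carry transactions; composite roles contain other roles
# (the Role Types distinction the deck makes). XK02, SP01 and SU01 are the
# transactions named on the slides; F110 (payment run) is assumed here.
SINGLE_ROLES = {
    "Z_VENDOR_MAINT": {"XK02"},             # maintain vendor master / bank data
    "Z_AP_PAYMENTS": {"F110"},              # run accounts payable payments
    "Z_SPOOL_DISPLAY": {"SP01"},            # view spool requests of all users
    "Z_PURCHASING": {"ME21N", "ME22N"},
}
COMPOSITE_ROLES = {
    "ZC_AP_CLERK": {"Z_VENDOR_MAINT", "Z_AP_PAYMENTS"},
}
USERS = {
    "ALICE": {"ZC_AP_CLERK"},
    "BOB": {"Z_PURCHASING", "Z_SPOOL_DISPLAY"},
    "CAROL": {"Z_VENDOR_MAINT"},
}

# Rule set: an SoD conflict is a pair of transactions one user must not hold
# together; a critical transaction is excessive access on its own.
SOD_CONFLICTS = {
    frozenset({"XK02", "F110"}): "maintain vendor master + pay vendors",
}
CRITICAL_TCODES = {
    "SP01": "view spool requests of all users",
    "SU01": "create or modify users",
}


def flatten_role(role, seen=None):
    """Resolve a role name to its transaction set, expanding composites
    recursively and ignoring cycles or unknown names."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    if role in COMPOSITE_ROLES:
        tcodes = set()
        for child in COMPOSITE_ROLES[role]:
            tcodes |= flatten_role(child, seen)
        return tcodes
    return set(SINGLE_ROLES.get(role, ()))


def user_tcodes(user):
    """Everything a user can start, across all assigned roles."""
    tcodes = set()
    for role in USERS.get(user, ()):
        tcodes |= flatten_role(role)
    return tcodes


def analyse_user(user):
    """Return (sod_findings, excessive_findings) for one user. This is a
    detective control: it reports existing conflicts, it does not block them."""
    tcodes = user_tcodes(user)
    sod = sorted(why for pair, why in SOD_CONFLICTS.items() if pair <= tcodes)
    excessive = sorted(f"{t}: {why}" for t, why in CRITICAL_TCODES.items()
                       if t in tcodes)
    return sod, excessive


def analyse_all():
    """Run the analysis for every user in the constructed data."""
    return {user: analyse_user(user) for user in USERS}
```

    ALICE holds both halves of the vendor/payment conflict only because her composite role is flattened first; a check that looked at role names alone would miss it.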

  • 15/61

    HIPAA and ITAR

    Health Insurance Portability and Accountability Act

    Personal health information can be shared with appropriate people for patient care.

    Typically comes into play in SAP HR systems.

    Data privacy concerns: if an employee has a potentially embarrassing injury at work, these details are stored in the system and should only be viewed by authorized personnel.

    International Traffic in Arms Regulations

    Controls the import/export of defense related articles and information.

    Data privacy concerns: information and material specifically about defense and military technologies must only be shared with US Persons or those who are approved.

    Shipping concerns: unauthorized users should not have access to change customer shipping information.

  • 16/61

    Controls Preventive vs. Detective

    In order to prevent fraud and accidental errors, and to protect sensitive information, we must have controls.

    There are two main categories of controls:

    Preventive controls: prohibit inappropriate access

    Authorizations, configuration, User-Exits, and so on

    Detective controls: rely on other processes to identify inconsistencies

    Alerts, periodic reporting, system monitoring

  • 17/61

    Why Unregulated Companies Should Care

    Why should we care about segregating duties, excessive access or documenting our business processes if we are not publicly traded or subject to legal requirements?

    Documentation

    Reduction in errors

    Cost of errors

    Loss of customers

    Fraud happens

    Protection of trade secrets

    Preserve confidential information

  • 18/61

    Security Architecture

    Authorization Objects Intro

    User Master Record

    Roles: Single, Derived, Composite

    Task-based vs. Job-based Roles

    Profiles

    Authorization Objects

    User Buffer

    4 Doors to SAP Security

  • 19/61

    Authorization Concept

    Diagram: User → User Master Record → Roles → Profiles → Authorization Objects → SAP Functionality

  • 20/61

    Authorization Objects

    Authorization Objects are the keys to SAP security

    When you attempt actions in SAP the system checks to see whether you have the appropriate Authorizations

    The same Authorization Objects can be used by different Transactions

    Example: in order to display a table, a user must have the Authorization Object S_TABU_DIS with the appropriate values

  • 21/61

    User Master Records

    Required to establish access for Users.

    Created when a User is created.

    User Master Records are client-dependent!

  • 22/61

    User Master Records

    User Master Record information includes:

    Name, Password, Address, Company information

    User Group (used for security administration or searching capabilities)

    Reference to Roles and Profiles (access capabilities are not stored directly in user master records)

    User type:

    Dialog: typical for most users

    System: cannot be used for dialog login, can communicate between systems and start background jobs

    Communications Data: cannot be used for dialog login, can communicate between systems but cannot start background jobs

    Reference: cannot log in, used to assign additional Authorizations to Users

    Service: can log in but is excluded from password rules, etc. Used for Support users and Internet services

    Validity dates (from/to)

    User defaults (logon language, default printer, date/decimal formats)

  • 23/61

    User Master Record

  • 24/61

    Roles and Profiles

    Profiles contain Authorization Objects

    Roles contain Profiles

    Profiles that come delivered with the system or were created from scratch can be assigned directly to users

    Profiles that were created for a Role are attached to that Role and cannot be assigned directly. You must assign the Role and the system will then assign the user the correct Profile

    Diagram: User → User Master Record → Roles → Profiles → Authorization Objects → SAP Functionality

    Users are assigned Roles and Profiles which contain Authorization Objects

  • 25/61

    Roles

    Roles are built on top of Profiles and include additional components such as:

    User menus

    Personalization

    Workflow

    In modern SAP systems, users are typically assigned the appropriate Roles by the security team

    The system will automatically add the appropriate Profile(s) for each Role assigned

    Note: Authorization Objects only exist in Profiles (either on their own or when nested in Roles)

    A Role has several parts, including: Description, Documentation, Menu, Profile

  • 26/61

    Tips for Managing Roles

    Roles typically do not change often

    It is strongly recommended that they be created in a Development client, then transported to Quality (tested, hopefully) and finally promoted to Production.

    Roles should originate from the same client (pick one to be your security development client).

    It is much easier to assign an existing Role to a User than to create or modify a Role.

    SAP's template Roles are intended only as examples.

    Best practice is to have Users tell you the exact Transactions they require and build Roles from scratch.

    At the very least, copy them into your own namespace.

    Be aware that many of them contain too much access, so be careful!

  • 27/61

    Roles

  • 28/61

    Roles

    Profile for a Role:

  • 29/61

    Role Types

    There are 3 types of Roles:

    Single: an independent Role

    Derived: has a parent and differs only in Organization Levels. Maintain Transactions, Menu, Authorizations only at the parent level

    Composite: a container that holds one or more Single or Derived Roles

    Derived Role example:

    Purchaser Parent

    ME21N, ME22N for all or no Purchasing Organizations

    Purchaser Child 1

    ME21N, ME22N for Purchasing Organization 0001

    Purchaser Child 2

    ME21N, ME22N for Purchasing Organization 0002

  • 30/61

    Role Types

    Composite Role example:

  • 31/61

    Task-based vs. Job-based Roles

    Task-based

    Each Role performs one function (usually one or only a few Transactions)

    Vendor master creation

    Create sales order

    Job-based

    Each Role contains most functions that a user will need for their job in the organization

    A/P Clerk

    Buyer

    Warehouse Manager

    Hybrid approach

  • 32/61

    Profiles

    Authorization Objects are stored in Profiles

    Profiles are the original SAP Authorization infrastructure

    Ultimately a user's Authorizations come from the Profile(s) that they have assigned

    Profiles are different from Roles.

    Diagram: User → User Master Record → Roles → Profiles → Authorization Objects → SAP Functionality

  • 33/61

    Examples of Delivered Profiles

    SAP_ALL

    Delivered with the system

    Contains almost all Authorization Objects

    SAP_NEW

    Contains the new objects in the current release that are required to keep old transactions functioning.

    It does NOT contain all new Authorization Objects for that release

    S_A.xxxxxxx

    Standard BASIS Profiles for various job functions (i.e. customizing, development, administration, etc.)

  • 34/61

    Authorization Objects

    Authorization Objects are the keys to SAP Security

    When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations

    The same Authorization Objects can be used by different Transactions

    Example: in order to display a table, a user must have the Authorization Object S_TABU_DIS with the appropriate values

  • 35/61

    User Buffer

    When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer

    As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer.

    You can see the buffer in Transaction SU56

  • 36/61

    Example of Authorization Check

    When attempting to execute a Transaction, each instance of a required Authorization Object that a user has is checked by the system until the system finds a match.

    Example: User would like to create a Sales Order of the Document Type Standard Order (OR).

    One of the Authorization Objects that the system looks for is V_VBAK_AAT

    There are two fields: Activity and Order Type

    To create a sales order for this type, the user will need:

    V_VBAK_AAT with:

    Activity 01 (Create)

    Order Type OR (Standard Order)

  • 37/61

    Example of Authorization Check

    To create a sales order for the Standard Order type, the user will need:

    V_VBAK_AAT with:

    Activity 01 (Create)

    Order Type OR (Standard Order)

    The user might have this Object several times from several Roles. The system keeps checking until it finds a match:

    Role 1

    V_VBAK_AAT

    Activity 03 (Display)

    Order Type * (All Order Types)

    V_VBAK_AAT

    Activity 01 (Create)

    Order Type B1, B2, CS

    Role 2

    V_VBAK_AAT

    Activity 01 (Create)

    Order Type OR, RE

  • 38/61

    Authorization Checks

    How does SAP test whether the user has Authorization to execute functions? What happens when I try to start and run a Transaction?

  • 39/61 to 42/61

    Authorization Checks: Executing a Transaction

    1. Does the Transaction Exist?

    2. Is the Transaction locked?

    3. Can the User start the Transaction?

    4. What can the User do in the Transaction?

  • 43/61

    Authorization Checks: Executing a Transaction

    1) Does the Transaction exist?

    All Transactions have an entry in table TSTC

    2) Is the Transaction locked?

    Transactions are locked using Transaction SM01

    Once locked, they cannot be used in any client

    3) Can the User start the Transaction?

    Every Transaction requires that the user have the Object S_TCODE = Transaction Name

    Some Transactions also require another Authorization Object to start (varies depending on the Transaction)

    4) What can the User do in the Transaction?

    The system will check to see if the user has additional Authorization Objects as necessary
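    The four start-up checks above, and the User Buffer walk from the earlier V_VBAK_AAT slides, can be modelled in a few lines to see why the sales-order example only succeeds when both Roles are assigned. This Python is an added example written for this page, not SAP's implementation: the transaction table, lock list, roles and the VA01/VA02 transactions are assumed, while V_VBAK_AAT (fields ACTVT, AUART) and S_TCODE (field TCD) are the real object and field names.

```python
"""Constructed model of the four start-up checks and the User Buffer
matching described on these slides. Example code written for this page,
not SAP's implementation: TSTC, the SM01 lock list and the roles below are
invented sample data. VA01/VA02 are assumed here; V_VBAK_AAT with fields
ACTVT/AUART, and S_TCODE with field TCD, are the real names."""

TSTC = {"VA01", "VA02", "SU01", "SP01"}          # 1) transactions that exist
LOCKED = {"SU01"}                                # 2) locked via SM01
# 3) some transactions need a second object to start, besides S_TCODE
START_CHECKS = {"VA01": ("V_VBAK_AAT", {"ACTVT": "01", "AUART": "OR"})}
WILDCARD = "*"


def field_matches(allowed, value):
    """A field value list matches when it holds '*' or the exact value.
    Real SAP also accepts ranges and trailing-* patterns; not modelled."""
    return WILDCARD in allowed or value in allowed


def buffer_has(user_buffer, obj, required):
    """Walk every instance of `obj` in the buffer until one satisfies all
    required fields: the 'keeps checking until it finds a match' rule."""
    for instance in user_buffer.get(obj, ()):
        if all(field_matches(instance.get(f, ()), v) for f, v in required.items()):
            return True
    return False


def build_user_buffer(roles):
    """Load the authorizations of all assigned roles into one buffer,
    the way SU56 shows them after logon."""
    buf = {}
    for role in roles:
        for obj, instances in role.items():
            buf.setdefault(obj, []).extend(instances)
    return buf


def start_transaction(user_buffer, tcode):
    """Return 'OK' or the step (1-3) at which starting `tcode` fails."""
    if tcode not in TSTC:
        return "1: transaction does not exist"
    if tcode in LOCKED:
        return "2: transaction is locked (SM01)"
    if not buffer_has(user_buffer, "S_TCODE", {"TCD": tcode}):
        return "3: missing S_TCODE"
    if tcode in START_CHECKS:
        obj, required = START_CHECKS[tcode]
        if not buffer_has(user_buffer, obj, required):
            return f"3: missing {obj}"
    return "OK"


def can_do_in_transaction(user_buffer, obj, required):
    """Step 4: checks inside the transaction reuse the same buffer walk,
    e.g. whether the user may create a different order type."""
    return buffer_has(user_buffer, obj, required)


# The slide's example: Role 1 allows display for all order types and create
# for B1/B2/CS; Role 2 allows create for OR/RE. Only together can the user
# create a Standard Order (OR).
ROLE_1 = {
    "S_TCODE": [{"TCD": ["VA01", "VA02"]}],
    "V_VBAK_AAT": [{"ACTVT": ["03"], "AUART": ["*"]},
                   {"ACTVT": ["01"], "AUART": ["B1", "B2", "CS"]}],
}
ROLE_2 = {"V_VBAK_AAT": [{"ACTVT": ["01"], "AUART": ["OR", "RE"]}]}
```

    Note that Role 2 alone fails at step 3 on S_TCODE even though it carries the right V_VBAK_AAT values, which is the kind of result SU53 would report as the last failed check.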

  • 44/61

    Managing Security

    Security Team

    Role Owners and the Approval Process

    Periodic Access Validation

    Troubleshooting and Information

    User Information System (SUIM)

    SU53

    Authorization Trace (ST01)

    Security Audit log (SM19/SM20)

    Security Tools

    Central User Administration

    SAP NetWeaver Identity Management

    SAP GRC Access Control Suite

    Symsoft ControlPanelGRC

  • 45/61

    SAP is a Complex Ecosystem

    There are many different SAP applications with different areas of expertise required

    Some of these require specialized security knowledge, e.g. HCM and BI/BW

    Examples:

    ECC (Sales and Distribution (SD), Materials Management (MM), Financial and Cost Accounting (FICO), Warehouse Management (WM), Quality Management (QM), Plant Maintenance (PM), Human Capital Management (HCM))

    Business Information Warehouse (BI/BW)

    Customer Relationship Management (CRM)

    Supplier Relationship Management (SRM)

    Advanced Planner and Optimizer/Supply Chain Management (SCM/APO)

    Portal

    And whatever else SAP dreams up!

  • 46/61

    Security Team

    Important to select an appropriate security team.

    Size consideration based on your organization:

    Auditing requirements

    Amount of changes

    Security staff knowledge

    Role changes should be done by the security team

    User assignments can be processed by the security team or the Basis team

    Unlocking Users/resetting passwords of Users can be done by the helpdesk

  • 47/61

    Security Team

    Outsourcing is a good option for many companies.

    Key reasons to outsource

    Expert help available: it's hard for part-time security staff to understand all of the complexities of SAP Security

    Internal staff may get overloaded and need extra help.

    Project work

    Provide coverage during vacations/sick days

    Key considerations in choosing an outsourcing provider

    Ongoing access to a team vs. consultant randomly assigned by a help desk

    24x7 access to support

    Fixed rate support vs. charge by the hour

  • 48/61

    Role Owners and the Approval Process

    The security team may know how to make changes to access, but will need to work with the business to determine what changes should be made.

    Changes include making changes to Roles (modifying Authorizations, adding/removing Transactions) and assigning those Roles to users.

    Have Role changes approved by the Role owner

    Have User assignment changes approved by both a manager and the Role owner.

    The business is often not aware of the implications of changes that are requested. Your security team should be able to point out potential risks when access is requested.

  • 49/61

    Periodic Access Validation

    It's a good idea to have Role matrix reports generated and reviewed periodically by Role owners

    Ensures that inappropriate changes were not made

    Accountability

    Consider doing this quarterly or at least yearly

  • 50/61

    Periodic Access Validation

    Example output of a report that was generated by ControlPanelGRC:

  • 51/61

    User Information System

    Transaction SUIM

    Great place to get information about Users/Roles

    TIP: it has had bugs over the years. If something seems incorrect, query the appropriate table directly.

  • 52/61

    SU53

    Last Authorization check that failed.

    May or may not be the Authorization that the User actually needs. Look at context clues to determine if it is appropriate.

    User may need more Authorization Objects after this one is added.

  • 53/61

    Authorization Trace

    Transaction ST01

    Records all Authorization Checks performed while a User is in the system.

    Does not include Structural Authorizations in HR Security.

    ControlPanelGRC Security Troubleshooter makes this process easier by recording the steps to recreate the issue and the Authorization Trace, and sending the output to the Security Team.

  • 54/61

    Security Audit Log

    Records information about what Users are doing

    Logon/logoff

    Transactions/reports started or attempted to start

    Password changes

    Workstation name of User

    Is not on by default.

    Transactions SM19/SM20.

    Does not record what data was changed by the User.

  • 55/61

    Central User Administration (CUA)

    Manage Users from one SAP client

    Simplifies User administration and can save a lot of time, especially for large environments

    If you own SAP, you already own this. All you need is someone to configure it

    There are several gotchas that frequently come up when installing. We recommend contacting a consultant who is CUA savvy

    Asynchronous! Ultimately, the Users and Roles exist in each client. CUA is only the place you log in to make changes!

    Diagram: CUA Central System (SOL-100) distributing to the child systems DEV-100, QAS-100 and PRD-100

  • 56/61

    SAP NetWeaver Identity Management

    SAP's Identity Management Solution

    Cross system/cross vendor integration

    Separate landscape/installation

    Highly configurable; contact someone who specializes in this product.

  • 57/61

    SAP GRC Access Controls

    Risk Analysis and Remediation

    Find SoDs and excessive access for both Roles and Users

    Alert Monitoring

    Compliant User Provisioning

    Workflow for User creations/modifications

    Incorporates SoD checks

    Superuser Privilege Management

    Emergency, temporary access

    Logs some of the user's actions, notifies managers when used

    Enterprise Role Management

    Workflow for Role creations/modifications

    Incorporates SoD checks

  • 58/61

    SymSoft ControlPanelGRC

    2nd generation compliance automation solution

    User & Role Manager

    Accelerates User and Role change management

    Risk Analyzer

    Real time risk analysis and mitigation of Segregation of Duties and Sensitive Authorization risks

    Usage Analyzer

    Monitors Transaction executions to provide notification of executed risks

    Reverse Business Engineering (RBE) tool

    License Optimization tool

    Transport Manager

    Automates processing of change requests with auditable workflow

    Batch Manager

    Cross system infrastructure for compliant scheduling, monitoring and tracking of batch jobs

    Emergency Access Manager

    Manages temporary access; access is tracked by User and reports are routed for review

    AutoAuditor

    Allows compliance reports to be scheduled and sent to Users for documented review

  • 59/61

    Key Points

    Security is the doorway to the SAP system

    Security is a way of protecting information from unauthorized use

    Security can unlock the flexibility of the system and customize it for each user

    Information stored in SAP is one of your company's most valuable business assets.

    SAP Security is complex and often difficult to manage and understand

    There are legal requirements that influence SAP Security

    Not all companies are required to comply with these regulations

    All businesses benefit from having well defined processes

    There are tools available to help manage security, but ultimately a good security team is key

  • 60/61

    Download the presentation recording with audio from the

    Symmetry Knowledge Center

    www.sym-corp.com/knowledge-center

  • 61/61

    Kyle Balcerzak

    414-732-2743

    [email protected]