Upload: robin-prodigy

Post on 28-Nov-2014


Page 1: SAP Audit Information Approach

SAP Audit Information and Approach

Authorization Example

1. User Master Record

User: Frank W. Lyons
Profile: Example

2. Profile: Example

Object: S_Program
Authorization: ABAP

3. Authorization: ABAP

Object: S_Program
Field: Program Group, Value: *
Field: Activity, Values: SUBMIT, VARIANT


Authorization System:

1. Profiles One or more assigned to a user

2. Objects Must be unique names with one or more fields

3. Fields Contain values for authority checking

4. Authorizations Can have the same names, as they are physically linked to an object

Field group for an object has multiple values and can be shared across objects


Initial Defaults

1. Initial Clients

Client 000 Standard model
Client 001 Model for user-defined clients (template)

2. Initial User Ids

SAP* Default super user. A user master record is created during installation, but SAP* does not need it to access the complete system. If the SAP* master record is deleted, the SAP* account has the following special privileges:

It is not subject to authorization checks and therefore has all authorizations.

It has the password “PASS”, which cannot be changed without creating a new user master record.

To prevent deletion, assign the SAP* user to a group called SUPER; only the super user should be able to maintain user group SUPER.


3. Initial Security Parameters

Parameters for user logon:

login/min_password_lng Minimum password length. The default is 3.

login/password_expiration_time Number of days after which a password must be changed. The default is zero, which does not enforce password changes. Recommended value = 45.

login/fails_to_session_end Number of times a user can enter an incorrect password before the system ends the logon attempt. The default is 3.

login/fails_to_user_lock Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. The default is 12. Recommended value = 3. When a user is locked in this manner, the lock is automatically removed by the system at the start of the next day (midnight).
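The parameter checks above, as an added example that is not part of the original deck: a small Python audit that reads a constructed profile fragment, applies the slide's stated defaults to any parameter that is not set, and reports values that differ from the slide's recommendations. The parser, the Finding type and the minimum password length of 8 used for login/min_password_lng (the slide only states the default of 3) are assumptions.

```python
# Added illustration, not from the original deck: audit the four logon
# parameters the slide lists. Thresholds for expiration time and user lock are
# the slide's recommendations; the minimum password length of 8 is an assumption
# (the slide gives only the default of 3). Parser and Finding type are our own.
from dataclasses import dataclass

# Defaults as stated on the slide; an unset parameter behaves as its default.
DEFAULTS = {
    "login/min_password_lng": 3,
    "login/password_expiration_time": 0,
    "login/fails_to_session_end": 3,
    "login/fails_to_user_lock": 12,
}

# parameter -> (acceptance test, recommendation shown in a finding)
REQUIREMENTS = {
    "login/min_password_lng":
        (lambda v: v >= 8, "assumed minimum of 8 (slide default 3)"),
    "login/password_expiration_time":
        (lambda v: 0 < v <= 45, "recommended 45 days; 0 means never expires"),
    "login/fails_to_session_end":
        (lambda v: v <= 3, "keep at the default of 3 or lower"),
    "login/fails_to_user_lock":
        (lambda v: v <= 3, "recommended 3 (default 12)"),
}


@dataclass(frozen=True)
class Finding:
    parameter: str
    value: int
    recommendation: str


def parse_parameters(text: str) -> dict[str, int]:
    """Read 'name = value' (profile style) or 'name value' (listing style)
    lines; blank lines and '#' comments are ignored, non-numeric values skipped."""
    params: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            name, _, value = line.partition(" ")
        try:
            params[name.strip()] = int(value.strip())
        except ValueError:
            continue
    return params


def effective_values(params: dict[str, int]) -> dict[str, int]:
    """Fill in the slide's defaults for every audited parameter that is not set."""
    return {name: params.get(name, default) for name, default in DEFAULTS.items()}


def audit_logon_parameters(text: str) -> list[Finding]:
    """Return one Finding per audited parameter whose effective value fails its test."""
    values = effective_values(parse_parameters(text))
    return [Finding(name, values[name], advice)
            for name, (accept, advice) in REQUIREMENTS.items()
            if not accept(values[name])]


# Constructed sample profile fragment; password_expiration_time is deliberately
# left unset so the default of 0 (no expiry) applies.
SAMPLE_PROFILE = """
# constructed sample, not a real instance profile
login/min_password_lng = 3
login/fails_to_session_end = 3
login/fails_to_user_lock = 12
"""

if __name__ == "__main__":
    for f in audit_logon_parameters(SAMPLE_PROFILE):
        print(f"{f.parameter} = {f.value}: {f.recommendation}")
```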


Adding Users

1. Each user must have a master record.

2. Each user master record refers to one or more profiles that determine the access rights for the user.

3. Master record contains:

User ID
Password
User groups
User type
Period of validity
References to authorization profiles

Master records can be deleted, but this will affect the audit trail. It is better to lock the user’s master record. Menu Path: Tools - Administration - User Maintenance - User - Lock/Unlock.

4. User Group

If a person is assigned to a user group, only the administrators who are authorized for that user group can alter user master records. If a user is not assigned to a group then any user administrator can alter the user master record.


Adding Profiles

Profiles and authorizations exist in both maintenance and active versions. This allows the maintenance version to be updated before it is activated, separating the maintenance and activation functions.

1. System Profiles

SAP Standard and Super User Profiles

S_A.SYSTEM Unlimited access to all users, profiles, and authorizations

S_A.ADMIN Authorizations for SAP system administration. This includes all authorizations except for: maintenance of users in user group SUPER; maintenance of profiles and authorizations with names beginning “S_A.”

S_A.CUSTOMIZ Authorizations for use in the SAP Customizing system

S_A.DEVELOP Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)

S_A.USER Basis system authorizations for end-users (e.g., S_Program, S_DBC_MONI, etc.)

2. Startup Profiles

Profile Name and Description

S_ABAP_ALL All ABAP/4 authorizations
S_ADMI_ALL All system administration functions
S_BDC_ALL All batch input activities
S_BTCH_ALL All batch processing authorizations
S_DDIC_ALL DDIC: All authorizations
S_DDIC_SU Data Dictionary: All authorizations
S_NUMBER Number range maintenance: All authorizations
S_SCD0_ALL Change documents: All authorizations
S_SCRP_ALL All SAPscript text, styles, layout sets maintenance
S_SPOOL_ALL All spool authorizations
S_SYST_ALL All system authorizations
S_TABU_ALL Standard table maintenance: All authorizations
S_TSKH_ALL All system administration authorizations
S_USER_ALL User maintenance: All authorizations
SAP_ALL Provides unlimited access to maintain all SAP R/3 system authorizations, with the following exceptions: maintenance of users in user group SUPER; maintenance of profiles and authorizations with names beginning S_USER
SAP_ANWEND All SAP R/3 (excluding system) application authorizations
SAP_NEW Provides unlimited access to all authorizations added with new releases of SAP R/3
Z_ANWEND All user authorizations (excluding BC system)

3. Profiles and their associated authorization value sets are stored in USRxx tables.


Adding Authorizations

Authorization objects are used to check a user’s authority to perform actions and access data in R/3. A user’s action is approved only if the user passes the authorization test for each field listed in an object.

1. Authorization Objects

SAP contains a number of authorization objects that are used to restrict the ability of users to perform certain functions and access information. Authorization objects can contain up to ten authorization IDs representing such system elements as transactions, tables, fields, or programs.

A user is allowed access if their master record lists the object for which the authorization is being tested and the user passes the authorization test for each authorization ID.

An authorization value set is required for access (for example, 02 = change). Authorization profiles are used to grant the authorization value sets to a user. The user master record refers to profiles and the profiles, in turn, refer to value sets that determine the access capabilities of the user.

New authorization objects can be created by Menu Path: System - Services - Table Maintenance. Merely creating a new object does not initiate any authorization checking. Either ABAPs need to be modified to test the new objects, or additional authorization checks need to be defined.

First assign an object class for the new object. Next, use AUTHORITY-CHECK in ABAP/4 programs, or add additional authorization checks to the TSTC (transaction table) via Menu Path: System - Services - Table Maintenance.

2. Objects

Objects are defined in the system and contain one or more fields that are used to test user access.

3. Authorization Value Sets

Authorization value sets are lists of all values (for each field) for which a user is authorized.

They are usually used to define tasks. Profiles allocate the tasks (authorization value sets) to logical functions. These profiles are assigned to a physical user (master record).
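The chain described in the Authorization System and Adding Authorizations sections (user master record, profile, authorization value set, object fields), as an added example that is not part of the original deck: it models the Frank W. Lyons / profile Example / authorization ABAP case from the first slide, the rule that every field of an object must pass, and the rule from the ABAP/4 Programming section that an ABAP without an authorization group may be run by any user holding S_PROGRAM. The function names, the user ID FLYONS and the second user SPLIT are assumptions.

```python
# Added illustration, not from the original deck: a minimal model of the SAP
# authorization chain the slides describe. Names FLYONS and SPLIT are
# constructed; the S_PROGRAM field names P_GROUP / P_ACTION and the values
# SUBMIT, EDIT, VARIANT, BTCSUBMIT are the ones listed in the deck.
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """One authorization value set: an object plus the permitted values per field."""
    name: str
    obj: str
    values: dict[str, set[str]]


@dataclass
class Profile:
    name: str
    authorizations: list[Authorization] = field(default_factory=list)


@dataclass
class UserMaster:
    """User master record: refers to one or more profiles."""
    user_id: str
    profiles: list[Profile] = field(default_factory=list)


def field_matches(allowed: set[str], requested: str) -> bool:
    """'*' authorizes every value; otherwise the requested value must be listed."""
    return "*" in allowed or requested in allowed


def authority_check(user: UserMaster, obj: str, requested: dict[str, str]) -> bool:
    """Same rule the slides give for AUTHORITY-CHECK: the user passes only if
    one authorization for `obj`, reachable through any of the user's profiles,
    satisfies *every* requested field. Values from two different
    authorizations are never combined."""
    for profile in user.profiles:
        for auth in profile.authorizations:
            if auth.obj != obj:
                continue
            if all(field_matches(auth.values.get(f, set()), v)
                   for f, v in requested.items()):
                return True
    return False


def can_run_abap(user: UserMaster, report_group: str) -> bool:
    """Rule from the ABAP/4 Programming section: a report with no authorization
    group may be run by any user holding an S_PROGRAM authorization at all;
    otherwise P_GROUP must match and P_ACTION must allow SUBMIT."""
    if not report_group:
        return any(a.obj == "S_PROGRAM"
                   for p in user.profiles for a in p.authorizations)
    return authority_check(user, "S_PROGRAM",
                           {"P_GROUP": report_group, "P_ACTION": "SUBMIT"})


def users_with_value(users, obj: str, field_name: str, value: str) -> list[str]:
    """Audit helper in the spirit of 'Reports for Auditing Security': which
    user master records carry a given object/field/value (or a wildcard)."""
    return sorted(u.user_id for u in users
                  if authority_check(u, obj, {field_name: value}))


# First-slide example (user ID FLYONS is constructed; the slide gives only the
# name): authorization ABAP on S_PROGRAM with Program Group = *, Activity =
# SUBMIT and VARIANT, granted through profile Example.
ABAP_AUTH = Authorization("ABAP", "S_PROGRAM",
                          {"P_GROUP": {"*"}, "P_ACTION": {"SUBMIT", "VARIANT"}})
FRANK = UserMaster("FLYONS", [Profile("Example", [ABAP_AUTH])])

# Constructed second user with two narrower authorizations, to show that
# FI+SUBMIT passes but FI+EDIT does not (EDIT is only granted for group HR).
SPLIT_USER = UserMaster("SPLIT", [
    Profile("P_FI", [Authorization("A_FI", "S_PROGRAM",
                                   {"P_GROUP": {"FI"}, "P_ACTION": {"SUBMIT"}})]),
    Profile("P_HR", [Authorization("A_HR", "S_PROGRAM",
                                   {"P_GROUP": {"HR"}, "P_ACTION": {"EDIT"}})]),
])

if __name__ == "__main__":
    print(can_run_abap(FRANK, "FI"))                                     # True
    print(authority_check(FRANK, "S_PROGRAM",
                          {"P_GROUP": "FI", "P_ACTION": "EDIT"}))         # False
    print(authority_check(SPLIT_USER, "S_PROGRAM",
                          {"P_GROUP": "FI", "P_ACTION": "EDIT"}))         # False
    print(users_with_value([FRANK, SPLIT_USER], "S_PROGRAM", "P_ACTION", "EDIT"))  # ['SPLIT']
```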

4. Basis System Authorization Objects

Object (fields): Uses

S_PROGRAM (Program group, Activity): ABAP/4 programs that may be run.

S_EDITOR (Program group, Activity): ABAP/4 programs that may be displayed or edited.

S_QUERY, ABAP/4 Query (Activity): Whether a user can run queries and whether the user can maintain ABAP/4 Query user groups.

System Administration Functions (Administration Functions): A variety of system functions such as:

1. Whether a user may enter a value interactively to pass an authorization test that he does not have authorization for in his user master record
2. Access to the ABAP/4 Dictionary
3. Access to the interface painter
4. System trace authority
5. Ability to add or delete additional authorization tests in the TSTC table
6. Execute host operating system commands

Central Field Selection (Activity, Authorization group): Which ABAP/4 programs a user can use to dynamically alter attributes of fields.

Table Maintenance (Authorization class, Activity): Authorize users to view and/or modify table contents.

Batch Processing: Batch Administrator (Administrator): Give a user administrator authorization over background processing.

Batch Processing: Batch User Name (Authorized user): Specify user IDs that a user may specify as the authorized user for running background jobs.

Batch Processing: Operations on Batch Jobs (Operations, Job Group): Specify the operations that users may perform on background jobs (release, delete, etc.).

Batch Input Authorizations (Queue group name, Activity): Authorize a user to work with batch input sessions.

Queue Management Authorizations (Queue group name, Activity): Management of queues for trouble-shooting or problem analysis.

Authorization Check for SM04, SM50 (Administration): Authorizes users to lock or unlock transactions and to manage user sessions other than their own.

Authorization for Update Administration (Administration): Authorization to manage update records for other users.

Enqueue: Displaying and Deleting Lock Entries (Activities): Authorize users to maintain lock entries of other users.

Spool: Device Authorization (Output Device): Authorizes users to use particular printers.

Spool Actions (Spool action, Value): Authorizes an administrator to perform specified actions on the spool system.

Public Holiday and Calendar Access Privileges (Activity): Authorization to display and/or maintain calendars.

Number Range Maintenance (Activity, Number range object): Authorize users to maintain number ranges.

Change Documents (Activity): Authorization to display, maintain, and/or delete change documents.

Tools Performance Monitor (Authorization name): Authorization to use sensitive functions of the performance monitor.

Objects - Authorizations

S_TOOLS_EX Access to view logon parameters

S_PROGRAM ABAP program access

Field, Value, Comment
P_GROUP * Program group
P_ACTION SUBMIT Execute program
P_ACTION EDIT Maintain program attributes and texts
P_ACTION VARIANT Start and maintain variants
P_ACTION BTCSUBMIT Submit programs for background execution

S_EDITOR ABAP program access

Field, Value, Comment
P_GROUP * Program group
EDIT_ACTION SHOW Display program source
EDIT_ACTION EDIT Amend program source

S_BDC_MONI Batch input session

Field, Value, Comment
BDCGROUPID * Name of batch session for which a user is authorized (e.g. “FRANK”)
BDCAKTI ABTC Submit sessions for execution
BDCAKTI AONL Run sessions in interactive mode
BDCAKTI ANAL Analyze sessions, log and queue
BDCAKTI FREE Release sessions
BDCAKTI LOCK Lock/unlock sessions
BDCAKTI DELE Delete sessions

S_NUMBER Number range authorization

Field, Value, Comment
NROBJ * Number range object name for a vendor
ACTVT 02 Change
ACTVT 03 Display
ACTVT 11 Change the last-used number in a number range interval
ACTVT 13 Initialize the last-used number when transporting ranges between clients
ACTVT 17 Maintain number range object (pre 3.0)

S_SCDO Change document authorization

Field, Value, Comment
ACTVT 02 Maintain and display change documents
ACTVT 06 Delete change documents
ACTVT 08 Display change documents
ACTVT 12 Maintain change document objects

Processes

1. Batch A number of transactions entered into the system as a batch. Batch inputs can take place in the background, where no changes can be made, or in the foreground, where transactions containing errors can be interactively corrected.

Restricting Access The Batch Input object restricts user activities in different batch input sessions:

ANAL Analyze sessions. Display session, log, and queue dump
DELE Delete sessions
LOCK Lock and unlock sessions
FREE Release sessions
ABTC Submit sessions for background execution
AONL Run sessions in interactive mode

2. On-Line

3. Background A program executes on a background processing server without interactive user input. To run, it must be scheduled.

This can be done two ways:

Menu Path: ABAP/4 - System Services - Reporting - Batch Request function

From background processing menu by selecting goto - Batch Request

In either case the user must have a User ID to run the job. Users could be authorized to run background jobs but not foreground jobs.

Before a background job can run, it must be released. The releasing of jobs is usually restricted to “Batch Administrators”.

Restricting Access The field Admin in the Batch Admin object is used to give a user administration authorizations. If this field contains a “Y”, the user has access to all background jobs in an SAP system and can perform any operation on any job.

The field Activity in the S_PROGRAM object determines activities users are able to perform on an ABAP. A value of BTCSUBMIT allows a user to schedule the ABAP/4 program for background execution.

The Auth user field of the Batch User Name object is used to restrict user-IDs specified as the authorized user for running a job.

The Operation field of the Operations on Batch Jobs object is used to specify the operations that a user can perform on their own jobs. This is used to restrict users from deleting or releasing jobs.

4. Services

Can run on different servers.

Dialog
Update
Enqueue
Background
Message Server
CPI-C Gateway Server
Spool

5. Work Processes

TSKH Task Handler
DYNP Screen Processor
ABAP Program Processor
DB-SS Database interface that converts ABAP/4 SQL into DBMS SQL

Transactions

SAP transactions allow different functions to be performed within R/3. Menu selection also generates transactions. To see which transaction is currently executing select Menu Path: System - Status.

System transactions are applicable to the basis system and application transactions are specific to a certain module.

Transactions can be locked and unlocked using Menu Path: Administration - Tcode Administration. When a transaction is locked, users cannot execute that transaction. To perform this function, a user requires the authorization object Authorization Check for SM04, SM50 with a value of S in the Admin field.

1. Controlled by DYNP processor

Checks whether additional authorization checks are required to run the transaction (in TSTC Table).

Interprets the Dynpros, which involves creating the screens and applying the logic defined in the dynpro (field checks, etc.).

2. All transactions are listed in the TSTC Table. This table includes:

An indicator that the transaction has been locked or is available to be used. The ability to lock and unlock transactions is controlled using authorization object Authorization Check for SM04, SM50.

Additional authorization checks to be performed. Only users with the value TCOD in the field Admin Functions of the object System Admin Functions have the ability to add, alter, or delete these additional authorization tests.

If a transaction is not marked as requiring authorization checks then any user can run the transaction.


Transaction types:

SU93 and SU91 Display changes to master records and profiles
SE30 Trace function
SU53 Authorization check failures
SU02 Activation of profiles
SU03 Activation of authorizations
SU0 Assignment of user ID
SU01 Assignment of users to profiles and alter the password of any user
SU10 Assignment of profiles for a range of users
SU12 Delete all users
TU02 View logon parameters
SM52 Unix command line prompt
SU21 Grouping of objects into object classes (examples are Basis Administration, Financial Accounting)

Tables

SAP is characterized by the use of thousands of application and control tables. The setup of the control tables, to a large extent, determines in which way a SAP installation functions.

The ABAP/4 Dictionary provides logical views of all data (control data, master data, and transaction data) stored in the SAP system.

All control tables start with the letter “T”.

Control tables can be displayed and maintained on-line. Menu Path: System - Services - Table Maintenance. In order to restrict access to tables, a number of table authorization classes should be defined. All standard tables have been assigned to authorization classes. The authorization object Table Maintenance is used to control maintenance of the tables in each authorization class. Two levels of access are allowed: value 02 (add, change, or delete) and 03 (display only).

To modify a table structure: Menu Path: Tools - CASE - Development - Data Dictionary - Maintenance.

Logging of changes can be accomplished by using change document objects to specify which tables are logged and the level of logging performed on each table.


1. TSTC Transactions

2. MAC Matchcodes

3. T001 Details about a company

4. T001B Defines accounting periods for company T001.

5. USRxx Profiles

6. TUSR04 Authorization Profiles

7. TUSR01 User master record

8. TUSR02 User ID and password

9. TUSR03 Extended information about the user.

10. TUSR05 Field defaults for each R/3 user and field.

11. TOBJ Pre-defined authorization objects and fields

12. TOBJT Descriptive text of the authorization objects.

13. TUSR10 and TUSR11 Authorization Profiles and Descriptions

14. T055 Field group fields

15. T055G Field groups

16. T055T Field Group descriptions

17. AUTH Internal table - Financial objects

18. TACT Activity codes

19. TACTT Activity codes descriptions


20. TACTZ Valid activity codes for each authorization object

21. USR40 Custom password checks

22. TDDAT Defines the link between tables and their authorization classes

23. T000 SAP Clients

24. T001 SAP companies

25. TGSB Business Areas and Plants


Logs

Errors and important events are logged in the system logs. These logs should be reviewed daily.

The servers in an SAP system record events and problems in a set of local and central system logs. These logs may be displayed and maintained on-line from the Menu Path: Tools - Administration - Monitoring - System log.

Local logs keep only messages issued by the local application server. Each application server has a local log file.

System logs are configured by setting parameters in the system profile.

Transactions SU93 and SU91 display changes made to a user’s master record or profiles.

Logging of Changes to Authorizations:

All changes to user master records, profiles, and authorization value sets are logged. For example, the user master record log will show profiles added to or deleted from the list in the user master record. It will not show modified profiles; rather, the log of changes to profiles can be used to identify changed profiles.

Changes to a user’s password, user type, user group, period of validity, and account number.

For each item in the log, the system reports both the old and new version of any lines that have changed. This log is a valuable control over unauthorized changes to users’ access capabilities and needs to be reviewed daily.


Reports for Auditing Security

Menu Path: Information - Current Information

Displays detailed information on user master records, authorization profiles, authorization objects, and authorization value sets. With this facility, it is possible to display all user master records and/or profiles that contain a specific object.

Modules

SAP application modules.

1. BC SAP Basis module

2. Logistics: SD, MM, PP, QM, PM

3. Human Resources: HR

4. Financial and Administration: FI, CO, AM, PS, OC

Change Management

Backup and Recovery

Daily backups are necessary to ensure the recoverability of data in the event of a disaster.

SAP includes the SAPDBA program, which is used to perform database administration tasks.

SAP can be backed up on-line.

Redo logs (Oracle) should also be archived daily.


Security Administration

Users who are able to change user master records, profiles and/or authorization value sets need to be tightly controlled. The system provides a number of standard authorization objects that can be used.

User Groups S_USER_GRP

Fields and Values

User group: Names of the user groups for which an administrator is authorized.

Administrator actions:
01 Create user master records, add profiles to new or existing records
02 Edit
03 Display
05 Lock or unlock user
06 Delete a user master record
08 Display user change records

Authorization Profile S_USER_PRO

Fields and Values

Profile name: The profile names for which an administrator is authorized.

Administrator actions:
01 Create profiles and enter authorizations into them
02 Edit
03 Display
06 Delete a profile
08 Display change records
22 Add profiles to user master record

Authorization Value Sets S_USER_AUT

Fields and Values

Object name: The names of the authorization objects for which an administrator is authorized.

Authorization name: The names of the authorization value sets for which an administrator is authorized.

Administrator actions:
01 Create authorization value set
02 Edit
03 Display
06 Delete
07 Activate
08 Display change records
22 Enter authorizations into a profile

Table Maintenance S_TABU_DIS

Fields Values

DICBERCLS Table classes for which a user access is authorized

ACTVT Activity code

Table Maintenance Across Clients S_TABU_CLI

Fields Values

CLIDMAINT Access indicator

Object S_USER_GRP

Determines which user groups can be administered and consequently all users who are assigned to those groups.


Object S_ADMI_FCD

“Systems Administration Functions” provides powerful systems administration functions, including the following (field = “Systems Administration Functions”):

NADM - Network Administration (SM54, 55, 59)
UADM - Update Administration (SM13)
T000 - Create New Client
TLCK - Lock/Unlock Transactions
SPAD - Authorization for spool administration in all clients
SPAR - Authorization for client-dependent spool administration
SP01 - Authorization for administration of spool requests in spool output control (all users and clients)
SPOR - Spool administration
BTCH - Test environment, batch
UNIX - Execute UNIX commands from SAPMSOS0
RSET - Reset/delete data without archiving
SYNC - Reset buffers

ABAP/4 Dictionary

R/3 uses an external database (Oracle in most cases) to hold application data, but it makes use of its own ABAP/4 Dictionary. This Dictionary gives R/3 the functionality to control the environment.

1. Each field in the ABAP/4 Dictionary is described by a domain. When any input is not valid in terms of the domain, it will not be accepted and the user will have to correct the entry in the DYNPRO screen before continuing. The ABAP/4 Dictionary provides the following domain checks:

The format of the field must match the definition in the ABAP/4 Dictionary (character, numeric, date, etc.)

A number of discrete values may be contained in the domain that are valid for the field.

A table can be specified that contains all the values allowed for a particular field. If a table is specified, there must be procedures for ensuring that the table’s contents are kept up-to-date.

Restricting Access Controlled by the authorization object System Admin Functions. Only users with the value DDIC in the Admin Functions field can make changes to the ABAP/4 Dictionary or use the database table utility.

It is not possible to further restrict access to alterable tables. Changes are logged by the system and can be queried using the ABAP/4 Dictionary Information System. Menu Path: Development - ABAP/4 Dictionary - Info System.

Dictionary changes should be reviewed daily.

ABAP/4 Programming

ABAP/4 is the fourth-generation interpreted language in which all R/3 applications are written. The Basis System is written in C.

ABAP/4 is a comprehensive programming language. ABAP statements can be written that will read and update data, create new records, etc. ABAP also can contain SQL statements allowing almost unrestricted access to the database.

ABAP/4 must be tightly controlled. No ABAP statement changes should be allowed in the production system’s environment.

1. Location

On Application Server

Restricting Access

Each ABAP needs to be assigned to an authorization group in the report attributes set when creating an ABAP report. Any ABAP that has not been assigned to an authorization group may be run by any user with authorization for object S_PROGRAM.


ABAPs that have been assigned to a program group can only be run by users who are authorized for that program group through object S_PROGRAM. This object further restricts the manner in which a user is able to run an ABAP:

SUBMIT The user may start programs interactively
BTCSUBMIT The user may submit programs for execution in the background partition
EDIT The user can maintain attributes and text elements and use utilities for copying and deleting reports (this does not allow the user to edit ABAP/4 programs)
VARIANT The user may maintain variants. Variants are parameters that are passed to an ABAP program.

In the standard system, none of the ABAPs are assigned to authorization groups. Therefore any user that can run transaction SA38 (or SE38 to develop ABAP/4 programs), can run any of the standard ABAPs. It is recommended that all ABAPs be placed in authorization classes and that users should only have authorization for authorization classes (ABAPs) that are required for their job functions. No matter what, the database interface checks are still in play for all ABAPs and the user will not be able to act on data for which they have no authority.

ABAPs may be developed on-line using the SAP ABAP editor. The ABAP programs can be assigned to authorization groups. The S_EDITOR authorization object is used to restrict authorization groups a user is able to edit. Any user with S_EDITOR authorization object is able to edit any ABAP program that has not been assigned to an authorization group.

No users should have S_EDITOR. Otherwise they may write dynamic SQL that allows complete access to all clients’ data.

ABAP/4 Query

ABAP/4 Query is the report-writing software that allows users to generate reports quickly and easily without programming knowledge. It generates an ABAP program. Users cannot access any information to which they would otherwise not have access.

Restricting Access Queries must be assigned to a user group before they can be run. A user group contains the functional areas and the names of all people authorized to run queries. Ensure that procedures are in effect to update the user groups when job assignments change. Any user can run any query defined for a user group of which he/she is a member, regardless of who wrote the query. In order to create or maintain ABAP/4 Queries, a user must be a member of one or more user groups and have a value = 02 (change) in the activity field of the ABAP/4 Query authorization object.

In order to maintain the ABAP/4 Query user groups, a user needs the value = 23 (Maintain Environment) in the activity field of the ABAP/4 Query authorization object. This should be restricted to administrators.


Operating Systems

1. Unix

Start-up profiles are stored in /usr/sap/<SAP System Name>/sys/profile

2. NT

Database Management Systems

1. Oracle

Dynpros Screen Generator

Dynpros are the input screens used when processing SAP transactions. They include details of the processing logic to be performed on the fields.

1. Dynpros can be developed on-line using the standard SAP Dynpro Screen Painter Menu Path: Tools - Case - Development - Screen Painter.

2. Controls need to be in place to ensure that changes to Dynpros are authorized, tested, and approved.


Number Ranges

SAP provides an “internal” and an “external” numbering mechanism.

1. Internal numbers are sequential codes given by the system for documents, article numbers, personnel numbers, etc.

2. Both internal and external numbers are stored in a file SYSV.

Matchcodes

These are secondary indexes to enable users to find specific records when the primary key is unknown.

1. Stored in Table MAC

2. Table MAC can be edited on-line using transaction SM31 and accessible through the Menu Path: System - Services - Table Maintenance.


Weaknesses

1. In the standard system, none of the ABAPs are assigned to authorization groups.

2. Do not use native SQL calls in ABAPs as they will bypass the dictionary consistency checks. Use open SQL statements.

Unlike normal ABAP statements, native SQL and open SQL do not trigger any authorization checks at run time. But by using the AUTHORITY-CHECK statement in ABAPs, the user’s authority can be checked at run time for specified objects.

3. SAP* is the default user ID and it has unlimited access capabilities. It should only be given to the system administrators (SUPERUSER).

4. Default system profiles may provide too much authority.

5. Default logon Ids

SAP* password = 06071992
SAP* password = PASS
DDIC password = 19920706

Oracle:
Sys password = change_on_install
System password = manager
Sapr3 password = sapr3 (SAP/R3 application ID)

SAPDBA Front-end to SQL*DBA. Can perform all DBA functions within SAP. Authentication is completed in UNIX.

6. Ad-hoc Queries

SQL*Plus ODBC

7. Oracle Tables

USR02 Table contains all SAP user IDs and passwords


Standard Reports

RSAVGL00 Table comparison across clients
RSDECOMP Comparing tables across two systems
RSDELSAP Delete SAP* from client 066 (EarlyWatch client)
RSKEYS00 Table comparison: system versus sequential file
RSTABL00 As for RSKEYS00
RSSTAT92 Table changes for a selected month
RSSTAT95 Table access statistics
RSPARAM Display system parameter settings
RSUSER01 Test SAP_ALL
RSUSR000 List all active users

Financial

Authorization Objects

Master Data: GL, Customer, Vendor, Bank

Documents
Balance Sheets
Credit Control Data
Payment Runs
Dunning Runs

Example:

Object = Company Codes

Fields Values

Company codes:
01 Create
02 Change
03 Display
05 Block/Unblock
06 Delete
08 Display change documents