Posts

Showing posts from May, 2021

SAP Security: How to set auto Logoff for Inactive users in SAP

SAP provides an option for automatically logging off inactive users. Inactive means there has been no activity for a specific period of time. Setting the auto logoff improves the security of the SAP system. The auto logoff option is not active in the system by default; it needs to be activated using the profile parameter rdisp/gui_auto_logout. The value of this parameter is set in seconds. Inactive users are logged out of the system after the time period set in the parameter. The SAP system does not save the data before auto logoff, and it does not pop up any prompt before auto logoff.

Procedure to set the value in the profile parameter:
1. Execute transaction code RZ10.
2. Select the DEFAULT profile from the selection menu.
3. Select Extended maintenance and click on the change icon.
4. Click on the create parameter icon as shown below.
5. Enter the new parameter name as rdisp/gui_auto_logout and c

SAP Security User Information System (SUIM)

SAP User Information System (SUIM) is used to get information about users, authorizations, roles and profiles in the SAP system. We can explicitly search for users with critical authorizations and critical roles. SUIM is also used for user, authorization, role and profile comparisons. We can get the list of transaction codes in a particular role. SUIM is also used for displaying change documents for users, roles, role assignments, profiles, authorizations and security policies.

Displaying users by their address: Execute transaction code SUIM and select "Users by Address Data" under the Users menu, or use report RSUSR002_ADDRESS. Execute this report using transaction code SE38. Leave the fields empty and click on the execute icon. This will display all the users in the system with their address. Below is the output that shows the list of users by their address. Below are the various reports that are used to display the users on various para

SAP Security: How To Create User Group

User groups in SAP are used for grouping one or more users. User groups are required to distribute the user maintenance work among the user administrators. User administrators need access to a user group to maintain the users in that user group. If no user group is assigned to a user, any administrator can maintain that user. There are two types of user groups in SAP. The first one is the user group for authorization check, which appears in transaction code SU01 under the "Logon Data" tab. This user group is also used for reporting purposes. The second one is the general user group, which appears in the "Groups" tab. The general user group is used for mass maintenance (SU10). Both user groups are created using transaction code SUGR.

How to create user groups using transaction code SUGR?
1. Go to SAP Menu --> Tools --> Administration --> User Maintenance --> User Groups, or execute transaction code SUGR.
2. Enter the new us

Protecting Special Users in SAP

Standard users in SAP: The SAP system comes with SAP* and DDIC. These are the super users, and they are created during the SAP installation process. Their password is set during the installation process. The SAP* user is created in clients 000, 001 and all new clients, while DDIC is created in clients 000 and 001 only. Apart from these users, there are other users like EARLYWATCH, SAPCPIC and TMSADM. The SAP* and DDIC users should be monitored regularly and protected from unauthorized access.

Protecting the SAP special users:
a. The SAP* user should exist in all clients and should be deactivated in all clients. The default passwords for SAP* and DDIC should be changed. Report RSUSR003 displays the special users that exist in all clients and the changes made to these users.
b. Set the user group to "SUPER" for all these users in all clients. All these users should be locked in all clients.
c. There is a transport background job called RDDIMPDP which executes wi

SAP GRC Implementation Process

This is a top-down approach, which starts by defining the security requirements up front during the blueprint phase.

1. Define SoD policies and ruleset design. The first step is to work with the business process owners (BPOs) and functional leads to identify the business processes and applications in scope of the SAP project and to finalize the SoD policies and risk ratings (Critical, High, Medium and Low). Critical risk represents a significant impact to company operations; the risk cannot be mitigated and requires remediation.
Examples are
High risk represents financial risk and causes loss or theft; the risk may be mitigated with a proper management-level report, or it may require remediation. Medium risk represents a medium profit-and-loss impact and disrupts an operational process; the risk can be mitigated with a management-level report. Low risk can be mitigated. The definitions vary from company to company. Once the SoD policies and risks are defined, SAP standard and cust

SAP HANA Administration Questions And Answers

1. What is SAP HANA? SAP HANA (High-Performance Analytic Appliance) is a modern in-memory database and platform that can be deployed on premise or in the cloud. The SAP HANA platform allows you to analyze large volumes of data in real time. It allows you to store and access data in memory and column-based by using the database services. SAP HANA allows both online transaction processing (OLTP) and online analytical processing (OLAP) on one system. SAP HANA allows you to develop applications, run your custom applications built on SAP HANA, and manage their lifecycles by using application services.
2. What are the user types required in the SAP HANA database? Users: These are regular users who use the SAP HANA database regularly. These users are created by the system administrators. SYSTEM user: This is the user that has system administrator access. Technical users: SYS, _SYS_STATISTICS and _SYS_REPO. These are internal u

How To Create Derived Roles in SAP

We have seen how to create single roles and composite roles and how to assign the roles to user master records. In this blog we will see how to create derived roles and assign these roles to users in SAP. The difference between the derived role and the role it is derived from is the organizational values. The menus and authorizations are the same in both roles. The relationship is also called a parent-child relationship, or master role and derived role. Derived roles are useful when the organization is spread across the globe. System administrators can create one master role and derive several roles from it based on the company codes.

Procedure for creating derived roles:
1. Go to SAP menu --> Administration --> User Maintenance --> Role Maintenance, or execute transaction code PFCG. Enter the derived role name and click on the create single role tab.
2. Provide a short description and long text like manager approvals and ticket number.
3. Enter the derive from role (Parent Role)

How To Create Composite Roles In SAP

We have seen how to create single roles and assign the roles to user master records. In this blog we will see how to create composite roles and assign these roles to users in SAP. Composite roles consist of single roles. One composite role can have multiple single roles. When a composite role is assigned to a user, the single roles within the composite role get assigned to the user automatically. Composite roles do not contain any authorization data. All the authorizations come from the single roles. Composite roles are useful when the user requires authorizations from multiple roles. We can assign one composite role instead of assigning multiple single roles. Composite roles cannot be included in another composite role.

Procedure for creating composite roles:
1. Go to SAP menu --> Administration --> User Maintenance --> Role Maintenance, or execute transaction code PFCG. The SAP system does not recognize the single role and composite role.

What is SAP Security and Why it is important

SAP software is used by many organizations as their business application, so the data pertaining to SAP should be protected from unauthorized access both within and outside the organization. The system should be monitored and protected. SAP Security is all about securing the code, which includes securing custom code and SAP code. Server configuration, secure login, system communication, data security, authorizations and user security are essential to secure. At the same time, it is required to maintain system compliance by monitoring the system, performing timely audits, and creating emergency plans. SAP Security is important in protecting the systems from cyber threats. This way one can maintain the integrity, confidentiality and availability of the system. The most common use cases are data leak detection, periodic audits, central system monitoring, and finding unauthorized access. Any attack on the SAP system can cause a

SAP GRC Access Controls Questions and Answers

1. What is SAP GRC? Governance, Risk and Compliance is the full form of GRC. It provides a solution that enables organizations to maintain regulations and compliance and remove any risks in maintaining the organization's key operations.
2. How many modules are present in GRC?
a. Access Control (AC)
b. Process Control (PC)
c. Risk Management (RM)
d. Environment, Health and Safety (EHS)
e. Global Trade Services (GTS)
3. What is the software for GRC financial compliance? GRCFND_A
4. What is the plugin used for the HR backend? GRCPIERP – used for HR functions
5. What is the plugin used for the non-HR backend? GRCPINW – used for non-HR functions
6. What is the periodic process that allows a role owner to remove roles from users? UAR Review
7. Where can you define a mitigating control?
a. Mitigating controls workset in Access Control
b. Access Control risk analysis result screen
c. Central process hierarchy in Process Control
8. What is the process of importing ro

SAP Security: Role Administration

The functions of role administration are managing roles and managing authorization data. Transaction code PFCG (Profile Generator) is used for maintaining roles, profiles and authorizations. Roles are the link between the user and the authorizations. Basically, the authorizations are stored in the system as objects. The user menu is assigned to users through roles and is displayed when the user logs on to the system. Roles contain transactions, reports and web-based applications. With role administration a user can create roles and assign them to users, change roles, delete roles, derive roles, compare roles and transport roles. In this blog I will explain how to create single roles in SAP using transaction code PFCG.

Basic process of role administration:
1. Prepare a role matrix based on job descriptions. Menu paths and transactions should be determined for each job position, and the required authorizations like change, display and delete should be determined.
2. Create