SAP Security Overview

This page gives an overview of SAP Security concepts and is intended for SAP Security Administrators and SAP User Administrators.

1. SAP Systems and Clients:

SAP Security Administration is based on systems and clients. In general, three systems are used to support the process: Development, Quality/Integration and Production. This is also called the three-system landscape. Apart from these, some companies set up Training and Sandbox systems depending on their requirements.
Clients are created within a system, and client numbers may vary from system to system. The Security Administrator has to take the system and client structure into account when defining system-wide requirements as well as client-specific security requirements. Client-specific security settings may differ between clients of the same system.

The Basis team is responsible for creating and maintaining clients. They own the clients and hold full authorization for them. The Basis Administrator and Security Administrator coordinate with each other on any changes and review them on a periodic basis.

In general, an SAP R/3 system has the following types of users:
a. Basis Administrators: These users perform administration activities such as monitoring the system, managing transports, client maintenance, applying support packs, upgrades etc.
b. Security Administrators: These users perform security activities such as user management, role management, authorization management, security audits etc.
c. ABAP Developers: ABAP developers are responsible for developing and maintaining programs, transactions, screens etc. They have access to data dictionary objects in order to carry out development activities.
d. Functional Consultants: For each module there are Functional Consultants, e.g. for FI, SD, MM and PP. These users are responsible for making configuration settings in the system; for example, an FI consultant makes finance-related changes.
e. Help Desk: These users are responsible for unlocking user accounts and resetting passwords.

2. SAP System Security:

Development System: The development system is intended for configuration and development activities. This system should be properly controlled and roles should be defined for it. The Security Administrator has to make sure that every user in the system receives appropriate authorizations. Authorizations for change management, such as creating, deleting and releasing change requests, should be segregated; in particular, creating and releasing change requests should be assigned to different people for better change control.
Quality/Integration System: This system is intended for integration testing. Once development activities are completed, the changes are transported to the Integration System for testing.
Production System: Changes that have been tested in the Integration System are moved to the Production System. This is the live system, and no development or configuration changes are made here directly. Security Administrators can create, change, delete, lock and unlock users and reset passwords. They can also remove roles.

3. User Groups: 

User Groups are used to segregate users and are important for reporting and audit activities.
Below are example user group assignments. These assignments may vary from company to company.

User type                 User group
Basis Administrators      SUPER
Security Administrators   SUPER
ABAP Developers           DEVELOPER
Functional Consultants    FI-DEVELOPER
Help Desk                 SUPPORT

4. Transport System:

The SAP system has its own change and transport control mechanism, called the Transport Management System (TMS). It controls the change process for development objects such as tables, screens, menus, programs and roles. The transport system is managed by Basis Administrators. Change management ensures that all changes are properly tested before they are moved to the Production System.

5. Role Naming Convention: 

Security roles, profiles and authorizations are created with a standard naming convention. SAP has its own naming convention for customer objects such as authorizations, authorization objects and profiles. SAP recommends a naming convention in which customer object names start with "Y" or "Z". This makes it easy to distinguish standard objects from customized ones and ensures that SAP-supplied objects are not overwritten when support packs or upgrades are imported.

6. Security Profile parameters:

There are some important security-related profile parameters that should be set for a controlled SAP system environment. Parameter names are case-sensitive.
a. login/min_password_lng: Minimum length of user passwords.
b. login/password_expiration_time: Number of days between forced password changes.
c. login/fails_to_session_end: Number of invalid logon attempts allowed before the SAP GUI session is ended.
d. login/fails_to_user_lock: Number of invalid logon attempts within a day before the user ID is automatically locked by the system.
e. rdisp/gui_auto_logout: Time, in seconds, of inactivity after which the SAP GUI session is automatically disconnected.
f. auth/system_access_check_off: Switches off the automatic authority check.
g. auth/no_check_in_some_cases: Special authorization checks switched off by the customer.
h. login/no_automatic_user_sapstar: Disables the ability to log on as SAP* with the password PASS when the SAP* user master record has been deleted.
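The parameters above are easiest to review when compared against a written baseline rather than read one by one. The script below is an added example, not code from the original post or from SAP: it parses profile-file style "name = value" text (a constructed input; on a real system the values come from the instance profiles or transaction RZ11) and reports each listed parameter as FAIL, MISSING or INFO. The thresholds in BASELINE are assumed example policy values, not SAP-mandated numbers, and auth/no_check_in_some_cases is only reported for manual review because its correct value depends on how the Profile Generator is used.

```python
"""Offline check of SAP security profile parameters against a baseline.

Added example, not part of the original post. Input is profile-file style
text ("name = value", '#' comments), a constructed format for this example.
Thresholds are assumed example policy values, not SAP-mandated.
"""
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, parameter, message)

# Baseline: parameter -> (check on the raw string value, expected-value text).
# Assumed example thresholds; adjust to your company's policy.
BASELINE: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "login/min_password_lng": (lambda v: int(v) >= 8, ">= 8"),
    "login/password_expiration_time": (lambda v: 1 <= int(v) <= 90, "1..90 (0 means passwords never expire)"),
    "login/fails_to_session_end": (lambda v: int(v) <= 3, "<= 3"),
    "login/fails_to_user_lock": (lambda v: int(v) <= 5, "<= 5"),
    "rdisp/gui_auto_logout": (lambda v: 1 <= int(v) <= 1800, "1..1800 seconds (0 disables auto logout)"),
    "auth/system_access_check_off": (lambda v: int(v) == 0, "0 (authority checks active)"),
    "login/no_automatic_user_sapstar": (lambda v: int(v) == 1, "1 (built-in SAP* logon disabled)"),
}

# Reported for manual review only: the right value depends on how the
# Profile Generator is used, so no automatic pass/fail is applied.
REPORT_ONLY = ("auth/no_check_in_some_cases",)


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; parameter names are case-sensitive in SAP."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_profile(text: str) -> List[Finding]:
    """Compare parsed parameters with BASELINE and return findings."""
    params = parse_profile(text)
    findings: List[Finding] = []
    for name, (check, expected) in BASELINE.items():
        if name not in params:
            # Not set explicitly: the kernel default applies, which may be weaker.
            findings.append(("MISSING", name, f"not set; expected {expected}"))
            continue
        value = params[name]
        try:
            ok = check(value)
        except ValueError:
            findings.append(("FAIL", name, f"non-numeric value {value!r}; expected {expected}"))
            continue
        if not ok:
            findings.append(("FAIL", name, f"value {value}; expected {expected}"))
    for name in REPORT_ONLY:
        findings.append(("INFO", name, f"value {params.get(name, '<not set>')}; review manually"))
    return findings


# Constructed sample profile in DEFAULT.PFL style; the values are invented
# so that each finding type appears once.
SAMPLE_PROFILE = """
# constructed sample
SAPSYSTEMNAME = DEV
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_session_end = 3
login/fails_to_user_lock = 12
rdisp/gui_auto_logout = 1800
auth/system_access_check_off = 0
auth/no_check_in_some_cases = Y
"""

if __name__ == "__main__":
    for severity, param, message in audit_profile(SAMPLE_PROFILE):
        print(f"{severity:8} {param:35} {message}")
```

Running it on the sample reports three FAIL findings (password length 6, expiration 0, user lock after 12 attempts), one MISSING finding (login/no_automatic_user_sapstar not set, so the kernel default applies) and one INFO line. Treating an unset parameter as a finding rather than silently assuming the default is deliberate: the default is release-dependent and is what an auditor will ask about.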


7. User Master Records:

The User Master Record contains all the information related to a user in the SAP system: user address, logon data, roles, profiles and parameters. Master records are client-specific and need to be maintained separately in each client. They can be modified later if required. SAP gives users the option to update their own data such as address, defaults and parameters. Transaction code SU01 is used to create a user master record. Below is a demo video on how to create a user account in SAP.

8. SAP Provided Users:

There are standard users in SAP that exist after installation of the software: SAP* and DDIC. These two users must be protected by the Security Administrators; only the Basis and Security teams should have access to them.
SAP* has no user master record, as it is built into the SAP code. It has a predefined password of 06071992. The SAP* user is used for client copies.
The DDIC user also comes with SAP and has a user master record. Its default password is 19920706. DDIC is used to update data dictionary objects, and it is the only user allowed to work during system upgrades.
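Sections 3, 5 and 8 each describe something that can be checked mechanically from a user list: the user group per user type, the Y/Z prefix on customer roles, and the protection of SAP* and DDIC. The script below is an added example, not code from the original post or from SAP, and it covers all three checks in one pass. The export format (USER;TYPE;GROUP;LOCKED;ROLES) is invented for this example, the TYPE column is an assumed classification rather than a standard SAP field, the role names are constructed, and treating "SAP* and DDIC are locked when not in use" as the expected state is an assumed hardening rule beyond the page's word "protected".

```python
"""Offline audit of an SAP user list export (constructed data).

Added example, not from the original post. Per user master record it checks:
  * the user group matches the group expected for the user's type
  * assigned customer roles start with Y or Z
  * the standard users SAP* and DDIC are in group SUPER and locked
The export format USER;TYPE;GROUP;LOCKED;ROLES is invented for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Expected group per user type, as listed on the page; company-specific.
EXPECTED_GROUP = {
    "BASIS": "SUPER",
    "SECURITY": "SUPER",
    "DEVELOPER": "DEVELOPER",
    "FUNCTIONAL": "FI-DEVELOPER",
    "HELPDESK": "SUPPORT",
}
STANDARD_USERS = ("SAP*", "DDIC")
STANDARD_USER_GROUP = "SUPER"
SAP_DELIVERED_ROLE_PREFIX = "SAP_"  # SAP-delivered template roles are exempt


@dataclass
class UserRecord:
    name: str
    user_type: str  # assumed classification column, not an SAP field
    group: str
    locked: bool
    roles: List[str]


def parse_export(text: str) -> List[UserRecord]:
    """Parse the constructed semicolon-separated export, one user per line."""
    users: List[UserRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, user_type, group, locked, roles = line.split(";")
        users.append(UserRecord(
            name=name,
            user_type=user_type,
            group=group,
            locked=(locked == "X"),  # 'X' is the usual SAP flag for true
            roles=[r for r in roles.split(",") if r],
        ))
    return users


def is_customer_namespace(role: str) -> bool:
    """Customer objects should start with Y or Z."""
    return role[:1].upper() in ("Y", "Z")


def audit_users(text: str) -> List[Tuple[str, str]]:
    """Return (user, message) findings for group, naming and standard-user checks."""
    findings: List[Tuple[str, str]] = []
    for u in parse_export(text):
        if u.name in STANDARD_USERS:
            if u.group != STANDARD_USER_GROUP:
                findings.append((u.name, f"standard user in group {u.group}, expected {STANDARD_USER_GROUP}"))
            if not u.locked:
                findings.append((u.name, "standard user is not locked"))
            continue
        expected = EXPECTED_GROUP.get(u.user_type)
        if expected is None:
            findings.append((u.name, f"unknown user type {u.user_type}"))
        elif u.group != expected:
            findings.append((u.name, f"group {u.group}, expected {expected} for {u.user_type}"))
        for role in u.roles:
            if not role.startswith(SAP_DELIVERED_ROLE_PREFIX) and not is_customer_namespace(role):
                findings.append((u.name, f"role {role} is outside the Y/Z customer namespace"))
    return findings


# Constructed sample export; user and role names are invented.
SAMPLE_EXPORT = """
# USER;TYPE;GROUP;LOCKED;ROLES
SAP*;STANDARD;SUPER;X;
DDIC;STANDARD;DEVELOPER;;
JSMITH;BASIS;SUPER;;Z_BASIS_ADMIN
AKUMAR;DEVELOPER;SUPPORT;;Z_ABAP_DEV,SAP_SAMPLE_TEMPLATE
HELP01;HELPDESK;SUPPORT;;HELPDESK_RESET
"""

if __name__ == "__main__":
    for user, message in audit_users(SAMPLE_EXPORT):
        print(f"{user:8} {message}")
```

On the sample, DDIC produces two findings (wrong group, not locked), AKUMAR one (developer placed in SUPPORT) and HELP01 one (a role outside the Y/Z namespace); SAP* and JSMITH are clean. The standard users are handled before the per-type check because they have no business user type, and SAP-delivered SAP_ roles are exempted from the naming rule since the convention applies to customer objects only.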

9. Security Change Management:

Any changes to roles, profiles and authorizations should follow a proper approval process. Before changes are made to these objects, approval from the manager or role owner is required and must be documented for audit. All changes should be made in the development system, moved to the integration system for testing, and moved to production once testing is successful.

Please visit my YouTube channel for more SAP content and demo videos.
https://www.youtube.com/channel/UCirrZvU_y9IBJzkH-AoxvUQ
