SAP Security Questions and Answers - Part 2

 SAP Security Questions and Answers - Part 2

1. What is USOBT_C and USOBX_C

USOBT_C and USOBX_C are two SAP customer tables which controls the behavior of the profile generator after the transaction has been selected.
After new installations, these two tables are empty and must be filled with values before the profile generator is used for the first time.
SAP delivers standard tables USOBT and USOBX. These tables are filled with default values and used for the initial fill of the customer tables USOBT_C and USOBX_C. The customer tables may be modified if required.
T.code SU25 copies the SAP defaults from USOBT and USOBX to the customer tables USOBT_C and USOBX_C.
T.code SU24 is used to take care of these customer tables to adjust the behavior of profile generator and authorization checks to be performed for every transaction code.

2. Authorization object status in Roles

a. Standard: This object displays value entries in authorization fields which are  default, and also the object is retrieved from the customer tables maintained in SU24
b. Changed: The default field values of this object are changed
c. Maintained: The changed values have been maintained
d. Manually: The object has been added manually by using the button ‘Manually’

3. Expert mode in PFCG t.code

Expert mode contains 3 options
a. Delete and recreate profile and authorizations: This option will delete all the authorizations and start over. This option can be selected only when you need to start over and bring in fresh copy of the objects based on the transactions.
b. Edit old status: This option is to edit the old status, which is same as entering change mode.
c. Read old status and merge with new data: This is the option we normally use, which Is to read old status and merge the new data. The new data contains any new SU24 changes.

4. Traffic lights in PFCG

a. Green: All fields below this level have been filled with values
b. Yellow: There is at least one field (but no organizational levels) below this level for which no data has been proposed or entered.
c. Red: There is at least one organizational level field (also known as org level) below this level for which no values has been maintained.

5. What are the methods of transporting a role?

Security roles are created in development system and transported to quality assurance system for testing and once the roles are tested, they are transported to production system.
There are 3 different ways to transport the role.
a. Use t.code SCC1 for transporting the role between clients with in the same system.
b. Role can be downloaded from source client/system and uploaded to target client/system.
c. Use transport management system. Create a transport request and transport the change request to other systems in the landscape. This method is preferred.

6. What are the benefits and drawbacks in role download and upload?

Advantages:
This method is beneficial when the system is not in the system landscape. When composite role is downloaded, all the single roles included in composite role are downloaded and when the composite role is uploaded , all the single roles in composite role are uploaded.

Disadvantages:
The disadvantage is that all the roles needs to be generated after upload. No User assignments are uploaded when roles are uploaded. No audit trial happens in role upload or download.

7. How to secure the programs?

SE38 or SA38 transaction code is used to execute the programs.
Authorization object S_PROGRAM is checked when program is executed.
S_PROGRAM contain two fields, User Action and Authorization Group.
One way of securing program is to assign authorization group to all custom programs/reports.
For all custom programs or reports, include AUTHORITY_CHECK statement. Custom t.codes are created for all custom programs or reports, so that it checks S_TCODE object. The best practice is to avoid assigning SE38 or SA38 in production system.

8. How to secure tables?

Data is stored in tables and these tables contains confidential and sensitive data.
SE16 or SM30 transaction code is used to look for data in a table.
Authorization object S_TABU_DIS is checked when a table is accessed.
S_TABU_DIS contains two fields, Activity and Dicbercls (table authorization group).
One way of securing tables are assigning tables to table authorization group. Create custom t.codes for each and every table that need access. The best practice is to avoid assigning SE16 in production system.

9. What are the authorization objects related to tables?

a. S_TABU_DIS: This object is used to control the table access. This object controls access through standard table maintenance functions.
b. S_TABU_CLI: This object is for maintaining the cross-client tables. It is also be used along with S_TABU_DIS to enhance the table maintenance authorizations.
c. S_TABU_NAM: This object is used to give access only one table belonging to some authorization group.
d. S_TABU_LIN: This object is used to restrict access to tables based on organizational criteria. This object control access to individual table rows.

10. What authorization object is used to control the debugging access and program developments?

S_DEVELOP is the authorization object which controls the ABAP development access. This object is used to give permission for all the ABAP Workbench components.
The authorization object S_DEVELOP is considered as critical if it is assigned in production system.
Users do not require this object in production system with more than display access.

11. What are the critical Basis authorization objects?

a. S_RFC: Authorization check when using the remote function call to access program modules (such as function groups).
b. S_TABU_DIS: This object enables authorization checks in display or edit the table content
c. S_PROGRAM: Authorization object to control the program execution
d. S_DEVELOP: Authorization object to control the ABAP development activities
e. S_BTCH_ADM: Authorization object that enables access for background job processing
f. S_DATASET: Authorization object that enables file access at OS level 
g. S_CTS_ADMI: Authorization object that enables the system admin activities

12. What are the authorization objects related to background processing?

a. S_BTCH_JOB: This objects is used to control the operations on background jobs. This allows users to release their own jobs.
b. S_BTCH_NAM: This object determines the authorized users, which users can choose from scheduling a background jobs.
c. S_BTCH_ADM: This object is used to administer the background jobs, such as defining, maintaining and monitoring the jobs.

13. How to secure client settings?

Client settings are stored in the table T000 and these settings can be maintained only by the system administrators. The table T000 can be accessed through transaction codes SCC4 and SM30.
Authorization object S_ADMI_FCD gives the maintenance access to client settings, this object will be given to system administrators only along with SCC4.
Assign table T000 to the table authorization group, so it can be controlled via S_TABU_DIS authorization object.

14. What are the authorization objects related to print and spool?

a. S_SPO_DEV: This object is used to control the authorizations for output devices define which users can generate spool and output requests for which output device.
b. S_SPO_ACT: This object is used to control the actions performed on the spool requests. This object is checked only when user tries to access other user spool requests.

15. What is the purpose of S_DATASET?

S_DATASET is the authorization object which controls the authorization checks for programs and files.
When user access sequential files on the application server using open dataset, read dataset, transfer and delete dataset.

16. What is the purpose of S_TCODE?

S_TCODE is the authorization object which is used to control transaction code access.
This object is required to execute any transaction code. S_TCODE is the first line of defense as it is checked before any other authorization object.

17. What do you see in the user buffer and how to call the user buffer?

Each user has his own user buffer. It contains all the authorizations that are assigned to the user. This list is arranged by Object/Authorization/Object text. 
User buffer can be seen by executing the SU56 transaction code.

18. What are the SAP System predefined profiles?

SAP_ALL: This is to assign all authorizations that exists in the SAP system to users.
SAP_NEW: This composite profile bridges the differences in the releases in case of new or changed authorization checks for existing functions.

19. What data contains in USR* and USH*tables?

USR* tables contains Authorizations and User master records. The memory space can be reduced in these tables by archiving the tables.
USH* tables contains the changed documents and archiving process deletes these documents from USR* tables that are no longer needed.

20. What happens if the transport request had user assignment and no import lock had been setup?

If user transports the roles with user assignment, the user assignments in the target system are completely replaced by those from the transport request. It also deletes the existing assignments to users that are not contained in the transport request.

21. What are the important user and authorization related tables?

a. USR01: Contains runtime data of user master record such as printer, language, decimal notation, date format etc
b. USR02: Table contains logon information such as name, validity, last logon and password etc
c. USR03: Contains users address information
d. USR04: Contains the user authorizations
e. USR10: Contains the user authorization profiles
f. USR12: Contains the user master authorizations values
g. USR13: Contains the short text for authorizations
Users, profiles and authorization change history data is stored in USH02, USH04, USH10 and USH12.

22. What is the purpose of SUIM transaction code?

SUIM is a user information system which is a powerful tool used to analyze SAP authorizations assigned to users. 
Analysis is done with based on any of these categories:
A specific user to check his complete access
Tcode or Role assigned to a specific user or group of users
Change history of roles and users

Pls visit my YouTube channel for more SAP content and demo videos. 
https://www.youtube.com/channel/UCirrZvU_y9IBJzkH-AoxvUQ


Location: Chicago, IL, USA

Comments

Post a Comment

Popular posts from this blog

SAP Security: Critical Authorization Objects

SAP Security: Critical Authorization Objects 1. S_TABU_DIS: This authorization object enables authorization check for displaying or modifying the table content. For accessing the table data, users use SE16, SM30 or SM31 transaction codes. This object contains two fields, DICBERCLS (authorization group) and ACTCT. 2. S_RFC: This authorization object enables authorization check for remote function call to access program modules (function modules). This authorization object contains three fields, RFC_TYPE, RFC_NAME and ACTCT. 3. S_DATASET: This authorization object enable file access at operating system level. This gives permission to access files from ABAP programs. This object contains three fields, File name, Program and Activity. 4. S_ADMI_FCD: This authorization objects enable access to various administrator activities like system monitoring, spool administration, client creations, update administration etc. This object contains one field, system administration functions. 5. S_DE...
Read more

SAP Security: Creating New User Account using Transaction Code SU01

Image
Creating  New User Account U sing Transaction Code SU01 SAP User Administration functions include User Creation, Change, Display, Delete, Copy, Lock/Unlock, Password reset. The topic is about creating new user account in SAP system. I have explained two methods. This is relevant for SAP Security Consultants or SAP User Administrators who want to perform user administration activities in SAP system. The User Administrator must follow the company policies and approval process before creating user account. Prerequisites for creating New User Account User Administrator/SAP Security Consultant should have the roles with the below authorizations in it. 1. Authorization Object S_USER_GRP for creating user and assign to user group. 2. Authorization Object S_USER_PRO for assigning authorization profiles to user. 3. Authorization Object S_USER_AUTH for creating and modifying authorizations. 4. Authorization Object S_USER_AGR for assigning roles to user. 5. Authorization Object S_USER_TCD for...
Read more

SAP Security: How to set auto Logoff for Inactive users in SAP

Image
How to set auto Logoff for Inactive users in SAP SAP provides an options for logging of inactive users in SAP automatically. Inactive means if there is no activity for a specific period of time. By setting the auto logoff improves the security in the SAP system. The auto logoff options is not active in the system by default. This needs to be activated using the profile parameter called rdisp/gui_auto_logout. The value for this parameter should be set in the form of seconds. The inactive users are logout of the system after the specific time period that is set in the parameter. The SAP system doesn't save the data before auto logoff and it does not popup any prompt before auto logoff. Procedure to set the value in the Profile parameter: Execute transaction code RZ10 Select the DEFAULT profile from the selection menu. Select the Extended maintenance and click on change icon. Click on the create parameter icon as shown below. Enter the new parameter name as rdisp/gui_auto_logout and c...
Read more