SAP Security Questions and Answers - Part 1

1. Overview of the elements of SAP Authorization Objects?

a. Authorization Object Class: A logical grouping of authorization objects.
Example: all authorization objects of the FI class start with “F_”.

b. Authorization Object: A group of 1 to 10 authorization fields.
Examples: S_TABU_DIS, S_USER_PRO, F_BKPF_BUK.

c. Authorization Field: The smallest unit on which an authorization check is executed.
Examples: ACTVT, BUKRS, CLASS.

2. How to view the existing authorization objects in SAP System?

There are two ways to view the existing authorization objects in the SAP system.
SU03 - Maintain Authorizations and Profiles
In this overview the authorization objects are sorted according to their classes. A double click takes you directly into the detail display.

SU21 – Maintain Authorization Objects
This t.code provides a similar editing structure to SU03 and also allows you to create new authorization objects.

3. What are the important tables related to SAP Authorizations?

TOBJ – Details of all the authorization objects that exist in the system
TACT – Stores all the activities that can be protected
TACTZ – Contains the valid activities for each authorization object
TBRG – Details of authorization groups
TOBC – Details of Authorization object classes
TOBCT – Text for authorization object classes
All the above tables can be viewed using SE16 transaction code.

4. Authorization checks for Dialog Users?

When a transaction is started, a system program executes a series of checks to make sure that the user has the appropriate authorizations. If the user executes a transaction code such as SU01, the following steps take place within the SAP system.
1st step: SAP checks whether the executed transaction code is valid by comparing it with the entries in table TSTC.
2nd step: SAP checks the authorization object S_TCODE. It contains only one field, TCD (transaction code), and the executed t.code must be among its values.
If the required authorization does not exist, the user fails the authorization check at this stage and receives an error message such as “You are not authorized to use transaction FB02”. So the user must hold this authorization for the transaction code whenever he or she wants to run t.codes such as FB02, SU01 or PFCG.

5. What are the valid return codes for the authorization check?

0: The user has the required authorization for the authorization object with the right field values.
4: The user has an authorization for the authorization object, but the checked field values are not in the user's authorizations.
12: The user has no authorization for that authorization object.
The values returned by the program check depend on the user buffer (SU56).
When a user logs on to the system, a user buffer containing all the user's authorizations is built. The user buffer is user-specific: every user has his or her own user buffer.
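As an added illustration (not code from the original post), the ABAP report below performs the checks described in questions 4 and 5 and shows how sy-subrc maps to the return codes 0, 4 and 12; the report name, the default company code '1000' and the message texts are constructed for this example.

```abap
REPORT z_authcheck_demo.
" Added example, not from the original post. Report name, company code '1000'
" and the message texts are constructed. Shows the S_TCODE check the system
" performs at transaction start and an application check on F_BKPF_BUK, with
" sy-subrc interpreted as the return codes 0 / 4 / 12 from question 5.

PARAMETERS p_bukrs TYPE bukrs DEFAULT '1000'.

" 2nd step of the dialog check: does the user's S_TCODE authorization
" (field TCD) cover FB02? Reproduced here so the return code is visible.
AUTHORITY-CHECK OBJECT 'S_TCODE'
  ID 'TCD' FIELD 'FB02'.
IF sy-subrc <> 0.
  " 12: no S_TCODE authorization in the user buffer at all;
  "  4: S_TCODE is present, but TCD does not contain FB02.
  MESSAGE 'You are not authorized to use transaction FB02' TYPE 'E'.
ENDIF.

" Application-level check: may the user change (ACTVT 02) accounting
" documents in the selected company code (BUKRS)?
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '02'.

CASE sy-subrc.
  WHEN 0.
    WRITE: / 'RC 0: authorized for F_BKPF_BUK with BUKRS', p_bukrs,
             'and ACTVT 02'.
  WHEN 4.
    " Object is in the user buffer, but not with these field values.
    WRITE: / 'RC 4: F_BKPF_BUK exists, but not for these field values'.
  WHEN 12.
    " Object is missing from the user buffer entirely (compare SU53 / SU56).
    WRITE: / 'RC 12: no authorization for F_BKPF_BUK in the user buffer'.
  WHEN OTHERS.
    WRITE: / 'Other return code from AUTHORITY-CHECK:', sy-subrc.
ENDCASE.
```

Running the report with different company codes, then looking at SU53 for the last failed check, shows how the field values in the user buffer decide between return codes 0 and 4.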

6. What is Role and what is Profile in SAP?

Role: A role is a set of functions that describes a specific area of work. It contains transactions, reports and other related items, together with the authorizations related to those transaction codes.
For example, an Accounts Receivable clerk role contains all the t.codes and reports that an accountant needs for his or her daily work.
Roles are also used to build the menus that users work with after they have logged on to the SAP System. Roles are created with the PFCG t.code.

Profile: A profile is created when the role is generated. It contains the actual authorizations of the role.

7. What are Composite Roles and Derived Roles?

Composite Roles - Composite roles are collections of one or more single roles. A composite role is only a shell for the combined roles and does not contain any authorization data itself.

Derived Roles - Derived roles are derived from an existing role, also called the master role. They inherit the transactions, reports and other elements from the master role. Only the organizational values, such as company code, controlling area, sales org and purchase org, are not inherited from the master role.
The master and derived role concept is used when a company has offices/plants across the globe.

8. What are the Standard Profiles and Generated Profiles?

Standard profiles: Standard profiles come with SAP. Below are the two important standard profiles. These profiles contain all the authorizations and are capable of executing every transaction code. They can be assigned directly to a user with SU01.
SAP_ALL
SAP_NEW
Generated Profiles: These profiles are created when a role is generated. They cannot be assigned to a user directly; they are assigned when the role is assigned.

9. What is User Comparison?

User comparison reconciles the roles/profiles of a user account. The comparison is required when roles are assigned with valid-to dates: when the valid-to date expires, the user comparison deletes the roles or profiles from that account.
The report PFCG_TIME_DEPENDENCY is run before the start of the business day. This ensures that the authorization profiles in the user master records are up to date.
The PFUD transaction code can be used to run a manual comparison.
User comparison also ensures that generated profiles are deleted from the user master record if they do not belong to the roles assigned to the user.

10. What are the tables related to Roles and Profiles?

AGR_DEFINE - Contains all the roles and reference to the parent role if available
AGR_AGRS – Overview of composite roles and their assigned single roles
AGR_1016 – Roles along with their profiles
AGR_1250 – Authorization object of the individual roles
AGR_1251 – Authorization data including field values
AGR_1252 – Organizational values of the individual roles
AGR_TCODES – Overview of the roles with their transaction codes
All these tables can be displayed using SE16 or SE16N transaction code.

11. What are the daily activities of SAP Security Administrator?

Create, Maintain, lock, unlock users and password resets – SU01
Create and Maintain roles - PFCG
Maintain transactions authorization data in roles - PFCG
Generate authorization profiles - PFCG
Assign roles and profiles – SU01/PFCG
Transport roles – PFCG/SE09/SE10
Monitoring/troubleshooting the system – SU53/ST01/SUIM

12. What are the options for Transporting SAP security roles?

a. Download the roles from one system and upload them into another. This option loads the role data, including the authorization data, from a file into the target SAP system. The generated profiles of the roles and the user assignments are not included.

b. Transport the roles with the transport function. The transport of a role is created in the PFCG transaction code; once created, the request can be displayed with SE10. The profiles are transported along with the roles.

13. What is Customizing Request and Workbench Request?

A customizing request contains changes related to customizing settings, i.e. objects related to client-specific settings. Role changes are recorded in a customizing request.
A workbench request contains changes related to ABAP Workbench objects, i.e. objects related to client-independent settings. Program and table changes are recorded in a workbench request.

14. What are the tables related to Transports?

E070 - CTS: Header of Requests/Tasks
E071 -  CTS: Object Entries of Requests/Tasks
All these tables can be displayed using SE16 or SE16N transaction code.

15. What are the Return codes in the transport logs?

0 – Transport ran without errors
4 – Warnings were issued. All objects were transported successfully
8 – Objects could not be transported successfully
12 – A critical error has occurred, probably not caused by the contents of the request
The SE01 transaction code can be used to display the transport logs.

16. What are the options in SAP Role Deletion?

1. Direct deletion
Go to the PFCG transaction code, enter the role name and delete the role directly. This needs to be performed in all the systems except the production system.

2. Deletion using the transport system
Go to the PFCG transaction code and create a transport request with the roles you want to delete. Once the transport request is created, delete the roles and release the transport request. Import the request into all the systems. This method is used to delete roles in the production system, as roles in production cannot be deleted directly.

17. What are the User Types in SAP System?

Dialog (A) – Individual interactive system access.
System (B) – Background processing and communication within the system. Dialog logon is not possible.
Service (S) – Dialog logon is possible; assigned to an anonymous group of users.
Communication (C) – Dialog-free communication for external RFC calls. Dialog logon is not possible.
Reference (L) – General, non-person-related user that allows the assignment of additional identical authorizations. No logon is possible.

18. How to protect SAP Standard Users?

Protecting standard users from unauthorized use:
a. Define a new superuser and deactivate SAP*. Set the profile parameter login/no_automatic_user_sapstar to a value greater than 0.
b. Change all the default passwords of these users.
c. Assign them to the SUPER user group.
d. Lock DDIC and EARLYWATCH and unlock them only when necessary. Do not delete DDIC; it is needed for installations and upgrade activities.

19. How to protect the SAP system from unauthorized logons?

a. Terminate session after a number of unsuccessful logon attempts.
    Set the number using profile parameter: login/fails_to_session_end
b. Lock user after a number of consecutive unsuccessful logon attempts.
    Set the number using profile parameter: login/fails_to_user_lock
c. Logoff the idle users. 
    Set the amount of time using profile parameter: rdisp/gui_auto_logout
d. Monitor unsuccessful logon attempts with report RSUSR006.
    RZ10/RZ11 t.codes are used to display and maintain the profile parameters.

20. What are the reports related to the SAP User Information System?

a. RSUSR002 – Users by complex selection criteria
b. RSUSR0025 – List of users with critical authorizations
c. RSUSR020 – Profiles by complex selection criteria
d. RSUSR030 – Authorizations by complex selection criteria
e. RSUSR040 – Authorization objects by complex selection criteria
f. RSUSR070 – Roles by complex selection criteria
g. RSUSR100 – Change documents for users
All these reports can be run using the SA38 t.code.

Please visit my YouTube channel for more SAP content and demo videos.
https://www.youtube.com/channel/UCirrZvU_y9IBJzkH-AoxvUQ
