SAP BASIS and Security Administration


                 An Article From thespot4sap LTD


Contents

1.0 Introduction...............................................................................................................2
2.0 SAP Security Components – The Big Picture ............................................................2
  2.1 SAP Authorization Concept...................................................................................3
  2.2 Composite Profiles ................................................................................................4
  2.3 User Ids.................................................................................................................4
  2.4 Authorizations .......................................................................................................4
3.0 Security Configuration in SAP...................................................................................4
  3.1 User Authentication...............................................................................................4
  3.2 Creating and Assigning Authorization Profiles.......................................................5
  3.3 Auditing and Monitoring .......................................................................................6
  3.4 Administration and Maintenance ...........................................................................9




© www.thespot4sap.com                                  Page 1 of 9                     independent.current.research


1.0 Introduction
SAP has done nothing less than change the entire systems landscape for
enterprises. The benefits it can bring have led to widespread adoption across the
globe. One of the key benefits SAP brings to an enterprise is the ability to
integrate data both within the enterprise and between it and its partners and
competitors. In many cases organizations today are both partners and
competitors at the same time. Think of wholesalers and distributors, SAP and
Oracle, AT&T and BT, or two oil giants who have an upstream joint venture.
These companies use SAP to integrate processes between themselves for their
mutual benefit. This ability to integrate, however, brings with it a particular risk:
that of exposing their data to the unauthorized outside world.

Entire companies have been built up around highly guarded intellectual property
and process secrets, and could easily fall if these were breached. Therefore,
keeping the security of the organization intact is one of the vital aspects of any
SAP implementation.

SAP BASIS addresses all security issues by incorporating an authorization
module. With the increased potential for security breaches in computer systems
around the world, BASIS consultants face the tough task of maintaining the
integrity and administering the security of SAP systems. The interoperability
features of an SAP system make this task more difficult still.

2.0 SAP Security Components – The Big Picture
SAP security in an integrated environment can be viewed in the form of discrete
components as shown below (figure 1).




Figure 1: SAP security components (Network, Workstation, Operating System, Database)


Tight security is required for each of the above components (Network,
Workstation, Operating System and Database) as a breach made in one area
can compromise the entire system.

The scope of this article is SAP Application Security, which can be achieved with
the help of SAP’s BASIS security application through the concept of
authorization.

In SAP, security is administered for objects (profiles and authorizations). Users
are only authorized to see or change the parts of the system required by their
respective job responsibilities.

2.1 SAP Authorization Concept

The SAP authorization concept is based upon the logical relationship between a
user ID and the range of system authorizations with which it can be associated.
The architecture of the authorization system is built from several individual but
related logical components: Profiles, Objects, Fields, and Authorizations. A user
ID refers exclusively to profiles; each profile grants the user a set of specific
system access authorizations. Figure 2 illustrates the hierarchical authorization
concept in SAP.




Figure 2: the hierarchical SAP authorization concept (user ID, profiles, objects, fields, authorizations)


2.2 Composite Profiles

Composite profiles refer to the various employee roles available in the
corporation (for instance: Purchasing / Receiving Clerk or Accounts Agent). As
the name suggests, composite profiles may contain multiple user IDs necessary
to perform all the business operations associated with a particular role. A
composite profile may encapsulate one or more other composite profiles. In
practice, a model composite profile should be defined for each possible role in
the organization, and these can be combined to produce hybrid composite
profiles. A proliferation of such hybrids defeats the very purpose of composite
profiles, so they should be created only when a specific need arises.

2.3 User Ids

User IDs allow access to SAP applications. Each user must have a corresponding
profile specifically assigned. In many situations, multiple composite profiles can
be assigned to one user ID, depending on the role(s) the individual user is
responsible for in the business processes.

2.4 Authorizations

Authorizations are the key building blocks of SAP security. Authorization is the
process of assigning values to fields present in authorization objects. In SAP,
access to all system functionality is achieved through a complex array of
authorizations. Sometimes users find that they lack the necessary authorizations
to perform a certain function in the system, in which case the message: "You are
not authorized..." is displayed at the bottom of the screen.

An authorization check may require a second associated authorization, which in
turn requires a third, and so on. For example, the task of paying a vendor
invoice may require 10 different authorizations.

3.0 Security Configuration in SAP
Security configuration and administration in SAP is a multi-phase process. Four
key security components are required to ensure adequate security, privacy,
and integrity of information. The phases are as follows:

3.1 User Authentication

The first phase confirms the identity of the user and results in the user being
authenticated. Unauthorized access to the SAP system is prevented through
this initial check, which protects system integrity by regulating access through
genuine user authentication.

3.2 Creating and Assigning Authorization Profiles

A Profile Generator (PG) is used to automatically generate and assign
authorization profiles. This tool was released with SAP version 3.1g and above.
The administrator can also create authorization profiles manually.

Note: Profile Generator can be retroactively installed in SAP versions 3.0f and above.

The authorization objects can be selected using the SAP Profile Generator.
Administrators can automatically generate authorization profiles for function-
specific access to SAP users after configuring initial settings.

The Profile Generator represents a new approach to authorization in SAP. The
administrator defines user authorizations in terms of SAP functions; based on
the selected functions, the PG groups the objects into administrator-created
authorization profiles.

Authorization profiles created by the Profile Generator are based on the given
authorizations. The PG also speeds up the process and simplifies
administrator/user communication, since both the administrator and the users
can use the same SAP function terminology. To auto-generate an authorization
profile, an Activity Group first needs to be created.

Activity Groups contain simple profiles and usually represent employee or job
roles. They are user-defined and allow administrators to organize and maintain
system activities. An activity group used as an information database reduces
data entry time. Administrators define activity groups in two steps:

    1. Selecting the criteria, such as access controls.
    2. Dividing the activities into appropriate groups.

For example, activities can be organized by functions, such as human resources,
payroll, or administration or by job classes, such as computer programming
activities, or accounting activities. A combination of function-specific activity and
job-specific activity can also be implemented.

Security implementation with the new Profile Generator is based on the creation
of activity groups or a collection of linked or associated activities, such as tasks,
reports, and transactions.




Consider a business situation involving a company, ABC Inc., faced with
transaction security problems in its business dealings with its dealers. To address
this problem, the company can create authorization profiles for its dealers using
the Profile Generator. This is done by carrying out the following instruction set:

Instruction 1: Create a dealer activity group. Name this activity group Dealer.

Instruction 2: Include all dealer-specific business transactions in the activity
group.

Instruction 3: Generate an authorization profile for Dealer.

Instruction 4: Assign Dealer to a new user in your system and update the user
master records.

Following this procedure gives the new user complete functional access to the
system as a Dealer.
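The authorization concept of sections 2.1 to 2.4 and the Dealer procedure above, worked through as an added Python model (not SAP code and not part of the original article): user IDs hold profiles, composite profiles nest other profiles, and each authorization assigns values to the fields of an authorization object. S_TCODE with field TCD is modelled after the real object for transaction starts; the object F_INVOICE_PAY, the transaction lists, the company code and the user names are assumptions.

```python
from dataclasses import dataclass, field

NOT_AUTHORIZED = "You are not authorized..."   # message the article quotes


@dataclass(frozen=True)
class AuthObject:
    """Authorization object: a name plus the fields whose values are checked."""
    name: str
    fields: tuple


@dataclass
class Authorization:
    """One authorization = values assigned to every field of an object ('*' = any value)."""
    obj: AuthObject
    values: dict  # field name -> set of permitted values

    def permits(self, requested):
        for f in self.obj.fields:
            allowed = self.values.get(f, set())
            if "*" not in allowed and requested.get(f) not in allowed:
                return False
        return True


@dataclass
class Profile:
    """A simple profile holds authorizations; a composite profile also holds other profiles."""
    name: str
    authorizations: list = field(default_factory=list)
    profiles: list = field(default_factory=list)

    def flatten(self):
        yield from self.authorizations
        for sub in self.profiles:           # composite profiles may nest further composites
            yield from sub.flatten()


@dataclass
class User:
    user_id: str
    profiles: list = field(default_factory=list)


# S_TCODE/TCD is modelled after the real transaction-start object; F_INVOICE_PAY is invented here.
S_TCODE = AuthObject("S_TCODE", ("TCD",))
F_INVOICE_PAY = AuthObject("F_INVOICE_PAY", ("ACTVT", "BUKRS"))  # activity, company code


def authority_check(user, obj, **requested):
    """Succeeds if any authorization reachable through the user's profiles covers the request."""
    return any(auth.obj == obj and auth.permits(requested)
               for prof in user.profiles for auth in prof.flatten())


def generate_profile(activity_group, transactions, extra=()):
    """Profile Generator analogue: the activity group lists the transactions a role needs;
    the generated profile gets one S_TCODE authorization covering them plus the further
    authorizations those transactions require."""
    prof = Profile(activity_group + "_GEN")
    prof.authorizations.append(Authorization(S_TCODE, {"TCD": set(transactions)}))
    prof.authorizations.extend(extra)
    return prof


def run_task(user, checks):
    """A business task chains several checks; the first failing one yields the error message."""
    for obj, req in checks:
        if not authority_check(user, obj, **req):
            return False, f"{NOT_AUTHORIZED} (missing {obj.name} {req})"
    return True, "ok"


# Paying a vendor invoice needs the transaction start and the posting authorization (assumed).
PAY_VENDOR_INVOICE = [(S_TCODE, {"TCD": "F-53"}),
                      (F_INVOICE_PAY, {"ACTVT": "01", "BUKRS": "1000"})]


def build_dealer_scenario():
    """Instructions 1-4 of the Dealer example: activity group -> generated profile -> new user."""
    dealer_profile = generate_profile("DEALER", ["VA01", "VA03"],
                                      extra=[Authorization(F_INVOICE_PAY, {"ACTVT": {"03"}, "BUKRS": {"1000"}})])
    dealer = User("DEALER01", [dealer_profile])
    ap_profile = generate_profile("AP_CLERK", ["F-53"],
                                  extra=[Authorization(F_INVOICE_PAY, {"ACTVT": {"*"}, "BUKRS": {"1000"}})])
    # the clerk's composite profile wraps the generated simple profile
    clerk = User("APCLERK01", [Profile("FI_COMPOSITE", profiles=[ap_profile])])
    return dealer, clerk


if __name__ == "__main__":
    dealer, clerk = build_dealer_scenario()
    print(authority_check(dealer, S_TCODE, TCD="VA01"))   # True: VA01 is in the Dealer activity group
    print(run_task(dealer, PAY_VENDOR_INVOICE))           # (False, 'You are not authorized... ...')
    print(run_task(clerk, PAY_VENDOR_INVOICE))            # (True, 'ok')
```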

3.3 Auditing and Monitoring

In this phase, the authorizations created in the previous phase are tracked.
Detailed records of system events are used to record the actions of a user
against that unique user account identifier. Auditing and monitoring activities
should comply with the enterprise's overall IT strategy and should be performed
on a weekly, monthly, quarterly, and yearly basis.




Figure 3


There are some key tasks that should be included in a monitoring plan. The
following reviews should be part of an ideal monitoring plan.

Using System Logs and Security Audit Logs
The system log records critical information about important events. Each
application server maintains local log files to which the information is written
periodically. The security audit log records events such as successful and
unsuccessful dialog log-on attempts, RFC log-on attempts, changes to user
master records, and transaction starts.
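A review pass over security audit log entries, added here as an example that is not part of the original article: it runs checks for the event classes the paragraph lists (failed and successful dialog log-ons, RFC log-ons, user master changes, transaction starts) over constructed sample lines. The pipe-separated line format, the BASIS group membership, the sensitive transaction list and the thresholds are assumptions, not the real audit log layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH"}           # delivered default IDs (see below)
BASIS_GROUP = {"BASIS01", "BASIS02"}                      # assumed members of the BASIS user group
SENSITIVE_TCODES = {"SU01", "PFCG", "SE16", "SUIM"}       # assumed: user/profile maintenance, table browsing
FAILED_LOGON_THRESHOLD = 3                                # assumed review thresholds
FAILED_LOGON_WINDOW = timedelta(minutes=5)

# Constructed sample entries: timestamp|client|user|terminal|event|detail
SAMPLE_LOG = """\
2024-03-04 09:12:01|100|JSMITH|WS17|DIALOG_LOGON_FAILED|
2024-03-04 09:12:20|100|JSMITH|WS17|DIALOG_LOGON_FAILED|
2024-03-04 09:12:44|100|JSMITH|WS17|DIALOG_LOGON_FAILED|
2024-03-04 09:13:05|100|JSMITH|WS17|DIALOG_LOGON_OK|
2024-03-04 09:30:10|100|BASIS01|WS02|TCODE_START|SU01
2024-03-04 09:31:00|100|BASIS01|WS02|USER_MASTER_CHANGED|DEALER01
2024-03-04 10:02:33|100|DEALER01|WS40|TCODE_START|VA01
2024-03-04 10:05:12|100|DEALER01|WS40|TCODE_START|SE16
2024-03-04 11:15:00|000|SAP*|WS09|DIALOG_LOGON_OK|
2024-03-04 11:21:00|100|DDIC|-|RFC_LOGON_OK|
2024-03-04 14:44:09|100|MJONES|WS21|USER_MASTER_CHANGED|MJONES
"""


def parse(line):
    ts, client, user, term, event, detail = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "client": client,
            "user": user, "term": term, "event": event, "detail": detail}


def review(log_text):
    """Return (finding, user, detail) tuples in log order."""
    findings = []
    failed = defaultdict(list)                 # (client, user, terminal) -> recent failure times
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse(raw)
        # any log-on, dialog or RFC, with a delivered default ID
        if e["user"] in DEFAULT_USERS and "LOGON" in e["event"]:
            findings.append(("DEFAULT_USER_LOGON", e["user"], e["client"]))
        # repeated failures from one terminal inside the window (guessing, or a lock-out in progress)
        if e["event"] == "DIALOG_LOGON_FAILED":
            key = (e["client"], e["user"], e["term"])
            failed[key] = [t for t in failed[key] if e["ts"] - t <= FAILED_LOGON_WINDOW] + [e["ts"]]
            if len(failed[key]) == FAILED_LOGON_THRESHOLD:   # report once, when the threshold is reached
                findings.append(("REPEATED_LOGON_FAILURE", e["user"], e["term"]))
        # user master changes should come only from the BASIS group
        if e["event"] == "USER_MASTER_CHANGED" and e["user"] not in BASIS_GROUP:
            findings.append(("USER_MASTER_CHANGE_OUTSIDE_BASIS", e["user"], e["detail"]))
        # sensitive transaction starts by anyone outside the BASIS group
        if e["event"] == "TCODE_START" and e["detail"] in SENSITIVE_TCODES and e["user"] not in BASIS_GROUP:
            findings.append(("SENSITIVE_TCODE_BY_NON_BASIS", e["user"], e["detail"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```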

Reviewing User Activity
All SAP system users must be continuously monitored so that their problems can
be rectified as soon as they occur. The timely attention to user problems can
reduce administration overheads.

For example, if an SAP administrator wants to check for unrecognizable user IDs
or for users trying to use non-permitted transactions, the administrator can
execute transaction AL08 and review user activity.

Monitoring User Access in the BASIS User Group
The BASIS users in an SAP system have access to sensitive areas of an
organization. Therefore it is vital to monitor their access. The following
instructions check the access of the BASIS user group.

Instruction Set

   •   Enter transaction SUIM to view Repository Information of the system.
   •   Follow the Menu Path:
          o User > Lists of users (according to selection criteria) > user IDS
              (Double Click).

Monitoring Change Requests
All change requests need to be properly reviewed and controlled prior to being
applied. This formal process needs to be detailed enough to ensure that
separation of duties and other control features are not breached. Strong
integration knowledge of the SAP system is required for this review. Critical
profiles, authorizations, and transactions need to be identified and treated even
more carefully.

Checking Important Default SAP Profiles




Administrators must check that default profiles act only as templates for
user-defined profiles and are not used directly in production. Default profiles
contain values which apply to all application servers. These include: SAP_ALL,
SAP_NEW, S_A.ADMIN, S_A.CUSTOMIZ, S_A.DEVELOP, S_A.DOKU, S_A.SYSTEM,
S_A.USER, S_ENT_IMG_GE, S_WF_ALL, and P_ALL.

Changing Default SAP User IDs
SAP comes with some pre-configured clients (independent business units). They
are clients 000, 001 and 066 in a non-IDES system. In an IDES system, client
800 is the default client. The SAP installation process automatically creates
default user IDs and their corresponding passwords. SAP administrators must
ensure that these are not used to access the system. The following table lists
the default user IDs in the various SAP clients.

User ID      Client        User Function
SAP*         000 and 001   The default super user; has all administrative powers.
DDIC         000 and 001   Responsible for the maintenance of the ABAP/4 Dictionary and the software logistics.
EarlyWatch   066           Has access only to monitoring and performance data.

Instruction Set

   •   Change all default passwords and verify the password change by
       logging into the various clients.

   •   Assign SAP* to the Super user group.
          o Enter transaction SE16.
          o Enter SAP* into the field called BNAME.
          o Click “Execute” and verify.

   •   As a final step, check that the secret super user has been created (with a
       different user ID and password). All of the authorizations assigned to SAP*
       should then be removed (an empty profile list, followed by a password
       change).
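The default-profile and default-user checks above, as an added Python example that is not part of the article or of SAP: it walks a constructed user-master snapshot and reports default profiles assigned directly to production users, default user IDs that still carry their installation password, and an SAP* that has not been neutralised (non-empty profile list, or not in the super user group). The snapshot rows, the production client number, the group name SUPER and the initial-password flag are assumptions.

```python
# Default profiles named in the article: templates only, never assigned directly in production.
DEFAULT_PROFILES = {"SAP_ALL", "SAP_NEW", "S_A.ADMIN", "S_A.CUSTOMIZ", "S_A.DEVELOP",
                    "S_A.DOKU", "S_A.SYSTEM", "S_A.USER", "S_ENT_IMG_GE", "S_WF_ALL", "P_ALL"}
DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH"}   # default IDs from the table above
PRODUCTION_CLIENTS = {"100"}                     # assumed production client
SUPER_GROUP = "SUPER"                            # assumed name of the super user group

# Constructed snapshot rows: (client, user ID, user group, profile list, still has initial password)
SNAPSHOT = [
    ("000", "SAP*",       "SUPER",   [],                     False),
    ("001", "SAP*",       "SUPER",   ["SAP_ALL"],            True),
    ("000", "DDIC",       "SUPER",   ["SAP_ALL", "SAP_NEW"], False),
    ("066", "EARLYWATCH", "",        ["Z_MONITOR_ONLY"],     True),
    ("100", "SAP*",       "SUPER",   [],                     False),
    ("100", "DDIC",       "",        ["SAP_ALL"],            True),
    ("100", "BASIS01",    "SUPER",   ["Z_BASIS_ADMIN"],      False),
    ("100", "DEALER01",   "DEALERS", ["Z_DEALER_GEN"],       False),
    ("100", "JSMITH",     "FI",      ["SAP_ALL"],            False),
]


def check_snapshot(rows):
    """Return (finding, client, user, detail) tuples in snapshot order."""
    findings = []
    for client, uid, group, profiles, initial_pw in rows:
        if uid in DEFAULT_USERS and initial_pw:
            # the installation password was never changed: the ID is usable as delivered
            findings.append(("INITIAL_PASSWORD", client, uid, ""))
        if uid == "SAP*" and (profiles or group != SUPER_GROUP):
            # SAP* should sit in the super user group with an empty profile list
            findings.append(("SAP_STAR_NOT_NEUTRALISED", client, uid, ",".join(profiles)))
        if client in PRODUCTION_CLIENTS and uid not in DEFAULT_USERS:
            # default users legitimately carry delivered profiles; anyone else in production must not
            direct = sorted(set(profiles) & DEFAULT_PROFILES)
            if direct:
                findings.append(("DEFAULT_PROFILE_IN_PRODUCTION", client, uid, ",".join(direct)))
    return findings


def summarise(findings):
    """Count findings per type, the figure a weekly or monthly review would track over time."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in check_snapshot(SNAPSHOT):
        print(finding)
    print(summarise(check_snapshot(SNAPSHOT)))
```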



Audit Information System (AIS)
The SAP Audit Information System (AIS) serves as a centralized repository for
reports, queries, and views of interest to auditors. It is designed to address the
overall system configuration as well as SAP business processes and their related
control features, providing audit and security practitioners with the critical
information they need to conduct effective reviews of their SAP systems. SAP
administrators can use AIS for security auditing. The AIS plays a supportive role
in providing security services for SAP systems. The primary function of AIS is
auditing, but its auditing features can also yield the measures that help in
developing the security policy for SAP systems.

3.4 Administration and Maintenance

A successful security setup of an SAP system concludes with proper
management and administration of user IDs, password resets, audit trails,
audit logs, access control lists, and personnel responsibilities.

Security administration in SAP includes maintenance of the overall SAP security
environment using the SAP Profile Generator, creating user-level activity groups
and creating user master records.

The concept of SAP security is flexible as well as complex. SAP has a multi-
layered integrated framework. To ensure adequate protection, security measures
must be factored into all layers of the SAP infrastructure. With client/server
architecture, SAP systems include many components that exchange information,
each of which constitutes a layer of the SAP security infrastructure. Security is
often not a priority in an implementation and as a result, the default security is not
strong. SAP security functionality could be enhanced using various measures as
discussed above.

Enterprises must develop a security strategy to ensure a secure and functional
SAP system. A business critical application like SAP needs continuous
monitoring and improvement of its security features.




Ad

More Related Content

What's hot (19)

A Market Landscape/Taxonomy/Segmentation Model for Cloud Computing Rev 1 (0.92)
A Market Landscape/Taxonomy/Segmentation Model for Cloud Computing Rev 1 (0.92)A Market Landscape/Taxonomy/Segmentation Model for Cloud Computing Rev 1 (0.92)
A Market Landscape/Taxonomy/Segmentation Model for Cloud Computing Rev 1 (0.92)
Lustratus REPAMA
 
Darwin Overview
Darwin OverviewDarwin Overview
Darwin Overview
Recruitment Software
 
Three SOA Case Studies
Three SOA Case StudiesThree SOA Case Studies
Three SOA Case Studies
Paul Fremantle
 
Wise Men- SAP GRC Webinar Deck- March 2015
Wise Men- SAP GRC Webinar Deck- March 2015Wise Men- SAP GRC Webinar Deck- March 2015
Wise Men- SAP GRC Webinar Deck- March 2015
Wise Men
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
Rohan Andrews
 
SAP grc
SAP grc SAP grc
SAP grc
smadhu29
 
Comprehensive Information on Software as a Service
Comprehensive Information on Software as a ServiceComprehensive Information on Software as a Service
Comprehensive Information on Software as a Service
HTS Hosting
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0
Latha Kamal
 
Powerup performance of Informatica Environment Nov 5, 2015
Powerup performance of Informatica Environment Nov 5, 2015Powerup performance of Informatica Environment Nov 5, 2015
Powerup performance of Informatica Environment Nov 5, 2015
Wise Men
 
VCE A Foundation for IT Transformation
VCE A Foundation for IT TransformationVCE A Foundation for IT Transformation
VCE A Foundation for IT Transformation
patmisasi
 
SAP GRC
SAP GRC SAP GRC
SAP GRC
Kellton Tech Solutions Ltd
 
Elevate Your Continuous Delivery Strategy Above the Rolling Clouds (Interconn...
Elevate Your Continuous Delivery Strategy Above the Rolling Clouds (Interconn...Elevate Your Continuous Delivery Strategy Above the Rolling Clouds (Interconn...
Elevate Your Continuous Delivery Strategy Above the Rolling Clouds (Interconn...
Michael Elder
 
Microsoft Volume Licensing Basics
Microsoft Volume Licensing BasicsMicrosoft Volume Licensing Basics
Microsoft Volume Licensing Basics
FlorisKlaver1
 
Identifying design requeriments
Identifying design requerimentsIdentifying design requeriments
Identifying design requeriments
Yohany Acosta
 
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
Anup Lakra
 
Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1
OracleIDM
 
Building a Secure Cloud with Identity Management
Building a Secure Cloud with Identity ManagementBuilding a Secure Cloud with Identity Management
Building a Secure Cloud with Identity Management
OracleIDM
 
Epicor ERP 10 Adaptive ERP
Epicor ERP 10 Adaptive ERPEpicor ERP 10 Adaptive ERP
Epicor ERP 10 Adaptive ERP
Index InfoTech
 
Continuous Integration and Continuous Delivery on Azure
Continuous Integration and Continuous Delivery on AzureContinuous Integration and Continuous Delivery on Azure
Continuous Integration and Continuous Delivery on Azure
CitiusTech
 
A Market Landscape/Taxonomy/Segmentation Model for Cloud Computing Rev 1 (0.92)
A Market Landscape/Taxonomy/Segmentation Model for Cloud Computing Rev 1 (0.92)A Market Landscape/Taxonomy/Segmentation Model for Cloud Computing Rev 1 (0.92)
A Market Landscape/Taxonomy/Segmentation Model for Cloud Computing Rev 1 (0.92)
Lustratus REPAMA
 
Three SOA Case Studies
Three SOA Case StudiesThree SOA Case Studies
Three SOA Case Studies
Paul Fremantle
 
Wise Men- SAP GRC Webinar Deck- March 2015
Wise Men- SAP GRC Webinar Deck- March 2015Wise Men- SAP GRC Webinar Deck- March 2015
Wise Men- SAP GRC Webinar Deck- March 2015
Wise Men
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
Rohan Andrews
 
Comprehensive Information on Software as a Service
Comprehensive Information on Software as a ServiceComprehensive Information on Software as a Service
Comprehensive Information on Software as a Service
HTS Hosting
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0
Latha Kamal
 
Powerup performance of Informatica Environment Nov 5, 2015
Powerup performance of Informatica Environment Nov 5, 2015Powerup performance of Informatica Environment Nov 5, 2015
Powerup performance of Informatica Environment Nov 5, 2015
Wise Men
 
VCE A Foundation for IT Transformation
VCE A Foundation for IT TransformationVCE A Foundation for IT Transformation
VCE A Foundation for IT Transformation
patmisasi
 
Elevate Your Continuous Delivery Strategy Above the Rolling Clouds (Interconn...
Elevate Your Continuous Delivery Strategy Above the Rolling Clouds (Interconn...Elevate Your Continuous Delivery Strategy Above the Rolling Clouds (Interconn...
Elevate Your Continuous Delivery Strategy Above the Rolling Clouds (Interconn...
Michael Elder
 
Microsoft Volume Licensing Basics
Microsoft Volume Licensing BasicsMicrosoft Volume Licensing Basics
Microsoft Volume Licensing Basics
FlorisKlaver1
 
Identifying design requeriments
Identifying design requerimentsIdentifying design requeriments
Identifying design requeriments
Yohany Acosta
 
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
Anup Lakra
 
Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1
OracleIDM
 
Building a Secure Cloud with Identity Management
Building a Secure Cloud with Identity ManagementBuilding a Secure Cloud with Identity Management
Building a Secure Cloud with Identity Management
OracleIDM
 
Epicor ERP 10 Adaptive ERP
Epicor ERP 10 Adaptive ERPEpicor ERP 10 Adaptive ERP
Epicor ERP 10 Adaptive ERP
Index InfoTech
 
Continuous Integration and Continuous Delivery on Azure
Continuous Integration and Continuous Delivery on AzureContinuous Integration and Continuous Delivery on Azure
Continuous Integration and Continuous Delivery on Azure
CitiusTech
 

Similar to Sap basis and_security_administration (20)

Hr structural auths
Hr   structural authsHr   structural auths
Hr structural auths
hkodali
 
What is sap security
What is sap securityWhat is sap security
What is sap security
grconlinetraining
 
Saas security
Saas securitySaas security
Saas security
Sandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
Large Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerLarge Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity Manager
Hitachi ID Systems, Inc.
 
Identity_Management_Vendor_Evaluation
Identity_Management_Vendor_EvaluationIdentity_Management_Vendor_Evaluation
Identity_Management_Vendor_Evaluation
Jerry Ruggieri
 
SailPoint VS CyberArk.pdf
SailPoint VS CyberArk.pdfSailPoint VS CyberArk.pdf
SailPoint VS CyberArk.pdf
VishnuGone
 
Reduce License costs and increase security in Oracle Applications
Reduce License costs and increase security in Oracle ApplicationsReduce License costs and increase security in Oracle Applications
Reduce License costs and increase security in Oracle Applications
Seecuring
 
Intelligence Driven Identity and Access Management
Intelligence Driven Identity and Access ManagementIntelligence Driven Identity and Access Management
Intelligence Driven Identity and Access Management
EMC
 
Introduction on sap security
Introduction on sap securityIntroduction on sap security
Introduction on sap security
yektek
 
SAP security With South Africa At Prompt Edify
SAP security With South Africa At Prompt EdifySAP security With South Africa At Prompt Edify
SAP security With South Africa At Prompt Edify
Prompt Edify
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)
MHumaamAl
 
Open iam technicalarchitecture-v3-a
Open iam technicalarchitecture-v3-aOpen iam technicalarchitecture-v3-a
Open iam technicalarchitecture-v3-a
Bibhuti Kr Jha +91-9810016292
 
School of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docxSchool of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docx
jeffsrosalyn
 
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
HakTrak Cybersecurity Squad
 
Building a SaaS Style Application
Building a SaaS Style ApplicationBuilding a SaaS Style Application
Building a SaaS Style Application
Premkumar Veerakumar
 
Business rules-extraction
Business rules-extractionBusiness rules-extraction
Business rules-extraction
Maran Gothandaraman
 
A MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressed
A MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressedA MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressed
A MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressed
Motasem Al Amour
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote Vendors
ObserveIT
 
Whitepaper: Continuous Compliance in SAP Environments - Happiest Minds
Whitepaper: Continuous Compliance in SAP Environments - Happiest MindsWhitepaper: Continuous Compliance in SAP Environments - Happiest Minds
Whitepaper: Continuous Compliance in SAP Environments - Happiest Minds
Happiest Minds Technologies
 
Continuous Compliance-in-Sap-Environments
Continuous Compliance-in-Sap-EnvironmentsContinuous Compliance-in-Sap-Environments
Continuous Compliance-in-Sap-Environments
happiestmindstech
 
Hr structural auths
Hr   structural authsHr   structural auths
Hr structural auths
hkodali
 
Large Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerLarge Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity Manager
Hitachi ID Systems, Inc.
 
Identity_Management_Vendor_Evaluation
Identity_Management_Vendor_EvaluationIdentity_Management_Vendor_Evaluation
Identity_Management_Vendor_Evaluation
Jerry Ruggieri
 
SailPoint VS CyberArk.pdf
SailPoint VS CyberArk.pdfSailPoint VS CyberArk.pdf
SailPoint VS CyberArk.pdf
VishnuGone
 
Reduce License costs and increase security in Oracle Applications
Reduce License costs and increase security in Oracle ApplicationsReduce License costs and increase security in Oracle Applications
Reduce License costs and increase security in Oracle Applications
Seecuring
 
Intelligence Driven Identity and Access Management
Intelligence Driven Identity and Access ManagementIntelligence Driven Identity and Access Management
Intelligence Driven Identity and Access Management
EMC
 
Introduction on sap security
Introduction on sap securityIntroduction on sap security
Introduction on sap security
yektek
 
SAP security With South Africa At Prompt Edify
SAP security With South Africa At Prompt EdifySAP security With South Africa At Prompt Edify
SAP security With South Africa At Prompt Edify
Prompt Edify
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)
MHumaamAl
 
School of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docxSchool of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docx
jeffsrosalyn
 
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
HakTrak Cybersecurity Squad
 
A MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressed
A MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressedA MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressed
A MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER.compressed
Motasem Al Amour
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote Vendors
ObserveIT
 
Whitepaper: Continuous Compliance in SAP Environments - Happiest Minds
Whitepaper: Continuous Compliance in SAP Environments - Happiest MindsWhitepaper: Continuous Compliance in SAP Environments - Happiest Minds
Whitepaper: Continuous Compliance in SAP Environments - Happiest Minds
Happiest Minds Technologies
 
Continuous Compliance-in-Sap-Environments
Continuous Compliance-in-Sap-EnvironmentsContinuous Compliance-in-Sap-Environments
Continuous Compliance-in-Sap-Environments
happiestmindstech
 
Ad

Sap basis and_security_administration

  • 1. SAP BASIS and Security Administration An Article From thespot4sap LTD Contents 1.0 Introduction...............................................................................................................2 2.0 SAP Security Components – The Big Picture ............................................................2 2.1 SAP Authorization Concept...................................................................................3 2.2 Composite Profiles ................................................................................................4 2.3 User Ids.................................................................................................................4 2.4 Authorizations .......................................................................................................4 3.0 Security Configuration in SAP...................................................................................4 3.1 User Authentication...............................................................................................4 3.2 Creating and Assigning Authorization Profiles.......................................................5 3.3 Auditing and Monitoring .......................................................................................6 3.4 Administration and Maintenance ...........................................................................9 © www.thespot4sap.com Page 1 of 9 independent.current.research
  • 2. SAP BASIS and Security Administration 1.0 Introduction SAP has done nothing less than change the entire systems landscape for enterprises. The benefits it can bring have led to widespread adoption across the globe. One of the key benefits SAP brings to an enterprise is the ability to integrate the data both within the enterprise, and between it and it’s partners / competitors. In many cases organizations today are both partners and competitors at the same time. Think of wholesalers and distributors, SAP and Oracle, AT&T and BT, or two oil giants who have an upstream joint venture. These companies use SAP to integrate process between themselves for their mutual benefit. This ability to integrate, however, brings with it a particular risk – that of exposing their data to the un-authorized outside world. Entire companies have been built up around highly guarded intellectual property and process secrets ... and could easily fall if this was breached. Therefore, keeping the security of the organization intact is one of the vital aspects of any SAP implementation. SAP BASIS addresses all security issues by incorporating an authorization module. With increased potential for security breaches in the computer systems around the world, BASIS consultants face a tough task of maintaining the integrity and administering the security of SAP systems. Interoperability features of a SAP system makes this task a bit more difficult. 2.0 SAP Security Components – The Big Picture SAP security in an integrated environment can be viewed in the form of discrete components as shown below (figure 1). Figure 1 © www.thespot4sap.com Page 2 of 9 independent.current.research
Tight security is required for each of the above components (Network, Workstation, Operating System and Database), since a breach in one area can compromise the entire system. The scope of this article is SAP application security, which is achieved through the authorization concept of SAP BASIS. In SAP, security is administered through objects (profiles and authorizations): users are authorized to see or change only those parts of the system that their job responsibilities require.

2.1 SAP Authorization Concept

The SAP authorization concept is based on the logical relationship between a user ID and the range of system authorizations with which it can be associated. The architecture of the authorization system is built from several individual but related logical components: profiles, objects, fields and authorizations. A user ID is linked only to profiles, never directly to authorizations; each profile in turn grants the user a set of specific system access authorizations. Figure 2 illustrates the hierarchical authorization concept in SAP.

Figure 2
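The hierarchy described above (user ID to profiles, profiles to authorizations, authorizations to objects, fields and permitted values) is easier to reason about as data. The following is an added example written for this article, not SAP's implementation: a minimal model of that hierarchy, including composite profiles that bundle other profiles, and a check that behaves like ABAP's AUTHORITY-CHECK, plus a least-privilege review that lists the transactions a set of profiles actually grants. The object S_TCODE with field TCD and the activity field ACTVT follow SAP naming; every Z_* name, organization value and transaction assignment below is constructed.

```python
"""Added example: a small model of the SAP authorization hierarchy
(user ID -> profiles -> authorizations -> objects -> fields -> values),
with a check that behaves like ABAP's AUTHORITY-CHECK.  Illustrative code
written for this article, not SAP's implementation.  S_TCODE/TCD and ACTVT
follow SAP naming; every Z_* name and all field values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """One authorization: an object plus the permitted values of its fields.
    '*' in a value set means any value is permitted."""
    name: str
    obj: str
    values: dict  # field name -> set of permitted values

    def permits(self, required):
        # Every required field must be covered by THIS authorization; values
        # from two different authorizations are never combined, and a field
        # the authorization does not mention is treated as not permitted.
        for fld, value in required.items():
            allowed = self.values.get(fld, set())
            if "*" not in allowed and value not in allowed:
                return False
        return True


@dataclass
class Profile:
    """A single profile carries authorizations; a composite profile carries
    other profiles (single or composite) and no authorizations of its own."""
    name: str
    authorizations: list = field(default_factory=list)
    profiles: list = field(default_factory=list)

    def flatten(self):
        """Yield every authorization reachable through nested profiles."""
        yield from self.authorizations
        for child in self.profiles:
            yield from child.flatten()


def authority_check(user_profiles, obj, **required):
    """Succeed if any authorization the user holds for `obj` covers all the
    required field values.  `user_profiles` is the profile list of a user ID."""
    return any(auth.obj == obj and auth.permits(required)
               for prof in user_profiles for auth in prof.flatten())


def can_start_transaction(user_profiles, tcode):
    # SAP checks S_TCODE (field TCD) before a transaction starts; a failure
    # is what the user sees as "You are not authorized...".
    return authority_check(user_profiles, "S_TCODE", TCD=tcode)


def granted_transactions(user_profiles):
    """All transaction codes a user may start, for least-privilege review."""
    tcodes = set()
    for prof in user_profiles:
        for auth in prof.flatten():
            if auth.obj == "S_TCODE":
                tcodes |= auth.values.get("TCD", set())
    return sorted(tcodes)


def compare_transactions(user_profiles, expected):
    """(unexpected, missing) transaction codes relative to a role's intended
    set, e.g. to verify a generated profile against its activity group."""
    granted = set(granted_transactions(user_profiles))
    return sorted(granted - set(expected)), sorted(set(expected) - granted)


# Constructed data: a purchasing clerk role built from two single profiles.
# ACTVT 01 = create, 03 = display (SAP convention); Z_PUR_ORD is assumed.
p_tcodes = Profile("Z_PUR_TCODES", authorizations=[
    Authorization("Z_PUR_TC", "S_TCODE", {"TCD": {"ME21N", "ME23N"}}),
])
p_orders = Profile("Z_PUR_ORDERS", authorizations=[
    Authorization("Z_PUR_ORD_1000", "Z_PUR_ORD",
                  {"ACTVT": {"01", "03"}, "EKORG": {"1000"}}),
    Authorization("Z_PUR_ORD_2000", "Z_PUR_ORD",
                  {"ACTVT": {"03"}, "EKORG": {"2000"}}),
])
role_purchasing = Profile("Z_ROLE_PURCHASING", profiles=[p_tcodes, p_orders])
# A hybrid composite profile that nests the model composite profile.
role_hybrid = Profile("Z_ROLE_PUR_HYBRID", profiles=[role_purchasing])

if __name__ == "__main__":
    user = [role_hybrid]
    print(can_start_transaction(user, "ME21N"))   # True
    print(can_start_transaction(user, "SU01"))    # False
    # The user holds ACTVT 01 (for EKORG 1000) and EKORG 2000 (display only),
    # but no single authorization has both, so creating in org 2000 is refused.
    print(authority_check(user, "Z_PUR_ORD", ACTVT="01", EKORG="2000"))  # False
    print(compare_transactions(user, {"ME21N", "ME23N", "ME22N"}))  # ([], ['ME22N'])
```

The point worth carrying into real reviews is in `permits`: an authorization check is satisfied only when one authorization covers every field the check names, so a user can hold the right activity in one authorization and the right organizational value in another and still be refused. The same rule is why adding a second, broader authorization (rather than widening an existing one) can silently grant far more than intended.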
2.2 Composite Profiles

Composite profiles correspond to the various employee roles in the corporation (for instance, Purchasing / Receiving Clerk or Accounts Agent). As the name suggests, a composite profile may contain several profiles, bundling everything necessary to perform the business operations associated with a particular role, and a composite profile may itself contain other composite profiles. In practice, a model composite profile should be defined for each role in the organization; hybrid composite profiles derived from these models should be created only when a specific need arises, since a proliferation of hybrids defeats the very purpose of composite profiles.

2.3 User IDs

User IDs grant access to SAP applications. Each user must have at least one profile explicitly assigned. In many situations several composite profiles are assigned to one user ID, depending on the role(s) the individual holds in the business processes.

2.4 Authorizations

Authorizations are the key building blocks of SAP security. An authorization assigns permitted values to the fields of an authorization object. In SAP, access to all system functionality is governed by a large array of such authorizations. When a user lacks an authorization needed for a function, the message "You are not authorized..." is displayed at the bottom of the screen. One authorization check frequently leads to a second, which in turn requires a third, and so on: the task of paying a vendor invoice, for example, may require 10 different authorizations.

3.0 Security Configuration in SAP

Security configuration and administration in SAP is a multi-phase process. Four key components are required to ensure adequate security, privacy and integrity of information. The phases are as follows:

3.1 User Authentication

The first phase confirms the identity of the user and results in their authentication. This initial check prevents unauthorized access to the SAP system, protecting system integrity by admitting only genuinely authenticated users.

3.2 Creating and Assigning Authorization Profiles

The Profile Generator (PG) is used to generate and assign authorization profiles automatically. The tool shipped with SAP release 3.1G and above; the administrator can also create authorization profiles manually. Note: the Profile Generator can be installed retroactively in SAP releases 3.0F and above.

Authorization objects are selected through the Profile Generator. After configuring the initial settings, administrators can automatically generate authorization profiles that give SAP users function-specific access. The Profile Generator represents a new approach to authorization: the administrator defines user authorizations in terms of SAP functions, and based on the selected functions the PG groups the required authorization objects into the authorization profiles it creates for the administrator. Profiles generated this way are built from the given authorizations. The approach also speeds up the work and simplifies communication between administrators and users, since both can use the same SAP function terminology.

To auto-generate an authorization profile, an Activity Group must first be created. Activity Groups contain simple profiles and usually represent employee or job roles. They are user-defined and allow the administrator to organize and maintain system activities; used as an information database, an activity group also reduces data entry time. Administrators define activity groups in two steps:

1. Select the criteria, such as access controls.
2. Divide the activities into appropriate groups. For example, activities can be organized by function, such as human resources, payroll or administration, or by job class, such as programming activities or accounting activities. A combination of function-specific and job-specific activities can also be used.

Security implementation with the Profile Generator is thus based on the creation of activity groups: collections of linked or associated activities such as tasks, reports and transactions.
Consider a company, ABC Inc., faced with transaction security problems in its business dealings with its dealers. To address this, the company can create authorization profiles for its dealers using the Profile Generator, by following these steps:

Instruction 1: Create a dealer activity group and name it Dealer.
Instruction 2: Include all dealer-specific business transactions in the activity group.
Instruction 3: Generate an authorization profile for Dealers.
Instruction 4: Assign Dealer to a new user in your system and update the user master record.

Following this procedure gives the new user complete functional access to the system as a Dealer.

3.3 Auditing and Monitoring

In this phase, the authorizations created in the previous phase are tracked. Detailed records of system events tie each action to the unique user account identifier that performed it. Auditing and monitoring activities should comply with the enterprise's overall IT strategy and should be performed on weekly, monthly, quarterly and yearly cycles.

Figure 3
There are some key tasks that should be included in a monitoring plan. The following reviews should be part of an ideal monitoring plan.

Using System Logs and Security Audit Logs

The system log records critical system events. Each application server maintains a local log file to which information is written periodically. The security audit log records events such as successful and unsuccessful dialog logon attempts, RFC logon attempts, changes to user master records, and transaction starts.

Reviewing User Activity

All SAP system users must be monitored continuously so that problems can be rectified as soon as they occur; timely attention to user problems also reduces administration overhead. For example, to check for unrecognized user IDs, or for users working in transactions they should not be using, the administrator can execute transaction AL08, which lists the users currently logged on to all application servers together with the transaction each is running.

Monitoring User Access in the BASIS User Group

The BASIS users in an SAP system have access to the most sensitive areas of the organization, so it is vital to monitor their access. The access of the BASIS user group can be checked as follows.

Instruction Set
• Enter transaction SUIM, the User Information System.
• Follow the menu path:
  o User > Lists of users (according to selection criteria) > User IDs (double-click).

Monitoring Change Requests

All change requests must be properly reviewed and controlled before being applied. This formal process needs to be detailed enough to ensure that separation of duties and other control features are not breached, and the review requires strong knowledge of how the SAP system is integrated. Critical profiles, authorizations and transactions must be identified and treated with even more care.

Checking Important Default SAP Profiles

Administrators must check that the default profiles serve only as templates for user-defined profiles and are not used directly in production. Default profiles contain values that apply to all application servers. They include: SAP_ALL, SAP_NEW, S_A.ADMIN, S_A.CUSTOMIZ, S_A.DEVELOP, S_A.DOKU, S_A.SYSTEM, S_A.USER, S_ENT_IMG_GE, S_WF_ALL and P_ALL.

Changing Default SAP User IDs

SAP ships with pre-configured clients (independent business units): 000, 001 and 066 in a non-IDES system, and additionally client 800 in an IDES system. The installation process automatically creates default user IDs with known default passwords, and SAP administrators must ensure that these accounts are not used to access the system. The following table lists the default user IDs in the various SAP clients.

User ID      Client        User Function
SAP*         000 and 001   The default super user; has all administrative powers.
DDIC         000 and 001   Responsible for maintenance of the ABAP/4 Dictionary and the software logistics.
EarlyWatch   066           Has access only to monitoring and performance data.

Instruction Set
• Change all default passwords, and verify each change by logging in to the respective clients.
• Assign SAP* to the SUPER user group and verify the assignment:
  o Enter transaction SE16 (the user master table is USR02).
  o Enter SAP* in the field BNAME.
  o Click "Execute" and verify.
• As a final step, check that a secret super user has been created (with a different user ID and password). Then remove all authorizations from SAP* (an empty profile list) and change its password.
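The reviews above (security audit log, user activity, default profiles and default user IDs) are routinely done by eye in the SAP GUI, but they are also simple enough to script against an extract, which is how repeated weekly or monthly checks stay consistent. The following is an added example written for this article, not an SAP tool. The record layout it parses (timestamp|client|user|terminal|event|detail) is a constructed, simplified text form and not the format SAP itself writes; the event codes follow the Security Audit Log event classes (AU1 logon successful, AU2 logon failed, AU3 transaction started, AU4 transaction start failed, AU7 user created). The sample log lines, the user master extract, and the list of transactions treated as sensitive are all constructed for illustration.

```python
"""Added example: an offline review pass of the kind described under
"Using System Logs and Security Audit Logs", "Reviewing User Activity",
"Checking Important Default SAP Profiles" and "Changing Default SAP User
IDs".  Illustrative code for this article, not an SAP tool.  The record
layout (timestamp|client|user|terminal|event|detail) is a constructed text
form, not the format SAP writes; the event codes follow the Security Audit
Log classes (AU1 logon ok, AU2 logon failed, AU3 transaction started,
AU4 transaction start failed, AU7 user created).  All sample data is
constructed.
"""
from collections import Counter

DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH"}
# SAP-delivered template profiles listed in the article; none should be
# assigned directly to a production user.
DEFAULT_PROFILES = {"SAP_ALL", "SAP_NEW", "S_A.ADMIN", "S_A.CUSTOMIZ",
                    "S_A.DEVELOP", "S_A.DOKU", "S_A.SYSTEM", "S_A.USER",
                    "S_ENT_IMG_GE", "S_WF_ALL", "P_ALL"}
# Constructed sample of transactions whose starts deserve review (user and
# role maintenance, table browsing, RFC destinations, client settings).
SENSITIVE_TCODES = {"SU01", "PFCG", "SE16", "SM59", "SCC4"}

# Constructed audit log extract.
SAMPLE_LOG = """\
2004-03-01 08:01:12|100|JSMITH|PC0417|AU1|Logon successful
2004-03-01 08:02:30|100|JSMITH|PC0417|AU3|ME21N
2004-03-01 08:05:01|100|UNKNOWN1|PC9999|AU2|Logon failed (wrong password)
2004-03-01 08:05:09|100|UNKNOWN1|PC9999|AU2|Logon failed (wrong password)
2004-03-01 08:05:15|100|UNKNOWN1|PC9999|AU2|Logon failed (wrong password)
2004-03-01 08:05:22|100|UNKNOWN1|PC9999|AU2|Logon failed (wrong password)
2004-03-01 09:10:44|000|SAP*|PC0101|AU1|Logon successful
2004-03-01 09:11:02|000|SAP*|PC0101|AU3|SU01
2004-03-01 09:11:40|000|SAP*|PC0101|AU7|ZTEMP01
2004-03-01 10:20:05|100|JSMITH|PC0417|AU4|SE16
2004-03-01 11:00:00|100|ADMIN2|PC0200|AU3|SE16
"""

# Constructed user master extract: (client, user, locked, profiles).
SAMPLE_USERS = [
    ("000", "SAP*", False, ["SAP_ALL"]),
    ("000", "DDIC", True, ["SAP_ALL", "SAP_NEW"]),
    ("066", "EARLYWATCH", True, ["Z_EW_MONITOR"]),
    ("100", "SAP*", False, []),
    ("100", "JSMITH", False, ["Z_ROLE_PURCHASING"]),
    ("100", "ADMIN2", False, ["SAP_ALL", "Z_BASIS"]),
]


def parse_records(text):
    """Split the pipe-separated extract into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, terminal, event, detail = line.split("|", 5)
        records.append({"ts": ts, "client": client, "user": user,
                        "terminal": terminal, "event": event, "detail": detail})
    return records


def failed_logon_bursts(records, threshold=3):
    """(client, user) pairs with at least `threshold` failed logons (AU2)."""
    counts = Counter((r["client"], r["user"]) for r in records if r["event"] == "AU2")
    return {key: n for key, n in counts.items() if n >= threshold}


def default_account_activity(records):
    """Every event raised by SAP*, DDIC or EARLYWATCH.  These accounts should
    not be used for day-to-day work, so any entry at all is worth a look."""
    return [(r["ts"], r["client"], r["user"], r["event"], r["detail"])
            for r in records if r["user"].upper() in DEFAULT_USERS]


def sensitive_transaction_starts(records, tcodes=SENSITIVE_TCODES):
    """AU3 = started, AU4 = refused by the authorization check.  Both matter:
    AU4 shows who is probing for access they do not hold."""
    return [(r["ts"], r["client"], r["user"], r["event"], r["detail"])
            for r in records
            if r["event"] in ("AU3", "AU4") and r["detail"] in tcodes]


def review_default_accounts(users):
    """Default IDs that are unlocked, or SAP* that still carries profiles."""
    findings = []
    for client, user, locked, profiles in users:
        if user.upper() not in DEFAULT_USERS:
            continue
        if not locked:
            findings.append((client, user, "default account not locked"))
        if user.upper() == "SAP*" and profiles:
            findings.append((client, user, "SAP* still holds profiles: " + ",".join(profiles)))
    return findings


def review_default_profiles(users, production_clients=("100",)):
    """Production users holding SAP-delivered template profiles directly."""
    return [(client, user, p) for client, user, _, profiles in users
            if client in production_clients for p in profiles if p in DEFAULT_PROFILES]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for title, result in [("Failed logon bursts", failed_logon_bursts(recs)),
                          ("Default account activity", default_account_activity(recs)),
                          ("Sensitive transactions", sensitive_transaction_starts(recs)),
                          ("Default accounts", review_default_accounts(SAMPLE_USERS)),
                          ("Default profiles in production", review_default_profiles(SAMPLE_USERS))]:
        print(title, "->", result)
```

Two caveats when adapting this to a live system. The audit log only contains what the active filters record, so logon and transaction-start events must be switched on for every client before the review means anything. And an SAP* entry with an empty profile list is necessary but not sufficient: if no SAP* user master record exists at all in a client, the kernel falls back to its built-in SAP* super user unless the profile parameter login/no_automatic_user_sapstar is set, so the record should exist, be stripped of profiles, and be locked.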
Audit Information System (AIS)

The SAP Audit Information System (AIS) serves as a centralized repository for reports, queries and views of interest to auditors. It is designed to address the overall system configuration as well as SAP business processes and their related control features, providing audit and security practitioners with the critical information they need to conduct effective reviews of their SAP systems. SAP administrators can use AIS for security auditing. The AIS plays a supporting role in providing security services for SAP systems: its primary function is auditing, but the results of that auditing can inform the measures that make up the security policy for the SAP system.

3.4 Administration and Maintenance

A successful security set-up of an SAP system concludes with proper management and administration of user IDs, password resets, audit trails, audit logs, access control lists and personnel responsibilities. Security administration in SAP includes maintaining the overall SAP security environment using the Profile Generator, creating user-level activity groups, and creating user master records.

The SAP security concept is flexible as well as complex. SAP has a multi-layered, integrated framework, and to ensure adequate protection, security measures must be factored into every layer of the SAP infrastructure. With its client/server architecture, an SAP system comprises many components that exchange information, each of which constitutes a layer of the SAP security infrastructure.

Security is often not a priority during an implementation, and as a result the default security is not strong. SAP's security functionality can be strengthened using the measures discussed above. Enterprises must develop a security strategy to ensure a secure and functional SAP system: a business-critical application like SAP needs continuous monitoring and improvement of its security features.