SAP Security
An Overview

Presented to: BCO6181
Agenda
1. What is Security
2. Building blocks
3. Common terminologies used
4. Most Common tools in Security
5. CUA
What is Security?
The security concept is the same around the globe as in your normal life:
security means removing or restricting unauthorized access to
your belongings, for example your car, laptop or credit cards.

IT Security?
Information security (sometimes shortened to InfoSec) is the practice of
defending information from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or destruction. It is
a general term that can be used regardless of the form the data may take
(electronic, physical, etc...)

SAP Security?
In the same InfoSec context, SAP security has the same
meaning… or in other words: who can do what in SAP?
Building Blocks
• User Master Record
• Roles
• Profiles
• Authorization Objects
User Master Record?
A User initially has no access in SAP
• When we create access in the system, it is defined in the User Master Record (UMR)
User Master Record information includes:
• Name, Password, Address, User type, Company information
• User Group
• Roles and Profiles
• Validity dates (from/to)
• User defaults (logon language, default printer, date format, etc)
User Types:
• Dialog – typical for most users
• System – cannot be used for dialog login; can communicate between systems
and start background jobs
• Communications Data – cannot be used for dialog login; can communicate
between systems but cannot start background jobs
• Reference – cannot log in; used to assign additional Authorizations to Users
• Service – can log in but is excluded from password rules, etc. Used for Support
users and Internet services
Roles and Profiles
A Role is a group of tcode(s) used to perform a specific business task. Each
role requires specific privileges to perform a function in SAP; these are called
AUTHORIZATIONS

There are 3 types of Roles:
• Single – an independent Role
• Derived – has a parent and differs only in Organization Levels. Maintain
Transactions, Menu, Authorizations only at the parent level
• Composite – container that contains one or more Single or Derived Roles
Authorization Objects
• Authorization Objects are the keys to SAP security
• When you attempt actions in SAP the system checks to see whether you have the appropriate Authorizations
• The same Authorization Objects can be used by different Transactions
Introduction to SAP Security
SAP Application Security
User Buffer?
• When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer
• As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer.
• You can see the buffer in Transaction ???
Executing a Transaction (Authorization Checks)
1) Does the Transaction exist?
All Transactions have an entry in table TSTC

2) Is the Transaction locked?
Transactions are locked using Transaction SM01
Once locked, they cannot be used in any client

3) Can the User start the Transaction?
Every Transaction requires that the user have the Object
S_TCODE=Transaction Name
Some Transactions also require another Authorization Object to start (varies depending on
the Transaction)

4) What can the User do in the Transaction?
The system will check to see if the user has additional Authorization Objects as necessary
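The four-step check above, together with the "last failed check" record that SU53 displays, modelled in Python as an added example (this is an illustration written for this page, not SAP code; the TSTC, SM01 and SU24 stand-ins, the user ALICE and her authorizations are all constructed):

```python
"""Toy model of an SAP transaction start: TSTC lookup, SM01 lock, S_TCODE,
further start objects, then in-transaction authority checks against the
user buffer. Constructed data; not SAP's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed stand-in for table TSTC (which transactions exist).
TSTC: Set[str] = {"SU01", "PFCG", "SU53", "FB01"}
# Constructed stand-in for locks set via SM01 (locked in every client).
LOCKED_TCODES: Set[str] = {"FB01"}
# Constructed stand-in for SU24: extra objects checked when starting a tcode.
START_OBJECTS: Dict[str, List[dict]] = {
    "SU01": [{"object": "S_USER_GRP", "fields": {"ACTVT": "03"}}],
}


@dataclass
class Authorization:
    """One authorization: an object name plus permitted values per field.
    The value "*" means any value is permitted for that field."""
    name: str
    fields: Dict[str, Set[str]]

    def permits(self, required: Dict[str, str]) -> bool:
        for fname, value in required.items():
            allowed = self.fields.get(fname, set())
            if "*" not in allowed and value not in allowed:
                return False
        return True


@dataclass
class UserBuffer:
    """Authorizations loaded at logon; last_failed is what SU53 would show."""
    user: str
    authorizations: List[Authorization]
    last_failed: Optional[dict] = None

    def authority_check(self, obj: str, **required: str) -> bool:
        for auth in self.authorizations:
            if auth.name == obj and auth.permits(required):
                return True
        # Record the failing object and values for the SU53-style display.
        self.last_failed = {"object": obj, "fields": dict(required)}
        return False


def can_start_transaction(buf: UserBuffer, tcode: str) -> str:
    """Steps 1-3 of the slide: existence, lock, S_TCODE, start objects."""
    if tcode not in TSTC:
        return "does not exist"
    if tcode in LOCKED_TCODES:
        return "locked"
    if not buf.authority_check("S_TCODE", TCD=tcode):
        return "no S_TCODE"
    for req in START_OBJECTS.get(tcode, []):
        if not buf.authority_check(req["object"], **req["fields"]):
            return "missing " + req["object"]
    return "ok"


def demo_buffer() -> UserBuffer:
    """Constructed user ALICE: may start SU01 and SU53, display-only on users."""
    return UserBuffer("ALICE", [
        Authorization("S_TCODE", {"TCD": {"SU01", "SU53"}}),
        Authorization("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"03"}}),
    ])


if __name__ == "__main__":
    buf = demo_buffer()
    print(can_start_transaction(buf, "SU01"))                 # ok
    # Step 4: inside SU01, changing a user (ACTVT 02) is not permitted.
    print(buf.authority_check("S_USER_GRP", CLASS="FI", ACTVT="02"))
    print(buf.last_failed)                                    # SU53-style record
```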
Live Demo
How to trace missing Authorization
Frequently you find that the role you built has inadequate access and will
fail during testing or during production usage. Why?
Why does it happen?
Negligence of the tester, or some other reason

How is the process initiated?
The process kicks off when the security administrator receives:
• an email, or
• a phone call, or
• a ticket
How do we determine correct accesses required?
SAP has various tools to analyse access errors and determine the correct Authorizations required:
• Last Failed Authorization check – SU53 (60% effective)
• Assignment of Auth Objects to Transactions – SU24 (60% effective)
• Trace the Authorizations for a function – ST01 (90% effective)
Common Terminologies
• User Master Records
• Roles
• Authorizations
• Authority Check
• User buffer
• Authorization Errors
• Security matrix
• Profiles
• Authorization Objects
• User menus
SAP Password controls
There are some standard SAP password controls delivered by SAP which cannot be changed:
• First-time users are forced to change their passwords before they can log onto the SAP system, or after their password is reset.*
• Users can only change their password when logging on.
• Users can change their password at most once a day.
• Users cannot re-use their previous five passwords.
• The first character cannot be “?” or “!”.
• The first three characters of the password cannot:
  - appear in the same order as part of the user name,
  - all be the same,
  - include space characters.
• The password cannot be PASS or SAP*.
Password Controls - cont.
 SAP Password System Parameters – system-wide settings that can be configured by MPL:
• Minimum Password Length
• Password locked after unsuccessful login attempts
• Password Expiration time
• Password complexity

 Illegal Passwords – MPL can define passwords that cannot be used:
• Enter impermissible passwords into SAP table USR40
MPL = Master parts List
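The fixed password controls from the previous slide and the configurable ones here (minimum length, USR40 illegal-password list) combined into one validator, as an added example written for this page rather than SAP code. Assumptions: comparisons with the user name and USR40 entries are case-insensitive, USR40 entries may use `*` and `?` wildcards, and password history is kept as SHA-256 digests here purely for the demonstration.

```python
"""Validator for the SAP-style password controls listed on the slides.
Illustration only; hashing and wildcard handling are this example's own."""
import hashlib
import re
from typing import Iterable, List


def _usr40_match(pattern: str, password: str) -> bool:
    """USR40-style pattern: '*' = any run of characters, '?' = one character."""
    regex = re.escape(pattern.upper()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, password.upper()) is not None


def _digest(password: str) -> str:
    """Constructed stand-in for SAP's password hash codes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate_password(password: str, username: str,
                      previous: Iterable[str] = (),
                      min_length: int = 8,
                      usr40: Iterable[str] = ()) -> List[str]:
    """Return the list of violated controls (empty list = accepted).

    previous: digests of earlier passwords, most recent first.
    min_length: stand-in for the 'Minimum Password Length' parameter.
    usr40: impermissible password patterns, as entered into table USR40.
    """
    violations: List[str] = []
    first3 = password[:3]

    if len(password) < min_length:
        violations.append("shorter than minimum length")
    if password[:1] in ("?", "!"):
        violations.append("first character is ? or !")
    if len(first3) == 3 and len(set(first3)) == 1:
        violations.append("first three characters are identical")
    if " " in first3:
        violations.append("first three characters include a space")
    if len(first3) == 3 and first3.upper() in username.upper():
        violations.append("first three characters appear in the user name")
    if password.upper() in ("PASS", "SAP*"):
        violations.append("password is PASS or SAP*")
    # Only the previous five passwords are blocked for re-use.
    if _digest(password) in list(previous)[:5]:
        violations.append("re-uses one of the previous five passwords")
    for pattern in usr40:
        if _usr40_match(pattern, password):
            violations.append("matches USR40 entry " + pattern)
            break
    return violations


# Constructed sample data: user ALICE, her last two passwords, two USR40 entries.
HISTORY = [_digest("Winter#2023"), _digest("Autumn#2023")]
USR40_ENTRIES = ["SUMMER*", "??Password"]

if __name__ == "__main__":
    for candidate in ["?Secret99", "aaaSecret9", "ALIce2024", "Winter#2023",
                      "Summer2024", "Xk9#mTq2w"]:
        print(candidate, validate_password(candidate, "ALICE", HISTORY,
                                           usr40=USR40_ENTRIES))
```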
Tools:
 SU01 – User Maintenance
 PFCG – Role Maintenance
 SUIM – Authorization Reporting Tree
 SU02 – Maintain Profiles
 SU03 – Maintain Authorisations
 SU10 – User Maintenance: Mass Changes
 SU21 – Maintain Authorization Objects
 SU24 – Auth Object check under transactions
 SU3 – Maintain default settings
 SU53 – Display Authority Check Values
 SU56 – Display user buffer
 ST01 – User trace
 SM19 – Audit Log Configuration
 SM20 – Display Audit Log
 S_BCE_68002111 – List of users with Critical Authorisations
CUA
Central User Administration is a feature in SAP that helps to streamline the management of user
accounts across different clients in a multi-system SAP environment. This feature is valuable
when similar user accounts are created and managed on multiple clients

 Centralized Admin
 Data consistency & accuracy
 Eliminate redundant efforts
www.about.me/nasirgondal