SAP AG CSU Chico 102/14/981SAP Security Lecture MINS 298C SAP Configuration & Use: Security...

SAP AG

CSU Chico102/14/98 1SAP Security Lecture

MINS 298CSAP Configuration & Use: Security

Copyright 1996, 1997, 1998- James R. Mensching, Gail CorbittCopyright 1996, 1997, 1998- James R. Mensching, Gail Corbitt

Contents of this file are for the exclusive use of the specialContents of this file are for the exclusive use of the special

MINS 298C class dealing with SAP software at CSU Chico MINS 298C class dealing with SAP software at CSU Chico

for the Fall, 1998 semester. Any other use in either electronicfor the Fall, 1998 semester. Any other use in either electronic

or hardcopy form is prohibited without the express writtenor hardcopy form is prohibited without the express written

permission of the author. This material is confidential. permission of the author. This material is confidential.

Do not share it with anyone not enrolled in the class. Do not share it with anyone not enrolled in the class.

Security LectureSecurity Lecture

SAP AG


SAP Security

Purpose of Security:

Assign users rights to perform job tasks that they need to do.

Prohibit users from doing tasks that they are not supposed to do.

Objectives of presentation

Define key security concepts

Examine relationship between user and security concepts

Apply concepts to real situations

SAP AG


SAP Security

Security is performed at the object level

30 + Object classes, such as Basis Administration, FI, MM Master Data (View Objects within classes by using SU03)

About 500 + objects within the 30 + classes

SAP Security works on a pass-fail system. It checks constraints until if finds a failure.

Levels of Setting:

Authorization Object in the form of authorization (test on an object)

Profile (sets of authorizations)

User ID

SAP AG


SAP Security Framework

ObjectAuthorization

ObjectAuthorization

ObjectAuthorization

FunctionalProfile

FunctionalProfile

JobProfile

USER

User ID

SAP AG

CSU Chico

SAP Security Framework

FunctionalProfile

FunctionalProfile

JobProfile

USER

User ID

ClassProfile

SAP AG


SAP Security Components

Authorization Object: something in the system that potentially needs protecting (company code, document type, etc.)

Fields: attributes that can be used to set protection (1-10 fields per object that vary with object)

Activity: such as create, update, delete, view..

Authorization Group: Values that the object needs

IDOC Type

Profile (set of authorizations)

User Master Record (all profiles for that user)

SAP AG


SAP Security Components

Levels of Security Administration:

SAP Super User

User IDMaintenance

ActivationAdministration

AuthorizationMaintenance

ProgramDeveloper

Objects &Classes

Authorizations(values of objects)

ProfilesUser IDs

SAP AG


SAP Security and Business Processes

Business Task

Business Task

PROCESS

ObjectAuthorization

ObjectAuthorization Functional

ProfileJob

Profile

FunctionalProfile

User ID

User

SAP AG


SAP Security

Authorization: Set of specified values for fields in an Authorization Object = test conditions for the object

Standard Authorizations provided by SAP

Object: F_BKPF_BED: Customer Account

Activity: *

Account Group: *

Never Change or Delete an SAP authorization

Custom Authorizations (should start with Z)

SAP AG


SAP Security Example

Object Class: Financial Accounting

Authorization: ZS_D01

Authorization Object: F_BKPF_BED: Customer Account

Activity: 01-03, 10 (create, change, print,post)

Account Group: CALF, HAW

SAP programs perform AUTHORITY-CHECK on objects for values in fields

SAP AG


SAP Security: Creating an Authorization

Create a name for the authorization

Start with the letter Z

Don’t use underscore as second character

Example: ZS_D01

Use SU03 to create the authorization (Tools --> Administration -->Maintain Users)

Create (first icon: sheet of paper)

Maintain values sets the values you want

Save

Activate

SAP AG


SAP Security

Profile: Set of Authorization Objects

Simple Profile: 1 Authorization Object

Composite Profile: more than one authorization object

Can have a composite made up of composites

SAP AG


SAP Security

User Master Record

Composite Profile Profile

SimpleProfile

CompositeProfile Authorization

Object Authorization

Fields

SAP AG


SAP Security

SAP Standard Profile: F_BKPF_KANZ (Display vendor Accounts)

Custom Profile: AA:FIAR_M01

Create profile then activate

Copy from existing profile then rename

To look at, change or create profiles use SU02

SAP AG


SAP Security

Standard Profiles common to all SAP installations

SAP_ALL (unlimited access to system)

SAP_NEW (allows older standard profiles to work in newer SAP releases)

S_A_SYSTEM: System Administrator

S_A_SHOW: Display authorizations only

SAP AG


SAP Security: Users

User Profiles assign profiles to specific user IDs

Users can belong to Group, I.e. ABAP Developers, C&I Admin

Can’t assign authorizations to groups only to individual users

User Group is a field in some authorization objects

Groups useful to separate responsibility, I.e. more than one security administrator, each responsible for a group of users

SAP AG


SAP Security: Users

Name the ID for the User

Set the password

Lock/unlock the account

Define time period for the ID

Set default printer and printing rights

Define PIDs (Parameters)

Define profiles

SAP AG


SAP Security: Users

Rules for setting passwords:

Must be at least 3 characters

Can not begin with ! or ?

First 3 characters can not be a sequence of 3 characters in user ID. I.e. if by user id is gcorbitt, my password can not contain orb, or cor.

First 3 characters can not be the same, I.e. ccc

Can not use “pass” or “sap”

SAP AG


SAP Security: Users

PID :Parameter ID

Example of parameter:

default menu options, I.e. fast entry

default currency

posting period options

SAP AG


SAP Security: Users

User types

Dialog

BDC: inbound interfaces (I.e. data coming in from a legacy system)

CPIC: machine to machine ID connect through UNIX (I.e. EDI inbound or outbound)

BDC and CPIC do not have expiration dates on the passwords

SAP AG


SAP Security: Transactions SU01: Creates and maintains users

SU02: Creates and maintains profiles

SU53: Displays LAST authorization failure

ST01: Traces keystrokes

SU03: Lists objects and classes

SM04: Monitors user activity

SE16: Looks at specific tables in SAP (T003 = auth. group)

SA38: Looks at programs (AUTHORITY-CHECK)

SU12: Deletes all users (usually disabled)

SU10: Adds or deletes a profile to all users

SAP AG


SAP Security: Coming Attractions

SAP Profile Generator (31.G, R4)

Makes it easier to track and maintain multiple profiles per user

Uses menu paths to create authorizations or profiles

Activity Groups similar to our functional profiles

Activity Group Maintenance (31.G)

Allows for profile updates, parameter settings by group instead of by individual user

Hopefully allows for resetting expiration, start dates, printer options, etc. by groups of users instead of one user at a time

SAP AG


Application of SAP Security to Classroom Activity

Define what “jobs” or roles we want the students to have per class --functional profiles

Set up authorizations for each job or role - job profiles

Assign job profiles to users

Document existing authorizations for Display and Create Activities for each “application” object

Create authorizations for Display and Create where missing

Create a standard profile that any user could have (view only to all modules)

SAP AG CSU Chico 102/14/981SAP Security Lecture MINS 298C SAP Configuration & Use: Security...

Documents

Transcript of SAP AG CSU Chico 102/14/981SAP Security Lecture MINS 298C SAP Configuration & Use: Security...