SAP Security Lecture: MINS 298C SAP Configuration & Use: Security
SAP AG / CSU Chico, 02/14/98
Posted 19-Dec-2015, Category: Documents
Copyright 1996, 1997, 1998 - James R. Mensching, Gail Corbitt
Contents of this file are for the exclusive use of the special MINS 298C class dealing with SAP software at CSU Chico for the Fall, 1998 semester. Any other use in either electronic or hardcopy form is prohibited without the express written permission of the author. This material is confidential. Do not share it with anyone not enrolled in the class.
Security Lecture
SAP Security
Purpose of Security:
Assign users rights to perform job tasks that they need to do.
Prohibit users from doing tasks that they are not supposed to do.
Objectives of presentation
Define key security concepts
Examine relationship between user and security concepts
Apply concepts to real situations
SAP Security
Security is performed at the object level
30+ object classes, such as Basis Administration, FI, MM Master Data (view the objects within a class using SU03)
About 500+ objects within the 30+ classes
SAP Security works on a pass-fail system: it checks constraints until it finds a failure.
Levels of Setting:
Authorization Object in the form of authorization (test on an object)
Profile (sets of authorizations)
User ID
SAP Security Framework
[Diagram: Object Authorizations are grouped into Functional Profiles; Functional Profiles are grouped into a Job Profile; the Job Profile is assigned to the User via the User ID. A second version of the diagram adds a Class Profile to the same hierarchy.]
SAP Security Components
Authorization Object: something in the system that potentially needs protecting (company code, document type, etc.)
Fields: attributes that can be used to set protection (1-10 fields per object that vary with object)
Activity: such as create, update, delete, view
Authorization Group: Values that the object needs
IDOC Type
Profile (set of authorizations)
User Master Record (all profiles for that user)
SAP Security Components
Levels of Security Administration (diagram):
Roles: SAP Super User, User ID Maintenance, Activation Administration, Authorization Maintenance, Program Developer
Artifacts maintained: Objects & Classes, Authorizations (values of objects), Profiles, User IDs
SAP Security and Business Processes
[Diagram: Business Tasks make up a Process; each Business Task maps to an Object Authorization; Object Authorizations are grouped into Functional Profiles, Functional Profiles into a Job Profile, and the Job Profile is assigned to the User via the User ID.]
SAP Security
Authorization: Set of specified values for fields in an Authorization Object = test conditions for the object
Standard Authorizations provided by SAP
Object: F_BKPF_BED: Customer Account
Activity: *
Account Group: *
Never Change or Delete an SAP authorization
Custom Authorizations (should start with Z)
SAP Security Example
Object Class: Financial Accounting
Authorization: ZS_D01
Authorization Object: F_BKPF_BED: Customer Account
Activity: 01-03, 10 (create, change, print, post)
Account Group: CALF, HAW
SAP programs perform AUTHORITY-CHECK on objects for values in fields
SAP Security: Creating an Authorization
Create a name for the authorization
Start with the letter Z
Don’t use underscore as second character
Example: ZS_D01
Use SU03 to create the authorization (Tools --> Administration --> Maintain Users)
Create (first icon: sheet of paper)
Maintain values sets the values you want
Save
Activate
SAP Security
Profile: Set of Authorization Objects
Simple Profile: 1 Authorization Object
Composite Profile: more than one authorization object
Can have a composite made up of composites
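The pass-fail check from slide 3, the ZS_D01 authorization from slide 9 and the simple/composite profile structure from this slide, put together as a small runnable model. This is an added example, not SAP code and not part of the lecture: the object and authorization values are the slide's, the field names ACTVT and BRGRU are assumed from the real F_BKPF_BED object (the slide calls the second field "Account Group"), and the profile and user names are constructed for the demo.

```python
# Added example (not SAP code, not from the lecture): a model of the pass-fail
# authorization check. Field names ACTVT/BRGRU are assumed from the real
# F_BKPF_BED object; profile names and the user IDs are constructed.
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Authorization:
    """A named set of test values for the fields of one authorization object."""
    name: str
    obj: str
    values: Dict[str, List[str]]  # field -> allowed values: '*', 'lo-hi' range, or exact


@dataclass
class Profile:
    """Simple profile = authorizations; composite profile = other profiles (may nest)."""
    name: str
    authorizations: List[Authorization] = field(default_factory=list)
    profiles: List["Profile"] = field(default_factory=list)


@dataclass
class UserMaster:
    """User master record: all profiles assigned to one user ID."""
    user_id: str
    profiles: List[Profile]


def value_matches(pattern: str, value: str) -> bool:
    """'*' matches anything, 'lo-hi' is an inclusive range, anything else is exact."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return lo <= value <= hi
    return pattern == value


def authorization_covers(auth: Authorization, obj: str, required: Dict[str, str]) -> bool:
    """Pass-fail within one authorization: every checked field must be covered,
    and the first failing field ends the test."""
    if auth.obj != obj:
        return False
    for fld, val in required.items():
        if not any(value_matches(p, val) for p in auth.values.get(fld, [])):
            return False
    return True


def all_authorizations(profile: Profile) -> Iterator[Authorization]:
    """Flatten a (possibly composite-of-composite) profile into its authorizations."""
    yield from profile.authorizations
    for sub in profile.profiles:
        yield from all_authorizations(sub)


def authority_check(user: UserMaster, obj: str, required: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Model of an AUTHORITY-CHECK on one object: the check passes if any single
    authorization in the user's profiles covers all requested field values.
    Returns (passed, name of the granting authorization or None)."""
    for prof in user.profiles:
        for auth in all_authorizations(prof):
            if authorization_covers(auth, obj, required):
                return True, auth.name
    return False, None


# Constructed data mirroring slide 9: ZS_D01 allows activities 01-03 and 10 on
# account groups CALF and HAW. SAP_STD mirrors slide 8's standard authorization
# with '*' in every field. Profile and user names are made up for the demo.
ZS_D01 = Authorization("ZS_D01", "F_BKPF_BED", {"ACTVT": ["01-03", "10"], "BRGRU": ["CALF", "HAW"]})
SAP_STD = Authorization("F_BKPF_BED", "F_BKPF_BED", {"ACTVT": ["*"], "BRGRU": ["*"]})

FI_CUSTOMER = Profile("ZS_FICUST", authorizations=[ZS_D01])   # simple profile
ACCOUNTANT = Profile("ZS_ACCT", profiles=[FI_CUSTOMER])       # composite made of a simple profile
CLERK = UserMaster("gcorbitt", [ACCOUNTANT])
ADMIN = UserMaster("sapadmin", [Profile("ZS_FIALL", authorizations=[SAP_STD])])


if __name__ == "__main__":
    for actvt, brgru in (("02", "CALF"), ("10", "HAW"), ("04", "CALF"), ("01", "ZZZ")):
        ok, by = authority_check(CLERK, "F_BKPF_BED", {"ACTVT": actvt, "BRGRU": brgru})
        print(f"gcorbitt ACTVT={actvt} BRGRU={brgru}: {'pass via ' + by if ok else 'FAIL'}")
```

Note the two different rules at work: inside one authorization every checked field must pass (the lecture's "checks until it finds a failure"), while across the user's authorizations a single fully matching one is enough. That second rule is why a user who is granted both a narrow custom authorization and a standard one with `*` values effectively has the wider access, which is the practical reason behind slide 8's advice to leave SAP's standard authorizations alone and build custom ones under Z.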
SAP Security
[Diagram: the User Master Record holds Profiles; a Profile is a Simple Profile or a Composite Profile (which contains other Profiles); a Simple Profile holds Authorizations; an Authorization is a set of values for the Fields of an Authorization Object.]
SAP Security
SAP Standard Profile: F_BKPF_KANZ (Display vendor Accounts)
Custom Profile: AA:FIAR_M01
Create profile then activate
Copy from existing profile then rename
To look at, change or create profiles use SU02
SAP Security
Standard Profiles common to all SAP installations
SAP_ALL (unlimited access to system)
SAP_NEW (allows older standard profiles to work in newer SAP releases)
S_A_SYSTEM: System Administrator
S_A_SHOW: Display authorizations only
SAP Security: Users
User profiles assign profiles to specific user IDs
Users can belong to a group, e.g. ABAP Developers, C&I Admin
Authorizations cannot be assigned to groups, only to individual users
User Group is a field in some authorization objects
Groups are useful for separating responsibility, e.g. more than one security administrator, each responsible for a group of users
SAP Security: Users
Name the ID for the User
Set the password
Lock/unlock the account
Define time period for the ID
Set default printer and printing rights
Define PIDs (Parameters)
Define profiles
SAP Security: Users
Rules for setting passwords:
Must be at least 3 characters
Cannot begin with ! or ?
First 3 characters cannot be a sequence of 3 characters from the user ID, e.g. if my user ID is gcorbitt, my password cannot start with orb or cor.
First 3 characters cannot all be the same, e.g. ccc
Cannot use "pass" or "sap"
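The five password rules on this slide written out as a checker that reports every rule a candidate password breaks, so an administrator can see why a password would be rejected rather than just that it is. This is an added example, not SAP's own validator and not from the lecture; it assumes the "pass"/"sap" rule means the whole password equals one of those words, compared case-insensitively, and that the user-ID rule is also case-insensitive.

```python
# Added example (not from the lecture, not SAP's validator): the slide's five
# password rules as a checker. The reading of the "pass"/"sap" rule as the whole
# password equalling that word (case-insensitive) is an assumption.
from typing import List

FORBIDDEN_WORDS = ("pass", "sap")


def password_violations(password: str, user_id: str) -> List[str]:
    """Return the list of broken rules; an empty list means the password is acceptable."""
    problems: List[str] = []
    pw = password.lower()
    uid = user_id.lower()
    head = pw[:3]

    # Rule 1: at least 3 characters
    if len(password) < 3:
        problems.append("shorter than 3 characters")
    # Rule 2: may not begin with ! or ?
    if password[:1] in ("!", "?"):
        problems.append("begins with ! or ?")
    # Rule 3: first 3 characters may not be any 3-character run taken from the user ID
    if len(head) == 3 and head in uid:
        problems.append(f"first 3 characters '{password[:3]}' appear in user ID {user_id}")
    # Rule 4: first 3 characters may not all be the same
    if len(head) == 3 and len(set(head)) == 1:
        problems.append("first 3 characters are identical")
    # Rule 5: the words pass and sap are not allowed as passwords
    if pw in FORBIDDEN_WORDS:
        problems.append("is a forbidden word")
    return problems


def is_acceptable(password: str, user_id: str) -> bool:
    """Convenience wrapper: True when no rule is broken."""
    return not password_violations(password, user_id)


if __name__ == "__main__":
    # Constructed candidates checked against the slide's own example user ID
    for candidate in ("orb123", "ccc12", "!abc1", "ab", "sap", "Winter98x"):
        print(f"{candidate!r}: {password_violations(candidate, 'gcorbitt') or 'ok'}")
```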
SAP Security: Users
PID :Parameter ID
Example of parameter:
default menu options, I.e. fast entry
default currency
posting period options
SAP Security: Users
User types
Dialog
BDC: inbound interfaces (e.g. data coming in from a legacy system)
CPIC: machine-to-machine IDs that connect through UNIX (e.g. EDI inbound or outbound)
BDC and CPIC do not have expiration dates on the passwords
SAP Security: Transactions
SU01: Creates and maintains users
SU02: Creates and maintains profiles
SU53: Displays LAST authorization failure
ST01: Traces keystrokes
SU03: Lists objects and classes
SM04: Monitors user activity
SE16: Looks at specific tables in SAP (T003 = auth. group)
SA38: Looks at programs (AUTHORITY-CHECK)
SU12: Deletes all users (usually disabled)
SU10: Adds or deletes a profile to all users
SAP Security: Coming Attractions
SAP Profile Generator (31.G, R4)
Makes it easier to track and maintain multiple profiles per user
Uses menu paths to create authorizations or profiles
Activity Groups similar to our functional profiles
Activity Group Maintenance (31.G)
Allows for profile updates, parameter settings by group instead of by individual user
Hopefully allows for resetting expiration, start dates, printer options, etc. by groups of users instead of one user at a time
Application of SAP Security to Classroom Activity
Define what "jobs" or roles we want the students to have per class (functional profiles)
Set up authorizations for each job or role (job profiles)
Assign job profiles to users
Document existing authorizations for Display and Create Activities for each “application” object
Create authorizations for Display and Create where missing
Create a standard profile that any user could have (view only to all modules)