SAP Security Q&A


Q. SAP Security T-codes
A. Frequently used security T-codes:
SU01   Create/Change User
PFCG   Maintain Roles
SU10   Mass Changes
SU01D  Display User
SUIM   Reports
ST01   Trace
SU53   Authorization analysis

Q. List a few security tables
A. See the Security Tables list later in this document.

Q. How to create users?
A. Execute transaction SU01 and fill in the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional.

Q. What is the difference between USOBX_C and USOBT_C?
A. The table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (regardless of the AUTHORITY-CHECK statements programmed). This table also determines which authorization checks are maintained in the Profile Generator. The table USOBT_C defines, for each transaction and for each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator.

Q. What authorizations are required to create and maintain user master records?

A. The following authorization objects are required to create and maintain user master records:
S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile
S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q. List the R/3 user types
A.
1. Dialog user: used for individual (interactive) users. Expired/initial passwords are checked. The user can change their own password. Multiple dialog logons are checked.
2. Service user: only user administrators can change the password. No check for expired/initial passwords. Multiple logons are permitted.
3. System user: not capable of interaction; used to perform certain system activities such as background processing, ALE, Workflow, and so on.
4. Reference user: like a System user, a general, non-personal user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned to every user on the Roles tab.

Q. What is a derived role?
A. Derived roles refer to roles that already exist. The derived role inherits the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before. The higher-level role passes on its authorizations to the derived role as default values, which can be changed afterwards. Organizational level definitions are not passed on; they must be created anew in the inheriting role. User assignments are not passed on either. Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

Q. What is a composite role?
A. A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense, and is therefore not allowed, to add composite roles to composite roles. Composite roles are also called roles. Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role. Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group. The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during the user comparison.

Q. What do the different colored lights mean in the Profile Generator?
A.

Q. What are the different tabs in PFCG?
A.

Q. What does user compare do?
A. If you are also using the role to generate authorization profiles, note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY daily.

Q. Can we convert an authorization field to an organizational level field?
A. An authorization field can be changed to an organizational level field using report PFCG_ORGFIELD_CREATE or ZPFCG_ORGFIELD_CREATE. Use SE38 or SA38 to run the report.

Organizational level fields should only be created before you start setting up your system. If you create organizational level fields later, you might have to do an impact analysis, and the authorization data may have to be post-processed in roles.

The fields "Activity" (ACTVT) and "Transaction code" (TCD) cannot be converted into an organizational level field. When a field is converted, all affected roles are analyzed and their authorization data is adjusted: the values of the authorization field that is now to become the organizational level field are removed from the authorizations and entered into the organizational level data of the role.
Note: the table for organizational elements is USORG. Refer to Note 323817 for more detail.

Q. How many profiles can be assigned to a user master record?
A. The maximum is about 312 profiles per user. Table USR04 (Profile assignments for users) contains both information on the change status of a user and the list of the profile names assigned to the user. The field PROFS holds the change flag (C = user was created, M = user was changed) followed by the names of the profiles assigned to the user. The field is defined with a length of 3750 characters. Since the first two characters are reserved for the change flag, 3748 characters remain for the list of profile names. With a maximum length of 12 characters per profile name, this gives a maximum of 312 profiles per user.

Q. Can you add a composite role to another composite role?
A. No.

Q. How to reset the SAP* password from the Oracle database?
A. Log on to your database with orasid as the user ID and run this SQL, where mandt is the client:

delete from sapSID.usr02 where bname='SAP*' and mandt='XXX';
commit;

Now you can log in to the client using SAP* and the password PASS.

Q. What is the difference between a role and a profile?
A. A role acts as a container that collects transactions and generates the associated profile. The Profile Generator (PFCG) in the SAP system automatically generates the corresponding authorization profile. Developers used to perform this step manually before PFCG was introduced by SAP. Any maintenance of the generated profile should be done using PFCG.

Q. What is the user buffer?
A. When a user logs on to the SAP R/3 system, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer. For example, if user Smith logs on to the system, his user buffer contains all authorizations of role USER_SMITH_ROLE. The user buffer can be displayed in transaction SU56. A user fails an authorization check if:
1. The authorization object does not exist in the user buffer.
2. The values checked by the application are not assigned to the authorization object in the user buffer.
3. The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be controlled using the system profile parameter auth/number_in_userbuffer.
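The following Python is an added illustration of the user buffer and the three failure cases above; it is not code from the original page and not SAP code. It builds a small in-memory buffer from a role's authorizations, truncates it at an assumed limit standing in for auth/number_in_userbuffer, and has authority_check report which of the three reasons applies when a check fails. The role name USER_SMITH_ROLE is the page's example; its authorization values, the S_USER_GRP fields used, and the matching rules (generic '*', trailing '*' prefix, low-high range) are constructed assumptions for the demo.

```python
"""Toy model of the SAP user buffer and AUTHORITY-CHECK evaluation.

Added example, not SAP code: the buffer, role and limit below are
constructed for illustration.
"""
from typing import Dict, List, Tuple

Range = Tuple[str, str]                  # (low, high); high == "" means a single value or pattern
Authorization = Dict[str, List[Range]]   # field -> permitted ranges


def value_matches(value: str, ranges: List[Range]) -> bool:
    """One authorization field: generic '*', trailing '*' prefix, range, or single value."""
    for low, high in ranges:
        if low == "*":
            return True
        if high:                      # interval low..high, compared as strings (assumed)
            if low <= value <= high:
                return True
        elif low.endswith("*"):       # pattern such as 'ZFIN*'
            if value.startswith(low[:-1]):
                return True
        elif value == low:
            return True
    return False


class UserBuffer:
    """All authorizations of one user, built at logon from the assigned roles."""

    def __init__(self, user: str, max_entries: int) -> None:
        self.user = user
        self.max_entries = max_entries            # stands in for auth/number_in_userbuffer
        self.auths: Dict[str, List[Authorization]] = {}
        self.overflowed = False

    def add_role(self, role_auths: List[Tuple[str, Authorization]]) -> None:
        for obj, auth in role_auths:
            if sum(len(v) for v in self.auths.values()) >= self.max_entries:
                self.overflowed = True            # remaining authorizations are never loaded
                return
            self.auths.setdefault(obj, []).append(auth)

    def authority_check(self, obj: str, **fields: str) -> str:
        """Return 'OK' or the failure reason. All checked fields must match within
        one single authorization, never across two authorizations."""
        reason = "OBJECT_NOT_IN_BUFFER"
        if obj in self.auths:
            reason = "VALUES_NOT_ASSIGNED"
            for auth in self.auths[obj]:
                if all(value_matches(v, auth.get(f, [])) for f, v in fields.items()):
                    return "OK"
        # third cause from the text: after an overflow the missing authorization
        # may simply never have been loaded into the buffer
        return "USER_BUFFER_OVERFLOW" if self.overflowed else reason


# Constructed sample role for the page's user Smith
USER_SMITH_ROLE: List[Tuple[str, Authorization]] = [
    ("S_TCODE", {"TCD": [("SU01", ""), ("SU10", "")]}),
    ("S_USER_GRP", {"ACTVT": [("03", "")], "CLASS": [("*", "")]}),        # display any group
    ("S_USER_GRP", {"ACTVT": [("01", "02")], "CLASS": [("ZFIN*", "")]}),  # create/change ZFIN* groups
]


def demo(max_entries: int = 10) -> Dict[str, str]:
    """Run a few checks against Smith's buffer; shrink max_entries to force an overflow."""
    buf = UserBuffer("SMITH", max_entries)
    buf.add_role(USER_SMITH_ROLE)
    return {
        "display_any_group": buf.authority_check("S_USER_GRP", ACTVT="03", CLASS="ZHR"),
        "change_fin_group": buf.authority_check("S_USER_GRP", ACTVT="02", CLASS="ZFIN_AP"),
        "change_hr_group": buf.authority_check("S_USER_GRP", ACTVT="02", CLASS="ZHR"),
        "assign_profile": buf.authority_check("S_USER_PRO", ACTVT="22", PROFILE="SAP_ALL"),
        "tcode_su01": buf.authority_check("S_TCODE", TCD="SU01"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
    print("with limit 2:", demo(max_entries=2))
```

The change_hr_group case is the one that confuses people in SU53: ACTVT 02 is present in one authorization and CLASS ZHR in another, but SAP requires every field of the check to match inside the same authorization, so the check fails.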

Q. How to find out all roles containing T-code SU01?
A. Use SUIM > Roles by complex criteria, or report RSUSR070. Go to Selection by Authorization Value. In Object 1 enter S_TCODE and hit Enter, then put SU01 in Transaction code and hit the Execute button (clock with check mark). I use the authorization object here because the same method works for testing any object.

You can also get this information directly from the table if you have access to SE16 or SE16N: execute SE16N on table AGR_1251 with Object = S_TCODE and VALUE (low) = SU01.

Q. How to find out all the users who have SU01?
A. Use SUIM > Users by complex criteria (report RSUSR002). Go to Selection by Authorization Value. In Object 1 enter S_TCODE and hit Enter, then put SU01 in Transaction code and hit Execute. Again, the authorization object method works for any object.

Q. How to find out all the roles in one composite role, or in a selection of composite roles?
A. Execute SE16N on table AGR_AGRS and enter the composite role(s); multiple composite roles can be entered using the "more" button.

Q. How to find out all the derived roles for one or more master (parent) roles?
A. Execute SE16N on table AGR_DEFINE and select on either the AGR_NAME field or the PARENT_AGR field.

Q. How can I check all the organizational level values for a role?
A. Execute SE16N on table AGR_1252, enter the role and hit Execute. You can also download all the information to a spreadsheet.

Q. How do I restrict access to files through AL11?
A. First create an alias: go to t-code AL11 > Configure > Create alias. Say we are trying to restrict alias DIR_TEMP, which is /tmp. In PFCG assign t-code AL11 and change the authorization for S_DATASET as follows:
Activity (ACTVT): 33
Physical file name (FILENAME): /tmp/*
Program name with search help (PROGRAM): *

Q. How can I add one role to many users?
A. Use SU10. If you have fewer than 16 users you can paste the user IDs directly. If you have more than 16 users, click on Authorization data, click the button next to Users and upload from the clipboard. Hit Change, go to the Roles tab, add the roles to be assigned and hit Save.

Q. What are the best practices for locking expired users?
A. Lock the user, remove all roles and profiles assigned to the user, and move the user to the TERM user group.

Q. How can password rules be enforced?
A. Password rules are enforced using profile parameters.

Q. How to remove duplicate roles with different start and end dates from the user master?
A. Use report PRGN_COMPRESS_TIMES. Refer to Note 365841 for more information.

Q. How come the user has the authorization in PFCG, but still complains of no authorization?
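As an added example (not code from the original page or from SAP), the following Python performs the SUIM / SE16N lookups described above offline: which roles grant a given authorization value (the AGR_1251 query), which users effectively hold it once composite roles are expanded through AGR_AGRS and expired assignments in AGR_USERS are ignored, and which derived roles hang off a parent in AGR_DEFINE. It also covers the composite-role explanation earlier in the Q&A. The rows are constructed and mimic only the key columns of those tables; in a real review they would come from SE16N downloads.

```python
"""Offline version of the 'roles/users by complex criteria' lookups.

Added example, not SAP code. The rows are constructed and mimic the key
columns of AGR_1251, AGR_AGRS, AGR_DEFINE and AGR_USERS.
"""
from typing import Dict, Set

# AGR_1251: (AGR_NAME, OBJECT, FIELD, LOW, HIGH)  -- constructed sample
AGR_1251 = [
    ("Z_USER_ADMIN",     "S_TCODE",    "TCD",   "SU01",  ""),
    ("Z_USER_ADMIN",     "S_USER_GRP", "ACTVT", "01",    "02"),
    ("Z_USER_ADMIN_FIN", "S_TCODE",    "TCD",   "SU01",  ""),   # derived from Z_USER_ADMIN
    ("Z_USER_ADMIN_FIN", "S_USER_GRP", "CLASS", "ZFIN*", ""),
    ("Z_BASIS_ALL",      "S_TCODE",    "TCD",   "S*",    ""),   # wildcard covers SU01 too
    ("Z_DISPLAY",        "S_TCODE",    "TCD",   "SU01D", ""),
]
# AGR_AGRS: (AGR_NAME of the composite role, CHILD_AGR)
AGR_AGRS = [
    ("ZC_SECURITY_TEAM", "Z_USER_ADMIN"),
    ("ZC_SECURITY_TEAM", "Z_DISPLAY"),
]
# AGR_DEFINE: (AGR_NAME, PARENT_AGR); an empty parent means the role is not derived
AGR_DEFINE = [
    ("Z_USER_ADMIN", ""),
    ("Z_USER_ADMIN_FIN", "Z_USER_ADMIN"),
    ("Z_BASIS_ALL", ""),
    ("Z_DISPLAY", ""),
    ("ZC_SECURITY_TEAM", ""),
]
# AGR_USERS: (AGR_NAME, UNAME, FROM_DAT, TO_DAT) with dates as YYYYMMDD strings
AGR_USERS = [
    ("Z_USER_ADMIN_FIN", "JONES",   "20230101", "99991231"),
    ("ZC_SECURITY_TEAM", "SMITH",   "20230101", "99991231"),
    ("Z_BASIS_ALL",      "BASIS1",  "20230101", "99991231"),
    ("Z_USER_ADMIN",     "OLDUSER", "20200101", "20201231"),   # expired assignment
    ("Z_DISPLAY",        "AUDITOR", "20230101", "99991231"),
]


def auth_value_covers(value: str, low: str, high: str) -> bool:
    """Does one AGR_1251 row (single value, range, or trailing-'*' pattern) cover value?"""
    if high:
        return low <= value <= high
    return low == "*" or value == low or (low.endswith("*") and value.startswith(low[:-1]))


def roles_granting(obj: str, fld: str, value: str) -> Set[str]:
    """'Roles by complex criteria': every role whose authorization data covers the value."""
    return {agr for agr, o, f, low, high in AGR_1251
            if o == obj and f == fld and auth_value_covers(value, low, high)}


def single_roles_of(role: str) -> Set[str]:
    """Expand a composite role through AGR_AGRS; a single role maps to itself."""
    children = {child for comp, child in AGR_AGRS if comp == role}
    return children or {role}


def derived_roles_of(parent: str) -> Set[str]:
    """AGR_DEFINE lookup on the PARENT_AGR field."""
    return {agr for agr, par in AGR_DEFINE if par == parent}


def users_granted(obj: str, fld: str, value: str, today: str) -> Dict[str, Set[str]]:
    """'Users by complex criteria': user -> roles through which the user holds the value.

    Composite assignments are expanded to their single roles, as the user
    comparison does, and assignments outside their validity period are ignored.
    """
    granting = roles_granting(obj, fld, value)
    result: Dict[str, Set[str]] = {}
    for agr, uname, from_dat, to_dat in AGR_USERS:
        if not (from_dat <= today <= to_dat):
            continue
        hits = single_roles_of(agr) & granting
        if hits:
            result.setdefault(uname, set()).update(hits)
    return result


if __name__ == "__main__":
    print("roles with SU01:", sorted(roles_granting("S_TCODE", "TCD", "SU01")))
    print("users with SU01:", users_granted("S_TCODE", "TCD", "SU01", "20240601"))
    print("derived from Z_USER_ADMIN:", derived_roles_of("Z_USER_ADMIN"))
```

Two points the table lookup alone misses: a wildcard such as S* in a basis role grants SU01 without the literal value ever appearing in AGR_1251, and a user whose only route to SU01 is a composite role does not show up unless AGR_AGRS is expanded.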

A. Make sure the user master has been compared. There may also be a user buffer overflow. Also check the profile as follows: SUIM > Users by complex criteria, enter the user ID of the user with the problem and execute. Double-click on the user ID and expand the tree. Select the profile in question and check whether the authorization is correct. If not, do the role reorganization in PFCG and see if that helps.

Q. How can I have a display-only version of SAP_ALL?
A. Copy SAP_ALL, open the role and change the activity values to 03 and 08.

Q. How can I find all activities (ACTVT) in SAP?
A. All possible activities (ACTVT) are stored in table TACT (transaction SM30); the valid activities for each authorization object can be found in table TACTZ (transaction SE16).

Q. What is SAP?
A. SAP is the name of the company founded in 1972 (under the German name for "Systems, Applications, and Products in Data Processing") and of its leading ERP (Enterprise Resource Planning) software package.

Q. Explain the concept of Business Content in SAP Business Information Warehouse.
A. Business Content is a pre-configured set of role- and task-relevant information models based on consistent metadata in the SAP Business Information Warehouse. Business Content provides selected roles within a company with the information they need to carry out their tasks. These information models essentially contain roles, workbooks, queries, InfoSources, InfoCubes, key figures, characteristics, update rules and extractors for SAP R/3, mySAP.com Business Applications and other selected applications.

Q. What is IDES?
A. International Demonstration and Education System: a sample application provided for faster learning and implementation.

Q. What is SAP R/3?
A. A third-generation set of highly integrated software modules that perform common business functions based on multinational leading practice. It takes care of any enterprise, however diverse in operation or spread over the world. In an R/3 system the three servers (presentation, application and database) are located on different systems.

Q. What are the presentation, application and database servers in SAP R/3?
A. The application layer of an R/3 system is made up of the application servers and the message server. Application programs in an R/3 system run on the application servers. The application servers communicate with the presentation components, the database, and also with each other, using the message server. All the data is stored in a centralized server, called the database server.

Q. What should be the approach for writing a BDC program?
A. Convert the legacy system data to a flat file and load the flat file into an internal table. Transfer the flat file into the SAP system (SAP data transfer). Then either call transaction (write the program explicitly) or create sessions (sessions are created and processed; if successful, the data is transferred).

Q. What are the major benefits of reporting with BW over R/3? Would it be sufficient just to Web-enable R/3 reports?
A. Performance: heavy reporting along with regular OLTP transactions can produce a lot of load on both the R/3 system and the database (CPU, memory, disks, etc.). Just look at the load on your system during a month end, quarter end or year end, and imagine that occurring even more frequently. Data analysis: BW uses data warehouse and OLAP concepts for storing and analyzing data, whereas R/3 was designed for transaction processing. With a lot of work you can get the same analysis out of R/3, but it is most likely easier from BW.

Q. What is the difference between OLAP and data mining?
A. OLAP (On-Line Analytical Processing) is a reporting tool configured to understand your database schema, composition, facts and dimensions. By simple point-and-clicking, a user can run any number of canned or user-designed reports without having to know anything of SQL or the schema; because of that prior configuration, the OLAP engine builds and executes the appropriate SQL. Data mining is building an application to look specifically at detailed analyses, often algorithmic, and even more often mislabelled as reporting.

Q. What is the Extended Star Schema and how did it emerge?
A. The star schema consists of the dimension tables and the fact table. The master-data-related tables are kept in separate tables, which have references to the characteristics in the dimension table(s). These separate tables for master data are termed the Extended Star Schema.

Q. Define metadata, master data and transaction data.
A. Metadata: data that describes the structure of data or of MetaObjects; in other words, data about data. Master data: data that remains unchanged over a long period of time and contains information that is always needed in the same way. In BW, characteristics can bear master data; with master data you are dealing with attributes, texts or hierarchies. Transaction data: data relating to the day-to-day transactions.

Q. What is BEx?
A. BEx stands for Business Explorer. BEx enables end users to locate reports, view reports, analyze information and execute queries. The queries in a workbook can be saved to their respective roles in the BEx Browser. BEx has the following components: BEx Browser, BEx Analyzer, BEx Map, BEx Web.

Q. What are variables?
A. Variables are parameters of a query that are set in the query definition and are not filled with values until the queries are inserted into workbooks. There are different types of variables used in different applications: characteristic variables, hierarchies and hierarchy nodes, texts, formulas, processing types, user entry/default type, replacement path.

Q. What is AWB, and what is its purpose?
A. AWB stands for Administrator Workbench. AWB is the tool for controlling, monitoring and maintaining all the processes connected with data staging and processing in the Business Information Warehouse.

Q. What is the significance of ODS in BIW?
A. An ODS object serves to store consolidated and cleansed transaction data at document level (atomic level). It describes a consolidated dataset from one or more InfoSources. This dataset can be analyzed with a BEx query or InfoSet query. The data of an ODS object can be updated with a delta update into InfoCubes and/or other ODS objects in the same system or across systems. In contrast to the multi-dimensional data storage of InfoCubes, the data in ODS objects is stored in transparent, flat database tables.

Q. What is an extractor?
A. Extractors are the data retrieval mechanisms in the SAP source system. They fill the extract structure of a DataSource with data from the SAP source system datasets. The extractor may be able to supply data to more fields than exist in the extract structure.

Q. How do I change the name of a master/parent role while keeping the names of the derived/child roles (and the profiles associated with the child roles) the same?
A. First copy the master role using PFCG to a role with the new name you want, and generate it. Then open each derived role and delete its menu. Once the menu is removed, the role lets you enter a new inheritance, where you put the name of the new master role. This keeps the same derived role names and the same profile names. Once the new roles are done you can transport them; the transport automatically includes the parent role.

Q. What is the difference between C (Check) and U (Unmaintained)?
A. Background: when defining authorizations using the Profile Generator (PG), the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. You determine the authorization checks that can be maintained in the PG using check indicators. USOBX_C is the check table for table USOBT_C. In USOBX_C there are four check indicators:

CM (Check/Maintain)
- An authority check is carried out against this object.
- The PG creates an authorization for this object and field values are displayed for changing.
- Default values for this authorization can be maintained.

C (Check)
- An authority check is carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.

N (No check)
- The authority check against this object is disabled.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.

U (Unmaintained)
- No check indicator is set.
- An authority check is always carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
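The following Python is an added example (not from the original page and not SAP code) that turns the four check indicators above, and the USOBX_C / USOBT_C distinction explained earlier in the Q&A, into executable rules: for a role containing given transactions it reports which authorizations the Profile Generator would propose with which default values, which objects are still checked at runtime but must be added by the administrator (C and U), and which checks are switched off (N). The USOBX_C and USOBT_C rows are constructed, the indicator letters CM/C/N/U are used directly rather than the raw table codes, and the automatic S_TCODE proposal with the role's transactions is assumed.

```python
"""Model of the four USOBX_C check indicators and what the Profile Generator does with them.

Added example, not SAP code: the USOBX_C / USOBT_C rows are constructed.
"""
from typing import Dict, List, Set

# USOBX_C: (transaction, object, check indicator)  -- constructed sample
USOBX_C = [
    ("SU01",  "S_USER_GRP", "CM"),
    ("SU01",  "S_USER_PRO", "CM"),
    ("SU01",  "S_USER_AUT", "C"),    # checked at runtime, but the PG proposes nothing
    ("SU01",  "S_TABU_DIS", "N"),    # check switched off for this transaction
    ("ZREP1", "S_DEVELOP",  "U"),    # never maintained: still checked, nothing proposed
]
# USOBT_C: (transaction, object, field, low, high); an empty low means the
# field is shown in the PG without a default value
USOBT_C = [
    ("SU01", "S_USER_GRP", "ACTVT",   "01", ""),
    ("SU01", "S_USER_GRP", "ACTVT",   "02", ""),
    ("SU01", "S_USER_GRP", "CLASS",   "",   ""),
    ("SU01", "S_USER_PRO", "ACTVT",   "22", ""),
    ("SU01", "S_USER_PRO", "PROFILE", "",   ""),
    ("SU01", "S_USER_AUT", "ACTVT",   "03", ""),   # ignored by the PG: indicator is C, not CM
]


def runtime_check_active(indicator: str) -> bool:
    """Only N disables the AUTHORITY-CHECK; CM, C and U are all checked at runtime."""
    return indicator != "N"


def pg_creates_authorization(indicator: str) -> bool:
    """Only CM makes the Profile Generator propose an authorization with default values."""
    return indicator == "CM"


def classify_role(tcodes: List[str]) -> Dict[str, object]:
    """What PFCG would do for a role whose menu contains these transactions."""
    # S_TCODE for the menu transactions is always proposed (assumed PG behaviour)
    proposed: Dict[str, Dict[str, List[str]]] = {"S_TCODE": {"TCD": sorted(tcodes)}}
    checked_but_manual: Set[str] = set()
    disabled: Set[str] = set()
    for tcode, obj, ind in USOBX_C:
        if tcode not in tcodes:
            continue
        if not runtime_check_active(ind):
            disabled.add(obj)
        elif pg_creates_authorization(ind):
            fields = proposed.setdefault(obj, {})
            for t, o, fld, low, high in USOBT_C:
                if t == tcode and o == obj:
                    values = fields.setdefault(fld, [])
                    if low:
                        values.append(low + ("-" + high if high else ""))
        else:
            # C or U: the check happens, but no authorization is proposed, so the
            # administrator has to add it by hand or the transaction fails in SU53
            checked_but_manual.add(obj)
    return {"proposed": proposed, "checked_but_manual": checked_but_manual, "disabled": disabled}


if __name__ == "__main__":
    for key, value in classify_role(["SU01", "ZREP1"]).items():
        print(key, value)
```

The practical consequence is the one behind the C-versus-U question: for both indicators the check still fires, so a role built only from PG proposals will be missing those objects, and the difference is only whether somebody consciously decided that (C) or nobody ever looked (U).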

R/3 Security Tips

QuickViewer (SQVI)
QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a whole range of options for defining reports and supports different kinds of reports such as basic lists, statistics, and ranked lists. QuickViewer (SQVI), on the other hand, is a tool that allows even relatively inexperienced users to create basic lists. I have created a tutorial for SQVI.

User assignment
Never insert generated profiles directly into the user master record (transaction SU01). Assign the role to the user on the Roles tab in transaction SU01, or choose the User tab in role maintenance (PFCG) and enter the user to whom you want to assign the role or profile. When you then compare the user master records, the system inserts the generated profile in the user master record.

Do not assign any authorizations for modules you have not yet installed
If you intend to gradually add modules to your system, it is important that you do not assign any authorizations for those modules you have not yet installed. This ensures that you cannot accidentally change data in your production system that you may need at a later stage. Leave the corresponding authorizations or organizational levels open.

Creating SPRO display only
You might be asked to give display access to SPRO while implementing SAP. I generally give these authorizations to make it display only. Please test it.

Object       Field        Value   Note
S_PROJECT    PROJECT_ID   *
S_PROJECT    PROJ_CONF    *
S_RFC        ACTVT        03
S_RFC        RFC_NAME     *
S_RFC        RFC_TYPE     *
S_TABU_CLI   CLIIDMAINT   '       (not X)
S_TABU_DIS   DICBERCLS    *       Deactivate or remove PIEC and TASK
S_TABU_DIS   ACTVT        03
S_TRANSPRT   TTYPE        T       Remove
S_TCODE      TCD          SPRO

Creating authorization fields
In authorization objects, authorization fields represent the values to be tested during authorization checks. To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Fields. To create an authorization field, proceed as follows:
1. Choose Create authorization field.
2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z.
3. Assign a data element from the ABAP Dictionary to the field.
You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.

Creating authorization objects
An authorization object groups together up to ten authorization fields that are checked together in an authorization check. To create authorization objects, choose Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Objects. Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects. You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and documentation for it. Ensure that the object definition matches the ABAP AUTHORITY-CHECK calls that refer to the object.

Locking security holes through IMG transactions
Even though you have restricted your users from SU01 or PFCG (to modify themselves or other people), they can get into these areas through the different IMG transaction codes. Check whether your core team or user community has access to:
OY20  Authorizations
OY21  User profiles
OY22  Create subadministrator
OY24  Client maintenance
OY25  CS BC: Set up Client
OY27  Create Super User
OY28  Deactivate SAP*

Security Tables

Table       Description
USR02       Logon data
USR04       User master authorization (one row per user)
UST04       User profiles (multiple rows per user)
USR10       Authorisation profiles (i.e. &_SAP_ALL)
UST10C      Composite profiles (i.e. profile has sub-profiles)
USR11       Text for authorisation profiles
USR12       Authorisation values
USR13       Short text for authorisation
USR40       Table for illegal passwords
USGRP       User groups
USGRPT      Text table for USGRP
USH02       Change history for logon data
USR01       User master (runtime data)
USER_ADDR   Address data for users
AGR_1016    Name of the activity group profile
AGR_1016B   Name of the activity group profile
AGR_1250    Authorization data for the activity group
AGR_1251    Authorization data for the activity group
AGR_1252    Organizational elements for authorizations
AGR_AGRS    Roles in composite roles
AGR_DEFINE  Role definition
AGR_HIER2   Menu structure information - customer version
AGR_HIERT   Role menu texts
AGR_OBJ     Assignment of menu nodes to role
AGR_PROF    Profile name for role
AGR_TCDTXT  Assignment of roles to T-codes
AGR_TEXTS   File structure for hierarchical menu - customer
AGR_TIME    Time stamp for role: including profile
AGR_USERS   Assignment of roles to users
USOBT       Relation transaction to authorization object (SAP)
USOBT_C     Relation transaction to authorization object (customer)
USOBX       Check table for table USOBT
USOBXFLAGS  Temporary table for storing USOBX/T* changes
USOBX_C     Check table for table USOBT_C

R/3 Security Tcodes

[The T-code table on this page was rendered as a rotated graphic and is not recoverable from the transcript. Its column headings were: End User; User Administration; Role Administration; Profile Generator Configuration; Transport; R/3 Security - Audit Check.]

R/3 Security - Audit Check

There comes a time when you have to deal with auditors. I have put together a check list to go through. If this is a new implementation you should go through this, and maybe you can impress your boss. If you feel I should add more, email me at [email protected].

Checklist:
1. SAP R/3 user ID SAP* and other system user IDs have been adequately secured.
2. The production system has been set to productive.
3. Access restriction: SCC4 and SE06.
4. S_DEVELOP is secured.
5. Change management is secured and controlled.
6. Transport access to production is restricted.
7. Developer access in production.
8. Changing critical number ranges is restricted.
9. Custom tables have an authorization group.
10. Locking of sensitive system transaction codes.
11. BDC user types should have only the required access.
12. Running programs in the background.
13. Changes to critical SAP R/3 tables are logged.
14. Scheduling and monitoring batch jobs.
15. Access to run reports should be restricted.
16. Critical and custom SAP R/3 tables are restricted.

SAP R/3 user ID SAP* and other system user IDs have been adequately secured.
Performed the following steps to confirm that user ID SAP* has been adequately secured:

Verified whether the default password of SAP* was changed in all production clients: execute transaction code SA38 and run report RSUSR003. Reviewed the RSUSR003 report to verify that the parameter login/no_automatic_user_sapstar is set (value = 0).

Who has SAP_ALL and SAP_NEW
Execute transaction code SUIM, click on User, then on List of users according to complex selection criteria. Click on By user profiles, enter SAP_ALL in the Profile field and click the Execute button. Repeat with SAP_NEW in the Profile field.
Risk: the SAP_ALL profile grants a user full/complete access to all functions in the SAP system and has the potential to be misused. The SAP_ALL profile should only be assigned to a minimal number of users on the system.

The default SAP R/3 passwords for DDIC, SAPCPIC and EarlyWatch (in client 066) have been changed and access restricted to the super user.
Performed the following procedures to verify that the default SAP R/3 passwords for DDIC, SAPCPIC and EarlyWatch have been changed and access restricted to the super user ID:
Execute transaction SA38, program RSUSR003. Default passwords that should be changed:
SAP*        PASS
DDIC        19920706
SAPCPIC     ADMIN
EarlyWatch  SUPPORT
Risk: SAP comes supplied with a number of default user IDs, all of which have default passwords. The passwords to these IDs are well known, and therefore if they are not changed the IDs could potentially be misused.

To review any passwords which users are not allowed to use: execute transaction code SE16, table name USR40.
Risk: table USR40 is used to prevent users from using a list of commonly guessed passwords. If it is not used, it increases the possibility that users could select trivial passwords. Alternatively, you can use profile parameters to do this.

The SAP R/3 system profile parameters have been set to appropriate values.
Performed the following procedures to determine whether the SAP R/3 system profile parameters have been set to appropriate values: refer to the profile parameter details.
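The following Python is an added example (not code from the original page and not SAP code) that runs the SAP_ALL / SAP_NEW check and the USR40 check above offline, on top of a parser for the USR04 PROFS field whose layout (two-character change flag followed by 12-character profile names in a 3750-character field, giving the 312-profile limit) is explained earlier in the Q&A. The rows are constructed; the left-justified flag layout and the USR40 wildcard handling ('*' matches any string, '?' one character, compared case-insensitively) are assumptions.

```python
"""Offline checks on exported user-master data: parse USR04-PROFS, list holders of
SAP_ALL / SAP_NEW, and test candidate passwords against USR40 entries.

Added example, not SAP code; rows are constructed, flag layout and wildcard
semantics are assumptions.
"""
import re
from typing import Dict, List, Tuple

PROFS_LEN = 3750
FLAG_LEN = 2
PROFILE_NAME_LEN = 12
MAX_PROFILES = (PROFS_LEN - FLAG_LEN) // PROFILE_NAME_LEN   # the 312 limit from the text

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}


def build_profs(flag: str, profiles: List[str]) -> str:
    """Pack a change flag and profile list the way USR04-PROFS stores them."""
    if len(profiles) > MAX_PROFILES:
        raise ValueError(f"{len(profiles)} profiles exceed the USR04 limit of {MAX_PROFILES}")
    if any(len(p) > PROFILE_NAME_LEN for p in profiles):
        raise ValueError("profile name longer than 12 characters")
    return flag.ljust(FLAG_LEN) + "".join(p.ljust(PROFILE_NAME_LEN) for p in profiles)


def parse_profs(profs: str) -> Tuple[str, List[str]]:
    """Split PROFS into (change flag, profile names): C = created, M = changed."""
    flag = profs[:FLAG_LEN].strip()
    body = profs[FLAG_LEN:]
    names = [body[i:i + PROFILE_NAME_LEN].strip() for i in range(0, len(body), PROFILE_NAME_LEN)]
    return flag, [n for n in names if n]


def critical_profile_holders(usr04_rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """The 'who has SAP_ALL / SAP_NEW' check over (BNAME, PROFS) rows."""
    holders: Dict[str, List[str]] = {}
    for bname, profs in usr04_rows:
        _, profiles = parse_profs(profs)
        hits = sorted(set(profiles) & CRITICAL_PROFILES)
        if hits:
            holders[bname] = hits
    return holders


def usr40_pattern(entry: str):
    """Translate a USR40 entry into a regex: '*' any string, '?' one character (assumed)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in entry.upper())
    return re.compile("^" + body + "$")


def password_forbidden(password: str, usr40_entries: List[str]) -> bool:
    """True if the candidate password matches any USR40 entry (compared in upper case)."""
    candidate = password.upper()
    return any(usr40_pattern(e).match(candidate) for e in usr40_entries)


# Constructed sample data
USR04_ROWS = [
    ("SAP*",   build_profs("C", ["SAP_ALL", "SAP_NEW", "S_A.SYSTEM"])),
    ("BASIS1", build_profs("M", ["SAP_ALL", "Z_BASIS"])),
    ("SMITH",  build_profs("M", ["Z_USER_ADMIN", "Z_DISPLAY"])),
]
USR40_ENTRIES = ["PASSWORD", "WELCOME*", "*123", "SAP?", "INIT*"]

if __name__ == "__main__":
    print("max profiles per user:", MAX_PROFILES)
    print("critical profile holders:", critical_profile_holders(USR04_ROWS))
    for pw in ["password", "Welcome2024", "abc123", "sap1", "Tr0ub4dor&3"]:
        print(f"{pw:15s} forbidden={password_forbidden(pw, USR40_ENTRIES)}")
```

Exported USR04 rows can be fed to critical_profile_holders directly; the result is the same list the SUIM "By user profiles" selection produces, and it is easy to diff between audit runs.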


The production system has been set to productive.
To verify that the company codes utilized in the SAP R/3 system are set to productive: various company codes come as default within SAP, so this check ensures that only the company codes actually in use are set up as productive. The SOX team / security team should perform the following steps:
Execute transaction code OBR3.
Review the Productive column and ensure the applicable global settings have not been checked off.

The production client settings have been flagged to not allow changes to programs and configuration.
Performed the following steps to verify that the production client settings have been flagged to not allow changes to programs and configuration:
Execute transaction code SCC4 (all clients) and SE06. Double-click on the applicable production client. Verify that changes to client-dependent and client-independent objects are not allowed and that the client is set to productive.

Access restriction: SCC4 and SE06
Transaction codes SCC4 and SE06 are critical transactions which are used to prevent direct changes being made to the production system. If these transactions are not appropriately set, there is a risk that unauthorized changes may be made directly in the production system without going through the appropriate change management process. Performed the following steps to verify that the ability to make changes to client and system settings is restricted and that access privileges are appropriately assigned based on job responsibilities:

Query 1: execute transaction code SUIM, select Users by complex criteria.
Authorization object S_TCODE: transaction code value SCC4
Authorization object S_TABU_DIS: activity 02 and 03, authorization group SS
Authorization object S_TABU_CLI: indicator for cross-client maintenance X

Query 2: execute transaction code SUIM.
Authorization object S_TCODE: transaction code value SCC4
Authorization object S_ADMI_FCD: system administration function T000
Authorization object S_CTS_ADMI: administration task INIT

Query 3: execute transaction code SUIM.
Authorization object S_TCODE: transaction code value SE06
Authorization object S_TRANSPRT: activity *, request type *
Authorization object S_CTS_ADMI: administration task RELE

S_DEVELOP is secured

Only the SAP R/3 super user has authorization object S_DEVELOP with critical activity values in the production system. Performed the following procedures to verify this:

Query: Execute transaction code SUIM
S_TCODE: SE38
Authorization Object: S_DEVELOP, All fields: *

Risk: Users who have this access have the ability to perform development-related functions in the production system. Such access should be restricted to developers in the development system only.

Change management is secured and controlled

Performed the following procedures to ensure that the SAP R/3 change management environment provides a secure and controlled structure for software changes. Start transaction SE16, enter the table name and choose Display:

TCESYST (Environments): Inspect table TCESYST, which details the various environments.

TCETRAL (Cross Transports): Inspect table TCETRAL and note the various transport layers. Reviewed transport layers.

TCEDELI (Recipient systems): Inspect table TCEDELI, which details which SAP systems receive released transports.

Transport access to production is restricted

Performed the following procedures to verify that the ability to make transports to production is restricted and access privileges are appropriately assigned based on job responsibilities:

Executed transaction: SUIM
Authorization object: S_TCODE, Transaction code value: SE11
Authorization Object: S_TRANSPRT, Activity value: 01 or 43, Request Type: DTRA or CUST

Risk: Users who have this access have the ability to move code from the development environment to the production environment.

Developer access in production

The ability to make changes to the SAP R/3 Data Dictionary is restricted and access privileges are appropriately assigned based on job responsibilities. Performed the following procedures to verify this:

Executed transaction: SUIM
Authorization object: S_TCODE, Transaction code value: SE11
Authorization object: S_DEVELOP, Activity value: 01 or 02, Other fields: *

Risk: Users who have this access have the ability to maintain the SAP database (data dictionary).

Identify users who can do development in Production:

Execute transaction code: SUIM
S_TCODE: SE38
Authorization Object: S_DEVELOP, Activity: 02 and 03, All fields: LEAVE BLANK (then repeat with All fields: *)

Risk: Users who have this access have the ability to perform development-related functions in the production system. Such access should be restricted to developers in the development system only.

Execute transaction code: SUIM
S_TCODE: SE38
Authorization Object: S_DEVELOP, Development Object ID: PROG, Activity: 02, All fields: * and LEAVE BLANK

Risk: Users who have this access have the ability to perform development-related functions in the production system. Such access should be restricted to developers in the development system only.

Execute transaction code: SE16, Table Name: DEVACCESS

Risk: A developer key is required, together with an open system, to make changes within production.

Changing critical number ranges is restricted (company code, chart of accounts, etc.)

Performed the following procedures to verify that the SAP system appropriately restricts the ability to change critical number ranges (i.e., company codes, chart of accounts, accounting period data, etc.):

Execute transaction code SUIM
Authorization object: S_TCODE, Transaction code value: SNRO
Authorization object: S_NUMBER, Activity: 02, Number range object: *

Risk: Users who have this access have the ability to maintain critical number ranges.

Custom tables have an authorization group

Performed the following procedures to verify that all customized SAP R/3 tables have been assigned to the appropriate authorization group:

Executed transaction code: SE16, Table name: TDDAT, selection on table name: Z*, Y*

Risk: If tables are not assigned to authorization groups it is not possible to appropriately control direct access to tables.

Locking of sensitive system transaction codes in the Production environment

Query: The authorization to lock and unlock transaction codes should only be granted to a selected few users. This also applies to customer-developed transaction codes, provided they are entered in table TSTCA through transaction code SE93. Check in production who has this access using the following:

Execute transaction: SM01, or execute transaction SE16, Table Name: TSTC, C info field: 20 to 20

Risk: SAP recommends that certain sensitive transactions be locked in the production system to prevent accidental or malicious use. The risk therefore is that these transactions are run accidentally, or run with malicious intent.

Query: Generated a list of users who have access to lock/unlock transaction codes.

Execute transaction code: SUIM
S_TCODE: SM01
Authorization object: S_ADMI_FCD, Field value: TLCK (lock/unlock transactions)

Risk: These users have the ability to lock or unlock sensitive transactions which should not be run in the production system.

BDC user IDs should have only the required access (they do not need SAP_ALL)

To verify that BDC users are assigned only the authorizations required to perform their task, performed the following steps: Execute transaction code SUIM. Click on User, then on List of users according to complex selection criteria. Click on By user ID, then execute by clicking the small green check mark. Click on Other view twice to display the user type for all listed user IDs.

Risk: These IDs have been provided super user access rights, which is excessive based on the typical needs of such IDs. Such IDs could potentially be misused.

An overview of jobs scheduled in the SAP R/3 system is performed regularly

Performed the following steps to produce a listing of batch input sessions: Execute transaction code SM35. Enter * in the Session name field and in the Created By field. Click on the Incorrect tab.

Risk: If batch sessions are not monitored on a regular basis, there is a risk that important batch sessions will contain errors or not be completely processed; processing of critical financial information will then be incomplete and the issue will not be identified on a timely basis.
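The SUIM queries above all ask the same question of the user/authorization data, so an auditor can re-run them offline against an export and keep the result as evidence. This is an added example, not part of the original checklist: a Python evaluator over a constructed flat export (user, object, field, value) of the kind RSUSR002 or a download of AGR_1251 gives; the field technical names are the standard ones for these SAP objects and the rule names are my own.

```python
"""Offline check of an exported authorization listing against the audit queries.

Added example, not from the original checklist. Input is one row per user,
authorization object, field and value. Field technical names (TCD, ACTVT,
TTYPE, S_ADMI_FCD, DICBERCLS, CLIIDMAINT) are the standard SAP ones; the
sample rows are constructed.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Each rule mirrors one SUIM query from the checklist. A user is flagged when
# every (object, field) condition is covered by at least one granted value.
RULES = {
    "Developer access in production (S_DEVELOP 01/02)": [
        ("S_TCODE", "TCD", {"SE38", "SE11"}),
        ("S_DEVELOP", "ACTVT", {"01", "02"}),
    ],
    "Transport into production (S_TRANSPRT)": [
        ("S_TCODE", "TCD", {"SE11"}),
        ("S_TRANSPRT", "ACTVT", {"01", "43"}),
        ("S_TRANSPRT", "TTYPE", {"DTRA", "CUST"}),
    ],
    "Critical number range maintenance (S_NUMBER)": [
        ("S_TCODE", "TCD", {"SNRO"}),
        ("S_NUMBER", "ACTVT", {"02"}),
    ],
    "Lock/unlock transactions (S_ADMI_FCD TLCK)": [
        ("S_TCODE", "TCD", {"SM01"}),
        ("S_ADMI_FCD", "S_ADMI_FCD", {"TLCK"}),
    ],
    "Client settings maintenance (SCC4, query 1)": [
        ("S_TCODE", "TCD", {"SCC4"}),
        ("S_TABU_DIS", "ACTVT", {"02", "03"}),
        ("S_TABU_DIS", "DICBERCLS", {"SS"}),
        ("S_TABU_CLI", "CLIIDMAINT", {"X"}),
    ],
}

# Constructed sample export: (user, authorization object, field, value).
SAMPLE_EXPORT = [
    ("DEVUSER", "S_TCODE", "TCD", "SE38"),
    ("DEVUSER", "S_DEVELOP", "ACTVT", "02"),
    ("BASIS1", "S_TCODE", "TCD", "*"),            # full wildcard on S_TCODE
    ("BASIS1", "S_DEVELOP", "ACTVT", "*"),
    ("BASIS1", "S_ADMI_FCD", "S_ADMI_FCD", "TLCK"),
    ("BASIS1", "S_TRANSPRT", "ACTVT", "01"),
    ("BASIS1", "S_TRANSPRT", "TTYPE", "DTRA"),
    ("REPORTER", "S_TCODE", "TCD", "SE3*"),       # trailing-wildcard pattern
    ("REPORTER", "S_DEVELOP", "ACTVT", "03"),      # display only: not flagged
    ("FI_CLERK", "S_TCODE", "TCD", "SNRO"),
    ("FI_CLERK", "S_NUMBER", "ACTVT", "02"),
    ("CLNT_ADM", "S_TCODE", "TCD", "SCC4"),
    ("CLNT_ADM", "S_TABU_DIS", "ACTVT", "02"),
    ("CLNT_ADM", "S_TABU_DIS", "DICBERCLS", "SS"),
    ("CLNT_ADM", "S_TABU_CLI", "CLIIDMAINT", "X"),
]


def covers(granted, wanted):
    """True if a granted field value covers the wanted value.

    SAP field values are literal or end in '*' ('SE3*'); '*' alone covers all.
    Ranges (low/high) are not modelled: expand them before exporting.
    """
    return granted == wanted or fnmatchcase(wanted, granted)


def index_export(rows):
    """Group the flat export into {user: {(object, field): [values, ...]}}."""
    index = defaultdict(lambda: defaultdict(list))
    for user, obj, field, value in rows:
        index[user][(obj, field)].append(value)
    return index


def user_matches(grants, conditions):
    """Every condition must be covered by at least one granted value."""
    for obj, field, wanted in conditions:
        values = grants.get((obj, field), [])
        if not any(covers(g, w) for g in values for w in wanted):
            return False
    return True


def evaluate(rows, rules=RULES):
    """Return {rule name: sorted list of flagged users}.

    A flat export merges values from different authorizations of the same
    object, so this over-approximates: confirm each hit in SUIM before
    reporting it as a finding.
    """
    index = index_export(rows)
    return {name: sorted(u for u, grants in index.items()
                         if user_matches(grants, conditions))
            for name, conditions in rules.items()}


if __name__ == "__main__":
    for rule, users in evaluate(SAMPLE_EXPORT).items():
        print(f"{rule}: {', '.join(users) or '-'}")
```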

Running programs in the background

By default a user is allowed to schedule reports for background processing, but cannot release them. Authorization to release jobs is controlled by S_BTCH_JOB: activity RELE is needed to release jobs and activity PROT is required to display the job log. The other activities (delete, change, move) should only be assigned to the batch administrator. S_BTCH_ADM should be granted to the batch administrator and not to all users; it is a critical authorization that can release other users' jobs and controls access to jobs in all clients of a system. S_BTCH_NAM can be used to schedule jobs under a different user ID. Never give * here, as this would allow the user to start batch jobs under any user ID. To check who has this access in production, follow the instructions below:

Execute transaction code SUIM
S_TCODE: SM36 / SM37
Authorization Objects: S_BTCH_JOB (Job Operations: RELE, Summary of jobs for a group: *), S_BTCH_NAM (Background user ID: *)

Risk: Users who have this access have the ability to run programs directly in the background, bypassing transaction-level security in SAP, and could potentially run programs/transactions they are not explicitly authorized to run.

Batch input - SM35

Batch input transaction code SM35 needs authorization for object S_BDC_MONI. You can restrict the privilege to certain sessions by entering the respective session name or name range. If you use a name range, the naming convention must be applied consistently.

Execute transaction code SUIM
S_TCODE: SM35
Authorization Objects: S_BDC_MONI, Batch input monitoring activity: *, Session Name: *

Risk: Users who have this access have the ability to process batch transactions without being explicitly authorized to do so.

Changes to critical SAP R/3 tables are logged and management regularly reviews the logs

Run transaction SE16, table DD09L, and noted that tables have been selected for logging.

Query: Execute transaction code SUIM
S_TCODE: SE01
Authorization object: S_TRANSPRT, Activity: 02, Field Object in Workbench Organizer: UPGR

Risk: Users who have this access have the ability to transport matchcodes into the production system. Such access should be restricted to basis administrators only.

Scheduling batch jobs

Performed the following steps to verify which users have the ability to change the SAP R/3 job schedule:

Execute transaction code SA38, report RSUSR002
S_TCODE: SM36 (Schedule)
Authorization Object: S_BTCH_JOB, Job Operations: RELE, Summary of jobs for a group: *, *

Risk: The potential risk here is that users who have this access have the ability to run programs directly in the background, bypassing transaction-level security in SAP, and could potentially run programs or transactions they are not explicitly authorized to run.

Monitoring batch jobs

Run transaction SM37 to check whether any of the jobs that ran during the last year are still active.

Risk: If jobs are not monitored on a regular basis, there is a risk that jobs will not run to completion; processing of critical financial information will then be incomplete and the issue will not be identified on a timely basis.

Access to run reports should be restricted

Execute transaction code SUIM
S_TCODE: SA38
Authorization Objects: S_PROGRAM, User action ABAP program: SUBMIT (foreground and background), Authorization Group: *, *

Risk: Users who have this access have the ability to run programs directly, bypassing transaction-level security in SAP, and could potentially run programs/transactions they are not explicitly authorized to run.

Execute transaction code SUIM
S_TCODE: SA38
Authorization Objects: S_PROGRAM, User action ABAP program: EDIT (maintain attributes, text elements, ABAP/4 utilities to copy and delete programs), Authorization Group: *

Risk: Users who have this access have the ability to maintain program attributes.

Critical and custom SAP R/3 tables are restricted

Execute transaction SUIM
Authorization Object: S_TCODE, Transaction Code: SM31 (enhanced table maintenance)
Authorization object: S_TABU_DIS, Activity: 02 and 03

Risk: Users who have this access have the ability to maintain table data directly in the production system. This includes transactional, master file, security and configuration data.

Execute transaction SUIM
Authorization Object: S_TCODE, Transaction Code: SM31
Authorization object: S_TABU_DIS, Activity: 02 and 03
Authorization Object: S_TABU_CLI

Identify if custom transactions have references to authorization objects.

Execute transaction code: SE16
Table name: TSTCA / TSTC, TCODE: Z*

Checked table TSTCA and verified that no Z transactions existed. Verified in table TSTC that the majority were secured by authorization objects. Since all transactions are secured by S_TCODE, this control is still effective.

Introduction

SAP Business Information Warehouse (SAP BW), as a core component of SAP NetWeaver data warehousing functionality, provides both a business intelligence platform and a suite of business intelligence tools. With the tool set provided, relevant business information can be integrated into SAP BW and transformed and consolidated there. SAP BW enables analysis and interpretation as well as the distribution of this information. Based on this analysis, sound decisions can be made and goal-oriented activities can be initiated. With extensive predefined information models provided for the various roles in a company (BI Content), SAP BW also increases the usability of these analyses and enables a quick, cost-effective implementation.

Data warehousing in SAP BW represents the integration, transformation, consolidation, cleanup and storage of data. It also signifies the extraction of data for analysis and interpretation. The data warehousing process includes data modeling, data extraction and the management of the data warehouse management processes.

SAP BW Authorization Specifics

In an SAP BW system there are two different types of authorization objects:

1. Standard authorization objects: This type of authorization object is provided by SAP and covers all checks for, e.g., system administration tasks, data modelling tasks, and for granting access to InfoProviders for reporting. For this type of authorization the same concept and technique is used as in an SAP R/3 system.

2. Reporting authorization objects: For more granular authorization checks on an InfoProvider's data you need another type of authorization object, defined by the customer. With these objects you can specify which part of the data within an InfoProvider a user is allowed to see.

Both types of authorization objects use the same authorization framework. Technically they are treated in the same way. However, the design of reporting authorizations is more complex because you need to design the reporting authorization objects first. This is an additional step that needs to be treated with care, because the structure of the authorization objects determines the possible use with regard to selections, combinations and granularity. In your project you need expertise in the area of reporting authorizations; knowledge of the basis authorization framework is not sufficient.

User Types in BW

There are different types of users in SAP BW. Most of your users will be the users who execute queries and workbooks. These people could be considered "reporting users" or "end users." There are also users who develop new queries. Some people may refer to them as "power users" or "data analysts." The users who develop queries may also create new workbooks and may be responsible for publishing that information to the right audience. Then there are users who create new objects like InfoCubes, InfoAreas, and InfoObjects. They also schedule data loads, create update rules for InfoCubes, monitor performance, and set up source systems. The users who do these tasks are normally referred to as "administration users." Securing reporting users and administration users is covered in the sections below.

Using the Workbooks model

Generally, power users create queries to suit their team's needs and save the results in a workbook. They may want to save the workbooks to their Favorites folder for easy retrieval later, or they may want to save the workbooks to a location where other users can execute the same workbook.

Linking BW to Enterprise Portal (EP)

A step-by-step list explaining how to link a BW system to an EP system is given below.

Setting up RFC to an R/3 system

BW RFC / ALE setup: In SAP BW, you should create a system (not dialog) user called BWALE. BWALE should have the authorization profile (not role) S_BI-WHM_RFC.

Transaction Codes in BW

RRMX: Launches the BEx Analyzer, which is used to create and execute queries
RSA1: Launches the Administrator Workbench, which is used by the SAP BW administrator

Reporting User Security

Authorization objects used primarily by reporting users: In order to execute any query, you must have access to S_RS_ICUBE, S_RS_COMP, S_RS_COMP1 and S_RS_FOLD. S_RS_COMP is a powerful object that enables you to make choices on how to secure. There is one field in S_RS_COMP that relates to the query, and another field that relates to the InfoCube. This gives you the option to secure by query name, InfoArea, or InfoCube.

Tips:
InfoArea = group of InfoCubes
InfoCube = actual data
InfoObject = field (for example: company code, plant, or cost center)

Administrator

There are users who create new objects like InfoCubes, InfoAreas, and InfoObjects. They also schedule data loads, create update rules for InfoCubes, monitor performance, and set up source systems. The users who do these tasks are normally referred to as "administration users." Some of the common tasks performed by administration users are:

Set up and maintain different source systems and connections to SAP BW
Manage metadata and define new InfoObjects, DataSources, and InfoSources
Design InfoCubes
Create transfer rules and update rules
Schedule and monitor data-loading processes

Administration authorization objects are primarily used when doing anything in the Administrator Workbench (transaction code RSA1). The primary objects used are:

S_RS_ADMWB: Administrator Workbench - Objects

Authorization object S_RS_ADMWB is the most critical authorization object in administration protection. When you do anything in transaction code RSA1, object S_RS_ADMWB is the first object checked. There are two fields in this object: Activity and Administrator Workbench Object. Each of the two fields can have a variety of values. The possible values for the Administrator Workbench Object field are:

SourceSys: Working with a source system
InfoObject: Creating and maintaining InfoObjects
Monitor: Monitoring data brought over from the source systems
Workbench: Checked as you execute transaction code RSA1
InfoArea: Creating and maintaining InfoAreas
ApplComp: Limiting which application components you can access
InfoPackage: Creating and scheduling InfoPackages for data extraction
Metadata: Replication and management of the metadata repository

The following list shows possible values for the Activity field:

Maintain - 03
Execute - 16
Administer document storage - 23
Update metadata - 66

Other authorization objects for the admin user (authorization object, technical name, description):

Administrator Workbench - Objects (S_RS_ADMWB): Authorizations for working with individual objects of the Administrator Workbench. In detail, these are: source system, InfoObject, monitor, application component, InfoArea, Administrator Workbench, settings, metadata, InfoPackage, InfoPackage group, Reporting Agent settings, Reporting Agent package, documents (for metadata, master data, hierarchies, transaction data), document store administration, InfoSpoke.

Administrator Workbench - InfoObject (S_RS_IOBJ): Authorizations for working with individual InfoObjects and their sub-objects. Until Release 3.0A, only general authorization protection was possible, with authorization object S_RS_ADMWB. General authorization protection for InfoObjects still works as in the past. Special protection with S_RS_IOBJ is only used if there is no authorization for S_RS_ADMWB-IOBJ.

Administrator Workbench - InfoSource (flexible update) (S_RS_ISOUR): Authorizations for working with InfoSources with flexible updating and their sub-objects.

Administrator Workbench - InfoSource (direct update) (S_RS_ISRCM): Authorizations for working with InfoSources with direct updating and their sub-objects.

Administrator Workbench - InfoCube (S_RS_ICUBE): Authorizations for working with InfoCubes and their sub-objects.

Administrator Workbench - MultiProvider (S_RS_MPRO): Authorizations for working with MultiProviders and their sub-objects. Until BW 3.0B, Support Package 1, authorizations for MultiProviders were checked using authorization object S_RS_ICUBE. As of BW 3.0B, Support Package 2, this check can be kept as it is, or you can change it over to authorization object S_RS_MPRO. To do this, choose in Customizing under Business Information Warehouse > General BW Settings > Settings for Authorizations.

Administrator Workbench - ODS object (S_RS_ODSO): Authorizations for working with ODS objects and their sub-objects.

Administrator Workbench - InfoSet (S_RS_ISET): Authorizations for working with InfoSets.

Administrator Workbench - Hierarchy (S_RS_HIER): Authorizations for working with hierarchies.

Administrator Workbench - Master data maintenance (S_RS_IOMAD): Authorizations for processing master data in the Administrator Workbench.

Linking BW to Enterprise Portal (EP)

Summary: Step-by-step list explaining how to link a BW system to an EP system. (Note: These are the personal notes of an EP novice; they should not be used as a reference!)

Linking a BW System to the Enterprise Portal (EP6.0):

In the following article, I want to share my experience in linking a BW System (release BW3.5) to an Enterprise Portal (release BW6.0SP2). Before diving into the subject matter, I want to note that I am fairly technically experienced in the BW system; however, so far I had only very limited exposure to the EP, or to J2EE platforms in general. Given this, at first I was ready to hand over the task of linking the two systems to an experienced colleague. On second thought, however, I said to myself "heck, let's give it a try". After browsing through the documentation and some system settings, after about 2 hours I had successfully built (and tested) the connection (again, with NO prior experience in this area at all)! (Ok, I admit, 5 minutes of counseling by an EP expert probably helped as well.)

[Before I go into details, just a warning: The steps below worked for me. However, results may vary; things depend partially on your local IT infrastructure. Also, some of my statements below *could* be incorrect. For any serious activities, you should make sure to either receive the proper training, or to consult with an expert in the respective area.]

Those were the steps I had to take (btw, I had super user rights on the EP):

1. Once logged into the EP, choose "System Administration", then "System Configuration", then "System".

2. You will see a screen "System Landscape Editor", and to the left of it "Portal Content". Right-click on "Portal Content", and choose New >> System.

3. The System Wizard comes up. Choose "SAP_R3_LoadBalancing" (if your system is load balanced, like in my case). Click "next".

4. Enter the following:
System Name (here I chose the 3 digit system name from the logon, something like "BW1")
System ID (here I chose the logical system ID, like BW1CLNT003; you can get this e.g. from table T000 in the BW system)
System ID Prefix (a prefix to find and group your settings, e.g. BW)
Then save as system. Click "next".

5. Choose "Property Category = Connector", and maintain the following fields:
Application Host (the address of the host; you can get this e.g. from the BW WAD from a web query URL string; it's what comes after http:// and before ":[port]"; something like "usbw0101.xxx.com")
Logical System ID (you can get this from table T000 in the BW system, something like "BW1CLNT003")
SAP Client (BW client name)
SAP System Name (here I entered the 3 letter system name, like "BW1")
SAP System Number (you get this e.g. from the BW logon properties)
Server Port (this again you get e.g. from the query URL string mentioned above; it's the number which comes after the Application host; e.g. "8100")
System Template Name (here I used again the logical system ID from above)
System Type ("SAP_BW", of course)

6. Choose "Property Category = WAS", and maintain the following fields:
WAS description (same as System Name above, e.g. "BW1")
WAS host name (same as application host above, but together with the port number from above, i.e. something like "usbw0101.xxx.com:8100")
WAS path ("/sap/bw/bex")
WAS protocol ("http")

7. Choose "Property Category = User Management", and maintain the following:
Logon Method ("SAPLOGONTICKET")
User mapping fields ("{003,800}Client;Language")
User Mapping Type ("admin, user")
Save all your settings.

8. Still from the same screen, choose "System Aliases". Create and save a new "System Alias". Basically, I picked the logical system ID "BW1CLNT003" as system alias, and saved this.

9. Almost finished: As a next step, I had to perform what's called "user mapping" (so the EP can talk to the BW on behalf of a specific user). I went to "User Administration", then "User Mapping". I searched (in this case) for my user in "Users", then (under "Logon Data for System") selected the BW system, and maintained the login settings.

10. Final Step: Now you are ready to test the system connection! For this purpose, go to "System Administration", then "Support", from here to "SAP Application". Under "Tool" select "BWReport", and push "Run". Select your BW system, and a BEx Web Application Query String (you can use the string from the WAD URL above, basically the piece which starts with "cmd"; e.g. "cmd=ldoc&TEMPLATE_ID=LSTEMP"). Execute, and you should see the query results right in your Portal!

Enterprise Portal

SAP Enterprise Portal offers users a single point of access to all applications, information, and services needed to accomplish their daily tasks. Links to back-end and legacy applications, self-service applications, company intranet services, and Internet services are all readily available in the user's portal.

Portal Architecture overview

The security features of SAP Enterprise Portal include:

Authentication: Confirms or denies user identity through user ID and password. This can be done by using the existing LDAP server.

Authorization: Enforces role-based authorization for all content under the administrative control of the portal and prevents unauthorized access.

If you plan to have external users (Internet users) access your portal or backend system, have a proxy server installed and place it in a DMZ. Follow the link at the bottom of this page for installing a proxy server. The advantage is that you don't have your portal server facing the world; the disadvantage is that you have additional hardware. I prefer a proxy server for internal users also. I can hide the port number from users.

Single Sign-On (SSO)

Single Sign-On (SSO) provides secure access to multiple systems without requiring users to re-enter ID and password information for each application. In a portal environment, an SSO mechanism maps portal authentication information to each application for which a user holds predefined access permissions. This reduces user frustration, providing enhanced interaction with enterprise resources via the portal. You can have SSO enabled for the Portal using a third-party tool like SiteMinder from Netegrity. This will use Windows authentication, meaning that once you sign on to your Windows operating system, you don't have to sign on to the portal again. Then you have to enable SSO between the Portal and the R/3 system so that you don't have to sign on to R/3 or any other SAP system when you are accessing data from any of these systems. This can be done using the SAP logon ticket: the receiving system verifies the digital signature on the ticket and extracts the appropriate user ID. If you plan to have external users access your portal / backend system, you can add an additional layer of security by giving them SecurID or a digital certificate.

Apache Configuration for J2EE Web Applications

This document explains and describes how to set up the Apache Web server for use with the SAP J2EE Engine. The example is based on a Red Hat Linux installation and is transferable to all other operating systems. It gives you instructions on how to configure Apache in Proxy Mode. The backend used in the tests was a SAP J2EE Server running Enterprise Portal 6.0.

If you are one of those admins who faces some of the issues listed below:

Users access multiple systems, including SAP and non-SAP systems. Some systems reside in a dedicated network zone in the intranet, but many systems reside on different networks or on the Internet.
Users need to have different IDs and passwords to access these systems.
Each of these systems also maintains its own password policy. For example, in the SAP HR system, the user has to change his or her password every 30 days. In the next system, the user has to change the password every 90 days. In another system, the user does not need to regularly change his or her password at all.

What does this lead to? Users forget their passwords. The administrator is constantly resetting passwords. Keep in mind that this makes social engineering much easier.

The solution is Single Sign-On: with SSO, users access multiple systems based on a single authentication.