SlideShare a Scribd company logo

Introduction to SAP Security

Nasir Gondal
Nasir Gondal

SAP Security an introduction, presented at Victoria University to BCO8161

EducationTechnology
1 of 20
SAP Security An Overview Presented to: BCO6181
Agenda 1. 2. 3. 4. 5. What is Security Building blocks Common terminologies used Most Common tools in Security CUA
What is Security? Security concept is same around the globe like in your normal life, security - means removing or restricting unauthorized access to your belongings. For example your Car, laptop or cared cards etc IT Security? Information security (sometimes shortened to InfoSec) is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc...) SAP Security? In the same context of InfoSec. SAP security have the same meaning… or in other words - who can do what in SAP?
Building Blocks • • • • User Master Record Roles Profiles Authorization Objects
User Master Record? A User initially has no access in SAP • When we create access in system it defines UMR User Master Record information includes: • Name, Password, Address, User type, Company information • User Group • Roles and Profiles • Validity dates (from/to) • User defaults (logon language, default printer, date format, etc) User Types: Dialog – typical for most users System – cannot be used for dialog login, can communicate between systems and start background jobs Communications Data – cannot be used for dialog login, can communicate between systems but cannot start background jobs Reference – cannot log in, used to assign additional Authorizations to Users Service – can log in but is excluded from password rules, etc. Used for Support users and Internet services
Roles and Profiles Roles is group of tcode (s), which is used to perform a specific business task. Each role requires specific privileges to perform a function in SAP that is called AUTHORIZATIONS There are 3 types of Roles: • Single – an independent Role • Derived – has a parent and differs only in Organization Levels. Maintain Transactions, Menu, Authorizations only at the parent level • Composite – container that contains one or more Single or Derived Roles
Authorization Objects • Authorization Objects are the keys to SAP security • When you attempt actions in SAP the system checks to see whether you have the appropriate Authorizations • The same Authorization Objects can be used by different Transactions
SAP Application Security
User Buffer? • When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer • As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer. • You can see the buffer in Transaction ???
Executing a Transaction (Authorization Checks) 1) Does the Transaction exist? All Transactions have an entry in table TSTC 2) Is the Transaction locked? Transactions are locked using Transaction SM01 Once locked, they cannot be used in any client 3) Can the User start the Transaction? Every Transaction requires that the user have the Object S_TCODE=Transaction Name Some Transactions also require another Authorization Object to start (varies depending on the Transaction) 4) What can the User do in the Transaction? The system will check to see if the user has additional Authorization Objects as necessary
Live Demo
How to trace missing Authorization Frequently you find that the role you built has inadequate accesses and will fail during testing or during production usage. Why? Why It happens? Negligence of tester or some other reason How process initiated? This process kicks when security guy receives: • Email or, • phone call or • ticket
How do we determine correct accesses required?  SAP has various tools to analyse access errors and determine correct Authorizations required: Use Last Failed Authorization check - SU53 (60% effective) Use Assignment of Auth Object to Transactions - SU24 (60% effective) Trace the Authorizations for a function - ST01 (90% effective)
Common Terminologies User master Records Roles Authorizations Authority Check user buffer Authorization Errors security matrix Profiles Authorization Objects User menus
SAP Password controls There are some Standard SAP password Controls delivered by SAP which cannot be changed First-time users forced to change their passwords before they can log onto the SAP system, or after their password is reset.* Users can only change their password when logging on. Users can change their password at most, once a day Users can not re-use their previous five passwords. The first character can not be “?” or “!”. The first three characters of the password cannot appear in the same order as part of the user name. all be the same. include space characters. The password cannot be PASS or SAP*.
Password Controls - cont.  SAP Password System Parameters - system wide settings that can be configured by MPL - Minimum Password Length Password locked after unsuccessful login attempts Password Expiration time Password complexity  Illegal Passwords MPL can define passwords that cannot be used Enter impermissible passwords into SAP table USR40 MPL = Master parts List
Tools:  SU01 User Maintenance  PFCG Role Maintenance  SUIM Authorization Reporting Tree  SU02 Maintain Profiles  SU03 Maintain Authorisations  SU10 User Maintenance: Mass Changes  SU21 Maintain Authorization Objects  SU24 Auth Object check under transactions  SU3 Maintain default settings  SU53 Display Authority Check Values  SU56 Display user buffer  ST01 User trace  SM19 Audit Log Configuration  SM20 Display Audit Log  S_BCE_68002111 List of users with Critical Authorisations
CUA Central User Administration is a feature in SAP that helps to streamline multiple users account management on different clients in a multi SAP systems environment. This feature is laudable when similar user accounts are created and managed on multiple clients  Centralized Admin  Data consistency & accuracy  Eliminate redundant efforts
www.about.me/nasirgondal

Recommended

What is sap security
What is sap securityWhat is sap security
What is sap securitygrconlinetraining
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administrationnanda nanda
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasksSiva Pradeep Bolisetti
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 

Recommended

What is sap security
What is sap securityWhat is sap security
What is sap securitygrconlinetraining
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administrationnanda nanda
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasksSiva Pradeep Bolisetti
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRCAnil Kumar
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation hkodali
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and InstructionMart Leepin
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...akquinet enterprise solutions GmbH
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questionsSiva Pradeep Bolisetti
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 
165373293 sap-security-q
165373293 sap-security-q165373293 sap-security-q
165373293 sap-security-qAnywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security Siva Pradeep Bolisetti
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsTL Technologies - Thoughts Become Things
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
Cua setup procedure SAP security
Cua setup procedure SAP securityCua setup procedure SAP security
Cua setup procedure SAP securitySiva Pradeep Bolisetti
 
Creating new users and roles in sap guide
Creating new users and roles in sap guideCreating new users and roles in sap guide
Creating new users and roles in sap guidemehboobhafz
 
Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis SecurityGuang Ying Yuan
 
SAP Document Management System Integration with Content Servers
SAP Document Management System Integration with Content Servers SAP Document Management System Integration with Content Servers
SAP Document Management System Integration with Content Servers Verbella CMG
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRCtechgurusuresh
 
SAP HANA SPS08 Security
SAP HANA SPS08 Security SAP HANA SPS08 Security
SAP HANA SPS08 Security SAP Technology
 
Sap Access Risks Procedures
Sap Access Risks ProceduresSap Access Risks Procedures
Sap Access Risks ProceduresInprise Group
 
Ch10 system administration
Ch10 system administration Ch10 system administration
Ch10 system administration Raja Waseem Akhtar
 

More Related Content

What's hot

Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRCAnil Kumar
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation hkodali
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and InstructionMart Leepin
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...akquinet enterprise solutions GmbH
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
Creating new users and roles in sap guide
Creating new users and roles in sap guideCreating new users and roles in sap guide
Creating new users and roles in sap guidemehboobhafz
 
SAP Document Management System Integration with Content Servers
SAP Document Management System Integration with Content Servers SAP Document Management System Integration with Content Servers
SAP Document Management System Integration with Content Servers Verbella CMG
 
SAP HANA SPS08 Security
SAP HANA SPS08 Security SAP HANA SPS08 Security
SAP HANA SPS08 Security SAP Technology
 

What's hot (20)

Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRC
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answers
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and Instruction
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questions
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access Control
 
165373293 sap-security-q
165373293 sap-security-q165373293 sap-security-q
165373293 sap-security-q
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online training
 
Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systems
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
 
Cua setup procedure SAP security
Cua setup procedure SAP securityCua setup procedure SAP security
Cua setup procedure SAP security
 
Creating new users and roles in sap guide
Creating new users and roles in sap guideCreating new users and roles in sap guide
Creating new users and roles in sap guide
 
Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis Security
 
SAP Document Management System Integration with Content Servers
SAP Document Management System Integration with Content Servers SAP Document Management System Integration with Content Servers
SAP Document Management System Integration with Content Servers
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRC
 
SAP HANA SPS08 Security
SAP HANA SPS08 Security SAP HANA SPS08 Security
SAP HANA SPS08 Security
 

Similar to Introduction to SAP Security

Sap Access Risks Procedures
Sap Access Risks ProceduresSap Access Risks Procedures
Sap Access Risks ProceduresInprise Group
 
Salesforce admin training 2
Salesforce admin training 2Salesforce admin training 2
Salesforce admin training 2HungPham381
 
How to be a Security Minded Admin by Chris Zullo
How to be a Security Minded Admin by Chris ZulloHow to be a Security Minded Admin by Chris Zullo
How to be a Security Minded Admin by Chris ZulloSalesforce Admins
 
Access Control Fundamentals
Access Control FundamentalsAccess Control Fundamentals
Access Control FundamentalsSetiya Nugroho
 
Getting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesGetting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesHelpSystems
 
5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business AccountsAnayaGrewal
 
3 windowssecurity
3 windowssecurity3 windowssecurity
3 windowssecurityricharddxd
 
Introduction on sap security
Introduction on sap securityIntroduction on sap security
Introduction on sap securityyektek
 
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAP
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAPNt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAP
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAPEvelyn Donaldson
 
Globalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityGlobalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityAcademic Research Paper Writing Services
 
Globalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityGlobalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityAcademic Research Paper Writing Services
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathanaminpathan11
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019Fahad Al-Hasan
 
Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)IIUI
 

Similar to Introduction to SAP Security (20)

Sap Access Risks Procedures
Sap Access Risks ProceduresSap Access Risks Procedures
Sap Access Risks Procedures
 
Ch10 system administration
Ch10 system administration Ch10 system administration
Ch10 system administration
 
Ch10
Ch10Ch10
Ch10
 
Salesforce admin training 2
Salesforce admin training 2Salesforce admin training 2
Salesforce admin training 2
 
Sap
SapSap
Sap
 
How to be a Security Minded Admin by Chris Zullo
How to be a Security Minded Admin by Chris ZulloHow to be a Security Minded Admin by Chris Zullo
How to be a Security Minded Admin by Chris Zullo
 
Chapter 7
Chapter 7Chapter 7
Chapter 7
 
Access Control Fundamentals
Access Control FundamentalsAccess Control Fundamentals
Access Control Fundamentals
 
Getting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesGetting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User Privileges
 
5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts
 
3 windowssecurity
3 windowssecurity3 windowssecurity
3 windowssecurity
 
Devi
DeviDevi
Devi
 
Introduction on sap security
Introduction on sap securityIntroduction on sap security
Introduction on sap security
 
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAP
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAPNt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAP
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAP
 
Globalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityGlobalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information security
 
Globalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityGlobalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information security
 
Privileged Access Manager Product Q&A
Privileged Access Manager Product Q&APrivileged Access Manager Product Q&A
Privileged Access Manager Product Q&A
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathan
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)
 

Recently uploaded

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...PsychoTech Services
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 

Recently uploaded (20)

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 

Introduction to SAP Security

  • 2. Agenda 1. 2. 3. 4. 5. What is Security Building blocks Common terminologies used Most Common tools in Security CUA
  • 3. What is Security? Security concept is same around the globe like in your normal life, security - means removing or restricting unauthorized access to your belongings. For example your Car, laptop or cared cards etc IT Security? Information security (sometimes shortened to InfoSec) is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc...) SAP Security? In the same context of InfoSec. SAP security have the same meaning… or in other words - who can do what in SAP?
  • 4. Building Blocks • • • • User Master Record Roles Profiles Authorization Objects
  • 5. User Master Record? A User initially has no access in SAP • When we create access in system it defines UMR User Master Record information includes: • Name, Password, Address, User type, Company information • User Group • Roles and Profiles • Validity dates (from/to) • User defaults (logon language, default printer, date format, etc) User Types: Dialog – typical for most users System – cannot be used for dialog login, can communicate between systems and start background jobs Communications Data – cannot be used for dialog login, can communicate between systems but cannot start background jobs Reference – cannot log in, used to assign additional Authorizations to Users Service – can log in but is excluded from password rules, etc. Used for Support users and Internet services
  • 6. Roles and Profiles Roles is group of tcode (s), which is used to perform a specific business task. Each role requires specific privileges to perform a function in SAP that is called AUTHORIZATIONS There are 3 types of Roles: • Single – an independent Role • Derived – has a parent and differs only in Organization Levels. Maintain Transactions, Menu, Authorizations only at the parent level • Composite – container that contains one or more Single or Derived Roles
  • 7. Authorization Objects • Authorization Objects are the keys to SAP security • When you attempt actions in SAP the system checks to see whether you have the appropriate Authorizations • The same Authorization Objects can be used by different Transactions
  • 8.
  • 10. User Buffer? • When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer • As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer. • You can see the buffer in Transaction ???
  • 11. Executing a Transaction (Authorization Checks) 1) Does the Transaction exist? All Transactions have an entry in table TSTC 2) Is the Transaction locked? Transactions are locked using Transaction SM01 Once locked, they cannot be used in any client 3) Can the User start the Transaction? Every Transaction requires that the user have the Object S_TCODE=Transaction Name Some Transactions also require another Authorization Object to start (varies depending on the Transaction) 4) What can the User do in the Transaction? The system will check to see if the user has additional Authorization Objects as necessary
  • 13. How to trace missing Authorization Frequently you find that the role you built has inadequate accesses and will fail during testing or during production usage. Why? Why It happens? Negligence of tester or some other reason How process initiated? This process kicks when security guy receives: • Email or, • phone call or • ticket
  • 14. How do we determine correct accesses required?  SAP has various tools to analyse access errors and determine correct Authorizations required: Use Last Failed Authorization check - SU53 (60% effective) Use Assignment of Auth Object to Transactions - SU24 (60% effective) Trace the Authorizations for a function - ST01 (90% effective)
  • 15. Common Terminologies User master Records Roles Authorizations Authority Check user buffer Authorization Errors security matrix Profiles Authorization Objects User menus
  • 16. SAP Password controls There are some Standard SAP password Controls delivered by SAP which cannot be changed First-time users forced to change their passwords before they can log onto the SAP system, or after their password is reset.* Users can only change their password when logging on. Users can change their password at most, once a day Users can not re-use their previous five passwords. The first character can not be “?” or “!”. The first three characters of the password cannot appear in the same order as part of the user name. all be the same. include space characters. The password cannot be PASS or SAP*.
  • 17. Password Controls - cont.  SAP Password System Parameters - system wide settings that can be configured by MPL - Minimum Password Length Password locked after unsuccessful login attempts Password Expiration time Password complexity  Illegal Passwords MPL can define passwords that cannot be used Enter impermissible passwords into SAP table USR40 MPL = Master parts List
  • 18. Tools:  SU01 User Maintenance  PFCG Role Maintenance  SUIM Authorization Reporting Tree  SU02 Maintain Profiles  SU03 Maintain Authorisations  SU10 User Maintenance: Mass Changes  SU21 Maintain Authorization Objects  SU24 Auth Object check under transactions  SU3 Maintain default settings  SU53 Display Authority Check Values  SU56 Display user buffer  ST01 User trace  SM19 Audit Log Configuration  SM20 Display Audit Log  S_BCE_68002111 List of users with Critical Authorisations
  • 19. CUA Central User Administration is a feature in SAP that helps to streamline multiple users account management on different clients in a multi SAP systems environment. This feature is laudable when similar user accounts are created and managed on multiple clients  Centralized Admin  Data consistency & accuracy  Eliminate redundant efforts