1. What needs to be secured in the company?
Material Master
Vendor Master
Employee Master
Asset Master
Profit & Loss Reports
Financial Information
2. From whom?
From the authenticated users who are created in SAP.
3. How to protect?
1. Define who does what, up to what level, and in which jurisdiction.
Example: A Purchasing Officer creates and approves Purchase Orders for a
value of not more than 10,000 (ten thousand only) for his division (028).
2. Define the SOD (Segregation of Duties / Separation of Duties).
SOD is a matrix which is used to specify each position along with its roles and
responsibilities.
4. What tools are used?
1. VIRSA tool, a third-party tool owned by SAP
2. Approva tool
From SAP:
SU01, SU10, SU20, SU21, SU22, SU23, SU24, SU25, SU53, SU56,
SUIM, SU99, PFCG, PFUD, SU02, SU3, SM30, SE38, SE54, SA38, SE12,
ST01
_____________________________________________________
SOX (Sarbanes-Oxley Act, Section 404)
It specifies that a single business transaction should not be assigned to a
single user, to avoid malpractice and misuse of public funds.
Example 1:
1. Hire Requisition
2. Hiring (Recruiting)
3. Job Assignment
4. Time Recording
5. Payroll Processing
6. Salary Disbursement
Example 2:
1. Purchase Requisition
2. Purchase Approval and Release
3. Invoice and Billing
4. Goods Delivery
5. Goods Receipt
6. Payment to the Vendor
7. Reconciliation
All the above activities should not be assigned to a single user.
They need to be spread across several users.
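The SOD rule above as an added worked check (not part of the original notes): given constructed user, role and composite-role assignments, it flags every user who holds both sides of a conflicting pair of business functions. The transaction codes ME51N, ME21N, ME29N, MIGO, MIRO, F110 and VA03 are standard SAP codes assumed here to implement the steps of the second example; the role names, users and conflict matrix are constructed sample data.

```python
"""Segregation-of-duties (SOD) check over user/role/transaction assignments.

Added example, not part of the original notes. Users, roles and the conflict
matrix are constructed; a real SOD matrix comes from the approved role matrix.
"""

# Constructed single roles (customer Z naming) and the transactions they grant.
ROLE_TCODES = {
    "Z_MM_REQUISITIONER": {"ME51N"},           # purchase requisition
    "Z_MM_PO_APPROVER":   {"ME21N", "ME29N"},  # create PO, release PO
    "Z_MM_GOODS_RECEIPT": {"MIGO"},            # goods receipt
    "Z_FI_AP_INVOICE":    {"MIRO"},            # invoice verification
    "Z_FI_AP_PAYMENT":    {"F110"},            # payment run to the vendor
    "Z_SD_DISPLAY_ONLY":  {"VA03"},            # display sales order, harmless
}

# Business functions of the procure-to-pay chain, keyed to the tcodes that
# implement them, and the pairs that must never sit with one user.
FUNCTIONS = {
    "PO_APPROVAL":    {"ME21N", "ME29N"},
    "GOODS_RECEIPT":  {"MIGO"},
    "INVOICE":        {"MIRO"},
    "VENDOR_PAYMENT": {"F110"},
}
CONFLICTS = [
    ("PO_APPROVAL", "VENDOR_PAYMENT"),   # approve the spend and pay for it
    ("PO_APPROVAL", "GOODS_RECEIPT"),    # approve the order and confirm delivery
    ("INVOICE", "VENDOR_PAYMENT"),       # post the invoice and release payment
]

# A composite role grants whatever its included single roles grant.
COMPOSITE_ROLES = {
    "Z_COMP_AP_CLERK": {"Z_FI_AP_INVOICE", "Z_FI_AP_PAYMENT"},
}
USER_ROLES = {
    "PURCH01": {"Z_MM_REQUISITIONER", "Z_MM_PO_APPROVER"},
    "APCLERK": {"Z_COMP_AP_CLERK", "Z_SD_DISPLAY_ONLY"},
    "WAREH01": {"Z_MM_GOODS_RECEIPT"},
    "SUPER01": {"Z_MM_PO_APPROVER", "Z_FI_AP_PAYMENT"},
}


def expand_roles(roles):
    """Replace every composite role by the single roles it includes."""
    single = set()
    for role in roles:
        single |= COMPOSITE_ROLES.get(role, {role})
    return single


def effective_tcodes(user):
    """All transactions a user can start through his expanded roles."""
    tcodes = set()
    for role in expand_roles(USER_ROLES.get(user, set())):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def functions_held(user):
    """Business functions the user can perform: one tcode of a function suffices."""
    tcodes = effective_tcodes(user)
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def sod_violations(user):
    """Sorted list of conflicting function pairs held by a single user."""
    held = functions_held(user)
    return sorted((a, b) for a, b in CONFLICTS if a in held and b in held)


def report():
    """Users with at least one SOD violation, mapped to their violations."""
    result = {}
    for user in USER_ROLES:
        violations = sod_violations(user)
        if violations:
            result[user] = violations
    return result


if __name__ == "__main__":
    for user, violations in report().items():
        print(user, "->", violations)
```

The composite-role expansion matters: APCLERK never receives F110 directly, yet holds the invoice/payment conflict through Z_COMP_AP_CLERK.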
Role Matrix / SOD
It is a matrix which contains positions/jobs along with their assigned
transactions.
The roles are assigned to users to give them authorization for those transactions.
Authentication:
It is the process of providing a user ID and password to log in.
Authorization: it is the process of assigning roles to a user so that they can perform certain
activities.
There is no role to restrict authorizations; if a user is authorized, it means he
is allowed to perform certain activities.
Designing Security:
It is implemented in a similar way and in parallel to the SAP implementation,
i.e. the ASAP methodology is used to design, develop, transport, test and
take into production use. Phases:
1. Analysis and Conception Phase
2. Designing Phase
3. Implementation
4. Testing
5. Cutover Phase
1. Analysis and Conception Phase:
Understand the security requirements of the customer.
Assemble the project implementation team and gather the requirements
related to security.
Identify the assets, materials and financial structure (Accounts
Receivable, Accounts Payable).
Identify the actions (activities that need to be protected) on a specific
field, area or object.
Create, modify, display, reverse, approve, print, upload, download etc. are the
actions on the object PO for the field Purchasing Area (02).
* means all the possible areas.
Do not specify an asterisk (*) for any open field.
Get the requirements and design a role matrix for each module.
Identify the jobs/positions and responsibilities and define the matrix.
*************************************************************
Designing Phase:
Define the Role Matrix/SOD blueprint and refine it until it gets approved/signed
off.
*************************************************************
Development/Implementation/Realization Phase:
Develop the roles in the CUST client and transport them to the TEST client for
testing.
Assign the roles to the Business Process Owners and test them.
*************************************************************
Testing/Quality Assurance/Final Preparation:
Release the roles in Development for transport. Import the same into the
QTST client in the QAS system.
After successful testing, import them into the TRNG client (where end users are
trained on the system roles).
___________________________________________________________
Cutover Phase/Go-live Phase:
Transport them to the Production system.
_____________________________________________________
Initializing the Profile Generator:
SU25: initially fill the customer tables.
This is the first step to be executed before starting to work on security.
USOBT and USOBX are the SAP standard tables:
USOBT -------- Transaction vs. Authorization Object
USOBX -------- Check Indicators table
When you execute the above transaction (SU25 initial fill) it copies the entries
from USOBT and USOBX to the customer tables USOBT_C and
USOBX_C. Then the customer can modify them accordingly.
If this is run again after customer settings have been made, all the customer settings will be lost.
How Security Works:
1. User ID and password (authentication of the user).
To stop misuse of system credentials or impersonation by others, various
security parameters for user ID and password are set (30-day expiry, alphanumeric
passwords, minimum length, disallow multiple logons).
2. When a user executes a transaction, the system checks whether it is locked or not
in SM01.
3. It checks whether the transaction is allowed to execute via authorization
object S_TCODE.
4. It checks the table TSTCA for the minimum authorizations that are
required to execute the transaction.
5. It checks that all the authorization objects assigned to the transaction in SU24 are
available in the user context.
6. It also checks the authorization objects which are included in the
program using the AUTHORITY-CHECK statement.
Each transaction is checked under object S_TCODE; the field name is TCD.
SU24:
It gets the values from tables USOBT and USOBX.
USOBT contains the list of authorization objects assigned to a
transaction which can be checked when the transaction is executed.
USOBX contains the list of authorization objects along with their check indicator
(Check, No check, Check/Maintain, Unmaintained).
There are certain objects which need security but may not require to be
checked. These can be set to CHECK-NO in SU24.
Each change is client-independent (repository) and requires a Workbench
Request.
Programming Authorizations
Each program that needs to be secured uses the statement
AUTHORITY-CHECK followed by the authorization object, field, value and
activity.
The authorization is controlled at field level and based on activity. These
are used in the programs and checked by using the AUTHORITY-CHECK statement.
It is recommended to advise developers to use this statement in their
programs to secure them.
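An added Python model (not SAP code) of the check sequence above and of what an AUTHORITY-CHECK statement evaluates: a check passes only if one single authorization for the object covers every field of the check; maintained values may be exact, generic with a trailing * (ZMM*), the full * or a from-to range; and leaving * in an open org field, as the notes warn against, grants the activity everywhere. S_TCODE/TCD, ACTVT and the purchasing object M_BEST_EKO with fields EKORG/ACTVT are real SAP names; the user contexts and the transaction ME21N used to create purchase orders are assumed sample data.

```python
"""Model of the SAP authorization check sequence and of AUTHORITY-CHECK.

Added example, not SAP code. A check succeeds only if ONE authorization for
the object covers EVERY field of the check; a maintained value may be exact,
a generic value with a trailing * (ZMM*), the full wildcard * or a from-to
range. The user contexts below are constructed sample data.
"""


def value_matches(auth_value, checked):
    """One maintained value against one checked value, SAP wildcard rules."""
    if isinstance(auth_value, tuple):            # from-to range, e.g. (ZMM*, ZMZ*)
        low, high = auth_value
        return low <= checked <= high
    if auth_value == "*":                        # full wildcard covers everything
        return True
    if auth_value.endswith("*"):                 # generic value: prefix match
        return checked.startswith(auth_value[:-1])
    return auth_value == checked


def authorization_covers(auth, fields):
    """True if this single authorization satisfies all ID/FIELD pairs."""
    for field, checked in fields.items():
        if not any(value_matches(v, checked) for v in auth.get(field, [])):
            return False
    return True


class UserContext:
    """Authorizations loaded at logon (what SU56 displays) plus the SU53-style
    record, which keeps only the last failed check."""

    def __init__(self, authorizations):
        self.authorizations = authorizations   # {object: [{field: [values]}]}
        self.last_failure = None

    def authority_check(self, obj, **fields):
        """AUTHORITY-CHECK OBJECT obj ID field FIELD value ...; sy-subrc 0 -> True."""
        for auth in self.authorizations.get(obj, []):
            if authorization_covers(auth, fields):
                return True
        self.last_failure = (obj, dict(fields))  # SU53 overwrites the previous one
        return False

    def start_transaction(self, tcode):
        """Step 3 of the sequence: object S_TCODE, field TCD."""
        return self.authority_check("S_TCODE", TCD=tcode)


def create_po_allowed(ctx, ekorg):
    """What a program guarding PO creation checks: object M_BEST_EKO with the
    purchasing organization (EKORG) and activity 01 = create."""
    return (ctx.start_transaction("ME21N")
            and ctx.authority_check("M_BEST_EKO", EKORG=ekorg, ACTVT="01"))


# Constructed context of a purchasing officer: create/change/display in his own
# purchasing organization 0028, display only (03) everywhere else.
OFFICER = UserContext({
    "S_TCODE": [{"TCD": ["ME21N", "ME23N"]}],
    "M_BEST_EKO": [
        {"EKORG": ["0028"], "ACTVT": ["01", "02", "03"]},
        {"EKORG": ["*"],    "ACTVT": ["03"]},
    ],
})

# Same role with * left in the open org field: the mistake the notes warn about.
CARELESS = UserContext({
    "S_TCODE": [{"TCD": ["ME2*"]}],
    "M_BEST_EKO": [{"EKORG": ["*"], "ACTVT": ["01", "02", "03"]}],
})

if __name__ == "__main__":
    print(create_po_allowed(OFFICER, "0028"), create_po_allowed(OFFICER, "0010"))
    print("SU53:", OFFICER.last_failure)
    print(create_po_allowed(CARELESS, "0010"))
```

Note that the officer's two authorizations do not combine: EKORG * from the display-only authorization never lends itself to ACTVT 01 from the other one, which is exactly why the 0010 check fails.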
Authorizations:
Authorization Field: the lowest granular field that needs to be protected is
known as an authorization field.
These are defined in transaction SU20. They are maintained at repository
level, so they are cross-client. Each new field requires the customer naming
convention (Y, Z).
These are also referred to as database table fields (PO, SO, Salary).
Authorization Activity: the type of action that will be performed on the
field.
Create, Modify/Update, Display, Delete, Approve etc.
These activities are defined in table "TACT". It is editable in SM30.
Activities are identified by using two alphanumeric characters.
Authorization:
The field with an activity or value is referred to as an authorization.
PO -- Create (01), Display (03), Modify (03)
PO -- Purchasing org (0001), Area (002), Plant (SRN)
A group of not more than 150 authorizations is called an
authorization profile.
If the authorizations exceed 150, another profile is
created with name_1 and grouped into a composite profile.
Authorization Object:
A group of not more than 10 related authorization fields is known as an
authorization object.
These are defined in SU21. Each authorization object is assigned
predefined activities that are stored in the table "TACTZ".
Authorization Classes:
A group of related authorization objects is called an
authorization/object class; these are defined in SU22.
The authorization object is assigned to a transaction in SU24 and marked
check/no check and maintain so that it is proposed in PFCG.
Authorization Role: these were referred to as Activity Groups until version 4.6B.
From 4.6C, Activity Groups are named Roles.
A role is a container which holds profiles, menus, URLs, reports etc.
A role is only a name; authorizations are available through profiles only.
Roles are created in transaction PFCG (Profile Create and Generate).
_____________________________________________________
Check sequence summary:
1. SU01
2. SM01
3. S_TCODE
4. TSTCA
5. SU24
6. AUTHORITY-CHECK
_____________________________________________________
User Context:
It is a part of the roll area (roll file) where user-related information is stored. It is
like a cookie in the browser.
It is available as long as the user is logged in; the user context is lost on log-off.
SU56 is used to display the user context information.
The user context contains authorizations, screens etc.
-----------------------------------------------------
Missing Authorizations:
1. The user executes a transaction.
2. The system checks in the user context (SU56) for availability.
3. If it is not available, it is recorded in SU53.
It checks for the missing authorization object, authorization
field, TCODE, field value, activity and organizational value and records
them in SU53.
SU53 records only the last missing authorization.
SU53 cannot log missing authorizations for earlier sessions, only
for the current session.
So ST01 is used to trace the authorizations.
----------------------------------------------------
Role: roles are defined in PFCG and contain authorization
fields, values, activities, authorization objects, profiles, composite
profiles, authorization classes, transactions, menus, URLs, reports etc.
Execute PFCG and create a role:
1. Define the roles as per the naming conventions.
2. Create roles in one client (Golden Client) and transport them to the other
clients and systems in the landscape.
3. Roles can be uploaded to and downloaded from the system.
4. Roles can be transported massively using transports.
5. Ensure that roles do not contain duplicate authorizations.
6. ASSIGN ONLY THE ROLES THAT ARE APPROVED/REQUIRED as per the
SOD.
****************************************************************
PFCG is used for the following:
1. Create/modify/display/delete a role.
2. A role can be downloaded to the file system (Download).
3. A role can be uploaded into the SAP system (Upload).
Specify the role name and click on Create (you can also copy a role from
an existing role).
Describe the role with a short description.
Describe the role in the Description tab (e.g. "This role is created for Plant
Maintenance (Planning Division); this role contains the following transactions:
(specify the list of transactions along with the role owner)").
The description is used to identify the creator/modifier/owner of the role.
Further changes to the role should be performed only after obtaining approval
from the role owner.
Click on the Menu tab.
It is used to include transactions, reports, menus, URLs and other
applications.
Menu:
Menus are used to provide user-friendly navigational elements. These are
defined in SE43.
SAP provides the SAP Easy Access menu, which can be overwritten by the user
menu.
We can create our own menus in SE43.
We can include authorizations based on menus.
We can copy transactions from the SAP menu / user menu / area menus (SE43).
Note: when custom programs/reports are included they are automatically
created/assigned with a transaction code that starts with "Y".
Menus are only used to include a transaction, but the authorizations are
required to be maintained as per the SU24 Check and Maintain options
(Yes/No).
Click on the Authorizations tab.
Click on Change Authorization Data to maintain the open fields and
activities.
Example: SU01 is assigned to the role. The user who is assigned the
role can create users, but with certain restrictions (only for a specific
client, group, role, profile etc.).
Change Authorization Data provides the list of open fields (for
authorization objects that are checked in SU24).
The authorization classes, objects, profiles and fields are displayed in traffic-light
colours:
YELLOW --------- activity or field value is missing
RED ------------ organizational value is missing (sales organisation, sales
area, distribution channel, plant, storage location etc.)
GREEN --------- all the values are maintained.
Click on Organizational Values and provide the details as per the SOD to
ensure that all the red lights are turned off.
For yellow lights we need to open them manually and maintain the fields and
activities.
We can also include objects manually (it is not recommended; instead assign
them to the transaction in SU24 for automatic availability in PFCG).
Save the role and generate the profile (the profile contains the authorizations).
The role is effective only after generation of the profiles;
for each change in a role, profile generation is required.
Assign the role to the user and perform USER COMPARISON so that the role
is effective immediately.
MiniApps are no longer used; they were used up to 4.6C.
Personalization:
It is used to restrict the output of a report/program,
e.g. during time recording it should display the last one week and the next one week;
salary: last month.
These personalization objects are registered using transaction "PERSREG".
Profiles were widely used up to 4.6B in combination with Activity Groups.
Activity Groups were renamed as Roles in 4.6C.
So while working with system versions earlier than 4.6C,
AG, CAG (composite) and DAG (derived) are widely discussed.
Earlier, profiles were created in SU02, like SAP_ALL and SAP_NEW.
SAP discontinued the creation of profiles and introduced roles from
4.6C,
but the Profiles tab is still available in transaction SU01.
SAP_ALL and SAP_NEW are the only composite profiles that are still
available in the systems (current versions).
Profiles are no longer created, only generated while creating a role.
Profiles can be generated massively (after a role upload or role
transport) using SUPC.
During the transport only roles are transported (i.e. no profiles are
transported along with roles),
so it is required to generate the profiles using SUPC.
Depending upon the number of authorizations in the role, composite
profiles are created automatically.
It is not recommended to assign profiles in current systems based on
NetWeaver; instead assign roles, which contain the profiles.
SAP_ALL and SAP_NEW are only assigned in TEST/SAND/QTST/TRNG
systems, but not in CUST/PROD systems.
Single Role:
The role that is created in PFCG in the customer naming convention. It
provides certain authorizations when assigned to a user.
A single role can be a referencing role which will be a base to create other
roles (copy role). A single role can be a parent role to create child
roles. Single roles can be grouped to create composite roles.
These roles cannot be differentiated physically but are only identified by using
naming conventions:
WILL_COMP_MM_DIV_10
WILL_DER_SD_SAREA_345
WILL_PARENT_SD_SAREA
_______________________________________________________
Composite Roles: a group of roles for administrative convenience or
for easy maintenance.
Example:
A Zonal Manager belongs to a distribution channel like
Vishakapatnam (Srikakulam, Vizianagaram, EG, WG).
Each district has a District Manager who can work only on his
allocated district.
The four District Manager roles are grouped and assigned to the Zonal
Manager. Role enhancements (assign, reassign, delete) on any of the included roles
automatically take effect in the Zonal Manager role.
Go to PFCG and
specify a role name.
Company Code, Contr Area, DIV, Sales Org, DC
1. 00101 0001 01,02,0001,01,12,14,10
-----------------------------
Create a Composite Role:
The Authorizations tab is missing because we cannot assign any additional
authorizations; we can only include roles.
No profiles are generated (only the profiles in the included roles are used).
Menus can be compressed by avoiding duplicates.
Whatever changes are made in the included roles take effect in the composite role.
In composite roles we can only compress menus
and include roles.
Profiles are transported along with composite roles.
----------------------------------------------------
Parent Role:
It is a single role which will be referenced to create child roles.
In most scenarios the parent role is not assigned to any user.
It is considered as a template to create other roles.
The major advantage is that changes in the parent role are automatically
adjusted in the child/derived roles. This is not possible with copied
roles: copying is a one-time activity, whereas the parent-child relationship
lasts until the relation is broken/deleted.
Creating a Child Role/Derived Role:
1. Go to PFCG.
2. Specify a role name that identifies it as a derived role.
3. Click on Create.
4. Go to the Description tab, specify the parent role name in "Derive from Role"
and save.
5. The Menu tab is missing, i.e. you cannot add any object through the Menu tab,
so we can say the MENUS are FIXED.
6. While the parent role is being modified, the derived roles cannot be modified.
7. Maintain the open fields (org levels, field values, activities).
8. Save and generate the profile.
Updating or Enhancing a Parent Role:
Go to PFCG.
Select the parent role.
Include or exclude entries in the menus.
Click on Change Authorization Data.
Maintain the open fields.
Save and generate the profile for the parent role.
Click on Adjust Derived Roles.
It automatically adjusts all the derived roles except for the org values.
The parent role imparts all the authorizations to the child/derived roles but not the
ORG VALUES.
Parent role and child roles differ by organizational values.
These are used to create Plant Manager, Warehouse In-charge, Division
Manager, Depot Manager etc. roles which are similar in all the activities but
differ only by org values.
The parent role imparts all its properties to the child roles;
the child inherits everything except the organizational values, which need to
be maintained in the child roles.
Delete Inheritance:
The child role can break the relationship with the parent; from then on no
updates/inheritance/imparting applies.
Go to PFCG,
select the role,
go to the Description tab,
click on Delete Inheritance.
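The parent/derived role mechanics above as an added Python model (not PFCG code): deriving copies everything except the org levels, Adjust Derived Roles re-imparts parent changes while keeping each child's own org values, and Delete Inheritance stops further updates. Role names and authorization data are constructed sample data; the object M_BEST_WRK with fields WERKS/ACTVT and the org-level field names EKORG, WERKS and VKORG are real SAP names, and the set of org-level fields is an assumed subset.

```python
"""Parent (template) role and derived roles, modelled after the PFCG behaviour
described above. Added example, not SAP code: role names and authorization
data are constructed sample data."""
import copy

# Fields that PFCG treats as organizational levels (the "red lights" in the
# authorization tree). Assumed subset; real systems have many more.
ORG_LEVEL_FIELDS = {"EKORG", "WERKS", "VKORG"}


class Role:
    def __init__(self, name, authorizations, parent=None):
        # authorizations: {object: [ {field: [values...]}, ... ]}
        # an org-level field with an empty value list is "not maintained"
        self.name = name
        self.authorizations = authorizations
        self.parent = parent        # only set on derived roles
        self.org_values = {}        # maintained separately for each child

    def derive(self, child_name, org_values):
        """Create a child: everything is copied from the parent, then the
        child's own org values are filled into the org-level fields."""
        child = Role(child_name, copy.deepcopy(self.authorizations), parent=self)
        child.org_values = dict(org_values)
        child._apply_org_values()
        return child

    def _apply_org_values(self):
        for auths in self.authorizations.values():
            for auth in auths:
                for field in auth:
                    if field in ORG_LEVEL_FIELDS and field in self.org_values:
                        auth[field] = list(self.org_values[field])

    def adjust_derived_roles(self, children):
        """'Adjust Derived Roles': push the parent's current authorization data
        to every child that still inherits, keeping each child's org values."""
        for child in children:
            if child.parent is self:
                child.authorizations = copy.deepcopy(self.authorizations)
                child._apply_org_values()

    def delete_inheritance(self):
        """Break the link: later parent adjustments no longer reach this role."""
        self.parent = None

    def open_org_fields(self):
        """Org-level fields still unmaintained (would show red in PFCG)."""
        return {field
                for auths in self.authorizations.values()
                for auth in auths
                for field, values in auth.items()
                if field in ORG_LEVEL_FIELDS and not values}

    def tcodes(self):
        """Transactions the role's S_TCODE authorizations allow."""
        return {t for auth in self.authorizations.get("S_TCODE", [])
                for t in auth.get("TCD", [])}


def build_plant_manager_roles():
    """Constructed scenario: one parent, two plant-specific children, one of
    which breaks inheritance before the parent is enhanced and adjusted."""
    parent = Role("Z_PARENT_PLANT_MGR", {
        "S_TCODE": [{"TCD": ["ME21N", "ME23N"]}],
        "M_BEST_WRK": [{"WERKS": [], "ACTVT": ["01", "02", "03"]}],
    })
    plant_a = parent.derive("Z_DER_PLANT_MGR_A001", {"WERKS": ["A001"]})
    plant_b = parent.derive("Z_DER_PLANT_MGR_B002", {"WERKS": ["B002"]})
    plant_b.delete_inheritance()
    # Enhancement of the parent: add the PO release transaction, then adjust.
    parent.authorizations["S_TCODE"][0]["TCD"].append("ME29N")
    parent.adjust_derived_roles([plant_a, plant_b])
    return parent, plant_a, plant_b


if __name__ == "__main__":
    for role in build_plant_manager_roles():
        print(role.name, sorted(role.tcodes()), role.open_org_fields())
```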
***************************************************************
Profile Update/User Comparison
Whenever there is a change in the role assignment in the user master records,
it may not be effective immediately.
1. Transaction PFUD should be executed to update the profiles in the user
master records.
2. Use the option User Comparison in PFCG (User tab) to update the UMR.
3. Run the report PFCG_TIME_DEPENDENCY in SA38 or schedule it
periodically in SM36.
This is also referred to as User Master Reconciliation.
It is recommended to use the third option because it is scheduled in the
background during off-peak hours.
The remaining two options may consume more time in dialog mode and
hence may congest the system as well.
***************************************************************
User Administration
User administration can be controlled in the following ways:
1. Single Control ---- small organizations, partnership firms, individual
companies.
2. Principle of Dual Control ---- user administration is performed by one
administrator, and role assignment and authorization changes are performed by
another administrator.
3. Principle of Triple Control:
a. User Administrator (can be split based on user groups)
b. Role Assigner
c. Authorization Administrator
1. User Administrator: works with SU01 and SU10, but only within his
user group. He may or may not be allowed to assign roles and profiles.
2. Role Assigner: a user administrator or Business Process Owner who is
authorized to assign roles/profiles to the users.
3. Authorization Administrator: creation/modification/deletion of roles is
performed by an authorization administrator, who can also generate
profiles (also called a Profile Administrator).
User administration is restricted by using user
groups, roles, clients, authorizations and profiles.
----------------------------------------------------------------
User Groups:
User groups are created in SUGR.
These are used to maintain users massively in SU10 while assigning
roles to the users.
User Group for Authorization Check:
This is used to let user management manage only those users
who are assigned to the user group specified in their role (S_USER_GRP).
Similarly the roles can also be controlled by using
S_USER_AGR and S_USER_AUT (ZMM* ------- ZMZ*) (ZSD* ------ ZSZ*).
________________________________________________________________
User Management
Users are created in SU01 and/or maintained massively in SU10.
Some companies opt to use third-party tools like LDAP, custom
programs or IDM tools to populate users into SAP systems.
1. SU01
2. SU10
3. LDAP
4. Z programs to create users based on an HR Excel sheet with different
roles, profiles and parameters.
5. SECATT
6. SCUA
_____________---------------___________________________
SU01 is used to create, modify, delete, display, lock, unlock, change the
password of, copy etc. a single user.
SU10 is used to create users massively but with the same details.
SU01/SU10
Address tab:
It is used to maintain the details of the users like first
name, last name, title, language, department and location.
Logon Data:
Alias: it is used for internet users for additional authorization;
it is mostly used in CRM.
User type: there are 5 types of users.
1. Dialog: the only user type that can communicate with the system
interactively. Each session can be logged/traced and the user is responsible for
the actions during an audit.
Multiple logons are allowed, but we can restrict them. SAP recommends not
allowing multiple logons for sensitive areas like the P&L, Finance and HR
divisions.
2. Service User: similar to Dialog but not eligible for tracing/logging. It
is an anonymous user used for reporting and other general activities.
Multiple logons are allowed.
3. System User: no dialog is allowed; only logon in background
mode. This user is used to communicate within the system (example:
CUA, ALE, IDoc, standard background jobs etc.).
4. Communication: no dialog is allowed; only logon in background
mode. This user is used to communicate between systems (example:
SCC9 (remote client copy), CUA, ALE, IDoc).
5. Reference user: this is used to provide additional authorizations to
existing users. It is used only when a user goes on leave/vacation etc.
The existing user is marked as a reference user so that logon is disabled.
The user ID is specified in the delegated user's role (reference user for
additional rights).
The user is responsible for all activities and may be logged and
traced.
Note: tracing should only be allowed under exceptional
circumstances. Tracing writes enormous log files on the system.
Defaults:
Specify printer, decimal notation, date format, time zone etc.
These are used by default when not specified. They are overridden by
program values.
Parameters:
These are used to provide default values to the input fields.
The frequently keyed inputs can be configured as parameters,
for example company code, sales organization, sales area, sales division etc.
They are used to reduce the dialog steps.
Process:
1. Go to the input field.
2. Press F1.
3. Go to Technical Properties.
4. Select the parameter ID.
5. Specify the parameter ID and value in SU01.
Roles:
These are defined in PFCG.
Profiles:
These are generated in PFCG. Do not assign any profiles;
they are automatically assigned based on the role.
Groups:
These are used for mass maintenance of a group of users.
Personalization:
It is used to restrict the user selection criteria and output;
mostly the output is restricted in terms of 20 lines per page, current
month, last week (today-7).
License data:
Need to specify the user type to calculate the licenses used;
however this is maintained in USMM during the year-end SAP audit.
SAP calculates users based on this information.
______________________________________
Calling Transactions:
When one transaction is assigned, the user may be able to call further
transactions, for example SM51, SM50 etc.
Table TCDCOUPLES stores the details of calling and called transactions.
Use transaction SE97 to set the check indicator to Yes if they need to be
checked.
_____________________________________________________________
List of critical transactions that should not be assigned together:
Transaction SU99 is used to provide the list of transactions that are critical
for security.
The customer can maintain their own exception list.
These details are stored in table SUKRI.
**************************************************************
Restricting Access to Tables and Programs:
If SA38 is assigned to a user, he can execute all the programs.
If SM30 is assigned to a user, he can maintain all the tables.
Restricting Programs:
SAP recommends using AUTHORITY-CHECK inside the program to
secure it, but due to a lack of programming skills most
programmers do not use the above statement.
So SAP recommends using authorization groups to bind the programs
externally.
Go to SE54 to define authorization groups.
*************************************************************
Topics:
Handling Missing Authorizations
CUA
LDAP
GRC
SAP Security Parameters
******************************************
Handling Missing Authorizations:
1. A user creates a ticket that while accessing certain transactions a
pop-up message "You are not authorized" is displayed, for example for transaction
VA01.
It can be due to the following reasons:
a.) The transaction is not assigned to the user.
Resolution: assign the transaction to the user based on approval.
b.) The transaction is assigned in the UMR but the user could not access it.
Resolution: user master reconciliation ----- PFCG User Comparison, PFUD or
schedule PFCG_TIME_DEPENDENCY in BTC.
c.) The user can access the transaction but could not create a sales document or PO
for a specific field (company, sales organization, division, plant etc.).
Identify the missing field through SU53 and assign it.
d.) The user was able to access the role until yesterday; this morning he could
not access it.
The role expired or the role was updated, or the user was assigned the roles temporarily
for 30 days, or the role was assigned through a reference user.
e.) The user is an RFC user and could not communicate using RFC.
Resolution: the user is locked in the source/target system. The details are
buffered in the system and could not take new values (/$sync, /$tab --------
refresh the buffer). This is not recommended in PRD systems, as it
dramatically shoots up the response time; users encounter high response times.
Clear the hostname buffer in SM51.
Note: it is not recommended to assign/modify/create roles
without a B&W document (email, fax, print form) along with the necessary
approvals.
f.) BTC jobs failed due to logon failure/logon denied. This is displayed in
the SM37 logs.
When a user leaves the company, his user account is locked for
3 to 6 months and later scheduled for deletion. Meanwhile all the jobs
scheduled by him are cancelled. So delete all the jobs (if permitted) and
reschedule the jobs with a BTC user.
Note: do not activate users who are scheduled for deletion.
g.) Transports stopped due to the user TMSADM (reset the password in
STMS).
Process:
1. The user complains of missing authorizations through a ticket.
2. Communicate via email or call the user to send an immediate SU53
screenshot after the transaction failure.
(Sometimes we may not get an authorization failure for runtime objects.) Then
trace the user using ST01.
3. The user is not assigned a transaction, authorization field, value or
organizational field.
4. Execute SUIM and identify the role with the above missing
authorizations.
Ensure that the role does not have more authorization than required.
Run a mitigation control, identify the risks involved and send all the
details to the approver/Business Process Owner/role owner.
Based on the mitigation/risks the approver may allow the assignment or reject it.
The approver may suggest modifying the role, but after running the mitigation, if the
role is modified it will affect the "XY" users who are assigned that role
(which is not allowed as per SOX).
Note: do not provide any excessive authorizations to users.
Identify the least affected role, or define a temporary role and assign the
authorizations to the users (based on approval from the role owner ---
mail, ticket, case, request, fax, print).
ST01
Authorization Trace:
When the missing authorization cannot be traced in SU53, then run ST01:
specify the username, switch on the trace and ask the user to run the
transaction.
Switch off the trace.
*************************************************************
SAP Security Parameters:
login/system_client=<Client-Number>
to set the default client for login.
login/accept_sso2_ticket
login/create_sso2_ticket
login/disable_multi_gui_login -- to disable multiple logins with the same user.
login/disable_password_logon -- deactivate password logon.
login/failed_user_auto_unlock -- enable automatic unlock of locked users at
midnight.
Users are required in the following scenarios:
1. Login to the domain server
2. Login to the mail server
3. Login to the web server
4. Login to the print and file servers
5. Login to SAP systems (ERP, SCM, SRM, BI and XI)
Too many systems, too many users, too many passwords.
SAP recommends configuring CUA between the clients and systems.
SAP also supports LDAP, so that users are created in the directory server and
populated to other systems using the LDAP protocol,
i.e. users are created in the directory server and populated to the other systems (1-
5).
Configuring the DS in SAP:
1. Use transaction LDAP to define the connection to the directory server.
2. Define an RFC connection of type 'T' in SM59 pointing to the directory server, i.e.
using a Program ID.
3. Create a system user (not in SU01); create the user in transaction LDAP.
4. Distinguished Name:
it specifies the user attributes:
c = company
cn = common name
sn = surname
o = organization
These details are provided by the system admin.
5. Server -- name of the LDAP server
Connector ----- RFC connection defined in SM59
6. User --- user defined in the LDAPUSER table
7. Define the mapping between fields in LDAPMAP.
8. Schedule the report RSLDAPSYNC_USER to synchronise between the directory
server and the SAP system.
9. Use the report RSLDAPTEST to check LDAP.
Defining the LDAP Server:
Click on LDAP Server.
Provide the server name.
Hostname ----- name of the DS
Port number ---- 389
Product ----- MS ADS
Protocol --- LDAP Version 3
System Logon - specify user
***********************************************
SOX (Sarbanes-Oxley Act 404)
After the Enron scandal the US government passed an act (SOX 404) to protect the
interests of all the stakeholders/shareholders of a company.
Each public limited company has to ensure that its shareholders'
interests are protected by using internal controls.
SAP provided PFCG to create roles and assign them to users.
It is not intelligent in the following areas:
1. Why, when and how a role is created and assigned.
2. What is the change history of the role (modification history).
3. What are the risks involved in modifying the role and assigning the role.
4. How to identify the risks in the system.
5. How to ensure that all the security compliance requirements are met.
SAP could not address all the above using SAP Security.
SAP-certified third-party tools like VIRSA, APPROVA and Security Weaver
perform most of the above tasks.
These tools have their own programs, tables and reports.
SAP procured VIRSA and released a product, SAP GRC
(Governance, Risk and Compliance), with the following tools:
1. Virsa Role Expert
2. Virsa Compliance Calibrator
3. Virsa Access Enforcer
4. Virsa Fire Fighter