2. Introduction - Custom Security
Teams involved in Custom Security design
Different Project cycles of Custom Security design
Technical Tips for effective implementation
4/6/2014 H&M Internal v1.0 2
3.
Custom Security covers either:
- additional control over SAP standard transactions/processes where the default authorization controls provided by SAP are not sufficient, or
- control of any newly created SAP development object (e.g. a custom report, transaction code or table).
It is implemented via ABAP code which invokes either a standard or a custom authorization object.
The custom authorization object (which involves a standard/custom authorization object class and authorization fields) is created by the Security team, while the ABAP code is written by the Development team.
6. Scenario 1: Sec fully involved
Acronyms for teams: FA – Functional Area; Sec – Security; Dev – Development
Flow (owning team in brackets):
- Create RDD [FA]
- Finalize security design [Sec]
- ABAP auth check code [Dev]
- Unit test [Sec]
- Unit test [FA]
- Move security objects, ABAP code to T, Q [Sec, Dev]
- Integration testing [FA]
- Move role changes, ABAP code to P [Sec, Dev]
7. Scenario 2: Sec involved very late (Impact: sizeable)
Flow (owning team in brackets):
- Create FS [FA]
- ABAP development [Dev]
- Unit test [FA]
- Move ABAP code to T [Dev]
- Integration testing [FA]
- Create RDD [FA]
- Finalize security design [Sec]
- ABAP auth check code [Dev]
- Unit test [Sec]
- Unit test [FA]
- Move security objects, ABAP code to T, Q [Dev, Sec]
- Integration testing [FA]
- Move security objects, ABAP code to P [Dev, Sec]
8. Scenario 2 (same flow as slide 7), recommendation:
- Dev to inform the Sec team at the initial stage of any custom development
10. Scenario 3: Sec not involved (Impact: sizeable)
Flow (owning team in brackets):
- Create FS [FA]
- ABAP development [Dev]
- Unit test [FA]
- Move development to T, Q [Dev]
- Integration testing [FA]
- Move development to P [Dev]
11.
Avoid redundant code: the default authorization checks (S_TCODE, S_PROGRAM, S_RFC, S_TABU_DIS) are already performed by the system, so do not re-implement them in custom code.
Report/Transaction authorizations:
• Avoid the possibility of providing backdoor access
• Place authorization checks before calling other development objects such as a program or transaction code, e.g. when statements like CALL TRANSACTION or SUBMIT PROGRAM are used
• Avoid using sy-uname in the development
• Avoid using any sort of hardcoded authorization values
• Standard or custom authorization objects? If the custom development is a completely new solution, not related to any SAP standard transaction/process, use of custom authorization objects is recommended. Otherwise, best practice is to use the standard authorization objects.
Note: A good understanding of the business requirement and a wide knowledge of the standard SAP authorization objects is required to decide which type of authorization object the custom development needs.
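The tips above, as an added illustration that is not part of the original deck: a custom report checks authorization before it submits another program. ZCUSTREP (fields BUKRS, ACTVT) is an assumed custom authorization object created by the Security team, and zr_company_detail is an assumed second custom program.

```abap
REPORT zr_company_report.
" Constructed example (not from the deck): a custom report that must pass an
" authorization check before handing control to another development object.
" ZCUSTREP with fields BUKRS and ACTVT is an assumed custom authorization
" object; zr_company_detail is an assumed program that this report submits.

PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

START-OF-SELECTION.
  " 1. Check authorization BEFORE the SUBMIT / CALL TRANSACTION, so the
  "    called object cannot be reached through this report without the
  "    corresponding role. The checked value comes from the selection
  "    screen, never from a hard-coded literal.
  AUTHORITY-CHECK OBJECT 'ZCUSTREP'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.                 " 03 = display
  IF sy-subrc <> 0.
    " A type E message terminates the report here; nothing below runs.
    MESSAGE |No authorization for company code { p_bukrs }| TYPE 'E'.
  ENDIF.

  " 2. Anti-patterns named on the slide, shown only as comments:
  "    IF sy-uname = 'ADMIN'. ... ENDIF.   " backdoor tied to a user ID
  "    ID 'BUKRS' FIELD '1000'             " hard-coded authorization value

  " 3. Only after a successful check hand over to the other object.
  SUBMIT zr_company_detail WITH p_bukrs = p_bukrs AND RETURN.
```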
12.
Table authorizations:
• Use authorization groups for any newly created tables; avoid using &NC&
• Avoid using cross-client tables, especially when business users need to maintain the table entries
• It is possible to control table line entries based on organizational values