SlideShare a Scribd company logo

Introduction to SAP Security

Nasir Gondal
Nasir Gondal

SAP Security an introduction, presented at Victoria University to BCO8161

EducationTechnology
1 of 20
SAP Security An Overview Presented to: BCO6181
Agenda 1. 2. 3. 4. 5. What is Security Building blocks Common terminologies used Most Common tools in Security CUA
What is Security? Security concept is same around the globe like in your normal life, security - means removing or restricting unauthorized access to your belongings. For example your Car, laptop or cared cards etc IT Security? Information security (sometimes shortened to InfoSec) is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc...) SAP Security? In the same context of InfoSec. SAP security have the same meaning… or in other words - who can do what in SAP?
Building Blocks • • • • User Master Record Roles Profiles Authorization Objects
User Master Record? A User initially has no access in SAP • When we create access in system it defines UMR User Master Record information includes: • Name, Password, Address, User type, Company information • User Group • Roles and Profiles • Validity dates (from/to) • User defaults (logon language, default printer, date format, etc) User Types: Dialog – typical for most users System – cannot be used for dialog login, can communicate between systems and start background jobs Communications Data – cannot be used for dialog login, can communicate between systems but cannot start background jobs Reference – cannot log in, used to assign additional Authorizations to Users Service – can log in but is excluded from password rules, etc. Used for Support users and Internet services
Roles and Profiles Roles is group of tcode (s), which is used to perform a specific business task. Each role requires specific privileges to perform a function in SAP that is called AUTHORIZATIONS There are 3 types of Roles: • Single – an independent Role • Derived – has a parent and differs only in Organization Levels. Maintain Transactions, Menu, Authorizations only at the parent level • Composite – container that contains one or more Single or Derived Roles
Authorization Objects • Authorization Objects are the keys to SAP security • When you attempt actions in SAP the system checks to see whether you have the appropriate Authorizations • The same Authorization Objects can be used by different Transactions
SAP Application Security
User Buffer? • When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer • As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer. • You can see the buffer in Transaction ???
Executing a Transaction (Authorization Checks) 1) Does the Transaction exist? All Transactions have an entry in table TSTC 2) Is the Transaction locked? Transactions are locked using Transaction SM01 Once locked, they cannot be used in any client 3) Can the User start the Transaction? Every Transaction requires that the user have the Object S_TCODE=Transaction Name Some Transactions also require another Authorization Object to start (varies depending on the Transaction) 4) What can the User do in the Transaction? The system will check to see if the user has additional Authorization Objects as necessary
Live Demo
How to trace missing Authorization Frequently you find that the role you built has inadequate accesses and will fail during testing or during production usage. Why? Why It happens? Negligence of tester or some other reason How process initiated? This process kicks when security guy receives: • Email or, • phone call or • ticket
How do we determine correct accesses required?  SAP has various tools to analyse access errors and determine correct Authorizations required: Use Last Failed Authorization check - SU53 (60% effective) Use Assignment of Auth Object to Transactions - SU24 (60% effective) Trace the Authorizations for a function - ST01 (90% effective)
Common Terminologies User master Records Roles Authorizations Authority Check user buffer Authorization Errors security matrix Profiles Authorization Objects User menus
SAP Password controls There are some Standard SAP password Controls delivered by SAP which cannot be changed First-time users forced to change their passwords before they can log onto the SAP system, or after their password is reset.* Users can only change their password when logging on. Users can change their password at most, once a day Users can not re-use their previous five passwords. The first character can not be “?” or “!”. The first three characters of the password cannot appear in the same order as part of the user name. all be the same. include space characters. The password cannot be PASS or SAP*.
Password Controls - cont.  SAP Password System Parameters - system wide settings that can be configured by MPL - Minimum Password Length Password locked after unsuccessful login attempts Password Expiration time Password complexity  Illegal Passwords MPL can define passwords that cannot be used Enter impermissible passwords into SAP table USR40 MPL = Master parts List
Tools:  SU01 User Maintenance  PFCG Role Maintenance  SUIM Authorization Reporting Tree  SU02 Maintain Profiles  SU03 Maintain Authorisations  SU10 User Maintenance: Mass Changes  SU21 Maintain Authorization Objects  SU24 Auth Object check under transactions  SU3 Maintain default settings  SU53 Display Authority Check Values  SU56 Display user buffer  ST01 User trace  SM19 Audit Log Configuration  SM20 Display Audit Log  S_BCE_68002111 List of users with Critical Authorisations
CUA Central User Administration is a feature in SAP that helps to streamline multiple users account management on different clients in a multi SAP systems environment. This feature is laudable when similar user accounts are created and managed on multiple clients  Centralized Admin  Data consistency & accuracy  Eliminate redundant efforts
www.about.me/nasirgondal

Recommended

What is sap security
What is sap securityWhat is sap security
What is sap securitygrconlinetraining
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administrationnanda nanda
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 stepsERPScan
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation hkodali
 

Recommended

What is sap security
What is sap securityWhat is sap security
What is sap securitygrconlinetraining
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administrationnanda nanda
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 stepsERPScan
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation hkodali
 
SAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceSAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceTLI GrowthSession
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 
Introduction on sap security
Introduction on sap securityIntroduction on sap security
Introduction on sap securityyektek
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRCAnil Kumar
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasksSiva Pradeep Bolisetti
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRCtechgurusuresh
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
SAP GRC
SAP GRC SAP GRC
SAP GRC Kellton Tech Solutions Ltd
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
Sap basis made easy
Sap basis made easySap basis made easy
Sap basis made easyDurga Balaji M
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis SecurityGuang Ying Yuan
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 
Sap basis administrator user guide
Sap basis administrator user guideSap basis administrator user guide
Sap basis administrator user guidePoguttuezhiniVP
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security Siva Pradeep Bolisetti
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questionsSiva Pradeep Bolisetti
 
100 sap basis_interviwe_questions
100 sap basis_interviwe_questions100 sap basis_interviwe_questions
100 sap basis_interviwe_questionsbhaskarbi
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and InstructionMart Leepin
 
Sap Access Risks Procedures
Sap Access Risks ProceduresSap Access Risks Procedures
Sap Access Risks ProceduresInprise Group
 
Ch10 system administration
Ch10 system administration Ch10 system administration
Ch10 system administration Raja Waseem Akhtar
 

More Related Content

What's hot

SAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceSAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceTLI GrowthSession
 
Introduction on sap security
Introduction on sap securityIntroduction on sap security
Introduction on sap securityyektek
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRCAnil Kumar
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 
Sap basis administrator user guide
Sap basis administrator user guideSap basis administrator user guide
Sap basis administrator user guidePoguttuezhiniVP
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
100 sap basis_interviwe_questions
100 sap basis_interviwe_questions100 sap basis_interviwe_questions
100 sap basis_interviwe_questionsbhaskarbi
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and InstructionMart Leepin
 

What's hot (20)

SAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceSAP Governance,Risk and Compliance
SAP Governance,Risk and Compliance
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security concepts
 
Introduction on sap security
Introduction on sap securityIntroduction on sap security
Introduction on sap security
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRC
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasks
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRC
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online training
 
SAP GRC
SAP GRC SAP GRC
SAP GRC
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc
 
Sap basis made easy
Sap basis made easySap basis made easy
Sap basis made easy
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
 
Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis Security
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access Control
 
Sap basis administrator user guide
Sap basis administrator user guideSap basis administrator user guide
Sap basis administrator user guide
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answers
 
Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questions
 
100 sap basis_interviwe_questions
100 sap basis_interviwe_questions100 sap basis_interviwe_questions
100 sap basis_interviwe_questions
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and Instruction
 

Similar to Introduction to SAP Security

Sap Access Risks Procedures
Sap Access Risks ProceduresSap Access Risks Procedures
Sap Access Risks ProceduresInprise Group
 
Salesforce admin training 2
Salesforce admin training 2Salesforce admin training 2
Salesforce admin training 2HungPham381
 
How to be a Security Minded Admin by Chris Zullo
How to be a Security Minded Admin by Chris ZulloHow to be a Security Minded Admin by Chris Zullo
How to be a Security Minded Admin by Chris ZulloSalesforce Admins
 
Access Control Fundamentals
Access Control FundamentalsAccess Control Fundamentals
Access Control FundamentalsSetiya Nugroho
 
Getting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesGetting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesHelpSystems
 
5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business AccountsAnayaGrewal
 
3 windowssecurity
3 windowssecurity3 windowssecurity
3 windowssecurityricharddxd
 
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAP
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAPNt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAP
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAPEvelyn Donaldson
 
Globalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityGlobalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityAcademic Research Paper Writing Services
 
Globalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityGlobalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityAcademic Research Paper Writing Services
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathanaminpathan11
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019Fahad Al-Hasan
 
Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)IIUI
 

Similar to Introduction to SAP Security (20)

Sap Access Risks Procedures
Sap Access Risks ProceduresSap Access Risks Procedures
Sap Access Risks Procedures
 
Ch10 system administration
Ch10 system administration Ch10 system administration
Ch10 system administration
 
Ch10
Ch10Ch10
Ch10
 
Salesforce admin training 2
Salesforce admin training 2Salesforce admin training 2
Salesforce admin training 2
 
Sap
SapSap
Sap
 
How to be a Security Minded Admin by Chris Zullo
How to be a Security Minded Admin by Chris ZulloHow to be a Security Minded Admin by Chris Zullo
How to be a Security Minded Admin by Chris Zullo
 
Chapter 7
Chapter 7Chapter 7
Chapter 7
 
Access Control Fundamentals
Access Control FundamentalsAccess Control Fundamentals
Access Control Fundamentals
 
Getting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesGetting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User Privileges
 
165373293 sap-security-q
165373293 sap-security-q165373293 sap-security-q
165373293 sap-security-q
 
5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts
 
3 windowssecurity
3 windowssecurity3 windowssecurity
3 windowssecurity
 
Devi
DeviDevi
Devi
 
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAP
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAPNt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAP
Nt1330 Week 1 Case Study Of EAP.pdfNt1330 Week 1 Case Study Of EAP
 
Globalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityGlobalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information security
 
Globalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information securityGlobalcompose.com sample coursework paper on management of information security
Globalcompose.com sample coursework paper on management of information security
 
Privileged Access Manager Product Q&A
Privileged Access Manager Product Q&APrivileged Access Manager Product Q&A
Privileged Access Manager Product Q&A
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathan
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)
 

Recently uploaded

psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxPoojaSen20
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfChris Hunter
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 

Recently uploaded (20)

psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 

Introduction to SAP Security

  • 2. Agenda 1. 2. 3. 4. 5. What is Security Building blocks Common terminologies used Most Common tools in Security CUA
  • 3. What is Security? Security concept is same around the globe like in your normal life, security - means removing or restricting unauthorized access to your belongings. For example your Car, laptop or cared cards etc IT Security? Information security (sometimes shortened to InfoSec) is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc...) SAP Security? In the same context of InfoSec. SAP security have the same meaning… or in other words - who can do what in SAP?
  • 4. Building Blocks • • • • User Master Record Roles Profiles Authorization Objects
  • 5. User Master Record? A User initially has no access in SAP • When we create access in system it defines UMR User Master Record information includes: • Name, Password, Address, User type, Company information • User Group • Roles and Profiles • Validity dates (from/to) • User defaults (logon language, default printer, date format, etc) User Types: Dialog – typical for most users System – cannot be used for dialog login, can communicate between systems and start background jobs Communications Data – cannot be used for dialog login, can communicate between systems but cannot start background jobs Reference – cannot log in, used to assign additional Authorizations to Users Service – can log in but is excluded from password rules, etc. Used for Support users and Internet services
  • 6. Roles and Profiles Roles is group of tcode (s), which is used to perform a specific business task. Each role requires specific privileges to perform a function in SAP that is called AUTHORIZATIONS There are 3 types of Roles: • Single – an independent Role • Derived – has a parent and differs only in Organization Levels. Maintain Transactions, Menu, Authorizations only at the parent level • Composite – container that contains one or more Single or Derived Roles
  • 7. Authorization Objects • Authorization Objects are the keys to SAP security • When you attempt actions in SAP the system checks to see whether you have the appropriate Authorizations • The same Authorization Objects can be used by different Transactions
  • 8.
  • 10. User Buffer? • When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer • As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer. • You can see the buffer in Transaction ???
  • 11. Executing a Transaction (Authorization Checks) 1) Does the Transaction exist? All Transactions have an entry in table TSTC 2) Is the Transaction locked? Transactions are locked using Transaction SM01 Once locked, they cannot be used in any client 3) Can the User start the Transaction? Every Transaction requires that the user have the Object S_TCODE=Transaction Name Some Transactions also require another Authorization Object to start (varies depending on the Transaction) 4) What can the User do in the Transaction? The system will check to see if the user has additional Authorization Objects as necessary
  • 13. How to trace missing Authorization Frequently you find that the role you built has inadequate accesses and will fail during testing or during production usage. Why? Why It happens? Negligence of tester or some other reason How process initiated? This process kicks when security guy receives: • Email or, • phone call or • ticket
  • 14. How do we determine correct accesses required?  SAP has various tools to analyse access errors and determine correct Authorizations required: Use Last Failed Authorization check - SU53 (60% effective) Use Assignment of Auth Object to Transactions - SU24 (60% effective) Trace the Authorizations for a function - ST01 (90% effective)
  • 15. Common Terminologies User master Records Roles Authorizations Authority Check user buffer Authorization Errors security matrix Profiles Authorization Objects User menus
  • 16. SAP Password controls There are some Standard SAP password Controls delivered by SAP which cannot be changed First-time users forced to change their passwords before they can log onto the SAP system, or after their password is reset.* Users can only change their password when logging on. Users can change their password at most, once a day Users can not re-use their previous five passwords. The first character can not be “?” or “!”. The first three characters of the password cannot appear in the same order as part of the user name. all be the same. include space characters. The password cannot be PASS or SAP*.
  • 17. Password Controls - cont.  SAP Password System Parameters - system wide settings that can be configured by MPL - Minimum Password Length Password locked after unsuccessful login attempts Password Expiration time Password complexity  Illegal Passwords MPL can define passwords that cannot be used Enter impermissible passwords into SAP table USR40 MPL = Master parts List
  • 18. Tools:  SU01 User Maintenance  PFCG Role Maintenance  SUIM Authorization Reporting Tree  SU02 Maintain Profiles  SU03 Maintain Authorisations  SU10 User Maintenance: Mass Changes  SU21 Maintain Authorization Objects  SU24 Auth Object check under transactions  SU3 Maintain default settings  SU53 Display Authority Check Values  SU56 Display user buffer  ST01 User trace  SM19 Audit Log Configuration  SM20 Display Audit Log  S_BCE_68002111 List of users with Critical Authorisations
  • 19. CUA Central User Administration is a feature in SAP that helps to streamline multiple users account management on different clients in a multi SAP systems environment. This feature is laudable when similar user accounts are created and managed on multiple clients  Centralized Admin  Data consistency & accuracy  Eliminate redundant efforts