March 31st, 2010 ISACA Presentation: Introduction to SAP Security. Cleberson R. Siansi – CISA, CGEIT, ACP; Stephen F. Rose – MA


Page 1: Isaca - Intro to Sap Security v3 Final 03

March 31st, 2010

ISACA Presentation: Introduction to SAP Security

Cleberson R. Siansi – CISA, CGEIT, ACP

Stephen F. Rose – MA

Page 2: Isaca - Intro to Sap Security v3 Final 03

Introduction to SAP Security: Session Objectives

This session is intended to provide an introduction to SAP security for SAP R/3 (4.6c/4.7) and ECC (5.0/6.0) environments, with particular focus on the authorization concept and how it supports the structural framework used in defining user access requirements.

Page 3: Isaca - Intro to Sap Security v3 Final 03

Introduction to SAP Security: Session Agenda

• Overview of SAP

• Overview of SAP Security

• SAP Authorization Concept Details

• Profile Generator (PFCG)

Page 4: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP

Page 5: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP: What is SAP?

SAP = Systems Applications and Products in Data Processing

• An order in SAP can automatically generate an inventory movement and purchase order without any “human” intervention

• SAP integrates all business processing through one application; it links operational results and the financial aspects of those results

• SAP can track financial results, procurement, sales, manufacturing, human resources and payroll

• SAP comprises 18 - 20 modules in finance, logistics and HR; one or more SAP modules can be implemented

• SAP is typically accessible by the entire business organization; most company information and transactions originate from SAP

Key characteristics: Multifunctional, Integrated, Enterprise Wide, Modular, “Real Time”

Page 6: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP: How SAP Works

1. Order - SAP S.D.

2. Availability - SAP M.M. (Inventory)

3. Production - SAP P.P.

4. Manpower - SAP H.R.

5. Purchasing - SAP P.P.

6. Order Tracking - SAP M.M.

7. Reporting - SAP F.I.C.O.

Page 7: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP: SAP Modules

MM (Materials Management): Purchasing, Goods receipt, Inventory Control, Invoice Verification

SD (Sales & Distribution): Sales, Distribution, Invoicing

PP (Production Planning): Re-order control, Production Planning & Control

FI (Financial Accounting): Accounts payable, Accounts receivable, General ledger, Cash management, Consolidation

CO (Controlling): Cost Center / Profit Center, Profitability Analysis

HR (Human Resources): Personnel Administration, Payroll Accounting

IM: Inventory Management

AM: Asset accounting

BASIS: Application Security, Segregation of Duties, Change Control, System Parameters

Page 8: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP: SAP in Numbers

Scope and role SAP plays in today's global economy:

– 85% of the Fortune 500 run SAP software

– 80% of Fortune 1,000 companies run SAP software

– 60% of Fortune 2,000 companies run SAP software

– 70% of the world economy's transactions in some shape or form touch an SAP system

– 2.5 billion utility bills are processed by SAP software each year

– 65% of all chocolate in the world is manufactured using SAP software

Page 9: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP: SAP in Numbers

– Based on software revenue, SAP is the number one business software supplier in every industry and solution segment

– SAP has developed and markets more than 25 industry-specific software solutions

– SAP has more than 82,000 customers across 120 countries

– Approximately 64,000 SAP customers are small businesses or midsize companies

– SAP is the first leading vendor to deliver a comprehensive suite of integrated SOA-based enterprise software solutions

– 43,000 systems currently run on the SOA-ready SAP NetWeaver platform

– 13,000 systems currently run on NetWeaver-based SAP ERP 6.0

Source: http://www.optimalsol.com/NE-Thought-SAP-Economic-Upturn-One.html

Page 10: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security

Page 11: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: Roles, Profiles and Authority Checks

A Role is a bucket containing:

– Transaction Codes

– Authorization Data (Authorization Objects and Field Values)

– User assignments

A Profile is a “key ring” that contains authorizations (cut keys)

Authority Checks

– Performed by SAP to ensure that a user ID has the correct authorization object and field value combination (cut key) to execute a particular task

– There may be multiple authority checks in one program (typically one at the start of the program as well as throughout the program)

Diagram: Profile → Authorizations and Field Values

Page 12: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: Authorization Objects vs. Authorizations

An authorization object is a template for security that contains fields with blank values (an uncut key)

– Authorization Object may be reused for many transactions

– Authorization Objects and Field Values are stored in two key SAP tables

> USOBX_C: Transaction-to-object relationships

> USOBT_C: Transaction-to-object field value relationships

» Both tables are maintained via transaction code SU24 and used by PFCG (Profile Generator)

An authorization is an authorization object with completed fields (a cut key)

– It takes one or more “keys” to open the doors to access a particular task, or transaction, within SAP

Page 13: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: Levels required to access a particular function in SAP

Level 1: User ID Access – Login with User ID and Password

Level 2: Transaction Code Access – Object: S_TCODE. Examples: FB01, MM01

Level 3: Authorization Access – Examples: F_BKPF_BUK, M_MATE_BUK

Diagram labels: User Master Record, Role/Profile, Authorization Object Field Values

Page 14: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: Authority Check (screenshots, Pages 14 to 19)


Page 20: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: Authorization Concepts

Example of an SAP Authorization Object

Example: Object F_BKPF_BUK (Accounting Document: Authorization for company code)

In general, objects protect:

• a certain data element / function

• for a specific action

• in a specific context

This object protects:

• accounting document (= posting)

• activity (create, display, etc.)

• for company code (= of a legal entity)

Page 21: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: Authorization Concepts

Example of an SAP Authorization Object

Example: User wants to change a posting for PwC

Generic building blocks        Example
Object: F_BKPF_BUK             Authorization XYZ
Field 1: Activity (ACTVT)      Change (02)
Field 2: Company (BUKRS)       PwC Corporate (Company Code XYZ)
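The key metaphor (uncut key, cut key, key ring) and the three access levels from the preceding pages can be exercised in a small model. The following Python is an added example written for this transcript, not code from the presentation or from SAP. It uses only the objects and fields the deck names (S_TCODE with TCD, F_BKPF_BUK with ACTVT and BUKRS, company code XYZ, activity 02 = Change); the users, profiles and their values are constructed. In ABAP the corresponding statement is AUTHORITY-CHECK OBJECT ... ID ... FIELD ..., which succeeds only when one single authorization covers every field it names; the model reproduces that rule, including the case where the needed values are spread over two separate authorizations and therefore do not combine.

```python
"""Constructed model of the SAP authorization concept: an authorization object is
an uncut key (field names only), an authorization is a cut key (object plus
field values), a profile is the key ring, and an authority check passes only
when one key on the ring fits every field the program asks about.
Illustration only, not SAP code."""
from dataclasses import dataclass


# Authorization objects: the templates (uncut keys). Names and fields as on the slides.
AUTH_OBJECTS = {
    "S_TCODE": ["TCD"],                 # level 2: may the user start the transaction?
    "F_BKPF_BUK": ["ACTVT", "BUKRS"],   # level 3: accounting document per company code
}


@dataclass
class Authorization:
    """A cut key. `values` maps a field to its allowed entries: an exact value,
    a trailing-* pattern, '*' for everything, or a (low, high) range tuple."""
    obj: str
    values: dict


@dataclass
class Profile:
    """The key ring generated from a role; holds the cut keys."""
    name: str
    authorizations: list


@dataclass
class User:
    uid: str
    profiles: list


def field_allows(allowed, value):
    """Does one field of one authorization cover the requested value?"""
    for entry in allowed:
        if isinstance(entry, tuple):          # (low, high) range
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == "*":                    # full wildcard
            return True
        elif entry.endswith("*") and value.startswith(entry[:-1]):
            return True                       # prefix pattern such as FB*
        elif entry == value:
            return True
    return False


def authority_check(user, obj, **required):
    """Counterpart of ABAP AUTHORITY-CHECK OBJECT ... ID ... FIELD ...: succeeds only
    if a single authorization matches all requested fields together."""
    unknown = set(required) - set(AUTH_OBJECTS[obj])
    if unknown:
        raise ValueError(f"{obj} has no field {sorted(unknown)}")
    for profile in user.profiles:
        for auth in profile.authorizations:
            if auth.obj != obj:
                continue
            if all(field_allows(auth.values.get(f, []), v) for f, v in required.items()):
                return True
    return False


def change_posting(user, tcode, bukrs):
    """Levels 2 and 3 of the slide: transaction start, then the object check that the
    posting program performs no matter which transaction reached it."""
    if not authority_check(user, "S_TCODE", TCD=tcode):
        return "no transaction access"
    if not authority_check(user, "F_BKPF_BUK", ACTVT="02", BUKRS=bukrs):
        return "no authorization"
    return "ok"


def sample_users():
    """Constructed users: an accountant for company code XYZ, an auditor who may only
    display, and a 'split' user whose change activity and company code sit on two
    different keys and therefore never combine."""
    accountant = User("ACCT1", [Profile("Z_ACCT", [
        Authorization("S_TCODE", {"TCD": ["FB*"]}),
        Authorization("F_BKPF_BUK", {"ACTVT": ["01", "02", "03"], "BUKRS": ["XYZ"]}),
    ])])
    auditor = User("AUDIT1", [Profile("Z_AUDIT", [
        Authorization("S_TCODE", {"TCD": ["FB03"]}),
        Authorization("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["*"]}),
    ])])
    split = User("SPLIT1", [Profile("Z_SPLIT", [
        Authorization("S_TCODE", {"TCD": [("FB01", "FB99")]}),
        Authorization("F_BKPF_BUK", {"ACTVT": ["02"], "BUKRS": ["ABC"]}),
        Authorization("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["XYZ"]}),
    ])])
    return {"accountant": accountant, "auditor": auditor, "split": split}


if __name__ == "__main__":
    for name, user in sample_users().items():
        print(name, change_posting(user, "FB02", "XYZ"))
```

Running the block prints, for each constructed user, the outcome of trying to change a posting in company code XYZ through FB02: the accountant succeeds, the auditor is stopped at level 2 (no S_TCODE entry for FB02), and the split user passes level 2 but fails the F_BKPF_BUK check because no single key carries both ACTVT 02 and BUKRS XYZ.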

Page 22: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: Authorization Concepts

Create Vendor

Conventional approach: protection via menu/function

SAP approach: protection once via authorization

Transactions: MK01, FK01, XK01

Keep in mind! In SAP, you can perform the same function with different transactions

Page 23: Isaca - Intro to Sap Security v3 Final 03

SAP Authorization Concept Details

Page 24: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: SU24 – Relationship of authorizations to transaction codes

• USOBX_C table

– T-code

– Object

– Flag (N = No Check, C = Check, CM = Check Maintain)

> Ignore U since it is essentially the same as C

• USOBT_C table

– T-code

– Object

– Field

– Low

– High

Maintaining these tables is the key to increasing efficiency, consistency, and integrity of the role design and future design changes by avoiding manual and changed authorizations in the roles.

Page 25: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: SU24 – Relationship of authorizations to transaction codes

Maintains the USOBX_C table

• T-code to object relationship and special handling flag

Maintains the USOBT_C table

• T-code to object to default field value relationship

These tables are client independent. Modifications via transaction code SU24 will affect all clients in an SAP system.

Diagram (SAP Tables and SAP Building Blocks):

USOBX_C: T-Code, Object, Flag (Flag = CM)

USOBT_C: T-Code, Object, Fields, Low, High

Page 26: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: SU24 – Relationship of authorizations to transaction codes

Why are These Tables “Misused” and “Underutilized”?

• Many companies do not even use transaction SU24 to maintain their customer tables (USOBX_C and USOBT_C)

• Others do some maintenance via transaction SU24, but do not fully understand the relationship between these underlying tables and the Profile Generator (PFCG)

• These tables are a key to reducing the maintenance and risk associated with roles!

Page 27: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: SU24 – Relationship of authorizations to transaction codes

N: No Check

• We do not have the ability to turn on an object that is not checked by SAP, as that would require changes to the source code. However, we can bypass checks with the check indicator flags. To bypass a check, set the flag to No Check.

• This is useful for objects where we star every value in every instance the object is used. The object is not used for security control.

• We can only bypass authority checks by moving the check mark to No Check.

• Basis objects (S_*) cannot be disabled.

Page 28: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: SU24 – Relationship of authorizations to transaction codes

C: Check

• SAP default – An authority check is performed by SAP if the ABAP code calls it, but the Profile Generator (PFCG) will not include the object in any roles created with the tcode

CM: Check Maintain

• Check Maintain means the same as Check, but Maintain means that the authorizations will be pulled into the role when that T-code is placed in the Menu tab of PFCG for a role.

Page 29: Isaca - Intro to Sap Security v3 Final 03

Overview of SAP Security: SU24 – Relationship of authorizations to transaction codes

U: Unmaintained

• This check status is rarely used

• This status is very similar to the Check status. An authority check statement can still be called, and no object values will be maintained or entered into the Profile Generator.

Page 30: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG)

Page 31: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Traditional Security Approach

Transaction Codes:

SU01 – End User Maintenance: Create User, Change User, Delete User, Assign Profiles, Setup Defaults

SU02 – Profile Maintenance (Simple / Composite): Create Profile, Change Profile, Delete Profile, Assign Authorizations

SU03 – Authorization Maintenance: Create Authorization, Change Authorization, Delete Authorization

Page 32: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Security Administration via Profile Generator

• The profile generator is an automated tool (transaction code PFCG) used to assist in the design, capture and maintenance of profiles

• Simplifies the Authorization process

• Uses transaction codes to define access

• Based on the TRANSACTIONS selected, SAP determines the related AUTHORIZATION OBJECTS and, where applicable, the FIELD VALUES from tables USOBX_C and USOBT_C

• The remaining FIELD VALUES for the selected AUTHORIZATION OBJECTS need to be filled in to create the AUTHORIZATIONS

• A Role is therefore a collection of Authorizations

• When generated, a Role creates a corresponding Profile

Page 33: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Security Administration via Profile Generator

PFCG uses the USOBX_C and USOBT_C tables to pre-fill the Authorizations tab of a role based on the transaction codes entered on the Menu tab of a role

Based on the tcodes entered on the Menu tab…

PFCG will look up the objects with a Check/Maintain flag and populate the Authorizations tab
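The check indicators described on Pages 27 to 29 and the pre-fill step described above can be put together in one small routine. The following Python is an added example written for this transcript, not SAP code and not the deck's own material. The USOBX_C and USOBT_C rows are constructed samples (the flags and field defaults are not SAP's delivered SU24 values; S_ADMI_FCD and F_BKPF_BES appear only as filler objects to show the C and N cases), and S_TCODE is filled from the Menu tab itself rather than from the tables, as PFCG does. The SE16 rows use the same objects as the Simple Role Example that follows, with DICBERCLS left blank so the administrator has something to maintain.

```python
"""Constructed model of what PFCG does with the SU24 customer tables when a
transaction is placed on a role's Menu tab. Table rows are illustrative samples,
not SAP's shipped defaults; flag semantics follow the slides. Not SAP code."""

# USOBX_C: (tcode, object) -> check indicator.
#   N  = No Check:       the check is bypassed, PFCG proposes nothing
#   C  = Check:          the ABAP check still runs, PFCG does not propose the object
#   CM = Check Maintain: the check runs and PFCG pulls the object into the role
#   U  = Unmaintained:   treated like C
USOBX_C = {
    ("SE16", "S_TABU_DIS"): "CM",
    ("SE16", "S_TABU_LIN"): "CM",
    ("SE16", "S_ADMI_FCD"): "C",   # constructed: checked in code, never proposed
    ("FB01", "F_BKPF_BUK"): "CM",
    ("FB01", "F_BKPF_BES"): "N",   # constructed: switched off in this customer table
    ("FB01", "S_TABU_DIS"): "U",
}

# USOBT_C: (tcode, object, field) -> (low, high). Empty low = left for the admin.
USOBT_C = {
    ("SE16", "S_TABU_DIS", "ACTVT"): ("03", ""),
    ("SE16", "S_TABU_DIS", "DICBERCLS"): ("", ""),
    ("SE16", "S_TABU_LIN", "ACTVT"): ("03", ""),
    ("FB01", "F_BKPF_BUK", "ACTVT"): ("01", ""),
    ("FB01", "F_BKPF_BUK", "BUKRS"): ("", ""),
    ("FB01", "S_TABU_DIS", "ACTVT"): ("03", ""),   # ignored: FB01 flag is U, not CM
}

VALID_FLAGS = {"N", "C", "CM", "U"}


def prefill_role(menu_tcodes):
    """Return (proposed, checked_only, open_fields):
    proposed      object -> field -> set of (low, high) defaults, plus S_TCODE from the menu
    checked_only  objects the code will check but PFCG does not propose (flags C and U)
    open_fields   (object, field) pairs the administrator still has to fill in"""
    proposed = {"S_TCODE": {"TCD": {(t, "") for t in menu_tcodes}}}
    checked_only, open_fields = set(), set()
    for (tcode, obj), flag in USOBX_C.items():
        if tcode not in menu_tcodes:
            continue
        if flag not in VALID_FLAGS:
            raise ValueError(f"bad check indicator {flag!r} for {tcode}/{obj}")
        if flag in ("C", "U"):
            checked_only.add(obj)
        elif flag == "CM":
            fields = proposed.setdefault(obj, {})
            for (t2, o2, fld), (low, high) in USOBT_C.items():
                if (t2, o2) != (tcode, obj):
                    continue
                fields.setdefault(fld, set())
                if low == "":
                    open_fields.add((obj, fld))     # blank default: needs maintenance
                else:
                    fields[fld].add((low, high))
        # flag N: nothing proposed, nothing checked
    return proposed, checked_only, open_fields


if __name__ == "__main__":
    proposed, checked_only, open_fields = prefill_role(["SE16"])
    for obj, fields in proposed.items():
        print(obj, fields)
    print("checked but not proposed:", sorted(checked_only))
    print("still to maintain:", sorted(open_fields))
```

Running the block with SE16 on the menu lists S_TCODE, S_TABU_DIS and S_TABU_LIN as proposed, S_ADMI_FCD as checked-but-not-proposed, and (S_TABU_DIS, DICBERCLS) as the field the administrator must still fill; this is the Authorizations tab state the screenshots on the following pages show before step 2 is completed.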

Page 34: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Security Administration via Profile Generator

Simple Role Example:

1. Create a simple role and add t-code SE16 “Data Browser” to the Menu tab

Page 35: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Security Administration via Profile Generator

Simple Role Example:

2. Assign Authorizations (objects & field values)

Page 36: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Security Administration via Profile Generator

Simple Role Example:

2. Assign Authorizations (objects & field values). Authorization objects which default into the role are defined in table USOBX_C; these objects have their flag value set to “Check Maintain”

Page 37: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Security Administration via Profile Generator

Simple Role Example:

2. Assign Authorizations (objects & field values). Two authorization objects were found with their flag value set to “Check Maintain”: S_TABU_DIS & S_TABU_LIN

Page 38: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Security Administration via Profile Generator

Simple Role Example:

2. Assign Authorizations (objects & field values). Default fields & field values for the auth. objects are then defined in USOBT_C; these are brought into Profile Generator automatically

Screenshots: T-Code (PFCG), Table (USOBT_C)

Page 39: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Security Administration via Profile Generator

Simple Role Example:

3. Generate the profile

Screenshot: T-Code (PFCG)

Page 40: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Security Administration via Profile Generator

Simple Role Example:

3. Generate the Profile

Page 41: Isaca - Intro to Sap Security v3 Final 03

Profile Generator (PFCG): Relationship Between SU24 and the Profile Generator

Object status definitions

Standard – Auth object was inserted from USOBT_C, and all fields were filled in by default. (“Nice, nothing to do”)

Maintained – Auth object was inserted from USOBT_C, and the administrator filled in the “blank” fields, without changing the default values from USOBT_C. (“Working with the table”)

Changed – Auth object was inserted from USOBT_C, and the administrator changed a default field value from the recommended value in USOBT_C. (“Fighting with the table”)

Manual – Auth object was manually inserted into the role, and was not brought in by USOBT_C. This object is not “related” to any tcode on the Menu tab and will not be removed when the Menu tab changes. (“Ignoring the table”)
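The four statuses above are a comparison between what USOBT_C proposed for the Menu tab transactions and what ended up in the role. The following Python is an added example written for this transcript, not SAP code and not the deck's own material: it classifies each object of a constructed role the way the slide defines the statuses, and then shows the Menu tab rule for Manual objects. The proposed defaults are constructed (S_TABU_DIS with ACTVT and DICBERCLS, S_TABU_LIN with ACTVT, F_BKPF_BUK with ACTVT and BUKRS) and are not SAP's delivered SU24 values; the status is judged per object rather than per individual authorization, which is a simplification of the PFCG display.

```python
"""Constructed model of the Standard / Maintained / Changed / Manual statuses that
PFCG shows on the Authorizations tab. Proposal values are illustrative, not SAP's
shipped SU24 defaults. Not SAP code."""

# What USOBT_C proposed for this role's Menu tab (object -> field -> default; "" = blank).
PROPOSED = {
    "S_TABU_DIS": {"ACTVT": "03", "DICBERCLS": ""},   # constructed defaults for SE16
    "S_TABU_LIN": {"ACTVT": "03"},                    # constructed defaults for SE16
    "F_BKPF_BUK": {"ACTVT": "01", "BUKRS": ""},        # constructed defaults for FB01
}


def object_status(obj, final_values, proposed):
    """Standard  : came from USOBT_C, every proposed default kept, no blank filled
       Maintained: came from USOBT_C, the admin only filled blank fields
       Changed   : came from USOBT_C, the admin altered a proposed default
       Manual    : inserted by hand, not tied to any Menu tab transaction"""
    if obj not in proposed:
        return "Manual"
    status = "Standard"
    for fld, default in proposed[obj].items():
        final = final_values.get(fld, "")
        if default == "":
            if final != "":
                status = "Maintained"        # blank filled, default untouched so far
        elif final != default:
            return "Changed"                 # a recommended value was overridden
    return status


def role_report(role_auths, proposed):
    """object -> status for every object currently in the role."""
    return {obj: object_status(obj, vals, proposed) for obj, vals in role_auths.items()}


def apply_menu_change(role_auths, old_proposed, new_proposed):
    """Simplified Menu tab rule from the slide: objects that were proposed from the
    old menu and are no longer proposed are dropped; Manual objects stay."""
    kept = {}
    for obj, vals in role_auths.items():
        if object_status(obj, vals, old_proposed) == "Manual" or obj in new_proposed:
            kept[obj] = vals
    return kept


def sample_role():
    """Constructed role: SE16 and FB01 on the menu plus one hand-inserted object.
    '&NC&' is used as the sample table authorization group for DICBERCLS."""
    return {
        "S_TABU_DIS": {"ACTVT": "03", "DICBERCLS": "&NC&"},  # blank filled in
        "S_TABU_LIN": {"ACTVT": "03"},                        # untouched
        "F_BKPF_BUK": {"ACTVT": "*", "BUKRS": "XYZ"},         # default 01 widened to *
        "M_MATE_BUK": {"ACTVT": "03", "BUKRS": "XYZ"},        # inserted manually
    }


if __name__ == "__main__":
    role = sample_role()
    for obj, status in role_report(role, PROPOSED).items():
        print(f"{obj:12} {status}")
    # FB01 leaves the menu: only the SE16 objects are still proposed.
    after = apply_menu_change(role, PROPOSED, {k: PROPOSED[k] for k in ("S_TABU_DIS", "S_TABU_LIN")})
    print("after menu change:", sorted(after))
```

The report for the constructed role reads Maintained for S_TABU_DIS, Standard for S_TABU_LIN, Changed for F_BKPF_BUK and Manual for M_MATE_BUK. When FB01 is removed from the menu, F_BKPF_BUK disappears with it while the hand-inserted M_MATE_BUK survives, which is why the slide calls the Manual status “Ignoring the table”: nothing about the menu will ever clean it up.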

Page 42: Isaca - Intro to Sap Security v3 Final 03

SAP Security: Questions

Page 43: Isaca - Intro to Sap Security v3 Final 03

SAP Security: Contact Us

Cleberson R. Siansi

[email protected]

(248) 219 5394

Stephen F. Rose

[email protected]

(248) 312-8923