RSUSR 008 009 New - Critical Authorizations


7/22/2019 RSUSR 008 009 New - Critical Authorizations

Users with Critical Authorization - Lodewijk Borsboom - www.sap-security.nl

    Users with Critical Authorizations

    By Lodewijk Borsboom

    Contents

1. Introduction
2. Customizing
2.1. Critical Authorizations
2.2. Customizing Critical Combinations
2.3. Customizing Reports
2.3.1. For Critical Authorizations
2.3.2. For Critical Combinations
3. Reporting
3.1. Reporting Critical Combinations
3.2. Reporting Critical Authorizations

    1. Introduction

This instruction is about the ABAP report RSUSR008_009_NEW (transaction code S_BCE_68002111). The transaction is also included in the SUIM menu (User Information System):


    2. Customizing

    2.1. Critical Authorizations

Click on Critical Authorizations (Kritieke bevoegdheden).

Then, double-click in the left column on Critical Authorization (Kritieke bevoegdheid).

Here you find all authorization IDs. In this customizing they follow a naming convention:

Critical by itself: ZK*
Critical only in combination with another authorization ID: ZT*

A combination of two ZT authorization IDs equals one of the business-defined SoD criteria.


Select the record ZT01 - Post Vendor Credit Memo (Crediteurenfacturen boeken) and double-click in the left column on Authorization data (Bevoegdheidsgegevens).

Here you see the details of one part of the SoD criterion, in this case on transaction level only (authorization object S_TCODE). You can also specify the criterion on the level of other authorization objects and their field values. Note that a transaction-level criterion only tells you that the user may start the transaction; it says nothing about which postings the user is actually authorized to make inside it.

With a Group you can choose whether the criteria in that group have an OR or an AND relation. If you specify more than one Group, the groups always have an AND relation with each other.

In this specific case the user matches this authorization ID when he is authorized for at least one of the named transactions (because of the OR operator).


Execute the actions above for authorization ID ZT02 - Creditor Payments (Betalingen aan crediteuren) as well. You will see the screen below:

    2.2. Customizing Critical Combinations

In order to define these two authorization IDs as one SoD conflict, navigate back to the start of the transaction and click on Critical combinations (Kritieke combinaties):

Then, click in the left column on Combination (Combinatie).


Here the SoD conflicts are described according to the following naming convention for the combination ID:

Combination   Authorization ID 1   Authorization ID 2   Classification
ZC01          ZT01                 ZT02                 H

The parts are joined with underscores, giving the ID ZC01_ZT01ZT02_H.

Each classification is shown in a different color:

H (High) = Red (Rood)
M (Medium) = Purple (Paars)
L (Low) = Yellow (Geel)

Select ZC01_ZT01ZT02_H (Post Vendor Credit Memo _ Creditor Payments; Crediteurenfacturen boeken _ Betalingen aan crediteuren) and double-click on Critical Authorization (Kritieke bevoegdheid).


The following screen appears:

Here the link between the two authorization IDs is established. This link always has AND logic: a user is reported for the combination only when he matches both authorization IDs.
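The evaluation rules of sections 2.1 and 2.2 (OR/AND inside a Group, AND between Groups, AND between the two authorization IDs of a combination, and the ZCnn_<ID1><ID2>_<classification> naming convention), modelled as an added Python example. This is not SAP code and not the customizing of the original document. It assumes, which the page does not state, that a user's authorizations can be represented as (object, field, value) triples, that "transaction level" means object S_TCODE field TCD, that a trailing `*` in a granted value is a prefix wildcard (a simplification of SAP value ranges), and that every authorization ID is four characters long. All transactions, IDs and test users are constructed sample data; the one-test-user-per-role setup follows the advice in section 3.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthData:
    """One line of 'Authorization data' under a critical authorization ID."""
    group: str   # lines sharing a group are combined with that group's OR/AND
    obj: str     # authorization object, e.g. S_TCODE
    fld: str     # field, e.g. TCD
    value: str   # required value, e.g. FB65


@dataclass
class CriticalAuthorization:
    auth_id: str                 # ZK* = critical by itself, ZT* = only in a combination
    text: str
    data: list[AuthData]
    group_logic: dict[str, str]  # group -> "OR" or "AND" (relation inside the group)


@dataclass(frozen=True)
class CriticalCombination:
    comb_id: str
    auth_id_1: str
    auth_id_2: str
    classification: str          # H, M or L


def parse_combination_id(comb_id: str) -> CriticalCombination:
    """Split an ID built as ZCnn_<ID1><ID2>_<class>, e.g. ZC01_ZT01ZT02_H.

    Assumption (not on the page): every authorization ID is 4 characters long.
    """
    prefix, pair, classification = comb_id.split("_")
    if not prefix.startswith("ZC") or len(pair) != 8 or classification not in ("H", "M", "L"):
        raise ValueError(f"combination ID does not follow the convention: {comb_id}")
    return CriticalCombination(comb_id, pair[:4], pair[4:], classification)


def value_matches(granted: str, required: str) -> bool:
    """Granted value covers the required one: exact, or trailing-'*' prefix (simplified)."""
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def has_authorization(user_auths: set[tuple[str, str, str]], line: AuthData) -> bool:
    return any(obj == line.obj and fld == line.fld and value_matches(val, line.value)
               for obj, fld, val in user_auths)


def matches_auth_id(user_auths: set[tuple[str, str, str]], crit: CriticalAuthorization) -> bool:
    """Groups are combined with AND; inside a group the configured OR/AND applies."""
    by_group: dict[str, list[AuthData]] = defaultdict(list)
    for line in crit.data:
        by_group[line.group].append(line)
    for group, lines in by_group.items():
        hits = [has_authorization(user_auths, line) for line in lines]
        if not (any(hits) if crit.group_logic.get(group, "OR") == "OR" else all(hits)):
            return False
    return True


def report(user_auths, critical, combinations):
    """What the report would show for one user: ZK hits and matched ZC combinations."""
    matched = {c.auth_id for c in critical if matches_auth_id(user_auths, c)}
    critical_hits = sorted(a for a in matched if a.startswith("ZK"))
    # a combination always links its two authorization IDs with AND
    conflicts = [(c.comb_id, c.classification) for c in combinations
                 if c.auth_id_1 in matched and c.auth_id_2 in matched]
    return critical_hits, conflicts


def summarize(conflicts) -> dict[str, int]:
    """Count conflicts per classification, e.g. {'H': 1, 'M': 1}."""
    counts: dict[str, int] = defaultdict(int)
    for _, classification in conflicts:
        counts[classification] += 1
    return dict(counts)


def tcode(group: str, value: str) -> AuthData:
    """Transaction-level authorization data: object S_TCODE, field TCD."""
    return AuthData(group, "S_TCODE", "TCD", value)


# Constructed sample customizing; the transactions are NOT the document's configuration.
CRITICAL = [
    CriticalAuthorization("ZT01", "Post Vendor Credit Memo",
                          [tcode("01", "FB65"), tcode("01", "MIRO")], {"01": "OR"}),
    CriticalAuthorization("ZT02", "Creditor Payments",
                          [tcode("01", "F110"), tcode("01", "F-53")], {"01": "OR"}),
    CriticalAuthorization("ZT03", "Maintain Vendor Master", [tcode("01", "FK02")], {"01": "OR"}),
    # critical by itself and stricter than transaction level: SE16 AND table display activity
    CriticalAuthorization("ZK01", "Display Sensitive Tables",
                          [tcode("01", "SE16"), AuthData("01", "S_TABU_DIS", "ACTVT", "03")],
                          {"01": "AND"}),
]
COMBINATIONS = [parse_combination_id("ZC01_ZT01ZT02_H"), parse_combination_id("ZC02_ZT02ZT03_M")]

# One dedicated test user per role (constructed), as section 3 recommends for analysing roles.
TEST_USERS = {
    "TEST_ROLE_AP_CLERK": {("S_TCODE", "TCD", "FB65"), ("S_TCODE", "TCD", "F110")},
    "TEST_ROLE_AP_DISPLAY": {("S_TCODE", "TCD", "FB*"), ("S_TCODE", "TCD", "SE16")},
    "TEST_ROLE_F_STAR": {("S_TCODE", "TCD", "F*"), ("S_TCODE", "TCD", "SE16"),
                         ("S_TABU_DIS", "ACTVT", "03")},
}

if __name__ == "__main__":
    for user, auths in TEST_USERS.items():
        hits, conflicts = report(auths, CRITICAL, COMBINATIONS)
        print(user, "critical:", hits, "conflicts:", conflicts, summarize(conflicts))
```

The third test user shows why wildcard S_TCODE values matter in this kind of check: a single `F*` transaction authorization satisfies ZT01, ZT02 and ZT03 at once and therefore every combination built from them, while the second user, whose `FB*` only covers the credit-memo side, shows no conflict at all.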

    2.3. Customizing Reports

    2.3.1. For Critical Authorizations

Click on Critical Authorizations (Kritieke bevoegdheden).

One report variant has been made.

Select ZVIVARE_GEVOELIGEDAT (Display & Change Authorization for Sensitive Data) and double-click on Critical Authorization (Kritieke bevoegdheid) in the left column:


On this screen you notice that this report variant only covers authorization IDs ZK01 and ZK02:

    2.3.2. For Critical combinations

Navigate back to the start of the transaction and click on Critical combinations (Kritieke combinaties):


Four report variants have been made:

Select ZVIVARE_HOOG and double-click on Combination (Combinatie).

Only the SoD criteria classified High are presented here. You have the flexibility to report on self-chosen subdivisions of the SoD concept.


    3. Reporting

Selecting a variant is mandatory. Using selection criteria is optional.

The output is always based on user IDs. If you want to analyze roles only, you need a set of test users in a test environment: one dedicated user per role, with only that role assigned.

    3.1. Reporting Critical Combinations

Select the variant ZVIVARE_ALLES.
Select user ID ZFCOORD-VAKW.
Press Execute.
See the report below:


This user (who represents composite role ZF-COORDINATOR-VAKW) has 3 conflicts classified MEDIUM and 1 conflict classified HIGH.

    3.2. Reporting Critical Authorizations

Select variant ZVIVARE_GEVOELIGEDAT.
Select user ID ZFCOORD-VAKW.
Press Execute.

This user can access sensitive data.