SAP Security Overview v 1.0


Transcript of SAP Security Overview v 1.0

PowerPoint Presentation

Business Solutions Division

2013 Technology Partners Page #1

Agenda
- Introduction to SECURITY in SAP.
- Identify & discuss the SECURITY components.

Objectives
- Introducing SAP ERP
- Understanding SAP Security Architecture and Controls
- Brief explanation of some high-level Application Security components

Contents
- Introduction to SAP Security
- Introduction to SAP
- SAP Security Controls
- SAP Security Architecture and Components
- Single Sign-On
- Summary
- Q & A

Introduction to SAP

What is SAP
- SAP: what does it stand for?
- Systems, Applications and Products in Data Processing

What is SAP - Modules

What is SAP - Processes

Evolution of SAP Architecture

SAP SECURITY: An Overview

Why is Security Important?
- Security is the doorway to the SAP system.
- Security is a way of protecting information from unauthorized use.
- Security can unlock the flexibility of the system and customize it for each user.
- Information stored in SAP is one of your company's most valuable business assets.
- SAP application security controls who can do what in SAP.

Why is Security Important?
- SAP being the ERP/business application system, any security vulnerability may result in financial loss, business disruption, misstatement of financial information, etc.
- Unlike an infrastructure vulnerability, an SAP security vulnerability may directly impact the business.
- SAP is an integrated system; therefore any error may lead to a widespread impact.

Security Objectives
- Confidentiality: prevent users from viewing and disclosing confidential information.
- Integrity: ensure the accuracy of the information in your company's system.
- Availability: prevent the accidental or deliberate loss or damage of your company's information resources.

What needs to be secured
- Application: appropriate security controls need to be enforced in SAP
- Infrastructure: the supporting infrastructure needs to be secured as well
  - Network: routers, switches, firewalls
  - Server: application server and database server
  - Operating system
  - Database
  - PCs/laptops: presentation layer of the SAP system

Security Controls
- Two main categories:
  - Preventive controls: prohibit inappropriate access
  - Detective controls: rely on other processes to identify inconsistencies
- These controls can be implemented in the following ways

Authorization Controls
- Allow users in SAP to perform their work while securing transactions from unauthorized access
- It's a complex and scalable concept
- Determines WHAT activity can be performed by a user as well as WHERE it can be performed
- Enforced through a pseudo object-oriented concept using authorization objects
- Authorizations are assigned to Roles, which are then assigned to users.
- SAP checks the user master record for the required authorization
- SAP also provides information on which authorizations are required for each transaction.

Authorization Controls: What should be reviewed?
- Access to critical/sensitive activities is controlled
- User access is appropriate, i.e., based on the user's roles and responsibilities in the business process.
- Roles are appropriate, i.e., authorizations within roles are as per the role definition

Segregation of Duties (SoD)
- Segregation of Duties (SoD) is one of the most fundamental principles of effective internal controls, i.e., no individual employee should have complete control over an entire process or a major phase of it.
- Access control forms a very important part of the overall control framework in a business environment, addressing risks such as:
  - Fraud
  - Theft
  - Misuse of data
  - Innocent errors
- Benefits of SoD:
  - Compliance
  - Controls

Segregation of Duties (SoD)
- SoD is typically enforced through a combination of access control and mitigating control
- Example: In accounts payable, segregation of duties should exist between purchasing, goods receiving, invoice processing and cash disbursement functionalities.
- Graphical representation of the SoD example (diagram)

SoD: What needs to be reviewed
- An SoD framework has been defined
- Users do not contain any SoD conflicts
- Roles are free from SoD conflicts
- If SoD conflicts exist for some users, there are appropriate mitigation controls. It is important to check whether the mitigation controls are working. They should be documented and checked at regular intervals.
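The three review points above (roles free of conflicts, users free of conflicts, mitigation documented where a conflict remains), worked through on the accounts-payable example from the deck as an added Python example that is not part of the original slides; the role contents, user assignments, rule set and mitigation register are constructed sample data.

```python
"""SoD conflict detection over roles and users for the accounts-payable example.
Role contents, user assignments, rules and the mitigation register are constructed."""
# Which accounts-payable function each transaction performs (constructed mapping; the codes
# are standard SAP ones: ME21N create PO, MIGO goods receipt, MIRO invoice, F110 payment run).
FUNCTION_OF_TCODE = {
    "ME21N": "purchasing",
    "MIGO": "goods_receipt",
    "MIRO": "invoice_processing",
    "F110": "cash_disbursement",
}
# SoD rule set: pairs of functions that no single user should hold together.
SOD_RULES = [
    ("purchasing", "goods_receipt"),
    ("purchasing", "invoice_processing"),
    ("goods_receipt", "invoice_processing"),
    ("invoice_processing", "cash_disbursement"),
]
ROLES = {
    "Z_MM_BUYER": ["ME21N"],
    "Z_MM_WAREHOUSE": ["MIGO"],
    "Z_AP_INVOICE": ["MIRO"],
    "Z_AP_PAYMENT": ["F110"],
    "Z_AP_ALL": ["MIRO", "F110"],  # conflict built into a single role
}
USERS = {
    "ALICE": ["Z_MM_BUYER"],
    "BOB": ["Z_MM_WAREHOUSE", "Z_AP_INVOICE"],  # conflict only visible across roles
    "CAROL": ["Z_AP_ALL"],
}
# Documented mitigating controls, keyed by (user, function_a, function_b).
MITIGATIONS = {
    ("CAROL", "invoice_processing", "cash_disbursement"): "weekly review of payment runs by AP manager",
}

def functions_of_role(role: str) -> set:
    return {FUNCTION_OF_TCODE[t] for t in ROLES[role] if t in FUNCTION_OF_TCODE}

def functions_of_user(user: str) -> set:
    funcs = set()
    for role in USERS.get(user, []):
        funcs |= functions_of_role(role)
    return funcs

def conflicts(functions: set) -> list:
    """Rules violated by a set of functions, in rule order."""
    return [(a, b) for a, b in SOD_RULES if a in functions and b in functions]

def role_conflicts(role: str) -> list:
    # Review point: roles are free from SoD conflicts.
    return conflicts(functions_of_role(role))

def user_conflicts(user: str) -> list:
    # Review point: users do not contain SoD conflicts (checked across all assigned roles).
    return conflicts(functions_of_user(user))

def unmitigated_conflicts(user: str) -> list:
    """Conflicts with no documented mitigating control; these are the audit findings."""
    return [c for c in user_conflicts(user) if (user, *c) not in MITIGATIONS]
```

A role-level check alone would miss BOB, whose conflict only appears when his two roles are combined; CAROL's conflict is reported but drops out of the findings because a mitigation is on record.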

BASIS Controls
- Safeguard Special Users
- Parameter-based controls on users
- Enable Auditing
- Manage Appropriate Client Settings
- Change Control through STMS
- Schedule System Alerts, Reports

Parameter-based controls on users
- SAP has parameters to set pre-defined controls on user security, e.g., Logon, Passwords, etc.
- Defines the minimum allowed length of a new password
- Locks the user after the specified number of wrong logon attempts

Safeguard Special Users
- Starting with installations of SAP Web Application Server release 6.10 and higher, the passwords of SAP* and DDIC are selected during the installation process
- A super user should be created in each of the utilized clients, and the widely known passwords of the special users should be changed.
- A report can be used to list the special users for all clients; it also shows whether the password has been reset or is still as delivered.
- The changes for special users should be done by the Basis team during installation and post-installation to ensure adequate special-user security.

- The standard SAP special users are listed below:

  Client      User              Default Password
  000         SAP*, DDIC        Prompted for during installation
  066         SAP*, EarlyWatch  Password confidential
  011         SAP*, DDIC        Prompted for during installation
  New client  SAP*              Password confidential

Enable Auditing
- The Security Audit Log
- The System Log (including Statistics records in CCMS)
- Logging of specific activities, e.g.:
  - Logging Workflow Execution
  - Logging Using Change Documents
  - Logging Changes to Table Data
  - Logging Changes Made Using the Change & Transport System
  - Logging Changes Made to User and Authorization Information
- SAP has built-in features that can be used to analyze security aspects of the SAP System in detail.

Enable Auditing: Security Audit Log
- This log is a tool designed for auditors to take a detailed look at what occurs in the SAP System. By activating the audit log through Transaction SM19, you can record those activities that you specify for your audit. This includes:
  - Successful and unsuccessful dialog logon attempts
  - Successful and unsuccessful RFC logon attempts
  - RFC calls to function modules
  - Changes to user master records
  - Successful and unsuccessful transaction starts
  - Changes to the audit configuration

Manage Appropriate Client Settings

- Maintain settings for different systems/clients based on purpose, e.g.:
  - Golden Configuration Client
  - ABAP Development Client
  - Quality System
  - Production System
- Set the client role, e.g., Production, Test, Customization, etc.
- Allow/prevent customization:
  - Changes and transports for client-specific Customizing objects
  - Changes to cross-client objects
  - Flag that locks the logon procedure
  - Protection against SAP upgrade
  - Permission on eCATT procedures

Change Control through STMS
- STMS: SAP Transport Management System
- Administering & controlling new development requests
- Managing transports
- Recording where and by whom changes are made
- Configuring the system landscape

Schedule System Alerts, Reports
- Alert Management (ALM): comes into play when business-critical problems occur, to prevent delays in the processing of critical situations.
- EarlyWatch Report: this process (configured through Solution Manager) identifies potential problems early, avoids bottlenecks and monitors the performance of your systems. SAP EarlyWatch Alert monitors the most important business processes and systems.

Business Process Controls
- Refers to automated (and IT-dependent) controls available in SAP for various business processes such as purchasing, financial, reporting, inventory, HR, etc.
- Broadly classified under the following three categories:
  - Inherent controls
  - Configurable controls
  - Procedural controls

Business Process Controls
- Inherent controls: enforced by default in SAP, e.g., a Purchase Order cannot be created with an invalid vendor
- Configurable controls: switches that can be turned on or off based on business requirements; configured through the Implementation Guide (IMG). Examples: PO approval hierarchy, tolerance limits for three-way match, etc.

- Procedural controls: IT-dependent controls (e.g., review of exception reports)

Security Architecture and Components
- Authorization Concept Details
- Overview: Roles, Profiles & Authorizations
- Roles and Profiles
- Profile Generator (PFCG)
- User Master Record
- Levels of Security

Overview: Role, Profile, Authorization
- A Role is a bucket containing:
  - Transaction Codes
  - Authorization Data (Authorization Objects and Field Values)
  - User assignments
- A Profile is a key ring that contains authorizations (cut keys)
- Authority Checks: performed by SAP to ensure that a user ID has the correct authorization object and field value combination (cut key) to execute a particular task. There may be multiple authority checks in one program (typically one at the start of the program as well as throughout the program).

Authorization Concept Details
- Authorizations define the allowed permissions for an access.
- Authorizations are instances of Authorization Objects.
- Authorization Objects define the template for designing Authorizations.
- Authorization Objects are grouped into Authorization Object Classes.

Authorization Concept Details: Authorization Object vs. Authorization
- An authorization object is a template for security that contains fields with blank values (an uncut key)
  - An Authorization Object may be reused for many transactions
  - Authorization Objects and Field Values are stored in two key SAP tables:
    - USOBX_C: transaction-to-object relationships
    - USOBT_C: transaction-to-object field value relationships
  - Both tables are maintained via transaction code SU24 and used by PFCG
- An authorization is an authorization object with completed fields (a cut key)
  - It takes one or more keys to open the doors to access a particular task, or transaction, within SAP

Authorization Concept Details
- Authorization Objects are the keys to SAP Security
- When you attempt actions in SAP, the system checks whether you have the appropriate Authorizations
- The same Authorization Objects can be used by different Transactions
- Example: Object F_BKPF_BUK (Accounting Document: Authorization for company code)

Authorization Concept Details (diagram)

Authorization Concept Details: SU24
- SU24: relationship of authorizations to transaction codes
- Maintains the USOBX_C table: T-code to object relationship and special handling flag
- Maintains the USOBT_C table: T-code to object to default field value relationship
- These tables are client-independent. Modifications via transaction code SU24 will affect all clients in an SAP system.

Roles and Profiles
- Profiles contain Authorization Objects
- Roles contain Profiles
- Profiles that come delivered with the system or were created from scratch can be assigned directly to users
- Profiles that were created for a Role are attached to that Role and cannot be assigned directly. You must assign the Role, and the system will then assign the user the correct Profile.

Roles and Profiles
- Roles are built on top of Profiles and include additional components such as:
  - User menus
  - Personalization
- In modern SAP systems, users are typically assigned the appropriate Roles by the security team
- The system will automatically add the appropriate Profile(s) for each Role assigned
- Authorization Objects only exist in Profiles (either on their own or when nested in roles)

Roles & Profiles
- Single Roles / Template Task Roles: a task resembles a business process step and is a collection of SAP transactions and related authorization objects. A task is implemented as a single role in SAP. The transactions in a single role are related to each other. The template task role is the central role that defines the authorizations for the task.
- Composite Roles / Function Roles: a function (or position) resembles a function or job position of a user and is a collection of tasks executed by that function. A function is implemented as a composite role in SAP. In each area of SAP, functional roles can be distinguished. Per function in the organization, function roles are created.

Roles & Profiles (business view mapped to the SAP technical view)

  Business view                     SAP technical view
  Business Process Step (Activity)  Transaction
  Business Process Task             Single Role
  Business Position (Function)      Composite Role
                                    User

Profile Generator (PFCG)
- The profile generator is an automated tool (transaction code PFCG) used to assist in the design, capture and maintenance of profiles

- Simplifies the Authorization process
- Uses transaction codes to define access
  - Based on the TRANSACTIONS selected, SAP determines the related AUTHORIZATION OBJECTS and, where applicable, the FIELD VALUES from tables USOBX_C and USOBT_C
  - The remaining FIELD VALUES for the selected AUTHORIZATION OBJECTS need to be filled in to create the AUTHORIZATIONS
- A Role is therefore a collection of Authorizations
- When generated, a Role creates a corresponding Profile

Profile Generator (PFCG)
- PFCG uses the USOBX_C and USOBT_C tables to pre-fill the Authorizations tab of a role based on the transaction codes entered on the Menu tab of the role
- Based on the Transactions entered on the Menu tab, PFCG will look up the objects with a Check/Maintain flag and populate the Authorizations tab
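The user -> role -> profile -> authorization chain and the authority check from the slides above, as an added Python example that is not part of the original deck: authorization objects are the uncut keys, authorizations the cut keys, and a check passes only when one authorization satisfies every field. The profiles, roles, users and company codes are constructed; S_TCODE (the standard object behind "can the user start the transaction") and F_BKPF_BUK with its real fields BUKRS and ACTVT are standard SAP objects, and the wildcard handling goes slightly beyond the slides.

```python
"""Toy model of the SAP authorization concept: authorization objects are templates (uncut
keys), authorizations are objects with filled field values (cut keys), profiles hold
authorizations, roles hold profiles, users are assigned roles. All data is constructed."""
from dataclasses import dataclass

# Authorization object templates (field names only, the "uncut keys").
AUTH_OBJECTS = {
    "S_TCODE": ("TCD",),               # may the user start this transaction at all?
    "F_BKPF_BUK": ("BUKRS", "ACTVT"),  # accounting document: company code + activity
}

@dataclass
class Authorization:
    """A cut key: one object with concrete values (tuples) for each of its fields."""
    obj: str
    values: dict

def value_matches(granted: str, required: str) -> bool:
    """Field comparison with SAP-style wildcards: '*' matches anything, trailing '*' is a prefix."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required

# Profiles contain authorizations; roles contain profiles; users are assigned roles (constructed).
PROFILES = {
    "T-AP-DISP": [Authorization("S_TCODE", {"TCD": ("FB03",)}),
                  Authorization("F_BKPF_BUK", {"BUKRS": ("1000", "2000"), "ACTVT": ("03",)})],
    "T-AP-POST": [Authorization("S_TCODE", {"TCD": ("FB01", "FB02", "FB03")}),
                  Authorization("F_BKPF_BUK", {"BUKRS": ("1000",), "ACTVT": ("01", "02", "03")})],
}
ROLES = {"Z_AP_DISPLAY": ["T-AP-DISP"], "Z_AP_CLERK": ["T-AP-POST"]}
USERS = {"ALICE": ["Z_AP_CLERK"], "BOB": ["Z_AP_DISPLAY"], "CAROL": ["Z_AP_CLERK", "Z_AP_DISPLAY"]}

def user_authorizations(user: str) -> list:
    """Walk user -> roles -> profiles -> authorizations (the user master record only references roles)."""
    return [a for role in USERS.get(user, []) for prof in ROLES[role] for a in PROFILES[prof]]

def authority_check(user: str, obj: str, **required: str) -> bool:
    """AUTHORITY-CHECK semantics: every required field must be satisfied by ONE authorization
    of the object; field values from two different authorizations are never combined."""
    for fld in required:
        if fld not in AUTH_OBJECTS[obj]:
            raise ValueError(f"{fld} is not a field of {obj}")
    for auth in user_authorizations(user):
        if auth.obj == obj and all(
            any(value_matches(g, required[f]) for g in auth.values.get(f, ())) for f in required
        ):
            return True
    return False

def check_document_access(user: str, tcode: str, bukrs: str, actvt: str) -> str:
    """Layered check: may the user start the transaction, then what may they do inside it."""
    if not authority_check(user, "S_TCODE", TCD=tcode):
        return "cannot start transaction"
    if not authority_check(user, "F_BKPF_BUK", BUKRS=bukrs, ACTVT=actvt):
        return "no authorization inside transaction"
    return "ok"
```

CAROL holds both roles, yet cannot post (ACTVT 01) in company code 2000: the posting authorization covers only 1000 and the display authorization covers only 03, and the two are never merged into one cut key.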

Profile Generator (PFCG)
- Adding a Transaction to the Role Menu
- Authorizations tab to assign/maintain Authorization Objects

Profile Generator (PFCG)
- Assign Authorizations (objects & field values)
- Default fields & field values for the authorization objects are defined in USOBT_C; these are brought into the Profile Generator automatically

Profile Generator (PFCG)
- Profile Generator button
- Profile generation after assignment/maintenance of the Authorizations

User Master Record
- A user can only access the SAP System if there is an appropriate user master record. A user master record defines the authorizations assigned to a user.

- It is required to establish access for Users.
- Created when a User is created.
- User Master Records are client-dependent!

User Master Record
- User Master Record information includes:
  - Name, Password, Address, Company information
  - User Group (used for security administration or searching capabilities)
  - Reference to Roles and Profiles (access capabilities are not stored directly in user master records)
  - User types:
    - Dialog: typical for most users
    - System: cannot be used for dialog login; can communicate between systems and start background jobs
    - Communications Data: cannot be used for dialog login; can communicate between systems but cannot start background jobs
    - Reference: cannot log in; used to assign additional Authorizations to Users
    - Service: can log in but is excluded from password rules, etc. Used for Support users and Internet services
  - Validity dates (from/to)
  - User defaults (logon language, default printer, date/decimal formats)

User Master Record
- Example of User Master Records through Transaction SU01
- Create User button

User Master Record: Address Tab
- To maintain: Name, Address, Company Information, etc.

User Master Record: Logon Data Tab
- To maintain: Password, User Type, User Group, Validity dates, etc.

User Master Record: Defaults Tab
- To maintain: Language, Decimal and Date Format, Printers, etc.

User Master Record: Parameters Tab
- To maintain user-specific parameters

User Master Record: Roles Tab
- To maintain Role assignments

User Master Record: Profiles Tab
- Shows the corresponding profiles of the Roles.
- Allows profiles to be added manually too.

Levels of Security

Levels of Security
- Does the Transaction exist?
- Is the Transaction locked?
- Can the User start the Transaction?
- What can the User do in the Transaction?

Single Sign On (SSO)

Single Sign On - Requirements
- The user master record should be built in a manner that keeps the provision for making Single Sign-On (SSO) integration simple in the future. Making SSO implementation simple implies less re-work during integration. Therefore, the naming convention should be finalized before implementation.
- A unique User ID or Employee ID (along with other information) is expected to be managed in a centralized identity management system, e.g., Active Directory, while creating users. The following information should be in sync:
  - User ID (Unique User ID/Employee ID as per Active Directory)
  - First Name (as per Active Directory)
  - Last Name (as per Active Directory)
  - Email ID (as per Active Directory)
  - Secure Network Communication (SNC) details

Summary

Summary
- Business Process Review
- Configuration Review
- Blueprint Review
- IT Automated Controls Review
- IT Application Controls Review
- BASIS Review (Alerts, EarlyWatch reports, etc.)
- IT General Controls Review (Audit Logs)
- Technical Review
- Authorization Review
- Access Review
- SoD Review
- Role Review
- User Review

An indicative security framework (diagram)

Questions?

Thank You!