Wednesday, April 29, 2009

Structural Authorizations


Regular (role-based) authorization controls which functions a user may execute, for example transaction codes PA20, PR20, CAT2, CADO, PPMDT and PR05. It is granted through the roles the security group assigns to the user ID.

The SAP user ID is linked to the employee's personnel number through infotype 0105 (Communication); roles are then assigned to that user ID in transaction PFCG.

Structural authorization adds a second check on top of that: it restricts which objects of the organizational structure (org units, positions, persons) the user may reach. It has a clear advantage and a clear disadvantage. The advantage is that access follows the organizational structure rather than the user, so as soon as a manager moves from one position to another he can no longer access his old team's information. The disadvantage is that the initial design and the ongoing maintenance need to be well thought out: Organizational Management has to be defined in advance, and later changes to the structure can cause headaches.

Steps to set up Structural Authorization:

Step 1 : TC OOAC
Activate the structural authorization switch (the AUTSW main switches in table T77S0; ORGPD is the switch that turns the structural check on).

Step 2 : TC OOSP
Create the structural authorization profiles. Each profile line names a plan version, an object type and root object ID (for example an org unit), an evaluation path such as O-S-P, a depth, and optionally a function module (for example RH_GET_MANAGER_ASSIGNMENT) that determines the root object dynamically from the user's own position.

Step 3 : Assign the structural authorization profile to the user ID
Either maintain the assignment directly in TC OOSB, or run report RHPROFL0 from TC SE38 and enter the object ID (for example the org unit) so that the profile assignment is generated from the organizational structure.

Step 4 : Assign the regular role authorization as well. Both checks have to pass: the structural profile only decides which org objects the user may reach, while the general authorization objects (for example P_ORGIN) still decide which infotypes and actions are allowed on them.
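The following is an added example, not code from the original post or from SAP. It is a toy model of what a structural profile defined in OOSP actually computes: starting from a root object, walk an evaluation path through the OM relationships and collect the objects the user may touch. The org units, positions, persons and user IDs are constructed; the relationship codes are the standard OM ones (B002 subordinate org unit, B003 position belongs to org unit, A008 position holder, A012 position is chief of org unit), and the root-object logic imitates what RH_GET_MANAGER_ASSIGNMENT does for a manager profile. Moving the manager to another position changes the set he can see without anyone touching his user or roles, which is the benefit described above.

```python
"""Toy model of an SAP HR structural authorization profile (added example).

Objects are (type, id) pairs: O = org unit, S = position, P = person.
All IDs and users below are constructed for the demonstration.
"""
from collections import defaultdict, deque

# (source type, source id, relationship, target type, target id)
RELATIONS = [
    ("O", "50000001", "B002", "O", "50000002"),  # Company -> Sales
    ("O", "50000001", "B002", "O", "50000003"),  # Company -> Finance
    ("O", "50000002", "B003", "S", "60000001"),  # Sales owns position Head of Sales
    ("O", "50000002", "B003", "S", "60000002"),  # Sales owns a clerk position
    ("O", "50000003", "B003", "S", "60000003"),  # Finance owns Head of Finance
    ("O", "50000003", "B003", "S", "60000004"),  # Finance owns a clerk position
    ("S", "60000001", "A012", "O", "50000002"),  # Head of Sales is chief of Sales
    ("S", "60000003", "A012", "O", "50000003"),  # Head of Finance is chief of Finance
    ("S", "60000001", "A008", "P", "10000001"),  # holder of Head of Sales
    ("S", "60000002", "A008", "P", "10000002"),  # holder of the Sales clerk position
    ("S", "60000004", "A008", "P", "10000004"),  # Head of Finance position is vacant
]

# Infotype 0105 style link, SAP user ID -> personnel number (constructed)
IT0105 = {"JSMITH": "10000001", "BLEE": "10000002", "CNG": "10000004"}

# Evaluation path O-S-P: from each object type, which relationships to follow
EVAL_PATH_O_S_P = {
    "O": {("B002", "O"), ("B003", "S")},
    "S": {("A008", "P")},
}


def index_relations(relations):
    """Group relationships by their source object for traversal."""
    idx = defaultdict(list)
    for st, sid, rel, tt, tid in relations:
        idx[(st, sid)].append((rel, tt, tid))
    return idx


def evaluate_path(idx, root, path, depth=0):
    """Every object reachable from root along the evaluation path.
    depth=0 means unlimited, as in the OOSP profile definition."""
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        (otype, oid), level = queue.popleft()
        if depth and level >= depth:
            continue
        for rel, tt, tid in idx.get((otype, oid), []):
            if (rel, tt) in path.get(otype, set()) and (tt, tid) not in seen:
                seen.add((tt, tid))
                queue.append(((tt, tid), level + 1))
    return seen


def manager_roots(relations, pernr):
    """Root objects for a manager profile: org units whose chief position
    is held by this person (what RH_GET_MANAGER_ASSIGNMENT derives)."""
    held = {(st, sid) for st, sid, rel, tt, tid in relations
            if rel == "A008" and (tt, tid) == ("P", pernr)}
    return {(tt, tid) for st, sid, rel, tt, tid in relations
            if rel == "A012" and (st, sid) in held}


def visible_persons(relations, user, it0105=IT0105, depth=0):
    """Personnel numbers the user's structural profile lets them reach."""
    idx = index_relations(relations)
    reachable = set()
    for root in manager_roots(relations, it0105[user]):
        reachable |= evaluate_path(idx, root, EVAL_PATH_O_S_P, depth)
    return {oid for otype, oid in reachable if otype == "P"}


def move_holder(relations, pernr, new_position):
    """Simulate the person taking over another position (new A008 link)."""
    kept = [r for r in relations if not (r[2] == "A008" and r[4] == pernr)]
    return kept + [("S", new_position, "A008", "P", pernr)]


if __name__ == "__main__":
    print("before move:", sorted(visible_persons(RELATIONS, "JSMITH")))
    moved = move_holder(RELATIONS, "10000001", "60000003")
    print("after move: ", sorted(visible_persons(moved, "JSMITH")))
```

Note that this only reproduces the structural part of the check. In the system the result is combined with the general HR authorization objects, so a user who is structurally allowed to reach a person still needs P_ORGIN (or P_ORGXX) for the infotype and activity in question.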



SAP Security Internal Controls




A few examples of internal controls implemented at a customer SAP Security implementation. The controls were checked on a monthly basis for 600+ SAP Security tickets. I was instrumental in documenting the SAP Security controls along with the audit team at Motorola. My duties also consisted of gathering evidence for the controls, presenting the evidence in monthly control meetings and to the internal audit team, and making suggestions as to changes in the controls. I used to guide the internal audit team in preparing reports for external auditors and explaining the reports to them. Following are some examples.

1.) Each change in SAP has to be initiated with a ticket.
2.) Each change has to be approved by the manager, the role owners, the compliance team and the SAP Security team.
3.) Each emergency change request has to be reviewed by the control owner.
4.) Critical transactions that can modify tables, such as SM30, have not been used in SAP during the month.
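Control 4 is the one that can be evidenced from a log rather than from signatures. The following is an added example, not part of the original post: it takes Security Audit Log style lines for a month, counts every start of a critical transaction per user, and marks each as a violation unless it was made by an approved firefighter ID that has a ticket for that month. The log lines, firefighter IDs and ticket numbers are constructed; the line layout is only loosely modelled on an SM20 export (message AU3 is the real "Transaction started" event), so adapt the regular expression to your own export format.

```python
"""Monthly check for "critical transactions not used" (added example).

The sample log, firefighter list and ticket register are constructed.
"""
import re
from collections import defaultdict

# transactions from the critical list further down the blog
CRITICAL_TCODES = {"SM30", "SE16", "SE38", "SA38", "SU01", "SU10", "PFCG",
                   "SCC4", "SCC5", "SE11", "SM49"}

# constructed, loosely SM20-like: date time client user terminal msgid text
SAMPLE_LOG = """\
2009-04-03 09:12:44 100 JSMITH     WS0321 AU1 Logon successful (type=A)
2009-04-03 09:13:02 100 JSMITH     WS0321 AU3 Transaction PA20 started
2009-04-07 14:20:11 100 BLEE       WS0410 AU3 Transaction SM30 started
2009-04-07 14:25:40 100 BLEE       WS0410 AU3 Transaction SM30 started
2009-04-15 08:02:19 100 FF_BASIS01 WS0002 AU3 Transaction SE16 started
2009-04-22 16:45:03 100 CNG        WS0118 AU3 Transaction SU01 started
2009-03-30 11:11:11 100 BLEE       WS0410 AU3 Transaction SCC4 started
""".splitlines()

FIREFIGHTERS = {"FF_BASIS01"}                      # constructed emergency IDs
TICKETS = {("FF_BASIS01", "2009-04"): "INC-4471"}  # constructed (user, month) -> ticket

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<client>\d{3})\s+"
    r"(?P<user>\S+)\s+(?P<terminal>\S+)\s+(?P<msgid>AU\w)\s+(?P<text>.*)$")
TCODE_RE = re.compile(r"^Transaction (\S+) started$")


def parse_tcode_starts(lines):
    """Yield (date, user, tcode) for every transaction-start event."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["msgid"] != "AU3":
            continue
        t = TCODE_RE.match(m["text"])
        if t:
            yield m["date"], m["user"], t.group(1)


def critical_usage(lines, month, critical=CRITICAL_TCODES,
                   firefighters=frozenset(), tickets=None):
    """Findings for one month (YYYY-MM): each (user, tcode) pair with its
    start count and a verdict. A firefighter with a ticket is approved,
    anyone else is a control violation."""
    tickets = tickets or {}
    counts = defaultdict(int)
    for day, user, tcode in parse_tcode_starts(lines):
        if day.startswith(month) and tcode in critical:
            counts[(user, tcode)] += 1
    findings = []
    for (user, tcode), n in sorted(counts.items()):
        ticket = tickets.get((user, month))
        verdict = f"approved via {ticket}" if user in firefighters and ticket else "violation"
        findings.append({"user": user, "tcode": tcode, "count": n, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in critical_usage(SAMPLE_LOG, "2009-04", firefighters=FIREFIGHTERS, tickets=TICKETS):
        print(f"{f['user']:<12} {f['tcode']:<6} x{f['count']}  {f['verdict']}")
```

An empty result for the month is the evidence the control asks for; a non-empty one is the exception list to take to the control meeting. Keep the firefighter IDs in the check rather than filtering them out, so that emergency use without a ticket still surfaces.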

Best Practices in SAP Security



There are many best practices in SAP Security which need to be pursued for a cleaner, leaner SAP Security design. Following are some examples.

1.) One transaction in one SAP role: as far as possible a transaction should not be repeated in several roles. This makes it easier for a manager to pick the right role logically.

2.) Split roles into two kinds:
a.) Transaction based
b.) Organization-key based, i.e. roles that carry the organizational restrictions (organizational levels such as company code or plant)

3.) Try to keep the number of transactions in a role to 15-20.

4.) Role naming should follow the KISS principle, for example ZF:FI_AP_clerkentry.
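Practices 1, 3 and 4 can be checked mechanically from the role-to-transaction assignment. The following lint is an added example, not from the original post: the role map is constructed and stands in for what AGR_TCODES holds in a real system, and the naming pattern is an assumption modelled on the ZF:FI_AP_clerkentry example (two-letter prefix after Z, a colon, then a free name).

```python
"""Lint a role design against the best practices above (added example).

The role map and the naming pattern are constructed assumptions.
"""
import re
from collections import defaultdict

# assumed convention modelled on ZF:FI_AP_clerkentry
ROLE_NAME_RE = re.compile(r"^Z[A-Z]:[A-Za-z0-9_]+$")

# constructed role -> transaction map (what AGR_TCODES would hold)
ROLES = {
    "ZF:FI_AP_CLERKENTRY": ["FB60", "FB65", "MIRO", "FK03", "FBL1N"],
    "ZF:FI_AP_PAYMENTS": ["F110", "FBL1N", "FK03"],          # repeats two tcodes
    "ZF:FI_GL_SUPER": ["FB01", "FB02", "FB03", "FB08", "FB50", "FBL3N", "FS00",
                       "FS10N", "F-02", "F-03", "F-04", "F-05", "F-06", "F-07",
                       "F-28", "F-29", "F-32", "F-44", "FB41", "FBRA", "FBV0",
                       "FBD1"],                              # 22 tcodes, too big
    "FI_AR_CLERK": ["FB70", "FB75"],                         # breaks the naming rule
}


def lint_roles(roles, max_tcodes=20, name_re=ROLE_NAME_RE):
    """Return the roles that break the three mechanical rules:
    a transaction in more than one role, more than max_tcodes
    transactions in a role, and a name outside the convention."""
    owners = defaultdict(set)
    findings = {"duplicated_tcodes": {}, "oversized_roles": {}, "bad_names": []}
    for role, tcodes in roles.items():
        if not name_re.match(role):
            findings["bad_names"].append(role)
        distinct = set(tcodes)
        if len(distinct) > max_tcodes:
            findings["oversized_roles"][role] = len(distinct)
        for tcode in distinct:
            owners[tcode].add(role)
    findings["duplicated_tcodes"] = {
        t: sorted(r) for t, r in sorted(owners.items()) if len(r) > 1
    }
    findings["bad_names"].sort()
    return findings


if __name__ == "__main__":
    for kind, hits in lint_roles(ROLES).items():
        print(f"{kind}: {hits}")
```

Run it against a fresh AGR_TCODES extract before each transport of role changes; a duplicated transaction is usually the first sign that two roles are drifting toward each other and should be merged or split along the transaction/org-key line of practice 2.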

Monday, April 27, 2009

SAP Critical Transactions


TCode   Risk Description
CA87    Mass Replace Work Center
CAT6    Human Resources
CL04    Delete Class
F.34    Credit Limit Mass Changes
F.80    Mass Reversal of Documents
F044    Vendor Archiving
FI12    Change House Banks/Bank Accounts
IP30    Run Date Monitoring
LN08    Number range maintenance: LVS_LENUM
MMPV    Close Periods
MMRV    Allow Posting to Previous Period
PA20    Display HR Master Data
PA30    Maintain HR Master Data
PA70    Fast Entry
PA97    Compensation Administration - Matrix
PFCG    Role Maintenance - System integrity and stability at risk
RZ04    Maintain SAP Instances
SA38    ABAP Reporting - Can run programs not protected appropriately
SARA    Archiving Management - Should be restricted to Archive Admin
SCC1    Client Copy - Special Selections
SCC4    Client Administration - System stability and integrity at risk
SCC5    Delete Client - System stability at risk
SCC6    Client Import - System stability and integrity at risk
SCC9    Remote Client Copy - System stability and integrity at risk
SCCL    Local Client Copy - System stability and integrity at risk
SE01    Transport Organizer - System stability and integrity at risk
SE11    Data Dictionary Maintenance - System stability and integrity at risk
SE13    Maintain Technical Table Settings - System stability at risk
SE16    Data Browser - Exposure to confidential information
SE37    Function Builder
SE38    ABAP Editor - System stability and integrity at risk
SM01    Lock Transactions - System stability at risk
SM02    System Messages - Should be restricted to System Admins only
SM30    Table Maintenance - System integrity and stability at risk
SM49    Execute OS Commands - System stability at risk
SM50    Work Process Overview - System stability at risk
SU01    User Maintenance - Should be restricted to User Admins only
SU02    Profile Maintenance - System stability and integrity at risk
SU03    Maintain Authorizations
SU05    Maintain Internet User
SU10    User Mass Maintenance - System stability at a very high risk
SU20    Authorization Object Fields
SU21    Authorization Objects
SU24    Maintain Assignment of Authorization Objects
SU25    Profile Generator Upgrade and First Installation

Useful SAP security tables


R/3 Security Tables

Table        Description
USR02        Logon data
USR04        User master authorization (one row per user)
UST04        User profiles (multiple rows per user)
USR10        Authorisation profiles (e.g. SAP_ALL)
UST10C       Composite profiles (i.e. profile has sub profiles)
USR11        Text for authorisation profiles
USR12        Authorisation values
USR13        Short text for authorisation
USR40        Table of illegal passwords
USGRP        User groups
USGRPT       Text table for USGRP
USH02        Change history for logon data
USR01        User master (runtime data)
USER_ADDR    Address data for users
AGR_1016     Name of the activity group profile
AGR_1016B    Name of the activity group profile
AGR_1250     Authorization data for the activity group
AGR_1251     Authorization data for the activity group
AGR_1252     Organizational elements for authorizations
AGR_AGRS     Roles in composite roles
AGR_DEFINE   Role definition
AGR_HIER2    Menu structure information - customer version
AGR_HIERT    Role menu texts
AGR_OBJ      Assignment of menu nodes to role
AGR_PROF     Profile name for role
AGR_TCDTXT   Assignment of roles to Tcodes
AGR_TEXTS    File structure for hierarchical menu - customer version
AGR_TIME     Time stamp for role, including profile
AGR_USERS    Assignment of roles to users
USOBT        Relation transaction to authorization object (SAP)
USOBT_C      Relation transaction to authorization object (customer)
USOBX        Check table for table USOBT
USOBXFLAGS   Temporary table for storing USOBX/T* changes
USOBX_C      Check table for table USOBT_C
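These tables are what the SUIM reports read, and an extract of a few of them is enough to answer the questions an auditor asks most. The following is an added example, not from the original post or from SAP: it loads constructed rows into an in-memory SQLite copy of USR02, UST04, AGR_USERS and AGR_1251 (real table and column names, but only the columns the checks need) and answers three questions: who holds SAP_ALL, which active users can currently start a given transaction through a valid role assignment, and which dialog users have not logged on for 90 days. The S_TCODE matching handles the single value, prefix wildcard and range forms an authorization line can carry, which a plain SQL equality would miss.

```python
"""Offline checks against a SQLite copy of a few security tables (added example).

Only the columns the checks need are created; every row is constructed.
A real extract would come from SE16 downloads or a DB connection.
"""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE USR02 (MANDT, BNAME, USTYP, UFLAG INTEGER, GLTGB, TRDAT);
CREATE TABLE UST04 (MANDT, BNAME, PROFILE);
CREATE TABLE AGR_USERS (MANDT, AGR_NAME, UNAME, FROM_DAT, TO_DAT);
CREATE TABLE AGR_1251 (MANDT, AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED);
"""

# constructed rows; USTYP A = dialog, B = system; UFLAG 64 = locked by administrator
ROWS = {
    "USR02": [
        ("100", "JSMITH",   "A", 0,  "99991231", "20090428"),
        ("100", "BLEE",     "A", 0,  "99991231", "20090427"),
        ("100", "CNG",      "A", 64, "99991231", "20090301"),
        ("100", "TLEAVER",  "A", 0,  "99991231", "20081001"),
        ("100", "BATCH_FI", "B", 0,  "99991231", "20090428"),
    ],
    "UST04": [("100", "BATCH_FI", "SAP_ALL"), ("100", "JSMITH", "T-FI000001")],
    "AGR_USERS": [
        ("100", "ZF:FI_AP_CLERKENTRY", "JSMITH",  "20090101", "99991231"),
        ("100", "ZB:BASIS_TABLE_MAINT", "BLEE",   "20090101", "99991231"),
        ("100", "ZB:BASIS_TABLE_MAINT", "CNG",    "20080101", "20081231"),  # expired
        ("100", "ZB:BASIS_DEVELOPER",  "TLEAVER", "20080101", "99991231"),
    ],
    # S_TCODE lines; DELETED = 'X' marks a line that has been deleted in the role
    "AGR_1251": [
        ("100", "ZF:FI_AP_CLERKENTRY", "S_TCODE", "T-FI000001", "TCD", "FB60", "", ""),
        ("100", "ZB:BASIS_TABLE_MAINT", "S_TCODE", "T-BC000001", "TCD", "SM30", "", ""),
        ("100", "ZB:BASIS_TABLE_MAINT", "S_TCODE", "T-BC000001", "TCD", "SM31", "", "X"),
        ("100", "ZB:BASIS_DEVELOPER",  "S_TCODE", "T-BC000002", "TCD", "SE*",  "", ""),
    ],
}


def load_db(rows=ROWS):
    """Build the in-memory copy and insert the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, data in rows.items():
        marks = ",".join("?" * len(data[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", data)
    return conn


def tcode_covered(low, high, tcode):
    """Does an S_TCODE value (single, 'SM*' prefix, '*' or LOW..HIGH range) cover tcode?"""
    if high:
        return low <= tcode <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return low == tcode


def users_with_profile(conn, profile="SAP_ALL"):
    """Users holding a profile directly (UST04), e.g. SAP_ALL."""
    return [r[0] for r in conn.execute(
        "SELECT BNAME FROM UST04 WHERE PROFILE = ? ORDER BY BNAME", (profile,))]


def users_who_can_start(conn, tcode, asof):
    """(user, role) pairs through which an unlocked, valid user can start tcode
    today: role assignment valid on asof, S_TCODE line not deleted."""
    rows = conn.execute("""
        SELECT u.UNAME, u.AGR_NAME, a.LOW, a.HIGH
        FROM AGR_USERS u
        JOIN AGR_1251 a ON a.AGR_NAME = u.AGR_NAME AND a.MANDT = u.MANDT
        JOIN USR02 s ON s.BNAME = u.UNAME AND s.MANDT = u.MANDT
        WHERE a.OBJECT = 'S_TCODE' AND a.FIELD = 'TCD' AND a.DELETED <> 'X'
          AND u.FROM_DAT <= ? AND u.TO_DAT >= ?
          AND s.UFLAG = 0 AND s.GLTGB >= ?""", (asof, asof, asof))
    return sorted({(u, r) for u, r, low, high in rows if tcode_covered(low, high, tcode)})


def dormant_dialog_users(conn, asof, days=90):
    """Unlocked dialog users whose last logon is older than `days` before asof."""
    cutoff = (datetime.strptime(asof, "%Y%m%d") - timedelta(days=days)).strftime("%Y%m%d")
    return [r[0] for r in conn.execute(
        "SELECT BNAME FROM USR02 WHERE USTYP = 'A' AND UFLAG = 0 AND TRDAT < ? ORDER BY BNAME",
        (cutoff,))]


if __name__ == "__main__":
    db = load_db()
    print("SAP_ALL:", users_with_profile(db))
    print("can start SM30:", users_who_can_start(db, "SM30", "20090429"))
    print("can start SE16:", users_who_can_start(db, "SE16", "20090429"))
    print("dormant:", dormant_dialog_users(db, "20090429"))
```

The query deliberately filters on the role assignment's validity dates and on the user's lock flag and validity in USR02; an assignment in AGR_USERS that expired last year still shows up in a naive join and is a common source of false findings. Composite roles (AGR_AGRS) and profiles assigned directly (UST04 plus USR12) are not expanded here and need the same treatment in a full review.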

CATT Scripts



User Guide for Data Upload

CATT is used for bulk uploading of data. Although it is primarily a testing tool, it can be used for the mass upload of data. CATT works like a real user keying data into the SAP screens: you prepare a set of data that is to be input into the system, execute what is called a test case, and CATT does the repetitive task of keying the data for you. Two points matter for security: the test case runs with the authorizations of the user executing it, so a case such as the mass user build below can create users only if the executor could do so in SU01 anyway; and the target client must permit CATT (the CATT and eCATT setting in SCC4), which is normally left disabled in production and enabled only for a change window. Test the upload in a non-production client first.

Over-all procedure

The over-all procedure to upload data using CATT is as follows:
· Creation of the CATT test case & recording the sample data input.
· Download of the source file template.
· Modification of the source file.
· Upload of the data from the source file.

Details of each step are provided in the following paragraphs.

Detailed Procedure

Creation of the CATT test case:

Creation of the test case is completed as follows:
· Execute Transaction SCAT
· Name the test case. The test case name must start with "Z". It is also good practice to include the transaction code in the test case name (e.g. Z_SU01_UPLOAD for the mass user build).
· Click the “Record” button.
· Enter the transaction code (e.g. SU01)
· Continue recording the transaction. Ensure data is entered into every field that is to be used during the upload.
· Save the test case.

Download the source file template

Download of source file template is conducted in two stages as follows:
· Creation of import parameters:
· Within transaction SCAT, Double Click on the TCD line in the “Maintain Functions” screen.
· Click the Field List button (Field list is displayed).
· For every field that you wish to upload data into, double click in the column "New field contents" (this creates an import parameter).
· In the Maintain Import Parameter Pop-Up:
· Delete the default value if not required.
· Press Enter
· The New field contents column now contains the character & followed by the field name (e.g. &Userid). This is the name of the import parameter.
· Repeat this for every field (in every screen) to be uploaded.
· Back out and save the CATT test case
· Download of source file template:
· Use the path GOTO -> Variants -> Export Default
· Select path and file name (e.g. C:\TEMP\Z_SU01_UPLOAD.TXT)
· Click Transfer

Modify the source file

The downloaded source file template is now populated with the data that is to be uploaded. This is completed as follows:
· Using Excel, open the tab-delimited text file.
· Do not change any of the entries that already exist.
1st row contains the field names.
2nd row contains the field descriptions.
3rd row displays the default values which are set in the test case.
4th row contains a warning that changing the default values in the spreadsheet has no effect on the actual default values.
· The data to be uploaded can be entered in the spreadsheet from row 4 onwards (delete the 4th row warning and replace it with the data for upload).
· Save the file as a Text file (Tab delimited).

Upload data from the source file

Uploading the data is completed as follows:
· Execute the CATT test case
· In the Execute screen:
· Set processing mode to Errors or Background (your choice).
· Set variants to External from file.
· Click the Choose button and select the file to be uploaded.
· If uploading to another client, click the Remote execution button and select the RFC connection to the required client.
· If uploading to the current client, click the execute button

SAP PCI compliance


The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

SAP Security Blog



This blog is under construction and I want to make it the largest SAP Security blog, climb after climb, step after step, as I have plenty to contribute in this field. Please visit regularly to get SME articles on SAP Security. Some of the topics which will figure in the near future are as follows.

1.1. Overview of SAP R/3
1.2. Security’s Role
1.3. Audience
1.3.1. Security Administrators
1.3.2. Managers
1.3.3. Audit Staff
1.4. How to get the most from the book
1.5. Conventions
1.6. Acknowledgments
1.7. Trademarks
2. Security and Controls
2.1. Concept and Purpose
2.2. Assessing Risk
2.3. Segregation of Duties
2.4. Compensating Controls
2.4.1. Change Documents
2.4.2. History Tables
2.4.3. Table Logging
2.4.4. Use
3. Control Areas in SAP
3.1. “Physical” Universe
3.1.1. Environments
3.1.2. Change Control
3.1.3. Change-ability
3.1.4. Defaults
3.1.5. Secure the System
3.1.6. Control Access
3.2. Authorization Profiles - Access.
3.2.1. Naming Conventions
3.2.2. Naming conventions - Authorizations
3.2.3. Process Oriented Profiles
3.2.4. Risk Assessments
3.2.5. Control Profile Development
3.2.6. Profile Development Standards
3.2.7. Role Minimization
3.2.8. Grass Root Development
3.2.9. No Wild Card Activity Values
3.2.10. No Parent-Child Roles
3.2.11. No Composite Roles
3.2.12. Role Use Management
3.3. ABAP execution - reporting and update control.
3.3.1. Background
3.3.2. ABAP/4 Run-time control
3.3.3. Controlling Execution of Reports
3.4. System Integrity - Ensuring long-term continuity
3.5. System Settings
4. SAP Authorization Concept
4.1. Overview
4.1.1. Authorization Objects
4.1.2. Authorizations
4.1.3. Profiles
4.1.4. Roles
4.1.5. Users
5. Security Data in SAP
5.1. List of commonly used Security Tables in SAP
5.1.1. Overall List
5.1.2. Use of each table
5.1.3. Maintenance
5.2. Other SAP data ( Domain Values, Data Elements)
5.2.1. Overall list
5.2.2. Use of data
5.2.3. Maintenance
6. Authorization Checking in SAP
6.1. Transaction Lock
6.2. Transaction Access ( S_TCODE)
6.3. Alternative Access Control
6.3.1. Segregation of duties (TSTCA)
6.3.2. Report execution (S_PROGRAM)
6.3.3. Internal Checks
7. Security tools
7.1. Security Menu
7.2. User Maintenance
7.2.1. SU01
7.2.2. SU10
7.2.3. PFCG
7.2.4. RHPROFL0
7.2.5. HRUSER
7.3. Authorization maintenance
7.4. Profile Maintenance
7.5. PD Profiles – Structural Authorizations
7.6. Profile generator
7.7. Table Maintenance
7.8. Authorization Groups
7.9. Organizational Levels
7.9.1. Overview
7.9.2. Maintaining Organizational Level Definition.
7.9.3. Pitfalls using Organizational Levels
7.10. Call Transaction Control - SE97
7.11. Trouble Shooting Utilities
7.11.1. ST03
7.11.2. STAT
7.11.3. SM21
7.11.4. ST22
7.11.5. SU53
7.11.6. SU56
8. SAP Security Automation
9. Audit Information System
9.1. Security Audit Log
9.1.1. Purpose
9.1.2. Implementation Considerations
9.1.3. Integration
9.1.4. Filters
9.1.5. Alerts in the Computing Center Management System Alert Monitor
9.1.6. Activities
9.2. Security Alerts in the CCMS Alert Monitor
9.2.1. Comparing the Security Audit Log and the System Log
9.2.2. Prerequisites
9.3. User Activity Logs
10. Security Reports
10.1. Overview
10.2. SUIM
10.3. OPF0
10.4. Required reports
11. Security System Parameter Settings
12. Configuration
12.1. Access to Customizing - IMG Access
12.2. SSM_CUST
12.3. PRGN_CUST
12.4. Profile Generator
12.5. Human Resources
12.6. Configurable Access
12.6.1. Overview
12.6.2. Authorization Groups
12.6.3. User Exits
12.6.4. User Status B_USERSTAT
12.6.5. General Ledger Accounts
12.6.6. Storage Location
12.6.7. Tax Reporter Spool Authorization
13. User Ids
13.1. Overview
13.2. User Groups
13.3. Password
13.3.1. The Initial Password
13.3.2. Password Requirements
13.4. User Buffer
13.5. Logging On
13.6. Logon Errors
13.7. Password Controls
13.7.1. Setting Password Controls
13.7.2. Setting Password Length and Validity
13.7.3. Specifying Impermissible Passwords
13.8. Id Maintenance
13.9. Administering User Ids
13.10. ID Deletion
13.11. Special User Ids
13.11.1. SAP*
13.11.2. SAPCPIC
13.11.3. DDIC
13.11.4. EARLYWATCH
13.11.5. TMSADM
13.11.6. WF-Batch
13.12. Change Documents
14. Logon controls
14.1. System Parameter Settings
14.2. Logon User Exit
15. Global Access Control
15.1. Transaction Code Locking
15.2. Global Check Disabling
15.3. SAP_ALL
16. Profile Generator
16.1. What is Profile Generator
16.1.1. Components of Profile Generator
17. Exploring Profile Generator Menus and Buttons
17.1. Menu Bar
17.2. Function Bar
18. Functions in Profile Generator
18.1. Tasks
18.2. Agents
18.3. SAP Business Workflow
18.4. Personal Planning and Development (PD)
18.5. Session Manager (SESS)
19. Using Profile Generator
19.1. Activating Profile Generator
19.1.1. Setting the Instance Profile Parameter
19.1.2. Setting an Active Plan Version
19.1.3. Loading SAP default Values (SU25)
19.1.4. Menu Activation
19.1.5. Automatic Transport Request
19.2. Configuring Profile Generator
19.2.1. Maintaining Check Indicators and Field Values (SU24)
19.2.2. Adding Transactions to the Customer Menu
19.3. Activity Group Maintenance
19.3.1. Creating
19.3.2. Copying
19.3.3. Displaying
19.3.4. Generating
19.3.5. Deleting
19.3.6. Removing a transaction
19.3.7. Manually inserting and Authorization Object
19.3.8. Transporting
20. Security Strategies and Methodologies
20.1. Profile Creation
20.2. Maintaining Profiles
20.3. Naming Conventions
20.4. Change management
20.5. Controlling Configuration
21. Central User Administration
22. Workplace
23. Security User Exits
23.1. Exit Options
23.1.1. Overview
23.1.2. User Exits via CMOD
23.1.3. Business partner functions
23.1.4. Field Exits
23.2. Logon Exit
23.3. Logon Screen
23.4. Undocumented
24. Tips and Tricks
24.1. Modifying Logon Screen
24.2. Displaying Authorization Failures
24.3. Organization Levels
24.4. Adding Custom Values
24.5. Useful Default Settings
24.6. Stopping the “Multiple logon Notification” Screen
25. System Upgrades
26. Security Weaknesses
26.1. User Ids
26.2. Reference Users
26.3. Trojan Horse
26.4. New Buffering
26.5. SM59
26.6. Visible Passwords
26.7. S_DEVELOP Access
26.8. Table display
27. Appendices
27.1. Appendix A: Security Tables
27.2. Tables
27.3. Appendix B:
27.4. Appendix C: Segregation of Duties Configuration for RSUSR009



