Introduction to SAP

Security

Wednesday March 31, 2010

Kyle Balcerzak
SAP Security Consultant
Download the presentation recording with audio from the
Symmetry Knowledge Center

www.sym-corp.com/knowledge-center
Symmetry Corporation

Lifecycle Support for any SAP application on any platform combination

Implementation Support

SAP Certified Hosting

SAP NetWeaver / Basis administration

Security Design & Administration

Upgrade & Project Support

Symmetry’s 21st Century Approach to Managed Services

Quality
Proactive support delivered
by US-based experts

Accessibility
24x7 direct access to your
support team

Affordability
Highly competitive fixed-price
contracts
Introducing

Kyle Balcerzak
SAP Security Consultant
What We’ll Cover
Introduction – Why is Security Important?
Legal Requirements
SOX, HIPAA, ITAR
Risks & Controls
Why Unregulated Companies Should Care
Security Architecture
User Master Record
Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security
Managing Security
Security Team
Role owners and the approval process
Periodic Access Validation
Troubleshooting and information
Security Tools
Why is Security Important?
Security is the doorway to the SAP system.
Security is a way of protecting information from unauthorized use.
Security can unlock the flexibility of the system and customize it for
each user.
Information stored in SAP is one of your company’s most valuable
business assets.
What is SAP Security?
SAP application security controls who can do what in SAP.

Examples:
Who can approve purchase requisitions over $10,000 (ME54N)?

Who can view other employees’ social security numbers in the system
(PA20)?

Who can update vendor bank information (XK02)?

Who can create or modify users (SU01)?

Security Objectives
Confidentiality - prevent users from viewing and disclosing
confidential information.
Integrity - ensure the accuracy of the information in your company’s
system.
Availability - prevent the accidental or deliberate loss or damage of
your company’s information resources.
Security Against Whom?
When people think about system security, they usually think about
people outside the company
business espionage
political rivals
In reality, you need to protect against your own people
Curiosity
Accidental access
Intentional access
Factors to Consider
How important is your SAP system and the data stored in it to your
business?

Do you have a policy requiring certain levels of security?

Do your internal or external auditors require a certain level of

security for the information stored in your system?

Will you need some degree of security in the foreseeable future?

Legal Requirements
SOX, HIPAA, ITAR
Segregation of Duties vs. Excessive Access
Controls – Preventive vs. Detective
Why Smaller Companies Should Care
Sarbanes-Oxley (SOX) Act

Executives are ultimately responsible for confirming the design and

effectiveness of internal controls

Excessive access and Segregation of Duties issues are key points

Ultimately – data integrity is key

SOX Continued

Segregation of Duties
One user can perform two or more conflicting actions that causes a risk.
Example:
Activities: Someone can create vendor master records and then process
accounts payable payments
Risk: Gives someone the access to create a fictitious vendor and generate
fraudulent payments to that vendor

Excessive Access
One action that a user can perform that is outside their area of
expertise, jurisdiction, or allows critical access
Example:
Activity: End user can use SP01 to see the spool request for all users
Risk: Users may view sensitive financial documents or payroll information for
example.
HIPAA and ITAR
Health Insurance Portability and Accountability Act
Personal health information can be shared with appropriate people for
patient care.
Typically comes into play in SAP HR systems.
Data privacy concerns
If an employee has a potentially embarrassing injury at work, these details
are stored in the system and should only be viewed by authorized personnel.

International Traffic in Arms Regulations

Controls the import/export of defense related articles and information.
Data privacy concerns
Information and material specifically about defense and military technologies
must only be shared with US Persons or those who are approved.
Shipping concerns
Unauthorized users should not have access to change shipping information
of customer.
Controls – Preventive vs. Detective
In order to prevent fraud, accidental errors, and protect sensitive
information we must have controls.

There are two main categories of controls:

Preventive controls: prohibit inappropriate access

Authorizations, configuration, User-Exits, and so on

Detective controls: rely on other processes to identify inconsistencies

Alerts, periodic reporting, system monitoring
Why Unregulated Companies Should Care
Why should we care about segregating duties, excessive access or
documenting our business processes if we are not publicly traded or
subject to legal requirements?
Documentation
Reduction in errors
Cost of errors
Loss of customers
Fraud happens
Protection of trade secrets
Preserve confidential information
Security Architecture
Authorization Objects Intro
User Master Record
Roles – Single, Derived, Composite
Task-based vs. Job-based Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security
Authorization Concept

User Master
User
Record

Roles

Profiles

Authorization SAP
Objects Functionality
Authorization Objects
Authorization Objects are the keys to SAP security
When you attempt actions in SAP the system checks to see whether
you have the appropriate Authorizations
The same Authorization Objects can be used by different
Transactions
Example – in order to display a table, a user must have the
Authorization Object S_TABU_DIS with the appropriate values
User Master Records
Required to establish access for Users.

Created when a User is created.

User Master Records are client-dependent!

User Master Records
User Master Record information includes:
Name, Password, Address, Company information
User Group (used for security administration or searching capabilities)
Reference to Roles and Profiles (access capabilities are not stored
directly in user master records)
User type
Dialog – typical for most users
System – cannot be used for dialog login, can communicate between
systems and start background jobs
Communications Data – cannot be used for dialog login, can communicate
between systems but cannot start background jobs
Reference – cannot log in, used to assign additional Authorizations to Users
Service – can log in but is excluded from password rules, etc. Used for
Support users and Internet services
Validity dates (from/to)
User defaults (logon language, default printer, date/decimal formats)
User Master Record
Roles and Profiles
Users are assigned Roles and Profiles which contain Authorization
Objects
Profiles contain Authorization Objects

User Master
Roles contain Profiles User
Record

Profiles that come delivered with the

Roles
system or were created from scratch
can be assigned directly to users
Profiles

Profiles that were created for a Role

Authorization SAP
are attached to that Role cannot be Objects Functionality
assigned directly. You must assign
the Role and the system will then
assign the user the correct Profile
Roles
Roles are ‘built on top’ of Profiles and include additional components
such as:
User menus
Personalization
Workflow
In modern SAP systems, users are typically assigned the
appropriate Roles by the security team
The system will automatically add the appropriate Profile(s) for each
Role assigned
****Authorization Objects only exist in Profiles (either on their own or
when “nested” in roles)
A Role has several parts, including:
Description Documentation
Menu Profile
Tips for Managing Roles
Roles typically do not change often
It is strongly recommended that they be created in a Development
client, then transported to Quality (tested, hopefully) and finally
promoted to Production.
Roles should originate from the same client (pick one to be your
“security development” client).
It is much easier to assign an existing Role to a User than to create
or modify a Role.
SAP’s template Roles are intended only for example.
Best practice is to have Users tell you the exact Transactions they
require and build Roles from scratch.
At the very least, copy them into your own namespace
Be aware that many of them contain too much access so be careful!
Roles
Roles
Profile for a Role:
Roles – Types
There are 3 types of Roles:
Single – an independent Role
Derived – has a parent and differs only in Organization Levels. Maintain
Transactions, Menu, Authorizations only at the parent level
Composite – container that contains one or more Single or Derived
Roles

Derived Role example:

Purchaser Parent
ME21N, ME22N for all or no Purchasing Organizations

Purchaser Child 1
ME21N, ME22N for Purchasing Organization 0001

Purchaser Child 2
ME21N, ME22N for Purchasing Organization 0002
Roles – Types
Composite Role example:
Task-based vs. Job-based Roles
Task-based
Each Role can performs one function (usually one or only a few
Transactions)
Vendor master creation
Create sales order

Job-based
Each Role contains most functions that a user will need for their job in
the organization
A/P Clerk
Buyer
Warehouse Manager

Hybrid approach
Profiles
Authorization Objects are stored in Profiles
Profiles are the original SAP Authorization infrastructure
Ultimately – a user’s Authorization comes from the Profile/s that they
have assigned
Profiles are different from Roles.

User Master
User
Record

Roles

Profiles

Authorization SAP
Objects Functionality
Examples of Delivered Profiles
SAP_ALL
Delivered with the system
Contains almost all Authorization Objects

SAP_NEW
Contains the new objects in the current release that are required to
keep old transactions functioning.
It does NOT contain all new Authorization Objects for that release

S_A.xxxxxxx
Standard BASIS Profiles for various job functions (i.e. customizing,
development, administration, etc.)
Authorization Objects
Authorization Objects are the keys to SAP Security
When you attempt actions in SAP, the system checks to see
whether you have the appropriate Authorizations
The same Authorization Objects can be used by different
Transactions
Example – in order to display a table, a user must have the
Authorization Object S_TABU_DIS with the appropriate values
User Buffer
When a User logs into the system, all of the Authorizations that the
User has are loaded into a special place in memory called the User
Buffer
As the User attempts to perform activities, the system checks
whether the user has the appropriate Authorization Objects in the
User Buffer.
You can see the
buffer in
Transaction
SU56
Example of Authorization Check
When attempting to execute a Transaction, each instance of a
required Authorization Object that a user has is checked by the
system until the system finds a match.

Example: User would like to create a Sales Order of the Document

Type “Standard Order” (OR).
One of the Authorization Objects that the system looks for is:
V_VBAK_AAT
There are two fields – Activity and Order Type
To create a sales order for this type, the user will need:
V_VBAK_AAT with:
Activity – 01 (Create)
Order Type – OR (Standard Order)
Example of Authorization Check
To create a sales order for the Standard Order type, the user will need:
V_VBAK_AAT with:
Activity – 01 (Create)
Order Type – OR (Standard Order)
The user might have this Object several times from several Roles. The
system keeps checking until it finds a match:
Role 1
V_VBAK_AAT
Activity – 03 (Display)
Order Type – * (All Order Types)
V_VBAK_AAT
Activity – 01 (Create)
Order Type – B1, B2, CS
Role 2
V_VBAK_AAT
Activity – 01 (Create)
Order Type – OR, RE
Authorization Checks
How does SAP test whether the user has Authorization to execute
functions? What happens when I try to start and run a Transaction?
Authorization Checks – Executing a Transaction

1. Does the Transaction Exist?

Authorization Checks – Executing a Transaction

2. Is the Transaction locked?

1. Does the Transaction Exist?

Authorization Checks – Executing a Transaction

3. Can the User start the Transaction?

2. Is the Transaction locked?

1. Does the Transaction Exist?

Authorization Checks – Executing a Transaction
4. What can the User do in the Transaction?

3. Can the User start the Transaction?

2. Is the Transaction locked?

1. Does the Transaction Exist?

Authorization Checks – Executing a Transaction
1) Does the Transaction exist?
All Transactions have an entry in table TSTC
2) Is the Transaction locked?
Transactions are locked using Transaction SM01
Once locked, they cannot be used in any client
3) Can the User start the Transaction?
Every Transaction requires that the user have the Object
S_TCODE=Transaction Name
Some Transactions also require another Authorization Object to start
(varies depending on the Transaction)
4) What can the User do in the Transaction?
The system will check to see if the user has additional Authorization
Objects as necessary
Managing Security
Security Team
Role Owners and the Approval Process
Periodic Access Validation
Troubleshooting and Information
User Information System (SUIM)
SU53
Authorization Trace (ST01)
Security Audit log (SM19/SM20)
Security Tools
Central User Administration
SAP NetWeaver Identity Management
SAP GRC Access Control Suite
Symsoft ControlPanelGRC
SAP is a Complex Ecosystem
There are many different SAP applications with different areas of
expertise required
Some of these require specialized security knowledge, e.g. HCM
and BI/BW
Examples:
ECC (Sales and Distribution (SD), Materials Management (MM),
Financial and Cost Accounting (FICO), Warehouse Management (WM),
Quality Management (QM), Plant Maintenance (PM), Human Capital
Management (HCM))
Business Information Warehouse (BI/BW)
Customer Relationship Management (CRM)
Supplier Relationship Management (SRM)
Advanced Planner and Optimizer/Supply Chain Management
(SCM/APO)
Portal
…And whatever else SAP dreams up!
Security Team
Important to select an appropriate security team.
Size consideration based on your organization
Auditing requirements
Amount of changes
Security staff knowledge
Role changes should be done by the security team
User assignments can be processed by the security team or the
basis team
Unlocking Users/resetting passwords of Users can be done by the
helpdesk
Security Team
Outsourcing is a good option for many companies.

Key reasons to outsource

Expert help available – it’s hard for part-time security staff to understand
all of the complexities of SAP Security
Internal staff may get overloaded and need extra help.
Project work
Provide coverage during vacations/sick days

Key considerations in choosing an outsourcing provider

Ongoing access to a team vs. consultant randomly assigned by a help
desk
24x7 access to support
Fixed rate support vs. charge by the hour
Role Owners and the Approval Process
The security team may know how to make changes to access, but
will need to work with the business to determine what changes
should be made.
Changes include making changes to Roles (modifying
Authorizations, adding/removing Transactions) and assigning those
Roles to users.

Have Role changes approved by the Role owner

Have User assignment changes approved by both a manager and the

Role owner.

The business is often not aware of the implications of changes that are
requested. Your security team should be able to point out potential risks
when access is requested.
Periodic Access Validation
It’s a good idea to have Role matrix reports generated and reviewed
periodically by Role owners
Ensures that inappropriate changes were not made
Accountability
Consider doing this quarterly or at least yearly
Periodic Access Validation
Example output of a report that was generated by
ControlPanelGRC:
User Information System
Transaction SUIM
Great place to get information about Users/Roles
TIP – has had bugs over the years. If something seems incorrect, query
the appropriate table directly.
SU53
Last Authorization check that failed.
May or may not be the Authorization that the User actually needs.
Look at context clues to determine if it is appropriate.
User may need more Authorization Objects after this one is added.
Authorization Trace
Transaction ST01
Records all Authorization Checks performed while a User is in the
system.
Does not include Structural Authorizations in HR Security.

ControlPanelGRC Security
Troubleshooter makes this
process easier by recording
the steps to recreate the
issue, the Authorization
Trace, and sending the
output the Security Team.
Security Audit Log
Records information about what Users are doing
Logon/logoff
Transactions/reports started or attempted to start
Password changes
Workstation name of User
Is not on by default.
Transactions SM19/SM20.
Does not record what data was changed by the User.
Central User Administration (CUA)
Manage Users from one SAP client
Simplifies User administration and can save a lot of time – especially for
large environments
If you own SAP, you already own this. All you need is someone to configure
it
There are several “gotchas” that frequently come up when installing. We
recommend contacting a consultant who is CUA savvy
Asynchronous! Ultimately, the Users and Roles exist in each client. CUA is
only the place you log in to make changes!
SOL-100
DEV-100
CUA Central
System
QAS-100

PRD-100
SAP Netweaver Identity Management
SAP’s Identity Management Solution
Cross system/cross vendor integration
Separate landscape/installation
Highly configurable, contact someone who specializes in this
product.
SAP GRC Access Controls
Risk Analysis and Remediation
Find SoDs, excessive access for both Roles and Users
Alert Monitoring
Compliant User Provisioning
Workflow for User creations/modifications
Incorporates SoD checks
Superuser Privilege Management
Emergency, temporary access
Logs some of the user’s actions, notifies managers when used
Enterprise Role Management
Workflow for Role creations/modifications
Incorporates SoD checks
SymSoft ControlPanelGRC
2nd generation compliance automation solution

User & Role Manager

Accelerates User and Role change management
Risk Analyzer
Real time risk analysis and mitigation of Segregation of Duties and Sensitive Authorization risks
Usage Analyzer
Monitors Transaction executions to provide
Notification of executed risks
Reverse Business Engineering (RBE) tool
License Optimization tool
Transport Manager
Automates processing of change requests with auditable workflow
Batch Manager
Cross system infrastructure for compliant scheduling, monitoring and tracking of batch jobs
Emergency Access Manager
Manages temporary access – access is tracked by User and reports are routed for review
AutoAuditor
Allows compliance reports to be scheduled and sent to Users for documented review
Key Points
Security is the doorway to the SAP system
Security is a way of protecting information from unauthorized use
Security can unlock the flexibility of the system and customize it for each user
Information stored in SAP is one of your company’s most valuable business
assets.
SAP Security is complex and often difficult to manage and understand
There are legal requirements that influence SAP Security
Not all companies are required to comply with these regulations
All businesses benefit from having well defined processes

There are tools available to help manage security – but ultimately a good
security team is key
Download the presentation recording with audio from the
Symmetry Knowledge Center

www.sym-corp.com/knowledge-center
Kyle Balcerzak
414-732-2743
kbalcerzak@sym-corp.com