SAP Security Lecture (SAP AG / CSU Chico, 02/14/98). MINS 298C SAP Configuration & Use: Security. Copyright 1996, 1997, 1998 - James R. Mensching, Gail Corbitt.


1  Security Lecture

Contents of this file are for the exclusive use of the special MINS 298C class dealing with SAP software at CSU Chico for the Fall, 1998 semester. Any other use in either electronic or hardcopy form is prohibited without the express written permission of the author. This material is confidential. Do not share it with anyone not enrolled in the class.

2  SAP Security

Purpose of Security:
- Assign users rights to perform job tasks that they need to do.
- Prohibit users from doing tasks that they are not supposed to do.

Objectives of presentation:
- Define key security concepts
- Examine relationship between user and security concepts
- Apply concepts to real situations

3  SAP Security

- Security is performed at the object level
  - 30+ object classes, such as Basis Administration, FI, MM Master Data (view objects within classes by using SU03)
  - About 500+ objects within the 30+ classes
- SAP Security works on a pass-fail system. It checks constraints until it finds a failure.
- Levels of Setting:
  - Authorization Object in the form of authorization (test on an object)
  - Profile (sets of authorizations)
  - User ID

4  SAP Security Framework

[Diagram: boxes labelled Object Authorization (three), Functional Profile (two), Job Profile, User ID and USER]

5  SAP Security Framework

[Diagram: boxes labelled Functional Profile (two), Job Profile, Class Profile, User ID and USER]

6  SAP Security Components

- Authorization Object: something in the system that potentially needs protecting (company code, document type, etc.)
- Fields: attributes that can be used to set protection (1-10 fields per object that vary with object)
- Activity: such as create, update, delete, view
- Authorization Group: values that the object needs
- IDOC Type
- Profile (set of authorizations)
- User Master Record (all profiles for that user)

7  SAP Security Components

Levels of Security Administration:
- SAP Super User
- User ID Maintenance
- Activation Administration
- Authorization Maintenance
- Program Developer
- Objects & Classes
- Authorizations (values of objects)
- Profiles
- User IDs

8  SAP Security and Business Processes

[Diagram: boxes labelled Business Task (two), PROCESS, Object Authorization (two), Functional Profile (two), Job Profile, User ID and User]

9  SAP Security

Authorization: set of specified values for fields in an Authorization Object = test conditions for the object

- Standard Authorizations provided by SAP
  - Object: F_BKPF_BED: Customer Account
  - Activity: *
  - Account Group: *
  - Never change or delete an SAP authorization
- Custom Authorizations (should start with Z)

10  SAP Security Example

- Object Class: Financial Accounting
- Authorization: ZS_D01
- Authorization Object: F_BKPF_BED: Customer Account
- Activity: 01-03, 10 (create, change, print, post)
- Account Group: CALF, HAW

SAP programs perform AUTHORITY-CHECK on objects for values in fields

11  SAP Security: Creating an Authorization

- Create a name for the authorization
  - Start with the letter Z
  - Don't use underscore as second character
  - Example: ZS_D01
- Use SU03 to create the authorization (Tools --> Administration --> Maintain Users)
  - Create (first icon: sheet of paper)
  - Maintain values sets the values you want
  - Save
  - Activate

12  SAP Security

Profile: Set of Authorization Objects
- Simple Profile: 1 Authorization Object
- Composite Profile: more than one authorization object
- Can have a composite made up of composites

13  SAP Security

[Diagram: boxes labelled User Master Record, Composite Profile (two), Profile, Simple Profile, Authorization Object, Authorization and Fields]
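The AUTHORITY-CHECK on slide 10 and the composite-of-composites profiles on slide 12 can be followed end to end in a small model. This is an added example, not code from the lecture or from SAP; the profile names, user IDs and the authorization ZS_D99 are hypothetical, and only ZS_D01 and its values come from the slides. It goes one step beyond the slides by showing that a check passes only when a single authorization covers every field, so values from two authorizations are never combined.

```python
# Constructed model of the slides' hierarchy; not SAP code.
# Authorization name -> (authorization object, {field: allowed values}).
# An allowed value is "*", a single value, or an inclusive range "lo-hi".
AUTHORIZATIONS = {
    "ZS_D01": ("F_BKPF_BED", {"Activity": ["01-03", "10"],
                              "Account Group": ["CALF", "HAW"]}),
    # Hypothetical second authorization: one activity, any account group.
    "ZS_D99": ("F_BKPF_BED", {"Activity": ["03"], "Account Group": ["*"]}),
}
# Profile -> members; a member is an authorization or another profile.
PROFILES = {
    "Z:FUNC_POST": ["ZS_D01"],                     # simple profile
    "Z:FUNC_SHOW": ["ZS_D99"],                     # simple profile
    "Z:JOB_CLERK": ["Z:FUNC_POST"],                # composite profile
    "Z:JOB_LEAD": ["Z:JOB_CLERK", "Z:FUNC_SHOW"],  # composite of composites
}
USERS = {"CLERK1": ["Z:JOB_CLERK"], "LEAD1": ["Z:JOB_LEAD"]}  # user master records


def expand(name, seen=None):
    """Flatten a profile, however deeply nested, into authorization names."""
    seen = set() if seen is None else seen
    if name in AUTHORIZATIONS:
        return [name]
    if name in seen or name not in PROFILES:  # cycle or unknown: grants nothing
        return []
    seen.add(name)
    return [a for member in PROFILES[name] for a in expand(member, seen)]


def value_matches(allowed, requested):
    if allowed == "*":
        return True
    if "-" in allowed:  # range of fixed-width codes, compared as strings
        lo, hi = allowed.split("-", 1)
        return lo <= requested <= hi
    return allowed == requested


def authority_check(user, obj, fields):
    """Pass only if ONE authorization for obj covers EVERY requested field."""
    for profile in USERS.get(user, []):
        for auth in expand(profile):
            auth_obj, allowed = AUTHORIZATIONS[auth]
            if auth_obj == obj and all(
                any(value_matches(v, want) for v in allowed.get(f, []))
                for f, want in fields.items()
            ):
                return True
    return False  # no single authorization passed every field test
```

LEAD1 holds both authorizations, yet a request for activity 01 on an account group outside CALF and HAW still fails, because ZS_D01 rejects the group and ZS_D99 rejects the activity.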

14  SAP Security

- SAP Standard Profile: F_BKPF_KANZ (Display vendor Accounts)
- Custom Profile: AA:FIAR_M01
  - Create profile then activate
  - Copy from existing profile then rename
- To look at, change or create profiles use SU02

15  SAP Security

Standard Profiles common to all SAP installations:
- SAP_ALL (unlimited access to system)
- SAP_NEW (allows older standard profiles to work in newer SAP releases)
- S_A_SYSTEM: System Administrator
- S_A_SHOW: Display authorizations only

16  SAP Security: Users

- User Profiles assign profiles to specific user IDs
- Users can belong to a Group, e.g. ABAP Developers, C&I Admin
  - Can't assign authorizations to groups, only to individual users
  - User Group is a field in some authorization objects
  - Groups are useful to separate responsibility, e.g. more than one security administrator, each responsible for a group of users

17  SAP Security: Users

- Name the ID for the User
- Set the password
- Lock/unlock the account
- Define time period for the ID
- Set default printer and printing rights
- Define PIDs (Parameters)
- Define profiles

18  SAP Security: Users

Rules for setting passwords:
- Must be at least 3 characters
- Cannot begin with ! or ?
- First 3 characters cannot be a sequence of 3 characters in the user ID, e.g. if my user ID is gcorbitt, my password cannot contain orb or cor.
- First 3 characters cannot be the same, e.g. ccc
- Cannot use "pass" or "sap"
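The rules on slide 18 written as a checker that reports every rule a candidate password breaks. This is an added example, not code from the lecture or from SAP; it assumes comparisons are case-insensitive and that "pass" and "sap" are banned as whole passwords, neither of which the slide states.

```python
def password_violations(user_id, password):
    """Return the slide-18 rules that `password` breaks for `user_id`."""
    # Assumption: user IDs and passwords are compared case-insensitively.
    uid, pw = user_id.lower(), password.lower()
    problems = []
    if len(pw) < 3:
        problems.append("shorter than 3 characters")
    if pw[:1] in ("!", "?"):
        problems.append("begins with ! or ?")
    head = pw[:3]
    if len(head) == 3:
        # Any 3-character run of the user ID is off limits as a prefix.
        if head in uid:
            problems.append("first 3 characters occur in the user ID")
        if head[0] == head[1] == head[2]:
            problems.append("first 3 characters are identical")
    # Assumption: the rule bans these two words as the entire password.
    if pw in ("pass", "sap"):
        problems.append('is "pass" or "sap"')
    return problems


# Constructed sample inputs, using the user ID from the slide.
if __name__ == "__main__":
    for candidate in ("orbital9", "cccp12", "!x", "SAP", "blue42sky"):
        print(candidate, password_violations("gcorbitt", candidate))
```

An empty result means the password satisfies all five rules, which says nothing about its strength: any three-character string that avoids the listed patterns is accepted.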

19  SAP Security: Users

PID: Parameter ID
- Example of parameter: default menu options, e.g. fast entry
- default currency
- posting period options

20  SAP Security: Users

User types:
- Dialog
- BDC: inbound interfaces (e.g. data coming in from a legacy system)
- CPIC: machine to machine ID connect through UNIX (e.g. EDI inbound or outbound)
- BDC and CPIC do not have expiration dates on the passwords

21  SAP Security: Transactions

- SU01: Creates and maintains users
- SU02: Creates and maintains profiles
- SU53: Displays LAST authorization failure
- ST01: Traces keystrokes
- SU03: Lists objects and classes
- SM04: Monitors user activity
- SE16: Looks at specific tables in SAP (T003 = auth. group)
- SA38: Looks at programs (AUTHORITY-CHECK)
- SU12: Deletes all users (usually disabled)
- SU10: Adds or deletes a profile to all users

22  SAP Security: Coming Attractions

- SAP Profile Generator (31.G, R4)
  - Makes it easier to track and maintain multiple profiles per user
  - Uses menu paths to create authorizations or profiles
  - Activity Groups similar to our functional profiles
- Activity Group Maintenance (31.G)
  - Allows for profile updates, parameter settings by group instead of by individual user
  - Hopefully allows for resetting expiration, start dates, printer options, etc. by groups of users instead of one user at a time

23  Application of SAP Security to Classroom Activity

- Define what "jobs" or roles we want the students to have per class -- functional profiles
- Set up authorizations for each job or role - job profiles
- Assign job profiles to users
- Document existing authorizations for Display and Create Activities for each "application" object
- Create authorizations for Display and Create where missing
- Create a standard profile that any user could have (view only to all modules)

