SAP Security

advertisement
MINS 298C
SAP Configuration & Use: Security
Copyright 1996, 1997, 1998- James R. Mensching, Gail Corbitt
Contents of this file are for the exclusive use of the special
MINS 298C class dealing with SAP software at CSU Chico
for the Fall, 1998 semester. Any other use in either electronic
or hardcopy form is prohibited without the express written
permission of the author. This material is confidential.
Do not share it with anyone not enrolled in the class.
Security Lecture
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
1
SAP Security
 Purpose of Security:

Assign users rights to perform job tasks that they need to do.

Prohibit users from doing tasks that they are not supposed to do.
 Objectives of presentation

Define key security concepts

Examine relationship between user and security concepts

Apply concepts to real situations
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
2
SAP Security
 Security is performed at the object level

30 + Object classes, such as Basis Administration, FI, MM Master
Data (View Objects within classes by using SU03)

About 500 + objects within the 30 + classes
 SAP Security works on a pass-fail system. It checks
constraints until if finds a failure.
 Levels of Setting:

Authorization Object in the form of authorization (test on an object)

Profile (sets of authorizations)

User ID
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
3
SAP Security Framework
Object
Authorization
Functional
Profile
Job
Profile
Object
Authorization
User ID
Object
Authorization
02/14/98
 SAP AG
CSU
Chico
Functional
Profile
USER
SAP Security Lecture
4
SAP Security Framework
Functional
Profile
Class
Profile
Job
Profile
User ID
Functional
Profile
USER
CSU
Chico
 SAP AG
SAP Security Components
 Authorization Object: something in the system that
potentially needs protecting (company code, document
type, etc.)
 Fields: attributes that can be used to set protection (110 fields per object that vary with object)

Activity: such as create, update, delete, view..

Authorization Group: Values that the object needs

IDOC Type
 Profile (set of authorizations)
 User Master Record (all profiles for that user)
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
5
SAP Security Components
 Levels of Security Administration:
SAP Super User
User ID
Maintenance
User IDs
02/14/98
 SAP AG
CSU
Chico
Activation
Administration
Profiles
SAP Security Lecture
Authorization
Maintenance
Authorizations
(values of objects)
Program
Developer
Objects &
Classes
6
SAP Security and Business Processes
Business
Task
Business
Task
Object
Authorization
Object
Authorization
02/14/98
 SAP AG
CSU
Chico
Functional
Profile
Functional
Profile
SAP Security Lecture
P
R
O
C
E
S
S
Job
Profile
User ID
7
User
SAP Security
 Authorization: Set of specified values for fields in an
Authorization Object = test conditions for the object
 Standard Authorizations provided by SAP

Object: F_BKPF_BED: Customer Account

Activity: *

Account Group: *
 Never Change or Delete an SAP authorization
 Custom Authorizations (should start with Z)
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
8
SAP Security Example
 Object Class: Financial Accounting
 Authorization: ZS_D01
 Authorization Object: F_BKPF_BED: Customer
Account
 Activity: 01-03, 10 (create, change, print,post)
 Account Group: CALF, HAW
 SAP programs perform AUTHORITY-CHECK on objects
for values in fields
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
9
SAP Security: Creating an Authorization
 Create a name for the authorization

Start with the letter Z

Don’t use underscore as second character

Example: ZS_D01
 Use SU03 to create the authorization (Tools -->
Administration -->Maintain Users)

Create (first icon: sheet of paper)

Maintain values sets the values you want

Save

Activate
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
10
SAP Security
 Profile: Set of Authorization Objects
 Simple Profile: 1 Authorization Object
 Composite Profile: more than one authorization object
 Can have a composite made up of composites
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
11
SAP Security
User Master Record
Composite Profile
Simple
Profile
Profile
Composite
Profile
Authorization
Object
Authorization
Fields
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
12
SAP Security
 SAP Standard Profile: F_BKPF_KANZ (Display vendor
Accounts)
 Custom Profile: AA:FIAR_M01
 Create profile then activate
 Copy from existing profile then rename
 To look at, change or create profiles use SU02
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
13
SAP Security
 Standard Profiles common to all SAP installations

SAP_ALL (unlimited access to system)

SAP_NEW (allows older standard profiles to work in newer SAP
releases)

S_A_SYSTEM: System Administrator

S_A_SHOW: Display authorizations only
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
14
SAP Security: Users
 User Profiles assign profiles to specific user IDs
 Users can belong to Group, I.e. ABAP Developers, C&I
Admin
 Can’t assign authorizations to groups only to
individual users
 User Group is a field in some authorization objects
 Groups useful to separate responsibility, I.e. more than
one security administrator, each responsible for a
group of users
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
15
SAP Security: Users
 Name the ID for the User
 Set the password
 Lock/unlock the account
 Define time period for the ID
 Set default printer and printing rights
 Define PIDs (Parameters)
 Define profiles
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
16
SAP Security: Users
 Rules for setting passwords:

Must be at least 3 characters

Can not begin with ! or ?

First 3 characters can not be a sequence of 3 characters in user ID.
I.e. if by user id is gcorbitt, my password can not contain orb, or cor.

First 3 characters can not be the same, I.e. ccc

Can not use “pass” or “sap”
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
17
SAP Security: Users
 PID :Parameter ID
 Example of parameter:

default menu options, I.e. fast entry

default currency

posting period options
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
18
SAP Security: Users
 User types

Dialog

BDC: inbound interfaces (I.e. data coming in from a legacy system)

CPIC: machine to machine ID connect through UNIX (I.e. EDI
inbound or outbound)

BDC and CPIC do not have expiration dates on the passwords
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
19
SAP Security: Transactions
 SU01: Creates and maintains users
 SU02: Creates and maintains profiles
 SU53: Displays LAST authorization failure
 ST01: Traces keystrokes
 SU03: Lists objects and classes
 SM04: Monitors user activity
 SE16: Looks at specific tables in SAP (T003 = auth. group)
 SA38: Looks at programs (AUTHORITY-CHECK)
 SU12: Deletes all users (usually disabled)
 SU10: Adds or deletes a profile to all users
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
20
SAP Security: Coming Attractions
 SAP Profile Generator (31.G, R4)

Makes it easier to track and maintain multiple profiles per user

Uses menu paths to create authorizations or profiles

Activity Groups similar to our functional profiles
 Activity Group Maintenance (31.G)

Allows for profile updates, parameter settings by group instead of by
individual user

Hopefully allows for resetting expiration, start dates, printer options,
etc. by groups of users instead of one user at a time
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
21
Application of SAP Security to Classroom
Activity
 Define what “jobs” or roles we want the students to
have per class --functional profiles
 Set up authorizations for each job or role - job profiles
 Assign job profiles to users
 Document existing authorizations for Display and
Create Activities for each “application” object
 Create authorizations for Display and Create where
missing
 Create a standard profile that any user could have
(view only to all modules)
02/14/98
 SAP AG
CSU
Chico
SAP Security Lecture
22
Download