
SAP SECURITY ONLINE TRAINING

MAGNIFIC IT CONSULTING Page 1



Introduction
What is Security
Building blocks
Common terminologies used
Most common tools in Security
CUA
What is Security?
The concept of security is the same everywhere. As in everyday life, security means removing or restricting unauthorized access to your belongings, for example your car, laptop or credit cards.
IT Security?
Information security (sometimes shortened to InfoSec) is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical,
SAP Security?
In the same context as InfoSec, SAP security has the same meaning; in other words: who can do what in SAP?
Building Blocks
User Master Record
Roles
Profiles
Authorization Objects
User Master Record?
A user initially has no access in SAP. When we create a user in the system, a User Master Record (UMR) is created for it. The UMR information includes:
Name, password, address, user type, company information
User group
Roles and profiles
Validity dates (from/to)
User defaults (logon language, default printer, date format, etc.)
User Types:
Dialog: typical for most users
System: cannot be used for dialog login; can communicate between systems and start background jobs
Communications Data: cannot be used for dialog login; can communicate between systems but cannot start background jobs
Reference: cannot log in; used to assign additional authorizations to other users
Roles and Profiles
A role is a group of transaction codes (tcodes) used to perform a specific business task.
Each role requires specific privileges to perform a function in SAP; these are called AUTHORIZATIONS. There are 3 types of roles:
Single: an independent role
Derived: has a parent role and differs from it only in organization levels. Maintain transactions, menu and authorizations only at the parent level
Composite: a container that holds one or more single or derived roles

Authorization Objects
Authorization Objects are the keys to SAP security
When you attempt actions in SAP the system checks to see whether you have the
appropriate Authorizations
The same Authorization Objects can be used by different Transactions
User Buffer?
When a User logs into the system, all of the Authorizations that the User has are
loaded into a special place in memory called the User Buffer
As the User attempts to perform activities, the system checks whether the user
has the appropriate Authorization Objects in the User Buffer.
You can see the buffer in Transaction.
Executing a Transaction (Authorization Checks)
1) Does the Transaction exist? All Transactions have an entry in table TSTC.
2) Is the Transaction locked? Transactions are locked using Transaction SM01. Once locked, they cannot be used in any client.
3) Can the User start the Transaction? Every Transaction requires that the user have the object S_TCODE with the Transaction name as its value. Some Transactions also require another Authorization Object to start (which one varies depending on the Transaction).
4) What can the User do in the Transaction? The system checks whether the user has the additional Authorization Objects the Transaction's program requires.
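The four checks above, as an added example written for this page (it is not SAP code and not part of the original training material). It models the user buffer as a list of authorization instances and applies the same matching rule the ABAP AUTHORITY-CHECK statement uses: one authorization for the object must satisfy every required field at once. The TSTC rows, the SM01 lock list, the start-check table and the user buffer are constructed sample data; S_TCODE/TCD, S_USER_GRP/CLASS/ACTVT and V_VBAK_VKO are real SAP object and field names, used here with made-up values.

```python
"""Simplified model of the checks SAP performs when a user starts a
transaction. Added illustration, not SAP code; all tables and the user
buffer below are constructed sample data."""
from dataclasses import dataclass

# 1) Table TSTC: every transaction has an entry (constructed rows)
TSTC = {"VA01": "SAPMV45A", "SU01": "SAPLSUU5", "ZSALES": "ZREPORT_SALES"}

# 2) Transactions locked with SM01 (constructed)
LOCKED_TCODES = {"ZSALES"}

# 3) Extra object some transactions need at start (constructed mapping;
#    in SAP this comes from the transaction's check settings)
START_CHECKS = {"SU01": ("S_USER_GRP", {"CLASS": "SUPER", "ACTVT": "02"})}


@dataclass
class Authorization:
    """One authorization instance in the user buffer: an object plus the
    field values it grants ('*' grants every value, 'VA*' is a prefix)."""
    obj: str
    fields: dict


def value_matches(granted: str, required: str) -> bool:
    """Assumed value semantics: full wildcard, trailing-star prefix, exact."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def authority_check(buffer, obj, required) -> bool:
    """AUTHORITY-CHECK rule: at least one authorization for `obj` in the
    buffer must satisfy every required field (a field the authorization
    does not carry never matches)."""
    for auth in buffer:
        if auth.obj != obj:
            continue
        if all(value_matches(auth.fields.get(f, ""), v)
               for f, v in required.items()):
            return True
    return False


def start_transaction(buffer, tcode):
    """Steps 1-3: exists, not locked, S_TCODE, extra start object.
    Returns (allowed, reason) so the failing check can be reported."""
    if tcode not in TSTC:                                        # step 1
        return False, "transaction does not exist (no TSTC entry)"
    if tcode in LOCKED_TCODES:                                   # step 2
        return False, "transaction locked via SM01"
    if not authority_check(buffer, "S_TCODE", {"TCD": tcode}):  # step 3
        return False, f"missing S_TCODE with TCD={tcode}"
    if tcode in START_CHECKS:                                    # step 3, extra object
        obj, req = START_CHECKS[tcode]
        if not authority_check(buffer, obj, req):
            return False, f"missing {obj} {req}"
    return True, "started"


# Constructed user buffer: in SAP this is loaded at logon from the roles/profiles
USER_BUFFER = [
    Authorization("S_TCODE", {"TCD": "VA*"}),
    Authorization("S_TCODE", {"TCD": "SU01"}),
    Authorization("S_USER_GRP", {"CLASS": "SUPER", "ACTVT": "03"}),  # display only
    Authorization("V_VBAK_VKO", {"VKORG": "1000", "VTWEG": "*", "SPART": "*", "ACTVT": "01"}),
]

if __name__ == "__main__":
    for t in ("VA01", "SU01", "ZSALES", "XYZ"):
        print(t, start_transaction(USER_BUFFER, t))
    # Step 4: inside VA01 the program checks further objects, e.g. sales org 1000
    print(authority_check(USER_BUFFER, "V_VBAK_VKO",
                          {"VKORG": "1000", "VTWEG": "10", "SPART": "00", "ACTVT": "01"}))
```

Running it shows VA01 starting via the VA* prefix, SU01 refused because the buffer grants only display (ACTVT 03) on S_USER_GRP, ZSALES refused by the SM01 lock, and XYZ refused for having no TSTC entry. The reason strings are the kind of information SU53 reports after a failed check.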
How to trace missing Authorizations
Frequently you find that the role you built has inadequate access and fails during testing or during production usage. Why does it happen? Negligence of the tester, or some other reason.
How is the process initiated? This process kicks off when the security administrator receives:
an email, or
a phone call, or
a ticket
How do we determine the correct access required?
SAP has various tools to analyze access errors and determine the correct Authorizations required:
Use Last Failed Authorization Check - SU53 (60% effective)
Use Assignment of Authorization Objects to Transactions - SU24 (60% effective)
Trace the Authorizations for a function - ST01 (90% effective)
Common Terminologies
User Master Records
Roles
Authorizations
Authority Check
User Buffer
Authorization Errors
Security Matrix
Profiles
Authorization Objects
User Menus
SAP Password Controls
There are some standard SAP password controls delivered by SAP which cannot be changed:
First-time users are forced to change their passwords before they can log on to the SAP system, or after their password is reset.
Users can only change their password when logging on.
Users can change their password at most once a day.
Users cannot re-use their previous five passwords.
The first character cannot be ? or !.
The first three characters of the password cannot:
appear in the same order as part of the user name;
all be the same;
include space characters.
The password cannot be PASS or SAP*.
Password Controls - cont.
SAP Password System Parameters are system-wide settings that can be configured:
MPL - Minimum Password Length
Password locked after unsuccessful login attempts
Password expiration time
Password complexity
Illegal Passwords: you can define passwords that cannot be used by entering the impermissible passwords into SAP table USR40.
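The delivered rules and the configurable ones above (minimum length, the USR40 illegal list, the five-password history) combined into one checker, as an added example written for this page rather than SAP's own implementation. Assumptions of this example: comparison is case-insensitive, USR40 entries may contain * and ? wildcards, the history is passed in as a list of earlier passwords, and the minimum length and the USR40 rows are constructed values.

```python
"""Password-rule checker modelled on the SAP password controls listed above.
Added example, not SAP code; MPL and USR40 below are constructed values."""
import fnmatch

MPL = 8                                             # constructed minimum length
USR40 = ["*PASSWORD*", "WELCOME?", "SUMMER20*"]     # constructed illegal patterns


def check_password(candidate, username, history, illegal=USR40, mpl=MPL):
    """Return the list of rules the candidate breaks (empty list = accepted).
    Case-insensitive comparison is an assumption of this example."""
    pw, user = candidate.upper(), username.upper()
    first3 = pw[:3]
    violations = []
    if len(pw) < mpl:                                # configurable: MPL
        violations.append(f"shorter than minimum length {mpl}")
    if pw[:1] in ("?", "!"):                         # delivered rule
        violations.append("first character is ? or !")
    if len(first3) == 3 and first3 in user:          # delivered rule
        violations.append("first three characters appear in the user name")
    if len(first3) == 3 and len(set(first3)) == 1:   # delivered rule
        violations.append("first three characters are all the same")
    if " " in first3:                                # delivered rule
        violations.append("first three characters include a space")
    if pw in ("PASS", "SAP*"):                       # delivered rule
        violations.append("password is PASS or SAP*")
    if pw in (h.upper() for h in history[-5:]):      # delivered rule: last five
        violations.append("re-uses one of the previous five passwords")
    for pattern in illegal:                          # configurable: USR40 rows
        if fnmatch.fnmatchcase(pw, pattern.upper()):
            violations.append(f"matches USR40 entry {pattern}")
            break
    return violations


if __name__ == "__main__":
    for cand in ("Tr0ub4dor&3", "jdoe1234!", "aaa12345", "Summer2024xyz", "?Ab"):
        print(cand, check_password(cand, "jdoe", []))
```

Collecting every broken rule instead of stopping at the first one is deliberate: a user told only "too short" will fix that and then be rejected again for a rule the check already knew about, which is the kind of friction that drives people toward weaker, memorable passwords.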
Tools:
SU01 - User Maintenance
PFCG - Role Maintenance
SUIM - Authorization Reporting Tree
SU02 - Maintain Profiles
SU03 - Maintain Authorizations
SU10 - User Maintenance: Mass Changes
SU21 - Maintain Authorization Objects
SU24 - Authorization Object checks under transactions
SU3 - Maintain default settings
SU53 - Display Authority Check Values
CUA
Central User Administration (CUA) is a feature in SAP that streamlines the management of many user accounts across different clients in a multi-system SAP landscape. It is most valuable when similar user accounts have to be created and managed on multiple clients. Benefits:
Centralized administration
Data consistency & accuracy
Eliminate redundant efforts

www.magnifictraining.com - "SAP SECURITY ONLINE TRAINING"
Contact us: info@magnifictraining.com or +1-6786933994, +1-6786933475, +919052666559, +919052666558
By real-time experts from Hyderabad, Bangalore, India, USA, Canada, UK, Australia, South Africa.
