SAP Security ( Part - 1 )

- By Jagraj Singh
SAP Security Consultant

User Administration - Address Data - SU01 / SU01D

The user master record consists of a client valid and clear, free selectable name. The name can be assigned in the corresponding address field to a specific employee. Also
assigned here is the password, that is provided by the user administrator first of with an initial password. Furthermore, the user can be assigned to a user group; that does not
indicate an increase of rights, but makes allows easier sorting as well as a segregation of duties in the user management organization [as a restriction field within an
authorization]. The user record can be provided with validity time period, no entry indicates unlimited validity. An accounting number can be registered for the CPU-time account.
A user record consists among others of the following elements:
User name
Assigned client
Password
Company address
User type
Start menu
Logon language
Personal output control
Time zone
Activity groups / roles
Profiles
Authorizations
Parameters Adjustments

Logon Data
Types of Users:

Dialog - User type for exactly one interactive user (all logon types including Internet users).
During a dialog logon, the system checks whether the password has expired or is initial.
The user can change his or her password himself or herself.
Multiple dialog logons are checked and, where appropriate, logged.
Every employee should generally be defined as a dialog user.

Communications - User type for dialog-free communication between systems (such as RFC users for ALE, Workflow, TMS and CUA):
A dialog logon is not possible.
Whether the system checks for expired or initial passwords depends on the logon method (interactive or not interactive).
Due to a lack of interaction, no request for a change of password occurs.

System - User type that is a dialog user available to a larger, anonymous group of users.
Assign only very restricted authorizations for this user type.
During a logon, the system does not check whether the password has expired or is initial.
Only the user administrator can change the password.
Multiple logons are permissible.

Service - Service users are user, for example, for an anonymous system access through an ITS service.
After an individual authentication, an anonymous session begun with a service user can be continued as a person related session with a dialog user.

Reference - User type for general, non-person related users that allows the assignment of additional identical authorizations, such as for Internet users created with
transaction SU01.
You cannot log on to the system with a reference user.

User Group - SUGR

User groups are basically an instrument for the user administration, but you can also utilize them for internal organization of users. Users can be assigned to multiple user
groups.
There are two different fields for user groups in the user master [transaction SU01]:
Groups on the group tab

This field is for the internal organization of users and helpful e.g. for mass maintenance - if you want to maintain users of a certain group. This group is also called the General
user group.
User groups for authorization check- Logon tab

This field allows restricting user maintenance to specific groups based on the authorization object S_USER_GRP. If a user has an assignment maintained in this field, the user
administrator will need the corresponding group assigned to his authorization based on S_USER_GRP to be able to actually maintain this user.

The Reference Users

Reference users serve to pass on access rights to other users. A reference user gets rights assigned. Each user may have exactly one reference user assigned to
him, whose authorizations he will receive at the logon in addition to his already existing rights. Reference user of the corresponding type cannot logon to a system.
They are substantially used to equip internet users with identical authorizations.
In the context of user evaluations within SAP, the authorizations that were obtained through a reference user will not be considered! The assignment of reference
users to users is separately to be checked in the table USREFUS. Reference users are assigned to user within the register sheet Roles:

With the flag REF_USER_CHECK within the table PRGN_CUST you can adjust, which message is to be displayed, in case a user who is not of the type reference is
assigned as a reference user: 'W' (default) Warning, 'E' Error, 'S' Simple message, 'I' no message.
An overview of created reference users is prepared by the report RSUVM013.

Users - Important Tables Info

1.

USR02 - User Master

2.

USR04 - User Master Authorizations

3.

UST04 - User Profiles

4.

USR10 - Authorization Profiles

5.

UST10C - Composite Profiles

6.

USR11 - Text for authorization profiles

7.

USR12 - Authorization Values

8.

USR13 - Short Text for Authorizations

9.

USR40 - Table for illegal passwords

10.

USGRP - User Groups

11.

USH02 - Change history for logon data

12.

USER_ADDR - Address data for users

SAP Special users / Standard Users

SAP* - The user SAP* exists right after the installation in all clients. He has the composite profile SAP_ALL assigned and with that all relevant authorizations for the system set
up. If someone deletes the user SAP*, a login is possible with the standard password PASS including the corresponding SAP_ALL authorizations. To prevent a login of the SAP*
after a deletion, the parameter login/no_automatic_user_sapstar can be utilized.
With a parameter setting to 0 the login is possible. Any value higher than 0, prevents a login after the deletion. The standard password for this user directly after the installation is
06071992. The standard password after deletion is PASS.
The preferable method to protect this user is the deactivation of SAP*:
- Remove all authorizations from this user.
- Lock the user account.
- Set the parameter login/no_automatic_user_sapstar to 1.
- Activate the audit log for this user.
You can also consider assigning this user to a user administration group that is protected by a dual control principle.

DDIC - The user DDIC is established in the client 000 and 001 with the installation [and copies of these]. This standard user is utilized to cover installation and release updates
including changes to the data dictionary. The use of the transport management system is restricted to Display only. This is the protection against direct developments. As the
technical steps related to this process are initiated in the client 000, the DDIC only needs to be a dialog user in this client. In all other clients he can be set to the user type
system.
The standard password for this user directly after the installation is 19920706. The report RDDPWCHK allows checking the password that is assigned to the user DDIC. In case
the password matches, the dialog window will be closed. For mismatches the message False is displayed.

TMSADM - The user TMSADM is automatically created at the set up the change and transport management system in the client 000.
This user type is Communication, and he is utilized for transports by the CTS. He has the profile S_A.TMSADM assigned that authorizes the use of RFC with display of the
development environment e.g. as well as writing to the file system. The standard password for this user directly after the installation is PASSWORD.

ECATT Script
Click the below link for detailed video on ECATT Script for Mass user creation
https://www.youtube.com/watch?v=Pix760LK1b0
http://sapsecurityanalyst.com/WP/general-disclaimer/mass-user-creation
http://scn.sap.com/people/santosh.karadkar/blog/2008/04/17/create-mass-users-usingecatt

Thank You