Kyle Balcerzak
SAP Security Consultant
Download the presentation recording with audio from the
Symmetry Knowledge Center
www.sym-corp.com/knowledge-center
Symmetry Corporation – Implementation Support
Quality: Proactive support delivered by US-based experts
Accessibility: 24x7 direct access to your support team
Affordability: Highly competitive fixed-price contracts
Introducing
Kyle Balcerzak
SAP Security Consultant
What We’ll Cover
Introduction – Why is Security Important?
Legal Requirements
SOX, HIPAA, ITAR
Risks & Controls
Why Unregulated Companies Should Care
Security Architecture
User Master Record
Roles
Profiles
Authorization Objects
User Buffer
4 Doors to SAP Security
Managing Security
Security Team
Role owners and the approval process
Periodic Access Validation
Troubleshooting and information
Security Tools
Why is Security Important?
Security is the doorway to the SAP system.
Security is a way of protecting information from unauthorized use.
Security can unlock the flexibility of the system and customize it for
each user.
Information stored in SAP is one of your company’s most valuable
business assets.
What is SAP Security?
SAP application security controls who can do what in SAP.
Examples:
Who can approve purchase requisitions over $10,000 (ME54N)?
Who can view other employees’ social security numbers in the system
(PA20)?
Segregation of Duties
One user can perform two or more conflicting actions, and that combination creates a risk.
Example:
Activities: Someone can create vendor master records and then process
accounts payable payments
Risk: Gives someone the access to create a fictitious vendor and generate
fraudulent payments to that vendor
Excessive Access
An action a user can perform that lies outside their area of expertise or
jurisdiction, or that grants critical access
Example:
Activity: End user can use SP01 to see the spool request for all users
Risk: Users may view sensitive output, for example financial documents or
payroll information.
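Both risk categories above are what a risk analysis evaluates over a user's effective transactions: a Segregation of Duties rule pairs two conflicting functions, and a critical-access rule flags a single sensitive transaction. The Python model below is an added example, not code from the presentation or from any SAP or Symmetry product. The roles and user assignments are constructed, and the transaction codes used in the rules (XK01, FK01, F110, F-53, SU01, SP01) are standard SAP transactions chosen here as illustrative assumptions for the slide's vendor-master/payment and spool examples.

```python
"""Model of an SoD and critical-access risk analysis over SAP role assignments.

Added example with constructed data; the transaction codes in the rules are
standard SAP codes used here as illustrative assumptions."""

# SoD rules: two conflicting function groups, each a set of transaction codes.
SOD_RULES = {
    "P001 Vendor master maintenance vs. AP payments": (
        {"XK01", "FK01"},      # create vendor master records (assumed tcodes)
        {"F110", "F-53"},      # process AP payments (assumed tcodes)
    ),
}
# Critical-access rules: a single transaction is enough to raise a finding.
CRITICAL_TCODES = {
    "SP01": "Spool requests of all users (financial/payroll output)",
    "SU01": "User maintenance",
}

# Constructed role -> transaction mapping and user -> role assignments
ROLE_TCODES = {
    "Z_AP_CLERK": {"F110", "F-53", "FB60"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_BASIS_SPOOL": {"SP01", "SP02"},
    "Z_BUYER": {"ME21N", "ME22N"},
}
USER_ROLES = {
    "JSMITH": ["Z_AP_CLERK", "Z_VENDOR_MAINT"],
    "ABROWN": ["Z_BUYER", "Z_BASIS_SPOOL"],
    "CJONES": ["Z_BUYER"],
}


def user_tcodes(user):
    """Effective transactions of a user: the union over all assigned roles."""
    codes = set()
    for role in USER_ROLES.get(user, []):
        codes |= ROLE_TCODES.get(role, set())
    return codes


def sod_conflicts(user):
    """SoD rules the user violates, with the transactions on each side."""
    codes = user_tcodes(user)
    hits = {}
    for rule_id, (side_a, side_b) in SOD_RULES.items():
        have_a, have_b = codes & side_a, codes & side_b
        if have_a and have_b:
            hits[rule_id] = (sorted(have_a), sorted(have_b))
    return hits


def critical_access(user):
    """Critical transactions the user can execute."""
    return sorted(t for t in user_tcodes(user) if t in CRITICAL_TCODES)


def role_conflicts(role):
    """Role-level check: does a single role already violate an SoD rule?
    Running this before assignment keeps conflicts out of the role design."""
    codes = ROLE_TCODES.get(role, set())
    return [rid for rid, (a, b) in SOD_RULES.items() if codes & a and codes & b]


def risk_report():
    """Per-user findings, the kind of list a role owner reviews."""
    report = {}
    for user in USER_ROLES:
        sod, crit = sod_conflicts(user), critical_access(user)
        if sod or crit:
            report[user] = {"sod": sod, "critical": crit}
    return report


if __name__ == "__main__":
    for user, findings in risk_report().items():
        print(user, findings)
```

The user-level check is what matters for risk: neither Z_AP_CLERK nor Z_VENDOR_MAINT conflicts on its own, but JSMITH holding both is exactly the fictitious-vendor scenario from the slide.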
HIPAA and ITAR
Health Insurance Portability and Accountability Act
Personal health information can be shared with appropriate people for
patient care.
Typically comes into play in SAP HR systems.
Data privacy concerns
If an employee has a potentially embarrassing injury at work, these details
are stored in the system and should only be viewed by authorized personnel.
[Diagram: User Master Record – Roles – Profiles – Authorization Objects – SAP Functionality]
User Master Records
Required to establish access for Users.
[Diagram: User Master Record – Roles contain Profiles]
Roles – Types
Composite Role example:
Purchaser Child 1: ME21N, ME22N for Purchasing Organization 0001
Purchaser Child 2: ME21N, ME22N for Purchasing Organization 0002
Task-based vs. Job-based Roles
Task-based
Each Role performs one function (usually one or only a few
Transactions)
Vendor master creation
Create sales order
Job-based
Each Role contains most functions that a user will need for their job in
the organization
A/P Clerk
Buyer
Warehouse Manager
Hybrid approach
Profiles
Authorization Objects are stored in Profiles
Profiles are the original SAP Authorization infrastructure
Ultimately, a user’s Authorizations come from the Profile(s) assigned to
them
Profiles are different from Roles.
Examples of Delivered Profiles
SAP_ALL
Delivered with the system
Contains almost all Authorization Objects
SAP_NEW
Contains the new objects in the current release that are required to
keep old transactions functioning.
It does NOT contain all new Authorization Objects for that release
S_A.xxxxxxx
Standard BASIS Profiles for various job functions (e.g. customizing,
development, administration)
Authorization Objects
Authorization Objects are the keys to SAP Security
When you attempt actions in SAP, the system checks to see
whether you have the appropriate Authorizations
The same Authorization Objects can be used by different
Transactions
Example – in order to display a table, a user must have the
Authorization Object S_TABU_DIS with the appropriate values
User Buffer
When a User logs into the system, all of the Authorizations that the
User has are loaded into a special place in memory called the User
Buffer
As the User attempts to perform activities, the system checks
whether the user has the appropriate Authorization Objects in the
User Buffer.
You can see the buffer in Transaction SU56.
Example of Authorization Check
When attempting to execute a Transaction, each instance of a
required Authorization Object that a user has is checked by the
system until the system finds a match.
The business is often not aware of the implications of changes that are
requested. Your security team should be able to point out potential risks
when access is requested.
Periodic Access Validation
It’s a good idea to have Role matrix reports generated and reviewed
periodically by Role owners
Ensures that inappropriate changes were not made
Accountability
Consider doing this quarterly or at least yearly
Periodic Access Validation
Example output of a report that was generated by
ControlPanelGRC:
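The report a role owner needs for periodic validation is a user-by-role matrix plus the list of assignments that changed since the last sign-off, grouped by the owner responsible for each role. The Python below is an added example, not ControlPanelGRC's code or output; the users, roles, role owners and the approved baseline are constructed. In a real system the current snapshot would be extracted from the assignment table (for example AGR_USERS) rather than typed in.

```python
"""Role-matrix report and change detection for periodic access validation.

Added example with constructed data; role owners are assumptions."""
from collections import defaultdict

# Approved baseline (what role owners signed off last period) and the current
# user-to-role assignments. Both constructed for the example.
BASELINE = {
    "JSMITH": {"Z_AP_CLERK"},
    "ABROWN": {"Z_BUYER"},
    "CJONES": {"Z_BUYER", "Z_WH_MANAGER"},
}
CURRENT = {
    "JSMITH": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},   # role added since baseline
    "ABROWN": {"Z_BUYER"},
    "CJONES": {"Z_BUYER"},                         # Z_WH_MANAGER removed
    "DLEE": {"Z_BUYER"},                           # new user
}
ROLE_OWNER = {
    "Z_AP_CLERK": "AP Manager",
    "Z_VENDOR_MAINT": "AP Manager",
    "Z_BUYER": "Purchasing Manager",
    "Z_WH_MANAGER": "Warehouse Manager",
}


def role_matrix(assignments):
    """Users x roles matrix: header row plus one row per user with 'X' marks."""
    roles = sorted({r for rs in assignments.values() for r in rs})
    rows = []
    for user in sorted(assignments):
        rows.append([user] + ["X" if r in assignments[user] else "" for r in roles])
    return ["User"] + roles, rows


def access_changes(baseline, current):
    """Assignments added or removed since the approved baseline."""
    changes = []
    for user in sorted(set(baseline) | set(current)):
        before, after = baseline.get(user, set()), current.get(user, set())
        for role in sorted(after - before):
            changes.append((user, role, "ADDED"))
        for role in sorted(before - after):
            changes.append((user, role, "REMOVED"))
    return changes


def review_packets(changes):
    """Group changes by role owner, so each owner confirms only their roles."""
    packets = defaultdict(list)
    for user, role, action in changes:
        packets[ROLE_OWNER.get(role, "UNASSIGNED")].append((user, role, action))
    return dict(packets)


if __name__ == "__main__":
    header, rows = role_matrix(CURRENT)
    print("\t".join(header))
    for row in rows:
        print("\t".join(row))
    for owner, items in review_packets(access_changes(BASELINE, CURRENT)).items():
        print(owner, items)
```

Removals are listed as well as additions: a role that disappeared without a ticket is as much an accountability question as one that appeared.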
User Information System
Transaction SUIM
Great place to get information about Users/Roles
TIP – has had bugs over the years. If something seems incorrect, query
the appropriate table directly.
SU53
Last Authorization check that failed.
May or may not be the Authorization that the User actually needs.
Look at context clues to determine if it is appropriate.
User may need more Authorization Objects after this one is added.
Authorization Trace
Transaction ST01
Records all Authorization Checks performed while a User is in the
system.
Does not include Structural Authorizations in HR Security.
ControlPanelGRC Security Troubleshooter makes this process easier by recording the steps to recreate the issue and the Authorization Trace, and sending the output to the Security Team.
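The User Buffer and Example of Authorization Check slides above, together with the SU53 and ST01 slides, describe one mechanism: each instance of a required Authorization Object in the buffer is tested until one matches, a transaction runs several such checks in sequence, SU53 shows only the last check that failed, and ST01 records every check. The Python model below is an added example, not SAP code, covering all of those passages. The buffer contents and the check sequences are constructed and simplified; the object and field names (S_TCODE/TCD, S_TABU_DIS/DICBERCLS and ACTVT, M_BEST_EKO/EKORG and ACTVT) are SAP's, and the matching rules (exact value, `*` for everything, trailing `*` pattern, a (low, high) interval) are an assumption about how maintained field values are compared.

```python
"""Model of the authorization check SAP runs against the user buffer (SU56).

Added example, not SAP code. Buffer contents and check sequences are
constructed; the value-matching rules are an assumption for this example."""
import copy


def value_matches(allowed, value):
    """Does one maintained field value cover the value being checked?"""
    if isinstance(allowed, tuple):            # interval, e.g. ("0001", "0005")
        low, high = allowed
        return low <= value <= high
    if allowed == "*":                         # full authorization
        return True
    if allowed.endswith("*"):                  # pattern such as "MM*"
        return value.startswith(allowed[:-1])
    return allowed == value


def instance_matches(instance, required):
    """A single authorization instance must cover every required field."""
    return all(any(value_matches(a, v) for a in instance.get(field, ()))
               for field, v in required.items())


def authority_check(user_buffer, obj, required):
    """Walk every instance of `obj` in the buffer until one matches."""
    return any(instance_matches(inst, required)
               for inst in user_buffer.get(obj, []))


def check_transaction(user_buffer, checks, trace):
    """Run a transaction's checks in order. Every check is appended to `trace`
    (what ST01 records); the return value is the first failing check (what
    SU53 displays), or None when all checks pass."""
    for obj, required in checks:
        ok = authority_check(user_buffer, obj, required)
        trace.append((obj, required, "RC=0" if ok else "RC=4"))
        if not ok:
            return (obj, required)
    return None


def missing_authorizations(user_buffer, checks):
    """Grant the SU53 failure, re-run, repeat: lists everything the user still
    needs, which a single SU53 screenshot does not reveal."""
    buf = copy.deepcopy(user_buffer)
    missing = []
    while True:
        failed = check_transaction(buf, checks, [])
        if failed is None:
            return missing
        obj, required = failed
        missing.append(failed)
        buf.setdefault(obj, []).append({f: [v] for f, v in required.items()})


# Constructed buffer for a buyer: object -> list of authorization instances
BUFFER = {
    "S_TCODE":    [{"TCD": ["ME21N", "ME22N"]}, {"TCD": ["SE16"]}],
    "S_TABU_DIS": [{"DICBERCLS": ["&NC&"], "ACTVT": ["03"]},
                   {"DICBERCLS": ["MM*"], "ACTVT": ["03"]}],
    "M_BEST_EKO": [{"EKORG": [("0001", "0005")], "ACTVT": ["01", "02", "03"]}],
}

# Constructed check sequences (simplified; real transactions check more)
DISPLAY_MM_TABLE = [("S_TCODE", {"TCD": "SE16"}),
                    ("S_TABU_DIS", {"DICBERCLS": "MMPO", "ACTVT": "03"})]
CHANGE_FI_TABLE = [("S_TCODE", {"TCD": "SE16"}),
                   ("S_TABU_DIS", {"DICBERCLS": "FC01", "ACTVT": "02"})]
DISPLAY_PO_ORG9 = [("S_TCODE", {"TCD": "ME23N"}),
                   ("M_BEST_EKO", {"EKORG": "0009", "ACTVT": "03"})]

if __name__ == "__main__":
    trace = []
    print(check_transaction(BUFFER, CHANGE_FI_TABLE, trace))   # the SU53 view
    print(trace)                                               # the ST01 view
    print(missing_authorizations(BUFFER, DISPLAY_PO_ORG9))     # both objects
```

DISPLAY_MM_TABLE passes only because the second S_TABU_DIS instance matches after the first one fails, which is the "checked until the system finds a match" behaviour; DISPLAY_PO_ORG9 fails twice in a row, which is why the SU53 slide warns that the user may need more Authorization Objects after the first one is added.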
Security Audit Log
Records information about what Users are doing
Logon/logoff
Transactions/reports started or attempted to start
Password changes
Workstation name of User
Is not on by default.
Transactions SM19/SM20.
Does not record what data was changed by the User.
Central User Administration (CUA)
Manage Users from one SAP client
Simplifies User administration and can save a lot of time – especially for
large environments
If you own SAP, you already own this. All you need is someone to configure
it
There are several “gotchas” that frequently come up when installing. We
recommend contacting a consultant who is CUA savvy
Asynchronous! Ultimately, the Users and Roles exist in each client. CUA is
only the place you log in to make changes!
[Diagram: CUA Central System connected to clients SOL-100, DEV-100, QAS-100 and PRD-100]
SAP Netweaver Identity Management
SAP’s Identity Management Solution
Cross system/cross vendor integration
Separate landscape/installation
Highly configurable; contact someone who specializes in this
product.
SAP GRC Access Controls
Risk Analysis and Remediation
Finds SoD conflicts and excessive access for both Roles and Users
Alert Monitoring
Compliant User Provisioning
Workflow for User creations/modifications
Incorporates SoD checks
Superuser Privilege Management
Emergency, temporary access
Logs some of the user’s actions, notifies managers when used
Enterprise Role Management
Workflow for Role creations/modifications
Incorporates SoD checks
SymSoft ControlPanelGRC
2nd generation compliance automation solution
There are tools available to help manage security – but ultimately a good
security team is key
Kyle Balcerzak
414-732-2743
kbalcerzak@sym-corp.com