
SAP Audit Information and Approach

Authorization Example

1. User Master Record
   User: Frank W. Lyons
   Profile: Example
2. Profile: Example
   Object: S_Program
   Authorizations: ABAP
3. Authorization: ABAP
   Object: S_Program
   Fields and values:
     Program Group: *
     Activity: SUBMIT, VARIANT

Authorization System

1. Profiles: one or more are assigned to a user.
2. Objects: must have unique names, with one or more fields.
3. Fields: contain the values used for authority checking.
4. Authorizations: can have the same names, as they are physically linked to an object. A field group for an object has multiple values and can be shared across objects.

Initial Defaults

1. Initial Clients
   Client 000: standard model.
   Client 001: model (template) for user-defined clients.
2. Initial User IDs
   SAP*: default super user. A user master record is created during installation, but it is not needed by SAP* to access the complete system. If the SAP* master record is deleted, the SAP* account has the following special privileges:
     It is not subject to authorization checks and therefore has all authorizations.
     It has the password "PASS", which cannot be changed without creating a new user master record.
   To prevent deletion, assign the SAP* user to a group called SUPER; only the super user should be able to maintain user group SUPER.
3. Initial Security Parameters (parameters for user logon)
   login/min_password_lng: minimum password length. The default is 3.
   login/password_expiration_time: number of days after which a password must be changed. The default is 0, which does not enforce password changes. Recommended value: 45.
   login/fails_to_session_end: number of times a user can enter an incorrect password before the system ends the logon attempt. The default is 3.
   login/fails_to_user_lock: number of times a user can enter an incorrect password before the system locks the user against further logon attempts. The default is 12. Recommended value: 3.
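An added example (not part of the original document) that turns the logon-parameter checklist above into an audit script: it parses a parameter dump, treats any parameter missing from the dump as still set to its installation default, and flags deviations from the recommended values. The dump format and the sample values are constructed; treating a minimum password length below the default of 3 as a finding is my own audit assumption, since the document states only the default for that parameter.

```python
# Added example, not from the original document: audit SAP logon parameters
# against the defaults and recommendations given in the text.
import re

# name -> (installation default, recommended value, rule)
# rule "min": live value must be >= recommended; "max": must be <= recommended.
CHECKS = {
    "login/min_password_lng":         (3,  3,  "min"),  # recommended=default: assumption
    "login/password_expiration_time": (0,  45, "max"),  # document recommends 45
    "login/fails_to_user_lock":       (12, 3,  "max"),  # document recommends 3
}

def parse_params(dump):
    """Return {name: int} from lines such as 'login/fails_to_user_lock = 12'."""
    params = {}
    for line in dump.splitlines():
        m = re.match(r"\s*([\w/]+)\s*=\s*(\d+)", line)
        if m:
            params[m.group(1)] = int(m.group(2))
    return params

def audit(params):
    """Return a list of findings. A parameter absent from the dump is assumed
    to be unchanged from its installation default, which is itself a finding
    when that default is weaker than the recommendation."""
    findings = []
    for name, (default, recommended, rule) in CHECKS.items():
        value = params.get(name, default)
        if name == "login/password_expiration_time" and value == 0:
            findings.append(f"{name}=0: password changes are never enforced")
        elif rule == "min" and value < recommended:
            findings.append(f"{name}={value}: below recommended {recommended}")
        elif rule == "max" and value > recommended:
            findings.append(f"{name}={value}: above recommended {recommended}")
    return findings

# Constructed sample dump; password_expiration_time is deliberately missing,
# so the audit falls back to its default of 0.
SAMPLE_DUMP = """\
login/min_password_lng = 3
login/fails_to_session_end = 3
login/fails_to_user_lock = 12
"""

if __name__ == "__main__":
    for finding in audit(parse_params(SAMPLE_DUMP)):
        print("FINDING:", finding)
```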
When a password is locked in this manner, it is automatically unlocked by the system at the start of the next day (midnight).

Adding Users

1. Each user must have a master record.
2. Each user master record refers to one or more profiles that determine the access rights for the user.
3. The master record contains:
     User ID
     Password
     User groups
     User type
     Period of validity
     References to authorization profiles
   Master records can be deleted, but this affects the audit trail. It is better to lock the user's master record.
   Menu Path: Tools - Administration - User Maintenance - User - Lock/Unlock
4. User Group
   If a person is assigned to a user group, only the administrators who are authorized for that user group can alter the user master record. If a user is not assigned to a group, any user administrator can alter the user master record.

Adding Profiles

Profiles and authorizations exist in both maintenance and active versions. This allows updates to be made to the maintenance version before it is activated, separating the maintenance and activation functions.

1. System Profiles (SAP standard and super user profiles)
   S_A.SYSTEM    Unlimited access to all users, profiles, and authorizations
   S_A.ADMIN     Authorizations for SAP system administration.
                 This includes all authorizations except for:
                   Maintenance of users in user group SUPER
                   Maintenance of profiles and authorizations with names beginning "S_A."
   S_A.CUSTOMIZ  Authorizations for use in the SAP Customizing system
   S_A.DEVELOP   Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)
   S_A.USER      Basis system authorizations for end-users (e.g., S_Program, S_BDC_MONI, etc.)
2. Startup Profiles
   Profile Name  Description
   S_ABAP_ALL    All ABAP/4 authorizations
   S_ADMI_ALL    All system administration functions
   S_BDC_ALL     All batch input activities
   S_BTCH_ALL    All batch processing authorizations
   S_DDIC_ALL    DDIC: all authorizations
   S_DDIC_SU     Data Dictionary: all authorizations
   S_NUMBER      Number range maintenance: all authorizations
   S_SCD0_ALL    Change documents: all authorizations
   S_SCRP_ALL    All SAPscript text, styles, and layout set maintenance
   S_SPOOL_ALL   All spool authorizations
   S_SYST_ALL    All system authorizations
   S_TABU_ALL    Standard table maintenance: all authorizations
   S_TSKH_ALL    All system administration authorizations
   S_USER_ALL    User maintenance: all authorizations
   SAP_ALL       Provides unlimited access to maintain all SAP R/3 system authorizations, with the following exceptions:
                   Maintenance of users in user group SUPER
                   Maintenance of profiles and authorizations with names beginning S_USER
   SAP_ANWEND    All SAP R/3 (excluding system) application authorizations
   SAP_NEW       Provides unlimited access to all authorizations added with new releases of SAP R/3
   Z_ANWEND      All user authorizations (excluding BC system)
3. Profiles and their associated authorization value sets are stored in the USRxx tables.

Adding Authorizations

Authorization objects are used to check a user's authority to perform actions and access data in R/3. A user's action is approved only if the user passes the authorization test for each field listed in an object.

1. Authorization Objects
   SAP contains a number of authorization objects that are used to restrict the ability of users to perform certain functions and access information.
   Authorization objects can contain up to ten authorization IDs representing such system elements as transactions, tables, fields, or programs. A user is allowed access if their master record lists the object for which the authorization is being tested and the user passes the authorization test for each authorization ID. An authorization value set is required for access (for example, 02 = change).
   Authorization profiles are used to grant the authorization value sets to a user. The user master record refers to profiles, and the profiles in turn refer to value sets that determine the access capabilities of the user.
   New authorization objects can be created by Menu Path: System - Services - Table Maintenance. Merely creating a new object does not initiate any authorization checking. Either ABAPs need to be modified to test the new objects, or additional authorization checks need to be defined:
     First assign an object class for the new object.
     Next use AUTHORITY-CHECK in ABAP/4 programs, or add additional authorization checks to the TSTC (transaction) table. Menu Path: System - Services - Table Maintenance.
2. Objects
   Objects are defined in the system and contain one or more fields that are used to test user access.
3. Authorization Value Sets
   Lists of all values (for each field) for which a user is authorized. Usually used to define tasks. Profiles allocate the tasks (authorization value sets) to logical functions. These profiles are assigned to a physical user (master record).
4. Basis System Authorization Objects
   S_PROGRAM
     Fields: Program group, Activity
     Uses: ABAP/4 programs that may be run.
   S_EDITOR
     Fields: Program group, Activity
     Uses: ABAP/4 programs that may be displayed or edited.
   ABAP/4 Query (S_QUERY)
     Fields: Activity
     Uses: whether a user can run queries and whether the user can maintain ABAP/4 Query user groups.
   System Administration Functions
     Fields: Administration Functions
     Uses: a variety of system functions, such as:
       1. Whether a user may enter a value interactively to pass an authorization test that he does not have authorization for in his user master record
       2. Access to the ABAP/4 Dictionary
       3. Access to the interface painter
       4. System trace authority
       5. Ability to add or delete additional authorization tests in the TSTC table
       6. Execute host operating system commands
   Central Field Selection
     Fields: Activity, Authorization group
     Uses: which ABAP/4 programs a user can use to dynamically alter attributes of fields.
   Table Maintenance
     Fields: Authorization class, Activity
     Uses: authorize users to view and/or modify table contents.
   Batch Processing: Batch Administrator
     Fields: Administrator
     Uses: give a user administrator authorization over background processing.
   Batch Processing: Batch User Name
     Fields: Authorized user
     Uses: specify user IDs that a user may name as the authorized user for running background jobs.
   Batch Processing: Operations on Batch Jobs
     Fields: Operations, Job Group
     Uses: specify the operations that users may perform on background jobs (release, delete, etc.).
   Batch Input Authorizations
     Fields: Queue group name, Activity
     Uses: authorize a user to work with batch input sessions.
   Queue Management Authorizations
     Fields: Queue group name, Activity
     Uses: management of queues for trouble-shooting or problem analysis.
   Authorization Check for SM04, SM50
     Fields: Administration
     Uses: authorize users to lock or unlock transactions and to manage user sessions other than their own.
   Authorization for Update Administration
     Fields: Administration
     Uses: authorization to manage update records for other users.
   Enqueue: Displaying and Deleting Lock Entries
     Fields: Activities
     Uses: authorize users to maintain lock entries of other users.
   Spool: Device Authorization
     Fields: Output Device
     Uses: authorizes users to use particular printers.
   Spool Actions
     Fields: Spool action, Value
     Uses: authorizes an administrator to perform specified actions on the spool system.
   Public Holiday and Calendar Access Privileges
     Fields: Activity
     Uses: authorization to display and/or maintain calendars.
   Number Range Maintenance
     Fields: Activity, Number range object
     Uses: authorize users to maintain number ranges.
   Change Documents
     Fields: Activity
     Uses: authorization to display, maintain, and/or delete change documents.
   Tools Performance Monitor
     Fields: Authorization name
     Uses: authorization to use sensitive functions of the performance monitor.

Objects - Authorizations

S_TOOLS_EX: access to view logon parameters

S_PROGRAM: ABAP program access
   Field      Value      Comment
   P_GROUP    *          Program group
   P_ACTION   SUBMIT     Execute program
              EDIT       Maintain program attributes and texts
              VARIANT    Start and maintain variants
              BTCSUBMIT  Submit programs for background execution

S_EDITOR: ABAP program access
   Field        Value  Comment
   P_GROUP      *      Program group
   EDIT_ACTION  SHOW   Display program source
                EDIT   Amend program source

S_BDC_MONI: batch input session
   Field       Value  Comment
   BDCGROUPID  *      Name of batch session for which a user is authorized (e.g. "FRANK")
   BDCAKTI     ABTC   Submit sessions for execution
               AONL   Run sessions in interactive mode
               ANAL   Analyze sessions, log, and queue
               FREE   Release sessions
               LOCK   Lock/unlock sessions
               DELE   Delete sessions

S_NUMBER: number range authorization
   Field   Value  Comment
   NROBJ   *      Number range object name for a vendor
   ACTVT   02     Change
           03     Display
           11     Change the last-used number in a number range interval
           13     Initialize the last-used number when transporting ranges between clients
           17     Maintain number range object (pre 3.0)

S_SCDO: change document authorization
   Field   Value  Comment
   ACTVT   02     Maintain and display change documents
           06     Delete change documents
           08     Display change documents
           12     Maintain change document objects

Processes

1. Batch
   A number of transactions entered into the system as a batch. Batch input can take place in the background, where no changes can be made, or in the foreground, where transactions containing errors can be interactively corrected.
   Restricting Access: the Batch Input object restricts user activities in different batch input sessions.
     ANAL  Analyze sessions. Display session, log, and queue dump
     DELE  Delete sessions
     LOCK  Lock and unlock sessions
     FREE  Release sessions
     ABTC  Submit sessions for background execution
     AONL  Run sessions in interactive mode
2. On-Line
3. Background
   The program executes on a background processing server without interactive user input. To run, it must be scheduled. This can be done in two ways:
     Menu Path: ABAP/4 - System Services - Reporting - Batch Request function
     From the background processing menu, by selecting Goto - Batch Request
   In either case the user must have a user ID to run the job. Users can be authorized to run background jobs but not foreground jobs.
   Before a background job can run, it must be released. The releasing of jobs is usually restricted to "Batch Administrators".
   Restricting Access:
     The field Admin in the Batch Admin object is used to give a user administration authorizations. If this field contains a "Y", the user has access to all background jobs in a SAP system and can perform any operation on any job.
     The field Activity in the S_PROGRAM object determines the activities users are able to perform on an ABAP. A value of BTCSUBMIT allows a user to schedule the ABAP/4 program for background execution.
     The Auth user field of the Batch User Name object is used to restrict the user IDs that may be specified as the authorized user for running a job.
     The Operation field of the Operations on Batch Jobs object is used to specify the operations that a user can perform on their own jobs. This is used to restrict users from deleting or releasing jobs.
4. Services
   Can run on different servers: Dialog, Update, Enqueue, Background, Message Server, CPI-C Gateway Server, Spool.
5. Work Processes
   TSKH   Task Handler
   DYNP   Screen Processor
   ABAP   Program Processor
   DB-SS  Database interface that converts ABAP/4 SQL into DBMS SQL

Transactions

SAP transactions allow different functions to be performed within R/3. Menu selection also generates transactions.
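An added example (not from the original document) that models the authorization chain described above: a user master record lists profiles, each profile lists authorizations, and each authorization names one object plus a value set for every field of that object. A check passes only when a single authorization for the object matches every field tested, which is why Frank's ABAP authorization (P_GROUP=*, P_ACTION=SUBMIT/VARIANT) lets him run any program but not edit it or schedule it with BTCSUBMIT. The user IDs LYONS and BATCHOP, the profile BATCHOPS, the authorization BATCH and the wildcard matching via fnmatch are constructed assumptions; treating an omitted field as a failed check is a simplification of the real AUTHORITY-CHECK statement.

```python
# Added example, not from the original document: a model of the R/3 check
# "user -> profiles -> authorizations -> object fields" for S_PROGRAM and
# S_BDC_MONI, using the field names and values from the document's tables.
from fnmatch import fnmatchcase

# Authorization objects and the fields each one tests (from the document).
OBJECT_FIELDS = {
    "S_PROGRAM":  ("P_GROUP", "P_ACTION"),
    "S_BDC_MONI": ("BDCGROUPID", "BDCAKTI"),
}

# Authorization name -> (object, {field: allowed values}); '*' is a wildcard.
# "ABAP" is the document's example; "BATCH" is constructed for illustration.
AUTHORIZATIONS = {
    "ABAP":  ("S_PROGRAM",  {"P_GROUP": {"*"}, "P_ACTION": {"SUBMIT", "VARIANT"}}),
    "BATCH": ("S_BDC_MONI", {"BDCGROUPID": {"FRANK*"}, "BDCAKTI": {"ANAL", "FREE"}}),
}
PROFILES = {"Example": ["ABAP"], "BATCHOPS": ["BATCH"]}          # profile -> authorizations
USERS = {"LYONS": ["Example"], "BATCHOP": ["Example", "BATCHOPS"]}  # user master -> profiles

def _field_ok(allowed, value):
    """A field passes if any value in the authorization's value set matches."""
    return any(fnmatchcase(value, pattern) for pattern in allowed)

def authority_check(user, obj, **fields):
    """Mimic AUTHORITY-CHECK OBJECT obj for `user`.  Every field of the
    object must be supplied and must match within ONE authorization; values
    cannot be combined across authorizations, and a missing field fails closed."""
    if obj not in OBJECT_FIELDS or set(fields) != set(OBJECT_FIELDS[obj]):
        return False
    for profile in USERS.get(user, []):
        for auth_name in PROFILES.get(profile, []):
            auth_obj, values = AUTHORIZATIONS[auth_name]
            if auth_obj == obj and all(_field_ok(values[f], v) for f, v in fields.items()):
                return True
    return False

if __name__ == "__main__":
    print(authority_check("LYONS", "S_PROGRAM", P_GROUP="ZFI", P_ACTION="SUBMIT"))     # True
    print(authority_check("LYONS", "S_PROGRAM", P_GROUP="ZFI", P_ACTION="BTCSUBMIT"))  # False
```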
To see which transaction is currently executing, select Menu Path: System - Status. System transactions apply to the basis system; application transactions are specific to a certain module.
Transactions can be locked and unlocked using Menu Path: Administration - Tcode Administration. When a transaction is locked, users cannot execute it. To perform this function, a user requires the authorization object Authorization Check for SM04, SM50 with a value of S in the Admin field.
1. Controlled by the DYNP processor
   Checks whether additional authorization checks are required to run the transaction (in the TSTC table).
   Interprets the dynpros, which involves creating the screens and applying the logic defined in the dynpro (field checks, etc.).
2. All transactions are listed in the TSTC table. This table includes:
   An indicator that the transaction has been locked or is available to be used. The ability to lock and unlock transactions is controlled using authorization object Authorization Check for SM04, SM50.
   Additional authorization checks to be performed. Only users with the value TCOD in the field Admin Functions of object System Admin Functions can add, alter, or delete these additional authorization tests. If a transaction is not marked as requiring authorization checks, any user can run the transaction.
Transaction types:
   SU93 and SU91  Display changes to master records and profiles
   SE30           Trace function
   SU53           Authorization check failures
   SU02           Activation of profiles
   SU03           Activation of authorizations
   SU0            Assignment of user ID
   SU01           Assignment of users to profiles; alter the password of any user
   SU10           Assignment of profiles for a range of users
   SU12           Delete all users
   TU02           View logon parameters
   SM52           Unix command line prompt
   SU21           Grouping of objects into object classes (examples: Basis Administration, Financial Accounting)

Tables

SAP is characterized by the use of thousands of application and control tables.
The setup of the control tables, to a large extent, determines how a SAP installation functions. The ABAP/4 Dictionary provides logical views of all data (control data, master data, and transaction data) stored in the SAP system. All control tables start with the letter "T". Control tables can be displayed and maintained on-line: Menu Path: System - Services - Table Maintenance.
In order to restrict tables, a number of table authorization classes should be defined. All standard tables have been assigned to authorization classes. The authorization object Table Maintenance is used to maintain the tables in each authorization class. Two levels of access are allowed: value 02 (add, change, or delete) and 03 (display only).
To modify a table structure: Menu Path: Tools - CASE - Development - Data Dictionary - Maintenance.
Logging of changes can be accomplished by using change document objects to specify which tables are logged and the level of logging performed on each table.
1.  TSTC              Transactions
2.  MAC               Matchcodes
3.  T001              Details about a company
4.  T001B             Defines accounting periods for company T001
5.  USRxx             Profiles
6.  TUSR04            Authorization profiles
7.  TUSR01            User master record
8.  TUSR02            User ID and password
9.  TUSR03            Extended information about the user
10. TUSR05            Field defaults for each R/3 user and field
11. TOBJ              Pre-defined authorization objects and fields
12. TOBJT             Descriptive text of the authorization objects
13. TUSR10 and TUSR11 Authorization profiles and descriptions
14. T055              Field group fields
15. T055G             Field groups
16. T055T             Field group descriptions
17. AUTH              Internal table - financial objects
18. TACT              Activity codes
19. TACTT             Activity code descriptions
20. TACTZ             Valid activity codes for each authorization object
21. USR40             Custom password checks
22. TDDAT             Defines the link between tables and their authorization c
