SAP Audit Information Approach

March 28, 2018 | Author: Robin Prodigy | Category: Sql, Databases, Oracle Database, Database Transaction, Object (Computer Science)



SAP Audit Information and Approach

Authorization Example

1. User Master Record
   User: Frank W. Lyons
   Profile: Example
2. Profile: Example
   Object: S_Program
   Authorizations: ABAP
3. Authorization: ABAP
   Object: S_Program
   Fields and values:
   Program Group  *
   Activity       SUBMIT, VARIANT

Authorization System
• Profiles: one or more are assigned to a user.
• Objects: must have unique names, with one or more fields.
• Fields: contain the values used for authority checking.
• Authorizations: can have the same names, as they are physically linked to an object. A field group for an object has multiple values and can be shared across objects.

Initial Defaults
1. Initial Clients
• Client 000 - Standard model (template).
• Client 001 - Model for user-defined clients.
2. Initial User IDs
• SAP* - Default super user. A user master record is created during installation, but it is not needed by SAP* to access the complete system. If the SAP* master record is deleted, the SAP* account has the following special privileges:
  • It is not subject to authorization checks and therefore has all authorizations.
  • It has the password "PASS", which can not be changed without creating a new user master record.
• To prevent deletion, assign the SAP* user to a group called SUPER, and only the super user should be able to maintain user group SUPER.

Initial Security Parameters
Parameters for user logon:
• login/min_password_lng - Minimum password length. The default is (3).
• login/password_expiration_time - Number of days after which a password must be changed. The default is zero, which does not enforce password changes. Recommended value = 45.
• login/fails_to_session_end - Number of times a user can enter an incorrect password before the system ends the logon attempt. The default is (3).
• login/fails_to_user_lock - Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. The default is (12). Recommend (3). When a user is locked in this manner, the lock is automatically removed by the system at the start of the next day (midnight). It is better to lock the user's master record: Menu Path: Tools - Administration - User Maintenance - User - Lock/Unlock.
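One way to check the four logon parameters above against the defaults and recommendations stated here, written as an added Python example (it is not part of the deck and not an SAP tool). It assumes the parameter values have been exported to a plain "name value" text, one parameter per line; the sample text is constructed. A parameter absent from the export is treated as still at its shipped default, which is the case that matters most here: login/password_expiration_time and login/fails_to_user_lock are both weak at their defaults.

```python
"""Audit SAP logon parameters against the defaults and recommended values
given in the deck. Added example, not SAP code. Input is assumed to be a
simple 'parameter value' text export; the sample below is constructed."""
from dataclasses import dataclass

# Shipped defaults as stated in the deck.
DEFAULTS = {
    "login/min_password_lng": 3,
    "login/password_expiration_time": 0,   # 0 = password changes never enforced
    "login/fails_to_session_end": 3,
    "login/fails_to_user_lock": 12,
}
RECOMMENDED_EXPIRATION_DAYS = 45
RECOMMENDED_FAILS_TO_LOCK = 3


@dataclass
class Finding:
    parameter: str
    value: int
    message: str


def parse_parameters(text):
    """Parse 'name value' lines; blank lines and '#' comments are ignored.
    Only the logon parameters tracked in DEFAULTS are kept."""
    params = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        name, value = parts
        if name in DEFAULTS and value.lstrip("-").isdigit():
            params[name] = int(value)
    return params


def effective_values(params):
    """A parameter missing from the export is still at its shipped default."""
    return {name: params.get(name, default) for name, default in DEFAULTS.items()}


def audit_logon_parameters(text):
    """Return (effective values, findings) for one exported parameter set."""
    eff = effective_values(parse_parameters(text))
    findings = []

    expiry = eff["login/password_expiration_time"]
    if expiry == 0:
        findings.append(Finding("login/password_expiration_time", expiry,
            "password changes are not enforced; recommended value is %d days"
            % RECOMMENDED_EXPIRATION_DAYS))
    elif expiry > RECOMMENDED_EXPIRATION_DAYS:
        findings.append(Finding("login/password_expiration_time", expiry,
            "expiry exceeds the recommended %d days" % RECOMMENDED_EXPIRATION_DAYS))

    lock = eff["login/fails_to_user_lock"]
    if lock > RECOMMENDED_FAILS_TO_LOCK:
        # The lock this parameter triggers clears itself at midnight, so the
        # threshold is the only brake on repeated wrong passwords.
        findings.append(Finding("login/fails_to_user_lock", lock,
            "allows %d failed logons before lock; recommended %d, shipped default %d"
            % (lock, RECOMMENDED_FAILS_TO_LOCK, DEFAULTS["login/fails_to_user_lock"])))

    min_len = eff["login/min_password_lng"]
    if min_len <= DEFAULTS["login/min_password_lng"]:
        findings.append(Finding("login/min_password_lng", min_len,
            "minimum password length is at (or below) the shipped default of 3"))

    return eff, findings


# Constructed sample export: login/fails_to_user_lock is deliberately absent.
SAMPLE_EXPORT = """\
# constructed sample, not output from any real system
login/min_password_lng 3
login/password_expiration_time 0
login/fails_to_session_end 3
"""

if __name__ == "__main__":
    values, found = audit_logon_parameters(SAMPLE_EXPORT)
    for f in found:
        print(f"{f.parameter} = {f.value}: {f.message}")
```

Run against the constructed sample, the script reports three findings: expiry not enforced, the absent lock parameter still at its default of 12, and the minimum length still at 3.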
Adding Users
1. Each user must have a master record.
2. Each user master record refers to one or more profiles that determine the access rights for the user.
3. The master record contains:
   • User ID
   • Password
   • User groups
   • User type
   • Period of validity
   • References to authorization profiles
4. Master records can be deleted, but this will affect the audit trail.
User Group
• If a person is assigned to a user group, only the administrators who are authorized for that user group can alter the user master record. If a user is not assigned to a group, then any user administrator can alter the user master record.

Adding Profiles
1. Profiles and authorizations exist in both maintenance and active versions. The separation of maintenance and activation functions allows updates to the maintenance version before it is activated.
2. Profiles and their associated authorization value sets are stored in the USRxx tables.
3. System Profiles (SAP standard and super user profiles)
   S_A.ADMIN     Basis system authorizations for end users (e.g. S_Program, S_DBC_MONI, etc.)
   S_A.SYSTEM    Authorizations for SAP system administration. This includes all authorizations except for:
                 • Maintenance of users in user group SUPER
                 • Maintenance of profiles and authorizations with names beginning "S_A."
   S_A.DEVELOP   Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)
   S_A.CUSTOMIZ  Authorizations for use in the SAP Customizing system
   S_A.USER      Unlimited access to all users, profiles, and authorizations

Startup Profiles
   Profile Name  Description
   S_ABAP_ALL    All ABAP/4 authorizations
   S_ADMI_ALL    All system administration functions
   S_BDC_ALL     All batch input activities
   S_BTCH_ALL    All batch processing authorizations
   S_DDIC_ALL    DDIC: all authorizations
   S_DDIC_SU     Data Dictionary: all authorizations
   S_NUMBER      Number range maintenance: all authorizations
   S_SCD0_ALL    Change documents: all authorizations
   S_SCRP_ALL    All SAPscript text, styles and layout set maintenance
   S_SPOOL_ALL   All spool authorizations
   S_SYST_ALL    All system authorizations
   S_TABU_ALL    Standard table maintenance: all authorizations
   S_TSKH_ALL    All system administration authorizations
   S_USER_ALL    User maintenance: all authorizations
   SAP_ALL       Provides unlimited access to maintain all SAP R/3 system authorizations, with the following exceptions:
                 • Maintenance of users in user group SUPER
                 • Maintenance of profiles and authorizations with names beginning S_USER
   SAP_ANWEND    All SAP R/3 (excluding system) application authorizations
   SAP_NEW       Provides unlimited access to all authorizations added with new releases of SAP R/3
   Z_ANWEND      All user authorizations (excluding the BC system)

Adding Authorizations
Authorization objects are used to check a user's authority to perform actions and access data in R/3. The user master record refers to profiles, and the profiles, in turn, refer to value sets that determine the access capabilities of the user.
1. Authorization Objects
• SAP contains a number of authorization objects that are used to restrict the ability of users to perform certain functions and access information.
• Authorization objects can contain up to ten authorization IDs, representing such system elements as transactions, tables, fields, or programs.
• A user is allowed access if their master record lists the object for which the authorization is being tested and the user passes the authorization test for each authorization ID.
• A user's action is approved only if the user passes the authorization test for each field listed in an object.
• New authorization objects can be created via Menu Path: System - Services - Table Maintenance.
  • First assign an object class for the new object.
  • Merely creating a new object does not initiate any authorization checking. Either ABAPs need to be modified to test the new objects, or additional authorization checks need to be defined.
  • Next, use AUTHORITY-CHECK in ABAP/4 programs, or add additional authorization checks to the TSTC (transaction) table via Menu Path: System - Services - Table Maintenance.
2. Objects
• Objects are defined in the system and contain one or more fields that are used to test user access.
• An authorization value set is required for access (e.g. 02 = change).
• Usually used to define tasks.
3. Authorization Value Sets
• Lists of all values (for each field) for which a user is authorized.
• Profiles allocate the tasks (authorization value sets) to logical functions.
4. Authorization Profiles
• Used to grant the authorization value sets to a user. These profiles are assigned to a physical user (master record).
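The chain user master record -> profile -> authorization -> object field values described in this section, modelled in Python as an added example (a simplified model written for this page, not SAP's implementation). It also provides the kind of listing the deck's auditing report offers later, "all user master records that contain a specific object". The S_PROGRAM authorization is the deck's own example for Frank W. Lyons; the S_TABU_DIS value set, the class name FC01 and the user IDs are constructed, and the model goes a step beyond the text in handling unknown objects and fields by failing closed.

```python
"""Model of the authorization system the deck describes: a user master record
refers to profiles, a profile holds authorizations, and each authorization
names an object and an authorization value set (allowed values per field,
'*' meaning any value). Added example in Python; a simplified model, not
SAP's implementation. The S_TABU_DIS value set, the class name FC01 and the
user IDs are constructed; the S_PROGRAM example is the deck's own."""
from dataclasses import dataclass, field

# Objects and their fields, as listed in the deck.
OBJECT_FIELDS = {
    "S_PROGRAM": ("P_GROUP", "P_ACTION"),
    "S_TABU_DIS": ("DICBERCLS", "ACTVT"),
}


@dataclass
class Authorization:
    name: str
    obj: str
    values: dict  # field -> tuple of allowed values (the authorization value set)


@dataclass
class Profile:
    name: str
    authorizations: list = field(default_factory=list)


@dataclass
class UserMaster:
    user_id: str
    profiles: list = field(default_factory=list)
    user_group: str = ""


def field_allows(allowed, value):
    return "*" in allowed or value in allowed


def authorization_passes(auth, obj, required):
    """A single authorization passes only if it is for the object and its own
    value set covers every field value being tested; values are never
    combined across two authorizations."""
    if auth.obj != obj:
        return False
    return all(field_allows(auth.values.get(f, ()), v) for f, v in required.items())


def authority_check(user, obj, **required):
    """The rule from the deck: access is allowed when the user's master record
    (through its profiles) lists the object and the user passes the test for
    each field checked. Unknown objects or fields fail closed."""
    if obj not in OBJECT_FIELDS or any(f not in OBJECT_FIELDS[obj] for f in required):
        return False
    return any(authorization_passes(a, obj, required)
               for p in user.profiles for a in p.authorizations)


def users_with_object(users, obj):
    """The listing the deck's auditing report offers: every user master
    record whose profiles contain a given object."""
    return sorted(u.user_id for u in users
                  if any(a.obj == obj for p in u.profiles for a in p.authorizations))


# The deck's example: user Frank W. Lyons, profile Example, authorization ABAP
# on S_PROGRAM with P_GROUP '*' and P_ACTION SUBMIT, VARIANT.
ABAP = Authorization("ABAP", "S_PROGRAM",
                     {"P_GROUP": ("*",), "P_ACTION": ("SUBMIT", "VARIANT")})
# Constructed: display-only (03) access to one table authorization class.
FI_DISPLAY = Authorization("FI_DISPLAY", "S_TABU_DIS",
                           {"DICBERCLS": ("FC01",), "ACTVT": ("03",)})
EXAMPLE = Profile("Example", [ABAP, FI_DISPLAY])
FRANK = UserMaster("FLYONS", [EXAMPLE], user_group="FI_USERS")
NEWHIRE = UserMaster("NEWHIRE")  # master record with no profiles yet
USERS = [FRANK, NEWHIRE]

if __name__ == "__main__":
    print(authority_check(FRANK, "S_PROGRAM", P_GROUP="ZFI_REPORT", P_ACTION="SUBMIT"))  # True
    print(authority_check(FRANK, "S_PROGRAM", P_GROUP="ZFI_REPORT", P_ACTION="EDIT"))    # False
    print(users_with_object(USERS, "S_TABU_DIS"))  # ['FLYONS']
```

The value set is tested field by field within one authorization, which is why Frank can SUBMIT or maintain a VARIANT of any program but cannot EDIT one, and can display (03) but not change (02) tables in class FC01.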
Basis System Authorization Objects
• S_PROGRAM (fields: Program group, Activity) - ABAP/4 programs that may be run.
• S_EDITOR (fields: Program group, Activity) - ABAP/4 programs that may be displayed or edited.
• S_QUERY, ABAP/4 Query (field: Activity) - Whether a user can run queries and whether the user can maintain ABAP/4 Query user groups.
• System Administration Functions (field: Administration Functions) - A variety of system functions, such as:
  1. Whether a user may enter a value interactively to pass an authorization test for which he does not have authorization in his user master record
  2. Access to the ABAP/4 Dictionary
  3. Access to the interface painter
  4. System trace authority
  5. Ability to add or delete additional authorization tests in the TSTC table
  6. Execute host operating system commands
• Central Field Selection (fields: Activity, Authorization group) - Which ABAP/4 programs a user can use to dynamically alter attributes of fields.
• Table Maintenance (fields: Authorization class, Activity) - Authorize users to view and/or modify table contents.
• Batch Processing: Batch Administrator (field: Administrator) - Give a user administrator authorization over background processing.
• Batch Processing: Batch User Name (field: Authorized user) - Specify the user IDs that a user may specify as the authorization for running background jobs.
• Batch Processing: Operations on Batch Jobs (fields: Operations, Job Group) - Specify the operations that users may perform on background jobs (release, delete, etc.).
• Batch Input Authorizations (fields: Queue group name, Activity) - Authorize a user to work with batch input sessions.
• Queue Management Authorizations (fields: Queue group name, Activity) - Management of queues for trouble-shooting or problem analysis.
• Authorization Check for Administration SM04, SM50 (field: Administration) - Authorize users to lock or unlock transactions and to manage user sessions other than their own.
• Authorization for Update Administration - Authorization to manage update records for other users.
• Enqueue: Activities Displaying and Deleting Lock Entries - Authorize users to maintain lock entries of other users.
• Spool: Device (field: Output Device) - Authorize users to use particular printers.
• Authorization Spool Actions (field: Spool action value) - Authorize an administrator to perform specified actions on the spool system.
• Public Holiday and Calendar Access Privileges (field: Activity) - Authorization to display and/or maintain calendars.
• Number Range Maintenance (fields: Number range object, Activity) - Authorize users to maintain number ranges.
• Change Documents (field: Activity) - Authorization to display, maintain, and/or delete change documents.
• Tools Performance Monitor (field: Authorization name) - Authorization to use sensitive functions of the performance monitor.

Objects - Authorizations
• S_TOOLS_EX - Access to view logon parameters.
• S_PROGRAM - ABAP program access.
  Field P_GROUP: * (program group)
  Field P_ACTION, values:
    SUBMIT     Execute program
    EDIT       Maintain program attributes and texts
    VARIANT    Start and maintain variants
    BTCSUBMIT  Submit programs for background execution
• S_EDITOR - ABAP program access.
  Field P_GROUP: * (program group)
  Field EDIT_ACTION, values:
    SHOW  Display program source
    EDIT  Amend program source
• S_BDC_MONI - Batch input session.
  Field BDCGROUPID: * or the name of the batch session for which a user is authorized (e.g. "FRANK")
  Field BDCAKTI, values:
    ABTC  Submit sessions for background execution
    AONL  Run sessions in interactive mode
    ANAL  Analyze sessions; display session, log and queue dump
    FREE  Release sessions
    LOCK  Lock/unlock sessions
    DELE  Delete sessions
• S_NUMBER - Number range authorization.
  Field NROBJ: * or the number range object name (e.g. for a vendor)
  Field ACTVT, values:
    02  Change
    03  Display
    11  Change the last-used number in a number range interval
    13  Initialize the last-used number when transporting ranges between clients
    17  Maintain number range object (pre 3.0)
• S_SCDO - Change document authorization.
  Field ACTVT, values:
    02  Maintain and display change documents
    06  Delete change documents
    08  Display change documents
    12  Maintain change document objects

Processes
1. On-Line
2. Batch - A number of transactions entered into the system as a batch. Batch input can take place in the background, where no changes can be made, or in the foreground, where transactions containing errors can be interactively corrected. In either case the user must have a user ID to run the job. This can be done in two ways:
   • Menu Path: ABAP/4 - Reporting - Batch Request function
   • From the background processing menu, by selecting Goto - Batch Request
3. Background - The program executes on a background processing server without interactive user input. To run, it must be scheduled. Before a background job can run, it must be released. The releasing of jobs is usually restricted to "Batch Administrators". Users could be authorized to run background jobs but not foreground jobs.
Restricting Access
• The Batch Input object restricts user activities in different batch input sessions:
    ANAL  Analyze sessions; display session, log and queue dump
    DELE  Delete sessions
    LOCK  Lock and unlock sessions
    FREE  Release sessions
    ABTC  Submit sessions for background execution
    AONL  Run sessions in interactive mode
• The field Admin in the Batch Admin object is used to give a user administration authorizations. If this field contains a "Y", the user has access to all background jobs in an SAP system and can perform any operation on any job.
• The Auth user field of the Batch User Name object is used to restrict the user IDs that may be specified as the authorized user for running a job.
• The Operation field of the Operations on Batch Jobs object is used to specify the operations that a user can perform on their own jobs. This is used to restrict users from deleting or releasing jobs.
• The field Activity in the S_PROGRAM object determines the activities users are able to perform on an ABAP. A value of BTCSUBMIT allows a user to schedule the ABAP/4 program for background execution.
4. Work Processes
   TSKH   Task Handler
   DYNP   Screen Processor
   ABAP   Program Processor
   DB-SS  Database interface that converts ABAP/4 SQL into DBMS SQL
5. Services (can run on different servers)
   • Dialog
   • Update
   • Enqueue
   • Background
   • Message Server
   • CPI-C Gateway Server
   • Spool
Transactions
SAP transactions allow different functions to be performed within R/3. System transactions are applicable to the Basis system, and application transactions are specific to a certain module. Menu selection also generates transactions.
1. All transactions are listed in the TSTC table. This table includes:
• An indicator that the transaction has been locked or is available to be used.
• Additional authorization checks to be performed.
2. Transactions can be locked and unlocked using Menu Path: Administration - Tcode Administration. When a transaction is locked, users can not execute that transaction. The ability to lock and unlock transactions is controlled using the authorization object Authorization Check for SM04, SM50, SM05 with a value of S in the Admin field; a user requires that object to perform this function.
• If a transaction is not marked as requiring authorization checks, then any user can run the transaction.
• System Admin Functions gives the ability to add, alter, or delete these additional authorization tests. Only users with the value TCOD in the field Admin Functions of the object System Admin Functions can do so.
• To see which transaction is currently executing, select Menu Path: System - Status.
3. Transactions are controlled by the DYNP processor, which:
• Interprets the Dynpros, which involves creating the screens and applying the logic defined in the Dynpro (field checks, etc.).
• Checks whether additional authorization checks are required to run the transaction (in the TSTC table).
Transaction types:
• SU93 and SU91 - Display changes to master records and profiles
• SE30 - Trace function
• SU53 - Authorization check failures
• SU02 - Activation of profiles
• SU03 - Activation of authorizations
• SU0 - Assignment of user ID
• SU01 - Assignment of users to profiles and alteration of the password of any user
• SU10 - Assignment of profiles for a range of users
• SU12 - Delete all users
• TU02 - View logon parameters
• SM52 - Unix command line prompt
• SU21 - Grouping of objects into object classes (examples are Basis Administration and Financial Accounting)

Tables
SAP is characterized by the use of thousands of application and control tables. The setup of the control tables determines, to a large extent, the way in which an SAP installation functions. All control tables start with the letter "T". Control tables can be displayed and maintained on-line. To modify a table structure: Menu Path: Tools - CASE - Development - Data Dictionary - Maintenance. Logical views of all data (control data, master data, and transaction data) stored in the SAP system are provided by the ABAP/4 Dictionary.
1. All standard tables have been assigned to authorization classes. In order to restrict tables, a number of table authorization classes should be defined. Table Maintenance is used to maintain the tables in each authorization class: Menu Path: System - Services - Table Maintenance.
2. Two levels of access are allowed in the authorization object: value = 02 (add, change, or delete) and 03 (display only).
3. Logging of changes can be accomplished by using change document objects to specify which tables are logged and the level of logging performed on each table.
Key tables:
1. TSTC - Transactions
2. MAC - Matchcodes
3. T001 - Details about a company
4. T001B - Defines accounting periods for company T001
5. USRxx - Profiles
6. TUSR04 - Authorization profiles
7. TUSR01 - User master record
8. TUSR02 - User ID and password
9. TUSR03 - Extended information about the user: user type, period of validity, and account number
10. TUSR05 - Field defaults for each R/3 user and field
11. TOBJ - Pre-defined authorization objects and fields
12. TOBJT - Descriptive text of the authorization objects
13. TUSR10 and TUSR11 - Authorization profiles and descriptions
14. T055 - Field group fields
15. T055G - Field groups
16. T055T - Field group descriptions
17. AUTH - Internal table, Financial objects
18. TACT - Activity codes
19. TACTT - Activity code descriptions
20. TACTZ - Valid activity codes for each authorization object
21. USR40 - Custom password checks
22. TDDAT - Defines the link between tables and their authorization classes
23. T000 - SAP clients
24. T001 - SAP companies
25. TGSB - Business areas and plants
Logs
Errors and important events are logged in the system logs. The servers in an SAP system record events and problems in a set of local and central system logs. Each application server has a local log file; local logs keep only messages issued by the local application server. System logs are configured by setting parameters in the system profile. These logs may be displayed and maintained on-line from Menu Path: Tools - Administration - Monitoring - System log. These logs should be reviewed daily.
Logging of Changes to Authorizations:
• All changes to user master records, profiles, and authorization value sets are logged.
• Changes to a user's password, user group, user type, period of validity, and account number are logged.
• For each item in the log, the system reports both the old and the new version of any lines that have changed.
• Transactions SU93 and SU91 display the changes made to a user's master record or profiles. The user master record log will not display modified profiles; rather, it displays profiles added to or deleted from the list in the user master record. The log of changes to profiles could be used to identify changed profiles.
• This log is a valuable control over unauthorized changes to users' access capabilities and needs to be reviewed daily.

Reports for Auditing Security
• Menu Path: Information - Current Information
• Displays detailed information on user master records, authorization profiles, authorization objects, and authorization value sets. With this facility, it is possible to display all user master records and/or profiles that contain a specific object.

Modules (SAP application modules)
1. BC - SAP Basis module
2. Logistics: SD, MM, PP, PM, PS, QM
3. Human Resources: HR
4. Financial and Administration: FI, CO, AM, OC

Change Management

Backup and Recovery
Daily backups are necessary to ensure the recoverability of data in the event of a disaster. SAP can be backed up on-line. Redo logs (Oracle) should also be archived daily. SAP includes the SAPDBA program, which is used to perform database administration tasks.

Security Administration
Users who are able to change user master records, profiles and/or authorization value sets need to be tightly controlled. The system provides a number of standard authorization objects that can be used.
• User Groups - S_USER_GRP
  Field: User group - Values: the names of the user groups for which an administrator is authorized.
  Administrator actions:
    01  Create user master records, add profiles to new or existing records
    02  Edit
    03  Display
    05  Lock or unlock user
    06  Delete a user master record
    08  Display user change records
• Authorization Profile - S_USER_PRO
  Field: Profile name - Values: the profile names for which an administrator is authorized.
  Administrator actions:
    01  Create profiles and enter authorizations into them
    02  Edit
    03  Display
    06  Delete a profile
    08  Display change records
    22  Add profiles to user master record
• Authorization Value Sets - S_USER_AUT
  Field: Object name - Values: the names of the authorization objects for which an administrator is authorized.
  Field: Authorization name - Values: the names of the authorization value sets for which an administrator is authorized.
  Administrator actions:
    01  Create authorization value set
    02  Edit
    03  Display
    06  Delete
    07  Activate
    08  Display change records
    22  Enter authorizations into a profile
• Table Maintenance - S_TABU_DIS
  Field: DICBERCLS - Values: the table classes for which user access is authorized.
  Field: ACTVT - Values: activity code.
• Table Maintenance Across Clients - S_TABU_CLI
  Field: CLIDMAINT - Values: access indicator.

Object S_USER_GRP
• Determines which user groups can be administered and consequently all users who are assigned to those groups.
Object S_ADMI_FCD
• "Systems Administration Functions" provides powerful systems administration functions, including the following (field = "Systems Administration Functions"):
    NADM  Network Administration (SM54, 55, 59)
    UADM  Update Administration (SM13)
    T000  Create New Client
    TLCK  Lock/Unlock Transactions
    SPAD  Authorization for spool administration in all clients
    SPAR  Authorization for client-dependent spool administration
    SP01  Authorization for administration of spool requests in spool output control (all users and clients)
    SPOR  Spool administration
    BTCH  Test environment, batch
    UNIX  Execute UNIX commands from SAPMSOS0
    RSET  Reset/delete data without archiving
    SYNC  Reset buffers

ABAP/4 Dictionary
R/3 uses an external database (Oracle in most cases) to hold application data, but it makes use of its own ABAP/4 Dictionary. This Dictionary gives R/3 the functionality to control the environment. Each field in the ABAP/4 Dictionary is described by a domain. The ABAP/4 Dictionary provides the following domain checks:
• The format of the field must match the definition in the ABAP/4 Dictionary (character, numeric, date, etc.).
• A number of discrete values may be contained in the domain that are valid for the field.
• A table can be specified that contains all the values allowed for a particular field. If a table is specified, there must be procedures for ensuring that the table's contents are kept up-to-date.
When any input is not valid in terms of the domain, it will not be accepted, and the user will have to correct the entry in the Dynpro screen before continuing.
Restricting Access
• Controlled by the authorization object System Admin Functions. Only users with the value = DDIC in the Admin Function field can make changes to the ABAP/4 Dictionary or use the database table utility.
• It is not possible to further restrict access to alterable tables.
• Changes are logged by the system and can be queried using the ABAP/4 Dictionary Information System: Menu Path: Development - ABAP/4 Dictionary - Info System.
• Dictionary changes should be reviewed daily.
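The three domain checks listed above (format, discrete value list, check table) and the "correct the entry before continuing" rule, written out as an added Python example (not SAP code and not the Dictionary's own logic). The domain definitions, the field names COMPANY_CODE, POST_DATE and DOC_NUMBER and the check-table contents are constructed; ACTVT and the table name T001 are taken from the deck. It also covers the caveat the deck raises about check tables: a check table that is not maintained rejects every value rather than accepting any.

```python
"""Domain checks of the kind the deck attributes to the ABAP/4 Dictionary
(field format, discrete value list, check table), applied to Dynpro input.
Added example in Python, not SAP code. The domain definitions, the field
names COMPANY_CODE, POST_DATE and DOC_NUMBER and the check-table contents
are constructed; ACTVT and table name T001 are taken from the deck."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Domain:
    name: str
    fmt: str                               # CHAR, NUMC or DATS
    length: int
    fixed_values: frozenset = frozenset()  # discrete values valid for the field
    check_table: str = ""                  # table holding all allowed values


# Constructed contents of check tables, keyed by table name.
CHECK_TABLES = {
    "T001": {"1000", "2000"},  # company codes defined in the company table
}

DOMAINS = {
    "ACTVT": Domain("ACTVT", "CHAR", 2, fixed_values=frozenset({"01", "02", "03", "06"})),
    "COMPANY_CODE": Domain("COMPANY_CODE", "CHAR", 4, check_table="T001"),
    "POST_DATE": Domain("POST_DATE", "DATS", 8),
    "DOC_NUMBER": Domain("DOC_NUMBER", "NUMC", 10),
}


def check_format(domain, value):
    """Format check: length, digits only for NUMC, a real calendar date for DATS."""
    if len(value) > domain.length:
        return f"longer than {domain.length} characters"
    if domain.fmt == "NUMC" and not value.isdigit():
        return "must be numeric"
    if domain.fmt == "DATS":
        if len(value) != 8 or not value.isdigit():
            return "must be 8 digits in YYYYMMDD form"
        try:
            datetime.strptime(value, "%Y%m%d")
        except ValueError:
            return "not a valid calendar date"
    return None


def validate(domain, value, tables=CHECK_TABLES):
    """Return None when the value is accepted, otherwise the reason it is
    rejected, applying the checks in the order the deck lists them."""
    reason = check_format(domain, value)
    if reason:
        return reason
    if domain.fixed_values and value not in domain.fixed_values:
        return f"not one of {sorted(domain.fixed_values)}"
    if domain.check_table:
        allowed = tables.get(domain.check_table)
        if allowed is None:
            # A check table that is not maintained cannot vouch for any
            # value, so fail closed rather than accept everything.
            return f"check table {domain.check_table} is not maintained"
        if value not in allowed:
            return f"not found in check table {domain.check_table}"
    return None


def validate_screen(inputs, domains=DOMAINS, tables=CHECK_TABLES):
    """inputs maps a screen field to (domain name, entered value). Returns the
    rejected fields with reasons; an empty result means the screen can be
    processed, otherwise the user must correct the entries first."""
    errors = {}
    for screen_field, (domain_name, value) in inputs.items():
        reason = validate(domains[domain_name], value, tables)
        if reason:
            errors[screen_field] = reason
    return errors


if __name__ == "__main__":
    print(validate_screen({
        "company_code": ("COMPANY_CODE", "3000"),
        "posting_date": ("POST_DATE", "20240230"),
        "activity": ("ACTVT", "03"),
    }))
```

The format check runs first so that a value which is the wrong shape is never looked up in a value list or table; the check-table lookup is last, which is also where the stale-table risk the deck mentions sits.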
ABAP/4 Programming
ABAP/4 is the fourth-generation interpretative language in which all R/3 applications are written (the Basis system is written in C). ABAP/4 is a comprehensive programming language: ABAP statements can be written that will read and update data, create new records, etc., and ABAP can also contain SQL statements allowing almost unrestricted access to the database. ABAP/4 must therefore be tightly controlled. No ABAP statement changes should be allowed in the production system's environment.
1. Location: on the application server.
Restricting Access
• Each ABAP needs to be assigned to an authorization group in the report attributes, which are set when creating an ABAP report. ABAPs that have been assigned to a program group can only be run by users who are authorized for that program group through object S_PROGRAM. Any ABAP that has not been assigned to an authorization group may be run by any user with authorization for object S_PROGRAM.
• In the standard system, none of the ABAPs are assigned to authorization groups. Therefore any user that can run transaction SA38 (or SE38, to develop ABAP/4 programs) can run any of the standard ABAPs. No matter what, the database interface checks are still in play for all ABAPs, and the user will not be able to act on data for which they have no authority.
• It is recommended that all ABAPs be placed in authorization classes and that users should only have authorization for the authorization classes (ABAPs) that are required for their job functions.
• The S_EDITOR authorization object is used to rest rict the authorization groups a user is able to edit. Any user with the S_EDITOR authorization object is able to edit any ABAP program that has not been assigned to an authorization group. No users should have S_EDITOR; otherwise they may write dynamic SQL that allows complete access to all clients' data.
• ABAPs may be developed on-line using the SAP ABAP editor. This should be restricted to administrators. Variants are parameters that are passed to an ABAP program.
• The S_PROGRAM object further restricts the manner in which a user is able to run an ABAP:
    SUBMIT     The user may start programs interactively.
    BTCSUBMIT  The user may submit programs for execution in the background partition.
    EDIT       The user can maintain attributes and text elements and use utilities for copying and deleting reports (this does not allow the user to edit ABAP/4 programs).
    VARIANT    The user may maintain variants.

ABAP/4 Query
ABAP/4 Query is the report-writing software that allows users to generate reports quickly and easily without programming knowledge. It generates an ABAP program. Users cannot access any information to which they would otherwise not have access, regardless of who wrote the query.
Restricting Access
• Queries must be assigned to a user group before they can be run.
• A user group contains the functional areas and the names of all people authorized to run queries.
• Any user can run any queries defined for a user group of which he/she is a member.
• In order to create or maintain ABAP/4 Queries, a user must be a member of one or more user groups and have a value = 02 (change) in the activity field of the ABAP/4 Query authorization object.
• In order to maintain the ABAP/4 Query user groups, a user needs the value = 23 (Maintain Environment) in the activity field of the ABAP/4 Query authorization object.
• Ensure that procedures are in effect to update the user groups when job assignments change.

Dynpros (Screen Generator)
Dynpros are the input screens used when processing SAP transactions. They include details of the processing logic to be performed on the fields. Dynpros can be developed on-line using the standard SAP Dynpro Screen Painter: Menu Path: Tools - Case - Development - Screen Painter. Controls need to be in place to ensure that changes to Dynpros are authorized, tested, and approved.

Operating Systems
1. Unix - Start-up profiles are stored in /usr/sap<SAP System Name>/sys/profile
2. NT

Database Management Systems
1. Oracle

Number Ranges
SAP provides an "internal" and an "external" numbering mechanism.
• Internal numbers are sequential codes given by the system for documents, article numbers, personnel numbers, etc.
• Both internal and external numbers are stored in the file SYSV.

Matchcodes
These are secondary indexes that enable users to find specific records when the primary key is unknown. They are stored in table MAC. Table MAC can be edited on-line using transaction SM31 and is accessible through Menu Path: System - Services - Table Maintenance.
Weaknesses
1. SAP* is the default user ID and it has unlimited access capabilities. It should only be given to the system administrators (SUPERUSER).
2. Default system profiles may provide too much authority.
3. In the standard system, none of the ABAPs are assigned to authorization groups.
4. Unlike normal ABAP statements, native SQL and Open SQL do not trigger any authorization checks at run time. Using ABAPs with the AUTHORITY-CHECK statement, however, the user's authority can be checked at run time for specified objects. Do not use native SQL calls in ABAPs, as they bypass the Dictionary consistency checks; use Open SQL statements.
5. Default logon IDs:
   • SAP* password = 06071992
   • SAP* password = PASS
   • DDIC password = 19920706
   • Oracle: Sys password = change_on_install; System password = manager; Sapr3 password = sapr3 (the SAP/R3 application ID)
   • SAPDBA: front-end to SQL*DBA; can perform all DBA functions within SAP; authentication is completed in UNIX
6. Ad-hoc queries: SQL*Plus, ODBC.
7. Oracle tables: the USR02 table contains all SAP user IDs and passwords.

Standard Reports
   RSAVGL00  Table comparison across clients
   RSDECOMP  Comparing tables across two systems
   RSDELSAP  Delete SAP* from client 066 (EarlyWatch client)
   RSKEYS00  Table comparison: system versus sequential file
   RSTABL00  As for RSKEYS00
   RSSTAT92  Table changes for a selected month
   RSSTAT95  Table access statistics
   RSPARAM   Display system parameter settings
   RSUSER01  Test SAP_ALL
   RSUSR000  List all active users
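The checks the Weaknesses list implies, run offline over exported listings, as an added Python example (not SAP code and not one of the standard reports). It flags SAP* outside user group SUPER, users without a user group, users holding the default wide profiles, users whose profiles grant S_EDITOR, and ABAPs with no authorization group. The three CSV texts stand in for a user-master listing, a profile listing and a program listing; their layout is an assumption and their contents are constructed. A profile referenced by a user but missing from the profile listing is reported rather than silently ignored.

```python
"""Offline review for the weaknesses listed in the deck: SAP* outside user
group SUPER, users holding the default wide profiles, users who can edit ABAP
source (S_EDITOR), and ABAPs with no authorization group. Added example in
Python, not SAP code. The three CSV texts stand in for a user-master listing,
a profile listing and a program listing; their layout is an assumption and
their contents are constructed."""
import csv
from io import StringIO

# Profiles the deck describes as granting very wide authority.
WIDE_PROFILES = {"SAP_ALL", "SAP_NEW", "S_A.SYSTEM", "S_A.USER"}

# Constructed sample listings (not from any real system).
USERS_CSV = """user_id,user_group,profiles
SAP*,,SAP_ALL
DDIC,SUPER,SAP_ALL;SAP_NEW
FLYONS,FI_USERS,Z_FI_DISPLAY
PSMITH,,Z_ABAP_DEV
"""
PROFILES_CSV = """profile,objects
SAP_ALL,S_PROGRAM;S_EDITOR;S_TABU_DIS;S_USER_GRP
SAP_NEW,S_PROGRAM
Z_FI_DISPLAY,S_PROGRAM;S_TABU_DIS
Z_ABAP_DEV,S_PROGRAM;S_EDITOR
"""
PROGRAMS_CSV = """program,auth_group
ZFI_REPORT01,ZFI
ZFI_REPORT02,
RSUSR000,
"""


def load(csv_text):
    return list(csv.DictReader(StringIO(csv_text)))


def split_list(value):
    return [v for v in value.split(";") if v]


def review(users_csv, profiles_csv, programs_csv):
    """Return (subject, message) findings; an empty list means nothing to report."""
    profile_objects = {r["profile"]: set(split_list(r["objects"]))
                       for r in load(profiles_csv)}
    findings = []
    for row in load(users_csv):
        uid, group, profiles = row["user_id"], row["user_group"], split_list(row["profiles"])
        if uid == "SAP*":
            if group != "SUPER":
                findings.append((uid, "SAP* is not in user group SUPER; any user "
                                      "administrator can maintain or delete it"))
        elif not group:
            findings.append((uid, "no user group: any user administrator can alter "
                                  "this master record"))
        wide = sorted(p for p in profiles if p in WIDE_PROFILES)
        if wide:
            findings.append((uid, "holds default wide profile(s): " + ", ".join(wide)))
        objects = set()
        for p in profiles:
            if p not in profile_objects:
                findings.append((uid, f"profile {p} is missing from the profile listing"))
            objects |= profile_objects.get(p, set())
        if "S_EDITOR" in objects:
            findings.append((uid, "holds S_EDITOR and can edit ABAP source"))
    for row in load(programs_csv):
        if not row["auth_group"]:
            findings.append((row["program"], "ABAP has no authorization group; any user "
                                             "with S_PROGRAM can run it"))
    return findings


if __name__ == "__main__":
    for subject, message in review(USERS_CSV, PROFILES_CSV, PROGRAMS_CSV):
        print(f"{subject}: {message}")
```

On the constructed data this yields nine findings: three for SAP*, two for DDIC, two for PSMITH and one for each of the two ungrouped programs, and nothing for FLYONS. Default password checks are deliberately not attempted offline; those belong to the logon and lock review of the earlier sections.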
Financial Authorization Objects
Master Data: GL, Vendor, Customer, Bank
Documents
Balance Sheets
Credit Control Data
Payment Runs
Dunning Runs
Example: Object = Company Codes
   Field: Company codes
   Values:
   01  Create
   02  Change
   03  Display
   05  Block/Unblock
   06  Delete
   08  Display change documents