SAP BASIS and Security Administration. An article from thespot4sap LTD.

SAP Basis Security: The crown jewels exposed. Tom Schouten and Jeroen Kunis. Organizations today are exposed to new security risks.

Before you start with this tutorial, we assume that you are well-versed with SAP Basis activities.
USR12 — Authorization Values.

You can use the activities to specify the types of processing, such as creating, deleting, or displaying change documents.

Manual — It means that at least one authorization field has been manually added, i.

Changed — It means that the proposed value in at least one of the fields in an authorization instance has been changed.

Maintained — It means that at least one of the field values in an authorization instance was blank when it was pulled from SU24 i.

An authorization is actually similar to an object. Different authorization objects have different sets of authorization fields. Before moving from the Authorization tab to the User tab, make sure that the status is saved and generated.
Click on the Authorization tab and then change the authorization data. Assign authorizations according to the requirement. This basically updates the profile information in the user master record so that users are allowed to use the transactions contained in the menu tree of their role.

If you are also using the role to generate an authorization profile, note that the generated profile is not entered in the user master record until the user master record has been compared. Mention the user name. Click on the user comparison button.

Assign the user and click on the user comparison button. Click on complete comparison. Save it; you can now see the green button, which means the comparison was done successfully.

Composite Role Creation

Composite roles can simplify user administration. They consist of single roles. Users who are assigned a composite role are automatically assigned the associated single roles during the compare.

We cannot add a composite role to a composite role. We can maintain composite roles in the SAP system by using one of the following navigation methods. Update the composite role name in the role field. Click on the composite role tab to create new composite roles in SAP. Step: Description tab. Update the descriptive text of the composite role.

Enter the descriptive long text of the composite role. Click on the save button and save the data. Step: Role tab. Enter the list of all single roles that you want in the composite role and press Enter. PFCG is used to create, maintain, and modify the roles.

How will the log reports go to the controller? This is done whenever a role is already assigned to users and changes are made to that role. In order to get the changes adjusted in the roles, user comparison is done. In short, all the t-codes that can affect roles and user master records are critical ones.
GRC Landscape is 2 system landscape, 1.
What is the use of SU56?

As a result you see users or programs, such as hackers, trying to log on to unauthorized systems, users logging on to the wrong servers, unbalanced system loads, or even sniffing. One example of a security violation in the network environment is when end users log on directly to the database server when this has an administrative instance.
Another one I have seen many times is when the rlogin service is completely unprotected and users have logged on through the network and stopped the wrong servers. It is the Network administrators' responsibility to design and implement a security network topology that takes into consideration an automatic monitoring and intrusion detection system.
As a result you see software failures, transport of copied programs without security checks, or problems when upgrading your system. It is the task of the Basis administrator together with users in charge of customizing and developers to properly set the system to basic security standards and to define a security policy that makes sure that there is some type of filtering and monitoring within the transport system.
SNC can raise your system to high security standards because it can cover several layers such as the presentation authentication and Single Sign-On layer, the remote communications layer, the network layer, and even the Internet layer.

The natural openness of the SAP systems and the endless possibilities of communicating with and exchanging data between SAP and other systems require stringent security analysis from the point of view of external or remote communications, mainly in the areas of the RFC and CPIC protocols, which are used in other interfacing techniques such as ALE or BAPIs.
As a result you see unexpected connections or program executions from other systems, software failures, or access to confidential information. It is the job of Basis administrators together with Network administrators and developers to implement standard security measures to avoid leaving holes at the remote communication level.
Some standard measures are as follows:

SAP security services must guarantee the integrity, confidentiality, and authenticity of any type of business documents such as electronic files, mail messages, and others. These mechanisms can be deployed using external security services like digital certificates and digital envelopes. As a result you see documents intercepted by unauthorized persons or access to confidential information.
It is the job of the Basis administrators and expert security consultants with the help of the legal department to define and implement secure mechanisms like encryption methods for protecting the secure transfer of documents.
You can use the SSF functions to "wrap" SAP systems data in secure formats before the data are transmitted over insecure communications links.
These secure formats are based on public and private keys using cryptographic algorithms. Even when the communication infrastructure is well protected, it is also necessary to protect the private keys that are used in digital signatures and envelopes, because if this information is intercepted, the cryptographic strategy will be useless.
This includes SAP components such as the application servers when these act as the senders of the messages and therefore hold the private keys. In addition to the risk that exists in case the private key falls into the wrong hands, it must also be considered that criminals can be interested in sabotaging the communications and could modify the public keys repository for the partners with whom the company system communicates.
If this method of protecting private keys is selected, companies should develop a communication campaign so that users are informed of the importance of not sharing or letting others use their smart cards.
From the point of view of the server and in order to improve performance, the recommendation is the use of a crypto box instead of a smart card.
If the security products use an address book for holding the public keys, then, just as in the case of the private keys, the files must be protected from unauthorized access or modifications. An alternative is to use certificates that are issued by a trusted Certification Authority (CA) to grant the authenticity of those certificates.

There are several countries that have regulated the use of cryptography and digital signatures. However, these rules or laws frequently generate a great deal of controversy and even change.
Some countries already accept the digital signatures as a valid proof of obligation and therefore digital signatures can be used for secure business.
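The warning above about a modified public-key repository can be checked mechanically by pinning a fingerprint of each partner key and auditing the address book file against it. The following is an added example, not code from the original article or from SAP; the JSON address-book layout, the partner names, and the key strings are constructed assumptions, and the baseline is assumed to be stored where the audited host cannot write.

```python
import hashlib
import json
import os
import stat

def fingerprint(key_text: str) -> str:
    """SHA-256 fingerprint of one stored public key."""
    return hashlib.sha256(key_text.encode("utf-8")).hexdigest()

def build_baseline(address_book: dict) -> dict:
    """Pin each partner's key; keep the result off the audited host."""
    return {partner: fingerprint(key) for partner, key in address_book.items()}

def audit_address_book(path: str, baseline: dict) -> list:
    """Return sorted (subject, finding) tuples; an empty list means no drift."""
    findings = []
    # Anyone who can write the file can substitute a partner's key.
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("file", "writable by group or others"))
    with open(path, encoding="utf-8") as fh:
        current = json.load(fh)
    for partner, pinned in baseline.items():
        if partner not in current:
            findings.append((partner, "entry removed"))
        elif fingerprint(current[partner]) != pinned:
            findings.append((partner, "public key changed"))
    for partner in current.keys() - baseline.keys():
        findings.append((partner, "unexpected new entry"))
    return sorted(findings)

if __name__ == "__main__":
    import tempfile
    # Constructed sample data: partner names and key strings are placeholders.
    book = {"PARTNER_A": "constructed-public-key-A",
            "PARTNER_B": "constructed-public-key-B"}
    baseline = build_baseline(book)
    path = os.path.join(tempfile.mkdtemp(), "address_book.json")
    book["PARTNER_B"] = "constructed-substituted-key"  # simulated tampering
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(book, fh)
    os.chmod(path, 0o600)
    for subject, finding in audit_address_book(path, baseline):
        print(f"{subject}: {finding}")
```

CA-issued certificates, the alternative the text mentions, replace this per-key pinning with a single trust anchor that must itself be protected in the same way.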
As a result you see many types of attacks on Web servers that might make systems unavailable or compromise critical information. There are thousands of Internet security incidents and break-ins reported; some of them make the CNN headlines.
There are dozens of books and hundreds of Web sites covering security, hacking, and protection software. It is the job of the Basis administrator, Network administrator, and Web administrator to set in place a system design for implementing the best security measures that protect against attacks to the SAP systems that are tightly connected to the Internet.
It also accounts for the overall system landscape: You want to be sure that certain protective procedures are set in place to guard against insecure programs or Trojan horses that may travel from one system to another.
Last but not least, a security infrastructure must include robust logging and auditing capabilities; the mechanisms you will need to monitor and enforce your security policies. Logging and monitoring address the efficiency of the security measures and the capacities of the system for detecting weaknesses, vulnerabilities, and any other security problem.
There are logging and auditing facilities in the SAP security infrastructure at every level. These tools are complemented by other logging facilities such as those available at operating system level, database auditing statements, network and Internet monitoring and management, and others. The difficulty in monitoring the whole SAP security infrastructure is that there is no single tool for doing that automatically, although the evolution of the CCMS and the AIS tools makes us think that it might happen.
The focus of the SAP Trust Center Service is to provide global one-step authentication and digital signature technology for enabling collaborative business scenarios. The trust infrastructure relies on already existing business relationships between SAP and its customers.
The SAP Trust Center provides more trust than any other existing trust center because these do not typically rely on existing business relationships. This service provides a smooth migration from password-based authentication to certificate-based authentication.
SAP customers using the Trust Center Services can be sure that only authorized partners and employees are accessing information and conducting business in Marketplaces.