
ISACA Presentation Introduction to SAP Security

March 31st, 2010

Cleberson R. Siansi, CISA, CGEIT, ACP
Stephen F. Rose, MA

Introduction to SAP Security


Session Objectives

This session is intended to provide an introduction to SAP security for SAP R/3 (4.6c/4.7) and ECC (5.0/6.0) environments, with particular focus on the authorization concept and how it supports the structural framework used in defining user access requirements.

Introduction to SAP Security


Session Agenda

- Overview of SAP
- Overview of SAP Security
- SAP Authorization Concept Details
- Profile Generator (PFCG)

Overview of SAP

Overview of SAP
What is SAP?

SAP = Systems Applications and Products in Data Processing

SAP is:
- Integrated
- Multifunctional
- Modular
- Enterprise Wide
- Real Time

- SAP integrates all business processing through one application
- Links operational results and the financial aspects of those results
- SAP can track financial results, procurement, sales, manufacturing, human resources and payroll
- SAP comprises 18 - 20 modules in finance, logistics and HR
- One or more SAP modules can be implemented
- SAP is typically accessible by the entire business organization
- Most company information and transactions originate from SAP
- An order in SAP can automatically generate an inventory movement and purchase order without any human intervention

Overview of SAP
How SAP Works

1. Order (SAP S.D.)
2. Availability (SAP MM Inventory)
3. Production (SAP P.P.)
4. Manpower (SAP H.R.)
5. Purchasing (SAP P.P.)
6. Order Tracking (SAP M.M.)
7. Reporting (SAP F.I.C.O.)

Overview of SAP
SAP Modules

MM - Materials Management
- Purchasing
- Goods receipt
- Inventory Control
- Invoice Verification

SD - Sales & Distribution
- Sales
- Distribution
- Invoicing

PP - Production Planning
- Re-order control
- Production Planning & Control

FI - Financial Accounting
- Accounts payable
- Accounts receivable
- General ledger
- Cash management
- Consolidation

IM - Inventory Management

BASIS
- Application Security
- Segregation of Duties
- Change Control
- System Parameters

AM - Asset accounting

HR - Human Resources
- Personnel Administration
- Payroll Accounting

CO - Controlling
- Cost Center / Profit Center
- Profitability Analysis

Overview of SAP
SAP in Numbers

Scope and role SAP plays in today's global economy:
- 85% of the Fortune 500 run SAP software
- 80% of Fortune 1,000 companies run SAP software
- 60% of Fortune 2,000 companies run SAP software
- 70% of the world economy's transactions in some shape or form touch an SAP system
- 2.5 billion utility bills are processed by SAP software each year
- 65% of all chocolate in the world is manufactured using SAP software

Overview of SAP
SAP in Numbers

- Based on software revenue, SAP is the number one business software supplier in every industry and solution segment
- SAP has developed and markets more than 25 industry-specific software solutions
- SAP has more than 82,000 customers across 120 countries
- Approximately 64,000 SAP customers are small businesses or midsize companies
- SAP is the first leading vendor to deliver a comprehensive suite of integrated SOA-based enterprise software solutions
- 43,000 systems currently run on the SOA-ready SAP NetWeaver platform
- 13,000 systems currently run on NetWeaver-based SAP ERP 6.0

Source: http://www.optimalsol.com/NE-Thought-SAP-Economic-Upturn-One.html

Overview of SAP Security

Overview of SAP Security


Roles, Profiles and Authority Checks

Role

A Role is a bucket containing:
- Transaction Codes
- Authorization Data (Authorization Objects and Field Values)
- User assignments

Profile

A Profile is a key ring that contains authorizations (cut keys)

Authority Checks (Authorizations and Field Values)

- Performed by SAP to ensure that a user ID has the correct authorization object and field value combination (cut key) to execute a particular task
- There may be multiple authority checks in one program (typically one at the start of the program as well as throughout the program)

Overview of SAP Security


Authorization Objects vs. Authorizations

An authorization object is a template for security that contains fields with blank values (an uncut key)
- An Authorization Object may be reused for many transactions
- Authorization Objects and Field Values are stored in two key SAP tables
> USOBX_C: Transaction-to-object relationships
> USOBT_C: Transaction-to-object field value relationships
- Both tables are maintained via transaction code SU24 and used by PFCG (Profile Generator)

An authorization is an authorization object with completed fields (a cut key)

It takes one or more keys to open the doors to access a particular task, or transaction, within SAP

Overview of SAP Security


Levels required to access a particular function in SAP

Level 1: User ID Access (User Master Record)
- Login w/ UserID and Password

Level 2: Transaction Code Access (Role/Profile)
- Object: S_TCODE
- Examples: FB01, MM01

Level 3: Authorization Access (Authorization Object Field Values)
- Examples: F_BKPF_BUK, M_MATE_BUK

Overview of SAP Security


Authority Check


Overview of SAP Security


Authorization Concepts
Example of an SAP Authorization Object

Example: Object F_BKPF_BUK (Accounting Document: Authorization for company code)

In general, objects protect:
- a certain data element / function
- for a specific action
- in a specific context

This object protects:
- accounting document (= posting)
- activity (create, display, etc.)
- for company code (= of a legal entity)

Overview of SAP Security


Authorization Concepts
Example of an SAP Authorization Object

GENERIC BUILDING BLOCKS
- Object: F_BKPF_BUK
- Field 1: Activity (ACTVT)
- Field 2: Company (BUKRS)

EXAMPLE: User wants to change a posting for PwC
- Authorization XYZ
- Field 1: Change (02)
- Field 2: PwC Corporate (Company Code XYZ)
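The "uncut key / cut key / key ring" picture from the Roles, Profiles and Authority Checks slides, the three access levels, and the F_BKPF_BUK example above, written out as a small Python simulation. This is an added example, not code from the presentation or from SAP: in a real system the check is the ABAP AUTHORITY-CHECK statement and the data lives in the user master record and profiles, whereas here the users, the profile name T-CLERK00 and all field values are constructed. It also shows the S_TCODE check at transaction start (level 2) running before the object check inside the program (level 3), and that field values from two separate authorizations are never merged into one key.

```python
"""Toy model of the SAP authorization concept: objects (uncut keys),
authorizations (cut keys), profiles (key rings) and the authority check.
Constructed example; not SAP code and not from the ISACA deck."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthorizationObject:
    """Template ('uncut key'): an object name plus its field names."""
    name: str
    fields: tuple


@dataclass
class Authorization:
    """An object with completed field values ('cut key').

    Each field holds a list of permitted entries: a single value, '*'
    (everything) or a (low, high) range, mirroring the Low/High columns."""
    obj: AuthorizationObject
    values: dict  # field name -> list of permitted entries

    def matches(self, field_name: str, wanted: str) -> bool:
        for entry in self.values.get(field_name, []):
            if entry == "*":
                return True
            if isinstance(entry, tuple):
                low, high = entry
                if low <= wanted <= high:
                    return True
            elif entry == wanted:
                return True
        return False


@dataclass
class Profile:
    """A key ring: the authorizations (cut keys) a user carries."""
    name: str
    authorizations: list = field(default_factory=list)


@dataclass
class User:
    user_id: str
    profiles: list = field(default_factory=list)


def authority_check(user: User, obj_name: str, **required: str) -> bool:
    """Mimic an AUTHORITY-CHECK: succeed only if one single authorization
    for the object satisfies every required field at once."""
    for profile in user.profiles:
        for auth in profile.authorizations:
            if auth.obj.name != obj_name:
                continue
            if all(auth.matches(f, v) for f, v in required.items()):
                return True
    return False


# Objects named in the deck: S_TCODE (level 2) and F_BKPF_BUK (level 3)
S_TCODE = AuthorizationObject("S_TCODE", ("TCD",))
F_BKPF_BUK = AuthorizationObject("F_BKPF_BUK", ("ACTVT", "BUKRS"))


def build_clerk() -> User:
    """Constructed user: may start FB01/FB03 and change (02) or display (03)
    postings in company code XYZ only."""
    prof = Profile("T-CLERK00", [  # hypothetical profile name
        Authorization(S_TCODE, {"TCD": ["FB01", "FB03"]}),
        Authorization(F_BKPF_BUK, {"ACTVT": ["02", "03"], "BUKRS": ["XYZ"]}),
    ])
    return User("CLERK", [prof])


def build_split_user() -> User:
    """Constructed user with two separate F_BKPF_BUK keys: change in ABC and
    display in XYZ. Neither key alone opens 'change in XYZ', and the check
    never combines field values across keys."""
    prof = Profile("T-SPLIT00", [  # hypothetical profile name
        Authorization(S_TCODE, {"TCD": ["FB01"]}),
        Authorization(F_BKPF_BUK, {"ACTVT": ["02"], "BUKRS": ["ABC"]}),
        Authorization(F_BKPF_BUK, {"ACTVT": ["03"], "BUKRS": ["XYZ"]}),
    ])
    return User("SPLIT", [prof])


def change_posting(user: User, tcode: str, company_code: str) -> str:
    """The two checks a posting program performs: one at transaction start
    (S_TCODE) and one inside the program (F_BKPF_BUK, activity 02)."""
    if not authority_check(user, "S_TCODE", TCD=tcode):
        return "no authorization to start transaction " + tcode
    if not authority_check(user, "F_BKPF_BUK", ACTVT="02", BUKRS=company_code):
        return "no authorization to change postings in company code " + company_code
    return "posting changed in " + company_code


if __name__ == "__main__":
    print(change_posting(build_clerk(), "FB01", "XYZ"))
    print(change_posting(build_clerk(), "FB01", "ABC"))
    print(change_posting(build_split_user(), "FB01", "XYZ"))
```

The point to take from `build_split_user` is that a user holding "change in ABC" and "display in XYZ" as two cut keys does not thereby hold "change in XYZ"; reviewers auditing roles should read each authorization as a whole key rather than collecting field values across a profile.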

Overview of SAP Security


Authorization Concepts

Keep in mind! In SAP, you can perform the same function with different transactions: transactions MK01, FK01 and XK01 all create a vendor.

- Conventional approach: protection via menu/function
- SAP approach: protection once via authorization

SAP Authorization Concept Details

Overview of SAP Security


SU24 Relationship of authorizations to transaction codes

USOBX_C table
- Columns: T-code, Object, Flag (N = No Check, C = Check, CM = Check Maintain)
> Ignore U since it is essentially the same as C

USOBT_C table
- Columns: T-code, Object, Field, Low, High

Maintaining these tables is the key to increasing efficiency, consistency, and integrity of the role design and future design changes by avoiding manual and changed authorizations in the roles.

Overview of SAP Security


SU24 Relationship of authorizations to transaction codes

SU24 maintains the USOBX_C table:
- T-code to object relationship and special handling flag
- Columns: T-code, Object, Flag

SU24 maintains the USOBT_C table:
- T-code to object to default field value relationship (for objects with Flag = CM)
- Columns: T-code, Object, Fields, Low, High

These tables are client independent. Modifications via transaction code SU24 affect all clients in an SAP system.

Overview of SAP Security


SU24 Relationship of authorizations to transaction codes

Why are These Tables Misused and Underutilized?
- Many companies do not even use transaction SU24 to maintain their customer tables (USOBX_C and USOBT_C)
- Others do some maintenance via transaction SU24, but do not fully understand the relationship between these underlying tables and the Profile Generator (PFCG)
- These tables are a key to reducing the maintenance and risk associated with roles!

Overview of SAP Security


SU24 Relationship of authorizations to transaction codes

N: No Check
- We do not have the ability to turn on an object that is not checked by SAP, as that would require changes to the source code. However, we can bypass checks with the check indicator flags.
- To bypass a check, set the flag to No Check. This is useful for objects where we star every value in every instance the object is used; the object is not used for security control.
- We can only bypass authority checks by moving the check mark to No Check.
- Basis objects (S_*) cannot be disabled.

Overview of SAP Security


SU24 Relationship of authorizations to transaction codes

C: Check
- SAP default
- An authority check is performed by SAP if the ABAP code calls it, but the Profile Generator (PFCG) will not include the object in any roles created with the tcode

CM: Check Maintain
- Check Maintain means the same as Check, but Maintain means that the authorizations will be pulled into the role when that T-code is placed in the Menu tab of PFCG for a role.

Overview of SAP Security


SU24 Relationship of authorizations to transaction codes

U: Unmaintained
- This check status is rarely used
- This status is very similar to the Check status. An authority check statement can still be called, and no object values will be maintained or entered into the Profile Generator.

Profile Generator (PFCG)

Profile Generator (PFCG)


Traditional Security Approach

Transaction Codes:

SU01 - End User Maintenance
- Create User
- Change User
- Delete User
- Assign Profiles
- Setup Defaults

SU02 - Profile Maintenance (Simple and Composite profiles)
- Create Profile
- Change Profile
- Delete Profile
- Assign Authorizations

SU03 - Authorization Maintenance
- Create Authorization
- Change Authorization
- Delete Authorization

Profile Generator (PFCG)


Security Administration via Profile Generator

- The profile generator is an automated tool (transaction code PFCG) used to assist in the design, capture and maintenance of profiles
- Simplifies the Authorization process
- Uses transaction codes to define access
- Based on the TRANSACTIONS selected, SAP determines the related AUTHORIZATION OBJECTS and, where applicable, the FIELD VALUES from tables USOBX_C and USOBT_C
- The remaining FIELD VALUES for the selected AUTHORIZATION OBJECTS need to be filled in to create the AUTHORIZATIONS
- A Role is therefore a collection of Authorizations
- When generated, a Role creates a corresponding Profile

Profile Generator (PFCG)


Security Administration via Profile Generator

PFCG uses the USOBX_C and USOBT_C tables to pre-fill the Authorizations tab of a role based on the transaction codes entered on the Menu tab of a role

Based on the tcodes entered on the Menu tab, PFCG will look up the objects with a Check/Maintain flag and populate the Authorizations tab.

Profile Generator (PFCG)


Security Administration via Profile Generator

Simple Role Example

1. Create a simple role and add t-code SE16 (Data Browser) to the Menu tab

2. Assign Authorizations (objects & field values)
- Authorization objects which default into the role are defined in table USOBX_C; these objects have their flag value set to Check Maintain
- Two authorization objects were found with their flag value set to Check Maintain: S_TABU_DIS & S_TABU_LIN
- Default fields & field values for the auth. objects are then defined in USOBT_C; these are brought into the Profile Generator automatically

3. Generate the Profile

Profile Generator (PFCG)


Relationship Between SU24 and the Profile Generator

Object status definitions:
- Standard: Auth object was inserted from USOBT_C, and all fields were filled in by default. (Nice, nothing to do)
- Maintained: Auth object was inserted from USOBT_C, and the administrator filled in the blank fields, without changing the default values from USOBT_C. (Working with the table)
- Changed: Auth object was inserted from USOBT_C, and the administrator changed a default field value from the recommended value in USOBT_C. (Fighting with the table)
- Manual: Auth object was manually inserted into the role, and was not brought in by USOBT_C. This object is not related to any tcode on the Menu tab and will not be removed when the Menu tab changes. (Ignoring the table)
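The SU24 check indicators (N / C / CM / U), the PFCG pre-fill step from the Simple Role Example, and the four object statuses above, modelled together in Python. This is an added example, not code from the presentation, from PFCG or from SAP: the USOBX_C and USOBT_C rows are made-up sample data (the real SU24 content for SE16 and FB01 differs), Z_FI_EXTRA is a hypothetical customer object, and the edited role EXAMPLE_ROLE is constructed to produce one object of each status. It generalises the SE16 example to several transactions on the Menu tab and adds a check for fields the administrator left blank.

```python
"""Toy model of how PFCG reads the SU24 tables USOBX_C and USOBT_C to
pre-fill a role's Authorizations tab, and how each object in the role then
gets its status (Standard / Maintained / Changed / Manual).
Constructed example; not SAP code and all table rows below are made up."""

# USOBX_C: (tcode, object) -> check indicator.
# N = No Check, C = Check, CM = Check Maintain, U = Unmaintained
USOBX_C = {
    ("SE16", "S_TABU_DIS"): "CM",
    ("SE16", "S_TABU_LIN"): "CM",
    ("FB01", "F_BKPF_BUK"): "CM",
    ("FB01", "F_BKPF_KOA"): "C",    # checked by the program, never proposed
    ("FB01", "Z_FI_EXTRA"): "N",    # hypothetical customer object switched off
}

# USOBT_C: (tcode, object, field) -> list of (low, high) default values.
# A ("", "") pair means SU24 carries no default: the administrator must fill it.
USOBT_C = {
    ("SE16", "S_TABU_DIS", "ACTVT"): [("03", "")],
    ("SE16", "S_TABU_DIS", "DICBERCLS"): [("", "")],
    ("SE16", "S_TABU_LIN", "ACTVT"): [("03", "")],
    ("SE16", "S_TABU_LIN", "ORG_CRIT"): [("*", "")],
    ("FB01", "F_BKPF_BUK", "ACTVT"): [("01", ""), ("02", "")],
    ("FB01", "F_BKPF_BUK", "BUKRS"): [("", "")],
    ("FB01", "F_BKPF_KOA", "ACTVT"): [("01", "")],   # unused: its flag is C
}


def propose_authorizations(menu_tcodes):
    """What PFCG puts on the Authorizations tab for the tcodes on the Menu
    tab: every object flagged CM, with its USOBT_C defaults. Objects flagged
    N, C or U are left out entirely (the C ones are still checked at runtime)."""
    proposals = {}
    for tcode in menu_tcodes:
        for (t, obj), flag in USOBX_C.items():
            if t != tcode or flag != "CM":
                continue
            fields = proposals.setdefault(obj, {})
            for (t2, o2, fld), defaults in USOBT_C.items():
                if (t2, o2) != (tcode, obj):
                    continue
                values = fields.setdefault(fld, [])  # blank field -> []
                for low, high in defaults:
                    if (low or high) and (low, high) not in values:
                        values.append((low, high))
    return proposals


def status(proposed, final):
    """Status PFCG shows for one object after the administrator edited the role.
    proposed: the USOBT_C defaults (None if PFCG did not propose the object);
    final: the field values now sitting in the role."""
    if proposed is None:
        return "Manual"        # not tied to a Menu tcode; survives menu changes
    for fld, defaults in proposed.items():
        if defaults and sorted(final.get(fld, [])) != sorted(defaults):
            return "Changed"   # a recommended value was overridden
    if all(proposed.values()):
        return "Standard"      # every field came filled from USOBT_C
    return "Maintained"        # administrator only filled the blanks


def role_status(menu_tcodes, final_auths):
    """Status of every object in the edited role, given the Menu tab tcodes."""
    proposed = propose_authorizations(menu_tcodes)
    return {obj: status(proposed.get(obj), vals) for obj, vals in final_auths.items()}


def unfilled_fields(final_auths):
    """Fields still blank after editing; these must be maintained before the
    generated profile is complete."""
    return [(obj, fld) for obj, fields in final_auths.items()
            for fld, values in fields.items() if not values]


# The role after the administrator worked on the Authorizations tab (constructed)
EXAMPLE_ROLE = {
    "S_TABU_DIS": {"ACTVT": [("03", "")], "DICBERCLS": [("&NC&", "")]},  # blank filled
    "S_TABU_LIN": {"ACTVT": [("03", "")], "ORG_CRIT": [("*", "")]},      # untouched
    "F_BKPF_BUK": {"ACTVT": [("03", "")], "BUKRS": [("XYZ", "")]},       # ACTVT overridden
    "S_TABU_NAM": {"ACTVT": [("03", "")], "TABLE": [("T001", "")]},      # inserted by hand
}

if __name__ == "__main__":
    for obj, fields in propose_authorizations(["SE16", "FB01"]).items():
        print("proposed", obj, fields)
    print(role_status(["SE16", "FB01"], EXAMPLE_ROLE))
    print("still blank:", unfilled_fields(EXAMPLE_ROLE))
```

Run against `EXAMPLE_ROLE` the statuses come out as Maintained, Standard, Changed and Manual respectively; the Changed and Manual entries are exactly the ones the slides call "fighting with" and "ignoring" the table, and the ones a role review should look at first, since they no longer follow SU24 and will not be cleaned up by a later Menu tab change.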

SAP Security
Questions

SAP Security
Contact Us

Cleberson R. Siansi
cleberson.r.siansi@us.pwc.com (248) 219 5394

Stephen F. Rose
stephen.f.rose@us.pwc.com (248) 312-8923
