  • ADM950 Secure SAP System Management

    other solution

    Date

    Training Center

    Instructors

    Education Website

    Participant Handbook
    Course Version: 62
    Course Duration: 2 Day(s)
    Material Number: 50085738

    An SAP course - use it to learn, reference it for work

  • Copyright

    Copyright 2010 SAP AG. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

    Trademarks

    Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation.

    IBM, DB2, OS/2, DB2/6000, Parallel Sysplex, MVS/ESA, RS/6000, AIX, S/390, AS/400, OS/390, and OS/400 are registered trademarks of IBM Corporation.

    ORACLE is a registered trademark of ORACLE Corporation.

    INFORMIX-OnLine for SAP and INFORMIX Dynamic Server TM are registered trademarks of Informix Software Incorporated.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

    HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

    JAVA is a registered trademark of Sun Microsystems, Inc.

    JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

    SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

    Disclaimer

    THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR APPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.

  • About This Handbook

    This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

    Typographic Conventions

    American English is the standard used in this handbook. The following typographic conventions are also used.

    Type Style: Description

    Example text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation both internal and external.

    Example text: Emphasized words or phrases in body text, titles of graphics, and tables.

    EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.

    Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.

    Example text: Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.

    Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

    2006/Q2 2010 SAP AG. All rights reserved. iii

  • About This Handbook ADM950

    Icons in Body Text

    The following icons are used in this handbook.

    Icon: Meaning

    For more information, tips, or background

    Note or further explanation of previous point

    Exception or caution

    Procedures

    Indicates that the item is displayed in the instructor's presentation.

  • Contents

    Course Overview ..... vii
      Course Goals ..... vii
      Course Objectives ..... vii

    Unit 1: Introduction to Internal Security Auditing ..... 1
      SAP System Security: Goals and Methods ..... 2

    Unit 2: The SAP Audit Information System and Other SAP Security Monitoring Tools ..... 23
      Configuring and Using the Audit Information System ..... 24
      Configuring and Using Security Audit Tools ..... 44

    Unit 3: Governance Risk and Compliance ..... 81
      Security Challenges Today ..... 82
      SAP solutions for GRC ..... 90

    Unit 4: Securing Systems through User, Role, and Authorization Maintenance ..... 109
      Using Logs to Monitor the Application ..... 111
      Customizing the Role Maintenance Tools in SAP Solutions ..... 136
      Securing User and Group Administration ..... 158

    Unit 5: SAP Security Optimization Self Service ..... 197
      SAP Security Optimization ..... 198

    Unit 6: Securing Production Systems ..... 209
      Change Management and Security ..... 210
      Securing System Administration Services in Production Systems ..... 238

    Index ..... 283

  • Course Overview

    This course will discuss the tools available to ensure system security accurately reflects your company's security policies. We will discuss how to use the Audit Information System to conduct a thorough system audit. We will also discuss system services that should be appropriately protected in a production environment.

    Target Audience

    This course is intended for the following audiences:

    System security auditors

    Security administrators

    Course Prerequisites

    Required Knowledge

    SAPTEC mySAP NetWeaver Solution Fundamentals

    ADM100 mySAP NetWeaver Administration

    Recommended Knowledge

    Experience with security issues

    Authorization concepts

    Course Goals

    This course will prepare you to:

    Identify and protect sensitive data in production systems

    Use the SAP Audit Information System to structure and conduct a thorough security audit

    Configure important security monitoring and tracing mechanisms

    Configure standard SAP role maintenance tools to produce company-specific, security-enhanced roles and authorization profiles

    Secure change management mechanisms in production system landscapes

    Secure system administration tools against misuse

    Course Objectives

    After completing this course, you will be able to:

    Identify and protect sensitive data in production system

    Demonstrate use of the Audit Information System to structure and conduct a thorough security audit

    Configure standard SAP role maintenance tools to produce company-specific, security-enhanced roles and authorization profiles

    Secure change management mechanisms in production system landscapes

    Secure system administration tools against misuse

  • Unit 1: Introduction to Internal Security Auditing

    Unit Overview

    This unit discusses the goals of a security audit. It also discusses the tools and services provided by SAP to assist in security setup and security auditing.

    Unit Objectives

    After completing this unit, you will be able to:

    Define goals for secure enterprise applications

    Explain the purpose and procedures for conducting audits of the internal security of your system

    Identify tools available for conducting audits of system security

    Outline the authorization and role maintenance process

    Unit Contents

    Lesson: SAP System Security: Goals and Methods ..... 2

    Exercise 1: ABAP Role - JAVA Group assignment .. . . . . . . . . . . . . . . . . . . . 17

    Lesson: SAP System Security: Goals and Methods

    Lesson Overview

    This lesson discusses the general goals and methods of system security. It reviews the necessity of appropriate system security and the necessity of periodic audits of the system security setup.

    This lesson provides a brief overview of the tools available when setting up security and introduces tools to use when monitoring security. Because role maintenance is a critical part of any security implementation, we will review the role maintenance tool and its primary elements and functions.

    Lesson Objectives

    After completing this lesson, you will be able to:

    Define goals for secure enterprise applications

    Explain the purpose and procedures for conducting audits of the internal security of your system

    Identify tools available for conducting audits of system security

    Outline the authorization and role maintenance process

    Business Example

    You are charged with assessing and then ensuring enterprise data security in your SAP systems. Before you start, you need to define your goals and plan your approach. You will also need to know what information and access should be secured. You must also understand effective approaches and tools available to do this work.

    Securing Enterprise Applications

    With the increasing use of distributed systems to manage business data, the demands on security are also on the rise. When using distributed systems, you must be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply to each of your SAP systems.

    Your company could have several SAP solutions implemented, including SAP R/3, SAP Business Intelligence (SAP BI), SAP Customer Relationship Management (SAP CRM), and SAP Supplier Relationship Management (SAP SRM).

    Figure 1: SAP Systems

    Each SAP system serves different business needs and consists of various applications, each of which must be configured in complex and varying scenarios to meet the demands of the business environment. Each SAP system must be sufficiently secure.

    Figure 2: Secure Business in Open Environments

    SAP offers many solutions such as SAP Customer Relationship Management (SAP CRM), mySAP Supply Chain Management (SAP SCM), and SAP Product Lifecycle Management (SAP PLM). Each SAP solution includes specialized security functions. The application security in each SAP solution is distinctive in some way. For example, application security in a SAP CRM mobile environment differs from application security in a SAP SRM environment, which would involve securing vendors.

    Although SAP provides many solutions and many applications, some general security guidelines should be followed on each SAP system and each application. These security guidelines are generally enforced by internal controls.

    Both the security administrator and the security auditor want to ensure that security on each of your SAP systems is in line with the security policies of your company.

    Figure 3: UME

    In many SAP solutions it is possible (as in ECC 6.0) or even mandatory (as in Solution Manager 4.0) to use the SAP J2EE Engine as an add-in installation beside the ABAP stack. If both runtime environments (ABAP and Java) are used together, the user management engine of the SAP J2EE Engine points by default, through the UME configuration, to a client of the ABAP system. The User Management Engine (UME) provides central user administration for all Java applications. The UME is completely integrated into SAP NW AS Java, and is configured as the active user store during the installation. You can administer the UME using SAP NW AS Java administration tools.

    Hint: The communication between the UME and the ABAP user management is performed with the SAPJSF user. After an installation, this user has the ABAP role SAP_BC_JSF_COMMUNICATION_RO, which provides read access from the UME to the ABAP user management. You can obtain write access by adding the role SAP_BC_JSF_COMMUNICATION.

    Figure 4: Groups

    The PFCG roles are visible as groups in the UME. The PFCG role (a group) can be assigned a UME role in the UME. If a user is assigned the PFCG role in the ABAP system, he or she automatically also receives the authorizations from the UME role. Assigning authorizations therefore becomes simpler. The authorizations are mainly checked in the ABAP system.

    Note: In this class we will look at security concepts and the security of system services that are similar across all SAP solutions. The focus is on the ABAP runtime environment, since the authorization checks for backend systems will mostly take place there. The recommendation is to store the data in the ABAP schema; therefore the authorization checks generally reside in the ABAP stack.

    SAP NetWeaver Identity Management

    Identity management is a challenge for most organizations today: the larger the organization, the greater the challenge. The user must present his or her identity to get access to the many ICT (Information and Communication Technology) applications within the organization. Examples include the various operating systems, the HR (Human Resources) system, CRM (Customer Relationship Management) systems, databases, directories, physical access control systems, e-mail systems and support systems.

    The SAP NetWeaver Identity Management products have their roots in MaXware AS. The first MaXware directory services product, the MaXware Data Synchronization Engine, was released in 1996 and has since grown into the high-end identity management product MaXware Identity Center. The MaXware Identity Center includes provisioning, workflow and password management functionality. The MaXware Virtual Directory was introduced in 1998, and has functions to join heterogeneous data across multiple data sources, as well as performing advanced update functions to multiple repositories.

    SAP NetWeaver Identity Management consists of the following components:

    Identity Center: The Identity Center is a high-end identity management solution, providing low latency and high availability. It uses a relational database for the configuration data and the logging and status information, as well as for the identity store and all provisioning and workflow states.

    Data Synchronization Engine: The Data Synchronization Engine is responsible for any low-level operation on the applications and repositories. It runs as part of the Identity Center.

    Virtual Directory Server: A virtual directory provides the organization with real-time access to the identity information, as well as to other critical information, by providing a single access point to all information. The Virtual Directory Server can also be used to control access to the identity data. It is able to present the same data in different ways to different groups of users. It can also be used to write-protect or hide certain attributes, for example when making information available externally.

    Figure 5: NetWeaver Identity Management Architecture

    A layered identity management architecture

    A different way of viewing the identity components is to look at this layered architecture.

    Applications & Repositories: All existing ICT infrastructure in an organization, including the data repositories and the applications/interfaces that are used to access them. These may be business applications of various kinds containing customer and product information; specific applications maintaining identity data, such as human resources applications; or applications used to maintain other types of information, such as document management systems.

    Data Services: The Data Services layer builds a uniform, normalized, integrated view of the Applications & Repositories layer. This is achieved through services/functions such as synchronizing, joining and publishing data and providing access to data. The Identity Store is a core component of the Data Services layer. It is used to gather information about all identities throughout all applications in the organization. In many cases, the identity store may also be implemented using Virtual Directory Server.

    Identity Services: This layer consists of the services that are offered on the basis of the Data Services layer. These include provisioning, authentication, authorization and virtualization.

    Identity Applications: This layer consists of all applications using the Identity Services. This may be the identity-management components of existing applications, as well as functions such as workflow, federation, single sign-on and self-services.

    More information about this new product can be found on:

    SDN (https://www.sdn.sap.com) --> SAP NetWeaver --> Security --> Identity and Access Management (under "Key Topics")

    SDN (https://www.sdn.sap.com) --> SAP NetWeaver --> Security --> SAP NetWeaver Identity Management FAQ (under "FAQ")

    There is also a download area for the new component in the Service Marketplace, alias /swdc --> Download --> Installations and Upgrades --> Entries by application group --> SAP NetWeaver --> SAP NW Identity Management

    SAP Services for Security

    SAP understands that implementing appropriate security requires a great deal of effort. Therefore, SAP offers several services to meet the security demands on an SAP system.

    To effectively use SAP services, you need to determine which security demands apply specifically to your system. We encourage you to carefully analyze your requirements on each system and define priorities. Where are you most vulnerable? What information do you consider critical? Where is critical information stored or transferred? What security options are available to protect your critical data and communications?

    We recommend you establish a security policy that reflects these requirements and priorities. Your security policy needs to be supported and encouraged by upper management and by your employees. The security policy should be practiced company-wide and cover your entire IT infrastructure, including your SAP systems. It should encompass all security aspects that are important to your system. The following are some of the security aspects that you might consider in your security policy:

    User authentication

    Authorization protection

    Auditing and logging

    Integrity protection

    Privacy protection

    Proof of obligation (non-repudiation)

    In this course, we will discuss security aspects that apply to users who have logged on to your system. Thus we will deal with the top three security aspects in the list above: user authentication, authorization protection, and auditing and logging.

    To enforce your security policy and meet your security requirements on an SAP system, we offer a variety of security services based on these aspects. SAP offers several services to help meet your security needs.

    SAP offers the following services for user authentication:

    Password rules

    Monitoring of unauthorized logon attempts

    Reacting to unauthorized logon attempts

    For user authentication, SAP offers password rules that users must follow. We also actively monitor unauthorized logon attempts. Additionally, we can actively react to an unauthorized logon attempt.

    SAP offers the following services for authorization protection:

    Authority checks

    Role maintenance tool

    Authorization Information System

    Trace tools

    For authorization protection, SAP offers authority checks that occur within all SAP systems. We also offer a role maintenance tool, which is used to build appropriate authorizations.

    Our Authorization Information System can be used to research current authorizations and debug authorization problems. The trace tool enables you to perform an authorization-specific trace, which lists each authorization object required for a specific function.

    SAP offers the following services for auditing and logging:

    Audit Information System

    Security audit log

    Application and table logs

    The Audit Information System supports both business audits and system audits. This role-based solution provides online help for the auditors and guides them through the process of creating a thorough audit.

    The security audit log is primarily for the system auditor. This audit log is similar to the system log; it records actions and events that can be evaluated at a later time. The audit log can be configured to log the data that is most important to you.

    Various application logs and table logs can be used as required to log specific actions that occur on your system.

    Keep in mind that the most important factor in providing system security is your own security policy! We recommend you dedicate sufficient time and allocate ample resources to implement your security policy and to maintain the level of security that you desire.

    Your security policy should address the following questions:

    Who is responsible for your IT security?

    What needs to be protected?

    Who is attacking?

    What is the risk?

    Which protection mechanisms are required?

    Which procedures are to be enforced?

    How much protection can you afford?

    Purpose of and Procedures for Security Audits

    It is critical for security to enable and enforce your company's security policies. Conducting a thorough system audit can help ensure these policies are enforced in your SAP suite of products. When conducting a system security audit, you should consider several issues:

    Are roles assigned to the user consistent with the user's required activities?

    Are remote logon and assigned roles consistent with the required actions and activities?

    Is security being monitored consistently?

    How does the security administrator know when a security threat has occurred?

    Is the role maintenance tool configured to provide maximum value?

    Are critical applications and tables logged according to the business policies?

    How is security involved in changes that are migrated to production?

    Are the system authorizations required for each user implemented correctly?

    Are users administered in accordance with corporate policies?

    Several tools are available to help provide answers to the questions that arise during a system security audit:

    Audit Information System

    Authorization Information System

    System Audit Log

    Computer Center Management System Alerts

    Trace tools

    Role maintenance tool

    SAP solutions for GRC

    The next section covers the primary tool for controlling security access in SAP systems, the role maintenance tool.

    Role Maintenance Tool

    The role maintenance tool (transaction PFCG) is the primary tool used to manage and control security access in all SAP systems. You can access this tool by entering transaction PFCG or by choosing from the menu Tools --> Administration --> User Maintenance --> Role Administration --> Roles. The terms role administration and role maintenance were introduced in 4.6C. In earlier releases, the term activity group was used.

    Security administrators use the role maintenance tool to create and maintain all roles and security access. From an auditor's perspective, it is critical to understand how the tool works and how to evaluate if the tool is being used as effectively as possible.

    In this class we are not concerned with how to use the tool. Instead we are concerned with how to evaluate the roles that have been created and with how to ensure the tool is being used to provide roles that match the security policies of the company.

    Components of the Role Maintenance Tool

    The role maintenance tool (transaction PFCG) has three major components: menu, authorizations, and users.

    Figure 6: Major Components of Role Maintenance Tool

    The Menu portion contains the business view of what is required for the role. It contains transaction codes, reports, Web addresses, folders, and menu paths the user may need. The Authorizations portion contains the actual authorization objects and authorization values that are required to support the menu.

    The Authorizations portion contains the technical authorization values that are required to support the business purpose of the role as described in the menu. The Authorizations portion also includes the exact organizational values a user can access: sales organizations, cost centers, plants, divisions, and so on.

    The Users portion lists everyone who has the role; it can include SAP user IDs, as well as positions, jobs, and other links from an organizational plan.

    Using the PFCG Menu

    As stated previously, the Menu portion contains transaction codes, reports, Web addresses, folders, and menu paths the user may need. The Menu area can be used to build the look and feel for the user. You can build your own folders, use menu paths created by SAP, or do a combination of your folders and SAP folders.

    Figure 7: Menu Portion of a Role

    Companies vary widely on how they use the menu. Some companies could use the menu only to provide input to the authorizations. An SAP system can be configured so that when the user logs on to the system, the user sees his or her individual menus (user menus) that come from the role, or it can be configured so the user always sees the standard menu provided by SAP. While SAP provides the option of user menus, many companies still choose to use the SAP standard menu. Depending on how roles are configured, it could be much easier from a maintenance perspective for everyone to use the SAP standard menu.

    Figure 8: User Menu

    The user menu lists only the menu items that come from the roles assigned to the user. In contrast, the SAP standard menu lists all menu paths, even if the user does not have access to an area in the menu path.

    Note: Several strategies can be used if you are implementing user menus. Some of those strategies include using composite roles, removing duplicates via table SSM_CUST, and using derived roles when possible. For more information, see SAP Note 357693, Redundancy Avoidance in Easy Access. (ADM940 discusses this topic in detail.)

    Additionally, some companies implement Menu roles instead of Authorization roles. Authorization roles mean there will be several roles with no Menu portion at all.

    Let's use the example of a company with 500 plants. The role for the buyer is very similar across all 500 plants. The primary difference is which plant the buyer should access. To implement security for this task, a company could use derived roles or authorization roles. If authorization roles were used, every buyer would have two roles. The first role would contain everything that is common to all plants, including all menu paths required. The second role would contain only access to authorization objects that include the plant field. Each buyer would have a role with values for his or her plant. If the plant changes, only the role for that buyer must be updated.
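The two-role buyer setup described above, modelled as an added example that is not part of the handbook and not SAP code: roles are a Menu portion plus an Authorizations portion, an authority check succeeds only when every required field matches within a single authorization, and an audit check lists every plant value a buyer's roles grant beyond his or her assigned plant. The authorization object names Z_PO_DOCTYPE and Z_PO_PLANT and the role names are constructed for this example; ACTVT and WERKS are the standard activity and plant field names.

```python
"""Model of authorization roles for the 500-plant buyer example (constructed, not SAP code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Authorization:
    """One authorization: an authorization object plus the permitted value(s) per field."""
    obj: str
    fields: tuple  # ((field_name, (allowed_value_pattern, ...)), ...)


@dataclass(frozen=True)
class Role:
    """A PFCG-style role: Menu portion (transaction codes) and Authorizations portion."""
    name: str
    menu: tuple = ()
    authorizations: tuple = ()


def value_allowed(patterns, value):
    """Field values in an authorization are literals or '*' wildcards."""
    return any(fnmatchcase(value, pat) for pat in patterns)


def authority_check(roles, obj, **required):
    """Succeed if one authorization in any assigned role satisfies every required field.

    All fields must match inside the same authorization; values spread over two
    authorizations for the same object do not combine.
    """
    for role in roles:
        for auth in role.authorizations:
            if auth.obj != obj:
                continue
            allowed = dict(auth.fields)
            if all(name in allowed and value_allowed(allowed[name], val)
                   for name, val in required.items()):
                return True
    return False


# First role: everything common to all plants, including the menu paths.
# Z_PO_DOCTYPE is a constructed object with no plant field (BSART = document type).
BUYER_COMMON = Role(
    name="Z_BUYER_COMMON",
    menu=("ME21N", "ME22N", "ME23N"),
    authorizations=(
        Authorization("Z_PO_DOCTYPE", (("ACTVT", ("01", "02", "03")), ("BSART", ("NB",)))),
    ),
)


def plant_role(plant_values):
    """Second role: only the objects that carry the plant field WERKS (Z_PO_PLANT is constructed)."""
    return Role(
        name="Z_BUYER_PLANT_" + "_".join(plant_values),
        authorizations=(
            Authorization("Z_PO_PLANT", (("ACTVT", ("01", "02", "03")), ("WERKS", tuple(plant_values)))),
        ),
    )


def buyer_roles(plant):
    """Each buyer holds the common role and a plant role for exactly his or her plant."""
    return (BUYER_COMMON, plant_role((plant,)))


def audit_plant_scope(roles, assigned_plant):
    """Audit check: every WERKS value granted that is not the buyer's assigned plant.

    Returns (role name, object, value) triples; an empty list means the plant
    role is consistent with the buyer's required activities.
    """
    findings = []
    for role in roles:
        for auth in role.authorizations:
            for pattern in dict(auth.fields).get("WERKS", ()):
                if pattern != assigned_plant:
                    findings.append((role.name, auth.obj, pattern))
    return findings
```

A plant role carrying WERKS "*" passes the authority check for every plant, which is exactly what the audit check surfaces.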

    From an audit perspective, implementing without user menus is acceptable. Implementing with the SAP standard menu is also acceptable. The choice of implementing user menus does not affect the audit.

    The authorization values are of much more interest to a system auditor. Because the authorization values provide the actual security for what a user can execute, it is difficult to make a statement that every company should always implement Menu roles. It is also difficult to make a statement that all companies should use user menus.

    As more and more applications use a user interface other than the traditional SAP GUI, such as a Web-based interface, it makes sense to implement user menus. If, for example, a user enters SAP via a portal, user menus help refine and design a Web page that grants access to SAP transactions.

    In this course we will focus on user menus, particularly when performing audit activities. The Audit Information System is implemented as a series of menu-driven roles. In order to maximize the use of the Audit Information System, the auditor needs to use the user menus that are provided with the Audit Information System.

    The Roadmap for This Course

    During this course we will address two primary questions:

    What tools does SAP provide for me to conduct a system audit?

    When performing a system audit, what should I look for?

    During each lesson of this course, we will let you know which question we are addressing and what SAP recommends you do to perform a thorough system audit.


  • Unit 1: Introduction to Internal Security Auditing ADM950


    Exercise 1: ABAP Role - JAVA Group Assignment

    Exercise Objectives

    After completing this exercise, you will be able to:

    Explain how a SAP ABAP role can be linked as a JAVA group to a JAVA security role.

    Business Example

    Your company decided to use ECC 6.0 with the JAVA runtime environment. As the security administrator you need to understand the connection between ABAP and JAVA roles.

    Task: Evaluate the assignment between ABAP roles and JAVA security roles.

    1. As user ADM950-XX, try to log on to the UME of the training system using the URL http://hostname:50000/useradmin. Does it work?

    2. Assign the role SAP_J2EE_ADMIN to your user ADM950-XX.

    3. What is the content of the role SAP_J2EE_ADMIN?

    4. Try again to log on to the UME of your training system. Why does it work now?


    Solution 1: ABAP Role - JAVA Group Assignment

    Task: Evaluate the assignment between ABAP roles and JAVA security roles.

    1. As user ADM950-XX, try to log on to the UME of the training system using the URL http://hostname:50000/useradmin. Does it work?

    a) No, it does not work, because the user has no authorizations for the selected JAVA application.

    2. Assign the role SAP_J2EE_ADMIN to your user ADM950-XX.

    a) Start transaction SU01, select your user ADM950-XX, and change it.

    b) Choose the Role tab and add the role SAP_J2EE_ADMIN.

    3. What is the content of the role SAP_J2EE_ADMIN?

    a) Start transaction PFCG, select the role SAP_J2EE_ADMIN, and display its content.

    b) The role contains neither transactions nor authorizations.

    4. Try again to log on to the UME of your training system. Why does it work now?

    a) The ABAP role SAP_J2EE_ADMIN appears in the JAVA environment as a group and is mapped as a JAVA group to the Java security role Administrator.

    b) The ABAP role SAP_J2EE_ADMIN provides no authorizations in ABAP but administrative rights in JAVA.


    Lesson Summary

    You should now be able to:

    Define goals for secure enterprise applications

    Explain the purpose and procedures for conducting audits of your internal system security

    Identify tools available for conducting audits of system security

    Outline the authorization and role maintenance process

    Related Information

    http://service.sap.com/security

    http://service.sap.com/securityguide

    SAP Note 357693, Redundancy avoidance in Easy Access Menu

    SAP Note 30724, Data protection and security in SAP systems

    SAP Note 389675, Import user menus from a file


    Unit Summary

    You should now be able to:

    Define goals for secure enterprise applications

    Explain the purpose and procedures for conducting audits of your internal system security

    Identify tools available for conducting audits of system security

    Outline the authorization and role maintenance process


    Test Your Knowledge

    1. The security policies are created by the security team in isolation from the business team.

    Determine whether this statement is true or false.

    True

    False

    2. SAP offers many types of systems and applications. Each type of SAP system (SAP CRM, SAP BI, SAP R/3, SAP SRM, SAP APO) is so varied that the systems do not share security tools or security services.

    Determine whether this statement is true or false.

    True

    False

    3. The following tools are available for conducting thorough system security audits.

    Choose the correct answer(s).

    A Role maintenance tool

    B System audit log

    C CCMS security alert

    D System trace tools

    E Users and Authorizations information systems

    F All of the above


    Answers

    1. The security policies are created by the security team in isolation from the business team.

    Answer: False

    Security policies should be in line with overall company policies and should support the business team and their security goals.

    2. SAP offers many types of systems and applications. Each type of SAP system (SAP CRM, SAP BI, SAP R/3, SAP SRM, SAP APO) is so varied that the systems do not share security tools or security services.

    Answer: False

    SAP does have many systems; the strategy to secure each system is different. Although some systems can have unique security components, the underlying components are the same. This means that PFCG, audit log, CCMS alerts, and the information system can all be leveraged across all SAP systems.

    3. The following tools are available for conducting thorough system security audits.

    Answer: F

    SAP provides all of these tools for system audits.


    Unit 2: The SAP Audit Information System and Other SAP Security Monitoring Tools

    Unit Overview

    This unit discusses how to configure and how to use the tools available for a system security audit. We will discuss configuration and use of the Audit Information System, the Audit Log, and the CCMS Security Alerts.

    Unit Objectives

    After completing this unit, you will be able to:

    Describe the purpose of the Audit Information System (AIS)

    Configure and assign AIS roles and authorizations

    Demonstrate the ability to navigate and use the AIS roles

    Identify the requirements for configuring the security audit log

    Demonstrate how to read the security audit log

    Demonstrate use of the security alert monitor in CCMS

    Unit Contents

    Lesson: Configuring and Using the Audit Information System ... 24
    Exercise 2: Configure AIS for a System Auditor ... 37
    Lesson: Configuring and Using Security Audit Tools ... 44
    Procedure: Maintaining Static Filters ... 51
    Procedure: Setting Dynamic Filters ... 53
    Procedure: Defining Filters ... 55
    Procedure: Displaying the Audit Analysis Report ... 58
    Procedure: Deleting Old Audit Files ... 62
    Procedure: Viewing Security Alerts ... 65
    Exercise 3: Using the Audit Log and CCMS Monitoring ... 69


    Lesson: Configuring and Using the Audit Information System

    Lesson Overview

    This lesson discusses the configuration and use of the Audit Information System. It discusses the purpose of the Audit Information System and the difference between a system audit and a business audit. It also discusses how to configure the Audit Information System and how to use it for system audits.

    Lesson Objectives

    After completing this lesson, you will be able to:

    Describe the purpose of the Audit Information System (AIS)

    Configure and assign AIS roles and authorizations

    Demonstrate the ability to navigate and use the AIS roles

    Business Example

    You are charged with assessing and then ensuring enterprise data security in your SAP solutions. You decide to use the Audit Information System tools to conduct a thorough, structured audit of system security at your company.

    Before using the Audit Information System, you need to understand its purpose and scope, as well as how to set it up.

    Our Roadmap for This Lesson

    This lesson covers the tools SAP provides for conducting a system audit. The Audit Information System is specifically for system auditors. It must be configured before you can begin your audit.

    Purpose of the Audit Information System

    The Audit Information System (AIS) is an auditing tool that can be used to analyze security aspects of your SAP system in detail. The Audit Information System improves audit quality and rationalizes audit methods.

    The Audit Information System is a collection of programs and transactions provided by SAP. These programs and transactions are organized in a role-based approach.

    The Audit Information System is designed to meet the auditing standards and requirements for both internal and external auditing.


    Figure 9: Overview of Audit Information System

    From an auditor's perspective, you must plan your audits, execute both system and business audits, and do an analysis of the audit results. The Audit Information System enables you to get the data from the SAP tables that is required for you to do analysis. In the business audit, you can perform exports of data to be used in your audit systems.

    In this class we will focus on performing system audits; we will not discuss auditing from a business perspective.


    Figure 10: Audit Environment

    The Audit Information System is based on auditing standards and requirements of internal and external auditors.

    If the General Ledger is being used for a business audit, a complete record of all accounting transactions exists within the Audit Information System. A report of the individual procedures is available at any time in real time with the following elements:

    Balance sheet and profit and loss (P&L) data

    Accounts and transaction figures

    Line items and processes

    SAP software is used throughout the world. While developing the Audit Information System, we have taken into consideration the auditing needs in the various countries and have met their needs as best as possible. We have taken into account the needs of internal auditors, external auditors, tax auditors, and data security officers.


    Figure 11: The Audit Information System

    The Audit Information System consists of roles that are used to build a user menu for the auditor. Using these roles, the auditor has access to all SAP structures that need to be analyzed. Included with the structures is access to online help to assist in the audit process.

    Figure 12: Documentation in the User Menu


    Various types of documentation are included in the Audit Information System. There is documentation specifically for the Audit Information System, documentation from the SAP Library, documentation for the business area from the Implementation Guide, and links to some Web addresses such as http://service.sap.com.

    All of this documentation will assist the auditor in understanding the SAP system, and assist the auditor with the collection of data for audit purposes.

    System Audit versus Business Audit

    AIS roles can be divided into two major categories: system audit and business audit. The business audit includes accounting, customer, vendor, asset, and tax audits. Data can be downloaded for audit purposes.

    More details about business audits can be found in training course AC900 or WNA210.

    Note: AC900 is a global course; WNA210 is a workshop offered in North America.

    Figure 13: Business Audit

    In this class we will work only with the system audit portion of the Audit Information System. The system audit is divided into three main areas: general system, users and authorizations, repository and tables.


    Roles Provided by SAP for AIS

    In the past, the Audit Information System existed in a single transaction code, SECR. However, the Audit Information System is now delivered with a series of roles. Roles are assigned to auditors; the roles grant the auditor access to the areas required for the audit.

    Figure 14: The Development History of AIS

    To facilitate working with the Audit Information System, the auditor needs a user ID in the SAP system. This user master record requires a wide range of display authorizations and should be classified as an informational or limited professional user.

    Note: Informational or limited professional user denotes the suggested license data for the audit user ID.

    A number of single roles are defined for the Audit Information System. These single roles are divided into two groups:

    Menu roles (SAP_AUDITOR*)

    Authorization roles (SAP_CA_AUDITOR*)

    Note: SAP recommends you copy the roles provided for the Audit Information System to create customer-specific roles for your auditors.

    The menu roles have only menu items; they contain no authorizations. The authorization roles have only authorizations; they have no menu items listed.


    Figure 15: Menu versus Authorization Roles (1)

    AIS Roles Used for System Audits

    System Audit: SAP_AUDITOR_SA

    Users and Authorizations Audit: SAP_AUDITOR_SA_CCM_USR

    Repository/Tables Audit: SAP_AUDITOR_SA_CUS_TOL

    The Audit Information System provides three menu roles for system auditors: one for general system audits, one for users and authorizations audits, and one for repository and tables audits.

    The system audit covers a wide range of tasks. It includes common security reports, used to verify aspects of system administration tasks (operating system, instance parameters, RFC destinations, and so on). It also includes system tasks performed by many users, such as background processing, printing, and change request management.

    The users and authorizations audit provides various ways to ensure users are managed properly and to ensure a user's authorizations correctly reflect the daily tasks the user must perform. This section includes the information system for reporting on users and authorizations, role maintenance, and common reports used to verify which users have what access.

    The repository/tables audit is used to discover who has direct table access in production and the extent of the access. It also provides information on table logging, specifically related to sensitive financial data. This section also provides information on change documents and their use in the SAP system.


    Figure 16: Menu versus Authorization Roles (2)

    The primary authorization role for the system auditor is SAP_CA_AUDITOR_SYSTEM_DISPLAY. This gives the auditor display access to almost all system functions. However, it does not give access to all system administration functions. Most companies will have a policy restricting access to system administration tasks; normally this policy will apply to auditors.

    System auditors should start with the role SAP_CA_AUDITOR_SYSTEM_DISPLAY. If this role is not sufficient, the auditor should work with the system administrator. If your company prefers to give the auditor more access, SAP provides the role SAP_CA_AUDITOR_SYSTEM, which offers broader access than SAP_CA_AUDITOR_SYSTEM_DISPLAY.

    Each of the system audit components has a different menu role. The menu role gives you access to the transactions and reports you need for a particular area. The AIS menu roles used for system audits are those listed above.

    Separating menu from authorization roles for auditors simplifies the required setup for an auditor. By having separate menu roles, the auditor's menu will be broken down into the exact tasks that need to be performed for this audit component area. For example, if someone is auditing system services in production, the menu role SAP_AUDITOR_SA will have more than adequate transactions and reports that can be executed to perform a successful audit of system services in production.

    If there is an authorization change that affects all three menu roles, the authorization change can be made in a single role. Having three menu roles makes it easier to customize a user menu specifically for the tasks the auditor needs to perform.

    In addition to the roles we have mentioned for system auditors, there are also roles for business audits. The business audit roles are also divided between menu roles and authorization roles. The following are examples of menu roles for business audits:


    AIS Menu Roles Used for Business Audits

    SAP_AUDITOR_BA_FI_GL Closing

    SAP_AUDITOR_BA_FI_AA Tangible Assets

    SAP_AUDITOR_BA_MM Materials Management

    The following is an example of an authorization role for business audits:

    AIS Authorization Roles for Business Audits

    SAP_CA_AUDITOR_APPL For applications (except SAP HR)

    In addition to the business roles, SAP provides a composite role, which contains every role in the Audit Information System. That composite role is SAP_AUDITOR.

    Setup Recommendations for AIS

    From a system audit perspective, the setup of the Audit Information System is quite simple. There are only a few steps you as a system auditor need to follow:

    Copy the SAP roles to your own naming convention

    Update the roles (as needed)

    Create a user for the auditor

    Assign the roles you created to the audit user

    If the Audit Information System is going to be set up for both system and business audits, some additional steps might need to be done. One of the SAP roles contains everything that is required to set up AIS. This role, SAP_AUDITOR_ADMIN, includes four major tasks that need to be completed:

    Copy the roles and create users using your own naming convention.

    Set up the online help with a link to the documentation server.

    Maintain selection variables for business reports.

    Activate a user exit for downloading data from SAP Financials.


    Figure 17: Preparatory Work

    The Audit Information System includes online help for each role. Many times in the role you will be linked to online help that explains SAP functions. For it to work properly, the Audit Information System help needs to be linked to your documentation server.

    The selection variables are used to provide input for SAP business and financial reports. Examples of data set up in the selection variables include calendar year, chart of accounts, language, posting period, and fiscal year.

    Activating the user exit relates to downloaded FI query data. The download of query data is a subfunction of the Audit Information System. A special file format, which is defined in an include for the user exit SQUE0001, is used.

    Start the queries as usual (for small datasets online, for large datasets in the background) and activate the option Private file. The query program writes the result data to the TEMSE database under the ID that is derived from your user ID (dialog user or background user). Thus, only you can access this data. Start report RSQUEU01 to execute the download of the results stored in the TEMSE database.

    Note: For more information on the user exit, see SAP Note 129170.

    Using AIS from a System Audit Perspective

    After the roles are set up, you can then begin using the Audit Information System. After you log on with the auditor user ID, you will receive a user menu for all the AIS functions granted in your role.


    Figure 18: Using AIS

    After the user menu is set up, you can access everything you need to audit system services, users, and repository/tables. Throughout the rest of this course, we will use this user menu to gain access to all audit functions we require.

    ADM950 Lesson and Audit Functions Used

    Lesson in ADM950 | Audit Menu Component
    Configuring and Using Security Audit Tools | System Audit
    Controlling Access to Transaction Codes, Tables, and Programs | Users and Authorizations; Repository/Tables Audit
    Using Logs to Monitor the Application | Repository/Tables Audit
    Customizing the Role Maintenance Utilities in SAP | Users and Authorizations; Repository/Tables
    Securing User and Group Administration | Users and Authorizations
    Change Management and Security | System Audit; Users and Authorizations
    Securing System Administration Services in Production Systems | Users and Authorizations; System Audit

    To use the Audit Information System, you just need to log on as a user who has audit roles assigned. You can work through each section of the menu, using the documentation to aid with your task. Oftentimes reports already have variants prepared that will aid you in your research. You will also notice that many menu items in the Audit Information System take you to traditional transaction codes in SAP.

    After you have completed the exercise for this lesson, you will have an audit user set up with the roles required to perform a thorough system audit. When you log on as your audit user, you will see the menu paths provided.

    Setup for the Remainder of ADM950

    For the remainder of this course, you will have a user ID that is an auditor and a user ID that is a super user. Additionally, you will have user IDs to audit. For the majority of the course, you will be logged on as your audit user. The following table details the user IDs for this course:

    User IDs for ADM950 Course

    User ID | How used
    ADM950-## | Super user. This user should be used only to build your audit user. This user has broad access and is created by your trainer before class.
    GRP##-AUDIT | Your audit user. You will create this user ID. After this user ID is created, it should be used for all further exercises and activities in the course.
    FIADMGRP-## | Finance administrator. This user mimics an end user and the user ID is provided. You will perform audits on this user.
    HRADMGRP-## | Human resources administrator. This user mimics an end user and the user ID is provided. You will perform audits on this user.
    SYSADMGRP-## | System administrator. This user mimics a system administrator and the user ID is provided. You will perform audits on this user.
    GRCFFADM-## | Administrator, Superuser Privilege Management
    GRCFFOWN-## | Firefighter ID Owner
    GRCFFID-## | Firefighter
    GRCBIZZ-## | Firefighter User


    Exercise 2: Configure AIS for a System Auditor

    Exercise Objectives

    After completing this exercise, you will be able to:

    Demonstrate how to configure the Audit Information System for a system auditor

    Business Example

    You must provide a system auditor with the ability to do audit functions. To do this, you have to configure the Audit Information System for a system auditor.

    Caution: The prerequisites for this course assume at least an introduction to creating users and roles. If you have not had previous experience with creating users and updating roles, you might want to use the solutions for this exercise. The solutions will walk you through each step for creating the role and updating the role.

    Task 1: Create a user ID that will be an auditor.

    1. Create a user ID named GRP##-AUDIT. Put this user in the user group Guest; give this user no roles or profiles at this time. In the Logon data tab, enter GRP##-AUDIT as the Alias.

    Task 2: Create a role for a system auditor.

    1. Create a role, GRP##_SYSTEM_AUDITOR, by copying the SAP role SAP_CA_AUDITOR_SYSTEM.

    Task 3: Change your new role, GRP##_SYSTEM_AUDITOR, updating the menu and generating the role.

    1. Go into your new role in change mode, go into the Authorizations, and generate the role:

    2. Generate the role and name the profile GRP##AUDIT.


    3. Update the menu of your new role, inserting three roles: SAP_AUDITOR_SA, SAP_AUDITOR_SA_CCM_USR, and SAP_AUDITOR_SA_CUS_TOL.

    Caution: It is a prerequisite for the following exercises to do this step!

    4. In the folder Top 10 Security Reports under System Audit, insert transaction code SM20N. Have it be the first report under System Audit → Top 10 Security Reports.

    5. Using the Description tab, update the documentation for the role. Add to the documentation the three roles that you inserted in the Menu.

    6. Generate your new role. After selecting the Authorizations tab, select Expert Mode for Profile Generation, then choose Edit old data.

    Task 4: Assign this role to the user you created and log on as that user.

    Note: After this exercise is complete, you should be logged into SAP only as GRP##-AUDIT.

    1. Using the User tab in your role, assign this role to the user GRP##-AUDIT.


    Solution 2: Configure AIS for a System Auditor

    Task 1: Create a user ID that will be an auditor.

    1. Create a user ID named GRP##-AUDIT. Put this user in the user group Guest; give this user no roles or profiles at this time. In the Logon data tab, enter GRP##-AUDIT as the Alias.

    a) Choose Tools → Administration → User Maintenance → Users.

    b) Enter GRP##-AUDIT in the User field and click the Create icon.

    c) Enter a last name and first name of your choice.

    d) Click the Logon data tab.

    e) In the Alias field, enter GRP##-AUDIT.

    f) In the fields for the password, enter a simple password such as INIT.

    g) In the User Group for Authorization check field, enter GUEST.

    h) Save the user by clicking the Save icon.

    Task 2: Create a role for a system auditor.

    1. Create a role, GRP##_SYSTEM_AUDITOR, by copying the SAP role SAP_CA_AUDITOR_SYSTEM.

    a) Choose Tools → Administration → User Maintenance → Role Administration → Roles.

    b) Enter SAP_CA_AUDITOR_SYSTEM in the Role field and choose Role → Copy.

    c) Enter GRP##_SYSTEM_AUDITOR in the To role field and choose Copy all.


    Task 3: Change your new role, GRP##_SYSTEM_AUDITOR, updating the menu and generating the role.

    1. Go into your new role in change mode, go into the Authorizations, and generate the role:

    a) You should still be in Role Maintenance (transaction code PFCG). Make sure your role GRP##_SYSTEM_AUDITOR is in the Role field and choose Role → Change (or click the Change icon).

    b) Select the Authorizations tab and click the Change icon or choose Change Authorization Data.

    2. Generate the role and name the profile GRP##AUDIT.

    a) Choose Authorizations → Generate or click the Generate icon.

    b) You will receive a dialog box in which you can change the default profile name. Enter GRP##AUDIT in the Profile field and click the green check mark.

    3. Update the menu of your new role, inserting three roles: SAP_AUDITOR_SA, SAP_AUDITOR_SA_CCM_USR, and SAP_AUDITOR_SA_CUS_TOL.


    Caution: It is a prerequisite for the following exercises to do this step!

    a) If you are still in the Change Role: Authorizations screen, use the green back arrow to exit and select the Menu tab.

    b) Under Role menu, create three new folders: Repository/Tables Audit, Users and Authorizations Audit, System Audit.

    c) In the Copy menus portion of the screen, select From other role.

    d) Select SAP_AUDITOR_SA. You will have to scroll down to find this role. Once you find the role, double-click it.

    A window named Selection of Transactions from the Menu appears.

    e) To select everything in the menu, click on each check box. Click the green check mark to Add.

    f) From Role menu, now select the newly created folders one by one and move them under the main folder System Audit.

    g) Save your role by clicking the Save icon.

    h) Repeat steps (c) through (g), first inserting the role SAP_AUDITOR_SA_CCM_USR and putting the created folders under the main folder Users and Authorizations Audit, then inserting the role SAP_AUDITOR_SA_CUS_TOL and putting the created folders under the main folder Repository/Tables Audit.

    4. In the folder Top 10 Security Reports under System Audit, insert transaction code SM20N. Have it be the first report under System Audit → Top 10 Security Reports.

    a) Open the folder System Audit.

    b) Click the folder Top 10 Security Reports.

    c) Click the Add Transaction icon.

    d) Enter SM20N and click the green check mark, Assign transactions.

    e) Optionally, to see the transaction code names in the menu, click Switch on technical names.

    5. Using the Description tab, update the documentation for the role. Add to the documentation the three roles that you inserted in the Menu.

    a) Click the Description tab. Read the documentation and add a few sentences describing how you have updated this role to the end of the documentation.

    b) Save your role.


    6. Generate your new role. After selecting the Authorizations tab, select Expert Mode for Profile Generation, then choose Edit old data.

    a) Click the Authorizations tab.

    b) Click Expert Mode for Profile Generation.

    c) Select Edit old status.

    d) Choose Authorizations → Generate.

    Task 4: Assign this role to the user you created and log on as that user.

    Note: After this exercise is complete, you should be logged into SAP only as GRP##-AUDIT.

    1. Using the User tab in your role, assign this role to the user GRP##-AUDIT.

    a) Click the User tab.

    b) Enter GRP##-AUDIT in the User ID field.

    c) Click User Compare then choose Complete comparison.

    d) Log off your current user ID.

    e) Log on as GRP##-AUDIT.


    Lesson Summary

    You should now be able to:

    Describe the purpose of the Audit Information System (AIS)

    Configure and assign AIS roles and authorizations

    Demonstrate the ability to navigate and use the AIS roles

    Related Information

    SAP Note 451960 AIS Role Concept/Installation Recommendations

    SAP Note 100609 AIS Installation for FI

    SAP Note 129170 AIS Download of Query Data

    http://service.sap.com/ais

    AC900 audit workshop from a business perspective (WNA210 if you are located in North America)


    Lesson: Configuring and Using Security Audit Tools

    Lesson Overview

    This lesson describes the configuration and use of the security audit log. It provides examples of how to use the log and what to look for when reading it.

    Additionally, this lesson introduces the options for monitoring security alerts available with the Computer Center Management System. You will learn how to use transaction RZ20 to monitor security-related alerts in one or more SAP systems.

    Lesson Objectives

    After completing this lesson, you will be able to:

    Identify the requirements for configuring the security audit log

    Demonstrate how to read the security audit log

    Demonstrate use of the security alert monitor in CCMS

    Business Example

    While auditing your system, you want to start by discovering what types of actions are happening on your system. You are interested in logons by users, logons by remote users, and specific transaction starts.

    The security audit log can assist you in discovering what activities are occurring in your SAP system.

    Furthermore, you can tailor the filters that watch for such activity to monitor specific clients, even specific individuals. You can decide to use these tools in your organization to investigate specific security problems or events.

    You want the security audit log to be monitored within the context of your entire landscape. If there are problems, you want to be alerted about them. The Computer Center Management System provides monitors that, when configured, raise alerts when certain events occur: events that indicate security-sensitive activity or even security breaches. Custom security monitors can watch for such activity across system boundaries and across an entire solution landscape.


  • ADM950 Lesson: Configuring and Using Security Audit Tools

    The Roadmap for This Lesson

    This lesson describes the tools SAP provides for conducting a system audit:

    Audit Log

    CCMS monitoring

    Menu Paths in the Audit Information System

    All the menu paths used in the Audit Information System (AIS) are listed at the end of this lesson. We will use the following menu paths in AIS for this lesson:

    System Audit → Top 10 Security Reports → Security Audit Log Assessment

    System Audit → System Configuration → Parameters → System Parameters with Documentation

    System Audit → System Configuration → Operating System → Display SAP Directories

    System Audit → System Configuration → System → CCMS Monitoring

    Introducing the Security Audit Log

    The security audit log is designed for auditors who need to take a detailed look at what occurs in the SAP system. By activating the audit log, you keep a record of those activities you consider relevant for auditing. You can then access this information for evaluation in an audit analysis report.

    The audit log's main objective is to record:

    Security-related changes to the SAP system environment (for example, changes to user master records)

    Information that provides a higher level of transparency (for example, successful and unsuccessful logon attempts)

    Information that enables the reconstruction of a series of events (for example, successful or unsuccessful transaction starts)

    Specifically, you can record the following information in the security audit log:

    Successful and unsuccessful dialog logon attempts

    Successful and unsuccessful RFC logon attempts

    Remote function calls (RFCs) to function modules

    Successful and unsuccessful transaction starts

    Successful and unsuccessful report starts

    Changes to user master records

    Changes to the audit configuration


    Security Audit Log Architecture

    The security audit log keeps a record of security-related activities in SAP systems. This information is recorded daily in an audit file on each application server. To determine what information should be written to this file, the audit log uses filters, which are stored in memory in a control block. When an event occurs that matches an active filter (for example, a transaction start), the audit log generates a corresponding audit message and writes it to the audit file. A corresponding alert is also sent to the CCMS alert monitor. Details of the events are provided in the security audit log's audit analysis report, as shown in the figure:

    Figure 19: Security Audit Logging

    Caution: SAP systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Due to the amount of information that can accumulate, you should archive these files on a regular schedule and delete the originals from the application server. Use transaction SM18 to archive or delete old audit log files.


    The Audit File and the Audit Record

    The audit files are located on the individual application servers. You define the name and location of the files in a profile parameter, rsau/local/file. When an event occurs that is to be audited, the system generates a corresponding audit record or audit message, and writes it to the file. The audit record contains the following information (if known):

    Event identifier (a three-character code)

    SAP user ID and client

    Terminal name

    Transaction code

    Report name

    Time and date when the event occurred

    Process ID

    Session number

    Miscellaneous information

    You define the maximum size of the audit file in the profile parameter rsau/max_diskspace/local. The default value is 1 megabyte (MB) or 1000000 bytes. If the maximum size is reached, the auditing process stops.

    The following instance parameters are related to the file for the audit log:

    rsau/local/file: name of the security audit log

    rsau/max_diskspace/local: maximum size for the file

    Using the Audit Log versus Configuring the Audit Log

    The system administrator or the security administrator will be the person responsible for configuring the audit log. While the auditor can use the log to research logon attempts, transaction starts, and other activities, the auditor normally cannot configure the security audit log.

    The following sections describe configuration and use of the audit log. To observe configuration, you will have to use your power user, ADM950-##. When you want to look at the log from the perspective of the auditor, use your audit user, GRP##-AUDIT.

    The people who work with the audit log have different responsibilities:

    Who configures the audit log: system administrator or security administrator

    Who uses the audit log: system auditors, security administrators


    Configuring Filters

    The system administrator or security administrator defines the events you want to audit in filters. This information is stored in the control block, which is located in the application server's shared memory. The SAP system uses this information to determine which audit messages should be written to the audit file.

    Figure 20: Configuring Security Audit Filters (screen showing the filter fields: client, user, audit class, weight of events)

    Filters consist of the following information:

    Client

    User

    Audit class

    Weight of events to audit


    The audit class returns information about the following:

    Dialog logon

    RFC/CPIC logon

    Remote function call (RFC)

    Transaction start

    Report start

    User master change

    You can specify the weight of events to audit:

    Audit only critical

    Audit important and critical

    Audit all events

    You specify the information you want to audit in filters that you can either:

    Create and save filters permanently in the database

    Change filters dynamically on one or more application servers

    If you decide to create and save the filters permanently in the database, all of the application servers use identical filters to determine which events should be recorded in the audit log. You have to define filters only once for all application servers. You can also define several different profiles that you can alternatively activate.

    Note: When using static filters, you must restart the instance before the filter is active.

    You can also decide to dynamically change the filters used for selecting events to audit. The system distributes these changes to all active application servers. You do not have to restart the instance for the filters to be active. Dynamic filters are not saved for reuse after system stops or system starts.

    Maintaining Static Filters

    If you use static filters, all of the application servers use identical filters for determining which events should be recorded in the audit log. You have to define filters only once for all application servers.

    You can also define several different profiles that you can alternatively activate.

    To define static filters, you must set the profile parameters listed in the following table.


    Profile Parameters for Setting Static Filters

    rsau/enable: This parameter enables the security audit log.

    rsau/local/file: This parameter defines the names and locations of the audit files. (This was an optional parameter starting with 4.6C. It no longer exists in Web Application Server 6.30.)

    rsau/max_diskspace/local: This parameter defines the maximum space to allocate for the audit files.

    rsau/selection_slots: This parameter defines the number of filters to allow for the security audit log.

    The figure shows the screen used to configure security audit filters.


    Maintaining Static Filters

    Prerequisites

    Procedure

    1. To access the Security Audit Log Configuration screen from the SAP standard menu, choose Tools → Administration → Monitor → Security Audit Log → Configuration.

    The Security Audit: Administer Audit Profile screen appears with the Static configuration tab activated. If an active profile already exists, it is displayed in the Active profile field.

    2. Enter the name of the profile to maintain in the Displayed profile field.

    3. If you are creating a new audit profile, choose Profile → Create. To change an existing profile, choose Profile → Change.

    The lower section of the screen contains tabs for defining filters. The number of tabs corresponds to the value of the profile parameter rsau/selection_slots. Within each tab, you define a single filter.

    4. Define filters for your profile. (See the procedure below.)

    5. Make sure the Filter active indicator is set for each of the filters you want to apply to your audit.

    6. Save the data.

    7. To activate the profile, choose Profile → Activate.

    8. To make the changes effective you would need to restart the application server. Please don't do it! Use dynamic filters instead (next exercise).

    Result

    The filters you define are saved in the audit profile. If you activate the profile and restart the application server, actions that match any of the active filter events are then recorded in the security audit log.

    Note: On some UNIX platforms, you also need to clear shared memory by explicitly executing the program cleanipc. Otherwise, the old configuration remains in shared memory and the changes to the static profile do not take effect.


    Setting Dynamic Filters

    Dynamic filters enable you to respond to real-time events in your system environment, setting traps that can assist you in addressing a security problem. With this option, you can dynamically change the filters used for selecting events to audit. The system distributes these changes to all active application servers.

    To set dynamic filters, you must set the profile parameters listed in the following table.

    Profile Parameters for Setting Dynamic Filters

    rsau/local/file: This parameter defines names and locations of the audit files. (This was an optional parameter starting with 4.6C. It no longer exists in Web Application Server 6.30.)

    rsau/max_diskspace/local: This parameter defines the maximum space to allocate for the audit files.

    rsau/selection_slots: This parameter defines the number of filters to allow for the security audit log.

    The figure shows the screen used to configure dynamic security audit filters.

    Figure 21: Configuring Dynamic Audit Filters


    Setting Dynamic Filters

    Prerequisites

    Before you can set dynamic filters, you must first take care of the following profile parameters:

    rsau/local/file

    rsau/max_diskspace/local

    rsau/selection_slots

    rsau/max_diskspace/per_day

    rsau/max_diskspace/per_file

    Procedure

    1. To access the Security Audit Log Configuration screen from the SAP standard menu, choose Tools → Administration → Monitor → Security Audit Log → Configuration.

    The Security Audit: Administer Audit Profile screen appears with the Static configuration tab activated.

    2. Choose the Dynamic configuration tab or Goto → Dynamic configuration from the menu.

    In the upper section of the screen, you receive a list of the active instances and their auditing status. The lower section of the screen contains tabs for maintaining filters.

    3. Choose Configuration → Change.

    4. Define filters for the application server. (See the procedure for defining filters below.)

    5. Make sure the Filter active indicator is set for each of the filters you want to apply to the audit on the application server.

    6. If you want to distribute the filter definition to all of the application servers, choose Configuration → Distribute configuration.

    7. To change the auditing status on a single application server, select the status indicator in the List of active instances table.

    A green light indicates an activated audit.

    A red light indicates a deactivated audit.


    8. To activate the filter (or filters) on all of the application servers, choose Configuration → Activate audit. To deactivate the filters on all of the application servers, choose Configuration → Deactivate audit.

    Hint: If you receive a program failure message, make sure you have the authorization S_RFC with the value SECU in your authorization profile. (The system uses remote function calls to obtain a list of servers; for this reason, you need the appropriate authorizations.)

    Result

    The audit filters are dynamically created on all active application servers. If you activate the profile(s), any actions that match any of these filters are recorded in the security audit log. Changes to the filter definitions are effective immediately and exist until the application server is shut down.

    Defining Filters

    In filters you define the events that the security audit log should record. You can specify the following information in the filters:

    User and SAP system client

    Audit class (for example, dialog logon attempts or changes to user master records)

    Weight of event (for example, critical or important)

    You can define filters that you save in static profiles in the database (see the procedure for maintaining static profiles) or you can define them dynamically for one or more application servers (see the procedure for setting dynamic filters).


    Defining Filters

    Prerequisites

    The number of filters you can specify is defined in the profile parameter rsau/selection_slots. You can either define static profiles or change filters dynamically using the Security Audit Log configuration tool. For each allocated filter, a tab appears in the lower section of the screen.

    Procedure

    1. Select the tab for the filter you want to define.

    2. Enter the client and user names in the corresponding fields.

    Hint: You can use the wildcard (*) value to define the filter for all clients or users. However, a partially generic entry such as 0* or ABC* is not possible.

    3. Select the corresponding Audit classes for the events you want to audit.

    4. Audit events are divided into three categories: critical, important, and non-critical. Select the corresponding categories to audit.

    Only critical events

    Important and critical events

    All events


    5. If you want to define the events to audit more specifically:

    Choose Detailed configuration.

    A table appears containing a detailed list of the audit classes with their corresponding event classes (critical, severe, non-critical) and message texts. (The message texts correspond to the system log messages AUx.)

    Select the events you want to audit. You can select either a single event or all events:

    Select a single event by activating the Recording indicator for a specific event.

    Select all events for an entire audit class by choosing the audit class descriptor (for example, Dialog logon).

    Choose Accept changes.

    Hint: If you have made detailed settings, the audit class and event class indicators no longer appear in the corresponding filter tab. To cancel the detailed settings and reload the default configuration, choose Reset.

    6. To activate the filter, select the Filter active indicator.
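    The filter logic described in this procedure and in the earlier sections on configuring and defining filters, as an added Python model that is not SAP code: a filter's client, user, audit classes and weight of events decide whether an event is written to the audit file, only the full wildcard * is accepted as a selector, and the number of filters is bounded by rsau/selection_slots. The sample filters, events and their weights are constructed for the illustration.

```python
"""Added example (not SAP code): how security audit log filters in the
control block decide which events are recorded. Sample data is constructed."""
from dataclasses import dataclass

# Weight of events to audit, as offered in the filter tab.
CRITICAL, IMPORTANT, NON_CRITICAL = "critical", "important", "non-critical"
ONLY_CRITICAL = frozenset({CRITICAL})
IMPORTANT_AND_CRITICAL = frozenset({CRITICAL, IMPORTANT})
ALL_EVENTS = frozenset({CRITICAL, IMPORTANT, NON_CRITICAL})

# Audit classes a filter can select.
AUDIT_CLASSES = frozenset({"Dialog logon", "RFC/CPIC logon",
                           "Remote function call", "Transaction start",
                           "Report start", "User master change"})


def check_selector(value: str) -> str:
    """Client and user selectors are a concrete value or '*' for all.
    Partially generic entries such as '0*' or 'ABC*' are not possible."""
    if "*" in value and value != "*":
        raise ValueError(f"partially generic entry {value!r} is not allowed")
    return value


def is_valid_selector(value: str) -> bool:
    try:
        check_selector(value)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class AuditEvent:
    client: str
    user: str
    audit_class: str
    weight: str
    text: str


@dataclass(frozen=True)
class AuditFilter:
    client: str
    user: str
    audit_classes: frozenset
    weights: frozenset
    active: bool = True  # the "Filter active" indicator

    def __post_init__(self):
        check_selector(self.client)
        check_selector(self.user)
        unknown = self.audit_classes - AUDIT_CLASSES
        if unknown:
            raise ValueError(f"unknown audit class(es): {sorted(unknown)}")

    def matches(self, event: AuditEvent) -> bool:
        return (self.active
                and self.client in ("*", event.client)
                and self.user in ("*", event.user)
                and event.audit_class in self.audit_classes
                and event.weight in self.weights)


def select_events(filters, events, selection_slots=2):
    """Events the audit log would write: those matching any active filter."""
    if len(filters) > selection_slots:
        raise ValueError("more filters than rsau/selection_slots allows")
    return [ev for ev in events if any(f.matches(ev) for f in filters)]


# Constructed configuration: slot 1 records critical logon events in all
# clients; slot 2 records everything GRP01-AUDIT does in client 100.
FILTERS = (
    AuditFilter("*", "*", frozenset({"Dialog logon", "RFC/CPIC logon"}),
                ONLY_CRITICAL),
    AuditFilter("100", "GRP01-AUDIT", AUDIT_CLASSES, ALL_EVENTS),
)

# Constructed events; the weights are illustrative, not SAP's classification.
EVENTS = (
    AuditEvent("200", "JSMITH", "Dialog logon", CRITICAL, "logon failed"),
    AuditEvent("200", "JSMITH", "Dialog logon", NON_CRITICAL, "logon successful"),
    AuditEvent("100", "GRP01-AUDIT", "Transaction start", NON_CRITICAL, "SM20N started"),
    AuditEvent("100", "ADM950-01", "Transaction start", NON_CRITICAL, "SM18 started"),
)


def recorded_texts():
    """Message texts that reach the audit file for FILTERS and EVENTS."""
    return [ev.text for ev in select_events(FILTERS, EVENTS)]
```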

    The Audit Analysis Report

    The security audit log produces an audit analysis report that contains the audited activities. Using the audit analysis report, you can analyze events that have occurred and have been recorded on a local server, a remote server, or all of the servers in the SAP system.

    The audit analysis report produced by the security audit log is similar to the system log. You can view the contents of the audit files from the audit analysis report.

    When viewing the audit log, you can use the Detail Sel. button under the Events tab to determine which specific events to record. You can also use Detail Sel. to observe which events SAP considers critical, severe, and non-critical.


    Figure 22: Running the Security Audit Report

    When reading the security audit log, you can use a new transaction, SM20N, to exit. When following the menu paths in both AIS and the standard SAP menu, use transaction code SM20 to assess the security audit log. The menu path in AIS is System Audit → Top 10 Security Reports → Security Audit Log Assessment. When you configure the AIS roles, you might want to change this menu path to point to SM20N instead of SM20.


    Displaying the Audit Analysis Report

    1. To access the Security Audit Log analysis screen from the SAP standard menu, choose Tools → Administration → Monitor → Security → Security Audit Log → Analysis (or you can enter SM20N).

    The Security Audit Log: Local Analysis screen appears; local analysis is the default.

    2. Enter any restrictions you want to apply to the audit analysis report in the appropriate fields or by selecting the desired indicators (for example, From date/time, To date/time, User, Transaction, Audit classes, or Events to select).

    Hint: Events are classified into three categories, critical, important, and non-critical, with critical being the most important. You can view critical events only, critical and severe events, or all events.

    3. If you want to include or exclude specific messages from your report:

    Choose Detailed Sel.

    Select the Audit events you want to record.

    Choose Accept changes (the green check mark).

    4. To read the security audit log, choose one of the following options:

    Choose Security Audit Log → Re-read audit log to initially read or to replace a previously read log.

    Choose Security Audit Log → Re-display only to view the last audit log you read. For example, you can change the Selection options to modify the audit analysis report without having to re-read the log.

    Choose Security Audit Log → Read audit log to merge new information using different selection criteria with the current information in the audit analysis report.

    Result

    The result is the audit analysis report containing the messages that correspond to your selection criteria. By selecting an individual message, you can view more detailed information.

    Reading the Audit Analysis Report

    In this section, we describe how to read the audit analysis report you produced using the procedure, Displaying the Audit Analysis Report.


    The audit analysis report is divided into four main sections:

    Introductory information

    Audit data

    Statistical analysis

    Contents

    In the introductory information at the top of the report, you find the selection options applied to the audit file to generate this report (for example, from date/time, to date/time, user, and audit classes).

    The audit data follows the introductory data and contains the following information for each audit event found in the audit file that applies to your selection criteria (depending on your display configuration):

    Date

    Time

    Instance

    Category (dialog or batch)

    Message number

    Audit class code (For example, a dialog logon attempt belongs to class number 002.)

    User

    Transaction code

    Terminal number

    Summary information is included at the end of the audit data (for example, the number of records read, the number of records selected, and audit file names).

    If you selected With statistical analysis in the display options, a statistical analysis completes the report with the following information:

    Instance statistics (when analyzing all instances)

    Client statistics

    Report statistics

    Transaction statistics

    User statistics

    Message statistics
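    The selection options, summary and statistical analysis of the audit analysis report described above, as an added Python illustration that is not SAP's report code: it filters constructed audit records the way the selection screen does, then counts them per instance, client, transaction, user and message, and tallies failed logons per terminal as an auditor would. The record layout and the message IDs AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are assumptions for the example, and the records are constructed.

```python
"""Added example (not SAP code): summary and statistical analysis of an
audit analysis report from constructed audit records."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    date: str         # YYYYMMDD
    time: str         # HHMMSS
    instance: str     # application server instance
    category: str     # "dialog" or "batch"
    message: str      # message number, e.g. AU2 (assumed IDs)
    audit_class: str  # shown as a code in the report (dialog logon is 002)
    client: str
    user: str
    tcode: str        # empty for logon events
    terminal: str


# Constructed records for one day; not taken from a real system.
SAMPLE_RECORDS = (
    AuditRecord("20100412", "080102", "host1_ADM_00", "dialog", "AU2", "Dialog logon", "100", "JSMITH", "", "TERM-17"),
    AuditRecord("20100412", "080115", "host1_ADM_00", "dialog", "AU2", "Dialog logon", "100", "JSMITH", "", "TERM-17"),
    AuditRecord("20100412", "080130", "host1_ADM_00", "dialog", "AU1", "Dialog logon", "100", "JSMITH", "", "TERM-17"),
    AuditRecord("20100412", "080201", "host1_ADM_00", "dialog", "AU3", "Transaction start", "100", "JSMITH", "SM20N", "TERM-17"),
    AuditRecord("20100412", "091000", "host2_ADM_01", "dialog", "AU3", "Transaction start", "100", "GRP01-AUDIT", "SM20N", "TERM-42"),
    AuditRecord("20100412", "091230", "host2_ADM_01", "dialog", "AU3", "Transaction start", "100", "GRP01-AUDIT", "SM20", "TERM-42"),
    AuditRecord("20100412", "093000", "host2_ADM_01", "batch", "AU3", "Transaction start", "000", "BATCHADM", "SM18", ""),
    AuditRecord("20100412", "100000", "host1_ADM_00", "dialog", "AU2", "Dialog logon", "200", "ADMIN", "", "TERM-99"),
)


def select(records, *, user=None, tcode=None, audit_class=None,
           from_time=None, to_time=None):
    """A subset of the selection options: user, transaction, audit class
    and a from/to time window (HHMMSS strings compare correctly)."""
    out = []
    for r in records:
        if user and r.user != user:
            continue
        if tcode and r.tcode != tcode:
            continue
        if audit_class and r.audit_class != audit_class:
            continue
        if from_time and r.time < from_time:
            continue
        if to_time and r.time > to_time:
            continue
        out.append(r)
    return out


def summary(all_records, selected):
    """The summary block at the end of the audit data section."""
    return {"records_read": len(all_records), "records_selected": len(selected)}


def statistics(records):
    """The statistical analysis section: counts per instance, client,
    transaction, user and message (empty transaction codes are skipped)."""
    stats = {key: Counter() for key in
             ("instance", "client", "transaction", "user", "message")}
    for r in records:
        stats["instance"][r.instance] += 1
        stats["client"][r.client] += 1
        stats["user"][r.user] += 1
        stats["message"][r.message] += 1
        if r.tcode:
            stats["transaction"][r.tcode] += 1
    return stats


def failed_logons_by_terminal(records):
    """Failed logons (assumed message AU2) per terminal: repeated failures
    from one terminal are the first thing to look for in the report."""
    return Counter(r.terminal for r in records if r.message == "AU2")
```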

    A list of con