SAP Audit Information Approach


DESCRIPTION

SAP Audit


  • 5/24/2018 SAP Audit Information Approach


    SAP Audit Information and Approach

    Authorization Example

    1. User Master Record

    User: Frank W. Lons
    Profile: Example

    2. Profile: Example

    Object: S_Program
    Authorizations: ABAP

    3. Authorization: ABAP

    Object: S_Program

    Fields          Values
    Program Group   *
    Activity        SUBMIT, VARIANT


    Authorization System:

    1. Profiles: One or more assigned to a user

    2. Objects: Must be unique names with one or more fields

    3. Fields: Contain values for authority checking

    4. Authorizations: Can have the same names as they are physically and physically linked to an object

    Field group for an object has multiple values and can be shared across objects


    Initial Defaults

    1. Initial Clients

    - Client 000: Standard model

    - Client 001: Model for user defined clients (template).

    2. Initial User Ids

    - SAP*: Default super user. A user master record is created during installation, but it is not needed by SAP* to access the complete system. If the SAP* master record is deleted, the SAP* account has the following special privileges:

    - It is not subject to authorization checks and therefore has all authorizations.

    - It has the password "PASS", which cannot be changed without creating a new user master record.

    - To prevent deletion, assign the SAP* user to a group called SUPER; only super users should be able to maintain user group SUPER.


    3. Initial Security Parameters

    Parameters for user logon

    login/min_password_lng

    Minimum password length. The default is (3).

    login/password_expiration_time

    Number of days after which a password must be changed. The default is zero, which does not enforce password changes. Recommended value = 45.

    login/fails_to_session_end

    Number of times a user can enter an incorrect password before the system ends the login attempt. The default is (3).

    login/fails_to_user_lock

    Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. The default is (12). Recommend (3). When a password is locked in this manner, it is automatically unlocked by the system at the start of the next day (midnight).
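The logon parameter review above, as an added Python example that is not part of the original document: it reads profile settings in `name = value` form and compares them with the defaults and recommendations listed on this page. Assumptions: the sample input is constructed, an unset parameter is taken to run with the listed default, and a value at or below a recommendation is treated as acceptable.

```python
import re

# Defaults and recommendations exactly as stated on this page.
# recommended=None means the page gives no recommended value.
PAGE_VALUES = {
    "login/min_password_lng":         {"default": 3,  "recommended": None},
    "login/password_expiration_time": {"default": 0,  "recommended": 45},
    "login/fails_to_session_end":     {"default": 3,  "recommended": None},
    "login/fails_to_user_lock":       {"default": 12, "recommended": 3},
}

# Constructed sample input (not from a real system), in "name = value" form.
SAMPLE_PROFILE = """\
# constructed sample profile
login/min_password_lng = 3
login/password_expiration_time = 0
rdisp/wp_no_dia = 4
login/fails_to_session_end = three
"""

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: raw string value}, skipping blanks and # comments."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def assess(name, value):
    """Compare one effective value with the page's recommendation."""
    recommended = PAGE_VALUES[name]["recommended"]
    if recommended is None:
        return "INFO", "page gives no recommended value"
    if name == "login/password_expiration_time" and value == 0:
        return "FAIL", "password changes are not enforced"
    # Assumption: a value at or below the recommendation is at least as strict.
    if value > recommended:
        return "FAIL", f"exceeds recommended value {recommended}"
    return "OK", f"within recommended value {recommended}"


def audit(params):
    """Return {parameter: (effective value, source, status, reason)}."""
    report = {}
    for name, ref in PAGE_VALUES.items():
        raw = params.get(name)
        if raw is None:
            # Assumption: an unset parameter runs with the default the page lists.
            value, source = ref["default"], "default"
        else:
            try:
                value, source = int(raw), "profile"
            except ValueError:
                report[name] = (raw, "profile", "INVALID", "not an integer")
                continue
        status, reason = assess(name, value)
        report[name] = (value, source, status, reason)
    return report


if __name__ == "__main__":
    for name, row in audit(parse_profile(SAMPLE_PROFILE)).items():
        print(f"{name:34} {row[0]!s:>6} {row[1]:8} {row[2]:8} {row[3]}")
```

The missing `login/fails_to_user_lock` line is the interesting case: the audit reports the default of 12 as a failure even though the profile never mentions the parameter.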


    Adding Users

    1. Each user must have a master record.

    2. Each user master record refers to one or more profiles that determine the access rights for the user.

    3. Master record contains:

    - User ID

    - Password

    - User groups

    - User type

    - Period of validity

    - References to authorization profiles

    Master records can be deleted, but it will affect the audit trail. Better to lock the user's master record. Menu Path: Tools - Administration - User Maintenance - User - Lock/Unlock.

    4. User Group

    If a person is assigned to a user group, only the administrators who are authorized for that user group can alter user master records. If a user is not assigned to a group then any user administrator can alter the user master record.


    Adding Profiles

    Profiles and Authorizations exist in both maintenance and active versions. Allows for updates to maintenance before it is activated. Separation of maintenance and activation functions.

    1. System Profiles

    SAP Standard and Super User Profiles

    S_A.SYSTEM: Unlimited access to all users, profiles, and authorizations

    S_A.ADMIN: Authorizations for SAP system administration. This includes all authorizations except for:

    - Maintenance of users in user group SUPER

    - Maintenance of profiles and authorizations with names beginning "S_A."

    S_A.CUSTOMIZ: Authorizations for use in the SAP Customizing system

    S_A.DEVELOP: Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)

    S_A.USER: Basis system authorizations for end-users (e.g., S_Program, S_DB_MONI, etc.)


    2. Startup Profiles

    Profile Name   Description
    S_ABAP_ALL     All ABAP/4 authorizations
    S_ADMI_ALL     All system administration functions
    S_BDC_ALL      All batch input activities
    S_BTCH_ALL     All batch processing authorizations
    S_DDIC_ALL     DDIC: All authorizations
    S_DDIC_SU      Data Dictionary: All authorizations
    S_NUMBER       Number range maintenance: All authorizations
    S_SCD0_ALL     Change documents: All authorizations
    S_SCRP_ALL     All SAPscript text, styles, layout sets maintenance
    S_SPOOL_ALL    All spool authorizations
    S_SYST_ALL     All system authorizations
    S_TABU_ALL     Standard table maintenance: All authorizations
    S_TSKH_ALL     All system administration authorizations
    S_USER_ALL     User maintenance: All authorizations
    SAP_ALL        Provides unlimited access to maintain all SAP R/3 system authorizations, with the following exceptions:
                   - Maintenance of users in user group SUPER
                   - Maintenance of profiles and authorizations with names beginning S_USER
    SAP_ANWEND     All SAP R/3 (excluding system) application authorizations
    SAP_NEW        Provides unlimited access to all authorizations added with new releases of SAP R/3.
    Z_ANWEND       All user authorizations (excluding BC system)

    3. Profiles and their associated authorization value sets are stored in USRxx tables.


    Adding Authorizations

    Authorization objects are used to check a user's authority to perform actions and access data in R/3. A user's action is approved only if the user passes the authorization test for each field listed in an object.

    1. Authorization Objects

    - SAP contains a number of authorization objects that are used to restrict the ability of users to perform certain functions and access information. Authorization objects can contain up to ten authorization IDs representing such system elements as transactions, tables, fields, or programs.

    - A user is allowed access if their master record lists the object for which the authorization is being tested and the user passes the authorization test for each authorization ID.

    - An authorization value set is required for access 02 = change

    - Authorization Profiles are used to grant the authorization value sets to a user. The user master record refers to profiles and the profiles, in turn, refer to value sets that determine the access capabilities of the user.

    - New authorization objects can be created by Menu Path: System - Services - Table Maintenance. Merely creating a new object does not initiate any authorization checking. Either ABAPs need to be modified to test the new objects, or additional authorization checks need to be defined.

    - First assign an object class for the new object.

    - Next use AUTHORITY-CHECK for ABAP/4 programs

    - Or add additional authorization checks to the TSTC (transaction table) Menu Path: System - Services - Table Maintenance.


    2. Objects

    - Objects are defined in the system and contain one or more fields that are used to test user access.

    3. Authorization Value Sets

    - Are lists of all values (for each field) for which a user is authorized.

    - Usually used to define tasks

    - Profiles allocate the tasks (authorization value set) to logical functions. These profiles are assigned to a physical user (master record).


    4. Basis System Authorization Objects

    Object: S_PROGRAM
    Fields: Program group, Activity
    Uses: ABAP/4 programs that may be run.

    Object: S_EDITOR
    Fields: Program group, Activity
    Uses: ABAP/4 programs that may be displayed or edited

    Object: ABAP/4 Query S_QUERY
    Fields: Activity
    Uses: Whether a user can run queries and whether the user can maintain ABAP/4 Query user groups

    Object: System Administration Functions
    Fields: Administration Functions
    Uses: A variety of system functions such as:
    1. Whether a user may enter a value interactively to pass an authorization test that he does not have authorization for in his user master record
    2. Access to the ABAP/4 Dictionary
    3. Access to the interface painter
    4. System trace authority
    5. Ability to add or delete additional authorization tests in the TSTC table
    6. Execute host operating system commands

    Object: Central Field Selection
    Fields: Activity, Authorization group
    Uses: Which ABAP/4 programs a user can use to dynamically alter attributes of fields

    Object: Table Maintenance
    Fields: Authorization class, Activity
    Uses: Authorize users to view and/or modify table contents

    Object: Batch Processing: Batch Administrator
    Fields: Administrator
    Uses: Give user administrator authorization over background processing

    Object: Batch Processing: Batch User Name
    Fields: Authorized user
    Uses: Specify user Ids that a user may specify as the authorization for running background jobs

    Object: Batch Processing: Operations on Batch Jobs
    Fields: Operations, Job Group
    Uses: Specify the operations that users may perform on background jobs (Release, delete, etc.)

    Object: Batch Input Authorizations
    Fields: Queue group name, Activity
    Uses: Authorize a user to work with batch input sessions

    Object: Queue Management Authorizations
    Fields: Queue group name, Activity
    Uses: Management of queues for trouble-shooting or problem analysis

    Object: Authorization Check for SM04, SM50
    Fields: Administration
    Uses: To authorize users to lock or unlock transactions and to manage user sessions other than their own.

    Object: Authorization for Update Administration
    Fields: Administration
    Uses: Authorization to manage update records for other users

    Object: Enqueue: Displaying and Deleting Lock Entries
    Fields: Activities
    Uses: Authorize users to maintain lock entries of other users

    Object: Spool: Device Authorization
    Fields: Output Device
    Uses: Authorizes users to use particular printers

    Object: Spool Actions
    Fields: Spool action Value
    Uses: Authorizes an administrator to perform specified actions on the spool system

    Object: Public Holiday and Calendar Access Privileges
    Fields: Activity
    Uses: Authorization to display and/or maintain calendars

    Object: Number Range Maintenance
    Fields: Activity, Number range object
    Uses: Authorize users to maintain number ranges

    Object: Change Documents
    Fields: Activity
    Uses: Authorization to display, maintain, and/or delete change documents

    Object: Tools Performance Monitor
    Fields: Authorization name
    Uses: Authorization to use sensitive functions of the performance monitor


    Objects & Authorizations

    S_TOOLS_EX: Access to view logon parameters

    S_PROGRAM: ABAP program access

    Fields     Values      Comments
    P_GROUP    *           Program group
    P_ACTION   SUBMIT      Execute program
               EDIT        Maintain program attributes and texts
               VARIANT     Start and maintain variants
               BTCSUBMIT   Submit programs for background execution

    S_EDITOR: ABAP program access

    Fields        Values   Comments
    P_GROUP       *        Program group
    EDIT_ACTION   SHOW     Display program source
                  EDIT     Amend program source

    S_BDC_MONI: Batch input session

    Fields       Values   Comments
    BDCGROUPID   *        Name of batch session for which a user is authorized (e.g. "FRANK")
    BDCAKTI      ABTC     Submit sessions for execution
                 AONL     Run sessions in interactive mode
                 ANAL     Analyze sessions, log and queue
                 FREE     Release sessions
                 LOCK     Lock/unlock sessions
                 DELE     Delete sessions


    S_NUMBER: Number range authorization

    Fields   Values   Comments
    NROBJ    *        Number range object name for a vendor
    ACTVT    02       Change
             03       Display
             11       Change the last-used number in a number range interval
             13       Initialize the last-used number when transporting ranges between clients
             17       Maintain number range object (pre 3.0)

    S_SCDO: Change document authorization

    Fields   Values   Comments
    ACTVT    02       Maintain and display change documents
             06       Delete change documents
             08       Display change documents
             12       Maintain change document objects


    Processes

    1. Batch: Number of transactions entered into the system as a batch. Batch inputs can take place in the background where no changes can be made or in the foreground where transactions containing errors can be interactively corrected.

    Restricting Access

    - The Batch Input object restricts user activities in different batch input sessions.

    ANAL   Analyze sessions. Display session, log, and queue dump
    DELE   Delete sessions
    LOCK   Lock and unlock sessions
    FREE   Release sessions
    ABTC   Submit sessions for background execution
    AONL   Run sessions in interactive modes

    2. On-Line

    3. Background: Program executes on a background processing server without interactive user input. To run it must be scheduled.

    This can be done two ways:

    - Menu Path: ABAP/4 - System Services - Reporting - Batch Request function

    - From background processing menu by selecting goto - Batch Request

    In either case the user must have a User ID to run the job. Users could be authorized to run background jobs but not foreground jobs.

    Before a background job can run, it must be released. The releasing of jobs is usually restricted to "Batch Administrators".

    Restricting Access


    - The field Admin in the Batch Admin object is used to give a user administration authorizations. If this field contains a "Y", the user has access to all background jobs in an SAP system and can perform any operation on any job.

    - The field Activity in the S_PROGRAM object determines activities users are able to perform on an ABAP. A value of BTCSUBMIT allows a user to schedule the ABAP/4 program for background execution.

    - The Auth user field of the Batch User Name object is used to restrict user-IDs specified as the authorized user for running a job.

    - The Operation field of the Operations on Batch Jobs object is used to specify the operations that a user can perform on their own jobs. This is used to restrict users from deleting or releasing jobs.

    4. Services

    Can run on different servers.

    - Dialog

    - Update

    - Enqueue

    - Background

    - Message Server

    - CPI-C Gateway Server

    - Spool

    5. Work Processes

    TSKH    Task Handler
    DYNP    Screen Processor
    ABAP    Program Processor
    DB-SS   Database interface that converts ABAP/4 SQL into DBMS SQL.


    Transactions

    SAP transactions allow different functions to be performed within R/3. Menu selection also generates transactions. To see which transaction is currently executing select Menu Path: System - Status.

    System transactions are applicable to the basis system and application transactions are specific to a certain module.

    Transactions can be locked and unlocked using Menu Path: Administration - Tcode Administration. When a transaction is locked, users cannot execute that transaction. To perform this function, a user requires the authorization object Authorization check for SM04, SM50 with a value of S in the Admin field.

    1. Controlled by DYNP processor

    - Checks whether additional authorization checks are required to run the transaction (in TSTC Table).

    - Interprets the Dynpros, which involves creating the screens and applying the logic defined in the dynpro (field checks, etc.).

    2. All transactions are listed in the TSTC Table. This table includes:

    - An indicator that the transaction has been locked or is available to be used. The ability to lock and unlock transactions is controlled using authorization object Authorization Check for SM04, SM50.

    - Additional authorization checks to be performed. Only users with the value TCOD in the field Admin Functions in object System Admin Functions have the ability to add, alter, or delete these additional authorization tests.

    If a transaction is not marked as requiring authorization checks then any user can run the transaction.


    Transaction types:

    SU93 and SU91   Displays changes to master records and profiles
    SE30            Trace function
    SU53            Authorization check failures
    SU02            Activation of profiles
    SU03            Activation of authorizations
    SU0             Assignment of user ID
    SU01            Assignment of users to profiles and alter the password of any user
    SU10            Assignment of profiles for a range of users
    SU12            Delete all users
    TU02            View logon parameters
    SM52            Unix command line prompt
    SU21            Grouping of objects into object classes (example is Basis Administration, Financial Accounting)


    Tables

    SAP is characterized by the use of thousands of application and control tables. The setup of the control tables, to a large extent, determines in which way an SAP installation functions.

    Logical views provided by the ABAP/4 Dictionary of all data (control data, master data, and transaction data) stored in SAP system.

    All control tables start with the letter "T".

    Control tables can be displayed and maintained on-line. Menu Path: System - Services - Table Maintenance. In order to restrict tables a number of table authorization classes should be defined. All standard tables have been assigned to authorization classes. Authorization object Table Maintenance is used to maintain the tables in each authorization class. Two levels of access are allowed: value = 02 (add, change, or delete) and 03 (display only).

    To modify a table structure Menu Path: Tools - CASE - Development - Data Dictionary - Maintenance.

    Logging of changes can be accomplished by using change document objects to specify which tables are logged and the level of logging performed on each table.


    1. TSTC: Transactions

    2. MA: Matchcodes

    3. T001: Details about a company

    4. T001B: Defines accounting periods for company T001.

    5. USRxx: Profiles

    6. TUSR04: Authorization Profiles

    7. TUSR01: User master record

    8. TUSR02: User ID and password

    9. TUSR03: Extended information about the user.

    10. TUSR05: Field defaults for each R/3 user and field.

    11. TOBJ: Pre-defined authorization objects and fields

    12. TOBJT: Descriptive text of the authorization objects.

    13. TUSR10 and TUSR11: Authorization Profiles and Descriptions

    14. T055: Field group fields

    15. T055G: Field groups

    16. T055T: Field Group descriptions

    17. AUTH: Internal table - Financial objects

    18. TACT: Activity codes

    19. TACTT: Activity codes descriptions


    20. TACTZ: Valid activity codes for each authorization object

    21. USR40: Custom password checks

    22. TDDAT: Defines the link between tables and their authorization classes

    23. T000: SAP Clients

    24. T001: SAP companies

    25. TGSB: Business Areas and Plants


    Logs

    Errors and important events are logged in the system logs. These logs should be reviewed daily.

    The servers in an SAP system record events and problems in a set of local and central system logs. These logs may be displayed and maintained on-line from the Menu Path: Tools - Administration - Monitoring - System log.

    Local logs keep only messages issued by the local application server. Each application server has a local log file.

    System logs are configured by setting parameters in the system profile.

    Transactions SU93 and SU91 display changes made to a user's master record or profiles.

    Logging of Changes to Authorizations:

    - All changes to user master records, profiles, and authorization value sets. For example, user master records will display added or deleted from the list in the user master records. It will not display modified profiles; rather, the log of changes to profiles could be used to identify changed profiles.

    - Changes to a user's password, user type, user group, period of validity, and account number.

    - For each item in the log, the system reports both the old and new version of any lines that have changed. This log is a valuable control over unauthorized changes to users' access capabilities and needs to be reviewed daily.


    Reports for Auditing Security

    Menu Path: Information - Current Information

    - Displays detailed information on user master records, authorization profiles, authorization objects, and authorization value sets. With this facility, it is possible to display all user master records and/or profiles that contain a specific object.

    Modules

    SAP application modules.

    1. BC: SAP Basis module

    2. Logistics: SD, MM, PP, QM, PM

    3. Human Resources: HR

    4. Financial and Administration: FI, CO, AM, PS, OC

    Change Management

    Backup and Recovery

    Daily backups are necessary to ensure the recoverability of data, in the event of a disaster.

    SAP includes SAPDBA program that is used to perform database administration tasks.

    SAP can be backed up on-line.

    Redo logs (Oracle) should also be archived daily.

    Security Administration


    Users who are able to change user master records, profiles and/or authorization value sets need to be tightly controlled. The system provides a number of standard authorization objects that can be used.

    User Groups S_USER_GRP

    Fields                  Values
    User group              Names of the user groups for which an administrator is authorized.
    Administrator actions   01: Create user master records, add profiles to new or existing records
                            02: Edit
                            03: Display
                            05: Lock or unlock user
                            06: Delete a user master record
                            08: Display user change records


    Authorization Profile S_USER_PRO

    Fields                  Values
    Profile name            The profile names for which an administrator is authorized.
    Administrator actions   01: Create profiles and enter authorizations into them
                            02: Edit
                            03: Display
                            06: Delete a profile
                            08: Display change records
                            22: Add profiles to user master record

    Authorizations Value Sets S_USER_AUT

    Fields                  Values
    Object name             The names of the authorization objects for which an administrator is authorized.
    Authorization name      The names of the authorization value sets for which an administrator is authorized
    Administrator actions   01: Create authorization value set
                            02: Edit
                            03: Display
                            06: Delete
                            07: Activate
                            08: Display change records
                            22: Enter authorizations into a profile

    Table Maintenance S_TABU_DIS


    Fields      Values
    DICBERCLS   Table classes for which a user access is authorized
    ACTVT       Activity code

    Table Maintenance Across Clients S_TABU_CLI

    Fields       Values
    CLIIDMAINT   Access indicator

    Object S_USER_GRP

    - Determines which user groups can be administered and consequently all users who are assigned to those groups.


    Object S_ADMI_FCD

    - "Systems Administration Functions" provides powerful systems administration functions, including the following (field = "Systems Administration Functions"):

    NADM - Network Administration (SM54, 55, 59)
    UADM - Update Administration (SM13)
    T000 - Create New Client
    TLCK - Lock/Unlock Transactions
    SPAD - Authorization for spool administration in all clients
    SPAR - Authorization for client-dependent spool administration
    SP01 - Authorization for administration of spool requests in spool output control (all users and clients)
    SPOR - Spool administration
    BTCH - Test environment, batch
    UNIX - Execute UNIX commands from SAPMSOS0
    RSET - Reset/delete data without archiving
    SYNC - Reset buffers


    ABAP/4 Dictionary

    R/3 uses an external database (Oracle in most cases) to hold application data, but it makes use of its own ABAP/4 Dictionary. This Dictionary gives R/3 the functionality to control the environment.

    1. Each field in the ABAP/4 Dictionary is described by a domain. When any input is not valid in terms of the domain, it will not be accepted and the user will have to correct the entry in the DYNPRO screen before continuing. The ABAP/4 Dictionary provides the following domain checks:

    - The format of the field must match the definition in the ABAP/4 Dictionary (character, numeric, date, etc.)

    - A number of discrete values may be contained in the domain that are valid for the field.

    - A table can be specified that contains all the values allowed for a particular field. If a table is specified, there must be procedures for ensuring that the table's contents are kept up-to-date.

    Restricting Access

    - Controlled by the authorization object System Admin Functions. Only users with the value = DDIC in the Admin Function fields can make changes to the ABAP/4 Dictionary or use the database table utility.

    - It is not possible to further restrict access to alterable tables.

    - Changes are logged by the system and can be queried using the ABAP/4 Dictionary Information System Menu Path: Development - ABAP/4 Dictionary - Info System

    - Dictionary changes should be reviewed daily.


    ABAP/4 Programming

    ABAP/4 is the fourth generation interpretative language in which all R/3 applications are written. The Basis System is written in C.

    ABAP/4 is a comprehensive programming language. ABAP statements can be written that will read and update data, create new records, etc. ABAP also can contain SQL statements allowing almost unrestricted access to the database.

    ABAP/4 must be tightly controlled. No ABAP statement changes should be allowed in the production system's environment.

    1. Location

    - On Application Server

    Restricting Access

    Each ABAP needs to be assigned to an authorization group in the report attributes set when creating an ABAP report. Any ABAP that has not been assigned to an authorization group may be run by any user with authorization for object S_PROGRAM.


    ABAP that have been assigned to a program group can only be run by users who are authorized to that program group using object S_PROGRAM. This object further restricts the manner in which a user is able to run an ABAP.

    SUBMIT      The user may start programs interactively
    BTCSUBMIT   The user may submit programs for execution in the background partition.
    EDIT        The user can maintain attributes and text elements and use utilities for copying and deleting reports (This does not allow the user to edit ABAP/4 programs).
    VARIANT     The user may maintain variants. Variants are parameters that are passed to an ABAP program.

    In the standard system, none of the ABAPs are assigned to authorization groups. Therefore any user that can run transaction SA38 (or SE38 to develop ABAP/4 programs), can run any of the standard ABAPs. It is recommended that all ABAPs be placed in authorization classes and that users should only have authorization for authorization classes (ABAPs) that are required for their job functions. No matter what, the database interface checks are still in play for all ABAPs and the user will not be able to act on data for which they have no authority.
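The check described here and under Adding Authorizations, as an added Python model that is not SAP code and not part of the original document: it walks user master record, profiles, authorizations and field values, and shows the case of an ABAP with no authorization group. Assumptions: the user IDs, the Z_ names, the programs and the group names are constructed, and the model requires every field to pass within a single authorization.

```python
# User master record -> profiles -> authorizations -> field values.
USER_MASTER = {
    "FRANK": ["EXAMPLE"],      # the page's example user (user ID is constructed)
    "CLERK": ["Z_REPORTING"],  # constructed
    "GUEST": [],               # constructed, holds no profile
}
PROFILES = {
    "EXAMPLE": [("S_PROGRAM", "ABAP")],  # as in the page's Authorization Example
    "Z_REPORTING": [("S_PROGRAM", "Z_RUN_FI"), ("S_PROGRAM", "Z_VAR_HR")],
}
AUTHORIZATIONS = {
    ("S_PROGRAM", "ABAP"): {"P_GROUP": ["*"], "P_ACTION": ["SUBMIT", "VARIANT"]},
    ("S_PROGRAM", "Z_RUN_FI"): {"P_GROUP": ["FI_RPT"],
                                "P_ACTION": ["SUBMIT", "BTCSUBMIT"]},
    ("S_PROGRAM", "Z_VAR_HR"): {"P_GROUP": ["HR_RPT"], "P_ACTION": ["VARIANT"]},
}
# Constructed programs -> authorization group from the report attributes.
# An empty string means the ABAP was never assigned to a group.
PROGRAMS = {"ZFI_BALANCES": "FI_RPT", "ZHR_PAYLIST": "HR_RPT", "ZADHOC_DUMP": ""}


def authorizations_of(user, obj):
    """Yield every field/value set the user holds for one object."""
    for profile in USER_MASTER.get(user, []):
        for auth_obj, auth_name in PROFILES.get(profile, []):
            if auth_obj == obj:
                yield AUTHORIZATIONS[(auth_obj, auth_name)]


def field_passes(allowed, wanted):
    """A field passes on an exact value or on the full wildcard '*'."""
    return "*" in allowed or wanted in allowed


def authority_check(user, obj, **wanted):
    """True only if ONE authorization passes the test for EVERY field."""
    return any(
        all(field_passes(auth.get(field, []), value)
            for field, value in wanted.items())
        for auth in authorizations_of(user, obj)
    )


def can_run(user, program, action="SUBMIT"):
    """Apply the S_PROGRAM rules this page describes to one program."""
    group = PROGRAMS[program]
    if not group:
        # Page: an ABAP without an authorization group may be run by any
        # user with authorization for object S_PROGRAM.
        return any(True for _ in authorizations_of(user, "S_PROGRAM"))
    return authority_check(user, "S_PROGRAM", P_GROUP=group, P_ACTION=action)


def unprotected_programs():
    """Programs an auditor should report: no authorization group assigned."""
    return sorted(name for name, group in PROGRAMS.items() if not group)


if __name__ == "__main__":
    for user in USER_MASTER:
        for program in PROGRAMS:
            print(f"{user:6} {program:13} SUBMIT -> {can_run(user, program)}")
    print("no authorization group:", unprotected_programs())
```

CLERK holds SUBMIT for FI_RPT and VARIANT for HR_RPT, yet cannot submit ZHR_PAYLIST because no single authorization carries both values; the same user can still run ZADHOC_DUMP, which has no group.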

    ABAPs may be developed on-line using the SAP ABAP editor.

    - The ABAP programs can be assigned to authorization groups. The S_EDITOR authorization object is used to restrict authorization groups a user is able to edit. Any user with S_EDITOR authorization object is able to edit any ABAP program that has not been assigned to an authorization group.

    - No users should have S_EDITOR. Otherwise they may write a dynamic SQL that allows complete access to all client's data.

    ABAP/4 Query


    ABAP/4 Query is the report writing software that allows users to generate reports quickly and easily without programming knowledge. It generates an ABAP program. Users cannot access any information to which the user would otherwise not have access.

    Restricting Access

    - Must be assigned to a user group before they can be run

    - User group contains the functional areas and the names of all people authorized to run queries.

    - Ensure that procedures are in effect to update the user groups when job assignments change.

    - Any user can run any queries defined for a user group of which he/she is a member, regardless of who wrote the query.

    - In order to create or maintain ABAP/4 Queries, a user must be a member of one or more user groups and have a value = 02 (change) in the activity field of the ABAP/4 Query authorization object.

    - In order to maintain the ABAP/4 Query user groups, a user needs the value = 23 (Maintain Environment) in the activity field of the ABAP/4 Query authorization object. This should be restricted to administrators.


    Operating Systems

    1. Unix

    - Start-Up Profiles are stored in /usr/sap/<SAP System Name>/sys/profile

    2. NT

    Database Management Systems

    1. Oracle

    Dynpros Screen Generator

    Dynpros are the input screens used when processing SAP transactions. They include details of the processing logic to be performed on the fields.

    1. Dynpros can be developed on-line using the standard SAP Dynpro Screen Painter Menu Path: Tools - Case - Development - Screen Painter.

    2. Controls need to be in place to ensure that changes to Dynpros are authorized, tested, and approved.


    Number Ranges

    SAP provides an "internal" and "external" numbering mechanism

    1. Internal numbers are sequential codes given by the system for documents, article numbers, personnel numbers, etc.

    2. Both internal and external numbers are stored in a file SYSV.

    Matchcodes

    These are secondary indexes to enable users to find specific records when the primary key is unknown.

    1. Stored in Table MA

    2. Table MA can be edited on-line using transaction SM31 and accessible through the Menu Path: System - Services - Table Maintenance.


    Weaknesses

    1. In the standard system, none of the ABAPs are assigned to authorization groups.

    2. Do not use native SQL calls in ABAPs as they will bypass the dictionary consistency checks. Use open SQL statements.

    Unlike normal ABAP statements, native SQL and open SQL do not trigger any authorization checks at run time. But using ABAPs with AUTHORITY-CHECK statement, the users authority can be checked at run time for specified objects.

    3. SAP* is the default user ID and it has unlimited access capabilities. It should only be given to the system administrators (SUPERUSER).

    4. Default system profiles may provide too much authority.

    5. Default logon Ids

    - SAP* password = 06071992

    - SAP* password = PASS

    - DDIC password = 19920706

    Oracle

    - Sys password = change_on_install

    - System password = manager

    - Sapr3 password = sapr3

    SAP/R3 application ID

    SAPDBA

    - Front-end to SQL*DBA

    - Can perform all DBA functions within SAP

    - Authentication is completed in UNIX


    6. Ad-hoc Queries

    - SQL*Plus

    - ODBC

    7. Oracle Tables

    - User02 Table contains all SAP user IDs and passwords
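Weaknesses 3 and 4 and the user group rule from Adding Users, turned into an added Python review of a user master export; this is not part of the original document. Assumptions: the CSV layout and every row in it are constructed, and members of user group SUPER are taken to be the system administrators who may hold the unlimited profiles.

```python
import csv
import io

# Profiles this page describes as giving unlimited access.
BROAD_PROFILES = {"S_A.SYSTEM", "SAP_ALL", "SAP_NEW"}

# Constructed export (hypothetical layout): user, user group, profiles
# separated by ";". Not taken from a real system.
SAMPLE_EXPORT = """\
user,user_group,profiles
SAP*,,SAP_ALL
DDIC,SUPER,SAP_ALL
BASISADM,SUPER,S_A.SYSTEM
JSMITH,FI_USERS,Z_FI_CLERK;SAP_NEW
TEMP01,,Z_DISPLAY
"""


def load_users(text):
    """Parse the export into {user: {"group": str, "profiles": set}}."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        users[row["user"]] = {
            "group": row["user_group"].strip(),
            "profiles": {p for p in row["profiles"].split(";") if p},
        }
    return users


def audit_users(users):
    """Return sorted (user, finding) pairs for the conditions on this page."""
    findings = []
    sap_star = users.get("SAP*")
    if sap_star is None:
        # Page: without a master record, SAP* bypasses authorization checks.
        findings.append(("SAP*", "MASTER_RECORD_MISSING"))
    elif sap_star["group"] != "SUPER":
        # Page: assign SAP* to group SUPER to prevent deletion.
        findings.append(("SAP*", "NOT_IN_GROUP_SUPER"))
    for name, record in users.items():
        if not record["group"]:
            # Page: without a group, any user administrator can alter the record.
            findings.append((name, "NO_USER_GROUP"))
        broad = record["profiles"] & BROAD_PROFILES
        # Assumption: only members of group SUPER may hold unlimited profiles.
        if broad and record["group"] != "SUPER":
            findings.append((name, "BROAD_PROFILE:" + ",".join(sorted(broad))))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_users(load_users(SAMPLE_EXPORT)):
        print(f"{user:10} {finding}")
```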


    Standard Reports

    RSAVGL00   Table comparison across clients
    RSDECOMP   Comparing tables across two systems
    RSDELSAP   Delete SAP* from client 066 (EarlyWatch client)
    RSKEYS00   Tables comparison: system versus sequential file
    RSTABL00   As for RSKEYS00
    RSSTAT92   Table changes for a selected month
    RSSTAT95   Table access statistics
    RSPARAM    Display system parameters settings
    RSUSER01   Test SAP_ALL
    RSUSR000   List all active users


    Financial

    Authorization Objects

    Master Data
    - GL
    - Customer
    - Vendor
    - Bank

    Documents

    Balance Sheets

    Credit Control Data

    Payment Runs

    Dunning Runs

    Example:

    Object = Company Codes

    Fields          Values
    Company codes   01 Create
                    02 Change
                    03 Display
                    05 Block/Unblock
                    06 Delete
                    08 Display change documents
