SAP Authorizations: Is it now difficult or easy? Johan Hermans CEO [email protected] SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage


© CSI tools. All Rights Reserved.

Johan Hermans

Licentiate commercial and financial sciences, 1992, EHSAL, specialization accountancy

Certified Information Systems Auditor (CISA), 1997

Certified BBP mySAP.com Consultant, 2000

Certified SAP NetWeaver Security Consultant, 2004

Certified Information Security Manager (CISM), 2005

Certified in Risk and Information System Control (CRISC) 2011

Founder of CSI tools in 1997

Assisted over 400 companies and organizations to improve the access rights in SAP environments


SAP authorizations

The basics of SAP authorizations are not understood

People make it way too complex

Let us start with some eye-openers


Demonstration in SAP R/3: Parameter Transactions


Demonstration in SAP R/3

You can post an A/P document with an A/R transaction


Also with Enjoy transactions

You can post an A/P document with an A/R transaction


Report Tree Transactions Give Access

Report tree transactions (S_ALR_*, S_BCE_*) reach the same functions as the well-known transaction codes:

OB52: C FI Maintain Table T001B
  S_ALR_87003642: IMG Activity: SIMG_CFMENUORFBOB52

PFCG: Role Maintenance
  S_ALR_87003541: IMG Activity: ORIP_SU01
  S_ALR_87003755: IMG Activity: SIMG_CFMENUORK1PFCG
  S_ALR_87005766: IMG Activity: SIMG_CFMENUORKEPFCG
  S_BCE_68000373: IMG Activity: PROF_GEN_PFCG


Demonstration in SAP R/3

Start transaction code SE37
Execute function module 'SUPRN_INS_OR_DEL_PROFILE'
Enter user-id, profile (here SAP_ALL) to add and action

Required Authorizations or

S_TCODE = SE37
S_DEVELOP
  ACTVT = 03, 16
  OBJTYPE = FUGR
  OBJNAME = SUPRN


Execute any ABAP, function module, … via SM37

Start transaction SM37

Select a Job

Select a Step

Select a Program

GoTo Program

Other Object (Shift + F5)

Test (F8)


Demonstration in SAP R/3: using RFC you can download all table content without SE16


Two Core Elements in SAP Application Security

Key questions: how many transaction codes and authorization objects exist in an SAP ECC 6.0 system, and what is their purpose?

                                   Transaction codes             Authorization objects
Typical reply by security administrators
  How many?                        20.000                        A multiple of 20k
  Purpose?                         To manage access rights       To restrict on organizational levels
Reality
  How many?                        + 150.000                     1.000 for "R/3" functionality
  Purpose!                         Only first line of defense    To manage access rights


Manage with +1.000 SAP authorization objects and not +150.000 transactions

9 for posting FI documents → F_BKPF_...
9 for vendor master data → F_LFA1_...
9 for customer master data → F_KNA1_...
24 for material master data → M_MATE_...
2 for payments → F_REGU_...
_____________________________________________
1.000 objects are grouped into → 300
example: company code: BUKRS

Your authorization requirements can be simplified into 300 one-liners.


+150.000 transaction codes: nobody can know them all, which is THE risk

Entry points that all end up at the same authority check on authorization objects:
  command field
  SE38 / SA38
  other transaction codes
  reporting trees (SERP / SARP)
  parameter transaction codes
  SE16 / SE17, SM30 / SM31, RFC, DATA tables
  transaction code menu
  custom transactions, ABAP programs

TSTCA check / S_TCODE: the transaction code check happens !! only once !!, at the start of the transaction
Authority check on authorization objects: inside the program, whatever the entry point


Most applications audit only on +500 transaction codes with a path defined

User interface → Application server → Database server (data to be protected)

  F-22 → Program SAPMF05A    → Authority Check F_BKPF_ ACTVT = 01 !
  FB01 → Program SAPMF05ATOP → Authority Check F_BKPF_ ACTVT = 01 !

150.000 possible entries, 300 kinds of objects: million combinations


Authority checks are sequential: you cannot tell which path will be followed!


Reveal inconsistencies: who has access to the data, who can start the transaction



Find inconsistencies in what people can do, did and can almost do

Entry points: command field, SE38 / SA38, other transaction codes, reporting trees (SERP / SARP), parameter transaction codes, SE16 / SE17, SM30 / SM31, RFC, DATA tables, transaction code menu, custom transactions, ABAP programs

Confidentiality, Integrity, Availability

Authorizations? F_BKPF_*, checked by FB01, F-22, ABAD, F-91, F.43, F.18, FB60, FB75, ……
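The two checks described on the slides above, the S_DEVELOP authorization on function group SUPRN from the SE37 demonstration and the F_BKPF_* core authorization that many transaction codes reach, can be combined into one report of "can do" versus "can almost do". The Python script below is an added example written for this page; it is not part of the presentation or of CSI tools' products. The role rows, user assignments and role names are constructed, and grouping all rows of one (role, object) pair into a single authorization instance is a simplification of a real AGR_1251 export.

```python
"""Inconsistency finder: compares the data-level ("core") authorization a user
holds with the S_TCODE entry that would let them reach it from the menu.
Constructed example, not an SAP export and not CSI tools' code."""

from collections import defaultdict

# Constructed rows in the shape of SAP table AGR_1251 (role, object, field, value).
# Assumption: one authorization instance per (role, object); a real export
# carries several instances per object, distinguished by its AUTH column.
ROLE_ROWS = [
    ("Z_AP_POST",       "S_TCODE",    "TCD",     "FB01"),
    ("Z_AP_POST",       "F_BKPF_BUK", "ACTVT",   "01"),
    ("Z_AP_POST",       "F_BKPF_BUK", "BUKRS",   "1000"),
    ("Z_AP_POST",       "F_BKPF_KOA", "ACTVT",   "01"),
    ("Z_AP_POST",       "F_BKPF_KOA", "KOART",   "K"),
    ("Z_AR_POST",       "S_TCODE",    "TCD",     "F-22"),
    ("Z_AR_POST",       "F_BKPF_BUK", "ACTVT",   "01"),
    ("Z_AR_POST",       "F_BKPF_BUK", "BUKRS",   "*"),
    ("Z_AR_POST",       "F_BKPF_KOA", "ACTVT",   "01"),
    ("Z_AR_POST",       "F_BKPF_KOA", "KOART",   "*"),
    ("Z_BASIS_DISPLAY", "S_TCODE",    "TCD",     "SE37"),
    ("Z_BASIS_DISPLAY", "S_DEVELOP",  "ACTVT",   "03"),
    ("Z_BASIS_DISPLAY", "S_DEVELOP",  "ACTVT",   "16"),
    ("Z_BASIS_DISPLAY", "S_DEVELOP",  "OBJTYPE", "FUGR"),
    ("Z_BASIS_DISPLAY", "S_DEVELOP",  "OBJNAME", "*"),
    ("Z_BATCH_MONITOR", "S_TCODE",    "TCD",     "SM37"),
    ("Z_BATCH_MONITOR", "S_TCODE",    "TCD",     "SA38"),
]

# Constructed user-to-role assignments (shape of AGR_USERS).
USER_ROLES = {
    "AP_CLERK": ["Z_AP_POST"],
    "AR_CLERK": ["Z_AR_POST"],
    "BASIS_JR": ["Z_BASIS_DISPLAY"],
    "OPERATOR": ["Z_BATCH_MONITOR", "Z_AR_POST"],
}

# Core authorizations taken from the slides: the objects the program checks,
# next to the menu transaction most audits look for instead.
CORE_ACTIONS = {
    "post A/P document in company code 1000": {
        "tcode": "FB01",
        "objects": {"F_BKPF_BUK": {"ACTVT": "01", "BUKRS": "1000"},
                    "F_BKPF_KOA": {"ACTVT": "01", "KOART": "K"}}},
    "execute function group SUPRN (profile assignment)": {
        "tcode": "SE37",
        "objects": {"S_DEVELOP": {"ACTVT": "16", "OBJTYPE": "FUGR", "OBJNAME": "SUPRN"}}},
}


def load_authorizations(rows):
    """role -> object -> field -> set of values."""
    auths = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for role, obj, field, value in rows:
        auths[role][obj][field].add(value)
    return auths


def field_ok(values, needed):
    # Only the full wildcard is modelled; SAP also allows ranges and patterns.
    return "*" in values or needed in values


def has_authorization(user, obj, required, auths, user_roles):
    """SAP semantics: ANY single authorization for obj that satisfies every
    requested field value passes the check."""
    for role in user_roles.get(user, []):
        fields = auths[role].get(obj)
        if fields and all(field_ok(fields.get(f, set()), v) for f, v in required.items()):
            return True
    return False


def classify(user, action, auths, user_roles):
    core = all(has_authorization(user, obj, req, auths, user_roles)
               for obj, req in action["objects"].items())
    tcode = has_authorization(user, "S_TCODE", {"TCD": action["tcode"]}, auths, user_roles)
    if core and tcode:
        return "can do"
    if core:
        # Core authorization without the menu transaction: the data is still
        # reachable through another entry point (other tcode, SA38, RFC, ...).
        return "can almost do"
    # Without the core authorization the transaction code alone grants nothing.
    return "cannot"


def find_inconsistencies(rows=ROLE_ROWS, user_roles=USER_ROLES):
    """user -> action -> 'can do' | 'can almost do' | 'cannot'."""
    auths = load_authorizations(rows)
    return {user: {name: classify(user, action, auths, user_roles)
                   for name, action in CORE_ACTIONS.items()}
            for user in user_roles}
```

Run against the constructed data, AR_CLERK and OPERATOR come out as "can almost do" for posting A/P documents: neither holds FB01, but both hold F_BKPF_BUK and F_BKPF_KOA with wildcards, which is exactly the "post an A/P document with an A/R transaction" case from the demonstration slides. A transaction-code audit would not list them.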


Role Concept Challenges

Multiple users need multiple transactions.
Users need only access to specific data in display or maintenance mode. They use transactions to get there.
SAP has some 100.000 transactions.
The number of users can vary from 20 to 1.000.000.
The average number of used transactions within a company can vary over time from 2000 to 8000.

Let's make a case: 600 users, 3000 tcodes …


Possible Scenarios: Extreme Cases

600 users, 3000 transactions

Organizational:   600 roles (what + where)
Technical:       3000 roles, 1 role / transaction (what)
                12000 roles (what + where)


Possible Scenarios: 1 Role per User (600 users, 600 roles)

Technical
  Advantage: easy to build: group transactions and create role
  Disadvantage: cannot separate "create for company code 1000" and "display for company code 3000" without breaking PFCG best practices

Functional
  Advantage: nice overview of all transactions per user
  Disadvantages:
  • complex and often long interviewing cycles
  • nightmare from change management perspective
  • unclear ownership (access to multiple (sub)processes and organizational data in one role)
  • SoD rule changes have major impact on the roles


Possible Scenarios: 1 Role per Transaction (3000 transactions, 3000 master roles)

Technical
  Advantage: very easy to build: put each transaction in a separate role
  Disadvantages:
  • huge amount of roles to initially create and to maintain after data restriction changes
  • a user cannot have more than 300 assigned roles (*)

Functional
  Advantage: very transparent; all is at user assignment level
  Disadvantage: heavy user request procedure: the user needs to request 300 to 400 roles and does not have this knowledge

(*) Simplified: the real limit is 312 profiles in a user-id


Possible Scenarios: Solution in Between

600 users, 3000 transactions

Organizational:   600 roles (what + where)
Technical:       3000 roles, 1 role / transaction (what)
                12000 roles (what + where)
In between:      what + where


Possible Scenarios: Intermediate Conclusion

An SAP role concept built on the technical view: grouping of transactions is needed.
An SAP role concept built on the organizational view: roles should be transparent for business, easy to manage and flexible.
Intelligent grouping of transactions and authorizations is needed.


Try to Group 2 Transaction Codes in 1 Role

FK01 (create vendor for company code 1000)      FB03 (display all A/P postings)
  F_LFA1_APP  ACTVT  01                           F_BKPF_BUK  ACTVT  03
  F_LFA1_APP  APPKZ  F                            F_BKPF_BUK  BUKRS  $BUKRS
  F_LFA1_BUK  ACTVT  01                           F_BKPF_KOA  ACTVT  03
  F_LFA1_BUK  BUKRS  $BUKRS                       F_BKPF_KOA  KOART  K
  F_LFA1_GEN  ACTVT  01
  F_LFA1_GRP  ACTVT  01
  F_LFA1_GRP
  $BUKRS = 1000                                   $BUKRS = *

FK01 and FB03 in one role (create vendor for company code 1000 and display all A/P postings):
  the same authorizations, but $BUKRS = ????
  technical issue: * vs 1000
  what / where

Different business processes use the same master data: so process-based grouping is NOT the solution.


Possible Scenarios: Data Level Based !

9 for posting FI documents → F_BKPF_...
9 for vendor master data → F_LFA1_...
9 for customer master data → F_KNA1_...
24 for material master data → M_MATE_...
2 for payments → F_REGU_...
_____________________________________________
1.000 objects are grouped into → 300
example: company code BUKRS

Your authorization requirements need to be simplified into 300 one-liners.


Possible Scenarios: Data Level Based ?

post FI docs (FB01):            F_BKPF_...  ACTVT 01  BUKRS 1000
display vendor master data:     F_LFA1_...  ACTVT 03  BUKRS *
update customer master data:    F_KNA1_...  ACTVT 02  BUKRS 2000
display material master:        M_MATE_...  ACTVT 03  WERKS 3000

Full flexibility on what and where
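The conflict from the "Try to Group 2 Transaction Codes in 1 Role" slide and the data-level alternative of the two slides above, as an added Python model of how the authority check evaluates a user's roles. This is example code written for this page, not code from the presentation, from SAP or from CSI tools; the role names are invented and matching only the full wildcard (no ranges or patterns) is a simplification of the example.

```python
"""Why FK01 (create vendor, company code 1000) and FB03 (display all A/P
documents, company code *) cannot share a role: PFCG fills the organizational
level $BUKRS once for the whole role. Constructed model, not SAP's code."""

# Authorization requirements of the two transactions, as listed on the slide.
# "$BUKRS" marks the organizational-level field that PFCG fills per role.
FK01_REQUIRED = {
    "F_LFA1_APP": {"ACTVT": "01", "APPKZ": "F"},
    "F_LFA1_BUK": {"ACTVT": "01", "BUKRS": "$BUKRS"},
    "F_LFA1_GEN": {"ACTVT": "01"},
    "F_LFA1_GRP": {"ACTVT": "01"},
}
FB03_REQUIRED = {
    "F_BKPF_BUK": {"ACTVT": "03", "BUKRS": "$BUKRS"},
    "F_BKPF_KOA": {"ACTVT": "03", "KOART": "K"},
}
# Assumed extra requirement for a "display all vendors" role (F_LFA1_BUK with
# ACTVT 03), used to show that authorizations are not merged field-wise.
VENDOR_DISPLAY_REQUIRED = {"F_LFA1_BUK": {"ACTVT": "03", "BUKRS": "$BUKRS"}}


def build_role(name, required, org_levels):
    """Generate the role's authorizations: every $FIELD placeholder is replaced
    role-wide by the single value chosen for that organizational level."""
    auths = []
    for obj, fields in required.items():
        filled = {f: org_levels.get(v[1:], v) if v.startswith("$") else v
                  for f, v in fields.items()}
        auths.append((obj, filled))
    return {"name": name, "auths": auths}


def field_matches(pattern, value):
    # Only the full wildcard is modelled (assumption); SAP also takes ranges.
    return pattern == "*" or pattern == value


def authority_check(roles, obj, **required):
    """SAP semantics: the check passes if ANY single authorization for obj
    satisfies every requested field. Authorizations from different roles are
    never combined field by field, which is what makes data-level roles safe."""
    for role in roles:
        for auth_obj, fields in role["auths"]:
            if auth_obj == obj and all(field_matches(fields.get(f, ""), v)
                                       for f, v in required.items()):
                return True
    return False


def probe(roles):
    """Three questions from the slide: create a vendor in 1000 (wanted),
    create a vendor in 2000 (must fail), display A/P documents in 2000 (wanted)."""
    return {
        "create_vendor_1000": authority_check(roles, "F_LFA1_BUK", ACTVT="01", BUKRS="1000"),
        "create_vendor_2000": authority_check(roles, "F_LFA1_BUK", ACTVT="01", BUKRS="2000"),
        "display_ap_2000": authority_check(roles, "F_BKPF_BUK", ACTVT="03", BUKRS="2000"),
    }


def one_role_for_both(bukrs):
    """FK01 and FB03 grouped in one role: $BUKRS can only get one value."""
    role = build_role("Z_FK01_FB03", {**FK01_REQUIRED, **FB03_REQUIRED}, {"BUKRS": bukrs})
    return probe([role])


def data_level_roles():
    """One role per data-level requirement, each with its own $BUKRS value."""
    vendor_create = build_role("Z_VENDOR_CREATE_1000", FK01_REQUIRED, {"BUKRS": "1000"})
    ap_display = build_role("Z_AP_DOC_DISPLAY_ALL", FB03_REQUIRED, {"BUKRS": "*"})
    # Same object F_LFA1_BUK with ACTVT 03 / BUKRS *: it does not combine with
    # ACTVT 01 / BUKRS 1000 into "create vendors everywhere".
    vendor_display = build_role("Z_VENDOR_DISPLAY_ALL", VENDOR_DISPLAY_REQUIRED, {"BUKRS": "*"})
    return probe([vendor_create, ap_display, vendor_display])
```

With $BUKRS = 1000 the combined role breaks FB03 for every other company code; with $BUKRS = * it lets the user create vendors everywhere. Splitting the requirements into data-level roles gives create-in-1000 and display-everywhere at the same time, and the third role shows that adding display access for all company codes on the same object does not widen the create authorization.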


Conclusion

Identifying who can do what is extremely difficult:
  Million ABAPs, +150k transaction codes, RFC and Web Dynpros … nobody knows all possibilities!

SAP authorizations are extremely easy:
  If you have the core authorization, you have potential access.
  If you should not have access, remove the core authorization.

And do not forget that authority checks are a completely different story!

Use applications that focus on authorizations and not on transaction codes.


Small last remark

Do not forget that you can disable authority checks!

Thank you! Any questions?

Johan Hermans, [email protected]