8/10/2019 Sap Security Concept
http://slidepdf.com/reader/full/sap-security-concept 1/33
A Guide to Securing Your SAP ECC System
Raymond Mastre, CISA, CRISC
Director SAP Security/GRC
PwC
Agenda
• Introduction
• Basic SAP ECC Security Concepts
• Securing your SAP ECC System
• Choosing Your Role Design Methodology
• Audit Compliance Topics (SoD and SA) and Security Design Monitoring
• Case Study
• Wrap-up
Introduction
• Over 10 years of SAP Security and SAP GRC experience
• Completed 10-15 global SAP Security designs/redesigns
• Experience working in the Beauty, Pharma, Public, Defense and Chemicals industries
• CRISC and CISA certified
Raymond Mastre,
Director SAP Security/GRC
PwC
Basic SAP ECC Security Concepts
1. User master record: the user requires a valid user ID and password
2. T-code check: the user requires an authorization for the transaction
3. Authority check: the user requires authorizations for the business objects the program checks
Authorization Analogy
The proper key must be cut specifically for a certain lock
Authorization Analogy
(Diagram: User -> Profile -> Authorization -> Authorization Object with its Object Fields and Field values -> SAP Program as the lock)
The proper authorization is needed to unlock the SAP program: the user is assigned a profile, the profile contains authorizations, and each authorization is an instance of an authorization object whose fields carry the permitted values.
SAP Security Key Components
• Authorizations (fields and values)
• Profiles
• Users
• Roles
Authorizations and Profiles
(Diagram: SAP Authorization Structure. A Profile holds Authorizations; each Authorization is an instance of an Authorization Object and sets Field values for the Object Fields; the Profile is the access element that unlocks the SAP Program.)
There are also composite profiles that can have other single or composite profiles assigned to them. For example, SAP_ALL and SAP_NEW are composite profiles.
Users
(Diagram: the same SAP Authorization Structure with the User added as the access element. User master record -> Profile -> Authorization -> Authorization Object (Object Fields, Field values) -> SAP Program.)
Profile Generator
(Diagram: the Security Admin builds a Role in the SAP Profile Generator (transaction PFCG) from Menu Items; the generator derives the Authorization Data from USOBT_C and USOBX_C (maintained in SU24), generates the Profile, and the Role is assigned to the User.)
• Security Admin creates the role and assigns T-code menu item(s)
• SAP generates the authorization data based on the menu items and the corresponding USOBT_C table entries
Relevant Security Tables
• AGR_TCODES: T-code to role mapping
• AGR_USER: Role to user mapping
• AGR_DEFINE: Role definition (role to role name)
• AGR_AGRS: Roles within a composite role
• AGR_1251: Authorizations in a role
• AGR_1252: Organizational values in a role
• TOBJ: Fields within an authorization object
Leading Practice Security Designs
(Diagram: Job Based Methodology on the left shows one large role per job, e.g. AP Clerk, AP Manager and AP Processor, each repeating the same transactions and producing Redundant Access. Task Based Methodology on the right shows a user assigned several small roles, e.g. User General, FI Common Display, FI Document Reversal and FI Document Processing.)
What is Job Based?
(Diagram: separate job roles for AP Supervisor, AP Clerk and AP Manager)
• Security roles are built based on positions/jobs for a group of users (e.g. Accounts Receivable Manager)
• A single role contains all of the access needed to perform a job
• Transaction codes and authorizations are typically duplicated in many roles
What is Task Based?
• Security is built based on small, definable tasks executed by a user (e.g. Process Cash Receipts)
• Multiple roles are assigned to the user for them to perform their day-to-day tasks
• Transaction codes exist in a single role, with minimal exceptions
(Diagram: one user assigned four task roles)
User General: SU53, SBWP
FI Common Display: FBV3, FB03
FI Document Reversing: F.81, F.80
FI Document Processing: FB02, FB01
Job vs. Task

                                    Job Based                        Task Based
Number of roles assigned to users   1-3                              8-10
T-codes per role                    25-40                            6-10
T-code duplication                  Significant                      Minimal
On-going change management          Role content change              Role assignment change
Scalability                         Limited                          Highly scalable
SoD                                 High number of roles with SoDs;  Low or no roles with SoDs;
                                    SoD remediation is difficult     remediation is easy
Common Challenges with ECC Security
Key Areas to Review
The following are key areas to consider when reviewing SAP security:
– SoD and sensitive access
– Monitoring of sensitive objects
– Security strategy assessment
What are SoDs and SAs?
• Segregation of Duties (SoD)
Helps to establish an adequate division of responsibilities between those who maintain master data and those who process transactions
Example: “Create G/L Account” and “Post to G/L”
• Sensitive Access (SA)
Helps to establish that critical functions in a system are restricted to authorized individuals
Example: “Post to G/L”
How to Monitor SoDs/SAs
Companies have many different ways to monitor SoDs/SAs:
– SAP GRC Access Control
– Other access control systems (Bizrights, ControlPanel, etc.) or “homegrown” monitoring tools
– Transaction “SUIM”
SUIM
Use transaction SUIM (User Information System) to report users with sensitive transactions, authorization objects, or SoDs
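The table relationships on the Relevant Security Tables slide and the SoD/SA checks described above, worked through as an added example that is not code from the original deck: the script resolves each user's effective transaction access from constructed AGR_USER, AGR_AGRS and AGR_TCODES extracts (composite roles expanded, assignments expired on the reference date skipped) and then applies a hypothetical rule set that encodes the deck's “Create G/L Account” versus “Post to G/L” conflict as FS00 versus FB01. All role names, user IDs, dates and rule IDs are assumptions.

```python
"""Resolve each user's effective transaction access from SAP role-table
extracts and flag SoD conflicts and sensitive access.

Added example, not code from the original deck. The rows below are
constructed sample extracts shaped like AGR_USER, AGR_AGRS and AGR_TCODES;
all role names, user IDs, dates and the rule set are hypothetical.
"""
from collections import defaultdict

AS_OF = "20190810"  # SAP stores dates as YYYYMMDD strings, so they compare lexically

# Constructed AGR_USER extract: role-to-user assignments with validity period.
AGR_USER = [
    {"AGR_NAME": "Z_AP_CLERK_JOB",      "UNAME": "JDOE",   "FROM_DAT": "20150101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_FI_DOC_PROCESSING", "UNAME": "ASMITH", "FROM_DAT": "20150101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_FI_GL_MASTER",      "UNAME": "ASMITH", "FROM_DAT": "20150101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_FI_DOC_PROCESSING", "UNAME": "CTEMP",  "FROM_DAT": "20150101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_FI_GL_MASTER",      "UNAME": "CTEMP",  "FROM_DAT": "20150101", "TO_DAT": "20181231"},  # expired
    {"AGR_NAME": "Z_FI_COMMON_DISPLAY", "UNAME": "BLEE",   "FROM_DAT": "20150101", "TO_DAT": "99991231"},
]
# Constructed AGR_AGRS extract: single roles contained in a composite role.
AGR_AGRS = [
    {"AGR_NAME": "Z_AP_CLERK_JOB", "CHILD_AGR": "Z_FI_DOC_PROCESSING"},
    {"AGR_NAME": "Z_AP_CLERK_JOB", "CHILD_AGR": "Z_FI_COMMON_DISPLAY"},
]
# Constructed AGR_TCODES extract: transaction codes in each role menu.
AGR_TCODES = [
    {"AGR_NAME": "Z_FI_DOC_PROCESSING", "TCODE": "FB01"},  # post document
    {"AGR_NAME": "Z_FI_DOC_PROCESSING", "TCODE": "FB02"},  # change document
    {"AGR_NAME": "Z_FI_COMMON_DISPLAY", "TCODE": "FB03"},  # display document
    {"AGR_NAME": "Z_FI_GL_MASTER",      "TCODE": "FS00"},  # G/L account master
]

# Hypothetical rule set: the deck's "Create G/L Account" vs "Post to G/L"
# conflict, and "Post to G/L" as a sensitive function. Each side of a rule is
# the set of tcodes that deliver that business function.
SOD_RULES = {"GL01": ({"FS00"}, {"FB01"})}
SENSITIVE_TCODES = {"FB01"}


def expand_role(role, children, seen=None):
    """Return a role plus every single role nested in it (composites may nest)."""
    seen = set() if seen is None else seen
    if role not in seen:  # guards against cyclic or duplicated composite entries
        seen.add(role)
        for child in children.get(role, ()):
            expand_role(child, children, seen)
    return seen


def user_tcodes(agr_user, agr_agrs, agr_tcodes, as_of=AS_OF):
    """Map each user to the set of tcodes reachable through valid role assignments."""
    children = defaultdict(list)
    for row in agr_agrs:
        children[row["AGR_NAME"]].append(row["CHILD_AGR"])
    role_tc = defaultdict(set)
    for row in agr_tcodes:
        role_tc[row["AGR_NAME"]].add(row["TCODE"])
    result = defaultdict(set)
    for row in agr_user:
        if not row["FROM_DAT"] <= as_of <= row["TO_DAT"]:
            continue  # assignment not valid on the reference date
        for role in expand_role(row["AGR_NAME"], children):
            result[row["UNAME"]] |= role_tc.get(role, set())
    return dict(result)


def sod_conflicts(user_tc, rules=SOD_RULES):
    """Users holding tcodes on both sides of any SoD rule, as (user, rule_id)."""
    return [(user, rule_id)
            for user, tcs in sorted(user_tc.items())
            for rule_id, (side_a, side_b) in rules.items()
            if tcs & side_a and tcs & side_b]


def sensitive_access(user_tc, sensitive=SENSITIVE_TCODES):
    """Users holding any sensitive tcode, with the sensitive tcodes they hold."""
    return {user: sorted(tcs & sensitive)
            for user, tcs in user_tc.items() if tcs & sensitive}


if __name__ == "__main__":
    access = user_tcodes(AGR_USER, AGR_AGRS, AGR_TCODES)
    for user, tcs in sorted(access.items()):
        print(f"{user:8} {' '.join(sorted(tcs))}")
    print("SoD conflicts:", sod_conflicts(access))
    print("Sensitive access:", sensitive_access(access))
```

In the sample, JDOE inherits FB01/FB02/FB03 through the composite role, ASMITH trips rule GL01, and CTEMP does not because the FS00 role assignment has expired. Note that AGR_TCODES reflects the role menu only; the transaction-start check uses the S_TCODE values in AGR_1251, which can be broader (ranges or wildcards), so a production SoD tool reads both.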
Monitor Sensitive Security Objects
• S_DEVELOP: Controls ABAP Workbench access in SAP, including “debug” access. Activity values 01 and 02 should generally not be given in production.
• S_RFC: Checked when a function module is executed via RFC; broad values let a user (including the service users that other systems log on with) call function modules remotely.
• S_TABU_DIS: Controls the ability to view or change tables in SAP, by table authorization group. Star values should be avoided.
• S_PROGRAM: Controls the execution of ABAP programs in SAP, by program authorization group. As with S_TABU_DIS, avoid stars.
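A check over an AGR_1251 extract for the four objects on this slide, added here as an example and not the deck's own tooling. It reads the slide's “01 and 02” as the ACTVT field of S_DEVELOP (an assumption), matches values the way SAP authorization values are matched (a lone “*”, an inclusive LOW..HIGH range, a trailing-“*” prefix pattern, or an exact value), and skips rows that PFCG has flagged DELETED. The rows, role names, authorization names and the ZFIN table group are constructed.

```python
"""Scan an AGR_1251 extract for sensitive authorization values.

Added example, not code from the original deck. The rows are a constructed
sample of AGR_1251 (one row per field value of an authorization in a role);
role names, authorization names and the group ZFIN are hypothetical.
"""

# Rules drawn from the slide: (object, field, critical values, reason).
# Reading "01 and 02" as the ACTVT field of S_DEVELOP is an assumption.
SENSITIVE_RULES = [
    ("S_DEVELOP",  "ACTVT",     {"01", "02"}, "create/change in the ABAP Workbench (incl. debug) in production"),
    ("S_RFC",      "RFC_NAME",  {"*"},        "unrestricted execution of RFC function modules"),
    ("S_TABU_DIS", "DICBERCLS", {"*"},        "all table authorization groups"),
    ("S_PROGRAM",  "P_GROUP",   {"*"},        "all program authorization groups"),
]

# Constructed AGR_1251 extract. DELETED = "X" marks a value PFCG has removed
# from the role but not yet purged from the table, so it must be skipped.
AGR_1251 = [
    {"AGR_NAME": "Z_BASIS_SUPPORT",     "OBJECT": "S_DEVELOP",  "AUTH": "T-AB001", "FIELD": "ACTVT",     "LOW": "01",    "HIGH": "03", "DELETED": ""},
    {"AGR_NAME": "Z_BASIS_SUPPORT",     "OBJECT": "S_DEVELOP",  "AUTH": "T-AB001", "FIELD": "OBJTYPE",   "LOW": "DEBUG", "HIGH": "",   "DELETED": ""},
    {"AGR_NAME": "Z_BASIS_SUPPORT",     "OBJECT": "S_TABU_DIS", "AUTH": "T-AB002", "FIELD": "DICBERCLS", "LOW": "*",     "HIGH": "",   "DELETED": ""},
    {"AGR_NAME": "Z_BASIS_SUPPORT",     "OBJECT": "S_TABU_DIS", "AUTH": "T-AB002", "FIELD": "ACTVT",     "LOW": "03",    "HIGH": "",   "DELETED": ""},
    {"AGR_NAME": "Z_BASIS_SUPPORT",     "OBJECT": "S_RFC",      "AUTH": "T-AB003", "FIELD": "RFC_NAME",  "LOW": "*",     "HIGH": "",   "DELETED": ""},
    {"AGR_NAME": "Z_BASIS_SUPPORT",     "OBJECT": "S_PROGRAM",  "AUTH": "T-AB004", "FIELD": "P_GROUP",   "LOW": "*",     "HIGH": "",   "DELETED": "X"},  # removed
    {"AGR_NAME": "Z_FI_COMMON_DISPLAY", "OBJECT": "S_DEVELOP",  "AUTH": "T-FI001", "FIELD": "ACTVT",     "LOW": "03",    "HIGH": "",   "DELETED": ""},
    {"AGR_NAME": "Z_FI_COMMON_DISPLAY", "OBJECT": "S_TABU_DIS", "AUTH": "T-FI002", "FIELD": "DICBERCLS", "LOW": "ZFIN",  "HIGH": "",   "DELETED": ""},
    {"AGR_NAME": "Z_FI_COMMON_DISPLAY", "OBJECT": "S_TABU_DIS", "AUTH": "T-FI002", "FIELD": "ACTVT",     "LOW": "03",    "HIGH": "",   "DELETED": ""},
]


def value_matches(low, high, target):
    """Emulate SAP's matching of one authorization field value against a target.

    "*" alone matches everything, LOW..HIGH is an inclusive range, a trailing
    "*" is a prefix pattern, anything else must match exactly.
    """
    if low == "*":
        return True
    if high:
        return low <= target <= high
    if low.endswith("*"):
        return target.startswith(low[:-1])
    return low == target


def check_sensitive(agr_1251, rules=SENSITIVE_RULES):
    """Return (role, object, authorization, field, value, reason) for every hit."""
    findings = []
    for row in agr_1251:
        if row.get("DELETED") == "X":
            continue
        shown = f"{row['LOW']}-{row['HIGH']}" if row["HIGH"] else row["LOW"]
        for obj, field, critical, reason in rules:
            if (row["OBJECT"], row["FIELD"]) != (obj, field):
                continue
            # a range such as ACTVT 01-03 or a pattern covers the critical value
            if any(value_matches(row["LOW"], row["HIGH"], v) for v in critical):
                findings.append((row["AGR_NAME"], obj, row["AUTH"], field, shown, reason))
    return findings


if __name__ == "__main__":
    for hit in check_sensitive(AGR_1251):
        print(*hit, sep=" | ")
```

The sample flags three values in Z_BASIS_SUPPORT: the S_DEVELOP range 01-03 (it covers 01 and 02 even though neither is listed literally), the S_TABU_DIS star and the S_RFC star; the S_PROGRAM star is not reported because the row is marked deleted, and the display-only role is clean. The range and pattern handling is the part most ad-hoc SE16 queries miss.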
Security Design Assessment
A security design assessment benchmarks several key performance indicators against a successful security design
It is less concerned with the access a user has and more concerned with how they got it
It is completed by performing a statistical analysis of the SAP security environment
Statistical Analysis of SAP Security Environment
Below are example benchmarks for examining an SAP security design:
– Number of duplicated transaction codes in roles
– Number of authorization objects in assigned roles
– Number of changed and manually-inserted authorization objects
– Number of roles
– Number of roles with transaction code ranges or wildcards
– Number of changed authorizations
Example: Duplicated Transaction
Duplication of transaction codes complicates the provisioning process
Example: a user needs access to transaction code VD01. If this transaction code sits in seven different roles, which one can we assign?
SAP tables to query: AGR_1251, AGR_TEXTS, TSTCT
Expected query result: 5%-8% of transaction codes should be duplicated
Exceptions are transaction codes with different functionality; for example, F110 (create payment proposal, run payment proposal)
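The duplication benchmark from this slide and the “ranges or wildcards” benchmark from the previous one, computed from constructed AGR_TCODES and AGR_1251 rows as an added example that is not from the deck. F110 is excluded as the slide's accepted exception; role names are hypothetical, and the figures (role count, average tcodes per role, duplication share, wildcard/range roles) are the ones a practitioner would compare against the Job vs. Task table.

```python
"""Compute the deck's security-design benchmarks from role-table extracts.

Added example, not code from the original deck. AGR_TCODES and AGR_1251 rows
are constructed samples; role names are hypothetical. The exception list
follows the deck's F110 example (one tcode legitimately in more than one role).
"""
from collections import defaultdict

# Constructed AGR_TCODES extract: transaction codes in each role menu.
AGR_TCODES = [
    {"AGR_NAME": "Z_SD_CUST_MASTER",      "TCODE": "VD01"},
    {"AGR_NAME": "Z_SD_CUST_MASTER",      "TCODE": "VD02"},
    {"AGR_NAME": "Z_SD_CUST_MASTER",      "TCODE": "VD03"},
    {"AGR_NAME": "Z_SD_ORDER_ENTRY",      "TCODE": "VA01"},
    {"AGR_NAME": "Z_SD_ORDER_ENTRY",      "TCODE": "VA02"},
    {"AGR_NAME": "Z_SD_ORDER_ENTRY",      "TCODE": "VD01"},  # duplicate of the master-data role
    {"AGR_NAME": "Z_SD_COMMON_DISPLAY",   "TCODE": "VD03"},  # duplicate of the master-data role
    {"AGR_NAME": "Z_SD_COMMON_DISPLAY",   "TCODE": "VA03"},
    {"AGR_NAME": "Z_AP_PAYMENT_PROPOSAL", "TCODE": "F110"},  # accepted exception
    {"AGR_NAME": "Z_AP_PAYMENT_RUN",      "TCODE": "F110"},
]
# Constructed S_TCODE rows from AGR_1251: these, not the menu, are what the
# transaction-start check evaluates, so ranges and wildcards live here.
AGR_1251 = [
    {"AGR_NAME": "Z_SD_CUST_MASTER",    "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "VD01", "HIGH": "",     "DELETED": ""},
    {"AGR_NAME": "Z_SD_ORDER_ENTRY",    "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "VA01", "HIGH": "VA03", "DELETED": ""},   # range
    {"AGR_NAME": "Z_BASIS_ALL",         "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "*",    "HIGH": "",     "DELETED": ""},   # wildcard
    {"AGR_NAME": "Z_SD_COMMON_DISPLAY", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "V*",   "HIGH": "",     "DELETED": "X"},  # removed
]
DUPLICATION_EXCEPTIONS = frozenset({"F110"})


def duplicated_tcodes(agr_tcodes, exceptions=DUPLICATION_EXCEPTIONS):
    """Return ({tcode: [roles]} for tcodes in more than one role, share of all tcodes)."""
    roles_by_tc = defaultdict(set)
    for row in agr_tcodes:
        if row["TCODE"] not in exceptions:  # exceptions leave the population entirely
            roles_by_tc[row["TCODE"]].add(row["AGR_NAME"])
    dups = {tc: sorted(roles) for tc, roles in roles_by_tc.items() if len(roles) > 1}
    share = len(dups) / len(roles_by_tc) if roles_by_tc else 0.0
    return dups, share


def wildcard_tcode_roles(agr_1251):
    """Roles whose S_TCODE values use a range (HIGH set) or a '*' pattern."""
    flagged = defaultdict(list)
    for row in agr_1251:
        if (row["OBJECT"], row["FIELD"]) != ("S_TCODE", "TCD") or row.get("DELETED") == "X":
            continue
        if row["HIGH"]:
            flagged[row["AGR_NAME"]].append(f"{row['LOW']}-{row['HIGH']}")
        elif "*" in row["LOW"]:
            flagged[row["AGR_NAME"]].append(row["LOW"])
    return dict(flagged)


def design_kpis(agr_tcodes, agr_1251, exceptions=DUPLICATION_EXCEPTIONS):
    """The benchmark figures as a dict, ready to compare against the deck's targets."""
    per_role = defaultdict(set)
    for row in agr_tcodes:
        per_role[row["AGR_NAME"]].add(row["TCODE"])
    dups, share = duplicated_tcodes(agr_tcodes, exceptions)
    return {
        "roles": len(per_role),
        "avg_tcodes_per_role": round(sum(map(len, per_role.values())) / len(per_role), 1),
        "duplicated_tcodes": dups,
        "duplication_share": round(share, 3),
        "wildcard_or_range_roles": wildcard_tcode_roles(agr_1251),
    }


if __name__ == "__main__":
    for key, value in design_kpis(AGR_TCODES, AGR_1251).items():
        print(f"{key}: {value}")
```

On the sample, two of six non-exception transaction codes (VD01 and VD03) sit in more than one role, a 33% share against the 5%-8% the slide expects, and two roles carry an S_TCODE range or wildcard. For a readable report, role and transaction descriptions would be joined in from AGR_TEXTS and TSTCT, the two other tables the slide names; they do not change the figures.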
Assessing SAP Security Design
Case Study Profile
Company Profile
Consumer Products (Beauty)
Original SAP Implementation: Completed in early 2000’s
Total User Count: ~5,000 SAP User IDs
SAP GRC 5.3 Installed at time of project start
Before
Prior to Project
Role Count: 18,000+
Users: 5,000 (3,000 users with more than just T&E access)
Firefighter Usage: 3,000,000 transactions in first six months
Business ownership: Limited
SAP GRC Version: 5.3
After
After Project
Role Count: 300 task roles (350 enabler roles)
Users: 5,000 (3,000 users with more than just T&E access)
Firefighter Usage: 150,000 transactions in first six months
Business ownership: Significant
SAP GRC Version: 10
Wrap Up
Top Points to Remember:
Core elements of SAP security are authorizations, profiles, users, and roles
There are two main methodologies for designing SAP security: job and task
Transaction “SUIM” and/or SAP GRC can be used to test for Segregation of Duties and Sensitive Access
Sensitive SAP security objects should be restricted appropriately
An assessment of SAP security design is one indicator of how successful your security will be long term
Questions?
Contact me:
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the
PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.