
SAP Security important Questions


Page 1: SAP Security important Questions

1. What needs to be secured in the company?

Master data and financial information, for example:
- Material master
- Vendor master
- Employee master
- Asset master
- Profit & loss reports
- Financial information

2. From whom?

From the authenticated users created in SAP. Authentication only proves who is logging on; the controls below decide what an authenticated user is allowed to do.

3. How to protect?

3.1 Define who does what, up to what level and in which jurisdiction (organizational unit).

Example: a purchasing officer creates and approves purchase orders for a value of not more than 10,000 (ten thousand only) for his own division (028).

3.2 Define the SOD (Segregation of Duties / Separation of Duties).

The SOD is a matrix that lists each position together with its roles and responsibilities and marks which combinations of duties must not be held by the same person.

4. What tools are used?

4.1 Virsa (originally a third-party tool; SAP acquired Virsa in 2006 and it became SAP GRC Access Control)
4.2 Approva (third-party)

Standard SAP transactions used in security work: SU01, SU10, SU20, SU21, SU22, SU23, SU24, SU25, SU53, SU56, SUIM, SU99, PFCG, PFUD, SU02, SU3, SM30, SE38, SE54, SA38, SE12, ST01

_____________________________________________________

SOX (Sarbanes-Oxley Act, Section 404)

Section 404 requires the management of a public company to maintain and assess internal controls over financial reporting. In SAP security this is implemented through segregation of duties: the steps of a single business transaction should not all be assigned to one user, so that no individual can both commit and conceal a malpractice or misuse company funds.

Example (hire-to-retire chain):
1. Hire requisition
2. Hiring (recruiting)
3. Job assignment
4. Time recording
5. Payroll processing
6. Salary disbursement

Example (procure-to-pay chain):
1. Purchase requisition
2. Purchase approval and release
3. Invoice and billing
4. Goods delivery
5. Goods receipt
6. Payment to the vendor
7. Reconciliation

None of the above chains should be assigned end to end to a single user. The steps have to be spread across users so that at least two people are involved in every transaction.

Role Matrix / SOD

It is a matrix that maps positions/jobs to the transactions they are allowed to run. Roles built from the matrix are assigned to users, and the user obtains the authorizations for the transactions through those roles.

Authentication: the process of proving identity when logging on, normally with user ID and password (or an SSO ticket).

Authorization: the process of deciding what an authenticated user may do, implemented by assigning roles to the user for certain activities.

SAP authorizations are positive only: there is no "negative" role that removes or restricts authorizations. Whatever a user is authorized for through any of his roles he is allowed to do, so every role assignment adds rights and nothing subtracts them.
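The SOD check described above, as an added Python example (not part of the original notes): the role matrix and the conflicting duty pairs are plain data, and the check reports every user who holds both halves of a conflict, whether through one role or across several. It also flags single roles that already contain a conflict on their own, which the notes later call out as bad role design. The transaction codes are standard SAP ones; the business functions, role names, user IDs and assignments are constructed sample data.

```python
"""SOD conflict check over a role matrix.

Added illustration, not from the original notes: the role matrix and the
conflicting duty pairs are plain data, and the check reports every user who
holds both halves of a conflict, whether through one role or across several.
Transaction codes are standard SAP transactions; the business functions,
role names, user IDs and assignments are constructed sample data.
"""
from itertools import combinations

# Business function -> transaction codes that perform it (constructed mapping
# for the procure-to-pay chain of the notes; real SAP transaction codes).
FUNCTIONS = {
    "PR_CREATE":   {"ME51N"},           # purchase requisition
    "PO_RELEASE":  {"ME28", "ME29N"},   # purchase approval and release
    "GOODS_RCPT":  {"MIGO"},            # goods receipt
    "INVOICE":     {"MIRO"},            # invoice verification
    "VENDOR_PAY":  {"F110"},            # payment run to the vendor
    "VENDOR_MAST": {"XK01", "XK02"},    # vendor master maintenance
}

# The SOD matrix: pairs of functions one person must not hold together.
CONFLICTS = {
    frozenset({"PR_CREATE", "PO_RELEASE"}),
    frozenset({"PO_RELEASE", "GOODS_RCPT"}),
    frozenset({"INVOICE", "VENDOR_PAY"}),
    frozenset({"VENDOR_MAST", "VENDOR_PAY"}),
}

# Role -> transactions in its menu (constructed roles in the Z naming convention).
ROLES = {
    "Z_MM_BUYER":      {"ME51N", "ME21N"},
    "Z_MM_APPROVER":   {"ME28", "ME29N"},
    "Z_MM_WAREHOUSE":  {"MIGO"},
    "Z_MM_ALL":        {"ME51N", "ME28", "MIGO"},   # badly designed role
    "Z_FI_AP_CLERK":   {"MIRO"},
    "Z_FI_PAYMENTS":   {"F110"},
    "Z_FI_VENDOR_ADM": {"XK01", "XK02"},
}

# User -> assigned roles (constructed).
USER_ROLES = {
    "JSMITH": ["Z_MM_BUYER", "Z_MM_APPROVER"],    # requests and releases POs
    "AJONES": ["Z_FI_AP_CLERK", "Z_FI_PAYMENTS"], # posts invoices and pays them
    "BLEE":   ["Z_MM_WAREHOUSE"],                 # clean
}


def functions_for(tcodes):
    """Business functions reachable with a set of transaction codes."""
    return {func for func, codes in FUNCTIONS.items() if codes & tcodes}


def conflicting_pairs(functions):
    """Sorted (a, b) pairs from `functions` that appear in the SOD matrix."""
    return sorted(tuple(sorted(pair))
                  for pair in combinations(functions, 2)
                  if frozenset(pair) in CONFLICTS)


def user_violations(user_roles=USER_ROLES, roles=ROLES):
    """Users whose combined roles violate the SOD matrix.

    Conflicts are evaluated on the union of all roles, because SAP
    authorizations are additive: two individually clean roles can still
    put both halves of a conflict on one user.
    """
    result = {}
    for user, assigned in user_roles.items():
        tcodes = set().union(*(roles[r] for r in assigned))
        pairs = conflicting_pairs(functions_for(tcodes))
        if pairs:
            result[user] = pairs
    return result


def role_self_conflicts(roles=ROLES):
    """Single roles that already carry a conflict on their own."""
    return {name: pairs for name, tcodes in roles.items()
            if (pairs := conflicting_pairs(functions_for(tcodes)))}


if __name__ == "__main__":
    for user, pairs in user_violations().items():
        print(f"{user}: {', '.join(f'{a} + {b}' for a, b in pairs)}")
    for role, pairs in role_self_conflicts().items():
        print(f"role {role} conflicts with itself: {pairs}")
```

The same structure scales to a real system by filling ROLES from AGR_TCODES and USER_ROLES from AGR_USERS; the point of evaluating on the union of a user's roles is that a user-level conflict is invisible when each role is reviewed in isolation.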

Designing security: security is implemented in parallel with the SAP implementation itself, following the ASAP methodology to design, develop, transport, test and move the roles into productive use.

Phases:
1. Analysis and conception phase
2. Design phase
3. Implementation (realization)
4. Testing
5. Cutover

1. Analysis and conception phase: understand the customer's security requirements. Assemble the project implementation team and gather the requirements related to security. Identify the assets: materials, the financial structure (accounts receivable, accounts payable) and the other master data that needs protection.

Identify the actions (activities that need to be protected) on a specific field, area or object.

Create, modify, display, reverse, approve, print, upload, download etc. are actions on an object such as a purchase order, restricted to a field value such as purchasing area 02. A value of * means all possible areas.

Do not specify an asterisk (*) for any open field: it grants the full value range of that field, which is almost never what the SOD matrix intended.

Gather the requirements and design a role matrix for each module. Identify the jobs/positions and their responsibilities and define the matrix.

*************************************************************

2. Design phase: define the role matrix / SOD blueprint and refine it until it is approved and signed off.

*************************************************************

3. Development / implementation / realization phase: develop the roles in the customizing (golden) client and transport them to the test client for testing. Assign the roles to the business process owners and have them test.

*************************************************************

4. Testing / quality assurance / final preparation: release the roles in development for transport and import them into the QTST client of the QAS system. After successful testing, import them into the TRNG client, where end users are trained on the system with the final roles.

___________________________________________________________

5. Cutover / go-live phase: transport the roles to the production system.

_____________________________________________________

Initializing the Profile Generator:

SU25, step 1: initially fill the customer tables.

This is the first step to be executed before starting security work on a new system.

USOBT and USOBX are the SAP standard tables:
USOBT -------- transaction vs. authorization object (proposed field values)
USOBX -------- check indicators

When you execute SU25 step 1 (initial fill) it copies the entries from USOBT and USOBX to the customer tables USOBT_C and USOBX_C. The customer then maintains the copies (with SU24), not the SAP originals. If step 1 is run again after customer settings have been made, those settings are overwritten with the SAP defaults and lost; on an existing system use the upgrade steps (2a to 2d) instead.

How security works

1. User ID and password (authentication of the user). To prevent misuse of credentials or impersonation by others, security parameters for user IDs and passwords are set (for example 30-day expiry, alphanumeric passwords, minimum length, disallowing multiple logons).

2. When a user starts a transaction, the system checks in SM01 whether the transaction code is locked.

3. It checks whether the user is allowed to start the transaction: authorization object S_TCODE, field TCD, value = transaction code.

4. It checks table TSTCA for an additional authorization object and values maintained for the transaction in SE93 (the minimum authorization of the transaction).

5. Then the program runs, and every AUTHORITY-CHECK statement in it is evaluated against the authorizations in the user context (user buffer). SU24 decides which of these objects the Profile Generator proposes for the transaction in PFCG; a check indicator of "Do not check" also suppresses the check for that transaction (not for Basis S_* and HR objects).

6. Program code that needs protection beyond these checks uses AUTHORITY-CHECK on its own objects.

Every transaction start is checked under object S_TCODE, field TCD.

SU24:

SU24 reads its values from tables USOBT_C and USOBX_C (the customer copies filled from USOBT and USOBX in SU25).

USOBT_C contains, per transaction, the list of authorization objects with proposed field values that PFCG pulls into the role when the transaction is added to the menu.

USOBX_C contains the check indicator per transaction and object: Check/Maintain (checked and proposed in PFCG), Check (checked but not proposed), Do not check, or Unmaintained.

Some objects are checked in the code but should not be proposed in every role, so they are set to Check without proposal; others can be set to Do not check to suppress the check for that transaction. Each SU24 change is client-independent (repository data) and is recorded in a Workbench transport request.

Programming authorizations

Each program that needs to be secured uses the statement AUTHORITY-CHECK followed by the authorization object and, for each field, the field name and the value to check (one of the fields is normally the activity, ACTVT).

Authorization is controlled at field level and based on activity. The statement compares the checked values with the authorizations in the user buffer and sets sy-subrc (0 = authorized, 4 = no single authorization covers the checked values, 12 = no authorization for the object at all). The program must evaluate sy-subrc itself, because the kernel does not stop the program on a failed check.

Developers should be advised to use this statement in their own programs: a custom report without an AUTHORITY-CHECK is protected by S_TCODE (and S_PROGRAM) only.

Authorizations:

Authorization field: the lowest-granularity element that needs protection is the authorization field. Fields are defined in SU20. They are repository objects and therefore cross-client, and each new field must follow the customer naming convention (Y or Z prefix). An authorization field usually refers to a data element and hence to a database table field (purchase order, sales order, salary fields).

Authorization activity: the type of action performed on the field: create, modify/update, display, delete, approve etc. Activities are defined in table TACT, which can be edited in SM30, and are identified by a two-character code (01 create, 02 change, 03 display, ...).

Authorization

A set of fields with their values (including the activity) for one object is referred to as an authorization.

Example: purchase order -- activity create (01), change (02), display (03); purchase order -- purchasing organization (0001), area (002), plant (SRN).

A group of not more than 150 authorizations is called an authorization profile. If a role needs more than 150 authorizations, PFCG generates a further profile (suffix _1, ...) and groups the profiles into a composite profile.

Authorization object:

A group of not more than 10 related authorization fields is an authorization object. Objects are defined in SU21. Each object is assigned the activities that are allowed for it; these are stored in table TACTZ.

Authorization classes:

Related authorization objects are grouped into an authorization object class, also maintained in SU21 (SU22 shows the SAP-delivered check indicators and default values for the objects). An authorization object is assigned to a transaction in SU24 and marked there with the check indicator that decides whether it is proposed for maintenance in PFCG.

Authorization role: roles were called activity groups up to release 4.6B; from 4.6C activity groups are called roles. A role is a container holding a menu (transactions, reports, URLs) and the generated profile. The role is only a name; the authorizations become effective through the profile generated from it. Roles are created in transaction PFCG (Profile Generator).

_____________________________________________________

Check sequence at transaction start:
1. SU01 (user ID and password)
2. SM01 (transaction lock)
3. S_TCODE
4. TSTCA
5. SU24 / the objects the transaction checks
6. AUTHORITY-CHECK in the program

_____________________________________________________

User context: the part of the roll area where user-related information is stored, comparable to a cookie in a browser. It exists while the user is logged on and is lost at logoff. The user context holds the user's authorizations (the user buffer), open screens, etc. SU56 displays the authorizations in the user buffer of the current (or a selected) user.

-----------------------------------------------------

Missing authorizations:
1. The user executes a transaction.
2. The system checks the user buffer (SU56) for the required authorization.
3. If it is not there, the failed check is recorded and can be displayed with SU53.

SU53 shows the missing authorization object, authorization field, transaction code, field value, activity and organizational value of the check that failed. SU53 records only the last failed authorization check of the user's own session, so it has to be run immediately after the failure and cannot show failures from earlier sessions. To capture all checks, including those of other users and of RFC or background processing, use the authorization trace in ST01.

----------------------------------------------------

Role: roles are defined in PFCG. A role contains transactions, menus, URLs and reports, and the authorization data generated from them: authorization classes, objects, fields, values, activities and the generated profile(s) or composite profile.
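The check sequence, the AUTHORITY-CHECK semantics and the SU53 behaviour described above, as an added Python model (not from the notes, and not the ABAP kernel's code): the user buffer is a list of authorizations, authority_check imitates the ABAP statement AUTHORITY-CHECK OBJECT ... ID ... FIELD ... including its sy-subrc values, and the context keeps only the last failure the way SU53 does. S_TCODE, M_BEST_BSA, M_BEST_EKO and M_BEST_WRK are real authorization objects; the buyer's values and the list of checks attributed to ME21N/ME23N are constructed, and the SM01 lock and TSTCA steps are left out.

```python
"""Simulation of the SAP authorization check at transaction start.

Added illustration, not from the original notes. The user buffer (what SU56
displays) is modelled as a list of authorizations, each naming an object and
the permitted values per field. start_transaction() runs the S_TCODE gate and
then the AUTHORITY-CHECK statements of the program, with SAP-style matching:
'*' for everything, 'ME2*' as a prefix, (from, to) intervals, and otherwise
equality. Like SU53 the context keeps only the last failed check. Object and
field names are standard SAP ones; user, values and checks are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    obj: str            # authorization object, e.g. "M_BEST_WRK"
    fields: dict        # field name -> tuple of allowed values / (from, to) intervals


@dataclass
class UserContext:
    user: str
    auths: list
    last_failure: Optional[dict] = None   # what SU53 would show


def value_allowed(allowed, value):
    """True if `value` matches any entry maintained for an authorization field."""
    for a in allowed:
        if isinstance(a, tuple):                      # (from, to) interval as in PFCG
            if a[0] <= value <= a[1]:
                return True
        elif a == "*" or a == value or (a.endswith("*") and value.startswith(a[:-1])):
            return True
    return False


def authority_check(ctx, obj, **required):
    """AUTHORITY-CHECK OBJECT obj ID field FIELD value ...

    Returns sy-subrc: 0 = authorized, 4 = the user has the object but no single
    authorization covers all required values, 12 = no authorization for the
    object at all. All fields must match within ONE authorization; values from
    two different authorizations of the same object do not combine.
    """
    candidates = [a for a in ctx.auths if a.obj == obj]
    for auth in candidates:
        if all(value_allowed(auth.fields.get(f, ()), v) for f, v in required.items()):
            return 0
    ctx.last_failure = {"object": obj, **required}   # SU53 keeps only the last one
    return 12 if not candidates else 4


def start_transaction(ctx, tcode, *checks):
    """S_TCODE gate (step 3 in the notes) followed by the program's checks (step 6)."""
    if authority_check(ctx, "S_TCODE", TCD=tcode) != 0:
        return "not authorized: " + tcode
    for obj, required in checks:
        if authority_check(ctx, obj, **required) != 0:
            return "no authorization for " + obj
    return "ok"


def buyer_context():
    """Constructed user buffer of a buyer: may create/change POs of type NB in
    purchasing organizations 1000-1999, but is display-only at plant level."""
    return UserContext("JSMITH", [
        Authorization("S_TCODE",    {"TCD":   ("ME21N", "ME23N", "ME2*")}),
        Authorization("M_BEST_BSA", {"ACTVT": ("01", "02", "03"), "BSART": ("NB",)}),
        Authorization("M_BEST_EKO", {"ACTVT": ("01", "02", "03"), "EKORG": (("1000", "1999"),)}),
        Authorization("M_BEST_WRK", {"ACTVT": ("03",), "WERKS": ("*",)}),
    ])


# Checks attributed here to ME21N / ME23N for a PO of type NB in purchasing
# organization 1500 and plant 1000 (constructed; the real programs check more).
PO_CREATE_CHECKS = (
    ("M_BEST_BSA", {"ACTVT": "01", "BSART": "NB"}),
    ("M_BEST_EKO", {"ACTVT": "01", "EKORG": "1500"}),
    ("M_BEST_WRK", {"ACTVT": "01", "WERKS": "1000"}),
)
PO_DISPLAY_CHECKS = tuple((obj, {**req, "ACTVT": "03"}) for obj, req in PO_CREATE_CHECKS)


if __name__ == "__main__":
    ctx = buyer_context()
    print(start_transaction(ctx, "ME23N", *PO_DISPLAY_CHECKS))   # display works
    print(start_transaction(ctx, "ME21N", *PO_CREATE_CHECKS))    # fails at M_BEST_WRK
    print("SU53:", ctx.last_failure)
    print(start_transaction(ctx, "MIGO"))                         # fails at S_TCODE
```

Two things the model makes visible: a check is satisfied only by a single authorization holding all the checked values, so ACTVT 01 in one authorization and the required BSART in another does not authorize a create; and S_TCODE accepts patterns such as ME2*, which is why a value of * there lets the user start every transaction code.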

Execute PFCG and create the role:
1. Define the roles as per the naming conventions.
2. Create roles in one client (the golden client) and transport them to the other clients and systems in the landscape.
3. Roles can be uploaded to and downloaded from the system.
4. Roles can be transported massively.
5. Ensure that roles do not contain duplicate authorizations.
6. ASSIGN ONLY THE ROLES THAT ARE APPROVED/REQUIRED as per the SOD.

****************************************************************

PFCG is used for the following:
1. Create/modify/display/delete a role.
2. Download a role to the file system (Download).
3. Upload a role into the SAP system (Upload).

Specify the role name and click Create (you can also copy an existing role). Give the role a short description and, in the Description tab, a long description, e.g. "This role is created for Plant Maintenance (Planning Division) and contains the following transactions: ..." (list the transactions along with the role owner).

The description is used to identify the creator/modifier/owner of the role. Further changes to the role should only be performed after obtaining approval from the role owner.

Click on the Menu tab.

It is used to include transactions, reports, menus, URLs and other applications.

Menu: menus provide user-friendly navigational elements. Area menus are defined in SE43.

SAP provides the SAP Easy Access menu, which can be overridden by the user menu built from the user's roles.

We can create our own area menus in SE43. Authorizations are derived from the transactions in the menu, and transactions can be copied into the role menu from the SAP menu, from another role (user menu) or from an area menu (SE43).

Note: when custom programs/reports are added to the menu directly, PFCG automatically generates a transaction code for them (starting with "Y").

The menu only lists the transactions; the authorizations are proposed and have to be maintained according to the SU24 Check/Maintain settings.

Click on the Authorizations tab.

Click on Change Authorization Data to maintain the open fields and activities.

Example: SU01 is added to the role. A user who gets this role can create users, but only within the restrictions maintained in the open fields (user group, client, role, profile etc.).

Change Authorization Data shows the open fields of the authorization objects that are marked Check/Maintain in SU24.

Authorization classes, objects, authorizations and fields are shown in traffic-light colours:

YELLOW --------- an activity or field value is still missing
RED ------------ an organizational level is missing (sales organization, sales area, distribution channel, plant, storage location etc.)
GREEN ---------- all values are maintained

Click on Organizational Levels and provide the values as per the SOD so that all the red lights are turned off.

For yellow lights, open the node manually and maintain the fields and activities.

Objects can also be inserted manually (not recommended; instead assign them to the transaction in SU24 so that they are proposed automatically in PFCG and survive the next role change).

Save the role and generate the profile (the profile contains the authorizations). A role is effective only after its profile has been generated, and the profile has to be regenerated after every change to the role's authorization data.

Assign the role to the user and perform a user comparison so that the role takes effect immediately. MiniApps, used up to 4.6C, are no longer used.

Personalization:

Personalization is used to restrict the output of a report/program, e.g. time recording should display only the last week and the coming week, or salary only for the last month.

Personalization objects are registered with transaction PERSREG.

Profiles were widely used up to 4.6B in combination with activity groups. Activity groups were renamed to roles in 4.6C, so when working with releases below 4.6C you will meet the terms AG, CAG (composite) and DAG (derived).

Earlier, profiles were created manually in SU02, like SAP_ALL and SAP_NEW. Since 4.6C SAP discontinued manual profile maintenance and introduced roles.

The Profiles tab is still available in SU01. SAP_ALL (a single profile regenerated by report RSUSR406) and SAP_NEW (a composite profile) are the standard profiles still delivered in current releases. Profiles are no longer created manually, only generated while maintaining a role.

Profiles can be generated massively (after a role upload or role transport) using SUPC. Whether generated profiles travel with the role transport depends on the setting PROFILE_TRANSPORT in table PRGN_CUST; if they are not transported, generate them in the target system with SUPC. Depending on the number of authorizations in the role, PFCG creates several profiles and a composite profile automatically.

On current NetWeaver-based systems it is not recommended to assign profiles directly; assign roles, which contain the generated profiles.

SAP_ALL and SAP_NEW are only assigned in TEST/SAND/QTST/TRNG systems and never in the CUST (development) or PROD systems: both grant far more than any job needs.

Single role: a role created in PFCG following the customer naming convention. It provides certain authorizations when assigned to a user.

A single role can be a reference role that serves as a base for other roles (copy role). A single role can be a parent role from which child (derived) roles are created. Single roles can be grouped into composite roles.

These role types cannot be distinguished technically; they are identified only by the naming convention, e.g.:
WILL_COMP_MM_DIV_10
WILL_DER_SD_SAREA_345
WILL_PARENT_SD_SAREA

_______________________________________________________

Composite roles: a group of roles, for administrative convenience or easy maintenance. Example: a zonal manager is responsible for a distribution channel such as Visakhapatnam (Srikakulam, Vizianagaram, EG, WG). Each district has a district manager who can work only in his allocated district. The four district manager roles are grouped into a composite role assigned to the zonal manager. Any enhancement (assign, reassign, delete) in the included roles is automatically reflected in the zonal manager's composite role.

Go to PFCG and specify a role name. The organizational values (company code, controlling area, division, sales org, distribution channel) are maintained in the included single roles; sample values: 1.00101 0001 01,02,0001,01,12,14,10

-----------------------------

Create a composite role:

The Authorizations tab is missing because no additional authorizations can be assigned to a composite role; only roles can be included. No profiles are generated (only the profiles of the included roles are used).

The menu of a composite role can be compressed to remove duplicates coming from the included roles.

Whatever changes in the included roles is reflected in the composite role.

In a composite role we can only include roles and compress the menu.

Composite roles have no profiles of their own; when transporting a composite role, the included single roles (with their generated profiles, subject to the transport settings) have to be transported as well.

----------------------------------------------------

Parent role: a single role that is referenced to create child (derived) roles. In most scenarios the parent role is not assigned to any user; it is a template for other roles.

The major advantage is that changes in the parent role are automatically adjusted into the child/derived roles, which is not the case with copied roles: copying is a one-time activity, whereas the parent-child relationship lasts until the inheritance is deleted.

Creating a child role / derived role:
1. Go to PFCG.
2. Specify a role name that identifies it as a derived role.
3. Click on Create.
4. In the Description tab specify the parent role name under "Derive from Role" and save.
5. The Menu tab is inherited, i.e. you cannot add any object through the Menu tab: the menu is fixed by the parent.
6. The authorization data of the derived role is not changed directly; it comes from the parent, and only the organizational levels are maintained in the child.
7. Maintain the open organizational levels.
8. Save and generate the profile.

Updating or enhancing a parent role:

Go to PFCG and select the parent role. Include or exclude transactions in the menu, click on Change Authorization Data, maintain the open fields, then save and generate the profile for the parent role.

Click on Adjust Derived Roles. It pushes the authorization data to all derived roles and regenerates their profiles, leaving the organizational values untouched.

The parent role imparts all its authorizations to the child/derived roles but not the ORG VALUES.

Parent role and child roles differ only by organizational values.

These are used to create plant manager, warehouse in-charge, division manager, depot manager etc. roles that are identical in their activities and differ only by org values.

The parent role imparts all its properties to the child roles; the child inherits everything except the organizational values, which have to be maintained in each child role.

Delete inheritance: the child role can break the relationship with the parent; from then on no updates/inheritance apply.

Go to PFCG, select the role, go to the Description tab and click on Delete Inheritance.
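The inheritance rules above, as an added Python model (not PFCG code and not from the notes): a child is derived from a parent by copying its authorization data, adjusting pushes the parent's data to every child that still inherits while preserving the child's own organizational levels, and deleting the inheritance freezes the child. M_BEST_WRK, M_MSEG_WWA, M_BEST_BSA and the org-level field names are real SAP ones; the role names, values and the list of org-level fields used here are constructed.

```python
"""Parent and derived roles: what 'Adjust Derived Roles' changes and what it keeps.

Added illustration, not from the original notes and not PFCG code. Roles are
plain objects; a child is derived from a parent by copying its authorization
data, and adjusting pushes the parent's data to every child that still
inherits while preserving the child's own organizational levels. Object and
field names are standard SAP ones; role names and values are constructed.
"""
from copy import deepcopy

# Fields PFCG treats as organizational levels (a subset of the real list).
ORG_LEVEL_FIELDS = {"BUKRS", "WERKS", "LGORT", "EKORG", "VKORG", "VTWEG", "SPART", "KOKRS"}


class Role:
    def __init__(self, name, auths, parent=None):
        self.name = name
        self.auths = auths              # list of {"obj": str, "fields": {field: [values]}}
        self.parent = parent            # Role this one is derived from, or None
        self.org_values = {}            # the child's own org-level values


def adjust_derived(parent, children):
    """PFCG 'Adjust Derived Roles': copy the parent's authorization data into each
    child that still inherits from it, then restore the child's org-level values."""
    for child in children:
        if child.parent is not parent:
            continue                    # inheritance deleted: the child is frozen
        new_auths = deepcopy(parent.auths)
        for auth in new_auths:
            for field in auth["fields"]:
                if field in ORG_LEVEL_FIELDS:
                    auth["fields"][field] = list(child.org_values.get(field, []))
        child.auths = new_auths


def derive(parent, name, org_values):
    """Create a child role from `parent` with its own organizational values."""
    child = Role(name, [], parent)
    child.org_values = dict(org_values)
    adjust_derived(parent, [child])
    return child


def delete_inheritance(child):
    """PFCG 'Delete Inheritance': the child keeps its data but no longer follows the parent."""
    child.parent = None


def missing_org_levels(role):
    """Org-level fields without values: the red traffic light in PFCG."""
    return sorted({field for auth in role.auths
                   for field, values in auth["fields"].items()
                   if field in ORG_LEVEL_FIELDS and not values})


def build_parent():
    """Constructed template role for a plant manager; org levels left empty."""
    return Role("Z_PARENT_PLANT_MGR", [
        {"obj": "M_BEST_WRK", "fields": {"ACTVT": ["01", "02", "03"], "WERKS": []}},
        {"obj": "M_MSEG_WWA", "fields": {"ACTVT": ["01", "03"], "WERKS": []}},
        {"obj": "M_BEST_BSA", "fields": {"ACTVT": ["01", "02", "03"], "BSART": ["NB"]}},
    ])


if __name__ == "__main__":
    parent = build_parent()
    plant_1000 = derive(parent, "Z_DER_PLANT_MGR_1000", {"WERKS": ["1000"]})
    plant_2000 = derive(parent, "Z_DER_PLANT_MGR_2000", {"WERKS": ["2000"]})
    parent.auths[0]["fields"]["ACTVT"].append("06")     # parent gains activity 06 (delete)
    delete_inheritance(plant_2000)
    adjust_derived(parent, [plant_1000, plant_2000])
    print(plant_1000.auths[0]["fields"])   # follows the parent, keeps WERKS 1000
    print(plant_2000.auths[0]["fields"])   # frozen: still 01, 02, 03 for WERKS 2000
```

Note that the parent itself still shows a red light in missing_org_levels(): that is normal for a template that is never assigned, and it is exactly why a derived role created without org values is unusable until its org levels are filled.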

***************************************************************

Profile update / user comparison: whenever a role assignment in the user master record changes, it may not take effect immediately.

1. Execute transaction PFUD to update the profiles in the user master records.
2. Use the User Comparison option in PFCG (User tab) to update the UMR.
3. Run report PFCG_TIME_DEPENDENCY in SA38, or schedule it periodically in SM36. This is also referred to as user master reconciliation. Option 3 is recommended because it runs in the background during off-peak hours and also removes assignments whose validity period has expired; the other two options run in dialog mode, may take a long time and can congest the system.

***************************************************************

User administration: user administration can be organized in the following ways:

1. Single control ---- small organizations, partnership firms, individual companies.
2. Principle of dual control ---- user administration is performed by one administrator, and role assignment/authorization changes by another.
3. Principle of treble control:
   a. User administrator (can be split by user groups)
   b. Role assigner
   c. Authorization administrator

1. User administrator: works with SU01 and SU10, but only within his user group(s). He may or may not be allowed to assign roles and profiles.
2. Role assigner: a user administrator or business process owner authorized to assign roles/profiles to users.
3. Authorization administrator: creation/modification/deletion of roles and generation of profiles are performed by the authorization administrator (also called the profile administrator).

User administration is restricted by using user groups, roles, clients, authorizations and profiles (objects S_USER_GRP, S_USER_AGR, S_USER_AUT, S_USER_PRO).

----------------------------------------------------------------

User groups: user groups are created in SUGR. They are used for mass maintenance of users in SU10, for example when assigning roles to a set of users.

User group for authorization check: the user group in the Logon Data tab is the value checked in S_USER_GRP, so a user administrator can be limited to managing only the users of the groups listed in his role.

Similarly, which roles an administrator may maintain or assign is controlled with S_USER_AGR (role name, e.g. ZMM* to ZMZ*, ZSD* to ZSZ*) and S_USER_AUT.

________________________________________________________________

User management: users are created in SU01 and maintained massively in SU10. Some companies use third-party tools (LDAP directories, custom programs, IDM tools) to populate users into SAP systems.

Ways to create users:
1. SU01
2. SU10
3. LDAP
4. Z programs that create users from an HR Excel sheet with different roles, profiles and parameters
5. SECATT
6. SCUA (Central User Administration)

_____________---------------___________________________

SU01 is used to create, modify, delete, display, lock, unlock, change the password of and copy a user, but only one user at a time. SU10 is used to maintain users massively, but with the same details for all selected users.

SU01/SU10 tabs

Address tab: maintains the details of the user such as first name, last name, title, language, department and location.

Logon Data tab:

Alias: an alternative logon name for Internet users (web logon); it is mostly used in CRM.

User type: there are 5 types of users.
1. Dialog: the only type intended for interactive logon by a person. Each session can be logged/traced, and the person is accountable for the actions during an audit. Multiple logons are allowed but can be restricted (login/disable_multi_gui_login); SAP recommends not allowing multiple logons in sensitive areas such as P&L, finance and HR.
2. Service: can log on interactively like a dialog user, but the password rules (expiry, forced change of the initial password) are not enforced and multiple logons are always allowed. It is an anonymous, shared user for public reporting and similar general activities, so its actions cannot be attributed to a person.
3. System: no interactive dialog is possible; used for background processing and communication within the system (examples: CUA, ALE, IDoc, standard background jobs). Password change rules do not apply.
4. Communication: no interactive dialog is possible; used for communication between systems via RFC (examples: SCC9 remote client copy, CUA, ALE, IDoc).
5. Reference: a user that cannot log on and whose authorizations are added to every user that names it in the Roles tab under "Reference user for additional rights". It is intended to give a group of users (typically Internet users) identical additional authorizations. In the scenario from these notes, when a user goes on leave his ID is converted to a reference user, which disables logon, and the delegate names it as reference user to inherit the rights; the delegate is then responsible for everything done, and his session can be logged and traced.

Note: tracing should only be switched on under exceptional circumstances, because the trace writes very large log files on the system.

Defaults tab:

Specify printer, decimal notation, date format, time zone etc. These are used by default when nothing else is specified and are overridden by program values.

Parameters tab:

Parameters provide default values for input fields. Frequently keyed inputs can be configured as parameters (company code, sales organization, sales area, sales division etc.) to reduce dialog steps.

Process:
1. Go to the input field.
2. Press F1.
3. Go to Technical Information.
4. Read the Parameter ID.
5. Specify the parameter ID and value in the Parameters tab of SU01.

Roles tab: roles are defined in PFCG and assigned here.

Profiles tab: profiles are generated in PFCG. Do not assign profiles here; they are assigned automatically based on the roles.

Groups tab: used for mass maintenance of a group of users.

Personalization tab: used to restrict the user's selection criteria and output; mostly the output is restricted to e.g. 20 lines per page, the current month or the last week (today minus 7).

License Data tab: the contractual user type has to be specified to calculate the licences used. The measurement itself is done in USMM during the year-end SAP audit; SAP counts users based on this information.

______________________________________

Calling transactions:

When one transaction is assigned, the user may be able to call further transactions from within it, e.g. SM51 calls SM50.

Table TCDCOUPLES stores the pairs of calling and called transactions. Use transaction SE97 to set the check indicator to Yes if the called transaction's S_TCODE authorization must be checked as well.

_____________________________________________________________

List of critical transactions that should not be assigned together:

SU99 provides the list of transactions that are critical for security. Customers can maintain their own list of critical transactions and combinations in table SUKRI, which the SUIM reports for critical combinations evaluate.

**************************************************************

Restricting access to tables and programs:

If SA38 is assigned to a user he can execute any program that has no authorization group; if SM30 is assigned he can maintain any table that is not protected.

Restricting programs: SAP recommends that developers secure their programs internally with AUTHORITY-CHECK, but for lack of programming skills or discipline many programs do not contain such a check.

So SAP recommends binding programs externally to authorization groups: the group is entered in the program attributes (SE38) and checked via object S_PROGRAM when the program is started from SA38/SE38.

Tables are protected the same way: table authorization groups are assigned in SE54 (table TDDAT) and checked via S_TABU_DIS when SM30/SE16 is used; S_TABU_NAM allows restriction to individual tables.

*************************************************************

Remaining topics: handling missing authorizations, CUA, LDAP, GRC, SAP security parameters.

******************************************

Handling missing authorizations:

1. A user raises a ticket that, while accessing a certain transaction, he gets the pop-up message "You are not authorized" (example: transaction VA01).

It can be due to the following reasons:

a) The transaction is not assigned to the user.
Resolution: assign the transaction (via a role) to the user based on approval.

b) The transaction is assigned in the UMR but the user still cannot access it.
Resolution: user master reconciliation ----- PFCG user comparison, PFUD, or schedule PFCG_TIME_DEPENDENCY in the background.

c) The user can start the transaction but cannot create the sales document or PO for a specific field (company code, sales organization, division, plant etc.).
Resolution: identify the missing field value through SU53 and assign it (normally via a derived role for that org value).

d) The user could access the role until yesterday; this morning he cannot.
Possible causes: the role assignment expired, the role was changed, the role was assigned temporarily for 30 days, or the rights came through a reference user that was removed.

e) The user is an RFC user and cannot communicate via RFC.
Resolution: check whether the user is locked in the source/target system (failed logons lock the user). If stale values are buffered, /$sync or /$tab refresh the buffers, but this is not recommended on PRD systems because it dramatically increases response times for all users. Clear the host name buffer in SM51 if needed.

Note: it is not recommended to assign, modify or create roles without a written record (email, fax, printed form) along with the necessary approvals.

f) Background jobs fail due to logon failure / logon denied, shown in the SM37 job log. When a user leaves the company his account is locked for 3 to 6 months and later scheduled for deletion; meanwhile all jobs scheduled under his ID are cancelled. So delete those jobs (if permitted) and reschedule them with a dedicated batch (BTC) user. Do not reactivate users who are scheduled for deletion.

g) Transports stopped due to the user TMSADM (reset the password in STMS).

Process:
1. The user complains of missing authorizations through a ticket.
2. Communicate via email or call the user and ask for an SU53 screenshot taken immediately after the transaction failed. (Sometimes the failure is not recorded by SU53, e.g. for checks made in RFC or background processing.) In that case trace the user with ST01.
3. Determine what is missing: a transaction, an authorization field, a value or an organizational field.
4. Execute SUIM and identify the role that contains the missing authorizations. Ensure that the role does not grant more than required. Run a risk analysis / mitigation control, identify the risks involved and send all details to the approver / business process owner / role owner.

Based on the risks and mitigations, the approver may allow the assignment or reject it.

The approver may suggest modifying the role, but modifying a role after the risk analysis affects all "XY" users who hold that role, which is not allowed under SOX without re-approval. Do not grant any excessive authorizations to users.

Identify the role with the least impact, or define a temporary role, and assign the authorizations to the user based on approval from the role owner (mail, ticket, case, request, fax, print).

ST01 authorization trace: when the missing authorization cannot be found with SU53, run ST01: specify the user name, switch on the authorization trace, ask the user to run the transaction, then switch the trace off and evaluate it.

*************************************************************

SAP security parameters:

login/system_client=<client number> -- sets the default client for logon.
login/accept_sso2_ticket -- accept SSO2 logon tickets
login/create_sso2_ticket -- create SSO2 logon tickets
login/disable_multi_gui_login -- disable multiple GUI logons with the same user
login/disable_password_logon -- deactivate password logon
login/failed_user_auto_unlock -- automatically unlock, at midn
ight, users locked by failed logon attempts

Further login parameters (documented in RZ11):
login/fails_to_session_end
login/fails_to_user_lock
login/min_password_diff
login/min_password_digits
login/min_password_letters
login/min_password_lng
login/min_password_lowercase
login/min_password_specials
login/min_password_uppercase
login/multi_login_users
login/password_change_for_SSO
login/password_change_waittime
login/password_charset
login/password_expiration_time
login/password_history_size
login/password_logon_usergroup
login/system_client
login/ticketcache_entries_max
login/ticketcache_off
login/ticket_expiration_time
login/ticket_only_by_https
login/ticket_only_to_host
login/update_logon_timestamp
login/password_max_idle_productive
login/no_automatic_user_sapstar
login/password_max_idle_initial
login/password_downwards_compatibility

Documentation for each parameter is available in RZ11. Most login/* parameters can be changed dynamically in RZ11, but such a change is lost at the next restart; to make it permanent, maintain the parameter in the profile with RZ10, which takes effect after an instance restart.

Most of the parameters are set to kernel defaults when SAP is installed; customize them according to the security policy. In particular login/no_automatic_user_sapstar should be 1 on every system, so that SAP* cannot log on with its hard-coded password when its user master record has been deleted.
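The parameters above end up as name = value lines in the DEFAULT and instance profiles. As an added Python example (not from the notes), the script below parses a profile in that format and compares it with a hardening baseline, showing a constructed weak profile next to the same profile with the corrections appended. The parameter names are real; the baseline values are an example policy assumed for this illustration, not SAP's defaults.

```python
"""Audit of login/* profile parameters against a hardening baseline.

Added illustration, not from the original notes. It parses the 'name = value'
lines of an SAP profile (DEFAULT.PFL / instance profile format) and reports
every parameter that is missing or outside the baseline. Parameter names are
real; the baseline is an example policy chosen for this illustration, not
SAP's defaults, and both profile texts are constructed.
"""
import re

# Example policy (assumed for this illustration): (operator, expected).
BASELINE = {
    "login/min_password_lng":                 (">=", 8),
    "login/min_password_digits":              (">=", 1),
    "login/min_password_letters":             (">=", 1),
    "login/min_password_specials":            (">=", 1),
    "login/password_expiration_time":         ("between", (1, 90)),  # 0 = never expires
    "login/password_history_size":            (">=", 5),
    "login/fails_to_user_lock":               ("between", (1, 5)),
    "login/failed_user_auto_unlock":          ("==", 0),   # keep locks until an admin unlocks
    "login/disable_multi_gui_login":          ("==", 1),
    "login/no_automatic_user_sapstar":        ("==", 1),   # no hard-coded SAP* logon
    "login/password_downwards_compatibility": ("==", 0),   # no weak legacy hashes
}

PARAM_LINE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: raw string value}; comments (#) and blank lines are
    skipped, and a later line overrides an earlier one as the profile reader does."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def _satisfies(rule, value):
    op, expected = rule
    if op == ">=":
        return value >= expected
    if op == "==":
        return value == expected
    if op == "between":
        return expected[0] <= value <= expected[1]
    raise ValueError(f"unknown operator {op}")


def audit(params, baseline=BASELINE):
    """List of (parameter, actual, rule) for every baseline violation.

    A parameter absent from the profile is reported with actual=None: the
    kernel default then applies, which for most of these is the weak setting.
    """
    findings = []
    for name, rule in baseline.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, None, rule))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, rule))     # non-numeric where a number is expected
            continue
        if not _satisfies(rule, value):
            findings.append((name, value, rule))
    return findings


# Constructed profile as often found after a default installation.
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
# password policy left at installation values
login/min_password_lng = 6
login/min_password_digits = 1
login/min_password_letters = 1
login/min_password_specials = 1
login/password_expiration_time = 0
login/password_history_size = 5
login/fails_to_user_lock = 12
login/failed_user_auto_unlock = 1
login/disable_multi_gui_login = 0
login/no_automatic_user_sapstar = 0
login/password_downwards_compatibility = 1
"""

# Corrections (constructed); appended lines override the earlier values.
FIXES = {
    "login/min_password_lng": 8,
    "login/password_expiration_time": 90,
    "login/fails_to_user_lock": 5,
    "login/failed_user_auto_unlock": 0,
    "login/disable_multi_gui_login": 1,
    "login/no_automatic_user_sapstar": 1,
    "login/password_downwards_compatibility": 0,
}
HARDENED_PROFILE = WEAK_PROFILE + "\n".join(f"{k} = {v}" for k, v in FIXES.items()) + "\n"

if __name__ == "__main__":
    for name, actual, rule in audit(parse_profile(WEAK_PROFILE)):
        print(f"{name}: is {actual}, expected {rule[0]} {rule[1]}")
    print("hardened profile findings:", audit(parse_profile(HARDENED_PROFILE)))
```

Run it against the DEFAULT profile first and then against each instance profile: an instance profile silently overrides the DEFAULT value, so a clean DEFAULT.PFL says nothing about an application server whose own profile still carries the installation values.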

Set them in the DEFAULT profile so that they are effective on all application servers.

***********************************************

LDAP (Lightweight Directory Access Protocol)

LDAP is a protocol used to read users from, and synchronize them with, a directory server.

Directory servers (IBM Lotus Domino, Microsoft Active Directory, Sun iPlanet) are some of the servers used to maintain the users of a company.

Users are required in the following systems:
1. Login to the domain server
2. Login to the mail server
3. Login to the web server
4. Login to print and file servers
5. Login to SAP systems (ERP, SCM, SRM, BI and XI)

Too many systems, too many users, too many passwords.

SAP recommends configuring CUA between the clients and systems.

SAP also supports LDAP, so that users are created in the directory server and populated into the other systems (1 to 5) via the LDAP protocol.

Configuring the directory server in SAP:
1. Use transaction LDAP to define the connection to the directory server.
2. Define an RFC connection of type 'T' in SM59 pointing to the LDAP connector (registered server program ldap_rfc, identified by its program ID).
3. Create a system user for the connector in transaction LDAP (not in SU01); it is stored in table LDAPUSER.
4. Distinguished name: it specifies the user's position in the directory, e.g.
   c = country
   cn = common name
   sn = surname
   o = organization
   These details are provided by the directory administrator.
5. Server -- name of the LDAP server; Connector -- the RFC connection defined in SM59.
6. User -- the user defined in table LDAPUSER.
7. Define the mapping between SAP user fields and directory attributes in LDAPMAP.
8. Schedule report RSLDAPSYNC_USER to synchronize the directory server and the SAP system.
9. Use report RSLDAPTEST to check the LDAP connection.

Defining the LDAP server:

Click on LDAP Server, provide a server name, the host name of the directory server, port number 389 (plain LDAP; 636 for LDAP over TLS), the product (e.g. MS ADS), protocol LDAP version 3 and the system logon user.

***********************************************

SOX (Sarbanes-Oxley Act, Section 404)

After the Enron scandal the US government passed the Sarbanes-Oxley Act; Section 404 protects the interests of the stakeholders/shareholders of public companies. Each publicly listed company has to ensure that shareholders' interests are protected by internal controls and has to report on their effectiveness.

SAP provides PFCG to create roles and assign them to users, but PFCG alone does not answer the following:
1. Why, when and how a role was created and assigned.
2. What the change history (modification history) of the role is.
3. What risks are involved in modifying or assigning the role.
4. How to identify the risks present in the system.
5. How to ensure that all security compliance requirements are met.

Standard SAP security could not address all of the above. SAP-certified third-party tools like Virsa, Approva and Security Weaver perform most of these tasks and bring their own programs, tables and reports.

SAP acquired Virsa and released the product SAP GRC (Governance, Risk and Compliance) with the following tools:
1. Virsa Role Expert
2. Virsa Compliance Calibrator
3. Virsa Access Enforcer
4. Virsa Firefighter