Is a lack of SAP security knowledge putting your organization at risk? For many SAP professionals the complex world of SAP application security is frustrating, and sometimes overwhelming. Unfortunately, after the initial go-live, the rush of day-to-day activities means that SAP security is often just an afterthought. However, this puts organizations at increased risk from fraud, excessive access to confidential information, and even unintentional errors.

In this archived presentation Symmetry security expert Kyle Balcerzak gives an overview of SAP application security basics:
• Not publicly traded or regulated? Why you still need security.
• SOX, HIPAA, ITAR – how are controls implemented in SAP?
• Security architecture concepts and definitions you need to know – authorization objects, roles, derived roles, composite roles, profiles, and many other security concepts.
• How you should manage your security environment – role matrix, role owners, task-based vs. position-based roles.
• Who should be involved in security management?
• What tools are available?
Introduction to SAP Security
Kyle Balcerzak, SAP Security Consultant
Wednesday March 31, 2010
Download the presentation recording with audio from the Symmetry Knowledge Center
www.sym-corp.com/knowledge-center
Symmetry Corporation: Symmetry’s 21st Century Approach to Managed Services
Lifecycle Support for any SAP application on any platform combination:
• Upgrade & Project Support
• Security Design & Administration
• SAP NetWeaver / Basis administration
• SAP Certified Hosting
• Implementation Support
• Quality: Proactive support delivered by US-based experts
• Accessibility: 24x7 direct access to your support team
• Affordability: Highly competitive fixed-price contracts
Introducing Kyle Balcerzak, SAP Security Consultant
What We’ll Cover
• Introduction – Why is Security Important?
• Legal Requirements: SOX, HIPAA, ITAR; Risks & Controls; Why Unregulated Companies Should Care
• Security Architecture: User Master Record; Roles; Profiles; Authorization Objects; User Buffer; 4 Doors to SAP Security
• Managing Security: Security Team; Role owners and the approval process; Periodic Access Validation; Troubleshooting and information; Security Tools
Why is Security Important?
• Security is the doorway to the SAP system.
• Security is a way of protecting information from unauthorized use.
• Security can unlock the flexibility of the system and customize it for each user.
• Information stored in SAP is one of your company’s most valuable business assets.
What is SAP Security?
SAP application security controls who can do what in SAP. Examples:
• Who can approve purchase requisitions over $10,000 (ME54N)?
• Who can view other employees’ social security numbers in the system (PA20)?
• Who can update vendor bank information (XK02)?
• Who can create or modify users (SU01)?
Security Objectives
• Confidentiality – prevent users from viewing and disclosing confidential information.
• Integrity – ensure the accuracy of the information in your company’s system.
• Availability – prevent the accidental or deliberate loss or damage of your company’s information resources.
Security Against Whom?
When people think about system security, they usually think about people outside the company: business espionage, political rivals.
In reality, you need to protect against your own people:
• Curiosity
• Accidental access
• Intentional access
Factors to Consider
• How important is your SAP system and the data stored in it to your business?
• Do you have a policy requiring certain levels of security?
• Do your internal or external auditors require a certain level of security for the information stored in your system?
• Will you need some degree of security in the foreseeable future?
Legal Requirements
• SOX, HIPAA, ITAR
• Segregation of Duties vs. Excessive Access
• Controls – Preventive vs. Detective
• Why Smaller Companies Should Care
Sarbanes-Oxley (SOX) Act
• Executives are ultimately responsible for confirming the design and effectiveness of internal controls
• Excessive access and Segregation of Duties issues are key points
• Ultimately – data integrity is key
SOX Continued
Segregation of Duties: one user can perform two or more conflicting actions that together create a risk.
Example:
• Activities: Someone can create vendor master records and then process accounts payable payments
• Risk: Gives someone the access to create a fictitious vendor and generate fraudulent payments to that vendor
Excessive Access: a single action that a user can perform that is outside their area of expertise or jurisdiction, or that allows critical access.
Example:
• Activity: End user can use SP01 to see the spool requests for all users
• Risk: Users may view sensitive financial documents or payroll information, for example.
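To make the two rule types concrete, here is an added example (not from the presentation) of the kind of check a security team or GRC tool runs over a user/role matrix. The users, roles and transaction assignments are constructed sample data; XK01 (create vendor) and F110 (payment run) are assumed as the transactions behind the vendor-master and A/P-payment activities above, and SP01 is the critical transaction from the excessive-access example.

```python
# Added example, not from the presentation: SoD and excessive-access detection over
# a constructed user/role matrix. XK01 (create vendor) and F110 (payment run) are
# assumed as the transactions behind the slide's activities; users/roles are made up.

# Constructed sample data: transactions granted by each role.
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_AP_PAYMENTS": {"F110", "FB03"},
    "Z_DISPLAY_ONLY": {"XK03", "FB03"},
    "Z_SPOOL_ALL": {"SP01"},
}

# Constructed sample data: roles assigned to each user.
USER_ROLES = {
    "JSMITH": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},
    "AJONES": {"Z_AP_VENDOR_MAINT", "Z_DISPLAY_ONLY"},
    "BLEE": {"Z_DISPLAY_ONLY", "Z_SPOOL_ALL"},
}

# SoD rule matrix: (rule id, transactions for activity A, transactions for
# activity B, business risk). A user violates the rule only if they hold at
# least one transaction from *each* side.
SOD_RULES = [
    ("AP01", {"XK01", "XK02"}, {"F110"},
     "Create a fictitious vendor and generate fraudulent payments to that vendor"),
]

# Excessive-access rules: transactions that are critical on their own.
CRITICAL_TCODES = {
    "SP01": "Can view spool requests (financial/payroll output) of all users",
    "SU01": "Can create or modify users",
}

def user_tcodes(user):
    """Effective transaction set of a user: the union over all assigned roles."""
    return set().union(*(ROLE_TCODES[r] for r in USER_ROLES.get(user, ())))

def sod_violations(user):
    """[(rule id, risk)] for every SoD rule the user's combined access violates."""
    tcodes = user_tcodes(user)
    return [(rid, risk) for rid, side_a, side_b, risk in SOD_RULES
            if tcodes & side_a and tcodes & side_b]

def excessive_access(user):
    """[(tcode, risk)] for critical transactions the user holds."""
    return [(t, CRITICAL_TCODES[t]) for t in sorted(user_tcodes(user) & set(CRITICAL_TCODES))]

def conflicting_roles(user, rule_id):
    """Roles behind a violation, for remediation: a 1-tuple means one role alone
    grants both sides (fix the role); a 2-tuple means only the combination does."""
    _, side_a, side_b, _ = next(r for r in SOD_RULES if r[0] == rule_id)
    found = set()
    for r1 in USER_ROLES.get(user, ()):
        for r2 in USER_ROLES.get(user, ()):
            if ROLE_TCODES[r1] & side_a and ROLE_TCODES[r2] & side_b:
                found.add((r1,) if r1 == r2 else tuple(sorted((r1, r2))))
    return sorted(found)
```

The same structure scales to a full rule matrix: add one tuple per conflicting activity pair and run `sod_violations` over every user in the role matrix report.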
HIPAA and ITAR
Health Insurance Portability and Accountability Act
• Personal health information can be shared with appropriate people for patient care.
• Typically comes into play in SAP HR systems.
• Data privacy concerns: if an employee has a potentially embarrassing injury at work, these details are stored in the system and should only be viewed by authorized personnel.
International Traffic in Arms Regulations
• Controls the import/export of defense-related articles and information.
• Data privacy concerns: information and material specifically about defense and military technologies must only be shared with US Persons or those who are approved.
• Shipping concerns: unauthorized users should not have access to change a customer’s shipping information.
Controls – Preventive vs. Detective
To prevent fraud and accidental errors, and to protect sensitive information, we must have controls. There are two main categories of controls:
• Preventive controls: prohibit inappropriate access (Authorizations, configuration, User-Exits, and so on)
• Detective controls: rely on other processes to identify inconsistencies (alerts, periodic reporting, system monitoring)
Why Unregulated Companies Should Care
Why should we care about segregating duties, excessive access or documenting our business processes if we are not publicly traded or subject to legal requirements?
• Documentation
• Reduction in errors
• Cost of errors
• Loss of customers
• Fraud happens
• Protection of trade secrets
• Preserve confidential information
Security Architecture
• Authorization Objects Intro
• User Master Record
• Roles – Single, Derived, Composite
• Task-based vs. Job-based Roles
• Profiles
• Authorization Objects
• User Buffer
• 4 Doors to SAP Security
Authorization Concept (diagram): User -> User Master Record -> Roles -> Profiles -> Authorization Objects -> SAP Functionality
Authorization Objects
• Authorization Objects are the keys to SAP security
• When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations
• The same Authorization Objects can be used by different Transactions
• Example – in order to display a table, a user must have the Authorization Object S_TABU_DIS with the appropriate values
User Master Records
• Required to establish access for Users.
• Created when a User is created.
• User Master Records are client-dependent!
User Master Record information includes:
• Name, Password, Address, Company information
• User Group (used for security administration or searching capabilities)
• Reference to Roles and Profiles (access capabilities are not stored directly in user master records)
• User type:
  - Dialog – typical for most users
  - System – cannot be used for dialog login, can communicate between systems and start background jobs
  - Communications Data – cannot be used for dialog login, can communicate between systems but cannot start background jobs
  - Reference – cannot log in, used to assign additional Authorizations to Users
  - Service – can log in but is excluded from password rules, etc. Used for Support users and Internet services
• Validity dates (from/to)
• User defaults (logon language, default printer, date/decimal formats)
(Screenshot: User Master Record)
Roles and Profiles
• Profiles contain Authorization Objects
• Roles contain Profiles
• Profiles that come delivered with the system or were created from scratch can be assigned directly to users
• Profiles that were generated for a Role are attached to that Role and cannot be assigned directly. You must assign the Role, and the system will then assign the user the correct Profile
(Authorization concept diagram, repeated: User -> User Master Record -> Roles -> Profiles -> Authorization Objects -> SAP Functionality.) Users are assigned Roles and Profiles, which contain Authorization Objects.
Roles
Roles are ‘built on top’ of Profiles and include additional components such as:
• User menus
• Personalization
• Workflow
In modern SAP systems, users are typically assigned the appropriate Roles by the security team. The system will automatically add the appropriate Profile(s) for each Role assigned.
Note: Authorization Objects only exist in Profiles (either on their own or when “nested” in roles).
A Role has several parts, including:
• Description
• Documentation
• Menu
• Profile
Tips for Managing Roles
• Roles typically do not change often.
• It is strongly recommended that they be created in a Development client, then transported to Quality (tested, hopefully) and finally promoted to Production.
• Roles should originate from the same client (pick one to be your “security development” client).
• It is much easier to assign an existing Role to a User than to create or modify a Role.
• SAP’s template Roles are intended only as examples. Best practice is to have Users tell you the exact Transactions they require and build Roles from scratch. At the very least, copy them into your own namespace. Be aware that many of them contain too much access, so be careful!
(Screenshots: Role maintenance; Profile for a Role)
Roles – Types
There are 3 types of Roles:
• Single – an independent Role
• Derived – has a parent and differs only in Organization Levels. Maintain Transactions, Menu and Authorizations only at the parent level
• Composite – container that contains one or more Single or Derived Roles
Derived Role example:
• Purchaser Parent: ME21N, ME22N for all or no Purchasing Organizations
• Purchaser Child 1: ME21N, ME22N for Purchasing Organization 0001
• Purchaser Child 2: ME21N, ME22N for Purchasing Organization 0002
Composite Role example: (screenshot)
Task-based vs. Job-based Roles
• Task-based: each Role performs one function (usually one or only a few Transactions). Examples: Vendor master creation; Create sales order
• Job-based: each Role contains most functions that a user will need for their job in the organization. Examples: A/P Clerk; Buyer; Warehouse Manager
• Hybrid approach
Profiles
• Authorization Objects are stored in Profiles
• Profiles are the original SAP Authorization infrastructure
• Ultimately – a user’s Authorization comes from the Profile(s) they have assigned
• Profiles are different from Roles.
Examples of Delivered Profiles
• SAP_ALL – delivered with the system; contains almost all Authorization Objects
• SAP_NEW – contains the new objects in the current release that are required to keep old transactions functioning. It does NOT contain all new Authorization Objects for that release
• S_A.xxxxxxx – standard BASIS Profiles for various job functions (e.g. customizing, development, administration)
User Buffer
When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer. As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer. You can see the buffer in Transaction SU56.
Example of Authorization Check
When attempting to execute a Transaction, each instance of a required Authorization Object that a user has is checked by the system until the system finds a match.
Example: User would like to create a Sales Order of the Document Type “Standard Order” (OR). One of the Authorization Objects that the system looks for is V_VBAK_AAT. There are two fields – Activity and Order Type. To create a sales order for the Standard Order type, the user will need V_VBAK_AAT with:
• Activity – 01 (Create)
• Order Type – OR (Standard Order)
The user might have this Object several times from several Roles. The system keeps checking until it finds a match:
Role 1
• V_VBAK_AAT: Activity – 03 (Display); Order Type – * (All Order Types)
• V_VBAK_AAT: Activity – 01 (Create); Order Type – B1, B2, CS
Role 2
• V_VBAK_AAT: Activity – 01 (Create); Order Type – OR, RE
Authorization Checks
How does SAP test whether the user has Authorization to execute functions? What happens when I try to start and run a Transaction?
Authorization Checks – Executing a Transaction
1) Does the Transaction exist? All Transactions have an entry in table TSTC.
2) Is the Transaction locked? Transactions are locked using Transaction SM01. Once locked, they cannot be used in any client.
3) Can the User start the Transaction? Every Transaction requires that the user have the Object S_TCODE=Transaction Name. Some Transactions also require another Authorization Object to start (varies depending on the Transaction).
4) What can the User do in the Transaction? The system will check to see if the user has additional Authorization Objects as necessary.
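As an added example (not from the presentation), the following simulation walks through the four steps above against the V_VBAK_AAT buffer from the earlier sales-order example, including the rule that all field values must match inside a single authorization instance. VA01 (create sales order), the S_TCODE values and the TSTC/SM01 stand-ins are assumptions made for the example.

```python
# Added example, not from the presentation: a simulation of how the user buffer
# is consulted when a transaction is started. The V_VBAK_AAT instances reproduce
# the slide's Role 1 / Role 2 example; VA01 (create sales order), the S_TCODE
# entries and the TSTC/SM01 stand-ins are constructed assumptions.
from fnmatch import fnmatchcase

# Constructed user buffer as loaded at logon (what SU56 would show): each entry
# is one authorization instance, i.e. an object with a value set per field.
USER_BUFFER = [
    {"object": "S_TCODE", "fields": {"TCD": {"VA01", "VA03", "SU53"}}},
    # Role 1, instance 1: display (03) any order type
    {"object": "V_VBAK_AAT", "fields": {"ACTVT": {"03"}, "AUART": {"*"}}},
    # Role 1, instance 2: create (01) order types B1, B2, CS
    {"object": "V_VBAK_AAT", "fields": {"ACTVT": {"01"}, "AUART": {"B1", "B2", "CS"}}},
    # Role 2: create (01) order types OR, RE
    {"object": "V_VBAK_AAT", "fields": {"ACTVT": {"01"}, "AUART": {"OR", "RE"}}},
]

# Constructed stand-ins for table TSTC (transaction exists) and SM01 locks.
TSTC = {"VA01", "VA02", "VA03", "SU53", "SE16"}
LOCKED_TCODES = {"SE16"}


def field_matches(allowed, wanted):
    """A field matches if any allowed value equals the wanted value, or is a
    wildcard ('*' alone, or a pattern such as 'Z*') that covers it.
    Value ranges (from/to) are not modelled here."""
    return any(fnmatchcase(wanted, v) if "*" in v else v == wanted for v in allowed)


def authority_check(buffer, obj, **wanted):
    """Mirror of an AUTHORITY-CHECK: every requested field must match inside
    ONE instance (AND within an instance); the check passes if ANY instance
    does (OR across instances). Values never combine across instances, so
    '03 / *' from Role 1 does not help a 'create OR' request."""
    for inst in buffer:
        if inst["object"] != obj:
            continue
        if all(field_matches(inst["fields"].get(f, ()), v) for f, v in wanted.items()):
            return True
    return False


def start_transaction(buffer, tcode, **extra):
    """The four steps from the slides; `extra` maps object name -> field values
    the transaction additionally checks. Returns (ok, which step decided)."""
    if tcode not in TSTC:
        return False, f"1: transaction {tcode} does not exist (TSTC)"
    if tcode in LOCKED_TCODES:
        return False, f"2: transaction {tcode} is locked (SM01)"
    if not authority_check(buffer, "S_TCODE", TCD=tcode):
        return False, f"3: missing S_TCODE={tcode}"
    for obj, fields in extra.items():
        if not authority_check(buffer, obj, **fields):
            return False, f"4: missing {obj} with {fields}"
    return True, "4: all checks passed"
```

The second assertion-worthy case is a request for Activity 01 on an order type no instance grants: the display instance with `*` does not rescue it, which is exactly what SU53 would then report as the failed check.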
Managing Security
• Security Team
• Role Owners and the Approval Process
• Periodic Access Validation
• Troubleshooting and Information: User Information System (SUIM); SU53; Authorization Trace (ST01); Security Audit Log (SM19/SM20)
• Security Tools: Central User Administration; SAP NetWeaver Identity Management; SAP GRC Access Control Suite; Symsoft ControlPanelGRC
SAP is a Complex Ecosystem
There are many different SAP applications with different areas of expertise required. Some of these require specialized security knowledge, e.g. HCM and BI/BW. Examples:
• ECC (Sales and Distribution (SD), Materials Management (MM), Financial and Cost Accounting (FICO), Warehouse Management (WM), Quality Management (QM), Plant Maintenance (PM), Human Capital Management (HCM))
• Business Information Warehouse (BI/BW)
• Customer Relationship Management (CRM)
• Supplier Relationship Management (SRM)
• Advanced Planner and Optimizer/Supply Chain Management (SCM/APO)
• Portal
• …And whatever else SAP dreams up!
Security Team
It is important to select an appropriate security team. Size considerations depend on your organization:
• Auditing requirements
• Amount of changes
• Security staff knowledge
• Role changes should be done by the security team
• User assignments can be processed by the security team or the Basis team
• Unlocking Users/resetting passwords of Users can be done by the helpdesk
Outsourcing is a good option for many companies.
Key reasons to outsource:
• Expert help available – it’s hard for part-time security staff to understand all of the complexities of SAP Security
• Internal staff may get overloaded and need extra help.
• Project work
• Provide coverage during vacations/sick days
Key considerations in choosing an outsourcing provider:
• Ongoing access to a team vs. consultant randomly assigned by a help desk
• 24x7 access to support
• Fixed rate support vs. charge by the hour
Role Owners and the Approval Process
The security team may know how to make changes to access, but will need to work with the business to determine what changes should be made. Changes include making changes to Roles (modifying Authorizations, adding/removing Transactions) and assigning those Roles to users.
• Have Role changes approved by the Role owner
• Have User assignment changes approved by both a manager and the Role owner.
The business is often not aware of the implications of changes that are requested. Your security team should be able to point out potential risks when access is requested.
Periodic Access Validation
• It’s a good idea to have Role matrix reports generated and reviewed periodically by Role owners
• Ensures that inappropriate changes were not made
• Accountability
• Consider doing this quarterly or at least yearly
(Screenshot: example output of a report that was generated by ControlPanelGRC)
User Information System
• Transaction SUIM
• Great place to get information about Users/Roles
• TIP – has had bugs over the years. If something seems incorrect, query the appropriate table directly.
SU53
• Last Authorization check that failed.
• May or may not be the Authorization that the User actually needs. Look at context clues to determine if it is appropriate.
• User may need more Authorization Objects after this one is added.
Authorization Trace
• Transaction ST01
• Records all Authorization Checks performed while a User is in the system.
• Does not include Structural Authorizations in HR Security.
• ControlPanelGRC Security Troubleshooter makes this process easier by recording the steps to recreate the issue and the Authorization Trace, and sending the output to the Security Team.
Security Audit Log
Records information about what Users are doing:
• Logon/logoff
• Transactions/reports started or attempted to start
• Password changes
• Workstation name of User
• Is not on by default.
• Transactions SM19/SM20.
• Does not record what data was changed by the User.
Central User Administration (CUA)
• Manage Users from one SAP client
• Simplifies User administration and can save a lot of time – especially for large environments
• If you own SAP, you already own this. All you need is someone to configure it
• There are several “gotchas” that frequently come up when installing. We recommend contacting a consultant who is CUA savvy
• Asynchronous! Ultimately, the Users and Roles exist in each client. CUA is only the place you log in to make changes!
(Diagram: CUA Central System SOL-100 connected to child systems DEV-100, QAS-100, PRD-100)
SAP NetWeaver Identity Management
• SAP’s Identity Management solution
• Cross system/cross vendor integration
• Separate landscape/installation
• Highly configurable; contact someone who specializes in this product.
SAP GRC Access Controls
• Risk Analysis and Remediation: find SoDs and excessive access for both Roles and Users; Alert Monitoring
• Compliant User Provisioning: workflow for User creations/modifications; incorporates SoD checks
• Superuser Privilege Management: emergency, temporary access; logs some of the user’s actions, notifies managers when used
• Enterprise Role Management: workflow for Role creations/modifications; incorporates SoD checks
SymSoft ControlPanelGRC
2nd generation compliance automation solution
• User & Role Manager: accelerates User and Role change management
• Risk Analyzer: real time risk analysis and mitigation of Segregation of Duties and Sensitive Authorization risks
• Usage Analyzer: monitors Transaction executions to provide notification of executed risks; Reverse Business Engineering (RBE) tool; License Optimization tool
• Transport Manager: automates processing of change requests with auditable workflow
• Batch Manager: cross system infrastructure for compliant scheduling, monitoring and tracking of batch jobs
• Emergency Access Manager: manages temporary access – access is tracked by User and reports are routed for review
• AutoAuditor: allows compliance reports to be scheduled and sent to Users for documented review
Key Points
• Security is the doorway to the SAP system
• Security is a way of protecting information from unauthorized use
• Security can unlock the flexibility of the system and customize it for each user
• Information stored in SAP is one of your company’s most valuable business assets.
• SAP Security is complex and often difficult to manage and understand
• There are legal requirements that influence SAP Security
• Not all companies are required to comply with these regulations
• All businesses benefit from having well defined processes
• There are tools available to help manage security – but ultimately a good security team is key
Kyle [email protected]