Authorization Checks


Authorization Checks When Starting SAP Transactions:

When a user starts a transaction, the system performs the following checks:
  • The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.
  • The system then checks whether the user has authorization to start the transaction. The SAP system performs this authorization check every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.
      • The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.
      • If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitably defined authorization object (TSTA, table TSTCA).
      • If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).
  • The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object. The check is not performed in the following cases:
      • You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.
        This can be useful, as a large number of authorization objects are often checked when transactions are executed, because the transaction calls other work areas in the background. For these checks to succeed, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need, and it increases the maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
      • You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.
    For the entries that you have made with transactions SU24 and SU25 to become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to "Y" (using transaction RZ10).
  • All of the above checks must be successful for the user to start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.

Checking Assignment of Authorization Groups to Tables

You can also assign authorization groups to tables to prevent users from accessing tables with general access tools (such as transaction SE16). A user not only requires authorization to execute the tool, but must also have authorization to access tables with the relevant group assignments. For this case, SAP delivers tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
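The check sequence above, replayed as an added Python model. This is illustration code written for this page, not SAP code or ABAP: the TSTC, TSTCA and SU24 rows and the two users are constructed sample data, and the S_USER_GRP field values used for the SE93 additional object are chosen only so that the example runs. The model makes visible why a transaction start is refused at each step, and why an SU24 deactivation has no effect until AUTH/NO_CHECK_IN_SOME_CASES is set to Y.

```python
"""Model of the checks run when a user starts a transaction (added example, not SAP code).

Replays the sequence described on the page: TSTC validity/lock, S_TCODE with
field TCD, the additional SE93 object from TSTCA, and SU24 check indicators
gated by the profile parameter AUTH/NO_CHECK_IN_SOME_CASES.
"""
from dataclasses import dataclass, field

# Constructed TSTC rows: transaction code -> locked flag (sample data, not a real export).
TSTC = {
    "SE16": {"locked": False},
    "SU01": {"locked": False},
    "SM59": {"locked": True},   # constructed: administrator has locked this transaction
}

# Constructed TSTCA rows: additional authorization object maintained via SE93.
# Field names CLASS/ACTVT exist on S_USER_GRP; the values are constructed.
TSTCA = {
    "SU01": ("S_USER_GRP", {"CLASS": "SUPER", "ACTVT": "03"}),
}

# Constructed SU24 check indicators: (tcode, object) -> "check" or "no_check".
# S_TCODE itself is never listed here: its check cannot be deactivated.
SU24 = {
    ("SU01", "S_USER_GRP"): "no_check",
}


@dataclass
class User:
    name: str
    # object -> list of authorizations, each a dict of field -> value ("*" = any value)
    authorizations: dict = field(default_factory=dict)

    def has(self, obj, wanted):
        """True if one authorization for `obj` covers every requested field value."""
        for auth in self.authorizations.get(obj, []):
            if all(auth.get(f) in ("*", v) for f, v in wanted.items()):
                return True
        return False


def check_transaction_start(user, tcode, no_check_in_some_cases="N"):
    """Return (allowed, reason) for the transaction-start check chain."""
    # 1. TSTC: is the transaction code valid and not locked?
    row = TSTC.get(tcode)
    if row is None:
        return False, f"{tcode}: transaction code not found in TSTC"
    if row["locked"]:
        return False, f"{tcode}: transaction is locked"
    # 2. S_TCODE / TCD: the user needs an authorization naming the transaction.
    if not user.has("S_TCODE", {"TCD": tcode}):
        return False, f"{tcode}: no S_TCODE authorization for TCD={tcode}"
    # 3. Additional object from SE93 (table TSTCA), unless its check was
    #    deactivated in SU24 AND AUTH/NO_CHECK_IN_SOME_CASES is set to Y.
    extra = TSTCA.get(tcode)
    if extra:
        obj, values = extra
        deactivated = (SU24.get((tcode, obj)) == "no_check"
                       and no_check_in_some_cases == "Y")
        if not deactivated and not user.has(obj, values):
            return False, f"{tcode}: missing authorization for {obj} {values}"
    return True, f"{tcode}: all checks passed"


# Constructed users: ALICE has S_TCODE only, ADMIN has S_TCODE * and S_USER_GRP.
alice = User("ALICE", {"S_TCODE": [{"TCD": "SE16"}, {"TCD": "SU01"}, {"TCD": "SM59"}]})
admin = User("ADMIN", {"S_TCODE": [{"TCD": "*"}],
                       "S_USER_GRP": [{"CLASS": "*", "ACTVT": "*"}]})

if __name__ == "__main__":
    for u in (alice, admin):
        for t in ("SE16", "SU01", "SM59", "ZZZZ"):
            print(u.name, check_transaction_start(u, t))
    # The SU24 deactivation only takes effect once the profile parameter is Y:
    print(check_transaction_start(alice, "SU01", no_check_in_some_cases="Y"))
```

The model is a reminder of why reviewing SU24 changes together with the value of AUTH/NO_CHECK_IN_SOME_CASES matters: an authorization object removed from a transaction's check in SU24 silently stops protecting that transaction once the parameter is switched on.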
 For more information visit www.keylabstraining.com

    Profile Parameters for Logon


    To make the parameters globally effective in an SAP System (system profile parameters), set them in the default system profile DEFAULT.PFL. However, to make them instance-specific, you must set them in the profiles of each application server in your SAP System.
    To display the documentation for one of the parameters, choose Tools >> CCMS >> Configuration >> Profile Maintenance (transaction RZ10), specify the parameter name and choose Display.
    Each entry below lists the parameter, its explanation, its default and permissible values where documented, and the release as of which it is available.

    Password Checks

    login/min_password_lng
        Defines the minimum length of the password.
        Default value: 3; permissible values: 3 - 8
    login/min_password_digits
        Defines the minimum number of digits (0-9) in passwords.
        Default value: 0; permissible values: 0 - 8
        Available as of SAP Web AS 6.10
    login/min_password_letters
        Defines the minimum number of letters (A-Z) in passwords.
        Default value: 0; permissible values: 0 - 8
        Available as of SAP Web AS 6.10
    login/min_password_specials
        Defines the minimum number of special characters in the password. Permissible special characters are ()!"@ $%&/()=?'`*+~#-_.,;:{[]}\<>
        Default value: 0; permissible values: 0 - 8
        Available as of SAP Web AS 6.10
    login/min_password_diff
        Defines the minimum number of characters that must be different in the new password compared to the old password.
        Default value: 1; permissible values: 1 - 8
        Available as of SAP Web AS 6.10
    login/password_expiration_time
        Defines the validity period of passwords in days.
        Default value: 0; permissible values: any numerical value
    login/password_change_for_SSO
        If the user logs on with Single Sign-On, checks whether the user must change his or her password.
        Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
    login/disable_password_logon
        Controls the deactivation of password-based logon.
        Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
    login/password_logon_usergroup
        Controls the deactivation of password-based logon for user groups.
        Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

    Multiple Logon

    login/disable_multi_gui_login
        Controls the deactivation of multiple dialog logons.
        Available as of SAP Basis 4.6
    login/multi_login_users
        List of excepted users (multiple logon).
        Available as of SAP Basis 4.6

    Incorrect Logon

    login/fails_to_session_end
        Defines the number of unsuccessful logon attempts before the system does not allow any more logon attempts in that session. The parameter must be set to a value lower than the value of parameter login/fails_to_user_lock.
        Default value: 3; permissible values: 1 - 99
    login/fails_to_user_lock
        Defines the number of unsuccessful logon attempts before the system locks the user. By default, the lock applies until midnight.
        Default value: 12; permissible values: 1 - 99
    login/failed_user_auto_unlock
        Defines whether user locks due to unsuccessful logon attempts are automatically removed at midnight.
        Default value: 1 (lock applies only on the same day); permissible values: 0, 1

    Initial Password: Limited Validity

    login/password_max_new_valid
        Defines the validity period of passwords for newly created users.
        Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
    login/password_max_reset_valid
        Defines the validity period of reset passwords.
        Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

    SSO Logon Ticket

    login/accept_sso2_ticket
        Allows or blocks logon using an SSO ticket.
        Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support Package
    login/create_sso2_ticket
        Allows the creation of SSO tickets.
        Available as of SAP Basis 4.6D
    login/ticket_expiration_time
        Defines the validity period of an SSO ticket.
        Available as of SAP Basis 4.6D
    login/ticket_only_by_https
        The logon ticket is only transferred using HTTPS.
        Available as of SAP Basis 4.6D
    login/ticket_only_to_host
        When logging on over HTTP(S), sends the ticket only to the server that created the ticket.
        Available as of SAP Basis 4.6D

    Other Logon Parameters

    login/disable_cpic
        Refuses incoming connections of type CPIC.
    login/no_automatic_user_sapstar
        Controls the emergency user SAP* (SAP Notes 2383 and 68048).
    login/system_client
        Specifies the default client. This client is automatically filled in on the system logon screen. Users can type in a different client.
    login/update_logon_timestamp
        Specifies the exactness of the logon timestamp.
        Available as of SAP Basis 4.6

    Other User Parameters

    rdisp/gui_auto_logout
        Defines the maximum idle time for a user in seconds (applies only to SAP GUI connections). Its effect differs between user types.
        Default value: 0 (no restriction); permissible values: any numerical value
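The password-policy and incorrect-logon parameters from the table, applied in an added Python example written for this page (it is not SAP code). `password_policy_violations()` checks a new password against the login/min_password_* parameters using the defaults from the table and the special-character set quoted for login/min_password_specials; `LogonTracker` models login/fails_to_session_end, login/fails_to_user_lock and login/failed_user_auto_unlock for one user. Two details are this example's assumptions rather than documented SAP behaviour: login/min_password_diff is counted as the number of character positions (plus any length difference) in which the new password differs from the old one, and "midnight" is modelled by comparing ISO date strings.

```python
"""Logon policy checks modelled on the login/* profile parameters (added example, not SAP code).

Defaults are those given in the table. Assumptions: min_password_diff counts
differing character positions plus any length difference; dates are ISO
strings ("YYYY-MM-DD"), which compare chronologically as plain strings.
"""

# Special characters permitted by login/min_password_specials (as listed in the table).
SPECIALS = set("()!\"@ $%&/()=?'`*+~#-_.,;:{[]}\\<>")

# Default values from the table.
DEFAULTS = {
    "login/min_password_lng": 3,
    "login/min_password_digits": 0,
    "login/min_password_letters": 0,
    "login/min_password_specials": 0,
    "login/min_password_diff": 1,
}


def password_policy_violations(new, old="", params=None):
    """Return the login/min_password_* parameters that the new password violates."""
    p = {**DEFAULTS, **(params or {})}
    digits = sum(c.isdigit() for c in new)
    letters = sum(c.isascii() and c.isalpha() for c in new)   # A-Z, either case
    specials = sum(c in SPECIALS for c in new)
    # Differing positions plus any length difference (assumption, see docstring).
    differing = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
    checks = [
        ("login/min_password_lng", len(new)),
        ("login/min_password_digits", digits),
        ("login/min_password_letters", letters),
        ("login/min_password_specials", specials),
        ("login/min_password_diff", differing),
    ]
    return [name for name, actual in checks if actual < p[name]]


class LogonTracker:
    """Failed-logon counter for one user (Incorrect Logon parameters)."""

    def __init__(self, fails_to_session_end=3, fails_to_user_lock=12, auto_unlock=1):
        # The table requires fails_to_session_end to be lower than fails_to_user_lock.
        if fails_to_session_end >= fails_to_user_lock:
            raise ValueError("login/fails_to_session_end must be lower than login/fails_to_user_lock")
        self.session_end = fails_to_session_end
        self.user_lock = fails_to_user_lock
        self.auto_unlock = auto_unlock
        self.failures = 0        # consecutive unsuccessful attempts
        self.locked_on = None    # ISO date the lock was set, or None

    def is_locked(self, today):
        if self.locked_on is None:
            return False
        # auto_unlock = 1: the lock applies only on the day it was set.
        if self.auto_unlock == 1 and today > self.locked_on:
            self.locked_on, self.failures = None, 0
            return False
        return True

    def attempt(self, success, today):
        """Record one logon attempt; returns 'ok', 'fail', 'session_end' or 'locked'."""
        if self.is_locked(today):
            return "locked"
        if success:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.user_lock:
            self.locked_on = today
            return "locked"
        if self.failures % self.session_end == 0:
            return "session_end"   # the logon session ends; the counter keeps running
        return "fail"


if __name__ == "__main__":
    print(password_policy_violations("ab", "xyz"))
    print(password_policy_violations("PASS1", "PASS1", {"login/min_password_digits": 2}))
    t = LogonTracker()
    print([t.attempt(False, "2024-01-01") for _ in range(12)])
    print(t.attempt(True, "2024-01-01"), t.attempt(True, "2024-01-02"))
```

With the defaults from the table, a user who fails twelve times on one day is locked for the rest of that day and can log on again the next morning; with login/failed_user_auto_unlock set to 0 the lock stays until an administrator removes it, which the tracker reproduces.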

    SAP Security, Authorizations


    • An authorization is a permission to perform a certain action in the SAP System.
    • Authorizations are used to control access at the application level.
    • The SAP authorization concept is the basis of SAP security.
    • Security means protecting your data and your business.

    SAP Authorization Architecture


    The structure of an authorization is as follows:

    Field: The smallest unit against which a check is run. It is the least granular element (a data element) used to secure data or information.

    Authorization: Authorizations are used to control access at the application level.

    Authorization Object: Groups 1 to 10 authorization fields together. These fields are then checked simultaneously.

    Authorization Object Class: A logical grouping of authorization objects.

    Profile: A profile grants authorizations on the basis of the authorizations and authorization objects it contains. Up to release 4.6C, profiles were created manually in transaction SU02; from 4.6C on, profiles are created automatically when roles are created, modified or generated.

    Role: A role is a combination of menus, authorizations, profiles and personalization. It is a group of activities performed within business scenarios, or the activities assigned to a user; equivalently, a role is a set of functions describing a specific work area. Roles consist of a menu, authorizations and organizational values.

    What is SAP?


    SAP stands for "Systems, Applications and Products in Data Processing." It was founded in 1972 by five former IBM employees in Germany.
    The great advantage of SAP is that it creates a common, centralized database for all the applications running in an organization. The application is assembled in such a versatile way that it handles every functional department within an organization. Today major companies, including Microsoft and IBM, use SAP's products to run their own businesses.
    R/2, which ran on a mainframe architecture, was the first SAP version. SAP's products are generally focused on Enterprise Resource Planning (ERP). SAP's applications are built around the R/3 system, which provides the functionality to manage product operations, cost accounting, assets, materials and personnel. The R/3 system runs on the majority of platforms, including Windows 2000, and it uses the client/server model.

    What is ERP?

    ERP is a package of techniques and concepts for the integrated management of a business as a whole, for the effective use of management resources and to improve the efficiency of an enterprise. Initially, ERP was targeted at the manufacturing industry, mainly for planning and managing core business such as production and finance. As ERP packages grew and proved their merits, ERP software came to be designed for the basic processes of any company, from manufacturing to small shops, with the goal of integrating information across the company.

    Some of the important ERP packages are SAP, PeopleSoft, Oracle Apps, JD Edwards, Ramco, etc.
    The ERP package should suit your organizational needs, so the choice is made on the basis of either
    1) the best technology, whatever the price may be, or
    2) good technology at a competitive price.
    The ERP package should also support data migration from your existing systems. Based on all these factors the best package is chosen. SAP is the one that meets all of them, which is why most organizations nowadays use SAP.
      

    SU25: Profile Upgrade


    Security Controlling System


    • Single Control
    • Dual Control
    • Triplet Control

    Principle of Single Control
    • User administration, role administration and profile generation are performed by a single team.

    Principle of Dual Control
    • The authorization data and profile administrator creates roles, selects transactions and maintains the authorization data. He or she also generates the profiles for the roles, but must not maintain users.
    • The user administrator assigns roles to users, but must not change the authorization data and must not generate profiles.

    Principle of Triplet Control
    • The authorization data administrator creates roles, selects transactions and maintains the authorization data. He or she cannot generate the profiles and may not change users.
    • The authorization profile administrator generates the profiles (except profiles containing authorization objects beginning with S_USER*). He or she may not change users or change the data for roles.
    • The user administrator assigns roles to users. He or she may not change the data for roles, nor change or generate profiles.
     


    User Master Record


    User master records define the user accounts that enable access to the SAP system. The user master record is mainly used for user administration and authorization management (role administration). Normally, the user master record contains the user ID as well as a wealth of other information that SAP system administrators can use to manage users effectively.
    For example, the user master record contains the information that validates a user's logon session. It stores important information such as the user's access rights to SAP, the user's password, the assigned authorization profiles and so on. User master records are accessed using transaction code SU01. In SU01, users can be displayed by user ID or, if the user ID is not known, selected from the list of all possible entries.
    You need the following authorizations to create or maintain user master records:
    • Authorization to create and/or maintain user master records and to assign a user group (authorization object S_USER_GRP).
    • Authorization for the authorization profiles you want to assign to users (authorization object S_USER_PRO).
    • Authorization to create and maintain authorizations (object S_USER_AUTH).
    • Authorization to protect roles. You can use this authorization object to determine which roles may be processed and which activities (Create, Display, Change and so on) are available for the role(s) (object S_USER_AGR).
    • Authorization for transactions that you may assign to the role and for which you can assign authorization at the start of the transaction in the Profile Generator (object S_USER_TCD).
    • Authorization to restrict the values that a system administrator can insert or change in a role in the Profile Generator (object S_USER_VAL).

      Sarbanes-Oxley (SOX) Act



      SAP R/3 Security in the Sarbanes-Oxley Era: 7 Steps for Better SOX Compliance
      1. Provide users access on a need-to-know and need-to-do basis.
      2. Adequately secure programs, transactions and tables.
      3. Ensure that all user access to SAP R/3 is properly authorized and approved.
      4. Maintain segregation of duties for all sensitive business transactions.
      5. Document all controls and business processes.
      6. Put anti-fraud preventive controls in place to prevent and detect fraud before an audit.
      7. Secure user profiles and roles in SAP and design them to meet business requirements.

        Segregation of Duties (SOD)


         
        Segregation of duties divides responsibility among different individuals, which can prevent potential fraud in an organization. SOD improves system security, or in other words data security, but on the other hand it increases the cost to the organization.

        For a small organization it is not always possible to implement SOD completely, but it should still follow the organization's security policies, even though the level of security is then very low.

        • The concept of segregation of duties
        • SOD in role/user administration
        • Principle of dual control
        • Principle of triplet control
          • Principle of dual control
            • User administration
            • Authorization maintenance and generation
          • Principle of treble control
            • User administration
            • Authorization maintenance
            • Authorization generation

        SOD is a primary internal control to prevent risk, identify problems and take corrective action.
        It is achieved by ensuring that no single individual has control over all phases of a business transaction.
        It covers 4 general categories of duties:
         • Authorization
         • Custody
         • Record keeping
         • Reconciliation
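The dual and triplet control principles from the Security Controlling System section, and the SOD rule above that no single individual controls conflicting duties, as an added Python example written for this page (it is not SAP code). The three administration functions are modelled as labels attached to roles, a principle is the set of function pairs that must not rest with one person, and a report lists every user whose combined role assignments break the chosen principle. The role and user data are constructed; the function labels are this example's, not SAP authorization field values, and treating every pair of the four general duty categories as a conflict is this example's conservative reading of the SOD rule.

```python
"""SOD check for the dual/triplet control administration split (added example, not SAP code).

Functions carried by an administration role are modelled as labels (this
example's names, not SAP field values). A principle is the set of function
pairs that must not rest with one person. Roles and users are constructed.
"""
from itertools import combinations

USER_ADMIN = "user_administration"     # assigns roles to users
AUTH_DATA = "authorization_data"       # creates roles, selects transactions, maintains authorization data
PROFILE_GEN = "profile_generation"     # generates profiles for roles


def pairwise_conflicts(functions):
    """Every pair of the given functions conflicts: each must sit with a different person."""
    return {frozenset(pair) for pair in combinations(functions, 2)}


PRINCIPLES = {
    # Single control: one team does everything, so nothing conflicts.
    "single": set(),
    # Dual control: the user administrator is separated from authorization data and profile generation.
    "dual": {frozenset({USER_ADMIN, AUTH_DATA}), frozenset({USER_ADMIN, PROFILE_GEN})},
    # Triplet control: all three functions are held by different people.
    "triplet": pairwise_conflicts([USER_ADMIN, AUTH_DATA, PROFILE_GEN]),
    # The four general duty categories from the SOD section. Treating every pair as
    # a conflict is this example's conservative reading of "no single individual
    # has control over all phases".
    "four_duties": pairwise_conflicts(["authorization", "custody", "record_keeping", "reconciliation"]),
}

# Constructed roles: role name -> functions it grants.
ROLES = {
    "Z_USER_ADMIN": {USER_ADMIN},
    "Z_ROLE_BUILDER": {AUTH_DATA},
    "Z_PROFILE_GEN": {PROFILE_GEN},
    "Z_AUTH_ALL": {AUTH_DATA, PROFILE_GEN},
}

# Constructed user-to-role assignments.
USERS = {
    "UADMIN": ["Z_USER_ADMIN"],
    "RADMIN": ["Z_ROLE_BUILDER"],
    "PADMIN": ["Z_PROFILE_GEN"],
    "BUILDER": ["Z_AUTH_ALL"],
    "SUPER": ["Z_USER_ADMIN", "Z_AUTH_ALL"],
}


def functions_of(user, roles=ROLES, users=USERS):
    """Union of the functions granted by all roles assigned to the user."""
    funcs = set()
    for role in users.get(user, []):
        funcs |= roles[role]
    return funcs


def conflicting_assignments(principle, roles=ROLES, users=USERS):
    """Map each violating user to the sorted list of forbidden function pairs they hold."""
    forbidden = PRINCIPLES[principle]
    report = {}
    for user in users:
        held = functions_of(user, roles, users)
        hits = sorted(tuple(sorted(pair)) for pair in forbidden if pair <= held)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for name in ("single", "dual", "triplet"):
        print(name, conflicting_assignments(name))
```

Under dual control only SUPER is reported, because holding authorization data and profile generation together is allowed; under triplet control BUILDER is reported as well, because the Z_AUTH_ALL role alone combines two functions that the principle splits across separate administrators. Conflicts are evaluated over the union of a user's roles, so two individually clean roles can still produce a violation when assigned to the same person.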
