SAP Audit Information and Approach

Authorization Example 1. User Master Record User: Frank W. Lyons Profile: Example 2. Profile: Example Object: Authorizations: S_Program ABAP: 3. Authorization: ABAP: Values: * SUBMIT, VARIANT Object: S_Program Fields: Program Group Activity

Authorization System: 1. 2. 3. 4. Profiles Objects fields Fields Authorizations Contain values for authority checking Can have the same names as they are physically and physically linked to an object One or more assigned to a user Must be unique names with one or more

Field group for an object has multiple values and can be shared across objects Initial Defaults 1. Initial Clients 2. Client 000 Client 001 Standard model Model for user defined clients. (template)

Initial User Ids SAP* Default super user. A user master record is created during installation but it is not needed by SAP* to access the complete system. If the SAP* master record is deleted, the SAP* account has the following special privileges: It is not subject to authorization checks and therefore has all authorizations It has the password PASS, which can not be changed without creating a new user master record. To prevent deletion, assign SAP* user to a group called SUPER and only super user should be able to maintain user group SUPER. Initial Security Parameters Parameters for user logon login/min_password/lng Minimum password length default is (3) login/password_expiration_time Number of days after which a password must be changed. The default is zero, which does not enforce password changes. Recommended value = 45. login/fails_to_session_end Number of times a user can enter an incorrect password before the system ends the login attempt. The default is (3). login/fails_to_user_lock Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. The default is (12). Recommend (3). When a password is locked in this manner, it is automatically unlocked by the system at the start of the next day (midnight).

3.

Adding Users 1. Each user must have a master record. the access rights for

2. Each user master record refers to one or more profiles that determine the user.

3.

Master record contains: User ID Password User groups User type Period of validity references to authorization profiles

Master records can be deleted but it will affect the audit trail. Better to lock the users master record Menu Path: Tools - Administration - User Maintenance - User - Lock/Unlock. 4. User Group If a person is assigned to a user group, only the administrators who are authorized for that user group can alter user master records. If a user is not assigned to a group then any user administrator can alter the user master record.

Adding Profiles Profiles and Authorizations exist in both maintenance and active versions. Allows for updates to maintenance before it is activated. Separation of maintenance and activation functions. 1. System Profiles Unlimited access to all users, profiles, and authorizations Authorizations for SAP system administration. This includes all authorizations except for: Maintenance of users in user group SUPER Maintenance of profiles and authorizations with names beginning S_A. Authorizations for use in the SAP Customizing system Authorizations for use in the SAP Development environment (excludes any user or profile authorizations) Basis system authorizations for end-users (e.g., S_Program, S_DBC_MONI, etc.

SAP Standard and Super User Profiles S_A.SYSTEM S_A.ADMIN

S_A.CUSTOMIZ S_A.DEVELOP S_A.USER 2. Startup Profiles

Profile Name S_ABAP_ALL S_ADMI_ALL S_BDC_ALL S_BTCH_ALL S_DDIC_ALL S_DDIC_SU S_NUMBER S_SCD0_ALL S_SCRP_ALL S_SPOOL_ALL S_SYST_ALL S_TABU_ALL S_TSKH_ALL S_USER_ALL

Description All ABAP/4 authorizations All system administration functions All batch input activities All batch processing authorizations DDIC: All authorizations Data Dictionary: All authorizations Number range maintenance: All authorizations Change documents: All authorizations All SAPscript text, styles, layout sets maintenance All spool authorizations All system authorizations Standard table maintenance: All authorizations All system administration authorizations User maintenance: All authorizations

SAP_ALL

SAP_ANWEND SAP_NEW Z_ANWEND 3.

Provides unlimited access to maintain all SAP R/3 system authorizations, with the following exceptions: Maintenance of users in user group SUPER Maintenance of profiles and authorizations with names beginning S_USER All SAP R/3 (excluding system) application authorizations Provides unlimited access to all authorizations added with new releases of SAP R/3. All user authorizations (excluding BC system) USRxx tables.

Profiles and their associated authorization value sets are stored in

Adding Authorizations Authorization objects are used to check a users authority to perform actions and access data in R/3. A users action is approved only if the user passes the authorization test for each field listed in an object. 1. Authorization Objects SAP contains a number of authorization objects that are used to restrict the ability of users to perform certain functions and access information. Authorization objects can contain up to ten authorization IDs representing such system elements as transactions, tables, fields, or programs. A user is allowed access if the their master record lists the object for which the authorization is being tested and the user passes the authorization test for each authorization ID. An authorization value set is required for access 02 = change Authorization Profiles are used to grant the authorization value sets to a user. The user master record refers to profiles and the profiles, in turn, refer, to value sets that determine the access capabilities of the user. New authorization objects can be created by Menu Path: System - Services - Table Maintenance. Merely creating a new object does not initiate any authorization checking. Either ABAPs need to be modified to test the new objects, or additional authorization checks need to be defined. First assign a object class for the new object. Next use AUTHORITY-CHECK for ABAP/4 programs Or add additional authorization checks to the TSTC (transaction table) Menu Path: System - Services - Table Maintenance. Objects 3. Objects are defined in the system and contain one or more fields that are used to test user access.

2.

Authorization Value Sets Are lists of all values (for each field) for which a user is authorized. Usually used to define tasks Profile allocate the tasks (authorization value set) to logical functions. These profiles are assigned to a physical user (master record).

4.

Basis System Authorization Objects Fields Program group Activity Program group Activity Activity Uses ABAP/4 programs that may be run. ABAP/4 programs that may be displayed or edited Whether a user can run queries and whether the user can maintain ABAP/4 Query user groups A variety of system functions such as: 1. Whether a user may enter a value interactively to pass an authorization test that he does not have authorization for in his user master record 2. Access to the ABAP/4 Dictionary 3. Access to the interface painter 4. System trace authority 5. Ability to add or delete additional authorization tests in the TSTC table 6. Execute host operating system commands

Object S-PROGRAM S_EDITOR ABAP/4 Query S_QUERY System Administration Functions

Administration Functions

Central Field Selection Table Maintenance Batch Processing: Batch Administrator Batch Processing: Batch User Name Batch Processing: Operations on Batch Jobs Batch Input Authorizations Queue Management Authorizations Authorization Check for SM04, SM50 Authorization for Update Administration Enqueue: Displaying and Deleting Lock Entries Spool: Device Authorization

Activity Authorization group Authorization class Activity Administrator Authorized user Operations Job Group Queue group name Activity Queue group name Activity Administration

Administration Activities Output Device

Which ABAP/4 programs a user can use to dynamically alter attributes of fields Authorize users to view and/or modify table contents Give user administrator authorization over background processing Specify user Ids that a user may specify as the authorization for running background jobs Specify the operations that users may perform on background jobs (Release, delete, etc.) Authorize a user to work with batch input sessions Management of queues for trouble-shooting or problem analysis To authorized users to lock or unlock transactions and to manage user sessions other than their own. Authorization to manage update records for other users Authorize users to maintain lock entries of other users Authorizes users to use particular printers

Spool Actions Public Holiday and Calendar Access Privileges Number Range Maintenance Change Documents Tools Performance Monitor

Spool action Value Activity Activity Number range object Activity Authorization name

Authorizes an administrator to perform specified actions on the spool system Authorization to display and/or maintain calendars Authorize users to maintain number ranges Authorization to display, maintain, and/or delete change documents Authorization to use sensitive functions of the performance monitor

Objects - Authorizations Fields P_GROUP P_ACTION S_TOOLS_EX S_PROGRAM Access to view logon parameters ABAP program access

Values Comments * Program group SUBMIT Execute program EDIT Maintain program attributes and texts VARIANT Start and maintain variants BTCSUBMIT Submit programs for background execution ABAP program access

Fields

S_EDITOR Values Comments

P_GROUP * Program group EDIT_ACTION SHOW Display program source EDIT Amend program source Fields S_BDC_MONI Batch input session

Values Comments Name of batch session for which a user is authorized (e.g. FRANK) ABTC Submit sessions for execution AONL Run sessions in interactive mode ANAL Analyze sessions, log and queue FREE Release sessions LOCK Lock/unlock sessions DELE Delete sessions Number range authorization

BDCGROUPID * BDCAKTI

Fields NROBJ ACTVT

S_NUMBER

Values Comments * 02 03 11 Number range object name for a vendor Change Display Change the last-used number in a number range interval

13 17 Fields ACTVT S_SCDO Values Comments 02 06 08 12 Processes 1. Batch

Initialize the last-used number when transporting ranges between clients Maintain number range object (pre 3.0) Change document authorization

Maintain and display change documents Delete change documents Display change documents Maintain change document objects

Number of transactions entered into the system as a batch. Batch inputs can take place in the background where no changes can be made or in the foreground where transactions containing errors can be interactively corrected.

Restricting Access The Batch Input object restricts user activities in different batch input sessions. ANAL Analyze sessions. Display session, log, and queue dump DELE Delete sessions LOCK Lock and unlock sessions FREE Release sessions ABTC Submit sessions for background execution AONL Run sessions in interactive modes On-Line Background Program executes on a background processing server without interactive user input. To run it must be scheduled.

2. 3.

This can be done two ways: Menu Path: ABAP/4 - System Services - Reporting - Batch Request function From background processing menu by selecting goto - Batch Request In either case the user must have a User ID to run the job. Users could be authorized to run background jobs but not foreground jobs. Before a background job can run, it must be released. The releasing of jobs is usually restricted to Batch Administrators. Restricting Access The field Admin in the Batch Admin object is used to give a user administration authorizations. If this field contains a Y, the user has access to all background jobs in a SAP system and can perform any operation on any job. The field Activity in the S_PROGRAM object determines activities users are able to perform on an ABAP. A value of BTCSUBMIT allows a user to schedule the ABAP/4 program for background execution. The Auth user field of the Batch User Name object is used to restrict user-IDs specified as the authorized user for running a job.

The Operation field of the Operations on Batch Jobs object is used to specify the operations that a user can perform on their own jobs. This is used to restrict users from deleting or releasing jobs.

4.

Services Can run on different servers. Dialog Update Enqueue Background Message Server CPI-C Gateway Server Spool

5.

Work Processes TSKH Task Handler DYNP Screen Processor ABAP Program Processor DB-SS Database interface that converts ABAP/4 SQL into DBMS SQL.

Transactions SAP transactions allow different functions to be performed within R/3. Menu selection also generates transactions. To see which transaction is currently executing select Menu Path: System - Status. System transactions are applicable to the basis system and application transactions are specific to a certain module. Transactions can be locked and unlocked using Menu Path: Administration - Tcode Administration. When a transaction is locked, users can not execute that transaction. To perform this function, a user requires the authorization object Authorization check for SM04, SM05 with a value of S in the Admin field. 1. Controlled by DYNP processor 2. Checks whether additional authorization checks are required to run the transaction (in TSTC Table). Interprets the Dynpros, which involves creating the screens and applying the logic defined in the dynpro (field checks, etc.).

All transactions are listed in the TSTC Table. This table includes: An indicator that the transaction has been locked or is available to be used. The ability to lock and unlock transactions is controlled using authorization object Authorization Check for SM04, SM50. Additional authorization checks to be performed. Only users with the value TCOD in the field, Admin Functions in object, System Admin Functions have the ability to add, alter, or delete these additional authorization tests. If a transaction is not marked as requiring authorization checks then any user can run the transaction.

Transaction types: SU93 and SU91 SE30 SU53 SU02 SU03 SU0 SU01 SU10 SU12 TU02 SM52 SU21 Displays changes master records and profiles Trace function Authorization check failures Activation of profiles Activation of authorizations Assignment of user ID Assignment of users to profiles and alter the password of any user Assignment of profiles for a range of users Delete all users View logon parameters Unix command line prompt Grouping of objects into object classes (example is Basis Administration, Financial Accounting)

Tables SAP is characterized by the use of thousands of application and control tables. The setup of the control tables, to a large extent, determines in which way a SAP installation functions. Logical views provided by the ABAP/4 Dictionary of all data (control data, master data, and transaction data) stored in SAP system. All control tables start with the letter T. Control tables can be displayed and maintained on-line. Menu Path: System - Services - Table Maintenance. In order to restrict tables a number of table authorization classes should be defined. All standard tables have been assigned to authorization classes. Authorization object, Table Maintenance is used to maintain the tables in each authorization class. Two levels of access are allowed value = 02 (add, change, or delete) and 03 (display only). To modify a table structure Menu Path: Tools - CASE - Development - Data Dictionary - Maintenance. Logging of changes can be accomplished by using change document objects to specify which tables are logged and the level of logging performed on each table. 1. 2. 3. 4. 5. 6. 7. 8. 9. TSTC MAC T001 Transactions Matchcodes Details about a company

T001B Defines accounting periods for company T001. USRxx Profiles TUSR04Authorization Profiles TUSR01User master record TUSR02User ID and password TUSR03Extended information about the user.

10. 11. 12. 13.

TUSR05Field defaults for each R/3 user and field. TOBJ Pre-defined authorization objects and fields

TOBJT Descriptive text of the authorization objects. TUSR10Authorization Profiles and Descriptions and TUSR11 T055 Field group fields

14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. Logs

T055G Field groups T055T Field Group descriptions AUTH Internal table - Financial objects TACT Activity codes

TACTT Activity codes descriptions TACTZ Valid activity codes for each authorization object USR40 Custom password checks TDDAT Defines the link between tables and their authorization classes T000 T001 TGSB SAP Clients SAP companies Business Areas and Plants

Errors and important events are logged in the system logs. These logs should be reviewed daily. The servers in an SAP system record events and problems in a set of local and central system logs. These logs may be displayed and maintained on-line from the Menu Path: Tools - Administration Monitoring - System log. Local logs keep only messages issued by the local application server. Each application server has a local log file. System logs are configured by setting parameters in the system profile. Transaction SU93 and SU91 display changes made to a users master record or profiles. Logging of Changes to Authorizations: All changes to user master records, profiles, and authorization value sets. For example, user master records will display added or deleted from the list in the user master records. It will not display modified profiles rather, the log of changes to profiles could be used to identified changed profiles. Changes to a users password, user type, user group, period of validity, and account number.

For each item in the log, the system reports both the old and new version of any lines that have changed. This log is a valuable control over unauthorized changes to users access capabilities and needs to be reviewed daily.

Reports for Auditing Security Menu Path: Information - Current Information Displays detailed information on user master records, authorization profiles, authorization objects, and authorization value sets. With this facility, it is possible to display all user master records and/or profiles that contain a specific object. Modules SAP application modules. 1. 2. 3. 4. BC SAP Basis module Logistics: Human Resources: Financial and Administration: SD, MM, PP, QM, PM HR FI, CO, AM, PS, OC

Change Management Backup and Recovery Daily backups are necessary to ensure the recoverability of data, in the event of a disaster. SAP includes SAPDBA program that is used to perform database administration tasks. SAP can be backed up on-line. Redo logs (Oracle) should also be archived daily. Security Administration Users who are able to change user master records, profiles and/or authorization value sets need to be tightly controlled. The system provides a number of standard authorization objects that can be used. User Groups S_USER_GRP Fields User group Values Names of the user groups for which an administrator is authorized. 01: Create user master records add profiles to new or existing records 02: Edit 03: Display 05: Lock or unlock user 06: Delete a user master record 08: Display user change records

Administrator actions

Authorization Profile S_USER_PRO Fields Profile name Values The profile names for which an administrator is authorized.

Administrator

01: Create profiles and enter actions authorizations into them 02: Edit 03: Display 06: Delete a profile 08: Display change records 22: Add profiles to user master record Authorizations Value Sets S_USER_AUT Fields Object name Values The names of the authorization objects for which an administrator is authorized. The names of the authorization value sets for which an administrator is authorized 01: Create authorization value actions 02: Edit 03: Display 06: Delete 07: Activate 08: Display change records 22: Enter authorizations into a profile

Authorization name

Administrator set

Table Maintenance S_TABU_DIS Fields DICBERCLS ACTVT Values Table classes for which a user access is authorized Activity code

Table Maintenance Across Clients S_TABU_CLI Fields CLIDMAINT Values Access indicator

Object S_USER_GRP Determines which user groups can be administered and consequently all users who are assigned to those groups.

Object S_ADMI_FCD Systems Administration Functions provides powerful systems administration functions, including the following (field = Systems Administration Functions): NADM Network Administration (SM54, 55, 59) UADM Update Administration (SM13) T000 Create New Client TLCK Lock/Unlock Transactions SPAD Authorization for spool administration in all clients SPAR Authorization for client-dependent spool administration SP01 Authorization for administration of spool requests in spool output control (all users and clients) SPOR Spool administration BTCH Test environment, batch UNIX Execute UNIX commands from

SAPMSOS0 RSET SYNC Reset/delete data without archiving Reset buffers

ABAP/4 Dictionary R/3 uses an external database (Oracle in most cases) to hold application data, but it makes use of its own ABAP/4 Dictionary. This Dictionary gives R/3 the functionality to control the environment. 1. Each field in the ABAP/4 Dictionary is described by a domain. When any input is not valid in terms of the domain, it will not be accepted and the user will have to correct the entry in the DYNPRO screen before continuing. The ABAP/4 Dictionary provides the following domain checks: The format of the field must match the definition in the ABAP/4 Dictionary (character, numeric, date, etc.) A number of discrete values may be contained in the domain that are valid for the field. A table can be specified that contains all the values allowed for a particular field. If a table is specified, there must be procedures for ensuring that the tables contents are kept up-to-date.

Restricting Access Controlled by the authorization object System Admin Functions. Only users with the value = DDIC in the Admin Function fields can make changes to the ABAP/4 Dictionary or use the database table utility. It is not possible to further restrict access to alterable tables. Changes are logged by the system and can be queried using the ABAP/4 Dictionary Information System Menu Path: Development - ABAP/4 Dictionary - Info System Dictionary changes should be reviewed daily.

ABAP/4 Programming ABAP/4 is the fourth generation interpretative language in which all R/3 applications are written. The Basis System is written in C. ABAP/4 is a comprehensive programming language. ABAP statements can be written that will read and update data, create new records, etc. ABAP also can contain SQL statements allowing almost unrestricted access to the database. ABAP/4 must be tightly controlled. No ABAP statement changes should be allowed in the production systems environment. 1. Location On Application Server

Restricting Access

Each ABAP needs to be assigned to an authorization group in the report attributes set when creating an ABAP report. Any ABAP that has not been assigned to an authorization group may be run by any user with authorization for object S_PROGRAM. ABAP that have been assigned to a program group can only be run by users who are authorized to that program group using object S_PROGRAM. This object further restricts the manner in which a user is able to run an ABAP. SUBMIT The user may start programs interactively BTCSUBMIT The user may submit programs for execution in the background partition. EDIT The user can maintain attributes and text elements and use utilities for copying and deleting reports ( This does not allow the user to edit ABAP/4 programs). VARIANT The user may maintain variants. Variants are parameters that are passed to an ABAP program.

In the standard system, none of the ABAPs are assigned to authorization groups. Therefore any user that can run transaction SA38 (or SE38 to develop ABAP/4 programs), can run any of the standard ABAPs. It is recommended that all ABAPs be placed in authorization classes and that users should only have authorization for authorization classes (ABAPs) that are required for their job functions. No matter what, the database interface checks are still in play for all ABAPs and the user will not be able to act on data for which they have no authority. ABAPs may be developed on-line using the SAP ABAP editor. The ABAP programs can be assigned to authorization groups. The S_EDITOR authorization object is used to restrict authorization groups a user is able to edit. Any user with S_EDITOR authorization object is able to edit any ABAP program that has not been assigned to an authorization group.

No users should have S_EDITOR. Otherwise they may write a dynamic SQL that allows complete access to all clients data.

ABAP/4 Query

ABAP/4 Query is the report writing software that allows users to generate reports quickly and easily without programming knowledge. It generates an ABAP program. Users cannot access any information to which the user would otherwise not have access. Restricting Access Must be assigned to a user group before they can be run User group contains the functional areas and the names of all people authorized to run queries. Ensure that procedures are in effect to update the user groups when job assignments change. Any user can run any queries defined for a user group of which he/she is a member, regardless of who wrote the query. In order to create or maintain ABAP/4 Queries, a user must be a member of one or more user groups and have a value = 02 (change) in the activity field of the ABAP/4 Query authorization object. In order to maintain the ABAP/4 Query user groups, a user needs the value = 23 (Maintain Environment) in the activity field of the ABAP/4 Query authorization object. This should be restricted to administrators.

Operating Systems 1. Unix 2. NT Start-Up Profiles are stored in /usr/sap<SAP System Name>/sys/profile

Database Management Systems 1. Oracle

Dynpros Screen Generator Dynpros are the input screens used when processing SAP transactions. They include details of the processing logic to be performed on the fields. 1. Dynpros can be developed on-line using the standard SAP Dynpro Path: Tools - Case - Development - Screen Painter. 2. Controls need to be in place to ensure that changes to Dynpros are approved. Screen Painter Menu authorized, tested, and

Number Ranges SAP provides an internal and external numbering mechanism 1. Internal numbers are sequential codes given by the system for documents, article numbers, personnel numbers, etc. 2. Both internal and external numbers are stored in a file SYSV.

Matchcodes These are secondary indexes to enable users to find specific records when the primary key is unknown. 1. Stored in Table MAC

2. Table MAC can be edited on-line using transaction SM31 and accessible through the Menu Path: System - Services - Table Maintenance. Weaknesses 1. In the standard system, none of the ABAPs are assigned to authorization groups.

2. Do not use native SQL calls in ABAPs as they will bypass the dictionary consistency checks. Use open SQL statements. Unlike normal ABAP statements, native SQL and open SQL do not trigger any authorization checks at run time. But using ABAPs with AUTHORITY-CHECK statement, the users authority can be checked at run time for specified objects. 3. 4. 5. SAP* is the default user ID and it has unlimited access capabilities. It should only be given to the system administrators (SUPERUSER). Default system profiles may provide too much authority. Default logon Ids SAP* SAP* DDIC Oracle SAPDBA password = 06071992 password = PASS password = 19920706 Sys System Sapr3 SAP/R3 password = change_on_install password = manager password = sapr3 application ID

Front-end to SQL*DBA Can perform all DBA functions within SAP Authentication is completed in UNIX

6.

Ad-hoc Queries SQL*Plus ODBC

7.

Oracle Tables User02 Table contains all SAP user IDs and passwords

Standard Reports RSAVGL00 RSDECOMP RSDELSAP RSKEYS00 RSTABL00 RSSTAT92 RSSTAT95 RSPARAM RSUSER01 RSUSR000 Financial Authorization Objects Master Data - GL - Customer - Vendor - Bank Documents Balance Sheets Credit Control Data Payment Runs Dunning Runs Example: Object = Company Codes Fields Company codes Values 01 02 03 05 06 08 Create Change Display Block/Unblock Delete Display change documents Table comparison across clients Comparing tables across two systems Delete SAP* from client 066 (EarlyWatch client) Tables comparison: system versus sequential file As for RSKEYS00 Table changes for a selected month Table access statistics Display system parameters settings Test SAP_ALL List all active users