Security Guide
Virsa Compliance Calibrator™ Version 5.2 for SAP ERP Systems
COPYRIGHT
© Copyright 2006 SAP AG. All rights reserved.
SAP Library document classification: PUBLIC
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
Virsa, Virsa Systems, Access Enforcer, ComplianceOne, Compliance Calibrator, Confident Compliance, Continuous Compliance, Firefighter, Risk Terminator, Role Expert, the respective taglines, logos and service marks are trademarks of SAP Governance, Risk and Compliance, Inc., which may be registered in certain jurisdictions.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP—Important Disclaimers
This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error‐free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
Coding Samples
Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or were grossly negligent.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint where to find supplementary documentation. SAP does not warrant the availability and correctness of such supplementary documentation or the ability to serve for a particular purpose. SAP shall not be liable for any damages caused by the use of such documentation unless such damages have been caused by SAP’s gross negligence or willful misconduct.
Accessibility
The information contained in the SAP Library documentation represents SAP’s current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document. This document is for internal use only and may not be circulated or distributed outside your organization without SAP’s prior written authorization.
CONTENTS
Preface
  About this Guide . . . 8
    Conventions . . . 8
    Alert Statements . . . 8
  Product Documentation . . . 9
    Documentation Formats . . . 9
    Installation Guide, Configuration Guide, User Guide, and Release Notes . . . 9
    Online Help . . . 9
  Contacting SAP GRC . . . 10
1 Role Definitions
  /VIRSA/Z_CC_ADMINISTRATOR . . . 12
  /VIRSA/Z_CC_SECURITY_ADMIN . . . 13
  /VIRSA/Z_CC_USER_ADMIN . . . 16
  /VIRSA/Z_CC_BUSINESS_OWNER . . . 17
  /VIRSA/Z_CC_REPORTING . . . 19
2 Authorization Object Definitions
  Introduction . . . 24
  ZVRAT_0001—Table Maintenance . . . 24
  ZVRAT_0002—Execution . . . 26
  ZVRAT_0003—User Groups . . . 26
  ZVRAT_0004—Organizational Rule ID . . . 26
  ZVRAT_0005—Alerts . . . 27
  ZVRAT_0006—Mitigation by Business Unit ID . . . 27
  ZVRAT_0007—Mitigation by Risk ID . . . 27
  ZVRAT_0008—Mitigation by Role Name . . . 27
  ZVRAT_0009—Mitigation by HR Object ID . . . 28
  ZVRAT_0010—Function Maintenance . . . 28
  ZVRAT_0011—Risk Maintenance . . . 28
  ZVRAT_0012—Rules Display . . . 28
  ZVRAT_0013—Business Process Maintenance . . . 29
3 Table Maintenance Authorization Groups
  S_TABU_DIS . . . 32
4 Virsa Tool Box Reports and Utilities Authorization Groups
  Introduction . . . 36
    Example . . . 37
5 Line-Oriented Authorizations
  Introduction . . . 40
  Use . . . 40
  Implementation . . . 40
    Design Organization Criteria . . . 41
    Define Organization Criteria . . . 41
    Define Attributes . . . 42
    Assign Attributes to Table Fields . . . 42
    Include Authorizations for S_TABU_LIN in Roles . . . 43
    Activate Organization Criteria . . . 44
    Cross-Table Check . . . 44
    S_TABU_LIN . . . 45
    Test . . . 45
6 Authorization Check Flowchart
  Authorization Check Flowchart . . . 48
7 Actions Required for NetWeaver
  Actions and Descriptions . . . 52
  Roles . . . 54
8 RFC Authorizations
  RFC Authorizations . . . 62
PREFACE
TOPICS COVERED IN THIS PREFACE
About this Guide
Conventions
Alert Statements
Product Documentation
Documentation Formats
Installation Guide, Configuration Guide, User Guide, and Release Notes
Online Help
Contacting SAP GRC
About this Guide
Conventions
The following conventions are observed throughout this document:
• Bold sans‐serif text is used to designate file and folder names, dialog titles, names of buttons, icons, and menus, and terms that are objects of a user selection.
• Bold text is used to indicate defined terms and word emphasis.
• Italic text is used to indicate user‐specified text, document titles, and word emphasis.
• Monospace text (Courier) is used to show literal text as you would enter it, or as it would appear onscreen.
Alert Statements
The alert statements—Note, Important, and Warning—are formatted in the following styles:
Note: Information that is related to the main text flow, or a point or tip provided in addition to the previous statement or instruction.
Important: Advises of important information, such as a machine or data error that could occur should the user fail to take or avoid a specified action.
Warning: Requires immediate action by the user to prevent actual loss of data, where an action is irreversible, or where physical damage to the machine or devices is possible.
Product Documentation
Documentation Formats
Documentation is provided in the following electronic formats:
• Adobe® Acrobat® PDF files
• Online help
You must have Adobe® Reader® installed to read the PDF files. Adobe Reader installation programs for common operating systems are available for free download from the Adobe Web site at www.adobe.com.
Installation Guide, Configuration Guide, User Guide, and Release Notes
You can download the Installation Guide, Configuration Guide, User Guide, and Release Notes in PDF format.
Online Help
You can access online help by clicking the Help link from within the application.
Contacting SAP GRC
For information on contacting SAP Governance, Risk, and Compliance (SAP GRC), go to the SAP Support Portal on the SAP Service Marketplace at service.sap.com.
In order to use the SAP Support Portal you will need to log in using your SAP user account. If you do not already have an existing SAP user account, you must first create a new account. At the bottom right area of the SAP Service Marketplace page, under the “Questions Regarding Login?” heading, click the “New User? Register here!” link. You will be prompted for a Customer Number or Installation Number which you can get from your SAP Basis Administrator. (In an SAP system you can find your installation number under System ‐> Status ‐> SAP System data.)
To submit your support request(s) from the SAP Support Portal, use the quick‐link “Messages” and follow the “SAP Message Wizard” procedure. All support requests should be logged under the following SAP GRC support components:
• GRC‐SAE Virsa Access Enforcer for SAP
• GRC‐SCC Virsa Compliance Calibrator for SAP
• GRC‐SFF Virsa Firefighter for SAP
• GRC‐SRE Virsa Role Expert for SAP
For more information on the SAP Support Portal, use the quick‐links provided below:
• SAP Notes Search: Here you can search for reference material and possible solutions for any questions regarding the GRC components.
• Messages: Here you can create Support Messages for the GRC components.
• Software Download: Here you can download installations, upgrades, and support packages.
• SAP Service Channel ‐ Your Inbox: Here you can monitor the status of your open messages.
1 ROLE DEFINITIONS
TOPICS COVERED IN THIS CHAPTER
/VIRSA/Z_CC_ADMINISTRATOR
/VIRSA/Z_CC_SECURITY_ADMIN
/VIRSA/Z_CC_USER_ADMIN
/VIRSA/Z_CC_BUSINESS_OWNER
/VIRSA/Z_CC_REPORTING
/VIRSA/Z_CC_ADMINISTRATOR
The SAP Compliance Calibrator Administrator role has complete access to all programs and tables. Users assigned to this role can access Rule Architect, Mitigation Controls, Alerts, Configuration Options, the Compliance Calibrator Tool Box reports and Utilities, and all Risk Analysis reports and simulations running in the foreground or background.
Table 1 Authorization Objects
Authorization Object   Field Name                              Field Value
ZVRAT_0001             Action                                  *
ZVRAT_0002             Activity                                *
ZVRAT_0003             User group in user master maintenance   *
ZVRAT_0004             Org. Rule ID                            *
ZVRAT_0005             Mitigating Control ID                   *
                       Risk ID                                 *
ZVRAT_0006             Business Unit ID                        *
ZVRAT_0007             Risk ID                                 *
ZVRAT_0008             Role Name                               *
ZVRAT_0009             Object ID                               *
ZVRAT_0010             Activity                                *
                       Function                                *
ZVRAT_0011             Activity                                *
                       ID                                      *
ZVRAT_0012             Risk ID                                 *
ZVRAT_0013             Activity                                *
                       ID                                      *
Table 2 Additional Authorization Objects
Authorization Object   Field Name                    Field Value
S_TCODE                Transaction                   /VIRSA/ZVRAT, /VIRSA/ZVRAT*, /VIRSA/ALERTGEN, /VIRSA/ORG*
S_DATASET              Activity                      33, 34
                       Physical file name            *
                       ABAP program name             /VIRSA/*
S_TABU_DIS             Activity                      *
                       Authorization Group           ZC*, ZV*
S_DEVELOP              Activity                      03
                       Package                       /VIRSA/*
                       Object Name                   /VIRSA/ZVRAT_TOOLS
                       Object Type                   MENU
                       Auth Group ABAP/4 program     *
S_PROGRAM              User Action ABAP/4 program    *
                       Auth Group ABAP/4 program     ZVRAT*
/VIRSA/Z_CC_SECURITY_ADMIN
Security administrators assigned to the Compliance Calibrator Security_Admin role have the following abilities and access:
• Access to perform user and role analysis
• Access to perform rule maintenance
• Ability to display alerts
• Ability to maintain mitigating control references and approvers
• Ability to assign mitigation controls to roles and profiles
• Ability to execute Tool Box utilities
• Ability to display all tables in authorization groups ZC* and ZV* [S_TABU_DIS]
• Ability to maintain select tables in authorization groups ZC* and ZV* [S_TABU_DIS]
• Read/write access to /VIRSA/* ABAP programs [S_DATASET]
• Execute programs in authorization group ZVRAT* [S_PROGRAM]
Table 3 Virsa Authorization Objects
Authorization Object   Field Name                              Field Value
ZVRAT_0001             Action                                  AOBJ, ATCD, CAUT, CPAR, CPRF, CROL, CTCD, MBUA, MBUS, MHRO, MMAP, MMON, MPRO, MREF, MREP, MRIS, MROL, OBJT, ORGR, TCOD, V*
ZVRAT_0002             Activity                                16, 37, 48
ZVRAT_0003             User group in user master maintenance   *
ZVRAT_0004             Org. Rule ID                            *
ZVRAT_0005             Mitigating Control ID                   Inactive
                       Risk ID                                 Inactive
ZVRAT_0006             Business Unit ID                        *
ZVRAT_0007             Risk ID                                 *
ZVRAT_0008             Role Name                               *
ZVRAT_0009             Object ID                               *
ZVRAT_0010             Activity                                *
                       Function                                *
ZVRAT_0011             Activity                                *
                       ID                                      *
ZVRAT_0012             Risk ID                                 *
ZVRAT_0013             Activity                                Inactive
                       Business Process ID                     *
Table 4 Additional Authorization Objects
Authorization Object   Field Name                    Field Value
S_TCODE                Transaction                   Pre‐existing: /VIRSA/ALERTGEN, /VIRSA/ORGRULES, /VIRSA/ORGUSERS, /VIRSA/ORGUSRMAPPING, /VIRSA/ZVRAT, /VIRSA/ZVRAT_C01, /VIRSA/ZVRAT_M01, /VIRSA/ZVRAT_M02, /VIRSA/ZVRAT_M03, /VIRSA/ZVRAT_M04, /VIRSA/ZVRAT_P01, /VIRSA/ZVRAT_R01, /VIRSA/ZVRAT_RB3, /VIRSA/ZVRAT_S01, /VIRSA/ZVRAT_S05, /VIRSA/ZVRAT_S06, /VIRSA/ZVRAT_S07, /VIRSA/ZVRAT_S08, /VIRSA/ZVRAT_S09, /VIRSA/ZVRAT_S10, /VIRSA/ZVRAT_S11, /VIRSA/ZVRAT_S13, /VIRSA/ZVRAT_S14, /VIRSA/ZVRAT_S15, /VIRSA/ZVRAT_S16, /VIRSA/ZVRAT_U01, /VIRSA/ZVRAT_U02, /VIRSA/ZVRAT_U03, /VIRSA/ZVRAT_U05
                                                     New for SP2: /VIRSA/ZVRAT_M05, /VIRSA/ZVRAT_MG1
S_DATASET              Activity                      33, 34
                       Physical file name            *
                       ABAP program name             /VIRSA/*
S_TABU_DIS             Activity                      03
                       Authorization Group           ZC&*, ZV&*
                       Activity                      02
                       Authorization Group           ZC&A, ZC&B, ZC&C, ZC&D, ZC&E, ZC&F, ZC&G, ZC&H, ZC&I, ZC&J, ZC&K, ZC&L, ZC&M, ZM&O, ZV&A, ZV&B, ZV&C, ZV&D, ZV&E, ZV&G, ZV&I, ZV&J, ZV&K, ZV&L, ZV&M, ZV&N, ZV&Q, ZV&R, ZV&S
S_DEVELOP              Activity                      03
                       Package                       /VIRSA/*
                       Object Name                   /VIRSA/ZVRAT_TOOLS
                       Object Type                   MENU
                       Auth Group ABAP/4 program     *
S_PROGRAM              User Action ABAP/4 program    *
                       Auth Group ABAP/4 program     ZVRAT*
/VIRSA/Z_CC_USER_ADMIN
User administrators assigned to the Compliance Calibrator User_Admin role have the following abilities and access:
• Ability to perform user and role analysis
• Ability to assign mitigation controls to users
• Ability to perform simulations and role assignment from simulation
• Ability to maintain tables in authorization group ZV&H [S_TABU_DIS]
• Access to display all tables in authorization groups ZC* and ZV* [S_TABU_DIS]
• Execute programs in authorization group ZVRAT* [S_PROGRAM]
Table 5 Virsa Authorization Objects
Authorization Object   Field Name                              Field Value
ZVRAT_0001             Action                                  MUSR, UASG, V*
ZVRAT_0002             Activity                                16, 37, 48
ZVRAT_0003             User group in user master maintenance   *
ZVRAT_0004             Org. Rule ID                            Inactive
ZVRAT_0005             Mitigating Control ID                   Inactive
                       Risk ID                                 Inactive
ZVRAT_0006             Business Unit ID                        *
ZVRAT_0007             Risk ID                                 *
ZVRAT_0008             Role Name                               *
ZVRAT_0009             Object ID                               *
ZVRAT_0010             Activity                                Inactive
                       Function                                Inactive
ZVRAT_0011             Activity                                Inactive
                       ID                                      Inactive
ZVRAT_0012             Risk ID                                 Inactive
ZVRAT_0013             Activity                                Inactive
                       Business Process ID                     *
Table 6 Additional Authorization Objects
Authorization Object   Field Name                    Field Value
S_TCODE                Transaction                   /VIRSA/ZVRAT
S_TABU_DIS             Activity                      03
                       Authorization Group           ZC&*, ZV&*
                       Activity                      02
                       Authorization Group           ZV&H
S_DEVELOP              Activity                      03
                       Package                       /VIRSA/*
                       Object Name                   /VIRSA/ZVRAT_TOOLS
                       Object Type                   MENU
                       Auth Group ABAP/4 program     *
S_PROGRAM              User Action ABAP/4 program    *
                       Auth Group ABAP/4 program     ZVRAT*
/VIRSA/Z_CC_BUSINESS_OWNER
Business owners assigned to the Compliance Calibrator Business_Owner role have the following abilities and access:
• Ability to perform user and role analysis
• Ability to execute select reports in the Tool Box
• Access to display Rule Architect and Mitigation Controls modules
• Access to display all Compliance Calibrator tables
• Access to display select tables in authorization groups ZC* and ZV* [S_TABU_DIS]
• Execute programs in authorization group ZVRA* [S_PROGRAM]
Note: If business owners should have authorization to clear alerts, the Business_Owner role needs to include object ZVRAT_0005. This object is not included by default.
Table 7 Virsa Authorization Objects
Authorization Object   Field Name                              Field Value
ZVRAT_0001             Action                                  V*
ZVRAT_0002             Activity                                16, 37, 48
ZVRAT_0003             User group in user master maintenance   *
ZVRAT_0004             Org. Rule ID                            Inactive
ZVRAT_0005             Mitigating Control ID                   Inactive
                       Risk ID                                 Inactive
ZVRAT_0006             Business Unit ID                        Inactive
ZVRAT_0007             Risk ID                                 Inactive
ZVRAT_0008             Role Name                               Inactive
ZVRAT_0009             Object ID                               Inactive
ZVRAT_0010             Activity                                Inactive
                       Function                                Inactive
ZVRAT_0011             Activity                                Inactive
                       ID                                      Inactive
ZVRAT_0012             Risk ID                                 Inactive
ZVRAT_0013             Activity                                Inactive
                       Business Process ID                     *
Table 8 Additional Authorization Objects
Authorization Object   Field Name                    Field Value
S_TCODE                Transaction                   /VIRSA/ZVRAT, /VIRSA/ZVRAT_C01, /VIRSA/ZVRAT_D01, /VIRSA/ZVRAT_M02, /VIRSA/ZVRAT_P01, /VIRSA/ZVRAT_R01, /VIRSA/ZVRAT_S01, /VIRSA/ZVRAT_S08, /VIRSA/ZVRAT_U01, /VIRSA/ZVRAT_U03, /VIRSA/ZVRAT_U05
S_TABU_DIS             Activity                      03
                       Authorization Group           ZC*, ZV*
S_DEVELOP              Activity                      03
                       Package                       /VIRSA/*
                       Object Name                   /VIRSA/ZVRAT_TOOLS
                       Object Type                   MENU
                       Auth Group ABAP/4 program     *
S_PROGRAM              User Action ABAP/4 program    *
                       Auth Group ABAP/4 program     ZVRA*
/VIRSA/Z_CC_REPORTING
Business owners assigned to the Compliance Calibrator Business_Owner role have the following abilities and access permissions:
• Ability to perform user and role analysis
• Ability to display Rule Architect, Mitigation Controls, and Alerts modules
• Ability to execute select reports in the Tool Box
• Access to display select tables in authorization groups ZC* and ZV* [S_TABU_DIS]
• Execute programs in authorization group ZVRAT* [S_PROGRAM]
Note: There are no security restrictions for creating business processes. All other Rule Architect features are limited to display only.
Table 9 Virsa Authorization Objects
Authorization Object   Field Name                              Field Value
ZVRAT_0001             Action                                  V*
ZVRAT_0002             Activity                                16, 37, 48
ZVRAT_0003             User group in user master maintenance   *
ZVRAT_0004             Org. Rule ID                            Inactive
ZVRAT_0005             Mitigating Control ID                   Inactive
                       Risk ID                                 Inactive
ZVRAT_0006             Business Unit ID                        Inactive
ZVRAT_0007             Risk ID                                 Inactive
ZVRAT_0008             Role Name                               Inactive
ZVRAT_0009             Object ID                               Inactive
ZVRAT_0010             Activity                                Inactive
                       Function                                Inactive
ZVRAT_0011             Activity                                Inactive
                       ID                                      Inactive
ZVRAT_0012             Risk ID                                 Inactive
ZVRAT_0013             Activity                                Inactive
                       Business Process ID                     *
Table 10 Additional Authorization Objects
Authorization Object   Field Name                    Field Value
S_TCODE                Transaction                   /VIRSA/ZVRAT, /VIRSA/ZVRAT_D01, /VIRSA/ZVRAT_M02, /VIRSA/ZVRAT_P01, /VIRSA/ZVRAT_R01, /VIRSA/ZVRAT_S01, /VIRSA/ZVRAT_S08, /VIRSA/ZVRAT_U01, /VIRSA/ZVRAT_U03, /VIRSA/ZVRAT_U05
S_TABU_DIS             Activity                      03
                       Authorization Group           ZC*, ZV*
S_DEVELOP              Activity                      03
                       Package                       /VIRSA/*
                       Object Name                   /VIRSA/ZVRAT_TOOLS
                       Object Type                   MENU
                       Auth Group ABAP/4 program     *
S_PROGRAM              User Action ABAP/4 program    *
                       Auth Group ABAP/4 program     ZVRA*
2 AUTHORIZATION OBJECT DEFINITIONS
TOPICS COVERED IN THIS CHAPTER
Introduction
ZVRAT_0001—Table Maintenance
ZVRAT_0002—Execution
ZVRAT_0003—User Groups
ZVRAT_0004—Organizational Rule ID
ZVRAT_0005—Alerts
ZVRAT_0006—Mitigation by Business Unit ID
ZVRAT_0007—Mitigation by Risk ID
ZVRAT_0008—Mitigation by Role Name
ZVRAT_0009—Mitigation by HR Object ID
ZVRAT_0010—Function Maintenance
ZVRAT_0011—Risk Maintenance
ZVRAT_0012—Rules Display
ZVRAT_0013—Business Process Maintenance
Introduction
All object field actions employ the following naming convention. Object field action names begin with “/VIRSA/” and are followed by the name of the field action.
ZVRAT_0001—Table Maintenance
Authorization object ZVRAT_0001 controls the maintenance of Compliance Calibrator tables.
The object has only one field, /VIRSA/ATN (Action). Table maintenance is controlled by the action values of authorization object ZVRAT_0001.
This authorization object also controls the type of analysis that can be performed using Compliance Calibrator. The action codes shaded gray in the original table (the V* execution codes, VJOB through VUSR) control analysis types.
Defined Field
/VIRSA/ATN (Action)
Table 11 Object Values
Action Code   Description                                                                      Table
*             All activities (complete access)
TCOD          SoD Transaction Code Table                                                       /VIRSA/ZSODTC
CTCD          Critical Transactions Table                                                      /VIRSA/ZCRTRAN
OBJT          SoD Authorization Object Level Table                                             /VIRSA/ZCRAUTH
CROL          Critical Roles Table                                                             /VIRSA/ZCRROLES
CPRF          Critical Profiles Table                                                          /VIRSA/ZCRPROF
CNFG          Configuration Table                                                              /VIRSA/ZVRATCNFG
MUSR          Mitigating Control User Table                                                    /VIRSA/ZMITCNTL
MREF          Mitigating Controls Table                                                        /VIRSA/ZMITREF
MROL          Mitigating Control Role Table                                                    /VIRSA/ZMITROLE
MPRO          Mitigating Control Profile Table                                                 /VIRSA/ZMITPROF
MHRO          Mitigating Control HR Object Table                                               /VIRSA/ZMITHROBJ
MMON          Mitigating Control Monitor Table                                                 /VIRSA/ZMITAPVR
MBUA          Business Unit Approvers                                                          /VIRSA/BUAPPVR
MBUS          Mitigating Business Units                                                        /VIRSA/ZBUSUNIT
MMAP          Monitors and Approvers                                                           /VIRSA/ZMITMON
MREP          Mitigating Reports                                                               /VIRSA/MITREPORT
MRIS          Associated Risks                                                                 /VIRSA/ZMITRISKS
CCTC          Custom Critical Transactions Table (Custom Utilities Restricted Transactions)    /VIRSA/ZCRTRANC1
CCSO          Custom SoD Object Table (Custom Utilities Restricted Objects)                    /VIRSA/ZCRAUTHC1
CPAR          SoD (Object) level Supp. Table                                                   /VIRSA/ZCRPARAM
CCST          Custom SoD TCode Table (Custom Utilities SoD Summary)                            /VIRSA/ZSODTCC1
CAUT          Critical Authorization Objects                                                   /VIRSA/ZCRAUTHOB
ATCD          Analyzed Transactions                                                            /VIRSA/ZANALTRAN
AOBJ          Analyzed Authorization Objects                                                   /VIRSA/ZANALOBJT
ORGR          Organizational Rule ID                                                           /VIRSA/ORGRULES
VJOB          Job Level Execution
VORG          Organization Level Execution
VPOS          Position Level Execution
VPRF          Profile Level Execution
VROL          Role Level Execution
VUGP          User Group Level Execution
VUSR          User Level Execution
UASG          Role Assignment to Users
BMON          Business Unit Monitors                                                           /VIRSA/BUMONITOR
FSCM          Forceful Scan
MGUP          Update Management Report
ZVRAT_0002—Execution
Authorization object ZVRAT_0002 restricts the execution of the Compliance Calibrator transaction and the ability to upload and download Compliance Calibrator tables.
This object has one field, /VIRSA/ACT (Activity).
Defined Field
/VIRSA/ACT (Activity)
Table 12 Object Values
Activity Code   Description
16              Execute (foreground)
37              Schedule in background
48              Simulation
DL              Download
UL              Upload
ZVRAT_0003—User Groups
Authorization object ZVRAT_0003 is used to restrict Compliance Calibrator users to certain user groups.
This object has only one field, CLASS.
Defined Field
CLASS—User group in user master maintenance
ZVRAT_0004—Organizational Rule ID
Authorization object ZVRAT_0004 is used to restrict Compliance Calibrator analysis by Organizational Rule ID.
This object has only one field, /VIRSA/ORG.
Defined Field
/VIRSA/ORG—Organizational Rule ID values defined in the /VIRSA/ORGRULES table
ZVRAT_0005—Alerts
Authorization object ZVRAT_0005 is used to restrict clearing alerts.
This object has two fields, /VIRSA/MIT and /VIRSA/RSD.
Defined Fields
/VIRSA/MIT—Mitigating Control ID—Mitigation Control ID values stored in the /VIRSA/ZMITREF table
/VIRSA/RSD—Risk ID—Risk ID values defined in the /VIRSA/ZCRTRAN table (critical transactions) and Risk ID values stored in the /VIRSA/RISKS table
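The following Python is an added example, not code from this guide or from SAP/Virsa. It models the authorization check that the roles in Chapter 1 are subject to, using the ZVRAT_0001, ZVRAT_0005 and S_TABU_DIS values printed in Tables 1 to 8, a subset of the action codes in Table 11 and three table-to-group mappings from Table 13, so that a role review can ask which actions, which alert clearings and which table changes a role actually permits. It assumes the standard SAP rule that every field of an object must match within a single authorization, that * alone or at the end of a value is a wildcard, and that an Inactive authorization grants nothing; ACTVT and DICBERCLS are the standard S_TABU_DIS field names, and the mitigating control and risk IDs used in the checks are constructed sample values.

```python
from typing import Dict, List, Set, Union

# ZVRAT_0001 action codes from Table 11 (excerpt). The V* codes are the analysis
# ("execution") codes; each of the others guards maintenance of one Virsa table.
ACTION_CODES = ["TCOD", "MREF", "MUSR", "UASG", "VUSR", "VROL"]

# Table name -> S_TABU_DIS authorization group, from Table 13 (excerpt).
TABLE_AUTH_GROUPS = {"/VIRSA/ZBUSUNIT": "ZC&L", "/VIRSA/ZCRTRAN": "ZV&B",
                     "/VIRSA/ZMITAPVR": "ZV&N"}

# An authorization is one dict of field -> list of values; an object may carry
# several of them. "Inactive" is kept verbatim as the guide prints it.
Authorization = Dict[str, List[str]]
RoleDef = Dict[str, Union[List[Authorization], str]]

SECURITY_ADMIN_ACTIONS = [  # ZVRAT_0001 values, Table 3
    "AOBJ", "ATCD", "CAUT", "CPAR", "CPRF", "CROL", "CTCD", "MBUA", "MBUS", "MHRO",
    "MMAP", "MMON", "MPRO", "MREF", "MREP", "MRIS", "MROL", "OBJT", "ORGR", "TCOD", "V*",
]
SECURITY_ADMIN_CHANGE_GROUPS = [  # S_TABU_DIS activity 02 groups, Table 4
    "ZC&A", "ZC&B", "ZC&C", "ZC&D", "ZC&E", "ZC&F", "ZC&G", "ZC&H", "ZC&I", "ZC&J",
    "ZC&K", "ZC&L", "ZC&M", "ZM&O", "ZV&A", "ZV&B", "ZV&C", "ZV&D", "ZV&E", "ZV&G",
    "ZV&I", "ZV&J", "ZV&K", "ZV&L", "ZV&M", "ZV&N", "ZV&Q", "ZV&R", "ZV&S",
]

# Field values copied from Tables 1 to 8. S_TABU_DIS is modelled with its standard
# fields ACTVT (03 = display, 02 = change) and DICBERCLS (authorization group).
ROLES: Dict[str, RoleDef] = {
    "/VIRSA/Z_CC_ADMINISTRATOR": {
        "ZVRAT_0001": [{"/VIRSA/ATN": ["*"]}],
        "ZVRAT_0005": [{"/VIRSA/MIT": ["*"], "/VIRSA/RSD": ["*"]}],
        "S_TABU_DIS": [{"ACTVT": ["*"], "DICBERCLS": ["ZC*", "ZV*"]}],
    },
    "/VIRSA/Z_CC_SECURITY_ADMIN": {
        "ZVRAT_0001": [{"/VIRSA/ATN": SECURITY_ADMIN_ACTIONS}],
        "ZVRAT_0005": "Inactive",
        "S_TABU_DIS": [{"ACTVT": ["03"], "DICBERCLS": ["ZC&*", "ZV&*"]},
                       {"ACTVT": ["02"], "DICBERCLS": SECURITY_ADMIN_CHANGE_GROUPS}],
    },
    "/VIRSA/Z_CC_USER_ADMIN": {
        "ZVRAT_0001": [{"/VIRSA/ATN": ["MUSR", "UASG", "V*"]}],
        "ZVRAT_0005": "Inactive",
        "S_TABU_DIS": [{"ACTVT": ["03"], "DICBERCLS": ["ZC&*", "ZV&*"]},
                       {"ACTVT": ["02"], "DICBERCLS": ["ZV&H"]}],
    },
    "/VIRSA/Z_CC_BUSINESS_OWNER": {
        "ZVRAT_0001": [{"/VIRSA/ATN": ["V*"]}],
        "ZVRAT_0005": "Inactive",
        "S_TABU_DIS": [{"ACTVT": ["03"], "DICBERCLS": ["ZC*", "ZV*"]}],
    },
}


def value_matches(pattern: str, value: str) -> bool:
    """SAP-style comparison: '*' matches anything and a trailing '*' matches a
    prefix (assumption: no mid-string wildcards, since none appear in the tables)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(role: RoleDef, obj: str, fields: Dict[str, str]) -> bool:
    """Succeeds only if ONE authorization for `obj` matches EVERY requested field;
    values are never combined across two authorizations of the same object."""
    auths = role.get(obj)
    if not auths or auths == "Inactive":  # object absent or deactivated in the role
        return False
    return any(all(any(value_matches(p, v) for p in auth.get(f, []))
                   for f, v in fields.items()) for auth in auths)


def allowed_actions(role_name: str) -> Set[str]:
    """ZVRAT_0001 action codes (Table 11 excerpt) the role may perform."""
    role = ROLES[role_name]
    return {c for c in ACTION_CODES if authority_check(role, "ZVRAT_0001", {"/VIRSA/ATN": c})}


def can_change_table(role_name: str, table: str) -> bool:
    """S_TABU_DIS change access (ACTVT 02), resolved via the table's group in Table 13."""
    return authority_check(ROLES[role_name], "S_TABU_DIS",
                           {"ACTVT": "02", "DICBERCLS": TABLE_AUTH_GROUPS[table]})


def can_clear_alert(role: RoleDef, mit_id: str, risk_id: str) -> bool:
    """ZVRAT_0005, the object that guards clearing an alert (both fields must match)."""
    return authority_check(role, "ZVRAT_0005", {"/VIRSA/MIT": mit_id, "/VIRSA/RSD": risk_id})


def with_alert_clearing(role: RoleDef, mit_ids: List[str], risk_ids: List[str]) -> RoleDef:
    """Copy of `role` with ZVRAT_0005 added, as the Business_Owner note requires."""
    extended = dict(role)
    extended["ZVRAT_0005"] = [{"/VIRSA/MIT": list(mit_ids), "/VIRSA/RSD": list(risk_ids)}]
    return extended
```

For the User_Admin role, can_change_table on /VIRSA/ZBUSUNIT returns False even though Table 6 lists both activity 02 and a ZC&* group, because they sit in different authorizations; a role review has to reproduce exactly that per-authorization matching.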
ZVRAT_0006—Mitigation by Business Unit ID
Authorization object ZVRAT_0006 is used to restrict mitigation by Business Unit ID.
This object has one field, /VIRSA/BUS.
Defined Field
/VIRSA/BUS—Business Unit ID values stored in the /VIRSA/ZBUSUNIT table
ZVRAT_0007—Mitigation by Risk ID
Authorization object ZVRAT_0007 is used to restrict mitigation by Risk ID.
This object has one field, /VIRSA/RSD.
Defined Field
/VIRSA/RSD—Risk ID values stored in the /VIRSA/ZMITRISKS table
ZVRAT_0008—Mitigation by Role Name
Authorization object ZVRAT_0008 is used to restrict mitigation by Role Name.
This object has one field, /VIRSA/ROL.
Defined Field
/VIRSA/ROL—Role Name
ZVRAT_0009—Mitigation by HR Object ID
Authorization object ZVRAT_0009 is used to restrict mitigation by HR Object ID.
This object has one field, /VIRSA/OBJ.
Defined Field
/VIRSA/OBJ—HR Object ID
ZVRAT_0010—Function Maintenance
Authorization object ZVRAT_0010 is used to restrict function maintenance by Function ID.
This object has two fields, ACTVT and /VIRSA/FUN.
Defined Fields
ACTVT—Activity
/VIRSA/FUN—Function ID values stored in the /VIRSA/FUNCTION table
ZVRAT_0011—Risk Maintenance
Authorization object ZVRAT_0011 is used to restrict Risk maintenance by Risk ID.
This object has two fields, ACTVT and /VIRSA/RSK.
Defined Fields
ACTVT—Activity
/VIRSA/RSK—Risk ID values stored in the /VIRSA/RISKS table
ZVRAT_0012—Rules Display
Authorization object ZVRAT_0012 is used to restrict rules display by Rule ID.
This object has one field, /VIRSA/RSD.
Defined Field
/VIRSA/RSD—Risk ID values stored in the /VIRSA/RISKS table
ZVRAT_0013—Business Process Maintenance
Authorization object ZVRAT_0013 is used to restrict business process maintenance by Business Process ID.
This object has two fields, ACTVT and /VIRSA/V01.
Defined Fields
ACTVT—Activity
/VIRSA/V01—Business Process ID values stored in the /VIRSA/BUSSPROC table
3 TABLE MAINTENANCE AUTHORIZATION GROUPS
TOPICS COVERED IN THIS CHAPTER
S_TABU_DIS
S_TABU_DIS
S_TABU_DIS is checked when maintaining tables. Each table is protected with a unique authorization group. The mapping of authorization groups to the tables is shown in Table 13.
Note If you are implementing additional customer-specific functionality, you need access to the highlighted tables.
Table 13 Table Authorization Groups
Table Name | Description | Auth. Group
/VIRSA/ALMAILIDS | Compliance Calibrator Alert Email IDs | ZC&N
/VIRSA/BUAPPVR | Business Unit Approver | ZC&M
/VIRSA/ORGRULES | Organizational values | ZC&I
/VIRSA/ORGUSERS | Mapping between users and the organizational values | ZC&J
/VIRSA/ZANALOBJT | Analyzed authorization objects | ZV&Q
/VIRSA/ZANALTRAN | Analyzed transactions | ZV&I
/VIRSA/ZBUSUNIT | Business Units | ZC&L
/VIRSA/ZCRAUTH | Authorization Objects | ZV&C
/VIRSA/ZCRAUTHC1 | Restricted Critical Authorizations | ZV&M
/VIRSA/ZCRAUTHL1 | SoD Authorization Object | ZC&C
/VIRSA/ZCRAUTHL2 | SoD Authorization Object | ZC&D
/VIRSA/ZCRAUTHL3 | SoD Authorization Object | ZC&E
/VIRSA/ZCRAUTHL4 | SoD Authorization Object | ZC&F
/VIRSA/ZCRAUTHL5 | SoD Authorization Object | ZC&G
/VIRSA/ZCRAUTHOB | Critical Authorization Objects | ZV&J
/VIRSA/ZCRPARAM | SoD (Object Level) Supp. Table | ZV&O
/VIRSA/ZCRPROF | Critical Profiles | ZV&D
/VIRSA/ZCRROLES | Critical Roles | ZV&E
/VIRSA/ZCRTRAN | Critical Transactions | ZV&B
/VIRSA/ZCRTRANC1 | Restricted Transactions | ZV&L
/VIRSA/ZMITAPVR | Mitigating Control Monitors | ZV&N
/VIRSA/ZMITCNTL | Mitigating Control—Users | ZV&H
/VIRSA/ZMITHROBJ | Mitigating Control—HR Object | ZC&H
/VIRSA/ZMITMON | Mitigating Monitors and Approvers | ZV&S
/VIRSA/ZMITPROF | Mitigating Control—Profile | ZC&B
/VIRSA/ZMITREF | Mitigating Controls | ZV&G
/VIRSA/ZMITRISKS | Mitigating Risks | ZV&R
/VIRSA/ZMITROLE | Mitigating Control—Role | ZV&K
/VIRSA/ZSODMIT | SoD Group Id and Mitigating Reference Number Relationship | ZC&K
/VIRSA/ZSODTC | SoD (TCode) | ZV&A
/VIRSA/ZSODTCC1 | Restricted SoD at TCode Level | ZV&P
/VIRSA/ZVRATCNFG | Compliance Calibrator Configuration | ZV&F
/VIRSA/BUMONITOR | Business unit monitors | ZC&O
4 VIRSA TOOL BOX REPORTS AND UTILITIES AUTHORIZATION GROUPS
TOPICS COVERED IN THIS CHAPTER
Introduction
Example
Introduction
All reports and utilities in the Virsa Tool Box are assigned authorization groups. This means that a user needs authorization for object S_PROGRAM to execute a report. The following authorization groups have been assigned to the reports/utilities in the Tool Box:
Table 14 Program Authorization Groups
Program Name | Description | Auth. Group
/VIRSA/ALERTGEN | Activity Monitoring | ZVRATAL
/VIRSA/ORGUSRMAPPING | Program to maintain ORGUSERS table | ZVRATOR
/VIRSA/ZVRAT | Compliance Calibrator | ZVRAT
/VIRSA/ZVRATBAK | Compliance Calibrator | ZVRAT
/VIRSA/ZVRATBAKC1 | Custom Reports | ZVRAT
/VIRSA/ZVRAT_C01 | Security & Controls Policies and Procedures | ZVRATC01
/VIRSA/ZVRAT_D01 | Download Spool Requests by Job Name | ZVRATD01
/VIRSA/ZVRAT_DOWNLOAD | Download a table | ZVRATUPL
/VIRSA/ZVRAT_M01 | Upload/Download Compliance Calibrator Tables | ZVRATM01
/VIRSA/ZVRAT_M02 | Where used list for Mitigating Control Id/Monitor | ZVRATM02
/VIRSA/ZVRAT_M03 | Analyze disabled SoD TCodes and objects | ZVRATM02
/VIRSA/ZVRAT_M04 | Optimizer for SoD Data Table | ZVRATM03
/VIRSA/ZVRAT_M05 | Where used list for Control ID Monitor | ZVRATM05
/VIRSA/ZVRAT_P01 | Display changes to Profiles | ZVRATP01
/VIRSA/ZVRAT_R01 | Count authorizations in roles | ZVRATR01
/VIRSA/ZVRAT_RB2 | Rule Architect Wizard | ZVRATS05
/VIRSA/ZVRAT_RB3 | SoD Rule Builder Wizard | ZVRATS05
/VIRSA/ZVRAT_S01 | Monitor actual usage of Conflicting & Critical Transactions | ZVRATS01
/VIRSA/ZVRAT_S02 | Identify Transactions executed by User(s) | ZVRATS02
/VIRSA/ZVRAT_S03 | Download Authorization Objects for the SoD Transaction Codes | ZVRATS03
/VIRSA/ZVRAT_S04 | Build SoD Object Level Rules from SoD TCodes & Auth. Objects | ZVRATS04
/VIRSA/ZVRAT_S05 | SoD Rule Builder Wizard | ZVRATS05
/VIRSA/ZVRAT_S06 | SoD Rule Validation Tool | ZVRATS06
/VIRSA/ZVRAT_S07 | Non Reference Report—TCodes by Roles/Profiles, not in SoD tables | ZVRATS07
/VIRSA/ZVRAT_S08 | User Access Report | ZVRATS08
/VIRSA/ZVRAT_S09 | Comparing different SoD Matrices | ZVRATS09
/VIRSA/ZVRAT_S10 | TCodes by Roles/Profiles, never executed in a specific time period | ZVRATS10
/VIRSA/ZVRAT_S11 | Authorization Object by Roles/Profiles Report (not in SoD Tables) | ZVRATS11
/VIRSA/ZVRAT_S13 | Comparing Critical Transaction Matrices | ZVRATS13
/VIRSA/ZVRAT_S14 | Comparing SoD Authorization Objects | ZVRATS14
/VIRSA/ZVRAT_S15 | Compare SoD TCode Matrix with SoD Authorization Object TCodes | ZVRATS15
/VIRSA/ZVRAT_S16 | Compliance Calibrator Data Maintenance | ZVRATS16
/VIRSA/ZVRAT_U01 | Count authorizations for Users | ZVRATU01
/VIRSA/ZVRAT_U02 | Analysis of called transactions in Custom Code | ZVRATU02
/VIRSA/ZVRAT_U03 | Management Report for SoD Remediation | ZVRATU03
/VIRSA/ZVRAT_U05 | List Expired and Expiring Roles for Users | ZVRATU05
/VIRSA/ZVRAT_UPDWNLOAD | Program for Upload and Download of data | ZVRATUD
/VIRSA/ZVRAT_UPLOAD | Upload a table | ZVRATUPL
/VIRSA/ZVRAT_CONV | Conversion of Compliance Calibrator tables, old to new | ZVRATCN
Example
To execute report ‘Upload/Download Compliance Calibrator tables’, a user needs the following authorizations:
Object: S_PROGRAM
Field: User Action
Value: SUBMIT
Field: Auth Group
Value: ZVRATM01
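The S_TABU_DIS check of chapter 3 and the S_PROGRAM example above both follow the same pattern: the object protecting a table or report is looked up in Table 13 or Table 14, and the user must hold a single authorization instance whose field values all cover the checked values. The following Python simulation is an added example and not code from the guide or from SAP; the group mappings are transcribed from Tables 13 and 14, the three users and their authorization data are constructed, and P_ACTION and P_GROUP are the technical field names behind the "User Action" and "Auth Group" fields named above. It also shows a case the text only implies: two instances of the same object are never combined, so a user whose change activity sits in a different instance from a given auth group cannot change that table.

```python
"""SAP-style authorization check for S_TABU_DIS and S_PROGRAM.

Added illustration; this is not code from the Virsa Compliance Calibrator
guide. The group mappings are transcribed from Table 13 and Table 14; the
users and their authorization data are constructed sample data.
"""
from fnmatch import fnmatchcase

# Subset of Table 13: table name -> authorization group (value of DICBERCLS).
TABLE_AUTH_GROUPS = {
    "/VIRSA/ZMITREF": "ZV&G",     # Mitigating Controls
    "/VIRSA/ZMITRISKS": "ZV&R",   # Mitigating Risks
    "/VIRSA/ZVRATCNFG": "ZV&F",   # Compliance Calibrator Configuration
    "/VIRSA/ZBUSUNIT": "ZC&L",    # Business Units
}

# Subset of Table 14: program name -> authorization group (value of P_GROUP).
PROGRAM_AUTH_GROUPS = {
    "/VIRSA/ZVRAT_M01": "ZVRATM01",     # Upload/Download CC tables
    "/VIRSA/ZVRAT_UPLOAD": "ZVRATUPL",  # Upload a table
    "/VIRSA/ZVRAT_S08": "ZVRATS08",     # User Access Report
}


def _field_ok(patterns, value):
    """A checked value passes a field if it matches any value kept in the
    authorization; '*' is the usual SAP wildcard (as in RFC_NAME '/VIRSA/*')."""
    return any(fnmatchcase(value, p) for p in patterns)


def authority_check(user_auths, obj, **fields):
    """Mimic AUTHORITY-CHECK: succeed only if ONE authorization instance for
    `obj` satisfies every requested field at once. Values from two different
    instances are never combined, which is the trap shown by SPLIT_AUTHS."""
    return any(
        all(_field_ok(inst.get(f, []), v) for f, v in fields.items())
        for o, inst in user_auths
        if o == obj
    )


def can_display_table(user_auths, table):
    """S_TABU_DIS with ACTVT 03 (display) for the table's auth group."""
    group = TABLE_AUTH_GROUPS.get(table)
    return group is not None and authority_check(
        user_auths, "S_TABU_DIS", ACTVT="03", DICBERCLS=group)


def can_maintain_table(user_auths, table):
    """S_TABU_DIS with ACTVT 02 (change) for the table's auth group."""
    group = TABLE_AUTH_GROUPS.get(table)
    return group is not None and authority_check(
        user_auths, "S_TABU_DIS", ACTVT="02", DICBERCLS=group)


def can_submit_program(user_auths, program):
    """S_PROGRAM as in the chapter 4 example: user action SUBMIT for the
    program's auth group (technical field names P_ACTION and P_GROUP)."""
    group = PROGRAM_AUTH_GROUPS.get(program)
    return group is not None and authority_check(
        user_auths, "S_PROGRAM", P_ACTION="SUBMIT", P_GROUP=group)


# Constructed users: a list of (object, {field: [allowed values]}) instances.
ANALYST_AUTHS = [  # display-only on mitigation tables, may run the M01 report
    ("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["ZV&G", "ZV&R"]}),
    ("S_PROGRAM", {"P_ACTION": ["SUBMIT"], "P_GROUP": ["ZVRATM01"]}),
]
SECURITY_AUTHS = [  # maintains every CC table and runs every Tool Box report
    ("S_TABU_DIS", {"ACTVT": ["02", "03"], "DICBERCLS": ["ZV&*", "ZC&*"]}),
    ("S_PROGRAM", {"P_ACTION": ["SUBMIT"], "P_GROUP": ["ZVRAT*"]}),
]
SPLIT_AUTHS = [  # change on ZV&G and display on ZV&R, in separate instances
    ("S_TABU_DIS", {"ACTVT": ["02"], "DICBERCLS": ["ZV&G"]}),
    ("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["ZV&R"]}),
]

if __name__ == "__main__":
    users = [("analyst", ANALYST_AUTHS), ("security", SECURITY_AUTHS),
             ("split", SPLIT_AUTHS)]
    for name, auths in users:
        for table in TABLE_AUTH_GROUPS:
            print(f"{name:8} {table:18} display={can_display_table(auths, table)}"
                  f" change={can_maintain_table(auths, table)}")
        print(f"{name:8} submit M01={can_submit_program(auths, '/VIRSA/ZVRAT_M01')}")
```

The `SPLIT_AUTHS` user illustrates why role designers should keep activity and auth-group values together in one instance: the user can change /VIRSA/ZMITREF and display /VIRSA/ZMITRISKS, but cannot change /VIRSA/ZMITRISKS even though both "02" and "ZV&R" appear somewhere in their authorizations.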
5 LINE-ORIENTED AUTHORIZATIONS
TOPICS COVERED IN THIS CHAPTER
Introduction
Use
Implementation
Design Organization Criteria
Define Organization Criteria
Define Attributes
Assign Attributes to Table Fields
Include Authorizations for S_TABU_LIN in Roles
Activate Organization Criteria
Cross-Table Check
S_TABU_LIN
Test
Introduction
This chapter discusses the use and implementation of line‐oriented authorizations in SAP. Line‐oriented authorizations are used to restrict users in the modification of SoD Object and Mitigation controls at line level.
Use
Access to customizing tables can be controlled at the row level for display or maintenance using line-oriented authorizations. Previously, this access could only be controlled at the table level: the user either had access to the entire table or had no access at all. Now, authorization object S_TABU_LIN is used to control access at the row level. This check is carried out in addition to the checks on authorization objects S_TABU_DIS and S_TABU_CLI. The use of line-oriented authorization is optional.
In addition to the existing authorization concept, the new authorization object S_TABU_LIN allows client-specific assignment of authorizations for business entities. An organizational criterion can also be defined for a cross-client table so that a user can display and change table contents for only one work area, for example a country. The organizational criterion maps a business concept to table key fields.
Implementation
The following procedures are executed to implement line‐oriented authorization:
• Design Organization Criteria
• Define Organization Criteria
• Define Attributes
• Assign Attributes to Table Fields
• Include Authorizations for S_TABU_LIN in Roles
• Activate Organization Criteria
The following sections describe these procedures in more detail.
Note These line-oriented authorizations only work for data display customization and maintenance transactions. At this point, they do not work for data browser transactions such as SE16 and SE17.
Design Organization Criteria
• Analyze requirements.
• Identify tables and fields to be protected.
• Identify users and roles to be impacted.
• Review design.
Define Organization Criteria
1 Execute transaction SPRO and navigate to Basis Components > Users and Authorizations > Line-oriented Authorizations > Define Organizational Criteria.
2 Click New Entries.
Figure 1 Change View Organization Criteria Overview
3 Enter the technical name and description of the organization criteria.
Figure 2 Overview of Added Entries
Define Attributes
1 Select the organization criteria and double‐click Attributes.
2 Click New Entries.
3 Enter the attribute name, assign the field to the authorization field, and enter the description for the field.
4 Click Save when finished.
Figure 3 Overview of Added Entries—Table Fields
Assign Attributes to Table Fields
1 Select the attribute and double‐click Table Fields.
2 Click New Entries.
3 Enter the table name and field name to be protected.
Figure 4 Details of Added Entries
Include Authorizations for S_TABU_LIN in Roles
1 Enter the authorizations for S_TABU_LIN in the appropriate roles.
2 Insert the object manually, click on any field, and select the organization criteria.
Figure 5 Change Roles: Restrict Values Range
3 Enter the allowed values for authorizations fields and click Transfer.
Figure 6 Change Role: Organizational Criterion Values
4 Generate authorizations and assign authorized users to the role.
Activate Organization Criteria
1 Execute transaction SPRO and navigate to Basis Components > Users and Authorizations > Line-oriented Authorizations > Activate Organizational Criteria.
2 Select the Activ check box to activate the organization criteria.
Figure 7 Change View: Organization Criteria Activation
Cross-Table Check
To check a field for all tables, select the table-ind check box on the Organization Criteria page.
Figure 8 Change View: Organization Criteria Overview
S_TABU_LIN
This object has the following fields:
• Activity—02, 03
• Organization Criterion—link to table key fields
• Org Criterion Attribute1 to Org Criterion Attribute8—field values of the protected tables
Test
• The user is only allowed to maintain or display table T77UA for Work Center Profile Y^WORKCNTR.
Figure 9 Change View: User Authorizations
Note Security needs to protect the tables that store the configuration of line-oriented authorizations. Only the Security team should have maintenance authorizations to these tables.
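The Test step above can be expressed as a row filter: the organizational criterion maps an S_TABU_LIN attribute field to a key field of the protected table, the criterion is activated, and each row is allowed only if one S_TABU_LIN instance covers the activity, the criterion and every mapped field value. The Python below is an added example, not code from the guide or from SAP. The criterion name ZCC_WORKCNTR, its attribute PROFILE, the column name PROFL and the T77UA rows are constructed; table T77UA, activities 02 and 03 and the profile value Y^WORKCNTR are the ones used in the Test step; ORG_CRIT and ORG_FIELD1 to ORG_FIELD8 are the technical names behind the fields listed above as Organization Criterion and Org Criterion Attribute1 to Attribute8. The example assumes a single active criterion per table.

```python
"""Row-level filtering with S_TABU_LIN and an organizational criterion.

Added illustration; not code from the guide. The criterion ZCC_WORKCNTR,
its attribute PROFILE, the column name PROFL and the T77UA rows are
constructed; T77UA, activities 02/03 and the value Y^WORKCNTR come from
the Test step. One active criterion per table is assumed.
"""
from fnmatch import fnmatchcase

# One entry per organizational criterion: the "Activ" flag from the
# activation step plus the attributes, each assigned to an S_TABU_LIN
# authorization field and to the (table, field) pairs it protects.
ORG_CRITERIA = {
    "ZCC_WORKCNTR": {
        "active": True,
        "attributes": {
            "PROFILE": {"auth_field": "ORG_FIELD1",
                        "table_fields": [("T77UA", "PROFL")]},
        },
    },
}


def _field_ok(patterns, value):
    """Value passes if it matches any allowed value; '*' is the wildcard."""
    return any(fnmatchcase(value, p) for p in patterns)


def protecting_map(criteria, table):
    """Return (criterion name, {auth_field: table_field}) for the first
    active criterion that protects a field of `table`, else (None, {})."""
    for name, crit in criteria.items():
        if not crit["active"]:
            continue
        mapping = {a["auth_field"]: fld
                   for a in crit["attributes"].values()
                   for tbl, fld in a["table_fields"] if tbl == table}
        if mapping:
            return name, mapping
    return None, {}


def row_allowed(user_auths, table, row, activity, criteria=ORG_CRITERIA):
    """Line-level check for one row. It runs in addition to S_TABU_DIS,
    which is assumed to have passed already; a table that no active
    criterion protects is not restricted at row level."""
    crit_name, mapping = protecting_map(criteria, table)
    if crit_name is None:
        return True
    for obj, inst in user_auths:
        if obj != "S_TABU_LIN":
            continue
        if not _field_ok(inst.get("ACTVT", []), activity):
            continue
        if not _field_ok(inst.get("ORG_CRIT", []), crit_name):
            continue
        # every mapped attribute must be covered by this same instance
        if all(_field_ok(inst.get(auth_field, []), str(row[table_field]))
               for auth_field, table_field in mapping.items()):
            return True
    return False


def visible_rows(user_auths, table, rows, activity, criteria=ORG_CRITERIA):
    """Rows of `table` the user may display (03) or change (02)."""
    return [r for r in rows
            if row_allowed(user_auths, table, r, activity, criteria)]


# Constructed T77UA contents and a tester limited to one work center profile.
T77UA_ROWS = [
    {"UNAME": "JDOE", "PROFL": "Y^WORKCNTR"},
    {"UNAME": "ASMITH", "PROFL": "Y^WORKCNTR"},
    {"UNAME": "JDOE", "PROFL": "ALL"},
]
TESTER_AUTHS = [
    ("S_TABU_LIN", {"ACTVT": ["02", "03"], "ORG_CRIT": ["ZCC_WORKCNTR"],
                    "ORG_FIELD1": ["Y^WORKCNTR"]}),
]

if __name__ == "__main__":
    for activity in ("03", "02"):
        rows = visible_rows(TESTER_AUTHS, "T77UA", T77UA_ROWS, activity)
        print(f"ACTVT {activity}: {len(rows)} of {len(T77UA_ROWS)} rows:", rows)
```

Deactivating the criterion (the Activ check box) makes `visible_rows` return every row again, which is why the closing Note restricts maintenance of the criterion configuration tables to the Security team.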
6 AUTHORIZATION CHECK FLOWCHART
TOPICS COVERED IN THIS CHAPTER
Authorization Check Flowchart
Authorization Check Flowchart
Figure 10 Flowchart of Authorization Check
7 ACTIONS REQUIRED FOR NETWEAVER
TOPICS COVERED IN THIS CHAPTER
Actions and Descriptions
Actions and Descriptions
Virsa Compliance Calibrator uses the following actions when connecting to a NetWeaver server. The system account used for the Compliance Calibrator connection to the NetWeaver server must be authorized to perform these actions.
Table 15 Defined Actions—/VIRSA/ATN
Action Name | Description
com.virsa.cc.CreateRuleSet | Permission to create rule sets
com.virsa.cc.ChangeRuleSet | Permission to change rule sets
com.virsa.cc.DeleteRuleSet | Permission to delete rule sets
com.virsa.cc.ViewInformer | Permission to view Informer
com.virsa.cc.ViewRuleArchitect | Permission to view Rule Architect
com.virsa.cc.ViewMitigation | Permission to view Mitigation
com.virsa.cc.ViewAlertMonitor | Permission to view Alert Monitor
com.virsa.cc.ViewConfiguration | Permission to view Configuration
com.virsa.cc.ViewMgmtReport | Permission to view Management Reports
com.virsa.cc.RunRiskAnalysis | Permission to run Risk Analysis
com.virsa.cc.RunAuditReports | Permission to run Audit Reports
com.virsa.cc.RunSecurityReports | Permission to run Security Reports
com.virsa.cc.CreateBP | Permission to create Business Processes
com.virsa.cc.ChangeBP | Permission to change Business Processes
com.virsa.cc.DeleteBP | Permission to delete Business Processes
com.virsa.cc.CreateFunction | Permission to create Functions
com.virsa.cc.ChangeFunction | Permission to change Functions
com.virsa.cc.DeleteFunction | Permission to delete Functions
com.virsa.cc.MassFuncMaint | Permission for mass maintenance of Functions
com.virsa.cc.CreateRisks | Permission to create Risks
com.virsa.cc.ChangeRisks | Permission to change Risks
com.virsa.cc.DeleteRisks | Permission to delete Risks
com.virsa.cc.CreateCrActions | Permission to create Critical Actions
com.virsa.cc.ChangeCrActions | Permission to change Critical Actions
com.virsa.cc.DeleteCrActions | Permission to delete Critical Actions
com.virsa.cc.CreateCrRoles | Permission to create Critical Roles
com.virsa.cc.ChangeCrRoles | Permission to change Critical Roles
com.virsa.cc.DeleteCrRoles | Permission to delete Critical Roles
com.virsa.cc.CreateCrProfiles | Permission to create Critical Profiles
com.virsa.cc.ChangeCrProfiles | Permission to change Critical Profiles
com.virsa.cc.DeleteCrProfiles | Permission to delete Critical Profiles
com.virsa.cc.CreateOrgRules | Permission to create Organizational Rules
com.virsa.cc.ChangeOrgRules | Permission to change Organizational Rules
com.virsa.cc.DeleteOrgRules | Permission to delete Organizational Rules
com.virsa.cc.CreateAdmins | Permission to create Administrators
com.virsa.cc.ChangeAdmins | Permission to change Administrators
com.virsa.cc.DeleteAdmins | Permission to delete Administrators
com.virsa.cc.CreateBUnit | Permission to create Business Units
com.virsa.cc.ChangeBUnit | Permission to change Business Units
com.virsa.cc.DeleteBUnit | Permission to delete Business Units
com.virsa.cc.CreateMitCntl | Permission to create Mitigating Controls
com.virsa.cc.ChangeMitCntl | Permission to change Mitigating Controls
com.virsa.cc.DeleteMitCntl | Permission to delete Mitigating Controls
com.virsa.cc.CreateMitUser | Permission to create Mitigating Users
com.virsa.cc.ChangeMitUser | Permission to change Mitigating Users
com.virsa.cc.DeleteMitUser | Permission to delete Mitigating Users
com.virsa.cc.CreateMitRole | Permission to create Mitigating Roles
com.virsa.cc.ChangeMitRole | Permission to change Mitigating Roles
com.virsa.cc.DeleteMitRole | Permission to delete Mitigating Roles
com.virsa.cc.CreateMitProfile | Permission to create Mitigating Profiles
com.virsa.cc.ChangeMitProfile | Permission to change Mitigating Profiles
com.virsa.cc.DeleteMitProfile | Permission to delete Mitigating Profiles
com.virsa.cc.CreateMitHRObject | Permission to create Mitigating HR Objects
com.virsa.cc.ChangeMitHRObject | Permission to change Mitigating HR Objects
com.virsa.cc.DeleteMitHRsObject | Permission to delete Mitigating HR Objects
com.virsa.cc.GenerateAlert | Permission to generate alerts
com.virsa.cc.DeleteAlert | Permission to delete Alerts
com.virsa.cc.ClearAlert | Permission to clear Alerts
com.virsa.cc.CreateSupplementRule | Permission to create a Supplement Rule
com.virsa.cc.ChangeSupplementRule | Permission to change a Supplement Rule
com.virsa.cc.DeleteSupplementRule | Permission to delete a Supplement Rule
Roles
Virsa Compliance Calibrator includes the following roles, which you import after installation, during the initial setup operations described in the Configuration section of the Compliance Calibrator User and Administrator Guide. These predefined roles include permissions to perform Compliance Calibrator-specific actions, grouped to provide built-in support for some commonly performed tasks, such as generating reports and performing administrative activities.
Table 16 Defined Roles—/VIRSA/ATN
Role Name and Description | Permissions for CC Actions (com.virsa.cc.)
VIRSA_CC_ADMINISTRATOR (Virsa Compliance Calibrator Administrator) | CreateRuleSet, ChangeRuleSet, DeleteRuleSet, ViewInformer, ViewRuleArchitect, ViewMitigation, ViewAlertMonitor, ViewConfiguration, ViewMgmtReport, RunRiskAnalysis, RunAuditReports, RunSecurityReports, CreateBP, ChangeBP, DeleteBP, CreateFunction, ChangeFunction, DeleteFunction, MassFuncMaint, CreateRisks, ChangeRisks, DeleteRisks, CreateCrActions, ChangeCrActions, DeleteCrActions, CreateCrRoles, ChangeCrRoles, DeleteCrRoles, CreateCrProfiles, ChangeCrProfiles, DeleteCrProfiles, CreateOrgRules, ChangeOrgRules, DeleteOrgRules, CreateSupplementRule, ChangeSupplementRule, DeleteSupplementRule, CreateAdmins, ChangeAdmins, DeleteAdmins, CreateBUnit, ChangeBUnit, DeleteBUnit, CreateMitCntl, ChangeMitCntl, DeleteMitCntl, CreateMitUser, ChangeMitUser, DeleteMitUser, CreateMitRole, ChangeMitRole, DeleteMitRole, CreateMitProfile, ChangeMitProfile, DeleteMitProfile, CreateMitHRObject, ChangeMitHRObject, DeleteMitHRsObject, GenerateAlert, DeleteAlert, ClearAlert, ExportRules, ImportRules, ViewBgJobLog
Table 17 Defined Roles—/VIRSA/ATN
Role Name and Description | Permissions for CC Actions (com.virsa.cc.)
VIRSA_CC_REPORT (Role for Generating Virsa Compliance Calibrator Reports Only) | ViewInformer, ViewMitigation, ViewAlertMonitor, ViewMgmtReport, RunRiskAnalysis, RunAuditReports, RunSecurityReports
Table 18 Defined Roles—/VIRSA/ATN
Role Name and Description | Permissions for CC Actions (com.virsa.cc.)
VIRSA_CC_SECURITY_ADMIN (Virsa Compliance Calibrator Security Administrator) | CreateRuleSet, ChangeRuleSet, DeleteRuleSet, ViewInformer, ViewRuleArchitect, ViewMitigation, ViewAlertMonitor, ViewConfiguration, ViewMgmtReport, RunRiskAnalysis, RunAuditReports, RunSecurityReports, CreateBP, ChangeBP, DeleteBP, CreateFunction, ChangeFunction, DeleteFunction, MassFuncMaint, CreateRisks, ChangeRisks, DeleteRisks, CreateCrActions, ChangeCrActions, DeleteCrActions, CreateCrRoles, ChangeCrRoles, DeleteCrRoles, CreateCrProfiles, ChangeCrProfiles, DeleteCrProfiles, CreateOrgRules, ChangeOrgRules, DeleteOrgRules, CreateSupplementRule, ChangeSupplementRule, DeleteSupplementRule, CreateBUnit, ChangeBUnit, DeleteBUnit, GenerateAlert, DeleteAlert, ClearAlert, ExportRules, ImportRules, ViewBgJobLog
Table 19 Defined Roles—/VIRSA/ATN
Role Name and Description | Permissions for CC Actions (com.virsa.cc.)
VIRSA_CC_BUSINESS_OWNER (Virsa Compliance Calibrator Business Owner) | ViewInformer, ViewRuleArchitect, ViewMitigation, ViewAlertMonitor, ViewConfiguration, ViewMgmtReport, RunRiskAnalysis, RunAuditReports, RunSecurityReports, CreateBUnit, ChangeBUnit, DeleteBUnit, CreateMitCntl, ChangeMitCntl, DeleteMitCntl, CreateMitUser, ChangeMitUser, DeleteMitUser, CreateMitRole, ChangeMitRole, DeleteMitRole, CreateMitProfile, ChangeMitProfile, DeleteMitProfile, CreateMitHRObject, ChangeMitHRObject, DeleteMitHRsObject
8 RFC AUTHORIZATIONS
TOPICS COVERED IN THIS CHAPTER
RFC Authorizations
RFC Authorizations
The following objects and field values are required for the RFC user in SAP R/3 and SAP NetWeaver:
S_RFC
ACTVT = '16'
RFC_NAME = '/VIRSA/*', 'RFC*', 'SDDO', 'SDIF', 'SDTX', 'SSCV', 'SYST'
RFC_TYPE = 'FUGR'
S_TABU_DIS
ACTVT = '03'
DICBERCLS = '*'
S_TABU_CLI
CLIIDMAINT = 'X'
The objects and values listed above provide the following permissions, which are required by the SAP Compliance Calibrator when making RFC connections to back‐end systems:
• S_BTCH_JOB — Authorization to release background jobs
• S_GUI — Authorization to perform user interface‐related operations
• S_RFC — Authorization to make RFC connections
• S_TABU_DIS — Authorization to perform table maintenance
• S_TABU_CLI — Authorization to perform cross‐client table maintenance
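A practitioner provisioning the RFC user will want to verify, both at go-live and periodically, that the account holds exactly the S_RFC, S_TABU_DIS and S_TABU_CLI values listed above: missing values make the Compliance Calibrator connection fail an authority check, while values beyond the list mean the service account carries more than it needs. The Python below is an added example, not code from the guide or from SAP. REQUIRED is transcribed from the values above; the two granted data sets are constructed (on a real system they would be read from the user's authorization data, for example with transaction SUIM). S_BTCH_JOB and S_GUI are named above without field values, so they are left out of the comparison.

```python
"""Audit of an RFC user's authorization data against the documented values.

Added illustration; not code from the guide. REQUIRED is transcribed from
the S_RFC, S_TABU_DIS and S_TABU_CLI values above; GRANTED_* are
constructed sample data standing in for a user's real authorizations.
"""
from fnmatch import fnmatchcase

REQUIRED = {
    "S_RFC": {
        "ACTVT": {"16"},
        "RFC_NAME": {"/VIRSA/*", "RFC*", "SDDO", "SDIF", "SDTX", "SSCV", "SYST"},
        "RFC_TYPE": {"FUGR"},
    },
    "S_TABU_DIS": {"ACTVT": {"03"}, "DICBERCLS": {"*"}},
    "S_TABU_CLI": {"CLIIDMAINT": {"X"}},
}


def audit_rfc_user(granted):
    """granted: {object: {field: set of values}} as provisioned.

    Returns (missing, undocumented), each a list of (object, field, value):
      missing      - documented values that no granted value covers (a
                     granted '*' or 'RFC*' counts as covering 'RFC*'), so an
                     authority check for them would fail;
      undocumented - granted values that are not in the documented list,
                     so the service account holds more than documented.
    Objects absent from REQUIRED are not examined."""
    missing, undocumented = [], []
    for obj, fields in REQUIRED.items():
        for field, wanted in fields.items():
            have = granted.get(obj, {}).get(field, set())
            for value in sorted(wanted):
                if not any(fnmatchcase(value, g) for g in have):
                    missing.append((obj, field, value))
            for extra in sorted(have - wanted):
                undocumented.append((obj, field, extra))
    return missing, undocumented


def report(granted):
    """Human-readable summary of audit_rfc_user for one user."""
    missing, undocumented = audit_rfc_user(granted)
    lines = [f"missing: {len(missing)}", f"undocumented: {len(undocumented)}"]
    lines += [f"  MISSING {o} {f} = {v}" for o, f, v in missing]
    lines += [f"  EXTRA   {o} {f} = {v}" for o, f, v in undocumented]
    return "\n".join(lines)


# Constructed: provisioned exactly as documented.
GRANTED_AS_DOCUMENTED = {
    obj: {field: set(values) for field, values in fields.items()}
    for obj, fields in REQUIRED.items()
}
# Constructed drift: RFC_NAME widened to '*', change activity added on
# S_TABU_DIS, and S_TABU_CLI never assigned.
GRANTED_DRIFTED = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_NAME": {"*"}, "RFC_TYPE": {"FUGR"}},
    "S_TABU_DIS": {"ACTVT": {"02", "03"}, "DICBERCLS": {"*"}},
}

if __name__ == "__main__":
    print("as documented:\n" + report(GRANTED_AS_DOCUMENTED))
    print("drifted:\n" + report(GRANTED_DRIFTED))
```

The wildcard-aware "missing" side avoids false alarms when an administrator has consolidated values into a pattern, while the exact-match "undocumented" side still surfaces that consolidation for review, which is the distinction an auditor needs when comparing a service account against a published requirements list.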