Program and Table Security (Security redesign)

  • 8/10/2019 Program and Table Security Securityredesign

    1/10

    Table Security

    Find the auth group of the table: in SE11, open Utilities > Table Maintenance Generator.

    Table TDDAT holds the link between a table and its auth group.

    Table creation is controlled by S_DEVELOP (SE11 with a developer key). Table entry maintenance is controlled by S_TABU_DIS and, for client-independent tables, S_TABU_CLI (SM30, SE16, SE16N, SE17). S_TABU_DIS has Activity and Auth group fields.

    Create a T-code in SE93 that calls transaction SM30.

    Update SU24 with S_TABU_DIS and the particular auth group.

    Add the T-code to the role and make sure the proper auth group is brought into the role.

    If SU24 is changed after the object has been added to the role, run "Adjust derived" in PFCG.

    Use SE54 to assign an auth group to a table.

    2/10

    Project Requirement

    Collect Requirement

    Process Team member Contact

    Develop Roles

    Consult process team member for object values

    3/10

    Program Security

    Find the auth group of the program: in SE38, display the program attributes.

    Table TRDIR holds the link between a program and its auth group.

    Program creation is controlled by S_DEVELOP (SE38 with a developer key) and execution is controlled by S_PROGRAM (SA38). These are highly sensitive T-codes.

    S_PROGRAM has Activity and Auth group fields.

    Create a T-code in SE93.

    Update SU24 with S_PROGRAM and the particular auth group.

    Add the T-code to the role and make sure the proper auth group is brought into the role.

    If SU24 is changed after the object has been added to the role, run "Adjust derived" from the advanced menu in PFCG.

    Transactions used: SE38 for creation and SA38 for execution.

    RSCSAUTH updates TRDIR; RSABAUTH updates TPGP.
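The table and program slides above describe the same pattern: the object (TDDAT or TRDIR) maps to an auth group, and the role must carry the authorization object with a matching activity and auth group. The model below is an added illustration, not SAP code: TDDAT, TRDIR and the role authorizations are reduced to Python dicts, all table, program, role and auth-group values are constructed, and the field names ACTVT/DICBERCLS (S_TABU_DIS), CLIIDMAINT (S_TABU_CLI) and P_ACTION/P_GROUP (S_PROGRAM) are the standard ones rather than values taken from the slides.

```python
"""Added model of auth-group based table maintenance and program execution checks.

Not SAP code: TDDAT/TRDIR are dicts and a role is a list of (object, fields).
All table, program, role and group values here are constructed."""
from fnmatch import fnmatchcase

# Constructed TDDAT-style mapping: table -> (auth group, client-independent?)
TDDAT = {
    "ZFI_BANK": ("ZFIN", False),
    "T000":     ("SS",   True),    # client table, client-independent
    "ZHR_PAY":  ("ZHRP", False),
}
# Constructed TRDIR-style mapping: program -> auth group
TRDIR = {"ZFI_REPORT": "ZFIN", "RSUSR002": "SUSR"}

# Role authorizations as (object, {field: value}); '*' is a wildcard as in PFCG.
ROLE_FI_DISPLAY = [
    ("S_TABU_DIS", {"ACTVT": "03", "DICBERCLS": "ZFIN"}),
    ("S_PROGRAM",  {"P_ACTION": "SUBMIT", "P_GROUP": "ZFIN"}),
]
ROLE_BASIS = [
    ("S_TABU_DIS", {"ACTVT": "*", "DICBERCLS": "*"}),
    ("S_TABU_CLI", {"CLIIDMAINT": "X"}),
    ("S_PROGRAM",  {"P_ACTION": "*", "P_GROUP": "*"}),
]

def has_auth(role, obj, **wanted):
    """True if some authorization for obj in the role matches every wanted field."""
    return any(
        o == obj and all(fnmatchcase(v, fields.get(k, "")) for k, v in wanted.items())
        for o, fields in role
    )

def may_maintain_table(role, table, activity):
    """SM30/SE16 style check; activity '03' = display, '02' = change."""
    group, client_indep = TDDAT[table]
    if not has_auth(role, "S_TABU_DIS", ACTVT=activity, DICBERCLS=group):
        return False
    # Changing a client-independent table additionally requires S_TABU_CLI.
    if client_indep and activity != "03":
        return has_auth(role, "S_TABU_CLI", CLIIDMAINT="X")
    return True

def may_run_program(role, program):
    """SA38 style check: S_PROGRAM SUBMIT for the program's auth group from TRDIR."""
    return has_auth(role, "S_PROGRAM", P_ACTION="SUBMIT", P_GROUP=TRDIR[program])
```

The wildcard S_TABU_DIS authorization alone does not allow changing T000: the client-independent flag forces the extra S_TABU_CLI check, which is why the slide lists both objects.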

    4/10

    Security redesign

    Security requirement documentation describing the role name, T-codes, plant derivations, object value restrictions and any org value restrictions

    User access approval and change process

    Profile naming convention

    Approval process for addition of T-codes, removal of T-codes, object value changes and org level changes

    Approval process for addition of a single role to a composite role

    Security custom programs and tables

    User ID expiration and deletion process

    System security parameters

    Securing batch sessions, batch jobs and spool requests

    5/10

    Batch Session Security: SM35 is used to execute batch input sessions.

    Batch input sessions enter data non-interactively into an R/3 System. Batch input is typically used to transfer data from non-R/3 Systems to R/3 Systems or to transfer data between R/3 Systems.

    Field        Value   Comment
    BDCGROUPID   *       Name of the batch session for which a user is authorized (e.g. FRANK)
    BDCAKTI      ABTC    Submit sessions for execution
                 AONL    Run sessions in interactive mode
                 ANAL    Analyze sessions, log and queue
                 FREE    Release sessions
                 LOCK    Lock/unlock sessions
                 DELE    Delete sessions

    Example program: SAPF120 (SE38)

    6/10

    Batch Job

    You can define and schedule background jobs in two ways from the Job Overview:

    Directly from Transaction SM36. This is best for users already familiar with background job scheduling.

    Using the Job Wizard, which is also started from Transaction SM36.

    Steps: call Transaction SM36 or choose CCMS > Jobs > Definition. Assign a job name: decide on a name for the job you are defining and enter it in the Job Name field. Set the job's priority, or "Job Class": high priority is Class A, medium priority is Class B, low priority is Class C. In the Target server field, indicate whether to use system load balancing.

    Authorization objects: S_BTCH_ADM, S_BTCH_JOB, S_BTCH_NAM

    Example Program: RFSKPL00

    http://help.sap.com/saphelp_47x200/helpdata/en/c4/3a7f53505211d189550000e829fbbd/content.htm
    7/10

    Transports General Concept

    Moving development objects and Customizing settings in an orderly manner.

    A development class is a grouping of objects belonging to the same project.

    Any modification triggers a transport request and can be transported as long as the development class is assigned to a transport layer.

    Transport requests are released from transactions SE10 and SE09.

    The transport layer defines the path along which objects move (testing path, production path).

    Change requests: CUST (system) and SYST (tables); request numbers have the form <SID>K<number>.

    Authorization objects: S_CTS_ADMI and S_TRANSPRT. Version management lets versions be compared.

    The SID denotes a different database server.

    System landscape: DEV, QAS (test) and PRD.

    Development classes are held in table TDEVC; use SE80 to create a new class.

    Roles can be transported or downloaded.

    Single role transport and composite role transport.

    The transport takes the table entries with it.

    8/10

    New Virsa Implementation

    Scan all the single roles for SOD conflicts.

    Remediate (fix object values or remove the transaction) or mitigate with mitigation controls. Then scan all the composite roles.

    Remediate (remove roles) or mitigate.

    When assigning roles to users, run Virsa on the users to make sure they have no SOD conflicts.

    When making changes, always run Virsa.

    9/10

    Spool Request Security

    Spool request authorizations

    The spool request authorizations define which user is authorized to use which operations on which spool requests, or which requests are displayed for the particular user.

    A distinction is made between:

    a) Selection authorization

    The selection authorization defines which user may see which spool requests. The selection options of a user are limited in the SP01 display transaction if the relevant authorizations are missing. S_ADMI_FCD is used as the authorization object for this purpose.

    b) Operation authorization

    A user can only edit those spool requests that can be displayed using transaction SP01 and the selection authorizations given here. S_SPO_ACT is used as the authorization object for this.

    When dealing with spool requests, we distinguish between the process of creating them and editing them.

    10/10

    Virsa tool for finding SOD: /n/virsa/zvrat (Compliance Calibrator)

    Predefined T-code combinations, e.g. ME21N (create PO) and F-41 (approve invoice)

    Conflicting T-codes: SOD (segregation of duties)

    Mitigation control: oversight by a process or system to monitor the user even if the person has the conflicting transactions

    Function: grouping of transactions (= role)

    Risk: conflicting functions
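The "New Virsa Implementation" slide and this one together describe a rule-based scan: functions group T-codes, a risk is a pair of conflicting functions, and the scan is run over single roles, composite roles and users, with mitigation controls suppressing accepted risks. The following is an added illustration of that logic in Python, not Virsa code; all function, risk, role and user data is constructed (the ME21N / F-41 pair is the slide's own example, and recording mitigation controls per user and risk is an assumption).

```python
"""Added rule-based SOD scan in the style the slides describe. Not Virsa code;
all functions, risks, roles, users and mitigation entries are constructed."""
FUNCTIONS = {  # function -> T-codes that perform it
    "PO_CREATE":       {"ME21N", "ME22N"},
    "INVOICE_APPROVE": {"F-41", "MRBR"},
    "VENDOR_MAINT":    {"XK01", "XK02"},
}
RISKS = {  # risk id -> two functions that must not meet in one role or person
    "P001": ("PO_CREATE", "INVOICE_APPROVE"),
    "P002": ("VENDOR_MAINT", "INVOICE_APPROVE"),
}
SINGLE_ROLES = {  # single role -> T-codes in its menu
    "Z_MM_BUYER":    {"ME21N", "ME22N", "ME23N"},
    "Z_FI_AP_CLERK": {"F-41", "FB60"},
    "Z_MM_VENDOR":   {"XK01", "XK02", "XK03"},
    "Z_MM_ALL":      {"ME21N", "F-41"},          # conflict inside one role
}
COMPOSITE_ROLES = {"Z_P2P_COMPOSITE": ["Z_MM_BUYER", "Z_FI_AP_CLERK"]}
USERS = {
    "FRANK": ["Z_P2P_COMPOSITE"],
    "ANNA":  ["Z_MM_VENDOR"],
    "BOB":   ["Z_MM_VENDOR", "Z_FI_AP_CLERK"],
}
MITIGATIONS = {("FRANK", "P001")}  # approved mitigation controls (assumed per user, risk)

def tcodes_of_roles(roles):
    """Union of T-codes reachable from the roles; composites expand to singles."""
    out = set()
    for r in roles:
        if r in COMPOSITE_ROLES:
            out |= tcodes_of_roles(COMPOSITE_ROLES[r])
        else:
            out |= SINGLE_ROLES[r]
    return out

def risks_in(tcodes):
    """Sorted risk ids whose two functions are both reachable from these T-codes."""
    active = {f for f, tc in FUNCTIONS.items() if tc & tcodes}
    return sorted(rid for rid, (f1, f2) in RISKS.items() if f1 in active and f2 in active)

def scan_role(role):
    """Step 1 and 2 of the slide: scan a single or composite role for SOD."""
    return risks_in(tcodes_of_roles([role]))

def scan_user(user):
    """Step 3: risks on the user's combined roles, minus those with a mitigation control."""
    return [r for r in risks_in(tcodes_of_roles(USERS[user])) if (user, r) not in MITIGATIONS]
```

Note that Z_MM_BUYER and Z_FI_AP_CLERK are each clean on their own and only conflict once combined in the composite role or on the user, which is why the slide scans at all three levels.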