Presenter: Srini, Flow Slf Authorizations
4/6/2014  H&M Internal v1.0
Introduction - Custom Security
Teams involved in Custom Security design
Different Project cycles of Custom Security design
Technical Tips for effective implementation
Additional control over SAP standard transactions/processes where the default authorization controls provided by SAP are not sufficient,
(or)
control over any newly created SAP development object (e.g. a custom report, transaction code or table).
Implemented via ABAP code that invokes either a standard or a custom authorization object.
The custom authorization object (which involves a standard/custom authorization object class and authorization fields) is created by the Security team, while the ABAP code is written by the Development team.
Project cycle phases:
• Role Design Requirements
• Development
• Unit testing
• Integration testing
• User Acceptance testing
• PRD
Scenario 1: Sec fully involved

Acronyms for teams
• FA – Functional Area
• Sec – Security
• Dev – Development

Teams shown per phase: FA; Sec; Dev; Sec; FA; Sec, Dev; FA; Sec, Dev

Activities:
- Create RDD
- Finalize security design
- ABAP auth check code
- Unit test
- Move security objects, ABAP code to T, Q
- Integration testing
- Move role changes, ABAP code to P
Scenario 2: Sec involved very late
Impact: Sizeable

Teams shown per phase: FA; Dev; FA; Dev; FA; Sec; Dev; Sec; FA; Dev, Sec; FA; Dev, Sec

Activities:
- Create FS
- ABAP development
- Move ABAP code to T
- Unit test
- Integration testing
- Create RDD
- Finalize security design
- ABAP Auth check code
- Move security objects, ABAP code to T, Q
- Move security objects, ABAP code to P
- Dev to inform Sec team at the initial stage of any custom development
Scenario 3: Sec not involved
Impact: Sizeable

Teams shown per phase: FA; Dev; FA; Dev; FA; Dev

Activities:
- Create FS
- ABAP development
- Unit test
- Move development to T, Q
- Integration testing
- Move development to P
Avoid redundant code: do not re-implement the default authorization checks the system already performs (S_TCODE, S_PROGRAM, S_RFC, S_TABU_DIS).
Report/Transaction authorizations:
• Avoid the possibility of providing backdoor access
• Place authorization checks before calling other development objects such as a program or transaction code, e.g. before statements like CALL TRANSACTION or SUBMIT PROGRAM
• Avoid using sy-uname in the development
• Avoid using any sort of hardcoded authorization values
• Standard or custom authorization objects?
If the custom development is a completely new solution, not related to any SAP standard transaction/process, the use of custom authorization objects is recommended.
Otherwise, the best practice is to use standard authorization objects.
Note: A good understanding of the business requirement and a wide knowledge of the standard SAP authorization objects are required to decide which type of authorization object to use in the custom development.
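The following ABAP is an added illustration of the report/transaction tips above and of the custom-object split described in the introduction (Security team creates the object, Development team writes the check). It is not code from the presentation. The report name ZSEC_AUTH_DEMO, the custom authorization object Z_CUST_RPT (fields ACTVT and WERKS) and the target transaction ZPLANT_RPT are assumed names; S_TCODE, ACTVT, WERKS and the SPA/GPA parameter WRK are standard SAP identifiers. The weak form is kept only to contrast it with the hardened one.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_AUTH_DEMO  (hypothetical name, added example)
*& Shows: no sy-uname logic, no hardcoded authorization values, and an
*& explicit check before every CALL TRANSACTION, using an assumed custom
*& authorization object Z_CUST_RPT created by the Security team.
*&---------------------------------------------------------------------*
REPORT zsec_auth_demo.

PARAMETERS p_werks TYPE werks_d OBLIGATORY.

START-OF-SELECTION.
  " No explicit S_TCODE check for this report's own transaction here:
  " the system performs that at transaction start, so coding it again
  " would be the redundant check the slide warns about.
  PERFORM hardened_jump USING p_werks.

*----------------------------------------------------------------------*
* Weak pattern (what the slide advises against), for contrast only.
*----------------------------------------------------------------------*
FORM weak_jump.
  " A user-name list is a backdoor: it bypasses role design entirely,
  " is invisible to the Security team and goes stale as people change.
  IF sy-uname = 'JDOE' OR sy-uname = 'BATCHUSER'.
    CALL TRANSACTION 'ZPLANT_RPT'.   " no authorization check before the call
  ENDIF.
ENDFORM.

*----------------------------------------------------------------------*
* Hardened pattern: the organizational value comes from the user's
* input, the checks use authorization objects, and they run before
* control is handed to the other development object.
*----------------------------------------------------------------------*
FORM hardened_jump USING iv_werks TYPE werks_d.
  DATA: lv_tcode TYPE sy-tcode VALUE 'ZPLANT_RPT',   " assumed target tcode
        lv_msg   TYPE string.

  " 1. Custom object: may this user display (ACTVT 03) this plant?
  "    Z_CUST_RPT is assumed; its class and fields are maintained by Sec.
  AUTHORITY-CHECK OBJECT 'Z_CUST_RPT'
    ID 'ACTVT' FIELD '03'
    ID 'WERKS' FIELD iv_werks.
  IF sy-subrc <> 0.
    lv_msg = |No authorization to display plant { iv_werks }|.
    MESSAGE lv_msg TYPE 'E'.
  ENDIF.

  " 2. Start authorization for the transaction we are about to call.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD lv_tcode.
  IF sy-subrc <> 0.
    lv_msg = |No authorization for transaction { lv_tcode }|.
    MESSAGE lv_msg TYPE 'E'.
  ENDIF.

  " Only after both checks passed do we leave this program.
  SET PARAMETER ID 'WRK' FIELD iv_werks.
  CALL TRANSACTION lv_tcode AND SKIP FIRST SCREEN.
ENDFORM.
```

The same guard belongs in front of a SUBMIT: the plant value to check is the one being passed to the called program, never a literal or a value derived from sy-uname. Because the check is against a role-maintained object, adding or removing a user is a role assignment, not a code change.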
Table Authorizations:
• Use authorization groups for any newly created tables; avoid using &NC&
• Avoid using cross-client tables, especially when business users need to maintain the table entries
• It is possible to control table line entries based on organizational values
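An added ABAP example for the three table points (authorization group, cross-client tables, line-level control), not code from the presentation. The report name ZSEC_TABLE_DEMO, the custom table ZPLANT_CFG (with a WERKS column) and the custom authorization object Z_CUST_RPT are assumed names; TDDAT-CCLASS (a table's authorization group), DD02L-CLIDEP (client-dependency flag), S_TABU_DIS, S_TABU_CLI and their fields are standard SAP identifiers.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_TABLE_DEMO  (hypothetical name, added example)
*& Shows: refuse tables without an authorization group (&NC&), check
*& S_TABU_DIS at group level, require S_TABU_CLI for cross-client
*& tables, and filter lines by an organizational value (plant).
*&---------------------------------------------------------------------*
REPORT zsec_table_demo.

CONSTANTS gc_table TYPE tabname VALUE 'ZPLANT_CFG'.   " assumed custom table

TYPES: BEGIN OF ty_row,
         werks TYPE werks_d,
         value TYPE string,
       END OF ty_row,
       ty_rows TYPE STANDARD TABLE OF ty_row WITH DEFAULT KEY.

*----------------------------------------------------------------------*
* Sets cv_ok = abap_true only if the user may change entries of gc_table.
*----------------------------------------------------------------------*
FORM check_table_change CHANGING cv_ok TYPE abap_bool.
  DATA: lv_authgroup TYPE tddat-cclass,
        lv_clidep    TYPE dd02l-clidep.
  cv_ok = abap_false.

  " Authorization group assigned to the table (maintained in SE54, stored
  " in TDDAT). A table without a group falls under &NC&, which the slide
  " advises against: treat it as a design defect, not as open access.
  SELECT SINGLE cclass FROM tddat INTO lv_authgroup
    WHERE tabname = gc_table.
  IF sy-subrc <> 0 OR lv_authgroup IS INITIAL OR lv_authgroup = '&NC&'.
    MESSAGE 'Table has no authorization group assigned' TYPE 'E'.
  ENDIF.

  " S_TABU_DIS: group-level check, activity 02 = change.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD lv_authgroup
    ID 'ACTVT'     FIELD '02'.
  IF sy-subrc <> 0.
    RETURN.
  ENDIF.

  " Cross-client table (CLIDEP initial): a change affects every client,
  " so S_TABU_CLI is required in addition to the group-level check.
  SELECT SINGLE clidep FROM dd02l INTO lv_clidep
    WHERE tabname = gc_table AND as4local = 'A'.
  IF lv_clidep IS INITIAL.
    AUTHORITY-CHECK OBJECT 'S_TABU_CLI'
      ID 'CLIIDMAINT' FIELD 'X'.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.
  ENDIF.

  cv_ok = abap_true.
ENDFORM.

*----------------------------------------------------------------------*
* Line-entry control by organizational value: drop every row whose plant
* the user may not display. Z_CUST_RPT is the assumed custom object.
*----------------------------------------------------------------------*
FORM filter_rows_by_plant CHANGING ct_rows TYPE ty_rows.
  LOOP AT ct_rows ASSIGNING FIELD-SYMBOL(<ls_row>).
    AUTHORITY-CHECK OBJECT 'Z_CUST_RPT'
      ID 'ACTVT' FIELD '03'
      ID 'WERKS' FIELD <ls_row>-werks.
    IF sy-subrc <> 0.
      DELETE ct_rows.   " removes the current row of the loop
    ENDIF.
  ENDLOOP.
ENDFORM.
```

For standard table maintenance (SM30/SM34) the line-level restriction is provided by the S_TABU_LIN object with organizational criteria; the filter loop above is the equivalent for a custom report or maintenance program that reads the table directly.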