
Custom security effective implementation


Page 1: Custom security   effective implementation

Presenter: Srini, Flow Slf Authorizations

4/6/2014 H&M Internal v1.0

Page 2: Custom security   effective implementation

Introduction - Custom Security

Teams involved in Custom Security design

Different Project cycles of Custom Security design

Technical Tips for effective implementation


Page 3: Custom security   effective implementation


Additional control over SAP standard transactions/processes where the default authorization controls provided by SAP are not sufficient

(or)

Control over any newly created SAP development object (e.g. a custom report, transaction code or table)

Implemented via an AUTHORITY-CHECK in ABAP code against either a standard or a custom authorization object

The custom authorization object (together with its standard/custom authorization object class and authorization fields) is created by the Security team, while the ABAP code is written by the Development team


Page 5: Custom security   effective implementation

Project cycle of a custom security design:

• Role Design Requirements
• Development
• Unit testing
• Integration testing
• User Acceptance testing
• PRD

Page 6: Custom security   effective implementation

Scenario 1: Sec fully involved

Acronyms for teams
• FA – Functional Area
• Sec – Security
• Dev – Development

Swim-lane flow, in order (team in brackets):
- Create RDD (FA)
- Finalize security design (Sec)
- ABAP auth check code (Dev)
- Unit test (Sec)
- Unit test (FA)
- Move security objects, ABAP code to T, Q (Sec, Dev)
- Integration testing (FA)
- Move role changes, ABAP code to P (Sec, Dev)

Page 7: Custom security   effective implementation

Scenario 2: Sec involved very late

Swim-lane flow, in order (team in brackets; FA = Functional Area, Sec = Security, Dev = Development):
- Create FS (FA)
- ABAP development (Dev)
- Unit test (FA)
- Move ABAP code to T (Dev)
- Integration testing; create RDD (FA)
- Finalize security design (Sec)
- ABAP auth check code (Dev)
- Unit test (Sec)
- Unit test (FA)
- Move security objects, ABAP code to T, Q (Dev, Sec)
- Integration testing (FA)
- Move security objects, ABAP code to P (Dev, Sec)

Impact: Sizeable. The security design, auth check code, unit test, transport to T/Q and integration test are all done a second time after the development has already been built and tested once.

Page 8: Custom security   effective implementation

Scenario 2, mitigation: Dev to inform the Sec team at the initial stage of any custom development, so that the RDD and the security design are finalized before the ABAP development starts instead of after integration testing.


Page 10: Custom security   effective implementation

Scenario 3: Sec not involved

Swim-lane flow, in order (team in brackets; FA = Functional Area, Dev = Development):
- Create FS (FA)
- ABAP development (Dev)
- Unit test (FA)
- Move development to T, Q (Dev)
- Integration testing (FA)
- Move development to P (Dev)

Impact: Sizeable. The custom development reaches P without any security review, role design or custom authorization checks.

Page 11: Custom security   effective implementation


Avoid redundant code: do not re-implement the default authorization checks the system already performs – S_TCODE (transaction start), S_PROGRAM (report start, when the program has an authorization group), S_RFC (RFC function module call) and S_TABU_DIS (generic table maintenance via SM30/SE16 etc.)

Report/Transaction authorizations:

• Avoid the possibility of providing backdoor access: a custom transaction or report that calls a standard one without a check of its own lets a user reach the target with nothing more than S_TCODE for the custom wrapper

• Place authorization checks before calling other development objects like programs/transaction codes, i.e. before statements such as CALL TRANSACTION or SUBMIT

• Avoid using sy-uname in the development: user-ID comparisons bypass role administration and silently break when users change

• Avoid using any sort of hard-coded authorization values (plant, company code, activity etc.); take them from the authorization object fields so they are maintained in roles, not in code

• Use of standard/custom authorization objects?

If your custom development is completely a new solution and not related to any SAP standard transaction/process, then use of custom authorization objects is recommended. Otherwise, the best practice is to reuse the standard authorization objects, so the same role values control both the standard and the custom path.

Note: A good understanding of the business requirement and a wide knowledge of the standard SAP authorization objects is required to decide the type of authorization object to be used in the custom development.
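The tips above in working ABAP, as an added example that is not code from the original deck: a Z report that jumps to a standard transaction or submits another report, shown once in the weak form the slide warns against and once hardened. ZSEC_CUSTOM_AUTH_DEMO, the custom authorization object ZMM_PRICE (fields WERKS and ACTVT) and the report ZMM_PRICE_LIST are hypothetical names; MM02 stands in for whatever standard transaction the custom development calls; AUTHORITY_CHECK_TCODE is the standard function module that performs the S_TCODE check.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_CUSTOM_AUTH_DEMO (hypothetical name; added example, not
*& code from the original deck)
*& Assumes a custom authorization object ZMM_PRICE with fields WERKS and
*& ACTVT, created by the Security team in SU21.
*&---------------------------------------------------------------------*
REPORT zsec_custom_auth_demo.

PARAMETERS: p_werks TYPE werks_d OBLIGATORY,   " plant entered by the user
            p_chg   AS CHECKBOX.               " change instead of display

START-OF-SELECTION.
  PERFORM hardened_pattern.

*----------------------------------------------------------------------*
* Weak pattern: what the slide warns against (kept only for contrast,
* never called)
*----------------------------------------------------------------------*
FORM weak_pattern.
  " Hard-coded user: bypasses role administration, breaks on staff change.
  IF sy-uname = 'JSMITH'.
    WRITE: / 'change allowed'.
  ENDIF.
  " Hard-coded org value: the authorization lives in code, not in roles.
  IF p_werks = '1000'.
    WRITE: / 'change allowed'.
  ENDIF.
  " Backdoor: jump into a standard transaction with no check of its own.
  " Whether CALL TRANSACTION re-checks S_TCODE for the target depends on
  " the SE97 (transaction coupling) settings, so a user who only holds
  " S_TCODE for this Z report may reach MM02 without being authorized.
  CALL TRANSACTION 'MM02'.
ENDFORM.

*----------------------------------------------------------------------*
* Hardened pattern
*----------------------------------------------------------------------*
FORM hardened_pattern.
  DATA lv_actvt TYPE activ_auth.

  IF p_chg = abap_true.
    lv_actvt = '02'.   " change
  ELSE.
    lv_actvt = '03'.   " display
  ENDIF.

  " 1. Custom object check: plant and activity come from the input and the
  "    program context; the permitted values come from the user's roles.
  AUTHORITY-CHECK OBJECT 'ZMM_PRICE'
    ID 'WERKS' FIELD p_werks
    ID 'ACTVT' FIELD lv_actvt.
  IF sy-subrc <> 0.
    MESSAGE |No authorization for plant { p_werks }, activity { lv_actvt }|
      TYPE 'E'.
  ENDIF.

  " 2. Explicit S_TCODE check for the target BEFORE the jump, so the Z
  "    report cannot act as a backdoor into MM02. The function module
  "    raises OK when the user is authorized, NOT_OK otherwise.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = 'MM02'
    EXCEPTIONS
      ok     = 1
      not_ok = 2
      OTHERS = 3.
  IF sy-subrc <> 1.
    MESSAGE 'No authorization for transaction MM02' TYPE 'E'.
  ENDIF.

  IF p_chg = abap_true.
    CALL TRANSACTION 'MM02'.
  ELSE.
    " Same rule for SUBMIT: the called report (hypothetical ZMM_PRICE_LIST)
    " is only reached after the checks above have passed.
    SUBMIT zmm_price_list WITH p_werks = p_werks AND RETURN.
  ENDIF.
ENDFORM.
```

On releases from 7.40 SP02 on, CALL TRANSACTION ... WITH AUTHORITY-CHECK performs the S_TCODE check inline and can replace the function module call; the custom-object check before the jump is needed either way, because S_TCODE only says the user may start MM02, not which plants or activities the custom development should expose.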

Page 12: Custom security   effective implementation


Table Authorizations:

• Use authorization groups for any newly created tables; avoid &NC& (the "no group" bucket that almost every maintenance role already contains, so it grants nothing specific)

• Avoid cross-client (client-independent) tables, especially where business users need to maintain the table entries: maintenance additionally requires S_TABU_CLI and every change takes effect in all clients

• Row-level control is possible: table line entries can be restricted by organizational values (e.g. company code or plant), via S_TABU_LIN with an organizational criterion for the generic maintenance tools, or via an explicit check in custom maintenance code
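The table controls above in working ABAP, as an added example that is not code from the original deck: a custom maintenance report for a hypothetical table ZFIN_RATES (key BUKRS, VALID_FROM; field RATE) that has been assigned authorization group ZFIN in SE54 instead of &NC&, with a row-level check on company code through a hypothetical custom object ZFIN_RATE (fields BUKRS and ACTVT). S_TABU_DIS and its field DICBERCLS are the standard object and field for table authorization groups; the two input rows are constructed sample data.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_TABLE_AUTH_DEMO (hypothetical name; added example, not
*& code from the original deck)
*& Assumes: custom table ZFIN_RATES assigned to authorization group ZFIN
*& (SE54), and a custom authorization object ZFIN_RATE with fields BUKRS
*& and ACTVT created by the Security team in SU21.
*&---------------------------------------------------------------------*
REPORT zsec_table_auth_demo.

TYPES: BEGIN OF ty_rate,
         bukrs      TYPE bukrs,
         valid_from TYPE datum,
         rate       TYPE p LENGTH 9 DECIMALS 5,
       END OF ty_rate.
TYPES ty_rates TYPE STANDARD TABLE OF ty_rate WITH DEFAULT KEY.

DATA: gt_rates TYPE ty_rates,
      gs_rate  TYPE ty_rate.

START-OF-SELECTION.
  " Constructed sample input; in a real program this comes from a screen
  " or an upload file.
  gs_rate-bukrs = '1000'. gs_rate-valid_from = '20140401'. gs_rate-rate = '1.35'.
  APPEND gs_rate TO gt_rates.
  gs_rate-bukrs = '2000'. gs_rate-valid_from = '20140401'. gs_rate-rate = '0.89'.
  APPEND gs_rate TO gt_rates.

  PERFORM check_table_group.
  PERFORM save_rates USING gt_rates.

*----------------------------------------------------------------------*
* Table-level gate. SM30/SE16 check S_TABU_DIS against the table's
* authorization group themselves; a custom maintenance program has to do
* the same, otherwise assigning group ZFIN to the table protects nothing
* on this path.
*----------------------------------------------------------------------*
FORM check_table_group.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD 'ZFIN'
    ID 'ACTVT'     FIELD '02'.
  IF sy-subrc <> 0.
    MESSAGE 'No maintenance authorization for table group ZFIN' TYPE 'E'.
  ENDIF.
ENDFORM.

*----------------------------------------------------------------------*
* Row-level gate. Company code is an organizational value, so every row
* is checked against the custom object before anything is written. The
* save fails closed: one unauthorized row aborts the whole save instead
* of silently skipping it.
*----------------------------------------------------------------------*
FORM save_rates USING it_rates TYPE ty_rates.
  DATA: ls_rate     TYPE ty_rate,
        lt_rejected TYPE ty_rates.

  LOOP AT it_rates INTO ls_rate.
    AUTHORITY-CHECK OBJECT 'ZFIN_RATE'
      ID 'BUKRS' FIELD ls_rate-bukrs
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc <> 0.
      APPEND ls_rate TO lt_rejected.
    ENDIF.
  ENDLOOP.

  IF lt_rejected IS NOT INITIAL.
    LOOP AT lt_rejected INTO ls_rate.
      WRITE: / 'No authorization for company code', ls_rate-bukrs.
    ENDLOOP.
    MESSAGE 'Save aborted: unauthorized company codes in input' TYPE 'E'.
  ENDIF.

  MODIFY zfin_rates FROM TABLE it_rates.
  IF sy-subrc = 0.
    COMMIT WORK.
  ELSE.
    ROLLBACK WORK.
  ENDIF.
ENDFORM.
```

The two checks are deliberately separate: the S_TABU_DIS check mirrors what the generic tools already enforce for the table as a whole, while the per-row check on BUKRS is the piece the generic tools only provide through S_TABU_LIN and that a custom program must therefore code itself.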
