
6/19/2019 Getting Started – Page 2 – Sap Security Pages

SAP SECURITY PAGES


Learn SAP Security & Authorizations Concepts

CATEGORY: GETTING STARTED

Basic Security Concepts

OCTOBER 30, 2010

Security Trace

The Security Trace Tool (transaction ST01) provides a way to trace the complete
sequence of security checks for a transaction. Since all checks are displayed, this is a much
more reliable way of investigating potential issues than looking at the last failure alone.

The trace needs to be switched on at the same application server the user is logged on to,
before the transaction is started; the user's server can be checked through SM51. From the
initial screen of ST01, we enter the appropriate filter conditions for our trace (mostly this
is the user whose access we are checking) and click the "trace on" button.

https://www.sapsecuritypages.com/category/getting-started-with-security/page/2/ 1/31

ST01 - Initial Screen

The user now executes the sequence of actions to replicate the error. At this point, we
click the analysis button, select the appropriate filter criteria for the trace file and finally
display the trace file itself.


ST01 - Trace Analysis


ST01 - Trace Display

OCTOBER 30, 2010

SU53 – Display Auth Data


Troubleshooting security issues is one of the daily tasks of any security administrator. The
first method of investigating authorization failures is the ubiquitous SU53 transaction. It
involves asking the affected user to run the step(s) that replicate the issue and, immediately
on getting the error, to execute /nsu53 in the command window. The screenshots below show
the sequence of actions.

The user tries to create another user through SU01 and gets an authorization error

SU01- Create User

The user gets a pop-up with the message that he doesn't have authorization to create users.

SU01 - Authorization Error

Often, clicking the help button provides important information about the background of
the error.


SU01 Help Info

To get the SU53 screen, we execute /nsu53 from the command window immediately after
getting the error. The SU53 window shows the last authorization check that returned a
non-zero value (an authorization failure) for the user.


SU53

The biggest limitation of SU53 is the fact that it only shows the last authorization failure
of a user. In a typical transaction, there can be an entire sequence of authorization
checks, any of which might fail, and an earlier failure is hidden behind a later one. To view
the entire sequence of authorization checks, we use the authorization trace tool
(transaction ST01).

OCTOBER 26, 2010

Authority-Check
This post talks about the program-level mechanism that implements a check for a particular
authorization object. SAP business applications are coded in SAP's proprietary
language, ABAP. All transactions call ABAP programs at the back-end, and it is this code
which is responsible for checking security.

The security check for an authorization object is done through the standard ABAP statement
AUTHORITY-CHECK. The actual form of this statement is given below for checking
display access (ACTVT 03) to a table belonging to a particular table authorization group
(DIBERCLS 'SC').


AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'ACTVT'    FIELD '03'
    ID 'DIBERCLS' FIELD 'SC'.

The screenshot below shows a portion of the standard SAP code that checks table access.

Authority-Check for Tables

This statement checks the user buffer of the person executing the program/tcode to see
if they have an authorization for S_TABU_DIS with ACTVT 03 and DIBERCLS 'SC'. Depending on
the contents of the user buffer, the statement returns different values (in the system
field SY-SUBRC):


0 signifies a successful check, i.e. the user has the correct authorization.
4 denotes that the user has the authorization object in the buffer but not with the correct values.
12 denotes that the user has no authorization for the specified object at all.
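The following Python model is an added illustration (not code from the blog or from SAP) of the two ideas above: how AUTHORITY-CHECK evaluates the user buffer to produce SY-SUBRC 0, 4 or 12, and why the SU53 view (last failure only) can hide an earlier failure that the ST01 trace shows. The user buffer, the sequence of checks and the table name ZMYTABLE are constructed; field values in an authorization are assumed to be a single value, '*', a trailing-'*' pattern or a (low, high) range, and only the three return codes listed in the post are modelled.

```python
"""Model of the ABAP AUTHORITY-CHECK against a user buffer, recording every check
the way ST01 shows it and only the last failure the way SU53 shows it.

Added illustration, not code from the blog or from SAP. Assumptions: a field value
in an authorization is a single value, '*' (all values), a trailing-'*' pattern
such as 'PA*', or a (low, high) range tuple; only the return codes 0, 4 and 12
described in the post are modelled.
"""
from dataclasses import dataclass, field

RC_OK = 0             # a matching authorization exists in the buffer
RC_WRONG_VALUES = 4   # object is in the buffer, but no authorization covers all checked fields
RC_NO_OBJECT = 12     # the buffer holds no authorization for the object at all


def value_matches(allowed, actual):
    """Does one field value of an authorization cover the value being checked?"""
    if isinstance(allowed, tuple):            # (low, high) range, e.g. ('0001', '0999')
        low, high = allowed
        return low <= actual <= high
    if allowed == "*":
        return True
    if allowed.endswith("*"):                 # generic pattern, e.g. 'PA*'
        return actual.startswith(allowed[:-1])
    return allowed == actual


@dataclass
class Tracer:
    """Keeps every check (the ST01 trace) and exposes the last failure (the SU53 view)."""
    entries: list = field(default_factory=list)   # (object, checked fields, rc) in order

    def record(self, obj, checked, rc):
        self.entries.append((obj, dict(checked), rc))

    def st01_view(self):
        return list(self.entries)

    def su53_view(self):
        failures = [e for e in self.entries if e[2] != RC_OK]
        return failures[-1] if failures else None


def authority_check(buffer, obj, tracer, **checked):
    """AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2 ... -> SY-SUBRC.

    `buffer` maps an object name to the list of authorizations for it; each
    authorization maps field name -> allowed value. The check passes only if ONE
    authorization covers every checked field; values are never combined across
    authorizations.
    """
    auths = buffer.get(obj)
    if not auths:
        rc = RC_NO_OBJECT
    elif any(all(value_matches(a.get(f, ""), v) for f, v in checked.items()) for a in auths):
        rc = RC_OK
    else:
        rc = RC_WRONG_VALUES
    tracer.record(obj, checked, rc)
    return rc


# Constructed user buffer: the user may start SE16 and SU53 and display tables of
# authorization group SC, but has no change access and no S_TABU_NAM authorization.
USER_BUFFER = {
    "S_TCODE": [{"TCD": "SE16"}, {"TCD": "SU53"}],
    "S_TABU_DIS": [{"ACTVT": "03", "DIBERCLS": "SC"}],
}


def run_table_change_scenario(buffer=USER_BUFFER):
    """Constructed sequence of checks: the user starts SE16, displays a table of
    group SC, then tries to switch to change mode, which the program guards with
    S_TABU_DIS and, when that fails, with S_TABU_NAM (table name ZMYTABLE is constructed)."""
    tracer = Tracer()
    authority_check(buffer, "S_TCODE", tracer, TCD="SE16")                        # 0
    authority_check(buffer, "S_TABU_DIS", tracer, ACTVT="03", DIBERCLS="SC")       # 0
    authority_check(buffer, "S_TABU_DIS", tracer, ACTVT="02", DIBERCLS="SC")       # 4
    authority_check(buffer, "S_TABU_NAM", tracer, ACTVT="02", TABLE="ZMYTABLE")    # 12
    return tracer


if __name__ == "__main__":
    t = run_table_change_scenario()
    print("ST01 view (all checks):")
    for obj, checked, rc in t.st01_view():
        print(f"  {obj:<12} {checked} -> RC={rc}")
    print("SU53 view (last failure only):", t.su53_view())
```

Running the script shows the point of the two tools: the SU53 view reports only the S_TABU_NAM failure (12), while the ST01 view also contains the S_TABU_DIS failure (4) that preceded it, which is the one a role administrator would actually have to fix for change access.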

OCTOBER 26, 2010

SU24 – Maintain Check Indicators


The SU24 transaction is one of the most important transactions in security. It is used to
maintain all the objects that are checked during the execution of a particular transaction.
The check indicators maintained in SU24 are stored in two customer-specific tables,
USOBT_C and USOBX_C. The customer-specific tables ensure that the values modified
by a customer are not overwritten by the SAP-proposed values during a future upgrade.
We can have a look at the SAP-proposed values through the transaction SU22.

SU24 - Initial Screen

Each object can have one of three different statuses, as shown in the screenshot below.


SU24 - check indicators

Do not check – These objects are not checked during transaction execution.
Authorization objects belonging to the Basis and HR components cannot be marked as Do not
check.
Check, Yes (Check/Maintain in previous releases) – These objects are checked during
transaction execution and are also pulled into a role when the transaction is added to the role.
We also have the option of maintaining default values of the authorization fields for these
objects. For example, in the last post regarding role maintenance, we saw a number of
authorizations which were pulled into the role with default values. These authorizations
appear with status Standard or Maintained in role maintenance.
Check, No (Check in previous releases) – These objects are checked during transaction
execution but are not pulled into the role even if the transaction is added to the menu.

It is important to note that the primary check for an authorization object during program
execution happens at the code level. So adding a check in SU24 will have no impact on
security unless the code is modified as well to include a check for the authorization object.


We talk about the mechanism of the authorization check at program level in our next
article.

In the last two sections, we have looked at both SU22 (SAP-delivered check indicators) and
SU24 (customer maintenance of check indicators). We have also talked about how SU22
presents data from the USOBT and USOBX tables, while SU24 presents data from the customer
tables USOBT_C and USOBX_C. The natural question that arises is: "if SAP only
writes to the former set of tables and we only modify the customer tables, how are the
customer tables initially filled with data?" SAP provides a standard
transaction, SU25, for initially copying the SAP-proposed values over to the customer
tables. We discuss this transaction in our next section.

OCTOBER 22, 2010

User Master Record


A valid user master record must exist for all users accessing the SAP system. The user
master is accessed through the transaction SU01 (there is a separate version of the tcode,
SU01D for display).

SU01 - User Maintenance


There are a number of tabs for maintaining different data for the user. Some of the
more important tabs, with the data they contain, are given below.

Address – First, Last Names, Department, Email, Telephone, Language

User Maintenance - Address Data

Logon Data – Password, User Group, User Type, Validity


User Maintenance - Logon Data

Parameters – User Parameters


User Maintenance - Parameters

Roles – These give access to the different functions within the SAP system

User Maintenance - Roles

Profiles – Lists the profiles corresponding to the role entries

User Maintenance - Profiles

License Data – License type for the user. This field is evaluated as part of license audits.

User Maintenance - License Data

OCTOBER 22, 2010


Roles & Authorizations


Access to the SAP system is assigned to users through roles maintained in their user
master. In this article, we explore how access to the SAP system is extended to users
through roles. We also talk about the related concepts of authorization objects and
authorizations.

The transaction to create/maintain roles is PFCG. Let's create a role in PFCG and try to
understand the various options available to us there. We name the new role
"ZTEST_HR_ACCESS" and click the "Single Role" button. (Note that you can follow any
naming convention for your roles as long as they do not begin with SAP or /.)

Role Maintenance (PFCG) – initial screen

Inside PFCG, there are again a number of tabs which need to be filled with data as part of
the role creation process. We start with maintaining the role name and description. There is
also the option of specifying a parent role as shown in the diagram below. A child role
inherits all tcodes and authorizations from its parent except the organizational levels (we
will discuss org levels in a later article). The Long text field might be used as an audit log to
track the background behind creating the new role.


PFCG – Role Description

In the menu tab, we maintain the tcodes that the role will have access to. In addition to
tcodes, we can also add reports, queries and URLs. There are many options for building the
menu of a role: you can copy from an existing area menu defined in SAP, copy from
another role or import from a text file.


PFCG – Menu

Once we have maintained the menu for the role, we go into the Authorization tab. We have
the option of generating a profile name or following our own naming convention. I would
suggest following a naming convention of our own (even though I have used the
generated profile name in the example), as the profile name can help in subsequent
reporting on authorizations. We save the new profile and click either of the two
highlighted buttons, Change Authorization Data or Expert mode for profile generation, to
get into authorization data maintenance.


PFCG – Authorization Tab

The next screen is for maintenance of authorization data. The different color codes define
distinct security-specific objects/concepts. Let's discuss these below.

Blue Line – Role – In our case it is the new role which we have just created,
"ZTEST_HR_ACCESS".
Pink Line – Authorization Class – These group authorization objects which protect
similar application components.
Green Line – Authorization Object – Though called an object, an authorization object is
more akin to an OOP class. It is a template or structure with a number of fields, each of
which needs to be filled with appropriate data to allow access.
Yellow Line – Authorization – This is a unique instance of an authorization object with
values specified for its different fields. Carrying the OOP analogy forward, an
authorization is actually similar to an object.

Off-white Line – Authorization Field – These are the unique fields within each
authorization object. Different authorization objects will have different sets of
authorization fields.

To understand how security works at the application level, we take the example of the
S_TCODE object. To start a transaction, a user needs this authorization object in their
user buffer with the transaction maintained as a field value. In the example below, a
user with the new role would be able to start transactions PA30, PA40 and SU53.
However, starting a transaction is only the first level of check; any number of different
authorization objects can be checked at each step of the transaction. These checks are
for the presence of individual authorizations in the user buffer.

During role maintenance, we maintain all the open field values (marked by yellow
triangles) so that all authorizations become green. Once finished, we generate the role by
clicking the button with the circle of red and white quadrants. This final step is the
most important step in the entire process, as it creates one or more authorization
profiles for the role. It is actually the authorization profiles present in the user buffer that
give access to SAP applications; the role just makes maintenance of the authorization
profiles easier. Even now, it is technically feasible to modify authorization
profiles directly, but this is strongly discouraged by SAP. Once generated, the role can be
assigned through PFCG itself or through SU01.


PFCG – Role Authorization Data

In the next article, we discuss the link between transactions and authorization objects.
This will in turn help us to understand how the authorization objects are pulled into the
role during maintenance.

OCTOBER 22, 2010

Basic Concepts
The introductory article gave a glimpse of one of the thousands of SAP applications
delivered as part of a SAP standard package. This article follows on from there and starts
our journey on SAP security. It tries to answer three basic questions: What is security?
Why do we need security? and How does SAP implement security?

Q. What is Security?


A. Security in the context of IT denotes giving users access to only those system
resources which they require to perform their jobs. In SAP, these resources generally take
the form of either business applications or administration tools, accessed through transactions,
screens, tables, programs, reports, web services, etc.

Q. Why do we need Security?

A. SAP, being an ERP solution, comes loaded with a huge number of applications which
can be configured to map the business processes of an organization, like procurement,
manufacturing, sales, financial accounting, controlling and human resource management. It
is imperative that only actual employees/business partners get access to the SAP system
(authentication). Further, each user of the SAP system should only have access to the
applications relevant to their job (authorization). For example, we certainly do not want
an employee working on the shop floor to be able to see and update the bank details
of other employees, a job typically reserved for the HR department.

Q. How does SAP implement security?

A. Authentication

Authentication is ensured by having a unique user ID and password for each user,
maintained as part of the user master record. Any user trying to access an SAP system
should have a valid user master record. In addition to the user ID and password, a user
master record also lists the user's name, email, telephone and the roles which allow
access to different applications.

Authorization

Authorizations are implemented through roles (or, in older terminology, activity groups) and
typically assigned to users through their user master record. Each role also has one or
more corresponding authorization profiles with different authorizations. It is the
authorization profiles which actually give access to users.

OCTOBER 22, 2010

Introduction to SAP


This site basically deals with SAP security. But before we get into the details of security, it
would probably be beneficial for the absolute newbies among us to first get a basic idea of
ERP software in general and SAP in particular. This beginning article tries to do just that.
So, experienced ones, please feel free to skip ahead to the next posts.

SAP (Systems, Applications and Products in Data Processing) is an example of ERP
(Enterprise Resource Planning) software. An ERP system is a computer-based system to
manage the internal and external resources of an enterprise. It might have various
components to help in business processes like procurement, sales, accounting and human
resources. Some of the major vendors of ERP software are SAP, Oracle, PeopleSoft and JD
Edwards.

Since these pages deal with SAP security, let us consider a business process
implemented in SAP. A user typically uses the SAP GUI/Logon Pad to launch the login
screen for a particular SAP instance.

SAP Logonpad

At the next screen, the user logs in to the SAP system using his unique user ID and
password.


Log-on Screen

Each business process in SAP is typically started using a transaction code (tcode) or by
following a menu path. We consider the HR transaction PA40 (Personnel Actions), which is
used to hire a person into a position in the enterprise.

Starting a transaction through its tcode

On the initial PA40 screen we enter the date from which we want to hire our new
employee, select the hiring action and click the clock icon (execute).


PA40 Initial Screen

On each subsequent screen, we enter the relevant information, like personal data,
organizational data, address, tax information, basic salary, bank details and click the save
button.

Create Hiring Action


PA40 Create Hiring Action

Create Personal Data


PA40 - Create Personal Data

Create Organizational Data


PA40 - Create Organizational Data

Create Address


PA40 - Create Address Data

Create Bank Details


PA40 - Create Bank Details

Final screen showing successful hiring of Mr Abap Developer with a personnel number of 2


PA40 - Final screen showing successful hire

