Basics of SAP Security
Agenda
1. Introduction to SAP Security
2. Building Blocks
   User Master Record
   Roles
   Profiles
   Authorization Objects
3. User Buffer
4. Troubleshooting of Authorization Issues
   SU53, ST01/STAUTHTRACE, SUIM
5. SAP Password Controls
   RZ10
   RZ11
6. Frequently Used SAP Security Transactions and Tables
1. Introduction to SAP Security
SAP stands for Systems, Applications and Products in data processing.
1. Dialog Users
These are interactive users.
They can log on to SAP GUI; at logon the system checks whether the user's password has expired or is still initial.
The user can then set a new password that complies with the password policy.
Multiple logons are possible and can be restricted by profile parameters.
2. System User
Used for communication within the system.
Cannot log on to SAP GUI.
Password expiry and initial-password checks do not apply; only an administrator can change the password.
E.g. internal RFC, external RFC.
3. Communication User
These users communicate between systems.
Cannot log on to SAP GUI.
The system applies the password parameter checks to these users.
4. Service User
An account that is shared by a group of users.
Can log on to SAP GUI.
Password expiry and initial-password checks do not apply; only an administrator can change the password.
Multiple logons to the SAP system are accepted.
5. Reference User
Used for authentication of administration.
Cannot log on to SAP GUI.
User Administration (SU01)
Step 1: Enter transaction code “SU01” in the SAP command field and press Enter.
Step 2: On the user maintenance screen, update the following details.
User: Enter the new user ID that you want to create.
Click on the Create button (F8).
Step 3: On the next screen, update the following details.
Address tab:
Title: Select the title from the drop-down list.
Last name: Enter the user's last name; this field is mandatory.
First name: Enter the user's first name.
Communication: Enter the user's communication details such as mobile number, e-mail address and default language.
Logon data tab: On the Logon data tab, update the following details.
User Maintenance: Mass Changes (SU10)
Step 1: Enter transaction code “SU10” in the SAP command field and press Enter.
If you want to modify the details of several users, you can modify them all at once. In the User field, enter all the users that you want to mass change.
Now modify the details of the users; for example, change the decimal notation and date format.
Mark the Change option and change the decimal notation, date format and time format.
Click on the Save button to save the data; you get a notification about the mass change. Press Yes to continue.
Similarly you can change user address details and authorization details such as user group, role, authorization object and so on. So mass user maintenance helps you to
User Group (SUGR)
SUGR is the transaction code used for maintaining user groups in SAP.
It belongs to the package SUSR.
When this transaction code is executed, SAPMSUUG is the standard SAP program that runs in the background.
It is used to categorize users by a common denominator, sort users into logical groups and allow segregation of user maintenance; this is especially useful in a large organization.
Introduction to Roles
A role is a group of permissions/authorizations that are provided to a user.
Roles and authorizations allow users to access SAP standard as well as custom transactions in a secure way.
Single role:
• A group of authorizations that is assigned to the user.
• Generally, these authorizations are assigned in the form of transactions, reports, web addresses and functions.
Composite role:
• Consists of many single roles. A composite role does not contain any profile of its own.
• We can add a single role or a derived role to a composite role, but we cannot add a composite role to another composite role because a composite role does not contain any profile.
Derived role (master-derived role):
• A derived role is derived from a master role.
• It inherits the menu structure, i.e. t-codes, reports and web addresses, from the master role, except for the organizational values such as controlling area, company code, etc.
• Profile: Profiles are the objects that actually store the authorization data.
• Transaction codes: A transaction code is used to access functions or run programs (including executing ABAP code) in the SAP application more rapidly.
• Authorization object class: A grouping of authorization objects. It may contain one or more authorization objects.
• Authorization objects: Objects that define the relation between different fields and also help in restricting or allowing the values of those fields.
• Authorization fields and values: An authorization enables you to perform a particular activity in the SAP system, based on a set of authorization object field values.
• Organization level: Defines the organizational elements in SAP, for example company code, plant, purchasing organization, sales organization, work centers, etc.
Role Administration (PFCG)
• Step 1: Enter transaction code “PFCG” in the SAP command field and press Enter.
• Step 2: On the “Role Maintenance” screen, update the following details. Enter the new role ID that you want to create (in this configuration we are going to create Z_ROLE_USER with authorizations for certain transaction codes). Click on the Create Role button.
• Step 3: On the Create Role screen, update the following details.
Description: Enter the descriptive text of the role; here we entered “Role for end user procurement team”.
Long text: Enter the long text of the role.
After updating the details, click on the Save button.
• Step 4: Now we have to assign transaction codes to the role. Go to the Menu tab to assign transactions and click on the Transaction button as shown in the screenshot below.
Click on the Save button to save the details. We have successfully created the role and assigned it in SAP.
Authentication and Authorization
Both terms are often used in conjunction with each other in terms of security, especially when it comes to gaining access to the system. However, they are different concepts, and both are crucial.
Authentication:
• Authentication means confirming your own identity.
• It is the process of validating user credentials to gain user access.
• It determines whether a user is who he claims to be.
• Authentication usually requires a username and a password.
• Authentication is the first step of
Authorization:
• Authorization means granting access in the system.
• It is the process of verifying whether access is allowed or not.
• It determines what a user can and cannot access.
• The authentication factors required for authorization may vary, depending on the security level.
• Authorization is done after successful authentication.
User Buffer (SU56)
• When a user logs on to the system, all of the authorizations that the user has are loaded into a special area of memory called the user buffer.
• As the user attempts to perform activities, the system checks whether the user has the appropriate authorization objects in the user buffer.
• We can use this to analyze the buffer for a particular user, or to reset the buffer for the user.
• You can see the buffer in transaction SU56.
4. Troubleshooting of Authorization Issues
• We will learn about different methods to identify authorization issues:
• SU53 – last failed authorization check
• ST01/STAUTHTRACE – SAP system trace for authorization checks
• SUIM – user information system
• SU53
Using this transaction you can analyze an access-denied error in your system that has just occurred. It displays the last failed authorization check, the user's authorizations and the failed HR authorization check.
• Type /nSU53 in the transaction code area and press Enter.
• Press Enter or click the green tick.
The failed check is shown as authorization object, field and field values, for example:
Authorization Object   Authorization Field   Authorization Field Values
I_VORG_MEL             BETRVORG              PMM2
                       QMART                 M1
• ST01/STAUTHTRACE
• Before starting the trace, request the user to be in transaction IW32 with the order number entered; this will reduce the trace length.
• Click General Filters.
• Click Settings to save.
• Now click the button shown in the screenshot.
• You have successfully taken the trace. Click the button shown in the screenshot, then click Execute.
• Here you will be able to get the authorization fields and values:
Authorization Object   Authorization Field   Authorization Field Value
I_VORG_ORD             BETRVORG              BABL
                       AUFART                PM01
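The user-buffer check described under SU56, and the object/field/value pairs reported by the SU53 and ST01 traces above, as an added example that is not SAP code or part of the original deck: it models how the kernel evaluates an AUTHORITY-CHECK against the buffer, including the rule that all fields must match within one authorization. The buffer contents are constructed sample data; the M1 value is deliberately missing to reproduce the SU53 case shown.

```python
"""Model of the user-buffer authorization check (User Buffer / SU53 / ST01).
Added example, not SAP code: USER_BUFFER is constructed sample data; the
object/field/value pairs come from the traces shown on this page."""
from fnmatch import fnmatchcase

# Constructed user buffer: per object, a list of authorizations, each
# mapping field -> set of granted values. A trailing '*' is a pattern,
# as in PFCG; the ':' (colon) value and ranges are not modelled here.
USER_BUFFER = {
    "I_VORG_ORD": [
        {"BETRVORG": {"BABL"}, "AUFART": {"PM01"}},
        {"BETRVORG": {"RMWA"}, "AUFART": {"PM02"}},
    ],
    "I_VORG_MEL": [
        {"BETRVORG": {"PMM2"}, "QMART": {"M2"}},   # no M1: the SU53 case
    ],
    "S_TCODE": [{"TCD": {"IW32", "IW3*"}}],
}

def value_allowed(granted, requested):
    """True if any granted value (or '*'-pattern) covers the requested value."""
    return any(g == "*" or fnmatchcase(requested, g) for g in granted)

def authority_check(buffer, obj, **fields):
    """Mimic AUTHORITY-CHECK: 0 on success, 4 on failure (like sy-subrc).
    All requested fields must be satisfied by ONE authorization of the
    object; values spread over several authorizations do not combine."""
    for auth in buffer.get(obj, []):
        if all(value_allowed(auth.get(f, set()), v) for f, v in fields.items()):
            return 0
    return 4

def missing_values(buffer, obj, **fields):
    """SU53-style view: field/value pairs that no authorization for the
    object covers. An empty list together with a failed check means each
    value exists, but in different authorizations (the combination is missing)."""
    auths = buffer.get(obj, [])
    return [(f, v) for f, v in fields.items()
            if not any(value_allowed(a.get(f, set()), v) for a in auths)]

if __name__ == "__main__":
    print(authority_check(USER_BUFFER, "I_VORG_ORD", BETRVORG="BABL", AUFART="PM01"))
    print(missing_values(USER_BUFFER, "I_VORG_MEL", BETRVORG="PMM2", QMART="M1"))
```

The second I_VORG_ORD case (BABL with PM02) is the one SU53 does not explain well: every value is in the buffer, yet the check fails because they sit in separate authorizations.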
• SUIM
• Initial screen:
The SUIM initial screen looks like the attached screenshot. It offers options for users, roles, profiles, authorizations, authorization objects, transactions, comparison, where-used list and change documents.
• User node:
• Transactions:
We can search for the transactions in particular roles, or executable by users, etc. For example, if I want to list the transactions that are executable for user AAA, I can use the option “Executable by user”. In this way, you can get a transaction list with multiple selection conditions.
• Comparison:
SUIM lets you compare two users, roles, profiles or authorizations, and also compare users across two systems. Here, I have compared the DDIC user ID with ADSCALLER. In the same way, you can compare roles, profiles, etc.
The “comparison” column will be:
• Red – the object is not assigned to one of the two users.
• Yellow – the object exists in both user master records, but the field-level access is different.
• Green – both user IDs have the authorization object with the same field-level access.
• Where-used list:
The where-used list is used to extract details about where particular roles, profiles, etc. are used in the system. For example, I need to get the assignment of role Z_xx_yy to users, so I can simply use the where-used list to find out all the users who have this role.
• Change documents:
This option is really useful to track changes to user IDs, roles, role assignments to users, profiles and authorizations. We can get the last-changed-by name in SU01 or PFCG itself, but there we don't know what change was made. SUIM provides the feature to track the changes made to user IDs, roles and profiles by date, month, year, etc.
5. SAP Password Controls
There are some standard SAP password controls delivered by SAP which cannot be changed:
• First-time users are forced to change their password before they can log on to the SAP system, and likewise after their password has been reset.
• Users can only change their password when logging on.
• Users can change their password at most once a day.
• Users cannot re-use their previous five passwords.
• The first character cannot be “?” or “!”.
• The first three characters of the password cannot
  • appear in the same order as part of the user name,
  • all be the same,
  • include space characters.
• The password cannot be PASS or SAP*.
SAP Password Controls using Profile Parameters
• In an SAP system, the minimum length for passwords is 3 by default and the maximum length allowed is 8.
• You can use the following system profile parameters to specify the minimum length of a password and the frequency with which users must change their password:
• login/min_password_diff
• login/min_password_digits
• login/min_password_letters
• login/min_password_specials
• login/min_password_lowercase
• login/min_password_uppercase
• login/disable_password_logon
• login/password_charset
• login/password_compliance_to_current_policy
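The fixed standard controls and the login/min_password_* parameters listed above, combined into one checker as an added example (not SAP code and not part of the original deck): PROFILE holds constructed RZ10 settings, and login/min_password_lng, the real SAP length parameter, is assumed here because the page's list does not name it. The login/min_password_diff rule is modelled as a simple position-wise count, which is an assumption, not SAP's exact algorithm.

```python
"""Password check modelled on the standard SAP controls and the
login/min_password_* parameters listed above. Added example, not SAP
code; PROFILE holds constructed RZ10 values, and login/min_password_lng
(the real length parameter, not in the page's list) is assumed."""
import string

PROFILE = {  # constructed sample settings, not SAP defaults
    "login/min_password_lng": 8, "login/min_password_digits": 1,
    "login/min_password_letters": 1, "login/min_password_specials": 1,
    "login/min_password_lowercase": 1, "login/min_password_uppercase": 1,
    "login/min_password_diff": 3,  # characters that must change
}
# Character classes counted for the login/min_password_* parameters.
CLASSES = {"digits": str.isdigit, "letters": str.isalpha,
           "specials": lambda c: c in string.punctuation,
           "lowercase": str.islower, "uppercase": str.isupper}

def chars_differing(old, new):
    """Position-wise difference count (assumed simplification of SAP's rule)."""
    return sum(1 for i in range(max(len(old), len(new)))
               if i >= min(len(old), len(new)) or old[i] != new[i])

def check_password(pw, username, history, profile=PROFILE):
    """Return the violated rules (empty list = compliant); history holds
    the previous passwords, oldest first, so history[-1] is the current one."""
    errors = []
    if pw[:1] in ("?", "!"):
        errors.append("first character is ? or !")
    if pw.upper() in ("PASS", "SAP*"):
        errors.append("PASS and SAP* are not allowed")
    head = pw[:3]
    if len(head) == 3:  # the three fixed rules on the first three characters
        if head.upper() in username.upper():
            errors.append("first three characters appear in the user name")
        if len(set(head)) == 1:
            errors.append("first three characters are identical")
        if " " in head:
            errors.append("first three characters contain a space")
    if pw in history[-5:]:
        errors.append("re-use of one of the previous five passwords")
    if len(pw) < profile["login/min_password_lng"]:
        errors.append("shorter than login/min_password_lng")
    for name, pred in CLASSES.items():
        if sum(map(pred, pw)) < profile[f"login/min_password_{name}"]:
            errors.append(f"too few characters for login/min_password_{name}")
    if history and chars_differing(history[-1], pw) < profile["login/min_password_diff"]:
        errors.append("too few characters changed (login/min_password_diff)")
    return errors
```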
To change a parameter value, run transaction RZ10 and select the profile as shown below:
• Select Extended Maintenance and click Display.
• Select the parameter that you want to change and click on Parameter at the top.
• When you click on Parameter, you can change the value of the parameter in a new window. You can also create a new parameter by clicking on Create (F5).
• You can also see the status of the parameter in this window. Type the parameter value and click on Copy.
• You will be prompted to save when you exit the screen. Click Yes to save the parameter value.
6. Frequently Used SAP Security Transactions and Tables
T-code          Description
SU01            User Maintenance
SU01D           Display Users
SU10            User Maintenance: Mass Changes
SUGR            Maintain User Groups
SUCOMP          Maintain Company Address
SU02            Manual creation of profiles
SU03            Manual creation of authorizations
SU21            Maintain Authorization Objects
SU24            Authorization object checks under transactions
SU25            Initial fill of the customer tables
SU3             Maintain default settings
SU53            Display Authority Check Values
SU56            Display User Buffer
SUIM            Authorization Reporting Tree (User Information System)
SUPC            Mass generation of profiles
PFCG            Role Maintenance
PFUD            User master comparison in dialog
ST01            User trace
SM01            Lock transactions from execution
SM19            Configuration of the Security Audit Log
SM20            Display the Security Audit Log
S_BCE_68002111  List of users with critical authorizations
SE16            Data Browser
SE16N           General Table Display
AL08            Users logged on globally
SM04            Users logged on to a specific instance
SE10            Transport Organizer
SM36            Schedule background jobs
SM37            Check the status of background jobs
SM30            Table Maintenance
What is an SAP table?
• SAP tables are created, displayed and maintained via the SAP Data Dictionary using transactions such as SE11 and SE80, and are the building blocks of the SAP environment.
• This is where all the data in your SAP system is stored, ready to be processed or accessed by your ABAP code.
SAP Std Table   Description
AGR_1251        Authorization object class, authorization objects, fields and values in a role
AGR_1252        Organizational values in a role
AGR_AGRS        Single roles contained in a composite role
AGR_DEFINE      Information about master and child (derived) roles
AGR_TCODE       T-codes contained in a role
AGR_TEXTS       Text and short description of a role
AGR_USERS       Users assigned to a role
TACT            All activities in the SAP system
TSTC            All t-codes in the system
TSTCT           Transaction code texts
USR40           Illegal (forbidden) passwords
USOBT, USOBX and USOBT_C/USOBX_C – difference and use
• USOBX and USOBT are SAP standard tables.
• USOBX defines which authorization checks occur within a transaction and which authorization checks should be maintained in the Profile Generator.
• USOBT lists the authorization objects which are associated with a t-code.
• USOBX_C and USOBT_C are the customer copies of these two tables; they are maintained via SU24 and initially filled by SU25.
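Resolving which users can reach a transaction from the AGR_* tables listed above (the table-level view behind SUIM and the S_BCE_68002111 report), as an added example that is not an SAP-delivered report: it loads constructed sample rows into in-memory copies of AGR_USERS, AGR_TCODE and AGR_AGRS and follows both direct single-role assignments and t-codes inherited through a composite role. Only the columns used here (AGR_NAME, UNAME, FROM_DAT, TO_DAT, TCODE, CHILD_AGR) follow the SAP table definitions; MANDT and the other columns are omitted.

```python
"""User-to-transaction resolution over AGR_USERS, AGR_TCODE and AGR_AGRS.
Added example, not an SAP report: rows are constructed sample data and the
tables are reduced to the columns this query needs (MANDT omitted)."""
import sqlite3

SCHEMA = """
CREATE TABLE AGR_USERS (AGR_NAME TEXT, UNAME TEXT, FROM_DAT TEXT, TO_DAT TEXT);
CREATE TABLE AGR_TCODE (AGR_NAME TEXT, TCODE TEXT);
CREATE TABLE AGR_AGRS  (AGR_NAME TEXT, CHILD_AGR TEXT);
"""
# Constructed sample rows: a single role, a composite role wrapping a
# single role, an expired assignment and an administrative role.
AGR_USERS = [("Z_ROLE_USER", "AAA", "20240101", "99991231"),
             ("Z_ROLE_USER", "CCC", "20230101", "20231231"),   # expired
             ("Z_COMP_PM", "BBB", "20240101", "99991231"),
             ("Z_BASIS_ADMIN", "DDD", "20240101", "99991231")]
AGR_TCODE = [("Z_ROLE_USER", "IW32"), ("Z_ROLE_USER", "ME21N"),
             ("Z_PM_SINGLE", "IW32"), ("Z_BASIS_ADMIN", "SU01")]
AGR_AGRS = [("Z_COMP_PM", "Z_PM_SINGLE")]   # composite -> contained single role

# Direct t-code assignments UNION t-codes inherited via a composite role;
# AGR_USERS rows are filtered by their validity period on the given date.
QUERY = """
WITH role_tcode AS (
    SELECT AGR_NAME, TCODE, AGR_NAME AS SOURCE_ROLE FROM AGR_TCODE
    UNION
    SELECT c.AGR_NAME, t.TCODE, c.CHILD_AGR
      FROM AGR_AGRS c JOIN AGR_TCODE t ON t.AGR_NAME = c.CHILD_AGR
)
SELECT DISTINCT u.UNAME, u.AGR_NAME, r.SOURCE_ROLE
  FROM AGR_USERS u JOIN role_tcode r ON r.AGR_NAME = u.AGR_NAME
 WHERE r.TCODE = ? AND u.FROM_DAT <= ? AND u.TO_DAT >= ?
 ORDER BY u.UNAME
"""

def build_db():
    """In-memory copy of the three tables filled with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO AGR_USERS VALUES (?,?,?,?)", AGR_USERS)
    conn.executemany("INSERT INTO AGR_TCODE VALUES (?,?)", AGR_TCODE)
    conn.executemany("INSERT INTO AGR_AGRS VALUES (?,?)", AGR_AGRS)
    return conn

def users_with_tcode(conn, tcode, on_date):
    """(user, assigned role, role carrying the t-code) for every user who
    can reach `tcode` on `on_date` (YYYYMMDD, as stored in AGR_USERS)."""
    return conn.execute(QUERY, (tcode, on_date, on_date)).fetchall()
```

The SOURCE_ROLE column shows whether a t-code comes from the assigned role itself or from a single role inside a composite, which is the detail a SUIM "executable by user" list does not make visible.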
Note:
In an SAP system, the following limits apply:
• Maximum number of profiles in a role – 312
• Maximum number of objects in a role – 150
• Maximum number of t-codes in a role – 14000
• Maximum number of fields in an object – 10