SAP Audit Information and Approach

SAPAuditInformationandApproachAuthorizationExample1.UserMasterRecordUser:FrankW.LyonsProfile:Example2.Profile:ExampleObject:Authorizations:S_ProgramABAP:3.Authorization:ABAP:Object:S_ProgramValues:Fields:*ProgramGroupSUBMIT,VARIANTActivityAuthorizationSystem:1.ProfilesOneormoreassignedtoauser2.ObjectsMustbeuniquenameswithoneormorefields3.FieldsContainvaluesforauthoritychecking4.AuthorizationsCanhavethesamenamesastheyarephysicallyandphysicallylinkedtoanobjectFieldgroupforanobjecthasmultiplevaluesandcanbesharedacrossobjectsInitialDefaults1.InitialClientsClient000StandardmodelClient001Modelforuserdefinedclients.(template)2.InitialUserIdsSAP*Defaultsuperuser.AusermasterrecordiscreatedduringinstallationbutitisnotneededbySAP*toaccessthecompletesystem.IftheSAP*masterrecordisdeleted,theSAP*accounthasthefollowingspecialprivileges:ItisnotsubjecttoauthorizationchecksandthereforehasallauthorizationsIthasthepassword“PASS”,whichcannotbechangedwithoutcreatinganewusermasterrecord.Topreventdeletion,assignSAP*usertoagroupcalledSUPERandonlysuperusershouldbeabletomaintainusergroupSUPER.3.InitialSecurityParametersParametersforuserlogonlogin/min_password/lngMinimumpasswordlengthdefaultis(3)login/password_expiration_timeNumberofdaysafterwhichapasswordmustbechanged.Thedefaultiszero,whichdoesnotenforcepasswordchanges.Recommendedvalue=45.login/fails_to_session_endNumberoftimesausercanenteranincorrectpasswordbeforethesystemendstheloginattempt.Thedefaultis(3).login/fails_to_user_lockNumberoftimesausercanenteranincorrectpasswordbeforethesystemlockstheuseragainstfurtherlogonattempts.Thedefaultis(12).Recommend(3).Whenapasswordislockedinthismanner,itisautomaticallyunlockedbythesystematthestartofthenextday(midnight).AddingUsers1.Eachusermusthaveamasterrecord.2.Eachusermasterrecordreferstooneormoreprofilesthatdeterminetheaccessrightsfortheuser.3.Masterrecordcontains:UserIDPasswordUsergroupsUsertypePeriodofvalidityreferencestoauthorizationprofilesMasterrecordscanbedeletedbutitwillaffecttheaudittrail.Bettertolocktheuser’smasterrecordMenuPath:Tools-Administration-UserMaintenance-User-Lock/Unlock.4.UserGroupIfapersonisassignedtoausergroup,onlytheadministratorswhoareauthorizedforthatusergroupcanalterusermasterrecords.Ifauserisnotassignedtoagroupthenanyuseradministratorcanaltertheusermasterrecord.AddingProfilesProfilesandAuthorizationsexistinbothmaintenanceandactiveversions.Allowsforupdatestomaintenancebeforeitisactivated.Separationofmaintenanceandactivationfunctions.1.SystemProfilesSAPStandardandSuperUserProfilesS_A.SYSTEMUnlimitedaccesstoallusers,profiles,andauthorizationsS_A.ADMINAuthorizationsforSAPsystemadministration.Thisincludesallauthorizationsexceptfor:MaintenanceofusersinusergroupSUPERMaintenanceofprofilesandauthorizationswithnamesbeginning“S_A.”S_A.CUSTOMIZAuthorizationsforuseintheSAPCustomizingsystemS_A.DEVELOPAuthorizationsforuseintheSAPDevelopmentenvironment(excludesanyuserorprofileauthorizations)S_A.USERBasissystemauthorizationsforend-users(e.g.,S_Program,S_DBC_MONI,etc.2.StartupProfilesProfileNameDescriptionS_ABAP_ALLAllABAP/4authorizationsS_ADMI_ALLAllsystemadministrationfunctionsS_BDC_ALLAllbatchinputactivitiesS_BTCH_ALLAllbatchprocessingauthorizationsS_DDIC_ALLDDIC:AllauthorizationsS_DDIC_SUDataDictionary:AllauthorizationsS_NUMBERNumberrangemaintenance:AllauthorizationsS_SCD0_ALLChangedocuments:AllauthorizationsS_SCRP_ALLAllSAPscripttext,styles,layoutsetsmaintenanceS_SPOOL_ALLAllspoolauthorizationsS_SYST_ALLAllsystemauthorizationsS_TABU_ALLStandardtablemaintenance:AllauthorizationsS_TSKH_ALLAllsystemadministrationauthorizationsS_USER_ALLUsermaintenance:AllauthorizationsSAP_ALLProvidesunlimitedaccesstomaintainallSAPR/3systemauthorizations,withthefollowingexceptions:MaintenanceofusersinusergroupSUPERMaintenanceofprofilesandauthorizationswithnamesbeginningS_USERSAP_ANWENDAllSAPR/3(excludingsystem)applicationauthorizationsSAP_NEWProvidesunlimitedaccesstoallauthorizationsaddedwithnewreleasesofSAPR/3.Z_ANWENDAlluserauthorizations(excludingBCsystem)3.ProfilesandtheirassociatedauthorizationvaluesetsarestoredinUSRxxtables.AddingAuthorizationsAuthorizationobjectsareusedtocheckauser’sauthoritytoperformactionsandaccessdatainR/3.Auser’sactionisapprovedonlyiftheuserpassestheauthorizationtestforeachfieldlistedinanobject.1.AuthorizationObjectsSAPcontainsanumberofauthorizationobjectsthatareusedtorestricttheabilityofuserstoperformcertainfunctionsandaccessinformation.AuthorizationobjectscancontainuptotenauthorizationIDsrepresentingsuchsystemelementsastransactions,tables,fields,orprograms.AuserisallowedaccessifthetheirmasterrecordliststheobjectforwhichtheauthorizationisbeingtestedandtheuserpassestheauthorizationtestforeachauthorizationID.Anauthorizationvaluesetisrequiredforaccess02=changeAuthorizationProfilesareusedtogranttheauthorizationvaluesetstoauser.Theusermasterrecordreferstoprofilesandtheprofiles,inturn,refer,tovaluesetsthatdeterminetheaccesscapabilitiesoftheuser.NewauthorizationobjectscanbecreatedbyMenuPath:S