SAPAuditInformationandApproach9349.docx

《SAPAuditInformationandApproach9349.docx》由会员分享，可在线阅读，更多相关《SAPAuditInformationandApproach9349.docx（73页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、SAP Audit Information and ApproachAuthorization Example1. User Master RecordUser: Frank W. LyonsProfile: Example2. Profile: Example Object: Authorizations: S_Program ABAP: 3. Authorization: ABAP: Object: S_Program Values: Fields: *Program Group SUBMIT, VARIANTActivityAuthorization System:1.ProfilesO

2、ne or more assigned to a user2.ObjectsMust be unique names with one or more fields3.FieldsContain values for authority checking4.AuthorizationsCan have the same names as they are physically and physically linked to an objectField group for an object has multiple values and can be shared across objec

3、tsInitial Defaults1.Initial Clients Client 000Standard model Client 001Model for user defined clients. (template)2.Initial User Ids SAP*Default super user. A user master record is created during installation but it is not needed by SAP* to access the complete system. If the SAP* master record is del

4、eted, the SAP* account has the following special privileges: It is not subject to authorization checks and therefore has all authorizations It has the password “PASS”, which can not be changed without creating a new user master record. To prevent deletion, assign SAP* user to a group called SUPER an

5、d only super user should be able to maintain user group SUPER.3.Initial Security Parameters Parameters for user logon login/min_password/lng Minimum password length default is (3) login/password_expiration_time Number of days after which a password must be changed. The default is zero, which does no

6、t enforce password changes. Recommended value = 45. login/fails_to_session_end Number of times a user can enter an incorrect password before the system ends the login attempt. The default is (3). login/fails_to_user_lock Number of times a user can enter an incorrect password before the system locks

7、the user against further logon attempts. The default is (12). Recommend (3). When a password is locked in this manner, it is automatically unlocked by the system at the start of the next day (midnight). Adding Users1. Each user must have a master record.2.Each user master record refers to one or mor

8、e profiles that determine the access rights for the user.3.Master record contains: User ID Password User groups User type Period of validity references to authorization profilesMaster records can be deleted but it will affect the audit trail. Better to lock the users master record Menu Path: Tools -

9、 Administration - User Maintenance - User - Lock/Unlock.4.User Group If a person is assigned to a user group, only the administrators who are authorized for that user group can alter user master records. If a user is not assigned to a group then any user administrator can alter the user master recor

10、d.Adding ProfilesProfiles and Authorizations exist in both maintenance and active versions. Allows for updates to maintenance before it is activated. Separation of maintenance and activation functions.1.System ProfilesSAP Standard and Super User ProfilesS_A.SYSTEMUnlimited access to all users, profi

11、les, and authorizationsS_A.ADMINAuthorizations for SAP system administration. This includes all authorizations except for: Maintenance of users in user group SUPER Maintenance of profiles and authorizations with names beginning “S_A.”S_A.CUSTOMIZAuthorizations for use in the SAP Customizing systemS_

12、A.DEVELOPAuthorizations for use in the SAP Development environment (excludes any user or profile authorizations)S_A.USERBasis system authorizations for end-users (e.g., S_Program, S_DBC_MONI, etc.2.Startup ProfilesProfile NameDescriptionS_ABAP_ALLAll ABAP/4 authorizationsS_ADMI_ALLAll system adminis

13、tration functionsS_BDC_ALLAll batch input activitiesS_BTCH_ALLAll batch processing authorizationsS_DDIC_ALLDDIC: All authorizationsS_DDIC_SUData Dictionary: All authorizationsS_NUMBERNumber range maintenance: All authorizationsS_SCD0_ALLChange documents: All authorizationsS_SCRP_ALLAll SAPscript tex

14、t, styles, layout sets maintenanceS_SPOOL_ALLAll spool authorizationsS_SYST_ALLAll system authorizationsS_TABU_ALLStandard table maintenance: All authorizationsS_TSKH_ALLAll system administration authorizationsS_USER_ALLUser maintenance: All authorizationsSAP_ALLProvides unlimited access to maintain

15、 all SAP R/3 system authorizations, with the following exceptions: Maintenance of users in user group SUPER Maintenance of profiles and authorizations with names beginning S_USERSAP_ANWENDAll SAP R/3 (excluding system) application authorizationsSAP_NEWProvides unlimited access to all authorizations

16、added with new releases of SAP R/3.Z_ANWENDAll user authorizations (excluding BC system)3.Profiles and their associated authorization value sets are stored in USRxx tables.Adding AuthorizationsAuthorization objects are used to check a users authority to perform actions and access data in R/3. A user

17、s action is approved only if the user passes the authorization test for each field listed in an object.1.Authorization Objects SAP contains a number of authorization objects that are used to restrict the ability of users to perform certain functions and access information. Authorization objects can

18、contain up to ten authorization IDs representing such system elements as transactions, tables, fields, or programs. A user is allowed access if the their master record lists the object for which the authorization is being tested and the user passes the authorization test for each authorization ID. A

19、n authorization value set is required for access 02 = change Authorization Profiles are used to grant the authorization value sets to a user. The user master record refers to profiles and the profiles, in turn, refer, to value sets that determine the access capabilities of the user. New authorizatio

20、n objects can be created by Menu Path: System - Services - Table Maintenance. Merely creating a new object does not initiate any authorization checking. Either ABAPs need to be modified to test the new objects, or additional authorization checks need to be defined. First assign a object class for th

21、e new object. Next use AUTHORITY-CHECK for ABAP/4 programs Or add additional authorization checks to the TSTC (transaction table) Menu Path: System - Services - Table Maintenance.2.Objects Objects are defined in the system and contain one or more fields that are used to test user access.3.Authorizat

22、ion Value Sets Are lists of all values (for each field) for which a user is authorized. Usually used to define tasks Profile allocate the tasks (authorization value set) to logical functions. These profiles are assigned to a physical user (master record).4.Basis System Authorization ObjectsObjectFie

23、ldsUsesS-PROGRAMProgram group ActivityABAP/4 programs that may be run.S_EDITORProgram group ActivityABAP/4 programs that may be displayed or editedABAP/4 QueryS_QUERYActivityWhether a user can run queries and whether the user can maintain ABAP/4 Query user groups System Administration FunctionsAdmin

24、istration FunctionsA variety of system functions such as:1. Whether a user may enter a value interactively to pass an authorization test that he does not have authorization for in his user master record2. Access to the ABAP/4 Dictionary3. Access to the interface painter4. System trace authority5. Ab

25、ility to add or delete additional authorization tests in the TSTC table6. Execute host operating system commandsCentral Field SelectionActivityAuthorization groupWhich ABAP/4 programs a user can use to dynamically alter attributes of fieldsTable MaintenanceAuthorization class ActivityAuthorize users

26、 to view and/or modify table contentsBatch Processing: Batch AdministratorAdministratorGive user administrator authorization over background processingBatch Processing: Batch User NameAuthorized userSpecify user Ids that a user may specify as the authorization for running background jobsBatch Proces

27、sing: Operations on Batch JobsOperations Job GroupSpecify the operations that users may perform on background jobs (Release, delete, etc.)Batch Input AuthorizationsQueue group name ActivityAuthorize a user to work with batch input sessionsQueue Management AuthorizationsQueue group nameActivityManage

28、ment of queues for trouble-shooting or problem analysisAuthorization Check for SM04, SM50AdministrationTo authorized users to lock or unlock transactions and to manage user sessions other than their own.Authorization for Update AdministrationAdministrationAuthorization to manage update records for o

29、ther usersEnqueue:Displaying and Deleting Lock EntriesActivitiesAuthorize users to maintain lock entries of other usersSpool: Device AuthorizationOutput DeviceAuthorizes users to use particular printersSpool ActionsSpool action ValueAuthorizes an administrator to perform specified actions on the spo

30、ol systemPublic Holiday and Calendar Access PrivilegesActivityAuthorization to display and/or maintain calendarsNumber Range MaintenanceActivityNumber range objectAuthorize users to maintain number rangesChange DocumentsActivityAuthorization to display, maintain, and/or delete change documentsTools

31、Performance MonitorAuthorization nameAuthorization to use sensitive functions of the performance monitorObjects - Authorizations S_TOOLS_EXAccess to view logon parameters S_PROGRAMABAP program accessFieldsValuesCommentsP_GROUP*Program group P_ACTIONSUBMITExecute programEDITMaintain program attribute

32、s and textsVARIANTStart and maintain variantsBTCSUBMIT Submit programs for background execution S_EDITORABAP program accessFieldsValuesCommentsP_GROUP*Program groupEDIT_ACTIONSHOWDisplay program sourceEDITAmend program source S_BDC_MONIBatch input sessionFieldsValuesCommentsBDCGROUPID*Name of batch

33、session for which a user is authorized (e.g. “FRANK”)BDCAKTIABTCSubmit sessions for executionAONLRun sessions in interactive modeANALAnalyze sessions, log and queueFREERelease sessionsLOCKLock/unlock sessionsDELEDelete sessions S_NUMBERNumber range authorizationFieldsValuesCommentsNROBJ*Number range

34、 object name for a vendorACTVT02Change03Display11Change the last-used number in a number range interval13Initialize the last-used number when transporting ranges between clients17Maintain number range object (pre 3.0) S_SCDOChange document authorizationFieldsValuesCommentsACTVT02Maintain and display

35、 change documents06Delete change documents08Display change documents12Maintain change document objectsProcesses1. BatchNumber of transactions entered into the system as a batch. Batch inputs can take place in the background where no changes can be made or in the foreground where transactions contain

36、ing errors can be interactively corrected. Restricting Access The Batch Input object restricts user activities in different batch input sessions. ANALAnalyze sessions. Display session, log, and queue dump DELEDelete sessions LOCKLock and unlock sessions FREERelease sessions ABTCSubmit sessions for b

37、ackground execution AONLRun sessions in interactive modes2.On-Line 3.BackgroundProgram executes on a background processing server without interactive user input. To run it must be scheduled.This can be done two ways:Menu Path: ABAP/4 - System Services - Reporting - Batch Request functionFrom backgro

38、und processing menu by selecting goto - Batch Request In either case the user must have a User ID to run the job. Users could be authorized to run background jobs but not foreground jobs.Before a background job can run, it must be released. The releasing of jobs is usually restricted to “Batch Admin

39、istrators”. Restricting Access The field Admin in the Batch Admin object is used to give a user administration authorizations. If this field contains a “Y”, the user has access to all background jobs in a SAP system and can perform any operation on any job. The field Activity in the S_PROGRAM object

40、 determines activities users are able to perform on an ABAP. A value of BTCSUBMIT allows a user to schedule the ABAP/4 program for background execution. The Auth user field of the Batch User Name object is used to restrict user-IDs specified as the authorized user for running a job. The Operation fi

41、eld of the Operations on Batch Jobs object is used to specify the operations that a user can perform on their own jobs. This is used to restrict users from deleting or releasing jobs. 4.ServicesCan run on different servers. Dialog Update Enqueue Background Message Server CPI-C Gateway Server Spool5.

42、Work Processes TSKHTask Handler DYNPScreen Processor ABAPProgram Processor DB-SSDatabase interface that converts ABAP/4 SQL into DBMS SQL.TransactionsSAP transactions allow different functions to be performed within R/3. Menu selection also generates transactions. To see which transaction is current

43、ly executing select Menu Path: System - Status.System transactions are applicable to the basis system and application transactions are specific to a certain module.Transactions can be locked and unlocked using Menu Path: Administration - Tcode Administration. When a transaction is locked, users can

44、not execute that transaction. To perform this function, a user requires the authorization object Authorization check for SM04, SM05 with a value of S in the Admin field.1.Controlled by DYNP processor Checks whether additional authorization checks are required to run the transaction (in TSTC Table).

45、Interprets the Dynpros, which involves creating the screens and applying the logic defined in the dynpro (field checks, etc.).2. All transactions are listed in the TSTC Table. This table includes: An indicator that the transaction has been locked or is available to be used. The ability to lock and unlock transaction