1. Security Administration
2. Help Desk
• List all transactions within the TSTC table beginning with the letters Y or Z
• Tables > Data Display > Y*, and then Z*
Review ABAP programs to ensure that all system function calls are authorized. System function calls are Unix commands that are passed to the operating system to perform a task at the operating system level, such as using Oracle SQL commands to query the database during the execution of an ABAP program.
13. Review all SAP userids at the Unix operating system level (/etc/passwd and /etc/group files).
14. Review all relevant SAP change control directories under Unix (/usr/sap/trans).
16. Determine that only authorized users have direct access to the Oracle database management system, and determine that all default system passwords have been changed.
Control types:
Development: Default
Integration: No Change
Consolidation: No Change
Recipient: No Change
Determine if separate instances have been defined for development and testing
Use Transaction code SE38 to review the placement of programs in authorization groups
18. Determine who has the capability to add user master records.
S_USER_PRO
S_USER_AUT
21. List all SAP-supplied profiles and authorizations that have been modified and review for completeness.
22. List the system parameter file (RSPARAM) and review the authentication controls:
- login/min_password_lng
- login/password_expiration_time
- login/fails_to_session_end
- login/fails_to_user_lock
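The review in step 22 can be scripted once the RSPARAM listing has been exported. The following is an added example, not part of the checklist: it parses a constructed RSPARAM-style listing (parameter name, user-defined value, system default) and flags the four login/* parameters against an assumed audit baseline, so the thresholds in BASELINE are assumptions to adjust to your own policy.

```python
# Constructed RSPARAM-style listing (not from a real system):
# parameter name, user-defined value (may be blank), system default value.
RSPARAM_SAMPLE = """\
login/min_password_lng              6          6
login/password_expiration_time      0          0
login/fails_to_session_end          3          3
login/fails_to_user_lock            12         12
login/no_automatic_user_sapstar                0
"""

# Assumed audit baseline (not from the page); adjust to your policy.
BASELINE = {
    "login/min_password_lng": ("min", 8),          # password at least 8 characters
    "login/password_expiration_time": ("range", (1, 90)),  # 0 means never expires
    "login/fails_to_session_end": ("max", 3),
    "login/fails_to_user_lock": ("max", 5),
}


def parse_rsparam(text):
    """Return {parameter: effective value} from RSPARAM-style lines.
    The user-defined value wins when present; otherwise the default applies."""
    params = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("login/"):
            continue
        user_val = parts[1] if len(parts) >= 3 else None
        params[parts[0]] = user_val if user_val is not None else parts[-1]
    return params


def check_login_params(params, baseline=BASELINE):
    """Return a list of (parameter, value, finding) for values outside the baseline."""
    findings = []
    for name, (kind, limit) in baseline.items():
        if name not in params:
            findings.append((name, None, "parameter not present in listing"))
            continue
        try:
            value = int(params[name])
        except ValueError:
            findings.append((name, params[name], "non-numeric value"))
            continue
        if kind == "min" and value < limit:
            findings.append((name, value, f"below minimum {limit}"))
        elif kind == "max" and value > limit:
            findings.append((name, value, f"above maximum {limit}"))
        elif kind == "range" and not (limit[0] <= value <= limit[1]):
            findings.append((name, value, f"outside {limit[0]}-{limit[1]} days"))
    return findings
```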
24. Review SAP for any new objects/values that have been defined
Review changes to table AUTH for new fields and table TOBJ for new objects
25. Determine if all users have been assigned to a group. (Table USR02)
26. Determine that the SAP* profile has a user master record and that SAP* has had its
password changed and added to the SUPER group. Also determine if the password
has been stored in a secured location in case of an emergency.
27. Determine who the members of the SUPER group are and ensure that their membership is required.
28. Determine how many users have SAP_ALL access in the production environment. List all users with the following standard system profiles:
TOOLS > ADMINISTRATION > USER MAINTENANCE > USERS > MAINTAIN USERS > INFORMATION > OVERVIEW > USERS > profile name > LIST > PRINT
S_ADMI_FCD: For this object, list users that have the following values:
Temp
Historical
Active
Revised
Use Transactions:
S_BDC_MONI
S_BDC_ALL
S_BTCH_ADM
S_BTCH_ALL
S_BTCH_USR
Batch log files (bdc/logfile) should be reviewed; any deletions, modifications, or abended sessions should be investigated, and the log files should be secured through the correct use of operating system security.
32. List users with authorization for SM04 and SM50 (S_TSKH_ADM), which grants access to the transaction locking function. Determine which transactions are locked on the production system by viewing additional authority checks in table TSTC (Tools > Administration > Tcode Administration). Ensure that at a minimum the following transactions are locked:
33. Determine if the parameters for the trace and log files are adequate. With the RSPARAM report, review the rstr/* and rslg/* parameters.
If a transaction cannot finish correctly, the system rolls it back. The dialog program first generates a log record in the VBLOG table.
Selection Criteria:
Date/Time – To – Date/Time
By User, Trans Code, SAP Process, Problem Classes (Messages)
35. Determine if backup procedures are appropriate for data and programs.
On-line and off-line backups of all the file servers can be controlled through the CCMS. Access to these transactions should be restricted, because these transactions can cause all file servers to shut down.
Is access to the SAP archiving function restricted? (Verify which profiles have access to transaction F040.)
36. Determine who has access to the SAP customizing system (IMG, menu customizing).
S_A.CUSTOMIZ: This profile gives all authorizations required for the Basis activities in the customizing menu. (Table USR10 gives an overview of all authorization objects in a profile.)
SQVI Tutorial
QuickViewer (SQVI)
QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a whole range of options for defining reports. SAP Query also supports different kinds of reports such as basic lists, statistics, and ranked lists. QuickViewer (SQVI), on the other hand, is a tool that allows even relatively inexperienced users to create basic lists. I have created a tutorial for SQVI.
SQVI Tutorial
There might come a time when you want information that is spread across multiple tables. You can write an SQVI query to get this information. In this tutorial we will write an SQVI to find the roles assigned to users, together with the users' full names.
You can get the roles assigned to users from the AGR_USER table and the users' full names from USER_ADDR. We will join these two tables to get the result.
1. Execute transaction SQVI
2. Create a SQVI (z_user_role)
3. Put in a title and comments. Make sure that you select Table join as the Data source
7. Save the query and execute it. In the selection screen, enter the user whose information you want. You are ready with your SQVI query.
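The same join, written out as an added example that is not part of the tutorial, shows what the SQVI query does and two things an auditor should watch for: role assignments carry validity dates (FROM_DAT/TO_DAT), and an inner join drops users who have no USER_ADDR record. The tables here are constructed in-memory copies; the tutorial writes the assignment table as AGR_USER, while the standard SAP table is AGR_USERS.

```python
import sqlite3

# Constructed sample rows (not from a real SAP system).
AGR_USERS = [  # (UNAME, AGR_NAME, FROM_DAT, TO_DAT); SAP stores dates as YYYYMMDD
    ("ZTEST_97", "Z:TESTROLE", "20240101", "99991231"),
    ("ZTEST_97", "Z:OLDROLE",  "20200101", "20201231"),  # expired assignment
    ("JDOE",     "SAP_ALL",    "20240101", "99991231"),
    ("NOADDR",   "Z:TESTROLE", "20240101", "99991231"),  # user without USER_ADDR row
]
USER_ADDR = [  # (BNAME, NAME_FIRST, NAME_LAST)
    ("ZTEST_97", "Test", "User"),
    ("JDOE",     "Jane", "Doe"),
]


def build_db():
    """Create an in-memory database holding the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AGR_USERS (UNAME TEXT, AGR_NAME TEXT, FROM_DAT TEXT, TO_DAT TEXT)")
    conn.execute("CREATE TABLE USER_ADDR (BNAME TEXT, NAME_FIRST TEXT, NAME_LAST TEXT)")
    conn.executemany("INSERT INTO AGR_USERS VALUES (?,?,?,?)", AGR_USERS)
    conn.executemany("INSERT INTO USER_ADDR VALUES (?,?,?)", USER_ADDR)
    return conn


def roles_with_names(conn, user=None, as_of="20240601"):
    """Return [(user id, full name, role)] for assignments valid on the as_of date.
    LEFT JOIN keeps users with no address record (full name comes back as None);
    an inner join, the SQVI default, would silently leave them off the audit list."""
    sql = """
        SELECT a.UNAME, u.NAME_FIRST || ' ' || u.NAME_LAST, a.AGR_NAME
        FROM AGR_USERS a LEFT JOIN USER_ADDR u ON u.BNAME = a.UNAME
        WHERE a.FROM_DAT <= ? AND a.TO_DAT >= ?"""
    args = [as_of, as_of]
    if user is not None:  # equivalent of the user filter on the SQVI selection screen
        sql += " AND a.UNAME = ?"
        args.append(user)
    sql += " ORDER BY a.UNAME, a.AGR_NAME"
    return conn.execute(sql, args).fetchall()
```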
Procedure to create an eCATT script
Make sure the client setting is changed to allow eCATT. Follow the instructions below.
Execute transaction SCC4
SAP R/3 Menu: Tools -> Administration -> Administration -> Client Administration -> Client Maintenance
Then carry out the following steps:
1. Choose Display
2. Confirm the warning message Caution: The table is cross client.
3. Select your SAP R/3 client and choose Details.
4. In the Change View Clients: Details screen, activate the following settings:
• eCATT and CATT allowed.
5. Save.
6. Go back to the SAP Easy Access menu.
Now let's start with creating the eCATT.
On the eCATT (tcode SECATT) initial screen, select the Test Script radio button and enter a name for your new test script in the field beside it. Here, we will name it ZCREATE_USER. Leave the remaining fields empty.
Choose the Create Object icon, as shown above, to open the editor for the test script.
On the Attributes tab, enter the following information:
Field: Component, Entry: BC-SEC
Leave the Target System field empty. We will not use this field in this tutorial.
Switch to the Editor tab and click on Pattern. In the Insert Statement window, fill in as below:
Field: Transaction, Entry: SU01
This will start recording and take you to the user create screen; continue with the user creation. In our example a userid (ZTEST_97) is created with Z:TESTROLE. Save the user and hit the back button. This will end the recording and you will be asked to save the recording. Click Yes.