SAP Security

1. Security Administration

• Determine how security administration is organized

2. Help Desk

• Determine if the help desk is effective

Records incidents reports

3. Determine if proper system monitoring is performed

4. Determine if training is properly administrated

5. Determine if key system interfaces are properly controlled.

6. Obtain a list of all system users

7. Obtain a list of custom transactions

• List off all transactions within the TSTC table beginning with the letters Y
or Z
• Tables>Data Display>Y*, and then Z*

8. Obtain a listing of all Clients

• List table T001

9. Obtain a listing of all business areas

• List table TGSB and TGSBT

10. Obtain a list of all charts of accounts

• List table T004 and T004T

11. Obtain a listing of storage locations

• List table T001L

12. ABAP programs

Review ABAP programs to ensure that all system function calls are authorized. System function calls
allow are Unix commands that are passed to the operating system to perform a task at the operating system
level such as using Oracle SQL commands to query the database during the execution of an ABAP
program.
13. Review all SAP userids at the Unix operating system level. (etc/passwd and
etc/group files)

SIDADM system administration

ORASID Oracle administration
PCTEMU Terminal administration

14. Review all relevant SAP change control directories under Unix

/usr/sap/trans

15. Ensure that all default passwords have been changed.

16. Determine that only authorized users have direct access to the Oracle database
management system. And determine that all default system passwords have been
changed.

17. Correction and Transport (CTS)

Control types

Default Changes are allowed in corrections. Changes to SAP-provided objects

require a repair correction
No Change Changes are not allowed
Repairs Repairs are allowed but all must have corrections and all corrections are
flagged as repairs. Other types of changes are allowed with or without
corrections.
Unlimited Any changes are allowed with or without corrections. No corrections are
flagged as repairs

CTS Type CTS Changes

Development Default

Integration No Change

Consolidation No Change

Recipient No Change

Determine if change control procedures are formally documented.

Determine if separate instances have been defined for development and testing

Determine who is responsible for transport administration

Ensure that control tables are properly established

TSYST defines all systems to be used in CTS

TASYS defines all recipient systems

TDEVC defines all development classes

Use transaction code SE06 for CTS verification

Use Transaction code SE38 to review the placement of programs in authorization groups

- SE38 select attributes and select display

18. Determine who has the capability to add user master records.

S_USER_GRP and S_USER_ALL

19. Determine who can maintain profiles.

S_USER_PRO

20. Determine who can maintain autorizations.

S_USER_AUT

21. List all SAP supplied profiles and authorizations that have been modified and review for
completeness.

22. List off the system parameter file (RSPARAM) and review the authentication
controls

- login/min_password_lng
- login/password_expiration_time
- login/fails_to_session_end
- login/fails_to_user_lock

23. Determine how the profile SAP_NEW is being used.

24. Review SAP for any new objects/values that have been defined

Review changes to table AUTH for new fields and table TOBJ for new objects

25. Determine if all users have been assigned to a group. (Table USR02)
26. Determine that the SAP* profile has a user master record and that SAP* has had its
password changed and added to the SUPER group. Also determine if the password
has been stored in a secured location in case of an emergency.

27. Determine who are the members of the SUPER group and ensure that their
membership is required.

28. Determine how many users have SAP_ALL access in the production environment.
List all users with the following standard system profiles:

SAP_ALL All R/3 privileges

S_A.SYSTEM All SAP system functions
S_A.ADMIN System administration
S_A.CUSTOMIZ SAP customizing system
S_A.DEVELOP SAP development environment
S_ABAP_ALL All authorizations for ABAPs

TOOLS>ADMINISTRATION>USER MAINTENANCE>USERS>MAINTAIN
USERS>INFORMATION>OVERVIEW>USERS> profile name >LIST>PRINT

29. List all users with special SAP system administration

S_ADMI_FCD Access to ABAP/4 Data Dictionary

S_BDC_ALL Batch Input
S_DDIC_ALL DYNPRO and ABAP/4

S_EDI_BUK Creating and modifying ABAP/4 programs and use of

screen painter
S_EDITOR Ability to edit and modify ABAP’s programs
S_PROG_ADM Running ABAP/4 programs and submitting background
processing
S_PROGRAM Ability to run ABAPs

S_TABU_ADM System Table – table maintenance

S_BTCH_ADMS_ENQ_ALL Background Processing
S_TSKH_ADMS_ENQ_ALL Transactions – lock management for processing

30. Determine who has access to the ABAP/4 Data Dictionary

S_ADMI_FCD For this object list users that have the following values:

REPL, SE01 (CTS requests) and/or DDIC in the System Administration

Function field
SM21 in the Field Administration Function field (allows access to the
system log)
TCOD which allows the user to change additional authorization checks
 Versions for a particular object are maintained as: Utilities>Version Management
Menu.

Temp
Historical
Active
Revised

Use Transactions:

SE16 Data Browser

SE12 Dictionary Display
SE80 Object Browser
SCU3 Table history transaction

31. Determine who has batch access

S_BDC_MONI
S_BDC_ALL
S_BTCH_ADM
S_BTCH_ALL
S_BTCH_USR
Batch log files (bdc/logfile) should be reviewed and any deletions, modifications, or
abended sessions subject to investigation and should be secured through the correct
use of the operating system security.

32. List users with authorization for SM04, SM50 (S_TSKH_ADM) which grants access to the transaction
locking function. Determine which transactions are locked on the production system by viewing
additional authority checks in table TSTC (Tools>Administration>Tcode Administration). Ensure that
at a minimum the following transactions are locked:

SE01 Correction and transports

SE38 Ability to execute ABAP programs
SE11 Maintain data dictionary objects

33. Determine if the parameters for the trace and log files are adequate

With the RSPARAM report, review the rstr/* and rslg/* parameters

If a transaction cannot finish correctly, the system rolls it back. The dialog program
first generates a log record in the VBLOG table.

Transaction SM21 or Tools>Administration>Monitoring>System Log

Selection Criteria:
 Date/Time – To – Date/Time
By User, Trans Code, SAP Process, Problem Classes (Messages)

34. Determine if Spool access is properly restricted.

Verify who has the authorization object S_ADMI_FCD, S_SPO_ACT, and

S_SPO_DEV

35. Determine if backup procedures are appropriate for data and programs

On-line and off-line backups of all the file servers can be controlled through the
CCMS. Access to these transactions should be restricted, because these transactions
can causes all file servers to shut down.

Is access to the SAP archiving function restricted. (Verify which profiles have access
to transaction F040).

36. Determine who has access to the SAP customizing system (IMG, menu customizing)

S_A.CUSTOMIZ The profile gives all authorizations required for the Basis
activities in the customizing menu. (Table USR10 gives an
overview of all authorization objects in a profile.)

SQVI Tutorial

QucikViewer (SQVI)
QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a whole
range of options for defining reports. SAP Query also supports different kinds of reports
such as basic lists, statistics, and ranked lists. QuickViewer (SQVI), on the other hand, is
a tool that allows even relatively inexperienced users to create basic lists. I have created a
tutorial for SQVI. SQVI Tutorial
SQVI Tutorial
There might come a time that you want the information and it is spread in multiple tables.
You can write a SQVI and get this info. In this tutorial we will write an SQVI to find out
role assigned to users with full name of the users.
You can get role assigned to users from AGR_USER table and users full name from
USER_ADDR. We will join both these table to get the result.
1. Execute transaction SQVI
2. Create a SQVI (z_user_role)
 and
3. Put a title and comments. Make sure that you select Table join from Data source

4. Click to insert tables. Insert AGR_USERS and USER_ADDR tables.

5. Select the correct join. Here we will join BNAME

Hit the back button
6. Here I will select Role name and user name from AGR_USERS table and Full
name from USER_ADDR, and also make user name as the selection field. So
when I run the query it will ask me to list the users.

7. Save the query and execute it. In the selection screen put the user you want to get
the info. You are ready with your SQVI query
Procedure to create ecatt script

Make sure the client setting is changed to allow ecatt. Follow the instruction below
Execute transaction SCC4
SAP R/3 Menu : Tools -> Administration -> Administration -> Client
Administration -> Client Maintenance
Then carry out the following steps:
1. Choose Display
2. Confirm the warning message Caution: The table is cross client.
3. Select your SAP R/3 client and choose Details.
4. In the Change View Clients: Details screen, activate the following settings:
• eCATT and CATT allowed.
5. Save.
6. Go back to the SAP Easy Access menu.
Now lets start with creating ecatt
On the eCATT (tcode -SECATT) initial screen, select the Test Script radio button
and enter a name for your new test script in the field beside it. Here, we will name it
ZCREATE_USER. Leave the remaining fields empty.

Choose the Create Object icon, as shown above, to open the editor for the test script.
On the Attributes tab, enter the following information:

Field Entry

Title Create user - SU01

Component BC-SEC

System Data Container TUTORIAL (optional)

Leave the Target System field empty. We will not use this field in this tutorial.
Switch to editor tab and click on pattern. On the insert Statement window fill in as
below

Field Entry

Group All Commands

Command TCD (Record)

Transaction SU01
This will start recording and take you to the user create screen and continue the user
creation. In our example a userid (ZTEST_97) is created with Z:TESTROLE. Save
the user and hit the back button. This will end the recording and you will we asked to
save the recording. Click Yes.

Save the Object as local object.

Go back and swith to change mode

Click on the button shown below

Select SU01_1 and click on the button shown below

Highlight Dynpro and click on the button shown below

This will switch to simualation mode and we have to parameterize. We

 paramerterized. User id , password and role. Look at the video
Hit the back button and save the script.

Dialog user 'A'

Individual system access (personalized)
• Logon with SAPGUI is possible. The user is therefore interaction-capable with
the SAPGUI.
• Expired or initial passwords are checked.
• Users have the option of changing their own passwords.
• Multiple logon is checked.
Usage: For individual human users (also Internet users)
System user 'B'
System-dependent and system-internal operations
• Logon with SAPGUI is not possible. The user is therefore not interaction-capable
with the SAPGUI.
• The passwords are not subject to to the password change requirement, that is, they
cannot be initial or expired.
• Only an administrator user can change the password.
• Multiple logon is permitted.
Usage: Internal RFC, background processing, external RFC (for example, ALE,
workflow, TMS, CUA)
Communication user 'C'
Individual system access (personalized)
• Logon with SAPGUI is not possible. The user is therefore not interaction-capable
with the SAPGUI.
• Expired or initial passwords are checked but the conversion of the password
change requirement that applies in principle to all users depends on the caller
(interactive/not interactive). (*)
• Users have the option of changing their own passwords.
Usage: external RFC (individual human users)
Service user 'S'
Shared system access (anonymous)
• Logon with SAPGUI is possible. The user is therefore interaction-capable with
the SAPGUI.
 • The passwords are not subject to the password change requirement, that is, they
cannot be initial or expired.
• Only a user administrator can change the password.
• Multiple logon is permitted.
Usage: Anonymous system access (for example, public Web services)
Reference user 'L'
Authorization enhancement
• No logon possible.
• Reference users are used for authorization assignment to other users.
Usage: Internet users with identical authorizations
Remarks:
(*) With all non-interactive system accesses (that is, not using the SAPGUI), the
password change rule (which exists for all users except for system and service users when
passwords are initial or have expired) is not enforced by the system if there is no
interaction option. However, provided that you can execute a password update dialog
with the user (=> middleware, such as SAP ITS, for example,), RFC client programs
should recognize the need to change a password and initiate the subsequent password
change by calling special function modules (=> see note 145715) or RFC-API functions
(as of 4.6C).
The user interaction (including handling error and exceptional situations) is provided here
with the middleware (= RFC client).