Review The Basis Module Security

1. Determine that proper segregation of duties is in place for profile and authorization-object generation.
 
2. Determine that proper segregation of duties is in place for program development.
 
3. Determine that proper segregation of duties is in place for system administration.
 
4. Determine that proper segregation of duties is in place for table maintenance.
 
5. Obtain a copy of the system control parameters to ensure that proper access control parameters are established. These are in Table RS38M. Path: System -> Services -> Reporting -> Enter RSPARAM -> Scroll down to each parameter.
 
login/password_expiration_time
- Changing of password after a certain number of days (default = 0)
 
login/min_password_lng
- Sets the minimum password length (default = 3)
 
login/fails_to_session_end
- Number of attempts before SAP stops the session (default = 3)
 
login/fails_to_user_lock
- Number of attempts before SAP locks the User Master record (default = 12)
 
rdisp/gui_auto_logout
- Inactivity parameter (default = 0, parameter not active)
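To evaluate the parameters listed above (plus the SAP* parameter from step 19) from an RSPARAM export, an added Python example that is not part of the original checklist; the tab-separated export layout, the sample values and the audit thresholds are assumptions made for illustration.

```python
# Audit thresholds are assumptions for illustration; the checklist itself only
# records the SAP defaults, which are exactly the weak values this flags.
THRESHOLDS = {
    # parameter: (predicate on the effective integer value, finding text)
    "login/password_expiration_time": (lambda v: 0 < v <= 90, "passwords must expire (1-90 days)"),
    "login/min_password_lng": (lambda v: v >= 8, "minimum password length below 8"),
    "login/fails_to_session_end": (lambda v: 1 <= v <= 3, "session should end after <= 3 failures"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "user should lock after <= 5 failures"),
    "rdisp/gui_auto_logout": (lambda v: 0 < v <= 1800, "inactivity logout inactive or > 30 min"),
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "automatic SAP* login not disabled"),
}

# Constructed RSPARAM-style export: parameter, user-defined value, system default,
# tab-separated.  An empty user-defined value means the kernel default is in force.
SAMPLE_EXPORT = """\
login/password_expiration_time\t\t0
login/min_password_lng\t\t3
login/fails_to_session_end\t\t3
login/fails_to_user_lock\t5\t12
rdisp/gui_auto_logout\t900\t0
login/no_automatic_user_sapstar\t1\t0
"""

def parse_rsparam(text):
    """Return {parameter: effective value as string}; a user value overrides the default."""
    params = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, user_value, default = (line.split("\t") + ["", ""])[:3]
        params[name] = user_value.strip() or default.strip()
    return params

def audit_parameters(text):
    """Return (parameter, effective value, reason) for each threshold not met.
    A parameter absent from the export, or non-numeric, is reported as well."""
    params = parse_rsparam(text)
    findings = []
    for name, (meets, reason) in THRESHOLDS.items():
        raw = params.get(name)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            findings.append((name, raw, "not set or non-numeric"))
            continue
        if not meets(value):
            findings.append((name, value, reason))
    return findings

if __name__ == "__main__":
    for name, value, reason in audit_parameters(SAMPLE_EXPORT):
        print(f"FINDING {name} = {value}: {reason}")
```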
 
6. Determine whether additional password checks for specific passwords have been implemented (table USR40 holds the list of prohibited passwords).
Path: System -> Services -> Table Maintenance -> USR40 - DISPLAY
 
7. Ensure that all default passwords have been changed in all clients (000, 001, and 066).
 
SAP*        - (default password = 06071992)
DDIC        - (default password = 19920706)
SAPCPIC     - (default password = admin)
EarlyWatch  - (default password = support)
Sys         - (default password = Change_On_Install)
System      - (default password = Manager)
SAPr3       - (default password = SAPr3)
 
8. Obtain a listing of the following:
 
SAP users                                          - Table USR01
SAP activity codes                                 - Table TACT
SAP profiles (both SAP supplied and user defined)  - Table USR04
SAP authorization-objects                          - Table TOBJ
SAP transactions                                   - Table TSTC
- Path: System -> Services -> Table Maintenance -> Enter TSTC -> Select -> DISPLAY
- Also Transaction SM31, SE16, SE17
- Custom transactions (user defined) start with an ‘X’, ‘Y’, or ‘Z’
 
9. Determine which transactions or programs allow a user to exit SAP and obtain an operating system prompt. Ensure that any user with this capability requires it for their job responsibilities.
       
10. Determine who on the system has the following authorization objects and profiles:
 
S_TABU_ANZ
- Display tables in all classes
 
S_TABU_ALL
- Standard table maintenance all authorizations
 
S_TABU_CLI
- Maintain client-independent tables
- Create/Change access to tables - client independent tables
 
S_TABU_DIS
- Create/Change access to object - Table Maintenance all tables
 
S_USER_ALL
- Permits complete authorizations to maintain users
 
SAP_ALL
- Permits all access privileges, except for users of the “SUPER” user group.
 
S_TOOL_EX_A
- Access to the performance monitor
 
SAP_NEW
- Delivers all changes for authorization objects
 
S_BTCH_ADM
- Permits administration for managing background jobs
 
S_BDC_ALL
- All batch input activities
 
S_BTCH_ALL
- All batch processing authorizations
 
S_DDIC_ALL
- DDIC: All authorizations
 
S_DDIC_SU
- Data Dictionary: All authorizations
 
S_NUMBER
- Number range maintenance: All authorizations
 
-- FIELDS   VALUES
   NROBJ    Any    Number range object name (for example, KREDITOR for vendors)
   ACTVT    02     Change number range intervals
            03     Display number range intervals
            11     Change the last-used number in a number range interval
            13     Initialize the last-used number when transporting ranges between clients
            17     Maintain number range objects
 
S_SCDO_ALL
- Change documents: All authorizations
-- Activity Codes
--- 02 - Maintain and display change documents
--- 06 - Delete change documents
--- 08 - Display change documents
--- 12 - Maintain change documents
       
S_SCRP_ALL
- All SAPscripts texts, styles, layout sets maintenance
 
S_SYST_ALL
- All system authorizations
 
SAP_ANWEND
- All SAP R/3 (excluding system) application authorizations
 
Z_ANWEND
- All user authorizations (excluding BC system)
 
S_ABAP_ALL
- All ABAP/4 authorizations
 
S_ADMI_ALL
- All System administrative functions
 
S_A.SYSTEM
- Unlimited access to all users, profiles and authorizations (as offered by S_USER_ALL)
 
S_A.ADMIN
- Authorization for SAP system administration: This includes all authorizations except for:
- Maintenance of users in user group SUPER
- Maintenance of profiles and authorizations with names beginning “S_S.”
 
S_A.CUSTOMIZ
- Authorizations for use in the SAP Customizing system
 
S_A.DEVELOP
- Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)
 
S_A.USER
- Basis system authorizations for end-users (e.g. S_PROGRAM )
 
11. Determine who has data dictionary access by reviewing who has the following transaction capability:
 
SE11
- ABAP/4 Data Dictionary Maintenance
 
SE12
- ABAP/4 Data Dictionary Display
 
SE13
- Maintain Technical Settings (Tables)
 
SE14
- Utilities for Dictionary Tables
 
SE15
- ABAP/4 Repository Information System
 
SE16
- Data Browser
       
12. Determine who on the system has the following authorization-objects for Security Administration:
       
S_USER_AUT
- User Master Maintenance: Authorizations
- Transaction SU03 - Maintenance of Authorizations
- Transaction SU02 - Allocate Authorizations to a profile
 
S_USER_GRP
- User Master Maintenance: User Groups
- Transaction SU01 - Maintain Users
- Transaction SU10 - Delete or Add a Profile for all Users
- Transaction SU12 - Delete all Users
 
S_USER_PRO
- User Master Maintenance: Authorization Profile
- Transaction SU01 - Maintain Users
- Transaction SU02 -
- Transaction SU10 - Delete or Add a Profile for all Users
 
S_BDC_MONI
- Batch input authorization
-- FIELDS       VALUES
   BDCGROUPID   Any    Name of batch sessions for which the user is authorized (e.g. FRANK)
   BDCAKTI      ABTC   Submit sessions for execution
                AONL   Run sessions in interactive mode
                ANAL   Analyze sessions, log and queue
                FREE   Release sessions
                LOCK   Lock/Unlock sessions
                DELE   Delete sessions
 
- Path: Tools -> Administration -> Maintain Users -> Authorizations -> Information -> Overview -> Authorizations -> Choose Object -> Select ‘Basis: Administration’ -> Scroll to the appropriate object -> Enter * in Authorization Field -> LIST -> Choose WHERE-USED LIST (to determine profiles) -> Select profile and Choose WHERE-USED LIST (to determine users who have this profile).
       
13. Determine who on the system has the following powerful authorization-objects:
 
S_ADMI_FCD
- Provides system administration functions including the following:
- TRAC - ABAP/4 trace authorization
- STOP - ABAP/4 program debugging mode
- REPL - Altering values in debugging mode
- KERN - Examine the system kernel from within the ABAP/4 debugger
- CUAD - SE41 GUI Interface maintenance
- DDIC - Data Dictionary maintenance
- TCOD - Transaction code maintenance
- SE01 - Transport system transaction SE01
- FONT - SAPscripts font maintenance
- STOM - Changing system TRACE switches
- STOR - Evaluating traces
- SM21 - Evaluating system logs
 
- NADM - Network Administration
-- Transactions:
--- SM54
--- SM55
--- SM59
 
- UADM - Update Administration
-- Transactions:
--- SM13
 
- T000  - Create a new client
- TLCK  - Lock/Unlock Transactions
- SPAD  - Authorization for spool administration in all clients
- SPAR  - Authorization for client-dependent spool administration
- SP01  - Authorization for administration of spool requests in spool output control (all users and clients)
- SP0R  - Authorization for administration of spool requests (all users) in spool output control.  Access is limited to spool requests in the current client of the user.
- BTCH  - Test environment, batch
- UNIX  - Execute UNIX commands from the SAP system with program SAPMSOS0
- RSET  - Reset/Delete data without archiving
- SYNC  - Reset buffers
       
S_BTCH_ADM
- Provides all authorizations for managing background jobs
- Path: Tools -> Administration -> Maintain Users -> Profiles -> Enter S_BTCH_ADM -> LIST -> Select profiles and choose WHERE-USED LIST.
 
S_PROGRAM
- Part of the object class ‘Basis: Development Environment’
- ABAP/4: Program Run Checks
--- Values for field P_GROUP
---- Any        Any program group or for example (TEST)
--- Values for field P_ACTION
---- SUBMIT - start programs
---- EDIT       - maintain program attributes, copy programs, delete programs
---- VARIANT - Maintain program attributes and texts
---- BTCSUBMIT - Submit program for background execution
 
S_TRANSPRT
- Part of the object class ‘Basis: Development Environment’
- Correction and Transport System and Request Management
- Permits access to ABAP/4 development workbench, customizing system, and Correction and Transport System
 
S_EDITOR
- Part of the object class ‘Basis: Development Environment’
- Permits editor checks for maintaining tables (release 2.)
 
S_QUERY
- Part of the object class ‘Basis: Development Environment’
- Authorization for ABAP/4 Query
- Permits you to run or maintain queries
 
S_DEVELOP
- Part of the object class ‘Basis: Development Environment’
- Permits access to ABAP/4 development tools and dictionary/data modeler, screen and menu painters, and object browser.
- Path: Tools -> Administration -> Maintain Users -> Authorization -> Information -> Overview -> Authorizations -> Choose Object -> Select ‘Basis: Development Environment’ -> Choose one of the objects -> Enter * in Authorization Field -> LIST -> Choose WHERE-USED LIST to obtain profiles -> Select profile and choose WHERE-USED LIST to obtain users.
 
14. Determine all users with the standard user profile S_SPOOL_ALL. This profile gives the user authority to bypass any restrictions on spool access.
 
15. Determine that all users on the system belong to a group.
 
16. Determine what audit trails exist and who reviews them on a regular basis.
 
17. Ensure that SAP_NEW is not used in the production environment.
- It automatically grants the user every new authorization delivered with a release upgrade.
 
18. Determine who is defined to the “Super” user master record.
 
19. Ensure that the SAP* user ID is protected by setting the profile parameter
login/no_automatic_user_sapstar
 
20. Determine who has what access rights into the system by using the following methodology:
Tools -> Administration -> Maintain Users -> Information -> Overview -> Authorization
Choose Object- (example Financial Accounting)
Then (example Company Code)  *
Activity 02 (or any other activity code)
LIST
Where Used (gives you Authorization-objects)
Where Used (gives you Profiles)
Where Used (gives you Users)
Using this methodology you can view any critical object for any module to determine which users have what access rights.
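The where-used methodology of step 20, applied to the critical objects of steps 10 and 13 and to the segregation-of-duties checks of steps 1 to 4, as an added Python example that is not the page's own procedure; the user-to-profile and profile-to-authorization extracts, the SoD conflict pairs and the wildcard handling are constructed assumptions.

```python
# Constructed extract of user-to-profile assignments (the listing step 8 asks for).
USER_PROFILES = {
    "JSMITH": ["Z_FI_CLERK"],
    "ADEV01": ["Z_DEVELOPER", "Z_TRANSPORT"],
    "BASIS1": ["S_A.SYSTEM", "Z_OS_CMD"],
    "SAP*": ["SAP_ALL"],
}

# Constructed extract of profile contents as (object, field, value); "*" = everything.
PROFILE_AUTHS = {
    "Z_FI_CLERK": [("F_BKPF_BUK", "ACTVT", "02")],
    "Z_DEVELOPER": [("S_DEVELOP", "ACTVT", "*"), ("S_PROGRAM", "P_ACTION", "EDIT")],
    "Z_TRANSPORT": [("S_TRANSPRT", "ACTVT", "*")],
    "S_A.SYSTEM": [("S_USER_GRP", "ACTVT", "*"), ("S_USER_PRO", "ACTVT", "*")],
    "Z_OS_CMD": [("S_ADMI_FCD", "S_ADMI_FCD", "UNIX")],
    "SAP_ALL": [("*", "*", "*")],
}

# Assumed segregation-of-duties rules for steps 1-4: a user should not hold both objects.
SOD_RULES = [
    ("S_DEVELOP", "S_TRANSPRT", "program development vs transport release"),
    ("S_DEVELOP", "S_USER_GRP", "program development vs user administration"),
    ("S_TABU_CLI", "S_ADMI_FCD", "client-independent table maintenance vs system administration"),
]

def _covers(granted, wanted):
    """A granted value of '*' covers any requested value; a requested '*' means 'any'."""
    return wanted == "*" or granted == "*" or granted == wanted

def user_holds(user, obj, field="*", value="*"):
    """True if any authorization in any of the user's profiles grants obj/field/value."""
    return any(
        _covers(g_obj, obj) and _covers(g_field, field) and _covers(g_value, value)
        for profile in USER_PROFILES.get(user, [])
        for g_obj, g_field, g_value in PROFILE_AUTHS.get(profile, [])
    )

def users_with(obj, field="*", value="*"):
    """Where-used list (step 20): every user whose profiles grant the authorization."""
    return sorted(u for u in USER_PROFILES if user_holds(u, obj, field, value))

def sod_conflicts():
    """(user, rule) pairs for users holding both sides of an SoD rule."""
    return [(u, desc) for a, b, desc in SOD_RULES for u in users_with(a) if user_holds(u, b)]

if __name__ == "__main__":
    print("OS command access via S_ADMI_FCD=UNIX:", users_with("S_ADMI_FCD", "S_ADMI_FCD", "UNIX"))
    for user, desc in sod_conflicts():
        print(f"SoD conflict: {user} ({desc})")
```

Because SAP_ALL is modelled as a wildcard, SAP* shows up in every where-used list and in every SoD conflict, which is the reason steps 18 and 19 single that account out.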
 
21. Review procedures to ensure that additions, changes, and deletions of user’s access privileges are properly maintained.
 
22. Determine the procedures followed in the event emergency access privileges are required.
 
23. Determine who reviews the following log files:
- SAP System Log
- Operating System Logs for SAP messages (optional)
- Change Documents
- Dictionary Logs
- Path: Development -> ABAP/4 Dictionary -> Information System
- Log of Security Changes
- Path: Tools -> Administration -> Maintain Users -> [ USERS, PROFILES, AUTHORIZATIONS] -> Information -> Change Documents
-- Changes to a user’s authorizations
-- Changes to password, user type, user group, validity and account ID for a user
-- Changes to profiles (activation)
-- Changes to authorizations (activation)
 
- Activity Log
-- Path: Tools -> Administration -> Monitoring -> System Log
--- on [USER, DATE, TERMINAL, TYPE OF MESSAGE]
- CTS logs
-- Path: SE10
