SAP Security Material PDF
Uploaded by OBULA

Introduction to SAP Security

Symmetry's 21st Century Approach to Managed Services
- Quality: proactive support delivered by US-based experts
- Accessibility: 24x7 direct access to your support team
- Affordability: highly competitive fixed-price contracts

What We'll Cover
- Introduction: Why is Security Important?
- Legal Requirements
  - SOX, HIPAA, ITAR
  - Risks & Controls
  - Why Unregulated Companies Should Care
- Security Architecture
  - User Master Record
  - Roles
  - Profiles
  - Authorization Objects
  - User Buffer
  - 4 Doors to SAP Security
- Managing Security
  - Security Team
  - Role owners and the approval process
  - Periodic Access Validation
  - Troubleshooting and information
  - Security Tools

Why is Security Important?
- Security is the doorway to the SAP system.
- Security is a way of protecting information from unauthorized use.
- Security can unlock the flexibility of the system and customize it for each user.
- Information stored in SAP is one of your company's most valuable business assets.

What is SAP Security?
- SAP application security controls who can do what in SAP.
- Examples:
  - Who can approve purchase requisitions over $10,000 (ME54N)?
  - Who can view other employees' social security numbers in the system (PA20)?
  - Who can update vendor bank information (XK02)?
  - Who can create or modify users (SU01)?

Security Objectives
- Confidentiality: prevent users from viewing and disclosing confidential information.
- Integrity: ensure the accuracy of the information in your company's system.
- Availability: prevent the accidental or deliberate loss or damage of your company's information resources.

Security Against Whom?
- When people think about system security, they usually think about people outside the company
  - Business espionage
  - Political rivals
- In reality, you need to protect against your own people
  - Curiosity
  - Accidental access
  - Intentional access

Factors to Consider
- How important is your SAP system and the data stored in it to your business?
- Do you have a policy requiring certain levels of security?
- Do your internal or external auditors require a certain level of security for the information stored in your system?
- Will you need some degree of security in the foreseeable future?

Legal Requirements
- SOX, HIPAA, ITAR
- Segregation of Duties vs. Excessive Access
- Controls: Preventive vs. Detective
- Why Smaller Companies Should Care

Sarbanes-Oxley (SOX) Act
- Executives are ultimately responsible for confirming the design and effectiveness of internal controls
- Excessive access and Segregation of Duties issues are key points
- Ultimately, data integrity is key

Controls: Preventive vs. Detective
- In order to prevent fraud and accidental errors, and to protect sensitive information, we must have controls.
- There are two main categories of controls:
  - Preventive controls: prohibit inappropriate access
    - Authorizations, configuration, User-Exits, and so on
  - Detective controls: rely on other processes to identify inconsistencies
    - Alerts, periodic reporting, system monitoring

Why Unregulated Companies Should Care
- Why should we care about segregating duties, excessive access or documenting our business processes if we are not publicly traded or subject to legal requirements?
  - Documentation
  - Reduction in errors
    - Cost of errors
    - Loss of customers
  - Fraud happens
  - Protection of trade secrets
  - Preserve confidential information

Security Architecture
- Authorization Objects Intro
- User Master Record
- Roles: Single, Derived, Composite
- Task-based vs. Job-based Roles
- Profiles
- Authorization Objects
- User Buffer
- 4 Doors to SAP Security

Authorization Concept
(diagram slide; image not reproduced)

Authorization Objects
- Authorization Objects are the keys to SAP security
- When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations
- The same Authorization Objects can be used by different Transactions
- Example: in order to display a table, a user must have the Authorization Object S_TABU_DIS with the appropriate values
(screenshot of the S_TABU_DIS authorization; image not reproduced)

User Master Records
- Required to establish access for Users.
- Created when a User is created.
- User Master Records are client-dependent!

User Master Records
- User Master Record information includes:
  - Name, Password, Address, Company information
  - User Group (used for security administration or searching capabilities)
  - Reference to Roles and Profiles (access capabilities are not stored directly in user master records)
  - User type
    - Dialog: typical for most users.
    - System: cannot be used for dialog login, can communicate between systems and start background jobs
    - Communications Data: cannot be used for dialog login, can communicate between systems but cannot start background jobs
    - Reference: cannot log in, used to assign additional Authorizations to Users
    - Service: can log in but is excluded from password rules, etc. Used for Support users and Internet services
  - Validity dates (from/to)
  - User defaults (logon language, default printer, date/decimal formats)

User Master Record: Roles and Profiles
- Users are assigned Roles and Profiles, which contain Authorization Objects
  - Profiles contain Authorization Objects
  - Roles contain Profiles
- Profiles that come delivered with the system or were created from scratch can be assigned directly to users
- Profiles that were created for a Role are attached to that Role and cannot be assigned directly.
  You must assign the Role and the system will then assign the user the correct Profile.

Roles
- Roles are "built on top" of Profiles and include additional components such as:
  - User menus
  - Personalization
  - Workflow
- In modern SAP systems, users are typically assigned the appropriate Roles by the security team. The system will automatically add the appropriate Profile(s) for each Role assigned.
- ****Authorization Objects only exist in Profiles (either on their own or when "nested" in roles)
(screenshot of a Role with the Description, Documentation, Menu and Profile tabs; image not reproduced)

Tips for Managing Roles
- Roles typically do not change often
- It is strongly recommended that they be created in a Development client, then transported to Quality (tested, hopefully) and finally promoted to Production.
- Roles should originate from the same client (pick one to be your "security development" client).
- It is much easier to assign an existing Role to a User than to create or modify a Role.
- SAP's template Roles are intended only for example.
  - Best practice is to have Users tell you the exact Transactions they require and build Roles from scratch
  - At the very least, copy them into your own namespace
  - Be aware that many of them contain too much access, so be careful!

Roles
(screenshot of the Change Roles screen; image not reproduced)

Roles
- Profile for a Role: (screenshot; image not reproduced)

Roles: Types
- There are 3 types of Roles:
  - Single: an independent Role
  - Derived: has a parent and differs only in Organization Levels. Transactions, Menu and Authorizations are maintained only at the parent level
  - Composite: a container that contains one or more Single or Derived Roles
- Derived Role example:
  - Purchaser Parent
    - ME21N, ME22N for all or no Purchasing Organizations
  - Purchaser Child 1
    - ME21N, ME22N for Purchasing Organization 0001
  - Purchaser Child 2
    - ME21N, ME22N for Purchasing Organization 0002

Roles: Types
- Composite Role example: (diagram; image not reproduced)

Task-based vs. Job-based Roles
- Task-based
  - Each Role performs one function (usually one or only a few Transactions)
    - Vendor master creation
    - Create sales order
- Job-based
  - Each Role contains most functions that a user will need for their job in the organization
    - AP Clerk
    - Buyer
    - Warehouse Manager
- Hybrid approach

Profiles
- Authorization Objects are stored in Profiles
- Profiles are the original SAP Authorization infrastructure
- Ultimately, a user's Authorization comes from the Profile(s) that they have assigned
- Profiles are different from Roles

Examples of Delivered Profiles
- SAP_ALL
  - Delivered with the system
  - Contains almost all Authorization Objects
- SAP_NEW
  - Contains the new objects in the current release that are required to keep old transactions functioning
  - It does NOT contain all new Authorization Objects for that release
- S_Axxxxxx
  - Standard BASIS Profiles for various job functions (i.e. customizing, development, administration, etc.)

Authorization Objects
- Authorization Objects are the keys to SAP Security
- When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations
- The same Authorization Objects can be used by different Transactions
- Example: in order to display a table, a user must have the Authorization Object S_TABU_DIS with the appropriate values
(screenshot; image not reproduced)

User Buffer
- When a User logs into the system, all of the Authorizations that the User has are loaded into a special place in memory called the User Buffer
- As the User attempts to perform activities, the system checks whether the user has the appropriate Authorization Objects in the User Buffer.
- You can see the buffer in Transaction SU56

Example of Authorization Check
- When attempting to execute a Transaction, each instance of a required Authorization Object that a user has is checked by the system until the system finds a match
- Example: User would like to create a Sales Order of the Document Type "Standard Order" (OR).
- One of the Authorization Objects that the system looks for is V_VBAK_AAT. It has two fields: Activity and Order Type
- To create a sales order for this type, the user will need V_VBAK_AAT with
  - Activity = 01 (Create)
  - Order Type = OR (Standard Order)

Example of Authorization Check
- To create a sales order for the Standard Order type, the user will need V_VBAK_AAT with:
  - Activity = 01 (Create)
  - Order Type = OR (Standard Order)
- The user might have this Object several times from several Roles. The system keeps checking until it finds a match:
  - Role 1
    - V_VBAK_AAT: Activity = 03 (Display), Order Type = * (all order types)
    - V_VBAK_AAT: Activity = 01 (Create), Order Type = (values not legible in source)
  - Role 2
    - V_VBAK_AAT: Activity = 01 (Create), Order Type = OR, RE

Authorization Checks
- How does SAP test whether the user has Authorization to execute functions? What happens when I try to start and run a Transaction?

Authorization Checks: Executing a Transaction
1. Does the Transaction exist?
2. Is the Transaction locked?
3. Can the User start the Transaction?
4. What can the User do in the Transaction?

Authorization Checks: Executing a Transaction
1) Does the Transaction exist?
   - All Transactions have an entry in table TSTC
2) Is the Transaction locked?
   - Transactions are locked using Transaction SM01
   - Once locked, they cannot be used in any client
3) Can the User start the Transaction?
   - Every Transaction requires that the user have the Object S_TCODE = Transaction Name
   - Some Transactions also require another Authorization Object to start (varies depending on the Transaction)
4) What can the User do in the Transaction?
   - The system will check to see if the user has additional Authorization Objects as necessary
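The following is an added example, not part of the slides and not SAP code: a small Python model of the authorization concept the preceding slides describe. It covers the Derived Role example (a purchaser parent with children that differ only in Purchasing Organization), the way roles generate profiles whose authorizations are loaded into the User Buffer at logon, the V_VBAK_AAT matching example (several instances of the same object from several roles, checked until one instance satisfies every field), and the four checks run when a transaction is started. The transaction tables, role names, order types and the M_BEST_EKO field values are constructed for the example; the real check runs in the SAP kernel via AUTHORITY-CHECK, not in Python.

```python
from dataclasses import dataclass, field

ORG = "$ORG"  # placeholder: the value comes from the (derived) role's Organization Levels


@dataclass
class Role:
    name: str
    transactions: list      # transactions in the role menu; they become S_TCODE values
    authorizations: list    # [(object_name, {field: [values] or ORG})]
    org_levels: dict = field(default_factory=dict)


def derive(parent, name, org_levels):
    """A Derived Role keeps the parent's transactions and authorizations and differs
    only in its Organization Level values, which are maintained on the child."""
    return Role(name, list(parent.transactions), list(parent.authorizations), dict(org_levels))


def generate_profile(role):
    """Roles are built on top of Profiles: generating the profile flattens the role into
    authorization instances, and S_TCODE is added for the role's transactions.
    An unresolved org level yields an empty value list ('all or no' organizations)."""
    profile = [("S_TCODE", {"TCD": list(role.transactions)})]
    for obj, fields in role.authorizations:
        resolved = {f: (role.org_levels.get(f, []) if v == ORG else v) for f, v in fields.items()}
        profile.append((obj, resolved))
    return profile


def build_user_buffer(roles, direct_profiles=()):
    """At logon every authorization from the assigned roles (through their profiles)
    and from directly assigned profiles is loaded into the User Buffer (SU56)."""
    buffer = []
    for role in roles:
        buffer.extend(generate_profile(role))
    for profile in direct_profiles:
        buffer.extend(profile)
    return buffer


def _field_ok(allowed, wanted):
    return "*" in allowed or wanted in allowed   # '*' is full authorization for the field


def has_authorization(user_buffer, obj, required):
    """Check each instance of `obj` in the buffer until ONE instance satisfies all
    required field values; values from different instances are never combined."""
    for name, fields in user_buffer:
        if name == obj and all(_field_ok(fields.get(f, []), v) for f, v in required.items()):
            return True
    return False


# Constructed stand-ins for the transaction tables consulted by the start checks.
TSTC = {"ME21N", "ME22N", "VA01", "VA03", "SU01", "SE16"}   # transactions that exist
LOCKED = {"SU01"}                                            # locked via SM01 (constructed)
START_OBJECTS = {"SE16": [("S_TABU_DIS", {"ACTVT": "03"})]}  # extra object needed to start


def can_start_transaction(tcode, user_buffer):
    """The four checks from the slides, in order. Returns (failed_step, reason);
    step 0 means the transaction starts and in-transaction (step 4) checks follow."""
    if tcode not in TSTC:
        return 1, "transaction does not exist (no TSTC entry)"
    if tcode in LOCKED:
        return 2, "transaction is locked (SM01)"
    if not has_authorization(user_buffer, "S_TCODE", {"TCD": tcode}):
        return 3, "missing S_TCODE for " + tcode
    for obj, req in START_OBJECTS.get(tcode, []):
        if not has_authorization(user_buffer, obj, req):
            return 3, "missing " + obj + " required to start " + tcode
    return 0, "ok; further Authorization Objects are checked inside the transaction"


# Derived Role example: purchaser parent and two children by Purchasing Organization.
purchaser_parent = Role("Z_PURCHASER", ["ME21N", "ME22N"],
                        [("M_BEST_EKO", {"ACTVT": ["01", "02"], "EKORG": ORG})])
purchaser_0001 = derive(purchaser_parent, "Z_PURCHASER_0001", {"EKORG": ["0001"]})
purchaser_0002 = derive(purchaser_parent, "Z_PURCHASER_0002", {"EKORG": ["0002"]})

# Sales example: several V_VBAK_AAT instances spread across two roles (constructed).
sales_role_1 = Role("Z_SD_DISPLAY", ["VA03"], [
    ("V_VBAK_AAT", {"ACTVT": ["03"], "AUART": ["*"]}),         # display any order type
    ("V_VBAK_AAT", {"ACTVT": ["01"], "AUART": ["ZQT"]}),       # create one constructed type
])
sales_role_2 = Role("Z_SD_CREATE", ["VA01"], [
    ("V_VBAK_AAT", {"ACTVT": ["01"], "AUART": ["OR", "RE"]}),  # create Standard Order / Returns
])


def demo():
    """A user holding purchaser child 0001 plus both sales roles."""
    buffer = build_user_buffer([purchaser_0001, sales_role_1, sales_role_2])
    return {
        "po_in_org_0001": has_authorization(buffer, "M_BEST_EKO", {"ACTVT": "01", "EKORG": "0001"}),
        "po_in_org_0002": has_authorization(buffer, "M_BEST_EKO", {"ACTVT": "01", "EKORG": "0002"}),
        "create_OR": has_authorization(buffer, "V_VBAK_AAT", {"ACTVT": "01", "AUART": "OR"}),
        "create_CR": has_authorization(buffer, "V_VBAK_AAT", {"ACTVT": "01", "AUART": "CR"}),
        "start_VA01": can_start_transaction("VA01", buffer)[0],
        "start_SU01": can_start_transaction("SU01", buffer)[0],
        "start_SE16": can_start_transaction("SE16", buffer)[0],
        "start_XXXX": can_start_transaction("XXXX", buffer)[0],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The `create_CR` case is the one worth studying: the user has an instance with Order Type `*` and another with Activity 01, but no single instance has both, so the check fails, exactly as a real buffer check would. The `purchaser_0002` role is defined but not assigned, which is why the 0002 check fails while 0001 succeeds.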
Managing Security
- Security Team
- Role Owners and the Approval Process
- Periodic Access Validation
- Troubleshooting and information
  - User Information System (SUIM)
  - SU53
  - Authorization Trace (ST01)
  - Security Audit Log (SM19/SM20)
- Security Tools
  - Central User Administration
  - SAP NetWeaver Identity Management
  - SAP GRC Access Control Suite
  - Symsoft ControlPanelGRC

SAP is a Complex Ecosystem
- There are many different SAP applications with different areas of expertise required
- Some of these require specialized security knowledge, e.g. HCM and BI/BW.
- Examples:
  - ECC: Sales and Distribution (SD), Materials Management (MM), Financial and Cost Accounting (FI/CO), Warehouse Management (WM), Quality Management (QM), Plant Maintenance (PM), Human Capital Management (HCM)
  - Business Information Warehouse (BI/BW)
  - Customer Relationship Management (CRM)
  - Supplier Relationship Management (SRM)
  - Advanced Planner and Optimizer/Supply Chain Management (SCM/APO)
  - Portal
  - ...And whatever else SAP dreams up!

Security Team
- Important to select an appropriate security team. Size consideration based on your organization:
  - Auditing requirements
  - Amount of changes
  - Security staff knowledge
- Role changes should be done by the security team
- User assignments can be processed by the security team or the basis team
- Unlocking Users/resetting passwords of Users can be done by the helpdesk

Security Team
- Outsourcing is a good option for many companies.
- Key reasons to outsource
  - Expert help available: it is hard for part-time security staff to understand all of the complexities of SAP Security
  - Internal staff may get overloaded and need extra help
  - Project work
  - Provide coverage during vacations/sick days
- Key considerations in choosing an outsourcing provider
  - Ongoing access to a team vs. consultant randomly assigned by a help desk
  - 24x7 access to support
  - Fixed rate support vs. charge by the hour

Role Owners and the Approval Process
- The security team may know how to make changes to access, but will need to work with the business to determine what changes should be made.
- Changes include making changes to Roles (modifying Authorizations, adding/removing Transactions) and assigning those Roles to users.
- We have Role changes approved by the Role owner.
- We have user assignment changes approved by the manager and the Role owner. (remainder of slide not legible in source)

Periodic Access Validation
- It's a good idea to have Role matrix reports generated and reviewed periodically by Role owners:
  - Ensures that inappropriate changes were not made
  - Accountability
  - Consider doing this quarterly or at least yearly

Periodic Access Validation
- Example output of a report that was generated by ControlPanelGRC: (screenshot; image not reproduced)

User Information System
- Transaction SUIM
- Great place to get information about Users/Roles
- TIP: has had bugs over the years. If something seems incorrect, query the appropriate table directly.
(screenshot; image not reproduced)

SU53
- Last Authorization check that failed.
- May or may not be the Authorization that the User actually needs.
  - Look at context clues to determine if it's appropriate
  - User may need more Authorization Objects after this one is added.
(screenshot; image not reproduced)

Authorization Trace
- Transaction ST01
- Records all Authorization Checks performed while a User is in the system.
- Does not include Structural Authorizations in HR Security.
- ControlPanelGRC Security Troubleshooter makes this process easier by recording the steps to recreate the issue and the Authorization Trace, and sending the output to the Security Team.

Security Audit Log
- Records information about what Users are doing
  - Logon/logoff
  - Transactions/reports started or attempted to start
  - Password changes
  - Workstation name of User
- Is not on by default.
- Transactions SM19/SM20.
- Does not record what data was changed by the User.
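As an added example (not from the slides and not ControlPanelGRC or SAP GRC code), here is a minimal detective control of the kind the Periodic Access Validation and Controls slides above describe: it builds the User x Role matrix a Role owner would sign off on and flags Segregation of Duties conflicts that only appear when a user's roles are combined. The role contents, users and SoD rule pairs are constructed sample data; a real rule set would be far larger and maintained with the business.

```python
# Constructed sample data: which transactions each role grants.
ROLE_TRANSACTIONS = {
    "Z_AP_CLERK":      {"FB60", "FB65", "FK03"},   # enter vendor invoices / credit memos, display vendor
    "Z_VENDOR_MASTER": {"XK01", "XK02", "XK03"},   # create / change / display vendor master
    "Z_PAYMENT_RUN":   {"F110"},                   # automatic payment run
    "Z_USER_ADMIN":    {"SU01", "PFCG"},           # user and role maintenance
}

# Constructed sample data: role assignments per user.
USER_ROLES = {
    "ALICE": ["Z_AP_CLERK"],
    "BOB":   ["Z_AP_CLERK", "Z_VENDOR_MASTER"],
    "CAROL": ["Z_AP_CLERK", "Z_PAYMENT_RUN"],
    "DAVE":  ["Z_USER_ADMIN"],
}

# Illustrative SoD rules: two groups of transactions one person should not hold together.
SOD_RULES = [
    ("vendor master vs. vendor invoice entry", {"XK01", "XK02"}, {"FB60", "FB65"}),
    ("vendor master vs. payment run",          {"XK01", "XK02"}, {"F110"}),
    ("invoice entry vs. payment run",          {"FB60", "FB65"}, {"F110"}),
]


def effective_transactions(user):
    """All transactions a user reaches through every assigned role. Excessive access
    usually shows up in this union, not in any single role reviewed on its own."""
    return set().union(*(ROLE_TRANSACTIONS[r] for r in USER_ROLES.get(user, [])))


def sod_conflicts(user):
    """Names of the SoD rules the user's combined access violates."""
    tcodes = effective_transactions(user)
    return [name for name, left, right in SOD_RULES if tcodes & left and tcodes & right]


def role_matrix():
    """(roles, {user: [assigned?, ...]}) in a fixed role order: the matrix Role owners review."""
    roles = sorted(ROLE_TRANSACTIONS)
    return roles, {u: [r in rs for r in roles] for u, rs in USER_ROLES.items()}


def review_report():
    """Per-user SoD findings for the periodic review."""
    return {u: sod_conflicts(u) for u in USER_ROLES}


def render_report():
    """Plain-text matrix plus findings, one line per user."""
    roles, matrix = role_matrix()
    lines = ["user   " + " ".join(roles)]
    for user, flags in matrix.items():
        cells = " ".join(("X" if f else "-").ljust(len(r)) for f, r in zip(flags, roles))
        findings = review_report()[user]
        lines.append(f"{user:6} {cells}  {'; '.join(findings) or 'no SoD conflicts'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report())
```

Running it flags BOB (vendor master plus invoice entry) and CAROL (invoice entry plus payment run) while ALICE and DAVE are clean. The same structure works as a preventive control if `sod_conflicts` is evaluated on the proposed assignment before it is approved, which is what the approval-workflow products listed on the following slides do.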
Central User Administration (CUA)
- Manage Users from one SAP client
- Simplifies User administration and can save a lot of time, especially for large environments.
- If you own SAP, you already own this. All you need is someone to configure it.
- There are several "gotchas" that frequently come up when installing. We recommend contacting a consultant who is CUA savvy.
- Asynchronous! Ultimately, the Users and Roles exist in each client. CUA is only the place you log in to make changes!

SAP NetWeaver Identity Management
- SAP's Identity Management Solution
- Cross system/cross vendor integration
- Separate landscape/installation
- Highly configurable; contact someone who specializes in this product.

SAP GRC Access Controls
- Risk Analysis and Remediation
  - Find SoDs, excessive access for both Roles and Users
  - Alert Monitoring
- Compliant User Provisioning
  - Workflow for User creations/modifications
  - Incorporates SoD checks
- Superuser Privilege Management
  - Emergency, temporary access
  - Logs some of the user's actions, notifies managers when used
- Enterprise Role Management
  - Workflow for Role creations/modifications
  - Incorporates SoD checks

SymSoft ControlPanelGRC
- 2nd generation compliance automation solution
- User Role Manager
  - Accelerates User and Role change management
- Risk Analyzer
  - Real-time risk analysis and mitigation of Segregation of Duties and Sensitive Authorization risks
- Usage Analyzer
  - (description not legible in source)
- Transport Manager
  - Automates processing of change requests with workflow
- Batch Manager
  - Cross-system infrastructure for central scheduling, monitoring and tracking of batch jobs
- Emergency Access Manager
  - Manage temporary access: access requests by User and reporting (remainder not legible in source)
- AutoAuditor
  - Allows compliance reports to be scheduled and sent to Users for review

Key Points
- Security is the doorway to the SAP system
- Security is a way of protecting information from unauthorized use
- Security can unlock the flexibility of the system and customize it for each user
- Information stored in SAP is one of your company's most valuable business assets.
- SAP Security is complex and often difficult to manage and understand
- There are legal requirements that influence SAP Security
  - Not all companies are required to comply with these regulations.
  - All businesses benefit from having well defined processes
- There are tools available to help manage security, but ultimately a good security team is key
