SAP Security

SAP SECUIRTY COURSE CONTENT
1 – Course Overview of SAP Security
SAP security is one of the most important technical module where the SAP security administrators are responsible for the development and administration of user rights on SAP systems. For success and effective functions in every organization, standard SAP security model has to be implemented at all levels.

2 – Introduction to SAP Security

3. What is SAP Security Design?
At its most fundamental level, SAP Security Design refers to the architectural structure of SAP security roles. However, effective security design is achieved via the convergence of role architecture:
1. SAP Security Organizational Structure & Governance – Ownership, Policies, and Accountability
2. SAP Security Processes – User Provisioning, Role Change Management, Emergency Access
3. Ongoing Management & Monitoring of the Security Environment – KPIs, Recertification, “Get Clean & Stay Clean”

The SAP Authorization Concept
The Components SAP User Master Record Master data for SAP users Authorization (Field Values): Authorization object with completed fields.
The SAP Authorization Concept .The Components Profiles Container of authorizations.
Authorization Object: Template for security that contains fields with blank values
Authorization (Field Values): Authorization object with completed fields
Roles :-Contains transaction codes, authorizations (mapped to one profile) and user assignments.
Authority Check Performed by SAP to help establish that a user has the correct authorization to execute a particular task

7 – Authorization check Process
This authorization type applies to the general SAP authorization check, which is set up using the transaction PFCG. Authorizations are defined by authorization objects . An authorization object specifies the fields that occur in an authorization. The system checks if a user has the corresponding authorization for certain field specifications in the user master record.
Authorizations are grouped together in authorization profiles .

8 – Creating and Maintaining User Master Data
9 – PFCG Profile Generator
10 – Authorization Maintenance
11 – Composite Roles
12 – Master Roles and Derived Roles
13 – End User Role Development
14 – User Administration – 4 eye principle
15 – Settings for Role Maintenance
16 – SAP Upgrade Steps
17 – Access Control Administration
18 – Analyze Authorization Issues
19 – Introduction to SAP – HR
20 – HR Authorization
21 – Structural Authorizations
22 – Indirect Role Assignment
23 – Transporting Authorizations
25 – Interface(RFC) Authorization
26 – Special Authorization
27 – Custom Auth Objects
28 – Call Transaction (SE97)
It’s quite common in the SAP world that one transaction calls another via different menu options. At the code level this is often implemented via the ABAP construct “CALL TRANSACTION”.
29 – CUA
30 – AIS
AIS – Audit Information System in SAP

31 – Security Audit Log
32 – CCMS Alert Monitor
33 – Activities Log
34 – User Monitoring and Reporting
35 – Segregation of Duty (SoD)
A segregation of duties risk is when a combination of abilities that when assigned to a backend user constitutes a risk. Objective of this risk is to facilitate the appropriate division of responsibilities.
Example risk: Maintain Accounting Periods vs. Post Accounting Document in GL Allow a user to inappropriately open accounting periods previously closed and fraudulently post documents to that period after month end.

Segregation of Duties & Sensitive Access How to monitor? • Companies have many different ways to monitor segregation of duties and sensitive access: ‒ SAP GRC Access Control ‒ Other access control systems (Approva, ControlPannel, SecurityWeaver, ACL, etc.) or “homegrown” monitoring tools ‒ Reporting transaction code “SUIM”.

36 – Critical Transaction & Critical Combination
use transaction SUIM to check the authorizations assigned to particular user or Role
37 – Securing User & Password
38 – Securing Production Systems
39 – SNC
Secure Network Communication (SNC) is a software layer in the SAP System architecture that provides an interface to an external security product.
40 – Conclusion