SlideShare uma empresa Scribd logo

How to perform critical authorizations and so d checks in sap systems

Transferir como DOCX, PDF
TL Technologies - Thoughts Become Things
TL Technologies - Thoughts Become Things
Educação
1 de 20
How to perform critical authorizations and SoD checks in SAP systems This blog describes how you can set up the Segregation of duties (SoD) analysis for the SAP security concept. I compare 2 methods, The first one is using the standard SAP report RSUSR008_009_NEW and the second one is using CSI Authorization Auditor 2014. Method 1 Using Standard SAP report It is possible to use the standard report RSUSR008_009_NEW to set up a basic SoD analysis in the SAP system (figure 1). Figure 1: Report RSUSR008_009_NEW With this report is it possible to get an overview of users/roles having access to critical authorizations and/or critical combinations (SoD conflicts). Before you can run the report, you need to define the rule set first. The rule set contains critical authorizations and critical combinations. The critical authorizations must be defined and after this is done, you can define the critical combinations. In this
example I will create a simple rule set for the critical authorizations to maintain customer master data finance view. The transaction and corresponding authorizations are defined (figure 2). Figure 2: Set up of critical authorizations in report RSUSR008_008_NEW After the critical authorizations are defined, the report can be run and the results (users/roles having access to the defined critical authorizations) are shown on the screen. A drill down functionality to see how the user gets the access to the critical authorizations is unfortunately not possible (figure 3) and the information if the transaction was executed by the user is also missing.
Figure 3: Results of critical authorizations user level The report shows the assignment of the critical authorizations and does not show you the SoD conflicts. To report the SOD conflicts, you have to define the critical authorizations first, followed by the critical combinations. A critical combination (SOD conflict) is one or more critical authorizations combined with AND logic (figure 4). Figure 4: Definition of critical combinations in report RSUSR008_009_NEW After the rule set with critical combinations is defined, the report runs and the users are shown. Once again, a detailed analysis how a user gets the authorizations is not possible with this report and the information if a user did really use the transactions of the SoD conflict is missing (figure 5). The
Definition of SOD conflicts is only using AND logic. Figure 5: Results of critical combinations user level Is it a useful report? If the rule set if defined correctly, the report will give the overview of users having access to critical authorizations. The critical authorizations can be defined with or without S_tcode value. However, there are many cons why you should not want to use this report: Creating the rule set for critical authorizations and/or critical combinations is very hard. If you want to extend the rule set with your organizational values it will become very hard to implement and can lead to thousands of rules. The rule set is local to each client so you have to define a rule set in every single client. The rule set can be transported, but the rule set you want to use in the development system will be a different one compared to the one in the production system. Therefore you should not use the transport option; it will overwrite your rule set. No pre-defined rule set can be used. You have to implement a rule set beginning from scratch. Defining the rule set will be more time consuming and cost more than buying existing external tooling. When you apply support packs you don’t get updates for the rule set. Running the report can take up a long time and is additional workload for the SAP server.
Creating the rule set is very hard, but maintaining the rule set will even be a more complex task. Change management must be set up to the rule set maintenance and the authorizations to do this must be restricted to the authorized users. The results of the report are only useful for high level reporting. In order to analyze how a certain critical authorizations or combination can be removed from a user, drilling down will not give the needed information. Documenting remediation, exceptions and compensating controls to mitigate the risks are not possible. The report will detect the issues from existing users; it will not prevent unauthorized authorizations when assigning roles to users. Who is responsible for the rule set and who is authorized to make changes to it? SOD conflicts are only created with AND logic between critical authorizations. Method 2: Using external tooling: CSI Authorization Auditor I will use CSI Authorization Auditor 2014 show how an external tool can be used for SoD checking. CSI Authorization Auditor comes with a pre-configured rule set with all critical authorizations and over 400 pre defined SOD conflicts. Therefore the definition of critical authorizations and SOD conflicts from scratch is not needed. This is a real time saver. The rule set can be adjusted to company values, like customized transactions, authorizations, organizational levels, locked transactions, deactivated authority checks et cetera. The organizational values like company codes, sales organizations, plants et cetera can be easily added and used across the analysis. If you already have a pre defines rule set for the SOd conflict and critical combinations, this can be imported into the tool as well.Changes to the rule set are logged and can be restricted for changing. Additional information regarding the critical authorizations like the risk, control objectives and suggested controls can be added to the rule set as well. THeSOd conflicts can be defined with various logics like AND, OR and even NOT logic. Figure 6 is an example of a pre defined critical authorization query, containing the critical authorizations to maintain customer master data in the finance view. The query is defined with the transactions (in the tab transactions) and the authorization values (in the tab authorization values). You can also adjust the pre defined queries and create new ones if you would like.
Figure 6: Pre defined critical authorizations set up Running the queries will show the users/ roles that have access to the defined critical authorizations. The result also gives more detailed information like how the users get access, via which profiles and/or roles. In the example picture below the yellow circles shows via which profiles/roles the transactions are assigned, the blue circles in figure shows via which profiles/roles the authorization values are assigned and if the user has executed the critical authorizations (red circles in figure 7). In this example the user not did execute (any of) the transactions for customer master data maintenance: XD01,XD02, XD99, FD02,FD05 or FD06.
Figure 7: Results critical authorizations with detailed information To do the SoD analysis, a pre defined SOD rule set can be used or a new SOD rule set can be defined from scratch. Defining the SoDruleset from scratch is very simple. Every critical authorization query is stored in a library and via drag and drop you can add queries to a SoD conflict. Additional information like the risk, recommendations, compensating controls, organizational levels that are applicable, et cetera can be added as well (figure 8).
Figure 8: Definition of SoD conflict in CSI Authorization Auditor After the critical combinations are defined, the audit can be done. The report will show the users/roles having the SoD conflict together with very useful additional information; Is the conflict executed by the user, via which role(s), profiles does the user gets the SoD conflict, is the conflict in the role itself, et cetera. Drill down detail reports (figure 9), high level reports, dashboards and trending reports are also possible to get a clear overview of the progress of clean up (getting and staying compliant) . Because the analysis is not done in the SAP system there is no additional workload for the SAP server.
Figure 9: Results of SoD conflict with detailed information Conclusion Defining the report RSUSR008_009_NEW will be a very time consuming and expensive job even if your SOD rule set is quite basic. Running the standard SAP report will take quite some time and will be additional workload for the SAP server. In the end it will be cheaper to buy an existing Security concept analyzing tools that offer more value because of the analysis functionality to get in compliance. Therefore I recommend to use external tooling like CSI Authorization Auditor. Geplaatst door Meta op 13:30 Geenopmerkingen: Dit e-mailenDitbloggen!Delen op TwitterDelen op FacebookDelen op Pinterest vrijdag 27 december 2013 Who is doing what in your SAP system? People who are using a SAP system all known the term transaction code. SAP data is restricted using role based access controls. Users that get access to the SAP system via a Graphical User interface (I include portal-like functionality just to keep it simple) and the restriction of SAP table data for the users is managed by the assigned authorizations of this user. If users want to have access to functionality in the SAP system, the transaction code is the front door to get access to this functionality. STAD data
SAP systems keep track of the transaction codes that were started by the users. This data is stored in the so called STAD data. STAD data can be used for monitoring, analyzing, auditing and maintaining the security concept. When analyzing the access restrictions to SAP functionalities and Segregation of Duty conflicts, STAD data can be used to answer questions like: Who has performed a certain critical functionality? And When? If a user has a critical Segregation of Duties conflict, did he actually perform this conflict? Also for maintaining and monitoring the security concept the STAD data can be very helpful. It will give the overview of the functionality (transaction codes) that a user did use. This information can be used doing Reverse Business Engineering to decide which functionality the user does and does not need. SAP systems only stores a limited period of STAD data. The number of days/weeks/months that the data is stored can be managed in the SAP system itself. The larger the period of the STAD data is defined, the more storing capacity the server needs. To downsize this capacity it is possible to make regular downloads of the STAD data and store this somewhere else. If this download is extended to the same database every time, you can have a large period of STAD data which is very valuable information. Example of download STAD data STAD data can be extracted from the SAP server(s) using the CSI Xtractor for example. This tool uses a Remote Function Call connection from the computer to the SAP server and the user logs on with his own SAP logon credentials (figure 1). Figure 1 – Logon with user-id and password to make RFC connection to SAP system
After selecting the period, the tool makes the downloads and you have a STAD database with all the STAD data from the SAP system (in this example I have created the database in Microsoft Access). Figure 2 - example of used transactions per user Figure 3 – Example of transactions being used This downloaded STAD data can be used by own reports/analysis. It is also possible to included this database and data in detailed SAP security analyse tools like CSI Authorization Auditor to analyze which transactions in a certain role were used by the user (figure 4) and of SOD conflicts were executed by the user (figure 5)
Figure 4 – Example of transactions being used in CSI Authorization Auditor Figure 5 – Example of SOD conflict with Executed (STAD) information Geplaatst door Meta op 12:37 Geenopmerkingen: Dit e-mailenDitbloggen!Delen op TwitterDelen op FacebookDelen op Pinterest dinsdag 10 december 2013 Fine tuning your GRC filter set with Custom transactions Sometimes it is necessary to create new (custom) transactions in the SAP systems. These customized transactions should always be taken into account when doing an audit/analysis on the authorizations concept.How to identify the authorization checks for these custom transactions? Not all custom transactions will be very critical (hopefully). But how to make sure you are including the critical ones in your analysis? First, have a look at the custom transactions that are existing. In the table TSTC, all available transactions are stored. 1.Via Se16 -> TSTC
2.Custom transactions will begin with the letter Y or Z. 2. Search on the y* and z* transactions 3.You get the overview of all existing custom transactions Not all custom transactions are critical, but the critical ones should be included in your analysis. You can have a look at the name of the custom transaction via table TSTCT, but even custom transactions with harmless names can be critical. So you have to go through every custom transaction to see what it really is. Once you have your list of critical transactions you want to include these in your rule set for auditing. But how to check if authorizations checks are included into the custom transaction? Normally a transaction can be secured by either having the authorization check included in the report itself, or by calling another transaction. How to check if the custom transaction has authorizations check(s): 1. Transactions that are secured via Call transactions and/or authority checks Via SE93 Enter the custom transaction and click button Display (example below is for transaction FD01)
2. Double click on the program 3. This will show the program (ABAP code). Open the Find option 4. Enter auth and search the main program
5. This will give you the AUTHORITY CHECKS as result. Hint: Double click on the line to see the details of the statement
6. 7. Should you not find any results, it is possible that the transaction will call another transaction and it will inherit the authorization checks from the called transaction. Check for “transaction” instead of “auth” When the custom transaction calls another transaction, double click on the transaction
8. Repeat steps 3-7 to find the authorization checks for this new transaction. Report RSABAPSC There is a report in SAP that shows the AUTHORITY CHECKS statements in the program code of a (custom) transaction. How to search if the ABAP program has “AUTHORITY CHECK” statement implemented using this report 1. VIA SA38 -> report RSABAPSC - 2. This program will trace the AUTHORITY-CHECK command that are defined in the program (ABAP code) of the custom transaction and will include the search in underlying sub programs. The recurrence level can be specified, “5” is de default value. In the example below I did a search on the AUTHORITY-CHECK values for the(not custom) transaction F110. Parameter transactions Some custom transactions will be used to maintain a certain table and will be defined as a parameter transaction. In this case, the authorization check on the table authorization group must be implemented (object S_TABU_LIN). How to check this? 1. Via SE93 enter the transaction and the result will look like
2. When the custom transaction code is a parameter transaction, the authorization group for table should be added. Scroll down and copy the view name. 3. Search which table authorization groups are assigned to the view Transaction SE11. Enter the view name and click the button display 4. The related tables for this view are shown in the sheet tables/ join conditions 5. Via Utilities -> Assign authorization group you can see the assigned table authorization groups for this view
The table TDDAT gives the relations between tables and table authorization groups. http://www.csi-tools.com/meta-s-blog

Recomendados

SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasksSiva Pradeep Bolisetti
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...akquinet enterprise solutions GmbH
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
Sap s4 ccm concept for sales and purchasing
Sap s4 ccm concept for sales and purchasingSap s4 ccm concept for sales and purchasing
Sap s4 ccm concept for sales and purchasingVenkat Mannam
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 

Recomendados

SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasksSiva Pradeep Bolisetti
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...akquinet enterprise solutions GmbH
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
Sap s4 ccm concept for sales and purchasing
Sap s4 ccm concept for sales and purchasingSap s4 ccm concept for sales and purchasing
Sap s4 ccm concept for sales and purchasingVenkat Mannam
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
Sap grc-access-control-solution
Sap grc-access-control-solutionSap grc-access-control-solution
Sap grc-access-control-solutionAnywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
SAP SD Interview Questions with Explanation
SAP SD Interview Questions with Explanation SAP SD Interview Questions with Explanation
SAP SD Interview Questions with Explanation Nbhati123
 
Solution Manager 7.2 SAP Monitoring - Part 3 - Managed System Configuration
Solution Manager 7.2 SAP Monitoring - Part 3 - Managed System ConfigurationSolution Manager 7.2 SAP Monitoring - Part 3 - Managed System Configuration
Solution Manager 7.2 SAP Monitoring - Part 3 - Managed System ConfigurationLinh Nguyen
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation hkodali
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questionsSiva Pradeep Bolisetti
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
Fiori for s4 hana troubleshooting tips and tricks
Fiori for s4 hana troubleshooting tips and tricksFiori for s4 hana troubleshooting tips and tricks
Fiori for s4 hana troubleshooting tips and tricksJasbir Khanuja
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
27631401 sap-implementation
27631401 sap-implementation27631401 sap-implementation
27631401 sap-implementationamolbdeore
 
Automatic vendor payment advice notes by mail
Automatic vendor payment advice notes by mailAutomatic vendor payment advice notes by mail
Automatic vendor payment advice notes by mailSURESH BABU MUCHINTHALA
 
Step by step on changing ecc source systems without affecting data modeling o...
Step by step on changing ecc source systems without affecting data modeling o...Step by step on changing ecc source systems without affecting data modeling o...
Step by step on changing ecc source systems without affecting data modeling o...Andre Bothma
 
Table maintenance generator and its modifications
Table maintenance generator and its modificationsTable maintenance generator and its modifications
Table maintenance generator and its modificationsscribid.download
 
Sap sd interview_questions_answers_and_explanations_espana_norestriction
Sap sd interview_questions_answers_and_explanations_espana_norestrictionSap sd interview_questions_answers_and_explanations_espana_norestriction
Sap sd interview_questions_answers_and_explanations_espana_norestrictionkdnv
 
Ragavendiran's Resume
Ragavendiran's ResumeRagavendiran's Resume
Ragavendiran's ResumeRagavendiran Kulothungan
 
Data migration methodology for sap v2
Data migration methodology for sap v2Data migration methodology for sap v2
Data migration methodology for sap v2cvcby
 
An expert guide to new sap bi security features
An expert guide to new sap bi security featuresAn expert guide to new sap bi security features
An expert guide to new sap bi security featuresShazia_Sultana
 
Authorization objects a simple guide
Authorization objects a simple guideAuthorization objects a simple guide
Authorization objects a simple guideAlbert Shumov
 
Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security Siva Pradeep Bolisetti
 

Mais conteúdo relacionado

Mais procurados

Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
SAP SD Interview Questions with Explanation
SAP SD Interview Questions with Explanation SAP SD Interview Questions with Explanation
SAP SD Interview Questions with Explanation Nbhati123
 
Solution Manager 7.2 SAP Monitoring - Part 3 - Managed System Configuration
Solution Manager 7.2 SAP Monitoring - Part 3 - Managed System ConfigurationSolution Manager 7.2 SAP Monitoring - Part 3 - Managed System Configuration
Solution Manager 7.2 SAP Monitoring - Part 3 - Managed System ConfigurationLinh Nguyen
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation hkodali
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
Fiori for s4 hana troubleshooting tips and tricks
Fiori for s4 hana troubleshooting tips and tricksFiori for s4 hana troubleshooting tips and tricks
Fiori for s4 hana troubleshooting tips and tricksJasbir Khanuja
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
27631401 sap-implementation
27631401 sap-implementation27631401 sap-implementation
27631401 sap-implementationamolbdeore
 
Automatic vendor payment advice notes by mail
Automatic vendor payment advice notes by mailAutomatic vendor payment advice notes by mail
Automatic vendor payment advice notes by mailSURESH BABU MUCHINTHALA
 
Step by step on changing ecc source systems without affecting data modeling o...
Step by step on changing ecc source systems without affecting data modeling o...Step by step on changing ecc source systems without affecting data modeling o...
Step by step on changing ecc source systems without affecting data modeling o...Andre Bothma
 
Table maintenance generator and its modifications
Table maintenance generator and its modificationsTable maintenance generator and its modifications
Table maintenance generator and its modificationsscribid.download
 
Sap sd interview_questions_answers_and_explanations_espana_norestriction
Sap sd interview_questions_answers_and_explanations_espana_norestrictionSap sd interview_questions_answers_and_explanations_espana_norestriction
Sap sd interview_questions_answers_and_explanations_espana_norestrictionkdnv
 
Data migration methodology for sap v2
Data migration methodology for sap v2Data migration methodology for sap v2
Data migration methodology for sap v2cvcby
 
An expert guide to new sap bi security features
An expert guide to new sap bi security featuresAn expert guide to new sap bi security features
An expert guide to new sap bi security featuresShazia_Sultana
 

Mais procurados (20)

Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshop
 
Sap grc-access-control-solution
Sap grc-access-control-solutionSap grc-access-control-solution
Sap grc-access-control-solution
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc
 
SAP SD Interview Questions with Explanation
SAP SD Interview Questions with Explanation SAP SD Interview Questions with Explanation
SAP SD Interview Questions with Explanation
 
Solution Manager 7.2 SAP Monitoring - Part 3 - Managed System Configuration
Solution Manager 7.2 SAP Monitoring - Part 3 - Managed System ConfigurationSolution Manager 7.2 SAP Monitoring - Part 3 - Managed System Configuration
Solution Manager 7.2 SAP Monitoring - Part 3 - Managed System Configuration
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questions
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.info
 
Fiori for s4 hana troubleshooting tips and tricks
Fiori for s4 hana troubleshooting tips and tricksFiori for s4 hana troubleshooting tips and tricks
Fiori for s4 hana troubleshooting tips and tricks
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important Questions
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online training
 
27631401 sap-implementation
27631401 sap-implementation27631401 sap-implementation
27631401 sap-implementation
 
Automatic vendor payment advice notes by mail
Automatic vendor payment advice notes by mailAutomatic vendor payment advice notes by mail
Automatic vendor payment advice notes by mail
 
Step by step on changing ecc source systems without affecting data modeling o...
Step by step on changing ecc source systems without affecting data modeling o...Step by step on changing ecc source systems without affecting data modeling o...
Step by step on changing ecc source systems without affecting data modeling o...
 
Table maintenance generator and its modifications
Table maintenance generator and its modificationsTable maintenance generator and its modifications
Table maintenance generator and its modifications
 
Sap sd interview_questions_answers_and_explanations_espana_norestriction
Sap sd interview_questions_answers_and_explanations_espana_norestrictionSap sd interview_questions_answers_and_explanations_espana_norestriction
Sap sd interview_questions_answers_and_explanations_espana_norestriction
 
Ragavendiran's Resume
Ragavendiran's ResumeRagavendiran's Resume
Ragavendiran's Resume
 
Data migration methodology for sap v2
Data migration methodology for sap v2Data migration methodology for sap v2
Data migration methodology for sap v2
 
An expert guide to new sap bi security features
An expert guide to new sap bi security featuresAn expert guide to new sap bi security features
An expert guide to new sap bi security features
 

Destaque

Authorization objects a simple guide
Authorization objects a simple guideAuthorization objects a simple guide
Authorization objects a simple guideAlbert Shumov
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 trainingsuresh
 
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...NextLabs, Inc.
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0Latha Kamal
 
CCNA - Dr. Mostafa Elgamala
CCNA - Dr. Mostafa ElgamalaCCNA - Dr. Mostafa Elgamala
CCNA - Dr. Mostafa ElgamalaMostafa Elgamala
 
Lsmw (Legacy System Migration Workbench)
Lsmw (Legacy System Migration Workbench)Lsmw (Legacy System Migration Workbench)
Lsmw (Legacy System Migration Workbench)Leila Morteza
 
SAP SD LSMW -Legacy System Migration Workbench
SAP SD LSMW -Legacy System Migration WorkbenchSAP SD LSMW -Legacy System Migration Workbench
SAP SD LSMW -Legacy System Migration Workbencharun_bala1
 
Validations in-lsmw
Validations in-lsmwValidations in-lsmw
Validations in-lsmwthopubaachi
 
Recording steps in SAP BDC
Recording steps in SAP BDCRecording steps in SAP BDC
Recording steps in SAP BDCSyam Sasi
 
54145899 sap-sd-int-tips
54145899 sap-sd-int-tips54145899 sap-sd-int-tips
54145899 sap-sd-int-tipsNitesh Mahajan
 
Accounts payable-notes
Accounts payable-notesAccounts payable-notes
Accounts payable-notesRangabashyam S
 
Microsoft MCSA - Install active directory domain services (adds) role
Microsoft MCSA - Install active directory domain services (adds) roleMicrosoft MCSA - Install active directory domain services (adds) role
Microsoft MCSA - Install active directory domain services (adds) roleHamed Moghaddam
 

Destaque (20)

Authorization objects a simple guide
Authorization objects a simple guideAuthorization objects a simple guide
Authorization objects a simple guide
 
Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRC
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 training
 
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0
 
Introductio to network 1
Introductio to network 1Introductio to network 1
Introductio to network 1
 
Agile testingoverview
Agile testingoverviewAgile testingoverview
Agile testingoverview
 
GSM
GSMGSM
GSM
 
CCNA - Dr. Mostafa Elgamala
CCNA - Dr. Mostafa ElgamalaCCNA - Dr. Mostafa Elgamala
CCNA - Dr. Mostafa Elgamala
 
Lsmw (Legacy System Migration Workbench)
Lsmw (Legacy System Migration Workbench)Lsmw (Legacy System Migration Workbench)
Lsmw (Legacy System Migration Workbench)
 
SAP SD LSMW -Legacy System Migration Workbench
SAP SD LSMW -Legacy System Migration WorkbenchSAP SD LSMW -Legacy System Migration Workbench
SAP SD LSMW -Legacy System Migration Workbench
 
Validations in-lsmw
Validations in-lsmwValidations in-lsmw
Validations in-lsmw
 
Using idoc method in lsmw
Using idoc method in lsmwUsing idoc method in lsmw
Using idoc method in lsmw
 
Recording steps in SAP BDC
Recording steps in SAP BDCRecording steps in SAP BDC
Recording steps in SAP BDC
 
54145899 sap-sd-int-tips
54145899 sap-sd-int-tips54145899 sap-sd-int-tips
54145899 sap-sd-int-tips
 
Accounts payable-notes
Accounts payable-notesAccounts payable-notes
Accounts payable-notes
 
Asap methodology
Asap methodologyAsap methodology
Asap methodology
 
Microsoft MCSA - Install active directory domain services (adds) role
Microsoft MCSA - Install active directory domain services (adds) roleMicrosoft MCSA - Install active directory domain services (adds) role
Microsoft MCSA - Install active directory domain services (adds) role
 
SAP SD Complete Guide
SAP SD Complete GuideSAP SD Complete Guide
SAP SD Complete Guide
 

Semelhante a How to perform critical authorizations and so d checks in sap systems

CSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 BrochureCSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 BrochureCSI tools
 
5(re dfd-erd-data dictionay)
5(re dfd-erd-data dictionay)5(re dfd-erd-data dictionay)
5(re dfd-erd-data dictionay)randhirlpu
 
Accessing The Oracle Apps Database Without Having A Db Login
Accessing The Oracle Apps Database Without Having A Db LoginAccessing The Oracle Apps Database Without Having A Db Login
Accessing The Oracle Apps Database Without Having A Db Loginjhare
 
Are SSAE 16 Data Center Problems Impacting Customers? (SlideShare)
Are SSAE 16 Data Center Problems Impacting Customers? (SlideShare)Are SSAE 16 Data Center Problems Impacting Customers? (SlideShare)
Are SSAE 16 Data Center Problems Impacting Customers? (SlideShare)SP Home Run Inc.
 
Finger Gesture Based Rating System
Finger Gesture Based Rating SystemFinger Gesture Based Rating System
Finger Gesture Based Rating SystemIRJET Journal
 
IRJET - Scrutinize the Utility of Preserved Data with Privacy
IRJET - Scrutinize the Utility of Preserved Data with PrivacyIRJET - Scrutinize the Utility of Preserved Data with Privacy
IRJET - Scrutinize the Utility of Preserved Data with PrivacyIRJET Journal
 
IMPLEMENTATION OF SALES MODULES USING CRM
IMPLEMENTATION OF SALES MODULES USING CRMIMPLEMENTATION OF SALES MODULES USING CRM
IMPLEMENTATION OF SALES MODULES USING CRMIRJET Journal
 
Men Salon management system project and ppt
Men Salon management system project and pptMen Salon management system project and ppt
Men Salon management system project and pptpavisubashsp
 
Hr structural auths
Hr structural authsHr structural auths
Hr structural authshkodali
 
Week10 Analysing Client Requirements
Week10 Analysing Client RequirementsWeek10 Analysing Client Requirements
Week10 Analysing Client Requirementshapy
 
A Formal Framework for SAAS Customization Based on Multi-Layered Architecture...
A Formal Framework for SAAS Customization Based on Multi-Layered Architecture...A Formal Framework for SAAS Customization Based on Multi-Layered Architecture...
A Formal Framework for SAAS Customization Based on Multi-Layered Architecture...CSCJournals
 
SE_Module2.pdf
SE_Module2.pdfSE_Module2.pdf
SE_Module2.pdfADARSHN40
 
Whitepaper: Continuous Compliance in SAP Environments - Happiest Minds
Whitepaper: Continuous Compliance in SAP Environments - Happiest MindsWhitepaper: Continuous Compliance in SAP Environments - Happiest Minds
Whitepaper: Continuous Compliance in SAP Environments - Happiest MindsHappiest Minds Technologies
 
Continuous Compliance-in-Sap-Environments
Continuous Compliance-in-Sap-EnvironmentsContinuous Compliance-in-Sap-Environments
Continuous Compliance-in-Sap-Environmentshappiestmindstech
 
Onlineshopping 121105040955-phpapp02
Onlineshopping 121105040955-phpapp02Onlineshopping 121105040955-phpapp02
Onlineshopping 121105040955-phpapp02Shuchi Singla
 
Onlineshoppingonline shopping
Onlineshoppingonline shoppingOnlineshoppingonline shopping
Onlineshoppingonline shoppingHardik Padhy
 
Mobile store management
Mobile store management Mobile store management
Mobile store management Rupendra Verma
 
Introduction American Video Game Company is accepting propos.pdf
Introduction American Video Game Company is accepting propos.pdfIntroduction American Video Game Company is accepting propos.pdf
Introduction American Video Game Company is accepting propos.pdfsandeep252523
 
Migration approachquestionnaire checklist
Migration approachquestionnaire checklistMigration approachquestionnaire checklist
Migration approachquestionnaire checklistNandeep Nagarkar
 

Semelhante a How to perform critical authorizations and so d checks in sap systems (20)

CSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 BrochureCSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 Brochure
 
5(re dfd-erd-data dictionay)
5(re dfd-erd-data dictionay)5(re dfd-erd-data dictionay)
5(re dfd-erd-data dictionay)
 
Accessing The Oracle Apps Database Without Having A Db Login
Accessing The Oracle Apps Database Without Having A Db LoginAccessing The Oracle Apps Database Without Having A Db Login
Accessing The Oracle Apps Database Without Having A Db Login
 
Are SSAE 16 Data Center Problems Impacting Customers? (SlideShare)
Are SSAE 16 Data Center Problems Impacting Customers? (SlideShare)Are SSAE 16 Data Center Problems Impacting Customers? (SlideShare)
Are SSAE 16 Data Center Problems Impacting Customers? (SlideShare)
 
Finger Gesture Based Rating System
Finger Gesture Based Rating SystemFinger Gesture Based Rating System
Finger Gesture Based Rating System
 
IRJET - Scrutinize the Utility of Preserved Data with Privacy
IRJET - Scrutinize the Utility of Preserved Data with PrivacyIRJET - Scrutinize the Utility of Preserved Data with Privacy
IRJET - Scrutinize the Utility of Preserved Data with Privacy
 
IMPLEMENTATION OF SALES MODULES USING CRM
IMPLEMENTATION OF SALES MODULES USING CRMIMPLEMENTATION OF SALES MODULES USING CRM
IMPLEMENTATION OF SALES MODULES USING CRM
 
Men Salon management system project and ppt
Men Salon management system project and pptMen Salon management system project and ppt
Men Salon management system project and ppt
 
Hr structural auths
Hr structural authsHr structural auths
Hr structural auths
 
Week10 Analysing Client Requirements
Week10 Analysing Client RequirementsWeek10 Analysing Client Requirements
Week10 Analysing Client Requirements
 
A Formal Framework for SAAS Customization Based on Multi-Layered Architecture...
A Formal Framework for SAAS Customization Based on Multi-Layered Architecture...A Formal Framework for SAAS Customization Based on Multi-Layered Architecture...
A Formal Framework for SAAS Customization Based on Multi-Layered Architecture...
 
SE_Module2.pdf
SE_Module2.pdfSE_Module2.pdf
SE_Module2.pdf
 
Whitepaper: Continuous Compliance in SAP Environments - Happiest Minds
Whitepaper: Continuous Compliance in SAP Environments - Happiest MindsWhitepaper: Continuous Compliance in SAP Environments - Happiest Minds
Whitepaper: Continuous Compliance in SAP Environments - Happiest Minds
 
Continuous Compliance-in-Sap-Environments
Continuous Compliance-in-Sap-EnvironmentsContinuous Compliance-in-Sap-Environments
Continuous Compliance-in-Sap-Environments
 
Sap basis and_security_administration
Sap basis and_security_administrationSap basis and_security_administration
Sap basis and_security_administration
 
Onlineshopping 121105040955-phpapp02
Onlineshopping 121105040955-phpapp02Onlineshopping 121105040955-phpapp02
Onlineshopping 121105040955-phpapp02
 
Onlineshoppingonline shopping
Onlineshoppingonline shoppingOnlineshoppingonline shopping
Onlineshoppingonline shopping
 
Mobile store management
Mobile store management Mobile store management
Mobile store management
 
Introduction American Video Game Company is accepting propos.pdf
Introduction American Video Game Company is accepting propos.pdfIntroduction American Video Game Company is accepting propos.pdf
Introduction American Video Game Company is accepting propos.pdf
 
Migration approachquestionnaire checklist
Migration approachquestionnaire checklistMigration approachquestionnaire checklist
Migration approachquestionnaire checklist
 

Último

Presentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxPresentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxRosabel UA
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationRosabel UA
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operationalssuser3e220a
 
Millenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptxMillenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptxJanEmmanBrigoli
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
EMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxEMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxElton John Embodo
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Dust Of Snow By Robert Frost Class-X English CBSE
Dust Of Snow By Robert Frost Class-X English CBSEDust Of Snow By Robert Frost Class-X English CBSE
Dust Of Snow By Robert Frost Class-X English CBSEaurabinda banchhor
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 

Último (20)

Presentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxPresentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptx
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptxINCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operational
 
Millenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptxMillenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptx
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
EMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxEMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docx
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Dust Of Snow By Robert Frost Class-X English CBSE
Dust Of Snow By Robert Frost Class-X English CBSEDust Of Snow By Robert Frost Class-X English CBSE
Dust Of Snow By Robert Frost Class-X English CBSE
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 

How to perform critical authorizations and so d checks in sap systems

  • 1. How to perform critical authorizations and SoD checks in SAP systems This blog describes how you can set up the Segregation of duties (SoD) analysis for the SAP security concept. I compare 2 methods, The first one is using the standard SAP report RSUSR008_009_NEW and the second one is using CSI Authorization Auditor 2014. Method 1 Using Standard SAP report It is possible to use the standard report RSUSR008_009_NEW to set up a basic SoD analysis in the SAP system (figure 1). Figure 1: Report RSUSR008_009_NEW With this report is it possible to get an overview of users/roles having access to critical authorizations and/or critical combinations (SoD conflicts). Before you can run the report, you need to define the rule set first. The rule set contains critical authorizations and critical combinations. The critical authorizations must be defined and after this is done, you can define the critical combinations. In this
  • 2. example I will create a simple rule set for the critical authorizations to maintain customer master data finance view. The transaction and corresponding authorizations are defined (figure 2). Figure 2: Set up of critical authorizations in report RSUSR008_008_NEW After the critical authorizations are defined, the report can be run and the results (users/roles having access to the defined critical authorizations) are shown on the screen. A drill down functionality to see how the user gets the access to the critical authorizations is unfortunately not possible (figure 3) and the information if the transaction was executed by the user is also missing.
  • 3. Figure 3: Results of critical authorizations user level The report shows the assignment of the critical authorizations and does not show you the SoD conflicts. To report the SOD conflicts, you have to define the critical authorizations first, followed by the critical combinations. A critical combination (SOD conflict) is one or more critical authorizations combined with AND logic (figure 4). Figure 4: Definition of critical combinations in report RSUSR008_009_NEW After the rule set with critical combinations is defined, the report runs and the users are shown. Once again, a detailed analysis how a user gets the authorizations is not possible with this report and the information if a user did really use the transactions of the SoD conflict is missing (figure 5). The
  • 4. Definition of SOD conflicts is only using AND logic. Figure 5: Results of critical combinations user level Is it a useful report? If the rule set if defined correctly, the report will give the overview of users having access to critical authorizations. The critical authorizations can be defined with or without S_tcode value. However, there are many cons why you should not want to use this report: Creating the rule set for critical authorizations and/or critical combinations is very hard. If you want to extend the rule set with your organizational values it will become very hard to implement and can lead to thousands of rules. The rule set is local to each client so you have to define a rule set in every single client. The rule set can be transported, but the rule set you want to use in the development system will be a different one compared to the one in the production system. Therefore you should not use the transport option; it will overwrite your rule set. No pre-defined rule set can be used. You have to implement a rule set beginning from scratch. Defining the rule set will be more time consuming and cost more than buying existing external tooling. When you apply support packs you don’t get updates for the rule set. Running the report can take up a long time and is additional workload for the SAP server.
  • 5. Creating the rule set is very hard, but maintaining the rule set will even be a more complex task. Change management must be set up to the rule set maintenance and the authorizations to do this must be restricted to the authorized users. The results of the report are only useful for high level reporting. In order to analyze how a certain critical authorizations or combination can be removed from a user, drilling down will not give the needed information. Documenting remediation, exceptions and compensating controls to mitigate the risks are not possible. The report will detect the issues from existing users; it will not prevent unauthorized authorizations when assigning roles to users. Who is responsible for the rule set and who is authorized to make changes to it? SOD conflicts are only created with AND logic between critical authorizations. Method 2: Using external tooling: CSI Authorization Auditor I will use CSI Authorization Auditor 2014 show how an external tool can be used for SoD checking. CSI Authorization Auditor comes with a pre-configured rule set with all critical authorizations and over 400 pre defined SOD conflicts. Therefore the definition of critical authorizations and SOD conflicts from scratch is not needed. This is a real time saver. The rule set can be adjusted to company values, like customized transactions, authorizations, organizational levels, locked transactions, deactivated authority checks et cetera. The organizational values like company codes, sales organizations, plants et cetera can be easily added and used across the analysis. If you already have a pre defines rule set for the SOd conflict and critical combinations, this can be imported into the tool as well.Changes to the rule set are logged and can be restricted for changing. Additional information regarding the critical authorizations like the risk, control objectives and suggested controls can be added to the rule set as well. THeSOd conflicts can be defined with various logics like AND, OR and even NOT logic. Figure 6 is an example of a pre defined critical authorization query, containing the critical authorizations to maintain customer master data in the finance view. The query is defined with the transactions (in the tab transactions) and the authorization values (in the tab authorization values). You can also adjust the pre defined queries and create new ones if you would like.
  • 6.
  • 7. Figure 6: Pre defined critical authorizations set up Running the queries will show the users/ roles that have access to the defined critical authorizations. The result also gives more detailed information like how the users get access, via which profiles and/or roles. In the example picture below the yellow circles shows via which profiles/roles the transactions are assigned, the blue circles in figure shows via which profiles/roles the authorization values are assigned and if the user has executed the critical authorizations (red circles in figure 7). In this example the user not did execute (any of) the transactions for customer master data maintenance: XD01,XD02, XD99, FD02,FD05 or FD06.
  • 8. Figure 7: Results critical authorizations with detailed information To do the SoD analysis, a pre defined SOD rule set can be used or a new SOD rule set can be defined from scratch. Defining the SoDruleset from scratch is very simple. Every critical authorization query is stored in a library and via drag and drop you can add queries to a SoD conflict. Additional information like the risk, recommendations, compensating controls, organizational levels that are applicable, et cetera can be added as well (figure 8).
  • 9. Figure 8: Definition of SoD conflict in CSI Authorization Auditor After the critical combinations are defined, the audit can be done. The report will show the users/roles having the SoD conflict together with very useful additional information; Is the conflict executed by the user, via which role(s), profiles does the user gets the SoD conflict, is the conflict in the role itself, et cetera. Drill down detail reports (figure 9), high level reports, dashboards and trending reports are also possible to get a clear overview of the progress of clean up (getting and staying compliant) . Because the analysis is not done in the SAP system there is no additional workload for the SAP server.
  • 10. Figure 9: Results of SoD conflict with detailed information Conclusion Defining the report RSUSR008_009_NEW will be a very time consuming and expensive job even if your SOD rule set is quite basic. Running the standard SAP report will take quite some time and will be additional workload for the SAP server. In the end it will be cheaper to buy an existing Security concept analyzing tools that offer more value because of the analysis functionality to get in compliance. Therefore I recommend to use external tooling like CSI Authorization Auditor. Geplaatst door Meta op 13:30 Geenopmerkingen: Dit e-mailenDitbloggen!Delen op TwitterDelen op FacebookDelen op Pinterest vrijdag 27 december 2013 Who is doing what in your SAP system? People who are using a SAP system all known the term transaction code. SAP data is restricted using role based access controls. Users that get access to the SAP system via a Graphical User interface (I include portal-like functionality just to keep it simple) and the restriction of SAP table data for the users is managed by the assigned authorizations of this user. If users want to have access to functionality in the SAP system, the transaction code is the front door to get access to this functionality. STAD data
  • 11. SAP systems keep track of the transaction codes that were started by the users. This data is stored in the so called STAD data. STAD data can be used for monitoring, analyzing, auditing and maintaining the security concept. When analyzing the access restrictions to SAP functionalities and Segregation of Duty conflicts, STAD data can be used to answer questions like: Who has performed a certain critical functionality? And When? If a user has a critical Segregation of Duties conflict, did he actually perform this conflict? Also for maintaining and monitoring the security concept the STAD data can be very helpful. It will give the overview of the functionality (transaction codes) that a user did use. This information can be used doing Reverse Business Engineering to decide which functionality the user does and does not need. SAP systems only stores a limited period of STAD data. The number of days/weeks/months that the data is stored can be managed in the SAP system itself. The larger the period of the STAD data is defined, the more storing capacity the server needs. To downsize this capacity it is possible to make regular downloads of the STAD data and store this somewhere else. If this download is extended to the same database every time, you can have a large period of STAD data which is very valuable information. Example of download STAD data STAD data can be extracted from the SAP server(s) using the CSI Xtractor for example. This tool uses a Remote Function Call connection from the computer to the SAP server and the user logs on with his own SAP logon credentials (figure 1). Figure 1 – Logon with user-id and password to make RFC connection to SAP system
  • 12. After selecting the period, the tool makes the downloads and you have a STAD database with all the STAD data from the SAP system (in this example I have created the database in Microsoft Access). Figure 2 - example of used transactions per user Figure 3 – Example of transactions being used This downloaded STAD data can be used by own reports/analysis. It is also possible to included this database and data in detailed SAP security analyse tools like CSI Authorization Auditor to analyze which transactions in a certain role were used by the user (figure 4) and of SOD conflicts were executed by the user (figure 5)
  • 13. Figure 4 – Example of transactions being used in CSI Authorization Auditor Figure 5 – Example of SOD conflict with Executed (STAD) information Geplaatst door Meta op 12:37 Geenopmerkingen: Dit e-mailenDitbloggen!Delen op TwitterDelen op FacebookDelen op Pinterest dinsdag 10 december 2013 Fine tuning your GRC filter set with Custom transactions Sometimes it is necessary to create new (custom) transactions in the SAP systems. These customized transactions should always be taken into account when doing an audit/analysis on the authorizations concept.How to identify the authorization checks for these custom transactions? Not all custom transactions will be very critical (hopefully). But how to make sure you are including the critical ones in your analysis? First, have a look at the custom transactions that are existing. In the table TSTC, all available transactions are stored. 1.Via Se16 -> TSTC
  • 14. 2.Custom transactions will begin with the letter Y or Z. 2. Search on the y* and z* transactions 3.You get the overview of all existing custom transactions Not all custom transactions are critical, but the critical ones should be included in your analysis. You can have a look at the name of the custom transaction via table TSTCT, but even custom transactions with harmless names can be critical. So you have to go through every custom transaction to see what it really is. Once you have your list of critical transactions you want to include these in your rule set for auditing. But how to check if authorizations checks are included into the custom transaction? Normally a transaction can be secured by either having the authorization check included in the report itself, or by calling another transaction. How to check if the custom transaction has authorizations check(s): 1. Transactions that are secured via Call transactions and/or authority checks Via SE93 Enter the custom transaction and click button Display (example below is for transaction FD01)
  • 15. 2. Double click on the program 3. This will show the program (ABAP code). Open the Find option 4. Enter auth and search the main program
  • 16. 5. This will give you the AUTHORITY CHECKS as result. Hint: Double click on the line to see the details of the statement
  • 17. 6. 7. Should you not find any results, it is possible that the transaction will call another transaction and it will inherit the authorization checks from the called transaction. Check for “transaction” instead of “auth” When the custom transaction calls another transaction, double click on the transaction
  • 18. 8. Repeat steps 3-7 to find the authorization checks for this new transaction. Report RSABAPSC There is a report in SAP that shows the AUTHORITY CHECKS statements in the program code of a (custom) transaction. How to search if the ABAP program has “AUTHORITY CHECK” statement implemented using this report 1. VIA SA38 -> report RSABAPSC - 2. This program will trace the AUTHORITY-CHECK command that are defined in the program (ABAP code) of the custom transaction and will include the search in underlying sub programs. The recurrence level can be specified, “5” is de default value. In the example below I did a search on the AUTHORITY-CHECK values for the(not custom) transaction F110. Parameter transactions Some custom transactions will be used to maintain a certain table and will be defined as a parameter transaction. In this case, the authorization check on the table authorization group must be implemented (object S_TABU_LIN). How to check this? 1. Via SE93 enter the transaction and the result will look like
  • 19. 2. When the custom transaction code is a parameter transaction, the authorization group for table should be added. Scroll down and copy the view name. 3. Search which table authorization groups are assigned to the view Transaction SE11. Enter the view name and click the button display 4. The related tables for this view are shown in the sheet tables/ join conditions 5. Via Utilities -> Assign authorization group you can see the assigned table authorization groups for this view
  • 20. The table TDDAT gives the relations between tables and table authorization groups. http://www.csi-tools.com/meta-s-blog