“ACCESS”ing Your SAP Security Data
BITI7186
Dennis A. Dargel - Senior Solution Architect/Manager
Capgemini
Presentation Materials
Presentation slides for all ASUG Annual Conference sessions can be found at: http://bit.ly/asug17slides
Take The Session Survey:
Be sure to complete the session evaluation on the SAPPHIRE NOW and ASUG Annual Conference mobile app.
Earn 25 ASUG Hub Club points for each evaluation submitted. Redeem in the ASUG Hub on the show floor.
Download the app from iPhone AppStore or Google Play.
Session Goal
This session covers the utilization of Microsoft Access to perform SAP security/SAP governance related data analytics.
Agenda
01 Capgemini – Who We Are
02 SAP Security Structure Overview (SAP Security In A Nutshell)
03 SAP Security Governance
04 Some Key SAP Tables (Security And Other)
05 Common SAP Table Combinations (For The Purpose of Analysis)
06 Using Microsoft Access
07 Security Analysis - Examples
08 Wrap-Up
09 Questions
We are a multicultural people company
190,000+ people worldwide working together as one team
• North America: ~16,780
• Latin America: ~8,580
• Europe: ~64,400
• Middle-East: ~95
• Asia-Pacific: ~5,060
• India: ~96,680
From a complete range of businesses ...
• Consulting Services: We use our extensive industry expertise to advise on strategy and help you to transform your business and technology landscape
• Application Services: We provide a next-generation approach to application development, system integration, and maintenance
• Technology and Engineering Services: We deliver technology services to suit local requirements for infrastructure, applications, engineering, testing and operations
• Other Managed Services: We integrate, manage, (co-)develop your IT infrastructure systems, transaction and on demand services and/or business activities
27 of the world’s 30 largest consumer products
companies
of the world’s 15 largest automotive OEMs
of the top 15 largest automotive suppliers
14
12
out of the top 20 Utilities companies12
of the top 15 banks
of the top 10 consumer finance companies
of the top 15 asset finance companies
of the 15 largest investment banks
9
6
13
10
… to scripting success worldwide
2016 Performance
Revenue: €12,539 million
Operating Margin: €1,440 million
Operating Profit: €1,148 million
[Pie chart: Revenue by Business. Segments: Application Services; Consulting Services; Technology and Engineering Services; Other Managed Services. Values shown: 4%, 60%, 21%, 15%]
[Pie chart: Revenue by Industry. Segments: Consumer Product, Retail, Distribution & Transportation; Energy, Utilities & Chemicals; Financial Services; Public Sector; Others; Manufacturing, Automotive & Life Sciences; Telecom, Media & Entertainment. Values shown: 11%, 26%, 17%, 4%, 19%, 7%, 16%]
SAP Security Structure Overview (SAP Security In A Nutshell)
[Diagram: the security hierarchy, with elements linked by "Belongs To" and "Assigned To" relationships]
• INSTANCE: D01
• Client: 100
• USER: JBROWN
• Role: ZPC-XXX-DEV-TRUSTING-RFC
• Profile: ZD-TRUST
• Authorization: ZD-TRUST__00
• Authorization Object Class: AAAB
• Authorization Object: S_RFCACL
• Authorization Field: ACTVT
• Authorization Field Value: 16
* Transaction used to create/access/assign content: SCC4, SU02, SU03, SE16 (TABLE T000), SU01, PFCG
SAP Security Structure Overview (SAP Security In A Nutshell)
[Screenshot: PFCG. Labels: Role, Auth. Class, Auth. Object, Authorization, Auth. Field, Auth. Field value]
SAP Security Structure Overview (SAP Security In A Nutshell)
[Screenshot: SE16, T000 – Client Table. Client: 100]
SAP Security Structure Overview (SAP Security In A Nutshell)
[Screenshot: System Status, available from any SAPGUI screen. Client: 100]
SAP Security Structure Overview (SAP Security In A Nutshell)
[Screenshot: SE16 (most USR* tables, some AGR* tables). USR01 Table (some fields shown), USR02 Table (some fields shown). USER: JBROWN]
SAP Security Governance
Areas of concern:
• Segregation of Duties
• Sensitive Access
• Mitigating Controls
• FireFighter Access
• Unused Access
Analytics can help with the analysis and reduction of all five of these (and other) governance concerns, as well as the reduction of overall SAP security support overhead.
Some Key SAP Tables - Security
• USR01: User Master Record
• USR02: User Logon Data
• USR03: User Address Data
• USR04: User Master Authorizations
• USR05: User Master PIDs
• USR10: User Master Authorization Profiles
• USR21: User Name/Address Key Assignment (See ADR6)
• USR40: Illegal Passwords Table
• USLA04: CUA: Assignment of Users to Roles
• USRACL: SNC Access Control List (ACL): User
Some Key SAP Tables - Security
• AGR_1250: Activity Group Authorization Data
• AGR_1251: Activity Group Authorization Data
• AGR_1252: Activity Group Organization Elements
• AGR_AGRS: Activity Groups In Composite Activity Groups
• AGR_BUFFI: Activity Group Internet Links
• AGR_DEFINE: Activity Group Definitions
• AGR_TEXTS: Activity Group Texts
• AGR_TCODES: Activity Group Menu Transactions
• AGR_TIME: Time Stamp for Role (Menu, Profile, Authorizations)
• AGR_TIMEB: Time Stamp for Role (Profile Generation)
• AGR_TIMEC: Time Stamp for Role (User Assignment)
• AGR_TIMED: Time Stamp for Role (Profile Comparison, RFC Distribution)
• AGR_HIER: Security Role Menu Entries
Some Key SAP Tables - Other
• ADR6: E-Mail Addresses (Business Address Service)
• CDHDR: Change document header
• E070: Change & Transport System: Header of Requests/Tasks
• E071: Change & Transport System: Object Entries
• RFCATTRIB: Administration table for RFC destinations
• RFCDES: Destination table for Remote Function Call
• TFDIR: Function Module/Function Group
• RSRREPDIR: BI Queries (Reports)
• RSRWORKBOOK: BI Workbooks
• RSDCUBE: Directory Of InfoCubes
• RSDCUBEIOBJ: InfoCube Fields
• RSDDTALOC: Local Directory Of InfoProviders
• RSDINFOPROVDATA: InfoProvider Last Change
• RSDIPROIOBJT: InfoProvider InfoObject Texts
• RSDIOBJ: Directory of InfoObjects
• RSDIOBJT: InfoObject Texts
• RSECTXT: Authorization Texts
• RSECTXT_CL: Change Documents for Document Texts
• RSECUSERAUTH: BI AS Authorizations: Assignment of User Authorizations
• RSECUSERAUTH_CL: BI AS Authorizations: Assignment of User Auths (Change Log)
• RSECVAL: Analysis Authorization Values
• RSECVAL_CL: Authorization Value Change (Change Log)
• YGPS_MAPPING: GPS BW: Mapping of Roles to InfoProviders
• RSZCOMPDIR: BI Reporting Components
Key SAP Tables - Lookup
Table DD02T – Where you look up tables (table of tables)
Common SAP Table Combinations (For Analysis)
EXAMPLE 1 (User Role Assignments – Child Systems):
• (USR02) User ID / User Group / User Validity Dates
• (SUIM) User Name
• (AGR_USERS) Assigned Roles / Assigned Role Validity Dates
• (AGR_TEXTS) Role Name
EXAMPLE 2 (User Email Addresses):
• (USR02) User
• (SUIM) User Name
• (USR21 – ADR6) Table Linkage To User Email Address
EXAMPLE 3 (User CUA Role Assignments):
• (USLA04) CUA User Role Assignments (From CUA System)
• (USR02) User ID / User Group / User Validity Dates (From Child System(s))
• (SUIM) User Name (From Child System(s))
• (AGR_USERS) Assigned Roles / Assigned Role Validity Dates (From Child System(s))
• (AGR_TEXTS) Role Name (From Child System(s))
Microsoft Access Quick Lesson #1: Database Creation/Data Import
Microsoft Access Quick Lesson #1: Database Creation
Microsoft Access Quick Lesson #1: SAP Data Export
• Enter table name and click here
• Use this button to copy selections back to main screen
• Select/Deselect fields one by one (checkbox)
• Optionally: Use the button on the right to “Deselect All” fields and the button on the left to “Select All” fields
• Click on menu dropdowns “Settings”, “Format List” and “Choose Fields” to choose the fields to be displayed/exported
• Click on menu dropdowns “Settings” and “Fields for Selection” if it is desired to change the fields available for filtering
• Click on menu dropdowns “System”, “List”, “Save” and “Local File (ALT YTAI)”
• Enter filtering values, as well as desired output width and maximum number of hits (returned records)
• Enter the desired Directory and File Name (with a .txt extension) and click on the Generate button
NOTE: Prior to dumping data, verify that the “ALV Grid display” and “Field Names” radio buttons are selected under menu dropdown “Settings”/“User Parameters”. This is also where default width and number of records (hits) can be set.
Microsoft Access Quick Lesson #1: Access Data Import
• Select “No primary key”, enter the name to give the table containing the imported data and click “Finish”
• Browse to and select the text file to be imported
• Select “External Data” and “Text File” from the top menu
• Select “Delimited” and “Other” with a delimiter of Vertical Bar
• Define each field in the input file, checking the skip box for undesired fields. Be sure to set the correct “Data Type” for each field (example date fields)
• Click “Advanced” to save the import specification for future use importing the same file.
Microsoft Access Quick Lesson #1: Database Creation/Data Import
DEMO
Microsoft Access Quick Lesson #2: Query Creation
• Drag each table to be included in the query into the query design window.
• Connect key fields between tables by clicking on one side and dragging to the other side.
Microsoft Access Quick Lesson #2: Query Creation
• Drag each field to be included in the query output to the query output layout boxes.
• Add sort criteria, selection criteria and grouping as desired. Criteria entered in brackets ([]) will be asked for at query execution time.
• Query output.
Microsoft Access Quick Lesson #2: Query Creation
DEMO
Access Database Full Automation (Overview Only)
Security Analysis – Day To Day
Example: Show status of transports (Security) progressing towards the production environments (Transport heat map)
Tables (Input):
E070 - Change & Transport System: Header of Requests/Tasks (DEV/QA/PROD)
E071 - Change & Transport System: Object Entries of Requests/Tasks (DEV/QA/PROD)
Reports (Output):
Detailed
Trans-Date Trans-No Trans-User Trans-Object
23-Jan-08 D10_P00035 RS861390 YRS:MF:MF:MAT_MD_MNT_PLT_FI
23-Jan-08 D10_P00035 RS861390 YRS:MF:MF:MAT_MD_MNT_PRC_FI
23-Jan-08 D10_P00035 RS861390 YRS:MF:MF:MAT_MD_MNT_SLS_S5
23-Jan-08 D10_P00035 RS861390 YRS:MF:MF:MAT_MD_PRD_HIER_MNT
23-Jan-08 D10_P00035 RS861390 YRS:MF:MF:MAT_MD_REQ
23-Jan-08 D10_P00035 RS861390 YRS:MF:MF:MAT_MD_REQ_APR
23-Jan-08 D10_P00035 RS861390 YRS:MF:MF:MAT_MD_REQ_PAPR
Summary
Trans-Date Trans-User Trans-No
23-Jan-08 RS861390 D10_P00035
09-Mar-08 RS861390 D10_P00001
12-Sep-12 30153141 D10K979034
12-Sep-12 30153141 D10K979035
13-Sep-12 02040979 S12K900745
Security Analysis – Periodic
Example: Quarterly SAP production user counts
Tables (Input):
USR02 - Logon Data (Kernel-Side Use)
System Table (Internal To Database)
User Type Table (Internal To Database)
User Groupings Table (Internal To Database)
Report (Output):
Users By Sector and Group
Users By System and Type
SUBSYS UTYPE UTYPENAME COUNT
X01CLNT000 A DIALOG 110
X01CLNT200 A DIALOG 16965
X1HCLNT200 A DIALOG 73
X1HCLNT200 A DIALOG 119261
X2HCLNT000 A DIALOG 70
X2HCLNT200 A DIALOG 13358
X11CLNT000 B SYSTEM 85
X11CLNT200 B SYSTEM 97
X1HCLNT000 B SYSTEM 30
X1HCLNT200 B SYSTEM 40
X2HCLNT000 B SYSTEM 24
X2HCLNT200 B SYSTEM 30
X11CLNT000 S SERVICE 23
X11CLNT200 S SERVICE 345
X1HCLNT000 S SERVICE 16
X1HCLNT200 S SERVICE 39
X2HCLNT000 S SERVICE 17
X2HCLNT200 S SERVICE 34
Security Analysis – Utility
Example: Comparison of non-upgraded and upgraded system roles or same roles in two different systems (Security Differences)
Tables (input):
AGR_1251 - Authorization data for the activity group (All but MANDT and VARIANT fields)
AGR_TCODES - Activity Group Menu Transactions (AGR_NAME and TCODE fields)
Report (Output):
Columns: Role, Postrolename, In, Preobj, Postobj, Auth, Precombined, Preindfields

Role: P99:S:IT:ALE_SAP
Postrolename: P99:S:IT:ALE_SAP
In: T99
Preobj: S_RFC
Postobj: S_RFC
Auth: ITALEBBSPP04
Precombined: ROLE:P99:S:IT:ALE_SAP-OBJECT:S_RFC-FIELD:ACTVT:LOW:HIGH=16:NULL-FIELD:RFC_NAME:LOW:HIGH=IDOC_DATE_TIME_GET:NULL:LOW:HIGH=Y_RFC_DME_BUDGET:NULL:LOW:HIGH=Z_CAP_GET_PO_DETAILS:NULL:LOW:HIGH=Z_CREATE_CRMKUNNR_ENTRY:NULL:LOW:HIGH=Z_MATNR_GET_EAN11:NULL:LOW:HIGH=Z_TRANSFER_POSTING_MIGO:NULL:LOW:HIGH=ZSALES_BOM_EXTRACT:NULL:LOW:HIGH=ZSD_YAFL_EXTRACT:NULL-FIELD:RFC_TYPE:LOW:HIGH=FUNC:NULL
Preindfields: ACTVT--RFC_NAME--RFC_TYPE==~16~NULL~IDOC_DATE_TIME_GET~NULL~FUNC~NULL~~~~~~~~~~~~~~

Role: P99:S:SEC:USER_ADM
Postrolename: P99:S:SEC:USER_ADM
In: T99
Preobj: S_USER_GRP
Postobj: S_USER_GRP
Auth: SCUSERADMN0
Precombined: ROLE:P99:S:SEC:USER_ADM-OBJECT:S_USER_GRP-FIELD:ACTVT:LOW:HIGH=ASTERISK:NULL-FIELD:CLASS:LOW:HIGH=ASTERISK:NULL
Preindfields: ACTVT--CLASS==~ASTERISK~NULL~ASTERISK~NULL~~~~~~~~~~~~~~~

Role: P99:S:POM:COA_REL
Postrolename: P99:S:COA_REL
In: T99
Preobj: S_USER_GRP
Postobj: S_USER_GRP
Auth: COA_REL00000
Precombined: ROLE:P99:S:POM:COA_REL-OBJECT:S_USER_GRP-FIELD:ACTVT:LOW:HIGH=03:NULL-FIELD:CLASS:LOW:HIGH=$CLASS:NULL
Preindfields: ACTVT--CLASS==~03~NULL~$CLASS~NULL~~~~~~~~~~~~~~~
Security Analysis – Utility
Example: Development – Versus – Quality – Versus – Test – Versus production role existence/role assignment
Tables (input):
AGR_DEFINE – Activity Group Definitions (All Systems In Landscape)
AGR_USERS - Activity Group Texts (All Systems In Landscape)
Report (Output):
Column: Content Description
• Roleid: Yellow - downloaded/transported/deleted
• Parent role: Parent Role In Any System
• Assigned: Assigned In Any System
• Ever assign: Ever Assigned In PROD
• Last year: Last Year Assigned In PROD
• Dev: In DEV
• Dev create year: DEV Creation Year
• Dev assign: Assigned In DEV
• Maint: In MAINT
• Maint assign: Assigned In MAINT
• Qual: In QUAL
• Qual assign: Assigned In QUAL
• Prod: In PROD
• Prod assign: Assigned In PROD
• Prod not dev: In PROD But Not In DEV
• Prod not maint: In PROD But Not In MAINT
• Prod not dev or maint: In PROD But Not In DEV Or MAINT
• Dev not maint: In DEV But Not In MAINT
• Maint not dev: In MAINT But Not In DEV
Sample rows (blank cells are not preserved, so values do not line up with the columns in every row):
APL No Yes Yes 2012 No No Yes Yes Yes No Yes No Yes No No No Yes
APP_DEV_SUPPORT Yes Yes No Yes 2002 Yes Yes Yes Yes Yes Yes No No No No No No
APP_DEV_SUPPORT_PRO No Yes Yes 2014 Yes 2002 No Yes Yes Yes Yes Yes No No No No No No
APPLICATION_DEV Yes Yes No Yes 2006 Yes Yes Yes Yes Yes Yes No No No No No No
APPLICATION_DEV_BI No Yes Yes 2007 Yes 2006 Yes Yes Yes Yes Yes Yes No No No No No No
APPROVA_BIZRIGHTS_DSP No No No Yes 2006 No Yes No No No No No No No No No No
Access Database Full Automation (Overview Only)
Wrap-Up
1. Research required SAP table(s) using the DD02T table and/or Google.
2. Use SE16 or an SE16 wrapper-like custom transaction to dump tables.
3. Dump tables in unconverted .txt format.
4. Import table(s) into Microsoft Access. Optionally create and save an Import Specification for future use importing the same table(s).
5. Build queries matching up tables and/or creating intermediate work tables.
6. Optionally build a fully automated database, depending on frequency of database usage and the end user(s) utilizing the database.
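The wrap-up steps applied to EXAMPLE 1 of the table combinations, as an added example that is not part of the original presentation: Python's sqlite3 stands in for Microsoft Access, and the dump layout, the YYYYMMDD dates, the Z_EX_* role names and all sample rows are constructed assumptions. It goes one step beyond the join and lists role assignments that are still valid on users whose own validity has expired (the "Unused Access" concern).

```python
import sqlite3

# Constructed SE16 list dumps: vertical-bar delimited, field names in the
# first bar-delimited row. Layout and YYYYMMDD dates are assumptions.
USR02_TXT = """\
Table:          USR02
--------------------------------------------
|   |MANDT|BNAME |CLASS  |GLTGV   |GLTGB   |
--------------------------------------------
|   |100  |JBROWN|FINANCE|20150101|20161231|
|   |100  |ASMITH|BASIS  |20150101|00000000|
--------------------------------------------
"""
AGR_USERS_TXT = """\
|   |MANDT|AGR_NAME       |UNAME |FROM_DAT|TO_DAT  |
|   |100  |Z_EX_FI_DISPLAY|JBROWN|20150101|99991231|
|   |100  |Z_EX_BASIS_ADM |ASMITH|20150101|99991231|
|   |100  |Z_EX_FI_DISPLAY|ASMITH|20150101|20151231|
"""
AGR_TEXTS_TXT = """\
|   |MANDT|AGR_NAME       |SPRAS|LINE |TEXT                   |
|   |100  |Z_EX_FI_DISPLAY|E    |00000|Example FI display role|
|   |100  |Z_EX_FI_DISPLAY|E    |00001|Long text line         |
|   |100  |Z_EX_BASIS_ADM |E    |00000|Example Basis admin    |
"""


def parse_se16_export(text):
    """Return (field_names, rows) from a vertical-bar delimited list dump."""
    header, fields, keep, rows = None, [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # title, blank and dashed ruler lines
        cells = [c.strip() for c in line.split("|")[1:-1]]
        if header is None:
            header = cells
            # Drop unnamed columns (the leading selection column).
            keep = [i for i, name in enumerate(header) if name]
            fields = [header[i] for i in keep]
            bad = [f for f in fields if not f.replace("_", "").isalnum()]
            if bad:  # field names become SQL identifiers, so validate them
                raise ValueError(f"unexpected field names: {bad}")
            continue
        if len(cells) != len(header):
            # Typical cause: a text field that itself contains the delimiter.
            raise ValueError(
                f"line {lineno}: {len(cells)} cells, expected {len(header)}")
        rows.append([cells[i] for i in keep])
    if header is None:
        raise ValueError("no header row found")
    return fields, rows


def load_table(conn, name, text):
    """Create table `name` (all TEXT columns) and load the parsed rows."""
    fields, rows = parse_se16_export(text)
    cols = ", ".join(f'"{f}" TEXT' for f in fields)
    conn.execute(f'CREATE TABLE "{name}" ({cols})')
    marks = ", ".join("?" for _ in fields)
    conn.executemany(f'INSERT INTO "{name}" VALUES ({marks})', rows)
    return len(rows)


def build_db():
    conn = sqlite3.connect(":memory:")
    load_table(conn, "USR02", USR02_TXT)
    load_table(conn, "AGR_USERS", AGR_USERS_TXT)
    load_table(conn, "AGR_TEXTS", AGR_TEXTS_TXT)
    return conn


def user_role_assignments(conn, language="E"):
    """EXAMPLE 1: user, user group, assigned role, role name, role end date."""
    return conn.execute(
        """SELECT u.BNAME, u."CLASS", a.AGR_NAME, t."TEXT", a.TO_DAT
           FROM USR02 u
           JOIN AGR_USERS a ON a.MANDT = u.MANDT AND a.UNAME = u.BNAME
           LEFT JOIN AGR_TEXTS t ON t.MANDT = a.MANDT
                AND t.AGR_NAME = a.AGR_NAME
                AND t.SPRAS = ? AND t."LINE" = '00000'  -- short text only
           ORDER BY u.BNAME, a.AGR_NAME""", (language,)).fetchall()


def expired_users_with_active_roles(conn, today):
    """Role assignments still valid on users whose validity ended before today."""
    return conn.execute(
        """SELECT u.BNAME, u.GLTGB, a.AGR_NAME, a.TO_DAT
           FROM USR02 u
           JOIN AGR_USERS a ON a.MANDT = u.MANDT AND a.UNAME = u.BNAME
           WHERE u.GLTGB <> '00000000'   -- 00000000 means no end date
             AND u.GLTGB < ? AND a.TO_DAT >= ?
           ORDER BY u.BNAME, a.AGR_NAME""", (today, today)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in user_role_assignments(db):
        print(row)
    print(expired_users_with_active_roles(db, "20170515"))
```

Restricting AGR_TEXTS to one language and to LINE 00000 keeps the join from multiplying each assignment by the number of text lines stored for the role.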
Questions
“ACCESS” ing Your SAP Security Data
BITI7186
Dennis A. Dargel - Senior Solution Architect/Manager - Capgemini
Thank you for attending my session!
For questions, contact me at:
Don’t forget to fill out the Session Evaluation on the Mobile App!
Follow Us
Thank you for your time
Follow us on at @ASUG365

Mais conteúdo relacionado

Mais de Capgemini

Top Trends in Commercial Banking: 2021
Top Trends in Commercial Banking: 2021Top Trends in Commercial Banking: 2021
Top Trends in Commercial Banking: 2021
Capgemini
 
Top Trends in Retail Banking: 2021
Top Trends in Retail Banking: 2021Top Trends in Retail Banking: 2021
Top Trends in Retail Banking: 2021
Capgemini
 
Top Trends in Retail Banking: 2020
Top Trends in Retail Banking: 2020Top Trends in Retail Banking: 2020
Top Trends in Retail Banking: 2020
Capgemini
 

Mais de Capgemini (20)

Property & Casualty Insurance Top Trends 2021
Property & Casualty Insurance Top Trends 2021Property & Casualty Insurance Top Trends 2021
Property & Casualty Insurance Top Trends 2021
 
Life Insurance Top Trends 2021
Life Insurance Top Trends 2021Life Insurance Top Trends 2021
Life Insurance Top Trends 2021
 
Top Trends in Commercial Banking: 2021
Top Trends in Commercial Banking: 2021Top Trends in Commercial Banking: 2021
Top Trends in Commercial Banking: 2021
 
Top Trends in Wealth Management: 2021
Top Trends in Wealth Management: 2021Top Trends in Wealth Management: 2021
Top Trends in Wealth Management: 2021
 
Top Trends in Payments: 2021
Top Trends in Payments: 2021Top Trends in Payments: 2021
Top Trends in Payments: 2021
 
Health Insurance Top Trends 2021
Health Insurance Top Trends 2021Health Insurance Top Trends 2021
Health Insurance Top Trends 2021
 
Top Trends in Retail Banking: 2021
Top Trends in Retail Banking: 2021Top Trends in Retail Banking: 2021
Top Trends in Retail Banking: 2021
 
Capgemini’s Connected Autonomous Planning
Capgemini’s Connected Autonomous PlanningCapgemini’s Connected Autonomous Planning
Capgemini’s Connected Autonomous Planning
 
Top Trends in Retail Banking: 2020
Top Trends in Retail Banking: 2020Top Trends in Retail Banking: 2020
Top Trends in Retail Banking: 2020
 
Top Trends in Life Insurance: 2020
Top Trends in Life Insurance: 2020Top Trends in Life Insurance: 2020
Top Trends in Life Insurance: 2020
 
Top Trends in Health Insurance: 2020
Top Trends in Health Insurance: 2020Top Trends in Health Insurance: 2020
Top Trends in Health Insurance: 2020
 
Top Trends in Payments: 2020
Top Trends in Payments: 2020Top Trends in Payments: 2020
Top Trends in Payments: 2020
 
Top Trends in Commercial Banking: 2020
Top Trends in Commercial Banking: 2020Top Trends in Commercial Banking: 2020
Top Trends in Commercial Banking: 2020
 
Top Trends in Wealth Management 2020
Top Trends in Wealth Management 2020Top Trends in Wealth Management 2020
Top Trends in Wealth Management 2020
 
How to get off the white elephant of physical and leverage the true benefits ...
How to get off the white elephant of physical and leverage the true benefits ...How to get off the white elephant of physical and leverage the true benefits ...
How to get off the white elephant of physical and leverage the true benefits ...
 
Connected Autonomous Planning: a continuous touchless model enabling an agile...
Connected Autonomous Planning: a continuous touchless model enabling an agile...Connected Autonomous Planning: a continuous touchless model enabling an agile...
Connected Autonomous Planning: a continuous touchless model enabling an agile...
 
Data Center of the Future: Designing a modernized, high performance computing...
Data Center of the Future: Designing a modernized, high performance computing...Data Center of the Future: Designing a modernized, high performance computing...
Data Center of the Future: Designing a modernized, high performance computing...
 
Connected Storytelling
Connected StorytellingConnected Storytelling
Connected Storytelling
 
NYDJ and Capgemini
NYDJ and CapgeminiNYDJ and Capgemini
NYDJ and Capgemini
 
Grocery Fullforce Solution: Capgemini Unified Commerce Solution for Grocery
Grocery Fullforce Solution: Capgemini Unified Commerce Solution for GroceryGrocery Fullforce Solution: Capgemini Unified Commerce Solution for Grocery
Grocery Fullforce Solution: Capgemini Unified Commerce Solution for Grocery
 

Último

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 

"ACCESS"ing Your SAP Security Data

  • 1. “ACCESS”ing Your SAP Security Data BITI7186 Dennis A. Dargel - Senior Solution Architect/Manager Capgemini
  • 2. Presentation slides for all ASUG Annual Conference sessions can be found at: http://bit.ly/asug17slides Presentation Materials
  • 3. Take The Session Survey: Be sure to complete the session evaluation on the SAPPHIRE NOW and ASUG Annual Conference mobile app. Earn 25 ASUG Hub Club points for each evaluation submitted. Redeem in the ASUG Hub on the show floor Download the app from iPhone AppStore or Google Paly
  • 4. Session Goal This session covers the utilization of Microsoft Access to perform SAP security/ SAP governance related data analytics.
  • 5. 01 02 03 Capgemini – Who We Are 04 05 06 07 08 09 SAP Security Structure Overview (SAP Security In A Nutshell) SAP Security Governance Some Key SAP Tables (Security And Other) Common SAP Table Combinations (For The Purpose of Analysis) Using Microsoft Access Security Analysis - Examples Wrap-Up Questions Agenda
  • 6. 190,000+ people worldwide working together as one team North America ~16,780 Latin America ~8,580 Europe ~64,400 Middle-East ~95 Asia-Pacific ~5,060 India ~96,680 We are a multicultural people company
  • 7. We use our extensive industry expertise to advise on strategy and help you to transform your business and technology landscape We provide a next-generation approach to application development, system integration, and maintenance We deliver technology services to suit local requirements for infrastructure, applications, engineering, testing and operations We integrate, manage, (co-)develop your IT infrastructure systems, transaction and on demand services and/or business activities Consulting Services Application Services Technology and Engineering Services Other Managed Services From a complete range of businesses ...
  • 8. 27 of the world’s 30 largest consumer products companies of the world’s 15 largest automotive OEMs of the top 15 largest automotive suppliers 14 12 out of the top 20 Utilities companies12 of the top 15 banks of the top 10 consumer finance companies of the top 15 asset finance companies of the 15 largest investment banks 9 6 13 10 … to scripting success worldwide
  • 9. 4% 60% 21% 15% Revenue €12,539 million Operating Margin €1,440 million Operating Profit €1,148 million Revenue by Business Revenue by Industry Application Services Consulting Services Technology and Engineering Services Other Managed Services Consumer Product, Retail, Distribution & Transportation Energy, Utilities & Chemicals Financial Services Public Sector Others Manufacturing, Automotive & Life Sciences Telecom, Media & Entertainment 11% 26% 17%4% 19% 7% 16% 2016 Performance
  • 10. * SCC4 * SU02 * SU03 Profile: ZD- TRUST Authorization Field Value: 16 Authorization Field: ACTVT Authorization: ZD-TRUST__00 Client: 100 INSTANCE: D01 * SE16 (TABLE T000) Role: ZPC-XXX-DEV -TRUSTING- RFC * Transaction Used to create/ Access/assign Content USER: JBROWN * SU01 * PFCG Authorization Object Class: AAAB Authorization Object: S_RFCACL Belongs To Assigned To SAP Security Structure Overview (SAP Security In A Nutshell)
  • 11. Role Auth. Class Auth. Object Authorization AUTH. FIELD Auth. Field value PFCG SAP Security Structure Overview (SAP Security In A Nutshell)
  • 12. Client:100 SE16 T000 – Client Table SAP Security Structure Overview (SAP Security In A Nutshell)
  • 13. SAP Security Structure Overview (SAP Security In A Nutshell) Available From Any SAPGUI Screen Client: 100 System Status
  • 14. USR01 Table (some fields shown) USR02 Table (some fields shown) SE16 Most USR* Tables Some AGR* Tables SAP Security Structure Overview (SAP Security In A Nutshell) USER: JBROWN
  • 15. SAP Security Governance Areas of concern:  Segregation of Duties  Sensitive Access  Mitigating Controls  FireFighter Access  Unused Access Analytics can help with the analysis and reduction of all five of these (and other) governance concerns, as well as the reduction of overall SAP security support overhead.
  • 16. Some Key SAP Tables - Security USR01 : User Master Record USR02 : User Logon Data USR03 : User Address Data USR04 : User Master Authorizations USR05 : User Master PIDs USR10 : User Master Authorization Profiles USR21: User Name/Address Key Assignment (See ADR6) USR40 : Illegal Passwords Table USLA04 : CUA: Assignment of Users to Roles USRACL: SNC Access Control List (ACL): User
  • 17. Some Key SAP Tables - Security AGR_1250 : Activity Group Authorization Data AGR_1251 : Activity Group Authorization Data AGR_1252 : Activity Group Organization Elements AGR_AGRS : Activity Groups In Composite | Activity Groups AGR_BUFFI : Activity Group Internet Links AGR_DEFINE : Activity Group Definitions AGR_TEXTS : Activity Group Texts AGR_TCODES : Activity Group Menu Transactions AGR_TIME: Time Stamp for Role (Menu, Profile, Authorizations) AGR_TIMEB: Time Stamp for Role (Profile Generation) AGR_TIMEC: Time Stamp for Role (User Assignment) AGR_TIMED: Time Stamp for Role (Profile Comparison, RFC Distribution) AGR_HIER: Security Role Menu Entries
  • 18.  ADR6: E-Mail Addresses (Business Address Service)  CDHDR: Change document header  E070: Change & Transport System: Header of Requests/Tasks  E071: Change & Transport System: Object Entries  RFCATTRIB: Administration table for RFC destinations  RFCDES: Destination table for Remote Function Call  TFDIR: Function Module/Function Group Some Key SAP Tables - Other  RSRREPDIR: BI Queries (Reports)  RSRWORKBOOK: BI Workbooks  RSDCUBE: Directory Of InfoCubes  RSDCUBEIOBJ: InfoCube Fields  RSDDTALOC: Local Directory Of InfoProviders  RSDINFOPROVDATA: InfoProvider Last Change  RSDIPROIOBJT: InfoProvider InfoObject Texts  RSDIOBJ: Directory of InfoObjects  RSDIOBJT: InfoObject Texts  RSECTXT: Authorization Texts  RSECTXT_CL: Change Documents for Document Texts  RSECUSERAUTH: BI AS Authorizations: Assignment of User Authorizations  RSECUSERAUTH_CL: BI AS Authorizations: Assignment of User Auths (Change Log)  RSECVAL: Analysis Authorization Values  RSECVAL_CL: Authorization Value Change (Change Log)  YGPS_MAPPING: GPS BW: Mapping of Roles to InfoProviders  RSZCOMPDIR: BI Reporting Components
  • 19. Key SAP Tables - Lookup Table DD02T – Where you look up tables (table of tables)
  • 20. Common SAP Table Combinations (For Analysis) EXAMPLE 1 (User Role Assignments – Child Systems):  (USR02) User ID / User Group / User Validity Dates  (SUIM) User Name  (AGR_USERS) Assigned Roles / Assigned Role Validity Dates  (AGR_TEXTS) Role Name EXAMPLE 2 (User Email Addresses):  (USR02) User  (SUIM) User Name  (USR21 – ADR6) Table Linkage To User Email Address EXAMPLE 3 (User CUA Role Assignments):  (USLA04) CUA User Role Assignments (From CUA System)  (USR02) User ID / User Group / User Validity Dates (From Child System(s))  (SUIM) User Name (From Child System(s))  (AGR_USERS) Assigned Roles / Assigned Role Validity Dates (From Child System(s))  (AGR_TEXTS) Role Name (From Child System(s))
  • 21. Microsoft Access Quick Lesson #1: Database Creation/Data Import
  • 22. Microsoft Access Quick Lesson #1: Database Creation
  • 23. Microsoft Access Quick Lesson #1: SAP Data Export
      • Enter table name and click here
      • Use this button to copy selections back to main screen
      • Select/Deselect fields one by one (checkbox)
      • Optionally: Use the button on the right to “Deselect All” fields and the button on the left to “Select All” fields
      • Click on menu dropdowns “Settings”, “Format List” and “Choose Fields” to choose the fields to be displayed/exported
      • Click on menu dropdowns “Settings” and “Fields for Selection” if it is desired to change the fields available for filtering
      • Click on menu dropdowns “System”, “List”, “Save” and “Local File (ALT YTAI)”
      • Enter filtering values, as well as desired output width and maximum number of hits (returned records)
      • Enter the desired Directory and File Name (with a .txt extension) and click on the Generate button
      NOTE: Prior to dumping data, verify that the “ALV Grid display” and “Field Names” radio buttons are selected under menu dropdown “Settings”/“User Parameters”. This is also where default width and number of records (hits) can be set.
  • 24. Microsoft Access Quick Lesson #1: Access Data Import
      • Select “No primary key”, enter the name to give the table containing the imported data and click “Finish”
      • Browse to and select the text file to be imported
      • Select “External Data” and “Text File” from the top menu
      • Select “Delimited” and “Other” with a delimiter of Vertical Bar
      • Define each field in the input file, checking the skip box for undesired fields. Be sure to set the correct “Data Type” for each field (for example, date fields)
      • Click “Advanced” to save the import specification for future use importing the same file.
  • 25. Microsoft Access Quick Lesson #1: Database Creation/Data Import (Demo)
  • 26. Microsoft Access Quick Lesson #2: Query Creation
  • 27. Microsoft Access Quick Lesson #2: Query Creation
      • Drag each table to be included in the query into the query design window.
      • Connect key fields between tables by clicking on one side and dragging to the other side.
  • 28. Microsoft Access Quick Lesson #2: Query Creation
      • Drag each field to be included in the query output to the query output layout boxes.
      • Add sort criteria, selection criteria and grouping as desired. Criteria entered in brackets ([]) will be asked for at query execution time.
      • Query output.
  • 29. Microsoft Access Quick Lesson #2: Query Creation (Demo)
  • 30. Access Database Full Automation (Overview Only)
  • 31. Security Analysis – Day To Day
      Example: Show status of transports (Security) progressing towards the production environments (Transport heat map)
      Tables (Input):
      • E070 - Change & Transport System: Header of Requests/Tasks (DEV/QA/PROD)
      • E071 - Change & Transport System: Object Entries of Requests/Tasks (DEV/QA/PROD)
      Reports (Output):
      Detailed
        Trans-Date | Trans-No   | Trans-User | Trans-Object
        23-Jan-08  | D10_P00035 | RS861390   | YRS:MF:MF:MAT_MD_MNT_PLT_FI
        23-Jan-08  | D10_P00035 | RS861390   | YRS:MF:MF:MAT_MD_MNT_PRC_FI
        23-Jan-08  | D10_P00035 | RS861390   | YRS:MF:MF:MAT_MD_MNT_SLS_S5
        23-Jan-08  | D10_P00035 | RS861390   | YRS:MF:MF:MAT_MD_PRD_HIER_MNT
        23-Jan-08  | D10_P00035 | RS861390   | YRS:MF:MF:MAT_MD_REQ
        23-Jan-08  | D10_P00035 | RS861390   | YRS:MF:MF:MAT_MD_REQ_APR
        23-Jan-08  | D10_P00035 | RS861390   | YRS:MF:MF:MAT_MD_REQ_PAPR
      Summary
        Trans-Date | Trans-User | Trans-No
        23-Jan-08  | RS861390   | D10_P00035
        09-Mar-08  | RS861390   | D10_P00001
        12-Sep-12  | 30153141   | D10K979034
        12-Sep-12  | 30153141   | D10K979035
        13-Sep-12  | 02040979   | S12K900745
  • 32. Security Analysis – Periodic
      Example: Quarterly SAP production user counts
      Tables (Input):
      • USR02 - Logon Data (Kernel-Side Use)
      • System Table (Internal To Database)
      • User Type Table (Internal To Database)
      • User Groupings Table (Internal To Database)
      Report (Output):
      • Users By Sector and Group
      • Users By System and Type
        SUBSYS     | UTYPE | UTYPENAME | COUNT
        X01CLNT000 | A     | DIALOG    | 110
        X01CLNT200 | A     | DIALOG    | 16965
        X1HCLNT200 | A     | DIALOG    | 73
        X1HCLNT200 | A     | DIALOG    | 119261
        X2HCLNT000 | A     | DIALOG    | 70
        X2HCLNT200 | A     | DIALOG    | 13358
        X11CLNT000 | B     | SYSTEM    | 85
        X11CLNT200 | B     | SYSTEM    | 97
        X1HCLNT000 | B     | SYSTEM    | 30
        X1HCLNT200 | B     | SYSTEM    | 40
        X2HCLNT000 | B     | SYSTEM    | 24
        X2HCLNT200 | B     | SYSTEM    | 30
        X11CLNT000 | S     | SERVICE   | 23
        X11CLNT200 | S     | SERVICE   | 345
        X1HCLNT000 | S     | SERVICE   | 16
        X1HCLNT200 | S     | SERVICE   | 39
        X2HCLNT000 | S     | SERVICE   | 17
        X2HCLNT200 | S     | SERVICE   | 34
  • 33. Security Analysis – Utility
      Example: Comparison of non-upgraded and upgraded system roles or same roles in two different systems (Security Differences)
      Tables (input):
      • AGR_1251 - Authorization data for the activity group (All but MANDT and VARIANT fields)
      • AGR_TCODES - Activity Group Menu Transactions (AGR_NAME and TCODE fields)
      Report (Output), columns: Role | Postrolename | In | Preobj | Postobj | Auth | Precombined | Preindfields
      • Role: P99:S:IT:ALE_SAP
        Postrolename: P99:S:IT:ALE_SAP
        In: T99
        Preobj: S_RFC
        Postobj: S_RFC
        Auth: ITALEBBSPP04
        Precombined: ROLE:P99:S:IT:ALE_SAP-OBJECT:S_RFC-FIELD:ACTVT:LOW:HIGH=16:NULL-FIELD:RFC_NAME:LOW:HIGH=IDOC_DATE_TIME_GET:NULL:LOW:HIGH=Y_RFC_DME_BUDGET:NULL:LOW:HIGH=Z_CAP_GET_PO_DETAILS:NULL:LOW:HIGH=Z_CREATE_CRMKUNNR_ENTRY:NULL:LOW:HIGH=Z_MATNR_GET_EAN11:NULL:LOW:HIGH=Z_TRANSFER_POSTING_MIGO:NULL:LOW:HIGH=ZSALES_BOM_EXTRACT:NULL:LOW:HIGH=ZSD_YAFL_EXTRACT:NULL-FIELD:RFC_TYPE:LOW:HIGH=FUNC:NULL
        Preindfields: ACTVT--RFC_NAME--RFC_TYPE==~16~NULL~IDOC_DATE_TIME_GET~NULL~FUNC~NULL~~~~~~~~~~~~~~
      • Role: P99:S:SEC:USER_ADM
        Postrolename: P99:S:SEC:USER_ADM
        In: T99
        Preobj: S_USER_GRP
        Postobj: S_USER_GRP
        Auth: SCUSERADMN0
        Precombined: ROLE:P99:S:SEC:USER_ADM-OBJECT:S_USER_GRP-FIELD:ACTVT:LOW:HIGH=ASTERISK:NULL-FIELD:CLASS:LOW:HIGH=ASTERISK:NULL
        Preindfields: ACTVT--CLASS==~ASTERISK~NULL~ASTERISK~NULL~~~~~~~~~~~~~~~
      • Role: P99:S:POM:COA_REL
        Postrolename: P99:S:COA_REL
        In: T99
        Preobj: S_USER_GRP
        Postobj: S_USER_GRP
        Auth: COA_REL00000
        Precombined: ROLE:P99:S:POM:COA_REL-OBJECT:S_USER_GRP-FIELD:ACTVT:LOW:HIGH=03:NULL-FIELD:CLASS:LOW:HIGH=$CLASS:NULL
        Preindfields: ACTVT--CLASS==~03~NULL~$CLASS~NULL~~~~~~~~~~~~~~~
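An added sketch of the role comparison on this slide (not the presenter's Access database): it flattens AGR_1251 rows into strings shaped like the slide's Precombined column and reports the strings that exist on only one side. The USER_ADM values in PRE follow the slide; the POST rows, the Z:IT:ALE role, the AUTH names and the function names are constructed for illustration.

```python
from collections import defaultdict

# AGR_1251 rows as (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH). The USER_ADM
# values in PRE follow the slide; POST, Z:IT:ALE and AUTH names are constructed.
PRE = [
    ("P99:S:SEC:USER_ADM", "S_USER_GRP", "AUTH_A00", "ACTVT", "*", ""),
    ("P99:S:SEC:USER_ADM", "S_USER_GRP", "AUTH_A00", "CLASS", "*", ""),
    ("Z:IT:ALE", "S_RFC", "AUTH_B00", "ACTVT", "16", ""),
    ("Z:IT:ALE", "S_RFC", "AUTH_B00", "RFC_TYPE", "FUNC", ""),
]
POST = [
    ("P99:S:SEC:USER_ADM", "S_USER_GRP", "AUTH_X00", "ACTVT", "08", ""),
    ("P99:S:SEC:USER_ADM", "S_USER_GRP", "AUTH_X00", "ACTVT", "03", ""),
    ("P99:S:SEC:USER_ADM", "S_USER_GRP", "AUTH_X00", "CLASS", "*", ""),
    ("Z:IT:ALE", "S_RFC", "AUTH_Y00", "ACTVT", "16", ""),
    ("Z:IT:ALE", "S_RFC", "AUTH_Y00", "RFC_TYPE", "FUNC", ""),
]

def token(value):
    """Spell out empty and wildcard values the way the slide's strings do."""
    return {"": "NULL", "*": "ASTERISK"}.get(value, value)

def combined(rows):
    """One canonical string per authorization; the AUTH name itself is left out."""
    groups = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        groups[(role, obj, auth)][field].append((low, high))
    result = set()
    for (role, obj, _auth), fields in groups.items():
        parts = [f"ROLE:{role}", f"OBJECT:{obj}"]
        for field in sorted(fields):
            values = "".join(f":LOW:HIGH={token(lo)}:{token(hi)}"
                             for lo, hi in sorted(fields[field]))
            parts.append(f"FIELD:{field}{values}")
        result.add("-".join(parts))
    return result

def compare(pre_rows, post_rows):
    """Return (only in pre, only in post) as sorted lists of strings."""
    pre, post = combined(pre_rows), combined(post_rows)
    return sorted(pre - post), sorted(post - pre)
```

Because the AUTH name is dropped from the string, an authorization that was only regenerated under a new name (Z:IT:ALE here) does not show up as a difference.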
  • 34. Security Analysis – Utility
      Example: Development – Versus – Quality – Versus – Test – Versus production role existence/role assignment
      Tables (input):
      • AGR_DEFINE – Activity Group Definitions (All Systems In Landscape)
      • AGR_USERS - Activity Group Texts (All Systems In Landscape)
      Report (Output):
        Column | Content Description
        Roleid | Yellow - downloaded/transported/deleted
        Parent role | Parent Role In Any System
        Assigned | Assigned In Any System
        Ever assign | Ever Assigned In PROD
        Last year | Last Year Assigned In PROD
        Dev | In DEV
        Dev create year | DEV Creation Year
        Dev assign | Assigned In DEV
        Maint | In MAINT
        Maint assign | Assigned In MAINT
        Qual | In QUAL
        Qual assign | Assigned In QUAL
        Prod | In PROD
        Prod assign | Assigned In PROD
        Prod not dev | In PROD But Not In DEV
        Prod not maint | In PROD But Not In MAINT
        Prod not dev or maint | In PROD But Not In DEV Or MAINT
        Dev not maint | In DEV But Not In MAINT
        Maint not dev | In MAINT But Not In DEV

        Roleid | Parent role | Assigned | Ever assign | Last year | Dev | Dev create year | Dev assign | Maint | Maint assign | Qual | Qual assign | Prod | Prod assign | Prod not dev | Prod not maint | Prod not dev or maint | Dev not maint | Maint not dev
        APL | No | Yes | Yes | 2012 | No |  | No | Yes | Yes | Yes | No | Yes | No | Yes | No | No | No | Yes
        APP_DEV_SUPPORT | Yes | Yes | No |  | Yes | 2002 | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No | No | No | No
        APP_DEV_SUPPORT_PRO | No | Yes | Yes | 2014 | Yes | 2002 | No | Yes | Yes | Yes | Yes | Yes | No | No | No | No | No | No
        APPLICATION_DEV | Yes | Yes | No |  | Yes | 2006 | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No | No | No | No
        APPLICATION_DEV_BI | No | Yes | Yes | 2007 | Yes | 2006 | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No | No | No | No
        APPROVA_BIZRIGHTS_DSP | No | No | No |  | Yes | 2006 | No | Yes | No | No | No | No | No | No | No | No | No | No
  • 35. Access Database Full Automation (Overview Only)
  • 36. Wrap-Up
      1. Research required SAP table(s) using DD02T table and/or Google.
      2. Use SE16 or a custom SE16-wrapper transaction to dump tables.
      3. Dump tables in unconverted .txt format.
      4. Import table(s) into Microsoft Access. Optionally create and save an Import Specification for future use importing the same table(s).
      5. Build queries matching up tables and/or creating intermediate work tables.
      6. Optionally build a fully automated database, depending on frequency of database usage and the end user(s) utilizing the database.
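Steps 2 to 5 above, sketched end to end as an added example (not from the presentation): Python's sqlite3 stands in for Microsoft Access, the bar-delimited export text and every user, role and date in it are constructed, and dates are assumed to be in YYYYMMDD form. It runs the Example 1 table combination (USR02, AGR_USERS, AGR_TEXTS) as of a given date and marks role assignments that are still valid on a user whose own validity has lapsed.

```python
import sqlite3

# Constructed bar-delimited exports (field names as header row). All users,
# roles and dates are invented; dates are assumed to be YYYYMMDD.
EXPORTS = {
    "USR02": """\
--------------------------------
|BNAME |CLASS|GLTGV   |GLTGB   |
|JDOE  |FIN  |20160101|20171231|
|ASMITH|SEC  |20150101|20161231|""",
    "AGR_USERS": """\
|AGR_NAME    |UNAME |FROM_DAT|TO_DAT  |
|Z_FI_DISPLAY|JDOE  |20160101|99991231|
|Z_FI_POST   |JDOE  |20160101|20161231|
|Z_NO_TEXT   |JDOE  |20170101|99991231|
|Z_USER_ADMIN|ASMITH|20150101|99991231|""",
    "AGR_TEXTS": """\
|AGR_NAME    |SPRAS|LINE |TEXT               |
|Z_FI_DISPLAY|E    |00000|FI display         |
|Z_USER_ADMIN|E    |00000|User administration|""",
}

def parse_se16(text):
    """Split a bar-delimited export into (field_names, rows), skipping rulers."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip().startswith("|")]
    table = [[cell.strip() for cell in ln[1:-1].split("|")] for ln in lines]
    return table[0], table[1:]

def load(db, name, text):
    fields, rows = parse_se16(text)
    if not all(f.isidentifier() for f in fields):   # header text becomes SQL
        raise ValueError(f"unexpected field name in {name}")
    db.execute(f'CREATE TABLE {name} ({", ".join(fields)})')
    db.executemany(f'INSERT INTO {name} VALUES ({", ".join("?" * len(fields))})', rows)

QUERY = """
SELECT u.BNAME, u.CLASS, a.AGR_NAME, t.TEXT,
       u.GLTGV <= :d AND (u.GLTGB IN ('', '00000000') OR u.GLTGB >= :d) AS user_valid
FROM USR02 u
JOIN AGR_USERS a ON a.UNAME = u.BNAME
LEFT JOIN AGR_TEXTS t ON t.AGR_NAME = a.AGR_NAME AND t.SPRAS = 'E' AND t.LINE = '00000'
WHERE a.FROM_DAT <= :d AND a.TO_DAT >= :d
ORDER BY u.BNAME, a.AGR_NAME"""

def role_assignments(as_of):
    db = sqlite3.connect(":memory:")
    for name, text in EXPORTS.items():
        load(db, name, text)
    return db.execute(QUERY, {"d": as_of}).fetchall()
```

The `:d` parameter plays the part of a bracketed criterion that Access asks for at query execution time, and the LEFT JOIN keeps roles that have no text row.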
  • 40. “ACCESS”ing Your SAP Security Data (BITI7186). Dennis A. Dargel - Senior Solution Architect/Manager - Capgemini. Thank you for attending my session! For questions, contact me at: Don’t forget to fill out the Session Evaluation on the Mobile App!