basis security

Upload: dmanvzla

Post on 30-May-2018


8/14/2019 Basis Security

file:///G|/basis%20security.txt

    eel ahmed

1. What is a composite profile?
Composite profiles are a set of two or more authorization profiles, both simple and composite. A composite profile can contain an unlimited number of profiles. Composite profiles are suitable for users who have multiple responsibilities or job tasks in the system. These profiles are sometimes known as reference profiles for assigning larger groups of access privileges, and they make it possible to better match users with several responsibilities.
Example: SAP_ALL

What is an authorization?
An authorization provides permission to access certain transactions, reports or data. For each user activity or transaction an authorization check is performed to see if the required authorizations have been provided to the user. Authorizations limit access to transactions and objects in the R/3 system. An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

What is a profile?
A profile is a set of authorizations, assigned to user master records, to access certain transactions, reports or data.

What is the Profile Generator?
The Profile Generator allows authorization administrators to automatically generate and assign authorization profiles. Released with 3.1G, this tool accelerates R/3 implementation by simplifying the task of setting up the authorization environment. The administrator needs only to configure customer-specific settings. The Profile Generator is a new approach to defining the authorization environment: the administrator no longer uses authorization objects directly to define authorizations for the various user groups.

What is security? Why is it needed? Explain.
This unit focuses on the R/3 user within the R/3 System. However, it is important for the R/3 System administrator to control access to both the operating system (OS) where the R/3 Systems reside and the database (DB). External user IDs exist at both the OS and DB levels that could be used to disrupt normal operation of the R/3 System. Access to the R/3 System is controlled at the client level. Each R/3 user must have a user master record in the client in which that user will work. In R/3, authorizations are used to restrict access to programs and data.

How can you modify or add authorizations (after getting the user dump or user trace)?
Ans: By using SU24 (this is possible through expert mode only) or manually at the authorizations screen. If we run SU24 and modify the required authorization object, then it shows the authorization status

file:///G|/basis%20security.txt (1 of 5) 11/21/2006 11:26:33 PM


as "standard". If you do the modification manually, by choosing the "Manually" button at the authorizations screen and adding or modifying the required authorization object in the role or profile, then it shows the authorization status as "manual". After that you need to regenerate the profile and the role too.

2. What is an authorization object?
An object class is a logical grouping of authorization objects that share a similar purpose or business area. For example, the object class Basis: Administration contains authorization objects that control access to Basis transactions.

The authorization object is the template from which an authorization is created. It is used in the ABAP code for authorization checks. Each object has up to 10 fields that are checked using AND logic before access is granted to the desired transaction.

What are the authorization statuses on the screen while you are generating profiles?
Ans: standard, maintained, changed, manually, old, new.

While generating roles, the user tab shows different coloured symbols. What are they? Explain.
Ans: green, yellow and red.
Green: all authorizations have been maintained
Yellow: some authorizations must still be maintained
Red: organizational levels must be maintained

An activity group may contain one-to-many (1-n) profiles depending upon the transactions selected from the company menu. If more than 150 authorizations are required for the transactions selected, multiple profiles are generated.

RSUSR003 Checks for default passwords on user IDs SAP* and DDIC
RSUSR005 Lists users with critical authorizations
RSUSR006 Lists users who are locked due to incorrect logon. This report should be scheduled to run each day, just before midnight.
RSUSR007 Lists users with incomplete address data
RSUSR008 Lists users with critical combinations of authorizations or transactions
RSUSR009 Lists users with critical authorizations, with the option to select the critical authorizations
RSUSR100 Lists change documents for users and shows changes made to a user's security
RSUSR101 Lists change documents for profiles and shows changes made to security profiles
RSUSR102 Lists change documents for authorizations and shows changes made to security authorizations

USR01 contains the runtime data of the user master records
USR02 is the table containing logon information such as the password
USR03 includes the users' address information
USR04 contains users' authorizations
USR05 is the users' parameter ID table


USR09 contains user menus
USR10 is the table for user authorization profiles
USR11 contains the descriptive texts for profiles
USR12 is the user master authorization values table
USR13 contains the descriptive short texts for authorizations
USR14 contains the logon language versions per user
USR30 includes additional information for user menus

TRDIR contains program authorization group assignments
TDDAT contains table authorization group assignments
USH02, USH04, USH10 and USH12 contain the user, profile and authorization change history data.

Tables related to authorization objects and authorization fields are as follows:

TOBJ is the authorization objects table, containing the authorization fields for each object.

TACT contains the list of standard activities for authorization fields in the system.

TACTZ is the table which defines the relationship between the authorization objects and the activities in those objects that contain the Activity authorization field.

TSTC is the transaction code table, where authorization objects and values can be defined.

A client is locked with the function module SCCR_LOCK_CLIENT and unlocked with SCCR_UNLOCK_CLIENT.

What are user groups? Explain.
User groups are created by an administrator to organize users into logical groups and apply security, such as: Basis, Finance, Shipping, Purchasing, Sales, depending on the functionality of the users.

What is a role? Explain.
A ROLE describes the job position or activity of a user.

What is your minimum length for passwords?
Set the profile parameter login/min_password_lng. Default = 3
Do users have to change their passwords on a regular basis?


Set the profile parameter login/password_expiration_time. Default = 0 (users do not have to change passwords)
Do you monitor unsuccessful logon attempts on a regular basis (daily)?
Report RSUSR006 shows all unsuccessful logon attempts by a known user and all user locks.
Have you set session termination after a number of unsuccessful logon attempts?
Set the profile parameter login/fails_to_session_end. Default = 3
Have you activated automatic logoff for idle users?
Set the profile parameter rdisp/gui_auto_logout. Default = 0 (off)
Do you have users locked after a number of unsuccessful logon attempts? Is the default (12) appropriate or have you changed the value?
Set the profile parameter login/fails_to_user_lock. Default = 12
Does your R/3 System automatically remove user locks at midnight on the same day?
Set the profile parameter login/failed_user_auto_unlock. Default = 1 (yes)
login/min_password_diff Default = 1
auth/no_check_in_some_cases Default = Y

PARAMETER                          DEFAULT
login/create_sso2_ticket           0
login/disable_cpic                 0
login/disable_multi_gui_login      0
login/disable_multi_rfc_login      0
login/disable_password_logon       0
login/failed_user_auto_unlock      1
login/fails_to_session_end         3
login/fails_to_user_lock           12
login/min_password_diff            1
login/min_password_digit           0
login/min_password_letters         0
login/min_password_lng             3
login/min_password_specials        0
login/no_automatic_user_sapstar    0
login/password_change_for_SSO      -1
login/password_expiration_time     0
login/password_logon_usergroup
login/password_max_new_valid       0
login/password_max_reset_valid     0
login/system_client                000
login/ticket_expiration_time       60
login/ticket_only_by_https         0
login/ticket_only_to_host          0
login/ticketcache_entries_max      1000
login/ticketcache_off              0
login/update_logon_timestamp       m


    rdisp/gui_auto_logout Default value: 0
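The defaults listed above are what an instance runs with when a parameter is not set in its profile, which is why an audit must fall back to the default rather than skip unset parameters. The following is an added example, not part of the original notes: it parses DEFAULT.PFL-style "name = value" lines and reports logon parameters that are still at a weak value. The parameter names and defaults are those from the table; the acceptable thresholds are this example's own assumptions, not SAP guidance, and the sample profile is constructed.

```python
# Defaults from the parameter table above; used when the profile does not set
# the parameter, so that leaving one out cannot hide a weak default.
DEFAULTS = {
    "login/min_password_lng": "3",
    "login/password_expiration_time": "0",
    "login/fails_to_user_lock": "12",
    "login/failed_user_auto_unlock": "1",
    "login/no_automatic_user_sapstar": "0",
    "rdisp/gui_auto_logout": "0",
}
# parameter -> (finding text, predicate that is True when the integer value is acceptable)
RULES = {
    "login/min_password_lng": ("minimum password length too short", lambda v: v >= 8),
    "login/password_expiration_time": ("passwords never expire", lambda v: v > 0),
    "login/fails_to_user_lock": ("user lock threshold too high", lambda v: v <= 5),
    "login/failed_user_auto_unlock": ("user locks removed automatically at midnight", lambda v: v == 0),
    "login/no_automatic_user_sapstar": ("automatic SAP* user not disabled", lambda v: v == 1),
    "rdisp/gui_auto_logout": ("idle users are never logged off", lambda v: v > 0),
}

def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment, other lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def audit_profile(text):
    """Return {parameter: (effective value, finding)} for every rule that fails."""
    params = parse_profile(text)
    findings = {}
    for name, (message, acceptable) in RULES.items():
        raw = params.get(name, DEFAULTS[name])   # effective value = set or default
        if not acceptable(int(raw)):
            findings[name] = (raw, message)
    return findings

# Constructed sample profile: some weak defaults were changed, others left in place.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = DEV            # constructed instance profile
login/min_password_lng = 8
login/password_expiration_time = 90
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 1800
"""
```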

SAP_ADM_AU: Authorization data administrator, who creates roles (transaction selection and authorization data), selects transactions, and maintains authorization data. However, the authorization data administrator can only save data in the Profile Generator, since he or she is not authorized to generate the profile. He or she accepts the default profile name T_.... when doing this.

SAP_ADM_PR: Authorization profile administrator, who checks and approves the data and generates the authorization profile. To do this, he or she chooses All Roles in transaction SUPC and then specifies the abbreviation of the role to be edited. On the following screen, he or she checks the data by choosing Display Profile.

SAP_ADM_US: User administrator, who maintains the user data with the user maintenance transaction (SU01) and assigns roles to the users. This enters the approved profiles in the master records of the users.

These authorization checks are performed before the start of a program or table maintenance, and the SAP applications cannot avoid them:
Starting SAP transactions (authorization object S_TCODE)
Starting reports (authorization object S_PROGRAM)
Calling RFC function modules (authorization object S_RFC)
Table maintenance with generic tools (authorization object S_TABU_DIS)

You can lock a system at the OS level by running: tp locksys pf=tpprofile
Example: To lock your DEV system enter this command: tp locksys DEV pf=\\saptranshost\sapmnt\trans\bin\tp_domain_dev.pfl
Users will get this message if they attempt to log on: "Upgrade still running. Logon not possible".

Notice that the message is not exactly accurate. tp locksys is mainly used during release upgrades, so the message is kind of generic. But it works!
To unlock the system, run: tp unlocksys pf=tpprofile

Now you can tell your boss that you know how to keep the users off the system! Only SAP* and DDIC can log on to any of the clients in a system that has been locked.

The idea is to check whether SAP* is present in the client you want.
Command: SELECT * FROM USR02 WHERE MANDT='XXX' AND BNAME='SAP*' (MANDT here is the client) ... this is an optional step ...

Delete the record SAP* ON THE REQUIRED CLIENT ONLY in table USR02.
Command: DELETE FROM USR02 WHERE MANDT='XXX' AND BNAME='SAP*'
