csi tools sap authorization presentation troopers 2014

SAP Authorizations: Is it now difficult or easy? Johan Hermans CEO [email protected] SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage

Upload: csi-tools

Post on 07-Nov-2014

Page 1: CSI tools SAP Authorization Presentation TROOPERS 2014

SAP Authorizations:

Is it now difficult or easy?

Johan Hermans CEO [email protected]

SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage

Page 2

© CSI tools. All Rights Reserved.

Johan Hermans

Licentiate commercial and financial sciences, 1992, EHSAL, specialization accountancy

Certified Information Systems Auditor (CISA), 1997

Certified BBP mySAP.com Consultant, 2000

Certified SAP NetWeaver Security Consultant, 2004

Certified Information Security Manager (CISM), 2005

Certified in Risk and Information System Control (CRISC) 2011

Founder of CSI tools in 1997

Assisted over 400 companies and organizations to improve the access rights in SAP environments

Page 3

SAP authorizations

The basics of SAP authorizations are not understood.

People make it way too complex.

Let us start with some eye-openers.

Page 4

Demonstration in SAP R/3

Parameter Transactions

Page 5

Demonstration in SAP R/3

You can post an A/P document with an A/R transaction

Page 6

Also with Enjoy transactions

You can post an A/P document with an A/R transaction

Page 7

Report Tree Transactions Give Access

OB52: C FI Maintain Table T001B, reached via
S_ALR_87003642: IMG Activity: SIMG_CFMENUORFBOB52

PFCG: Role Maintenance, reached via
S_ALR_87003541: IMG Activity: ORIP_SU01
S_ALR_87003755: IMG Activity: SIMG_CFMENUORK1PFCG
S_ALR_87005766: IMG Activity: SIMG_CFMENUORKEPFCG
S_BCE_68000373: IMG Activity: PROF_GEN_PFCG

Page 8

Demonstration in SAP R/3

Start transaction code SE37
Execute function module 'SUPRN_INS_OR_DEL_PROFILE'
Enter user-id, profile (here SAP_ALL) to add, and action

Required authorizations:
S_TCODE = SE37
S_DEVELOP with ACTVT = 03, 16; OBJTYPE = FUGR; OBJNAME = SUPRN

Page 9

Execute any ABAP, function module, … via SM37

Start transaction SM37
Select a Job
Select a Step
Select a Program
GoTo Program
Other Object (Shift + F5)
Test (F8)

Page 10

Demonstration in SAP R/3

Using RFC you can download all table content without SE16.

Page 11

Two Core Elements in SAP Application Security

Key questions: how many transaction codes and authorization objects exist in an SAP ECC 6.0 system, and what is their purpose?

Typical reply by security administrators:
               Transaction codes           Authorization objects
  How many?    20.000                      A multiple of 20k
  Purpose?     To manage access rights     To restrict on organizational levels

Reality:
               Transaction codes           Authorization objects
  How many?    + 150.000                   1.000 for "R/3" functionality
  Purpose!     Only first line of defense  To manage access rights

Page 12

Manage with +1.000 SAP authorization objects and not +150.000 transactions

9 for posting FI documents: F_BKPF_...
9 for vendor master data: F_LFA1_...
9 for customer master data: F_KNA1_...
24 for material master data: M_MATE_...
2 for payments: F_REGU_...
_____________________________________________
1.000 objects are grouped into 300 (example: company code, BUKRS)

Your authorization requirements can be simplified into 300 one-liners.

Page 13

+150.000 transaction codes: nobody can know them all, which is THE risk

[Diagram: entry points (command field, DATA tables, transaction code, menu, ABAP programs) pass the TSTCA check and the S_TCODE transaction code check (!! only once !!), and then the authority check on authorization objects.]

Page 14

Most applications audit only on +500 transaction codes with a path defined

[Diagram: user interface -> application server -> database server (data to be protected). Transactions F-22 and FB01 enter programs SAPMF05A / SAPMF05ATOP and reach the same Authority Check F_BKPF_ with ACTVT = 01 (!). 150.000 possible entries and 300 kinds of objects give millions of combinations.]

Page 15

Authority checks are sequential: you cannot tell which path will be followed!
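The point of pages 13 to 16 (S_TCODE is checked once at the start, the object check is what actually guards the data, and many transactions end at the same check) is easier to see with a small model. The following is an added example, not code from the CSI tools deck: it implements the usual AUTHORITY-CHECK value semantics ('*', prefix wildcards, BT ranges, one instance must cover all checked fields), then answers "who can post in company code 1000" on F_BKPF_BUK rather than on a transaction code, and lists the two inconsistencies the deck asks for. The users, their roles and values are constructed; the object and field names are SAP's.

```python
# Added example (not code from the CSI tools deck): a minimal model of SAP's
# AUTHORITY-CHECK semantics, used to ask "who can post FI documents in company
# code 1000?" on the authorization object instead of on transaction codes, and to
# list the two inconsistencies the deck calls out: users who can start the
# transaction but lack the object, and users who hold the object without the tcode.
# Users, roles and values below are constructed; object and field names are SAP's.
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization instance: an object plus field -> allowed values."""
    obj: str
    fields: dict  # field name -> list of values; a value is a str or a (lo, hi) BT range


def value_matches(allowed, value):
    """Assumed SAP value semantics: '*' matches all, 'AB*' is a prefix wildcard,
    (lo, hi) is an inclusive range compared as strings, anything else is exact."""
    if isinstance(allowed, tuple):
        lo, hi = allowed
        return lo <= value <= hi
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return value.startswith(allowed[:-1])
    return allowed == value


def instance_satisfies(auth, obj, required):
    """A single instance must cover every checked field; SAP never combines the
    BUKRS of one instance with the ACTVT of another."""
    if auth.obj != obj:
        return False
    return all(
        any(value_matches(a, val) for a in auth.fields.get(fld, []))
        for fld, val in required.items()
    )


def authority_check(user_auths, obj, **required):
    return any(instance_satisfies(a, obj, required) for a in user_auths)


# Constructed users. BOB has no FB01, but F-22/FB60 end at the same F_BKPF_BUK check;
# CAROL can start FB01 yet only holds display (ACTVT 03); DAVE holds the posting
# authorization with no FI transaction at all ("potential access").
USERS = {
    "ALICE": [Authorization("S_TCODE", {"TCD": ["FB01"]}),
              Authorization("F_BKPF_BUK", {"ACTVT": ["01", "03"], "BUKRS": ["1000"]})],
    "BOB":   [Authorization("S_TCODE", {"TCD": ["F-22", "FB60"]}),
              Authorization("F_BKPF_BUK", {"ACTVT": ["01"], "BUKRS": [("1000", "2999")]})],
    "CAROL": [Authorization("S_TCODE", {"TCD": ["FB*"]}),
              Authorization("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["*"]})],
    "DAVE":  [Authorization("S_TCODE", {"TCD": ["SE16"]}),
              Authorization("F_BKPF_BUK", {"ACTVT": ["01"], "BUKRS": ["1000"]})],
}


def who_can(obj, **required):
    """Users whose authorizations pass the check, whatever tcode they hold."""
    return sorted(u for u, auths in USERS.items() if authority_check(auths, obj, **required))


def who_can_start(tcode):
    """Users who pass the one-time S_TCODE check for a transaction."""
    return who_can("S_TCODE", TCD=tcode)


def inconsistencies(tcode, obj, **required):
    """(can start the tcode but fail the data check,
        can pass the data check without holding the tcode)"""
    starters = set(who_can_start(tcode))
    doers = set(who_can(obj, **required))
    return sorted(starters - doers), sorted(doers - starters)


if __name__ == "__main__":
    print("can start FB01:", who_can_start("FB01"))
    print("can post in 1000:", who_can("F_BKPF_BUK", ACTVT="01", BUKRS="1000"))
    print("inconsistencies:", inconsistencies("FB01", "F_BKPF_BUK", ACTVT="01", BUKRS="1000"))
```

A transaction-code audit of FB01 would list ALICE and CAROL; the object-level question lists ALICE, BOB and DAVE. The two lists differ in both directions, which is the deck's "who can start the transaction" versus "who has access to the data" inconsistency, and only the second list matters for the data.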

Page 16

Reveal inconsistencies: who has access to the data, who can start the transaction

[Same diagram as page 14: user interface -> application server -> database server; transactions F-22 and FB01 (programs SAPMF05A / SAPMF05ATOP) reach the same Authority Check F_BKPF_ with ACTVT = 01; 150.000 possible entries, 300 kinds of objects, millions of combinations.]

Page 17

Find inconsistencies in what people can do, did and can almost do

[Diagram: entry points (command field, DATA tables, transaction code, menu, ABAP programs) set against Confidentiality, Integrity and Availability, with the question "Authorizations ?": the authorization objects F_BKPF_* are reached from transactions FB01, F-22, ABAD, F-91, F.43, F.18, FB60, FB75, …]

Page 18

Role Concept Challenges

Multiple users need multiple transactions.
Users need only access to specific data in display or maintenance mode; they use transactions to get there.
SAP has some 100.000 transactions.
The number of users can vary from 20 to 1.000.000.
The average number of used transactions within a company can vary over time from 2000 to 8000.

Let's make a case: 600 users, 3000 tcodes …

Page 19

Possible Scenarios: Extreme Cases

[Diagram: 600 Users, 3000 Transactions. Organizational extreme: 600 Roles (what + where). Technical extreme: 3000 Roles (what; 1 role / transaction) or 12000 Roles (what + where).]

Page 20

Possible Scenarios: 1 Role per User (600 Users, 600 Roles)

Technical
  Advantages: Easy to build: group transactions and create the role
  Disadvantages: Cannot separate "create for company code 1000" and "display for company code 3000" without breaking PFCG best practices

Functional
  Advantages: Nice overview of all transactions per user
  Disadvantages:
  • Complex and often long interviewing cycles
  • Nightmare from a change management perspective
  • Unclear ownership (access to multiple (sub)processes and organizational data in one role)
  • SoD rule changes have a major impact on the roles

Page 21

Possible Scenarios: 1 Role per Transaction (3000 Transactions, 3000 Master Roles)

Technical
  Advantage: Very easy to build: put each transaction in a separate role
  Disadvantages:
  • Huge amount of roles to initially create and to maintain after data restriction changes
  • A user cannot have more than 300 assigned roles (*)

Functional
  Advantage: Very transparent; all is at user assignment level
  Disadvantage:
  • Heavy user request procedure: the user needs to request 300 to 400 roles and does not have this knowledge

(*) Simplified: the real limit is 312 profiles per user-id

Page 22

Possible Scenarios: Solution in Between

[Same diagram as page 19 (600 Users, 3000 Transactions; Organizational: 600 Roles; Technical: 3000 Roles / 12000 Roles, 1 role / transaction), with a "what + where" solution placed between the two extremes.]

Page 23

Possible Scenarios: Intermediate Conclusion

Technical view: an SAP role concept built on the technical view needs grouping of transactions.

Organizational view: an SAP role concept built on the organizational view needs roles that are transparent for business, easy to manage and flexible; intelligent grouping of transactions and authorizations is needed.

Page 24

Try to Group 2 Transaction Codes in 1 Role

FK01 (create vendor for company code 1000, $BUKRS = 1000):
F_LFA1_APP ACTVT 01
F_LFA1_APP APPKZ F
F_LFA1_BUK ACTVT 01
F_LFA1_BUK BUKRS $BUKRS
F_LFA1_GEN ACTVT 01
F_LFA1_GRP ACTVT 01
F_LFA1_GRP

FB03 (display all A/P postings, $BUKRS = *):
F_BKPF_BUK ACTVT 03
F_BKPF_BUK BUKRS $BUKRS
F_BKPF_KOA ACTVT 03
F_BKPF_KOA KOART K

FK01 and FB03 in one role (create vendor for company code 1000 and display all A/P postings, $BUKRS = ????):
F_LFA1_APP ACTVT 01
F_LFA1_APP APPKZ F
F_LFA1_BUK ACTVT 01
F_LFA1_BUK BUKRS $BUKRS
F_LFA1_GEN ACTVT 01
F_LFA1_GRP ACTVT 01
F_LFA1_GRP
F_BKPF_BUK ACTVT 03
F_BKPF_BUK BUKRS $BUKRS
F_BKPF_KOA ACTVT 03
F_BKPF_KOA KOART K

Technical issue: * vs 1000 for the same organizational level field (the "where"), while the "what" differs per transaction.

Different business processes use the same master data, so process-based grouping is NOT the solution.
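The grouping problem above and the data-level alternative on the next two pages can be worked through mechanically. The following is an added example, not the deck's own code: the two transaction templates carry the object/field values from this page, a PFCG-style role is modelled as holding exactly one value for its organizational level $BUKRS, and the code shows that a single grouped role either under-grants (display limited to 1000) or over-grants (vendor creation everywhere), whereas one role per data requirement meets the requirement exactly. The role layout, the requirement list and the minimal check function are constructed for the example.

```python
# Added example (not the deck's own code): the FK01 + FB03 grouping problem from
# page 24 and the data-level alternative from pages 25-26. A PFCG-style role
# carries one value per organizational level, modelled here by the placeholder
# $BUKRS. Object/field values come from the slide; roles and checks are constructed.
ORG_LEVEL = "$BUKRS"

FK01 = {  # create vendor
    ("F_LFA1_APP", "ACTVT"): {"01"}, ("F_LFA1_APP", "APPKZ"): {"F"},
    ("F_LFA1_BUK", "ACTVT"): {"01"}, ("F_LFA1_BUK", "BUKRS"): {ORG_LEVEL},
    ("F_LFA1_GEN", "ACTVT"): {"01"}, ("F_LFA1_GRP", "ACTVT"): {"01"},
}
FB03 = {  # display FI document
    ("F_BKPF_BUK", "ACTVT"): {"03"}, ("F_BKPF_BUK", "BUKRS"): {ORG_LEVEL},
    ("F_BKPF_KOA", "ACTVT"): {"03"}, ("F_BKPF_KOA", "KOART"): {"K"},
}

# The requirement from the slide: create vendors in 1000, display A/P postings everywhere.
REQUIREMENTS = [(FK01, "1000"), (FB03, "*")]


def merge(*templates):
    """Union the field values of several transaction templates into one role."""
    out = {}
    for t in templates:
        for key, vals in t.items():
            out.setdefault(key, set()).update(vals)
    return out


def resolve(template, bukrs):
    """Fill the organizational level with one concrete value, as PFCG does per role."""
    return {k: {bukrs if v == ORG_LEVEL else v for v in vals} for k, vals in template.items()}


def org_level_conflict(requirements):
    """Distinct $BUKRS values demanded by templates that would share one role."""
    wanted = {bukrs for t, bukrs in requirements if any(ORG_LEVEL in v for v in t.values())}
    return sorted(wanted) if len(wanted) > 1 else []


def allows(role, obj, **required):
    """Minimal authority check over a role's field values ('*' or exact match).
    Simplification: one merged authorization per object, which is exactly what
    grouping into a single role produces for the org-level field."""
    return all(
        any(v == "*" or v == val for v in role.get((obj, fld), set()))
        for fld, val in required.items()
    )


def allows_any(roles, obj, **required):
    """A user assigned several roles passes if any one of them passes."""
    return any(allows(r, obj, **required) for r in roles)


def data_level_roles(requirements):
    """One role per data requirement: each keeps its own 'where' value."""
    return [resolve(t, bukrs) for t, bukrs in requirements]


if __name__ == "__main__":
    print("conflicting $BUKRS values:", org_level_conflict(REQUIREMENTS))
    grouped_1000 = resolve(merge(FK01, FB03), "1000")
    grouped_all = resolve(merge(FK01, FB03), "*")
    print("grouped@1000 can display docs in 2000:",
          allows(grouped_1000, "F_BKPF_BUK", ACTVT="03", BUKRS="2000"))
    print("grouped@* can create vendor in 2000:",
          allows(grouped_all, "F_LFA1_BUK", ACTVT="01", BUKRS="2000"))
    roles = data_level_roles(REQUIREMENTS)
    print("data-level can display docs in 2000:",
          allows_any(roles, "F_BKPF_BUK", ACTVT="03", BUKRS="2000"))
    print("data-level can create vendor in 2000:",
          allows_any(roles, "F_LFA1_BUK", ACTVT="01", BUKRS="2000"))
```

Run as a script it reports the conflict (`*` and `1000` demanded for one org level), shows that the grouped role fixed at 1000 cannot display documents of company code 2000 while the grouped role fixed at `*` creates vendors in 2000, and that the two data-level roles do neither wrong thing.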

Page 25

Possible Scenarios: Data Level Based!

9 for posting FI documents: F_BKPF_...
9 for vendor master data: F_LFA1_...
9 for customer master data: F_KNA1_...
24 for material master data: M_MATE_...
2 for payments: F_REGU_...
_____________________________________________
1.000 objects are grouped into 300 (example: company code, BUKRS)

Your authorization requirements need to be simplified into 300 one-liners.

Page 26

Possible Scenarios: Data Level Based?

post FI docs (FB01): F_BKPF_... ACTVT 01 BUKRS 1000
display vendor master data: F_LFA1_... ACTVT 03 BUKRS *
update customer master data: F_KNA1_... ACTVT 02 BUKRS 2000
display material master: M_MATE_... ACTVT 03 WERKS 3000

Full flexibility on "what" and "where"

Page 27

Conclusion

Identifying who can do what is extremely difficult:
a million ABAPs, +150k transaction codes, RFC and Web Dynpros … nobody knows all possibilities!

SAP authorizations are extremely easy:
If you have the core authorization, you have potential access.
If you should not have access, remove the core authorization.

And do not forget that authority checks are a completely different story!

Use applications that focus on authorizations and not on transaction codes.

Page 28

Small last remark

Do not forget that you can disable authority checks!
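One place where this remark bites is the global deactivation of authorization objects: in SAP the profile parameter auth/object_disabling_active controls whether objects may be switched off, and table TOBJ_OFF lists the objects that have been. The following is an added example, not the deck's own code, of a defender's check over those two sources: it parses a constructed instance-profile excerpt and a constructed dump of TOBJ_OFF and reports findings, rating a deactivated object higher when it belongs to the FI/MM object families the deck singles out. The export format, the file contents and the severity scheme are assumptions for the example.

```python
# Added example (not the deck's own code): a defender's check for the "you can
# disable authority checks" remark. It reads two constructed text exports: an
# instance-profile excerpt ('name = value' lines) and a dump of table TOBJ_OFF,
# the list of globally deactivated authorization objects. The profile parameter
# auth/object_disabling_active and table TOBJ_OFF are standard SAP; the export
# format and all values here are assumptions for the example.
PROFILE = """
# constructed instance profile excerpt
login/min_password_lng = 8
auth/object_disabling_active = Y
"""

TOBJ_OFF_EXPORT = """
# constructed dump of TOBJ_OFF, one deactivated object per line
F_BKPF_BUK
M_MATE_WRK
"""

# Object families the deck names as the core of FI/MM data protection.
CORE_PREFIXES = ("F_BKPF_", "F_LFA1_", "F_KNA1_", "M_MATE_", "F_REGU_")


def parse_profile(text):
    """Parse 'name = value' lines; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_tobj_off(text):
    """Return the set of object names listed in the TOBJ_OFF dump."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def check_disabled_objects(profile_text, tobj_off_text):
    """Return (severity, message) findings; an empty list means nothing to report."""
    findings = []
    params = parse_profile(profile_text)
    flag = params.get("auth/object_disabling_active")
    if flag is None:
        findings.append(("INFO", "auth/object_disabling_active not in this excerpt; "
                                 "verify the effective value on the system"))
    elif flag.upper() == "Y":
        findings.append(("MEDIUM", "auth/object_disabling_active = Y: global deactivation "
                                   "of authorization objects is possible; set it to N"))
    for obj in sorted(parse_tobj_off(tobj_off_text)):
        severity = "HIGH" if obj.startswith(CORE_PREFIXES) else "MEDIUM"
        findings.append((severity, f"{obj} is globally deactivated (TOBJ_OFF): "
                                   f"every AUTHORITY-CHECK on it succeeds"))
    return findings


if __name__ == "__main__":
    for severity, message in check_disabled_objects(PROFILE, TOBJ_OFF_EXPORT):
        print(f"[{severity}] {message}")
```

With the constructed inputs the check yields one MEDIUM finding for the parameter and two HIGH findings, one for F_BKPF_BUK and one for M_MATE_WRK, since a deactivated object makes the "core authorization" of the conclusion irrelevant: nobody needs it any more.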

Page 29

Thank you!

Any Questions?

Johan Hermans CEO [email protected]