CSI tools: SAP Authorization Presentation, TROOPERS 2014 (transcript)
SAP Authorizations: Is it now difficult or easy?
Johan Hermans, CEO, [email protected]
SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage
© CSI tools. All Rights Reserved.
Johan Hermans
Licentiate in commercial and financial sciences, 1992, EHSAL, specialization in accountancy
Certified Information Systems Auditor (CISA), 1997
Certified BBP mySAP.com Consultant, 2000
Certified SAP NetWeaver Security Consultant, 2004
Certified Information Security Manager (CISM), 2005
Certified in Risk and Information System Control (CRISC), 2011
Founder of CSI tools in 1997
Assisted over 400 companies and organizations in improving access rights in SAP environments
SAP authorizations
The basics of SAP authorizations are not understood.
People make it way too complex.
Let us start with some eye-openers.
Demonstration in SAP R/3
Parameter Transactions
Demonstration in SAP R/3
You can post an A/P document with an A/R transaction
Also with Enjoy transactions
You can post an A/P document with an A/R transaction
Report Tree Transactions Give Access
Each report-tree (IMG activity) transaction below starts the same function as the transaction it is listed under, so a user without S_TCODE for OB52 or PFCG can still reach them through one of these codes.
OB52: C FI Maintain Table T001B
  S_ALR_87003642: IMG Activity SIMG_CFMENUORFBOB52
PFCG: Role Maintenance
  S_ALR_87003541: IMG Activity ORIP_SU01
  S_ALR_87003755: IMG Activity SIMG_CFMENUORK1PFCG
  S_ALR_87005766: IMG Activity SIMG_CFMENUORKEPFCG
  S_BCE_68000373: IMG Activity PROF_GEN_PFCG
  …
Demonstration in SAP R/3
Start transaction code SE37
Execute function module 'SUPRN_INS_OR_DEL_PROFILE'
Enter the user-id, the profile to add (here SAP_ALL) and the action
Required authorizations:
S_TCODE TCD = SE37
S_DEVELOP ACTVT = 03, 16; OBJTYPE = FUGR; OBJNAME = SUPRN
Note that no S_USER_* authorization appears in this list: the function module is called directly from the SE37 test frame, so the user and role maintenance transactions and the checks they perform are never involved. ACTVT 16 (Execute) on S_DEVELOP for function groups is therefore a critical authorization in its own right.
Execute any ABAP, function module, … via SM37
Start transaction SM37
Select a job
Select a step
Select a program
Goto → Program
Other Object (Shift+F5)
Test (F8)
Demonstration in SAP R/3
Using RFC, you can download all table content without SE16.
Two Core Elements in SAP Application Security
Key questions: how many transaction codes and authorization objects exist in an SAP ECC 6.0 system, and what is their purpose?

                                    Transaction codes            Authorization objects
Typical reply by security admins:   20.000                       a multiple of 20k
Purpose?                            to manage access rights      to restrict on organizational levels
Reality:                            more than 150.000            about 1.000 for "R/3" functionality
Purpose!                            only a first line of defense to manage access rights
Manage with the 1.000+ SAP authorization objects, not with the 150.000+ transactions
9 objects for posting FI documents: F_BKPF_...
9 objects for vendor master data: F_LFA1_...
9 objects for customer master data: F_KNA1_...
24 objects for material master data: M_MATE_...
2 objects for payments: F_REGU_...
_____________________________________________
The 1.000 objects fall into about 300 kinds (example: the objects keyed on company code, BUKRS), so your authorization requirements can be simplified into 300 one-liners.
More than 150.000 transaction codes: nobody can know them all, which is THE risk
[Diagram: command field or menu → transaction code → S_TCODE check (transaction code check, done only once!) and TSTCA check → ABAP programs → authority checks on authorization objects → DATA tables]
Most applications audit only some 500 transaction codes with a path defined
[Diagram: user interface (150.000 possible entries, e.g. FB01, F-22) → application server (programs SAPMF05A and SAPMF05ATOP, authority check F_BKPF_ ACTVT = 01!) → database server (data to be protected: 300 kinds of objects, millions of combinations)]
Authority checks are sequential: you
cannot tell which path will be followed!
Reveal inconsistencies: who has access to the data, and who can start the transaction?
[Same diagram as above: user interface (150.000 possible entries, e.g. FB01, F-22) → application server (programs SAPMF05A and SAPMF05ATOP, authority check F_BKPF_ ACTVT = 01!) → database server (data to be protected: 300 kinds of objects, millions of combinations)]
Find inconsistencies in what people can do, did, and can almost do
[Diagram: command field, menu → transaction code → ABAP programs → DATA tables; Confidentiality, Integrity, Availability]
Authorizations? One core authorization, F_BKPF_*, is exercised by many transactions: FB01, F-22, ABAD, F-91, F.43, F.18, FB60, FB75, …
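The two-stage flow and its consequence for auditing, as an added example that is not part of the talk's material: the Python toy model below implements the "S_TCODE once, then AUTHORITY-CHECK in the program" semantics over a constructed transaction catalog and constructed users, then contrasts what a transaction-code review reports with what an authorization-based review reports for the same users. The program names other than the slide's SAPMF05A (SAPMF05L, SAPLPRGN_TREE), the alias table and all users and their authorizations are assumptions made for the illustration, not data from a real system.

```python
"""Toy model of the two-stage SAP authorization flow described in the talk:
S_TCODE is checked once, for the code the user actually typed, and the program
behind it then runs AUTHORITY-CHECKs on authorization objects against the data
being processed. Added illustration; the transaction catalog and the users
are constructed and simplified, not taken from a real system."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One authorization instance: an object plus a value set per field.
    Values are matched inside a single instance, never across instances."""
    obj: str
    fields: tuple  # ((field_name, frozenset_of_values), ...)


def auth(obj, **fields):
    norm = {k: frozenset(v if isinstance(v, (list, set, tuple)) else [v])
            for k, v in fields.items()}
    return Authorization(obj, tuple(sorted(norm.items())))


def authority_check(auths, obj, **checked):
    """ABAP AUTHORITY-CHECK semantics: succeed if any one instance for OBJ
    covers every checked field; '*' is the full wildcard."""
    for a in auths:
        if a.obj != obj:
            continue
        allowed = dict(a.fields)
        if all("*" in allowed.get(f, ()) or v in allowed.get(f, ())
               for f, v in checked.items()):
            return True
    return False


# Constructed catalog: transaction code -> program it starts. FB01 and F-22
# share SAPMF05A as on the slide; the other program names are assumptions.
# A report-tree / parameter transaction starts its target's program directly.
PROGRAMS = {
    "FB01": "SAPMF05A",       # post document
    "F-22": "SAPMF05A",       # customer invoice (A/R dialog)
    "FB60": "SAPMF05A",       # Enjoy vendor invoice (A/P)
    "FB03": "SAPMF05L",       # display document (assumed program name)
    "PFCG": "SAPLPRGN_TREE",  # role maintenance (assumed program name)
}
ALIASES = {"S_ALR_87003755": "PFCG"}  # IMG activity listed on the slide
POSTING_PROGRAM = "SAPMF05A"


def program_for(tcode):
    return PROGRAMS[ALIASES.get(tcode, tcode)]


def can_start(auths, tcode):
    """Stage 1: the S_TCODE check happens once, on the typed code only."""
    return authority_check(auths, "S_TCODE", TCD=tcode)


def post_document(auths, tcode, bukrs, line_account_types):
    """Stage 2 for the posting program: the checks depend on the document
    being entered, not on the transaction code used to get there."""
    if not can_start(auths, tcode):
        return False, "S_TCODE"
    if program_for(tcode) != POSTING_PROGRAM:
        return False, "not a posting transaction"
    if not authority_check(auths, "F_BKPF_BUK", ACTVT="01", BUKRS=bukrs):
        return False, "F_BKPF_BUK"
    for koart in line_account_types:  # D = customer, K = vendor, S = G/L
        if not authority_check(auths, "F_BKPF_KOA", ACTVT="01", KOART=koart):
            return False, f"F_BKPF_KOA KOART={koart}"
    return True, "posted"


def tcode_review(users, tcodes):
    """What a transaction-code based audit sees: who can start these codes."""
    return sorted(u for u, a in users.items()
                  if any(can_start(a, t) for t in tcodes))


def authorization_review(users, obj, **checked):
    """What an authorization-based review sees: who holds the core authorization."""
    return sorted(u for u, a in users.items() if authority_check(a, obj, **checked))


# Constructed users. AR_CLERK's menu holds only A/R codes, but KOART was
# left at '*', the typical over-provisioning.
USERS = {
    "AR_CLERK": [auth("S_TCODE", TCD=["F-22", "FB03"]),
                 auth("F_BKPF_BUK", ACTVT="01", BUKRS="1000"),
                 auth("F_BKPF_KOA", ACTVT="01", KOART="*")],
    "AP_CLERK": [auth("S_TCODE", TCD=["FB60", "FB03"]),
                 auth("F_BKPF_BUK", ACTVT="01", BUKRS="1000"),
                 auth("F_BKPF_KOA", ACTVT="01", KOART="K")],
    "CONTROLLER": [auth("S_TCODE", TCD=["S_ALR_87003755"]),
                   auth("S_USER_AGR", ACTVT="02", ACT_GROUP="*")],
}

if __name__ == "__main__":
    print(tcode_review(USERS, ["FB01", "FB60"]))
    print(authorization_review(USERS, "F_BKPF_KOA", ACTVT="01", KOART="K"))
    print(post_document(USERS["AR_CLERK"], "F-22", "1000", ["K", "S"]))
    print(can_start(USERS["CONTROLLER"], "PFCG"), program_for("S_ALR_87003755"))
```

Run as-is, AR_CLERK posts a vendor invoice through the A/R transaction F-22 because the core authorization (F_BKPF_KOA with KOART *) is present, while the S_TCODE-based review of FB01/FB60 does not flag that user and the authorization-based review does; CONTROLLER cannot start PFCG by name but reaches the same program through the report-tree code, since S_TCODE is evaluated only for the code typed. Removing the core authorization closes every entry point at once, which is the talk's "remove the core authorization" rule.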
Role Concept Challenges
Multiple users need multiple transactions.
Users need access only to specific data, in display or maintenance mode; they use transactions to get there.
SAP has some 100.000 transactions.
The number of users can vary from 20 to 1.000.000.
The average number of transactions used within a company can vary over time from 2.000 to 8.000.
Let's make a case: 600 users, 3.000 transaction codes …
Possible Scenarios: Extreme Cases
Case: 600 users, 3.000 transactions
[Diagram, organizational view versus technical view:
 600 roles: 1 role per user (what and where)
 3.000 roles: 1 role per transaction (what)
 12.000 roles: 1 role per transaction (what and where)]
Possible Scenarios: 1 Role per User (600 users → 600 roles)
Technical
  Advantage: easy to build: group the transactions and create the role
  Disadvantage: cannot separate "create for company code 1000" from "display for company code 3000" without breaking PFCG best practices
Functional
  Advantage: nice overview of all transactions per user
  Disadvantages:
  • complex and often long interviewing cycles
  • a nightmare from the change management perspective
  • unclear ownership (access to multiple (sub)processes and organizational data in one role)
  • SoD rule changes have a major impact on the roles
Possible Scenarios: 1 Role per Transaction (3.000 transactions → 3.000 master roles)
Technical
  Advantage: very easy to build: put each transaction in a separate role
  Disadvantages:
  • a huge number of roles to create initially and to maintain after data restriction changes
  • a user cannot have more than 300 assigned roles (*)
Functional
  Advantage: very transparent; everything is at user assignment level
  Disadvantage: heavy user request procedure: the user needs to request 300 to 400 roles and does not have this knowledge
(*) Simplified: the real limit is 312 profiles per user-id
Possible Scenarios: Solution in Between
Case: 600 users, 3.000 transactions
[Diagram, organizational view versus technical view: between the extremes of 600 roles (1 role per user, what and where), 3.000 roles (1 role per transaction, what) and 12.000 roles (1 role per transaction, what and where) lies a solution that still expresses both what and where]
Possible Scenarios: Intermediate Conclusion
If an SAP role concept is built from the technical view, grouping of transactions is needed.
If an SAP role concept is built from the organizational view, roles should be transparent for the business, easy to manage and flexible.
Intelligent grouping of transactions and authorizations is needed.
Try to Group 2 Transaction Codes in 1 Role

FK01 (create vendor for company code 1000)    FB03 (display all A/P postings)
F_LFA1_APP  ACTVT  01                         F_BKPF_BUK  ACTVT  03
F_LFA1_APP  APPKZ  F                          F_BKPF_BUK  BUKRS  $BUKRS
F_LFA1_BUK  ACTVT  01                         F_BKPF_KOA  ACTVT  03
F_LFA1_BUK  BUKRS  $BUKRS                     F_BKPF_KOA  KOART  K
F_LFA1_GEN  ACTVT  01
F_LFA1_GRP  ACTVT  01
F_LFA1_GRP
where: $BUKRS = 1000                          where: $BUKRS = *
what: create vendor                           what: display A/P postings

FK01 and FB03 in one role, to create vendors for company code 1000 and display all A/P postings: $BUKRS = ????
Technical issue: * vs 1000. PFCG binds an organizational level such as $BUKRS once for the whole role, so the two transactions cannot keep different company-code restrictions inside the same role.
Different business processes use the same master data, so process-based grouping is NOT the solution.
Possible Scenarios: Data Level Based!
9 objects for posting FI documents: F_BKPF_...
9 objects for vendor master data: F_LFA1_...
9 objects for customer master data: F_KNA1_...
24 objects for material master data: M_MATE_...
2 objects for payments: F_REGU_...
_____________________________________________
The 1.000 objects fall into about 300 kinds (example: company code, BUKRS); your authorization requirements need to be simplified into 300 one-liners.
Possible Scenarios: Data Level Based?
post FI documents (FB01):      F_BKPF_... ACTVT 01 BUKRS 1000
display vendor master data:    F_LFA1_... ACTVT 03 BUKRS *
update customer master data:   F_KNA1_... ACTVT 02 BUKRS 2000
display material master:       M_MATE_... ACTVT 03 WERKS 3000
Full flexibility on what and where
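The $BUKRS conflict of the FK01/FB03 slide in computable form, added here as an illustration that is not part of the talk: the proposals are the ones shown for FK01 and FB03 above; the company-code universe {1000, 2000, 3000}, the spelled-out requirement and the design names are constructed. It expands each role design into concrete grants and reports what the requirement is missing and what is granted in excess, which is the check a role designer wants before choosing between process-based and data-level grouping.

```python
"""Why grouping FK01 and FB03 in one PFCG role cannot express "create vendors
for company code 1000 and display all A/P postings", and why a data-level
design can. Added illustration: the proposals are those on the slide; the
company-code universe, the requirement and the design names are constructed."""

COMPANY_CODES = ("1000", "2000", "3000")  # constructed universe for expanding '*'

# Authorization proposals per transaction (object, field, value) as on the
# slide; "$BUKRS" marks the organizational level PFCG binds once per role.
PROPOSALS = {
    "FK01": [("F_LFA1_APP", "ACTVT", "01"), ("F_LFA1_APP", "APPKZ", "F"),
             ("F_LFA1_BUK", "ACTVT", "01"), ("F_LFA1_BUK", "BUKRS", "$BUKRS"),
             ("F_LFA1_GEN", "ACTVT", "01"), ("F_LFA1_GRP", "ACTVT", "01")],
    "FB03": [("F_BKPF_BUK", "ACTVT", "03"), ("F_BKPF_BUK", "BUKRS", "$BUKRS"),
             ("F_BKPF_KOA", "ACTVT", "03"), ("F_BKPF_KOA", "KOART", "K")],
}

# The business requirement, spelled out as concrete grants (constructed).
REQUIRED = {
    ("F_LFA1_APP", "ACTVT", "01"), ("F_LFA1_APP", "APPKZ", "F"),
    ("F_LFA1_BUK", "ACTVT", "01"), ("F_LFA1_BUK", "BUKRS", "1000"),
    ("F_LFA1_GEN", "ACTVT", "01"), ("F_LFA1_GRP", "ACTVT", "01"),
    ("F_BKPF_BUK", "ACTVT", "03"),
    ("F_BKPF_BUK", "BUKRS", "1000"), ("F_BKPF_BUK", "BUKRS", "2000"),
    ("F_BKPF_BUK", "BUKRS", "3000"),
    ("F_BKPF_KOA", "ACTVT", "03"), ("F_BKPF_KOA", "KOART", "K"),
}


def expand(value):
    """'*' on an organizational level means every company code in the system."""
    return set(COMPANY_CODES) if value == "*" else {value}


def build_role(tcodes, bukrs):
    """PFCG-style role: merge the proposals of all tcodes; the organizational
    level $BUKRS gets one value for the whole role, for every object in it."""
    grants = set()
    for t in tcodes:
        for obj, fld, val in PROPOSALS[t]:
            if val == "$BUKRS":
                grants |= {(obj, fld, cc) for cc in expand(bukrs)}
            else:
                grants.add((obj, fld, val))
    return grants


def gap(granted, required=REQUIRED):
    """(missing, excess): what the requirement still lacks, what is over-granted."""
    return sorted(required - granted), sorted(granted - required)


def compare_designs():
    """Evaluate the two single-role variants against a data-level pair of roles."""
    designs = {
        "one role, $BUKRS=1000": build_role(["FK01", "FB03"], "1000"),
        "one role, $BUKRS=*": build_role(["FK01", "FB03"], "*"),
        "data level: vendor_create_1000 + ap_display_all":
            build_role(["FK01"], "1000") | build_role(["FB03"], "*"),
    }
    return {name: gap(g) for name, g in designs.items()}


if __name__ == "__main__":
    for name, (missing, excess) in compare_designs().items():
        print(f"{name}\n  missing: {missing}\n  excess:  {excess}")
```

With the organizational level fixed at 1000 the user cannot display A/P postings of the other company codes; with it fixed at * the user may create vendors everywhere; only the two data-level roles, each binding its own $BUKRS, match the requirement exactly.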
Conclusion
Identifying who can do what is extremely difficult: millions of ABAP programs, more than 150k transaction codes, RFC and Web Dynpro … nobody knows all the possibilities!
SAP authorizations are extremely easy:
If you have the core authorization, you have potential access.
If you should not have access, remove the core authorization.
And do not forget that authority checks are a completely different story!
Use applications that focus on authorizations and not on transaction codes.
Small last remark
Do not forget that you can disable authority checks! A review of who holds which authorization is only meaningful if the checks are actually performed, so it should also cover objects deactivated system-wide (transaction AUTH_SWITCH_OBJECTS in SU25, possible only when the profile parameter auth/object_disabling_active is set) and the SU24 check indicators.