Overview of SAP Authorisations.docx
- Document number: 9379265
- Uploaded: 2023-05-18
- Format: DOCX
- Pages: 16
- Size: 30.09KB
This document is intended as an introduction to auditing SAP Security.
1. The SAP R/3 authorisation concept
The SAP R/3 authorisation concept permits the assignment of general and/or finely detailed user authorisations. These assignments can reach down to the transaction, field and field value level. The authorisations are centrally administered in user master records. A single action by a user may require several authorisations.
For example, to change a material master record, authorisations are required for the:
Transaction 'change'
Specific material type
Views of the material master record
General authorisation to work with the company code
The resulting relationships can become very complex. The SAP R/3 authorisation concept is based on authorisation objects. Each authorisation object is a combination of authorisation fields. An authorisation always refers to an authorisation object and can contain intervals for the authorisation field values. Authorisation checks protect the functions or objects a user chooses. Standard-delivered SAP R/3 functions or objects have these checks embedded in the program logic.
Authorisation administrators create authorisations that are assigned to users in collections called profiles. The Profile Generator (PG), a standard tool in SAP R/3, usually generates authorisations and authorisation profiles, although authorisations can also be manually inserted into a profile.
2. Terminology
Authorisation Object Class
Authorisation objects are grouped into logical groupings called authorisation object classes.
Authorisation Object
Authorisation objects allow complex user authorisation checks. An authorisation object groups up to 10 authorisation fields in an 'AND' relationship. All the fields are checked together to determine whether a user is allowed to perform a certain action. Users may only conduct an activity if they satisfy the authorisation check for each of the authorisation fields in the authorisation object.
Authorisation Field
This is the smallest unit against which the authorisation check is done. The fields in an authorisation object are linked to data elements in the SAP ABAP Dictionary. The permissible values constitute an authorisation. When an authorisation check takes place, the system compares the values that you have specified in an authorisation against those required to carry out the action. Users may only carry out the action if they satisfy the conditions for every field defined for the specific authorisation object.
Authorisation
An authorisation is the authority to perform a particular action in the SAP R/3 system based on a set of authorisation field values in an authorisation object. Each authorisation refers to exactly one authorisation object and one or more possible values for each authorisation field listed for that authorisation object. Authorisations reach the user master record through authorisation profiles, which the Profile Generator builds from roles. By themselves, authorisations are not assignable units; they only have meaning inside a role and the profile generated from it.
Authorisation Profile
An authorisation profile contains authorisations for different authorisation objects. User authorisations are assigned using authorisation profiles. Once a profile is changed, the change affects all users to whom this profile is assigned, but it takes effect only when the user next logs on. Users who are logged on when the change takes place remain unaffected during their current session; when they log on again, their profile will have changed accordingly. A user's authorisations are loaded into the user buffer only at logon. The practical consequence for an auditor or incident responder is that removing a profile from a user does not revoke access in a live session; the session itself must be ended. To automatically generate an authorisation profile, you must first create a role.
Role
A role is a set of functions/transactions describing activities or a specific work area. The Accounts Receivable Accountant role, for example, contains authorisations for the transactions and reports needed by the accountants for their daily work. A role can be assigned to any number of users. Besides the normal SAP R/3 logon users, you can also assign roles to object types such as jobs, organisational units or positions. Besides the predefined SAP roles available in the system, you can also create your own custom roles.
Composite Role & Single Role
A composite role (also known as a collective role) is a group of several different (single) roles. It is not possible to group composite roles into composite roles. Composite roles do not contain authorisation data. If you want to change the authorisation in a composite role, you must maintain the authorisation data in the (single) roles. Users assigned to a composite role are automatically assigned to the corresponding (single) roles. The menu tree of a composite role is a combination of the menus of all the (single) roles it contains. Merging the menu trees of (single) roles may lead to certain menu items being listed more than once.
3. How Authorisation Works
If authorisation A allows the user to perform create, change and display activities in company codes 1000 and 2000, and authorisation B allows the user to perform only the display activity in company codes 1000, 2000 and 3000, then a user who has both authorisation A and authorisation B can perform create, change and display activities in company codes 1000 and 2000, and can only perform the display activity in company code 3000.
Authorisations are cumulative: the user's effective rights for an object are the union of all authorisations for that object, and there is no way to express a denial. A check passes as soon as one authorisation satisfies all of the checked fields at once; values are never combined across two different authorisations, which is why the user above cannot create in company code 3000.
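The following is an added illustration, not code from the original document or from SAP: a small Python model of how an AUTHORITY-CHECK is evaluated against a user's buffer, reproducing authorisations A and B from the example above. The object name F_BKPF_BUK with fields BUKRS (company code) and ACTVT (activity) is assumed as a stand-in for the page's unnamed company-code object, and the activity codes 01, 02 and 03 for create, change and display follow the SAP convention. It also goes one step beyond the text: it shows what happens when an administrator "simplifies" A and B into one merged authorisation, which silently grants create and change in company code 3000.

```python
"""Toy model of an SAP AUTHORITY-CHECK evaluated against a user's buffer.

Added illustration, not SAP code. Object F_BKPF_BUK (BUKRS = company code,
ACTVT = activity) is assumed as a stand-in for the page's company-code
object; ACTVT 01/02/03 = create/change/display follow the SAP convention.
"""
from dataclasses import dataclass
from typing import Dict, Tuple, Union

# A maintained field value is either a single value / trailing-'*' pattern,
# or an inclusive (low, high) interval as entered in the From/To columns.
ValueSpec = Union[str, Tuple[str, str]]


@dataclass(frozen=True)
class Authorization:
    """One authorisation: exactly one object, one or more specs per field."""
    obj: str
    fields: Dict[str, Tuple[ValueSpec, ...]]


def value_matches(spec: ValueSpec, value: str) -> bool:
    """Match one maintained value spec against the value being checked."""
    if isinstance(spec, tuple):              # interval, compared as strings
        low, high = spec
        return low <= value <= high
    if spec == "*":                          # fully generic value
        return True
    if spec.endswith("*"):                   # generic prefix, e.g. 'Z*'
        return value.startswith(spec[:-1])
    return spec == value


def authorization_grants(auth: Authorization, obj: str,
                         required: Dict[str, str]) -> bool:
    """Every checked field must be satisfied by this ONE authorisation (AND)."""
    if auth.obj != obj:
        return False
    for fname, needed in required.items():
        specs = auth.fields.get(fname)
        # a field the authorisation does not maintain cannot be satisfied
        if not specs or not any(value_matches(s, needed) for s in specs):
            return False
    return True


def authority_check(buffer, obj: str, **required: str) -> bool:
    """Mimics AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ...: passes if ANY
    authorisation for the object satisfies all fields (OR across authorisations)."""
    return any(authorization_grants(a, obj, required) for a in buffer)


# Constructed sample buffer reproducing the page's authorisations A and B.
AUTH_A = Authorization("F_BKPF_BUK", {"BUKRS": ("1000", "2000"),
                                      "ACTVT": ("01", "02", "03")})
AUTH_B = Authorization("F_BKPF_BUK", {"BUKRS": (("1000", "3000"),),  # interval
                                      "ACTVT": ("03",)})
USER_BUFFER = (AUTH_A, AUTH_B)

# What merging A and B into a single authorisation produces: the union of
# each field's values, which is NOT equivalent to holding A and B separately.
AUTH_MERGED = Authorization("F_BKPF_BUK", {"BUKRS": (("1000", "3000"),),
                                           "ACTVT": ("01", "02", "03")})


def effective_rights(buffer, codes=("1000", "2000", "3000", "4000"),
                     activities=("01", "02", "03")) -> Dict[Tuple[str, str], bool]:
    """Table of (company code, activity) -> allowed, the view an auditor wants."""
    return {(c, a): authority_check(buffer, "F_BKPF_BUK", BUKRS=c, ACTVT=a)
            for c in codes for a in activities}


if __name__ == "__main__":
    for (code, actvt), ok in effective_rights(USER_BUFFER).items():
        print(f"BUKRS={code} ACTVT={actvt}: {'granted' if ok else 'denied'}")
    print("merged authorisation grants create in 3000:",
          authority_check((AUTH_MERGED,), "F_BKPF_BUK", BUKRS="3000", ACTVT="01"))
```

When auditing a role, compare the effective_rights table of the generated profile with the table of the authorisations as the business described them; a mismatch in the merged-style rows is exactly the over-grant this model exposes.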
Authorisation Check
This check decides whether a user is authorised to execute a particular action. Processes, functions and data access in the SAP R/3 system can only be performed when user authorisations have been checked successfully in the respective system and application programs.
User Master Record
The user master record enables the user to log on to the SAP R/3 system and allows limited access to functions and objects based on authorisation profiles. User master records are client-specific. You must maintain user master records for each client in an SAP system.
4. Generic User IDs
All users should have a unique identifier (user ID) for their personal and sole use to ensure that activities can be traced to the responsible individual. In exceptional circumstances where there is a clear business benefit, a shared user ID for a group of users or a specific job can be used. Approval by management should be documented for such cases. Additional controls may be required to maintain accountability.
SAP*
The standard SAP user SAP* presents a particularly high risk because it has full access rights to the SAP system and has a standard password which is widely known. SAP* should never be used in any system and shall be controlled via the following measures:
Lock the user ID SAP*
Remove all profiles from user SAP*
Lock rather than delete: if the SAP* user master record is deleted, the kernel's built-in SAP* user with its default password becomes usable unless the profile parameter login/no_automatic_user_sapstar is set to 1.
The ABAP report RSUSR003 should be run on a regular basis to check the passwords and lock status of the standard SAP users in all systems and clients.
Background batch user
Background jobs are not to be dependent on an individual's user ID. Instead all jobs should be scheduled to run under a specific background job user ID. This user should be a system user secured in an appropriate user group and will usually have wide access such as SAP_ALL. Where SAP_ALL is granted, it is a deliberate exception to least privilege, so the ability to schedule a job under such a user ID (governed by authorisation object S_BTCH_NAM) must be tightly controlled.
Setting up Remote Communications
There are minimum acceptable settings that must be followed when setting up an RFC destination for a dial-up connection (transaction code SM59).
The following guidelines are to be adhered to:
Access to transaction SM59 should be limited to Basis Administration personnel only.
User accounts used as interface accounts between two systems must be of a non-dialog user type and assigned to the user group NON-DIALOG.
SAP account set-up for OSS connections
Periodically, SAP will need to be able to log on to a client SAP system in order to look into OSS problems that have been submitted. Such requests require three things to be implemented:
1. Open service connection.
2. SAP user account and password.
3. Basis team to open the appropriate service connection.
Generally, requests are submitted for the non-production environments. However, from time to time, a request for production is submitted. Access to the production environment must only be for display, and approval must be received from the customer system owner. If the error can be duplicated in a non-production system, access should be granted in a non-production system FIRST. Access to a production system should be the last resort.
The Basis team is responsible for opening and closing service connections. The Security team is responsible for managing and setting up the user accounts needed by SAP. To facilitate the set-up of an SAP user account and to more easily identify such accounts later on, standardisation is necessary.
The following standards should be applied:
User ID - Should be in the format SAP-xx, where xx is the application that is being researched (e.g. SAP-BC, SAP-JV and SAP-FI). This allows identification of the appropriate module if anything is updated in the system. It also allows multiple SAP users to use the system at the same time, each with a unique ID.
Valid Until - must have an end validity date. OSS service connections can only be opened for a maximum of 10 days.
Profiles - In the non-production clients, it is recommended that the account be assigned the same access as the person making the request, assuming that ZZ roles are assigned and SAP_ALL and SAP_NEW are not assigned. This will allow all user transactional access and support access.
5. System Security Parameter Settings
In addition to the standard R/3 authentication mechanism of each user requiring an individual user ID and password, the following system parameters should be set:
Parameter: Number of times a user can attempt logon
Setting: login/fails_to_user_lock = 4 (4 attempts, thereafter the user is locked)
Parameter: Users locked due to incorrect logons
Setting: login/failed_user_auto_unlock = 0
Users are not unloc