Monday, May 17, 2010

Sap Security General Jobs, Guideines & Info

SAP Security



1. Security Administration



* Determine how security administration is organized



2. Help Desk



* Determine if the help desk is effective

+
Records incidents reports



3. Determine if proper system monitoring is performed



4. Determine if training is properly administrated



5. Determine if key system interfaces are properly controlled.



6. Obtain a list of all system users



7. Obtain a list of custom transactions



* List off all transactions within the TSTC table beginning with the letters Y or Z

o Tables>Data Display>Y*, and then Z*



8. Obtain a listing of all Clients



* List table T001



9. Obtain a listing of all group companies



* List table T042G



10. Obtain a listing of all business areas



* List table TGSB and TGSBT



11. Obtain a listing of all credit control areas



* List table T014 and T014T



12. Obtain a list of all charts of accounts



* List table T004 and T004T



13. Obtain a listing of all plants



* List tables T001W and TVKWZ



14. Obtain a listing of storage locations



* List table T001L



15. Obtain a listing of all purchasing organizations



* List table T024W



16. Obtain a listing of all purchasing groups



* List table T024



17. Obtain a listing of all sales organizations



* List table TVKO and TVKOT



18. Obtain a listing of distribution channels



* List table TVTW, TVTWT, and TVKOV



19. Obtain a listing of all divisions



* List tables TSPA, TSPAT, and TVKOS



20. Obtain a listing of sales areas



* List table TVTA



21. Obtain a listing of sales offices



* List tables TVBUR, TVKBT, and TVKBZ



22. Obtain a listing of sales groups



* List tables TVKGR, TVBVK, and TVGRT



23. ABAP programs



Review ABAP programs to ensure that all system function calls are authorized. System function calls allow are Unix commands that are passed to the operating system to perform a task at the operating system level such as using Oracle SQL commands to query the database during the execution of an ABAP program.



24. Review all SAP userids at the Unix operating system level. (etc/passwd and etc/group files)



SIDADM system administration

ORASID Oracle administration

PCTEMU Terminal administration



25. Review all relevant SAP change control directories under Unix



/usr/sap/trans



26. Ensure that all default passwords have been changed.



27. Determine that only authorized users have direct access to the Oracle database management system. And determine that all default system passwords have been changed.



28. Correction and Transport (CTS)



Control types



Default Changes are allowed in corrections. Changes to SAP-provided objects require a repair correction

No Change Changes are not allowed

Repairs Repairs are allowed but all must have corrections and all corrections are flagged as repairs. Other types of changes are allowed with or without corrections.

Unlimited Any changes are allowed with or without corrections. No corrections are flagged as repairs



CTS Type CTS Changes



Development Default



Integration No Change



Consolidation No Change



Recipient No Change



Determine if change control procedures are formally documented.



Determine if separate instances have been defined for development and testing



Determine who is responsible for transport administration



Ensure that control tables are properly established



TSYST defines all systems to be used in CTS



TASYS defines all recipient systems



TDEVC defines all development classes



Use transaction code SE06 for CTS verification



Use Transaction code SE38 to review the placement of programs in authorization groups



o SE38 select attributes and select display



29. Determine who has the capability to add user master records.



S_USER_GRP and S_USER_ALL



30. Determine who can maintain profiles.



S_USER_PRO



31. Determine who can maintain autorizations.



S_USER_AUT



32. List all SAP supplied profiles and authorizations that have been modified and review for completeness.



33. List off the system parameter file (RSPARAM) and review the authentication controls



o login/min_password_lng
o login/password_expiration_time
o login/fails_to_session_end
o login/fails_to_user_lock



34. Determine how the profile SAP_NEW is being used.



35. Review SAP for any new objects/values that have been defined



Review changes to table AUTH for new fields and table TOBJ for new objects



36. Determine if all users have been assigned to a group. (Table USR02)



37. Determine that the SAP* profile has a user master record and that SAP* has had its password changed and added to the SUPER group. Also determine if the password has been stored in a secured location in case of an emergency.



38. Determine who are the members of the SUPER group and ensure that their membership is required.



39. Determine how many users have SAP_ALL access in the production environment. List all users with the following standard system profiles:



SAP_ALL All R/3 privileges

S_A.SYSTEM All SAP system functions

S_A.ADMIN System administration

S_A.CUSTOMIZ SAP customizing system

S_A.DEVELOP SAP development environment

S_ABAP_ALL All authorizations for ABAPs



TOOLS>ADMINISTRATION>USER MAINTENANCE>USERS>MAINTAIN USERS>INFORMATION>OVERVIEW>USERS> profile name >LIST>PRINT



40. List all users with special SAP system administration



S_ADMI_FCD Access to ABAP/4 Data Dictionary

S_BDC_ALL Batch Input

S_DDIC_ALL DYNPRO and ABAP/4



S_EDI_BUK Creating and modifying ABAP/4 programs and use of screen painter

S_EDITOR Ability to edit and modify ABAP’s programs

S_PROG_ADM Running ABAP/4 programs and submitting background processing

S_PROGRAM Ability to run ABAPs



S_TABU_ADM System Table – table maintenance

S_BTCH_ADMS_ENQ_ALL Background Processing

S_TSKH_ADMS_ENQ_ALL Transactions – lock management for processing



41. Determine who has access to the ABAP/4 Data Dictionary



S_ADMI_FCD For this object list users that have the following values:



REPL, SE01 (CTS requests) and/or DDIC in the System Administration Function field

SM21 in the Field Administration Function field (allows access to the system log)

TCOD which allows the user to change additional authorization checks



Versions for a particular object are maintained as: Utilities>Version Management Menu.



Temp

Historical

Active

Revised



Use Transactions:



SE16 Data Browser

SE12 Dictionary Display

SE80 Object Browser

SCU3 Table history transaction



42. Determine who has batch access



S_BDC_MONI

S_BDC_ALL

S_BTCH_ADM

S_BTCH_ALL

S_BTCH_USR

Batch log files (bdc/logfile) should be reviewed and any deletions, modifications, or abended sessions subject to investigation and should be secured through the correct use of the operating system security.



43. List users with authorization for SM04, SM50 (S_TSKH_ADM) which grants access to the transaction locking function. Determine which transactions are locked on the production system by viewing additional authority checks in table TSTC (Tools>Administration>Tcode Administration). Ensure that at a minimum the following transactions are locked:



SE01 Correction and transports

SE38 Ability to execute ABAP programs

SE11 Maintain data dictionary objects



44. Determine if the parameters for the trace and log files are adequate



With the RSPARAM report, review the rstr/* and rslg/* parameters



If a transaction cannot finish correctly, the system rolls it back. The dialog program first generates a log record in the VBLOG table.



Transaction SM21 or Tools>Administration>Monitoring>System Log



Selection Criteria:



Date/Time – To – Date/Time

By User, Trans Code, SAP Process, Problem Classes (Messages)



45. Determine if Spool access is properly restricted.



Verify who has the authorization object S_ADMI_FCD, S_SPO_ACT, and S_SPO_DEV



46. Determine if backup procedures are appropriate for data and programs



On-line and off-line backups of all the file servers can be controlled through the CCMS. Access to these transactions should be restricted, because these transactions can causes all file servers to shut down.



Is access to the SAP archiving function restricted. (Verify which profiles have access to transaction F040).



47. Determine who has access to the SAP customizing system (IMG, menu customizing)



S_A.CUSTOMIZ The profile gives all authorizations required for the Basis activities in the customizing menu. (Table USR10 gives an overview of all authorization objects in a profile.)

No comments:

Post a Comment

Monday, May 17, 2010

Sap Security General Jobs, Guideines & Info

SAP Security



1. Security Administration



* Determine how security administration is organized



2. Help Desk



* Determine if the help desk is effective

+
Records incidents reports



3. Determine if proper system monitoring is performed



4. Determine if training is properly administrated



5. Determine if key system interfaces are properly controlled.



6. Obtain a list of all system users



7. Obtain a list of custom transactions



* List off all transactions within the TSTC table beginning with the letters Y or Z

o Tables>Data Display>Y*, and then Z*



8. Obtain a listing of all Clients



* List table T001



9. Obtain a listing of all group companies



* List table T042G



10. Obtain a listing of all business areas



* List table TGSB and TGSBT



11. Obtain a listing of all credit control areas



* List table T014 and T014T



12. Obtain a list of all charts of accounts



* List table T004 and T004T



13. Obtain a listing of all plants



* List tables T001W and TVKWZ



14. Obtain a listing of storage locations



* List table T001L



15. Obtain a listing of all purchasing organizations



* List table T024W



16. Obtain a listing of all purchasing groups



* List table T024



17. Obtain a listing of all sales organizations



* List table TVKO and TVKOT



18. Obtain a listing of distribution channels



* List table TVTW, TVTWT, and TVKOV



19. Obtain a listing of all divisions



* List tables TSPA, TSPAT, and TVKOS



20. Obtain a listing of sales areas



* List table TVTA



21. Obtain a listing of sales offices



* List tables TVBUR, TVKBT, and TVKBZ



22. Obtain a listing of sales groups



* List tables TVKGR, TVBVK, and TVGRT



23. ABAP programs



Review ABAP programs to ensure that all system function calls are authorized. System function calls allow are Unix commands that are passed to the operating system to perform a task at the operating system level such as using Oracle SQL commands to query the database during the execution of an ABAP program.



24. Review all SAP userids at the Unix operating system level. (etc/passwd and etc/group files)



SIDADM system administration

ORASID Oracle administration

PCTEMU Terminal administration



25. Review all relevant SAP change control directories under Unix



/usr/sap/trans



26. Ensure that all default passwords have been changed.



27. Determine that only authorized users have direct access to the Oracle database management system. And determine that all default system passwords have been changed.



28. Correction and Transport (CTS)



Control types



Default Changes are allowed in corrections. Changes to SAP-provided objects require a repair correction

No Change Changes are not allowed

Repairs Repairs are allowed but all must have corrections and all corrections are flagged as repairs. Other types of changes are allowed with or without corrections.

Unlimited Any changes are allowed with or without corrections. No corrections are flagged as repairs



CTS Type CTS Changes



Development Default



Integration No Change



Consolidation No Change



Recipient No Change



Determine if change control procedures are formally documented.



Determine if separate instances have been defined for development and testing



Determine who is responsible for transport administration



Ensure that control tables are properly established



TSYST defines all systems to be used in CTS



TASYS defines all recipient systems



TDEVC defines all development classes



Use transaction code SE06 for CTS verification



Use Transaction code SE38 to review the placement of programs in authorization groups



o SE38 select attributes and select display



29. Determine who has the capability to add user master records.



S_USER_GRP and S_USER_ALL



30. Determine who can maintain profiles.



S_USER_PRO



31. Determine who can maintain autorizations.



S_USER_AUT



32. List all SAP supplied profiles and authorizations that have been modified and review for completeness.



33. List off the system parameter file (RSPARAM) and review the authentication controls



o login/min_password_lng
o login/password_expiration_time
o login/fails_to_session_end
o login/fails_to_user_lock



34. Determine how the profile SAP_NEW is being used.



35. Review SAP for any new objects/values that have been defined



Review changes to table AUTH for new fields and table TOBJ for new objects



36. Determine if all users have been assigned to a group. (Table USR02)



37. Determine that the SAP* profile has a user master record and that SAP* has had its password changed and added to the SUPER group. Also determine if the password has been stored in a secured location in case of an emergency.



38. Determine who are the members of the SUPER group and ensure that their membership is required.



39. Determine how many users have SAP_ALL access in the production environment. List all users with the following standard system profiles:



SAP_ALL All R/3 privileges

S_A.SYSTEM All SAP system functions

S_A.ADMIN System administration

S_A.CUSTOMIZ SAP customizing system

S_A.DEVELOP SAP development environment

S_ABAP_ALL All authorizations for ABAPs



TOOLS>ADMINISTRATION>USER MAINTENANCE>USERS>MAINTAIN USERS>INFORMATION>OVERVIEW>USERS> profile name >LIST>PRINT



40. List all users with special SAP system administration



S_ADMI_FCD Access to ABAP/4 Data Dictionary

S_BDC_ALL Batch Input

S_DDIC_ALL DYNPRO and ABAP/4



S_EDI_BUK Creating and modifying ABAP/4 programs and use of screen painter

S_EDITOR Ability to edit and modify ABAP’s programs

S_PROG_ADM Running ABAP/4 programs and submitting background processing

S_PROGRAM Ability to run ABAPs



S_TABU_ADM System Table – table maintenance

S_BTCH_ADMS_ENQ_ALL Background Processing

S_TSKH_ADMS_ENQ_ALL Transactions – lock management for processing



41. Determine who has access to the ABAP/4 Data Dictionary



S_ADMI_FCD For this object list users that have the following values:



REPL, SE01 (CTS requests) and/or DDIC in the System Administration Function field

SM21 in the Field Administration Function field (allows access to the system log)

TCOD which allows the user to change additional authorization checks



Versions for a particular object are maintained as: Utilities>Version Management Menu.



Temp

Historical

Active

Revised



Use Transactions:



SE16 Data Browser

SE12 Dictionary Display

SE80 Object Browser

SCU3 Table history transaction



42. Determine who has batch access



S_BDC_MONI

S_BDC_ALL

S_BTCH_ADM

S_BTCH_ALL

S_BTCH_USR

Batch log files (bdc/logfile) should be reviewed and any deletions, modifications, or abended sessions subject to investigation and should be secured through the correct use of the operating system security.



43. List users with authorization for SM04, SM50 (S_TSKH_ADM) which grants access to the transaction locking function. Determine which transactions are locked on the production system by viewing additional authority checks in table TSTC (Tools>Administration>Tcode Administration). Ensure that at a minimum the following transactions are locked:



SE01 Correction and transports

SE38 Ability to execute ABAP programs

SE11 Maintain data dictionary objects



44. Determine if the parameters for the trace and log files are adequate



With the RSPARAM report, review the rstr/* and rslg/* parameters



If a transaction cannot finish correctly, the system rolls it back. The dialog program first generates a log record in the VBLOG table.



Transaction SM21 or Tools>Administration>Monitoring>System Log



Selection Criteria:



Date/Time – To – Date/Time

By User, Trans Code, SAP Process, Problem Classes (Messages)



45. Determine if Spool access is properly restricted.



Verify who has the authorization object S_ADMI_FCD, S_SPO_ACT, and S_SPO_DEV



46. Determine if backup procedures are appropriate for data and programs



On-line and off-line backups of all the file servers can be controlled through the CCMS. Access to these transactions should be restricted, because these transactions can causes all file servers to shut down.



Is access to the SAP archiving function restricted. (Verify which profiles have access to transaction F040).



47. Determine who has access to the SAP customizing system (IMG, menu customizing)



S_A.CUSTOMIZ The profile gives all authorizations required for the Basis activities in the customizing menu. (Table USR10 gives an overview of all authorization objects in a profile.)

No comments:

Post a Comment