SAP Security GRC online training in India, UK & USA call +91-8099902123
1. CONTENT:
SAP Security Roles and Responsibilities:
Different type of SAP systems:
1. R/3(old) or ECC(new)
2. APO
3. CRM
4. BI
5. SRM
6. Central User Administration(CUA)
7. Portal
8. GRC toll for SAP Security (old toll - VIRSA)
User Administration Tasks:
1. Password Reset
2. User lock and unlocking
3. User creation – IT user and Business user
2. 4. Different type of users OSS & RFC
5. User Groups creation
6. User Parameters updating
7. Changing user group
8. Updating user date format, decimal notation, Time zone & Printers
9. Adding roles to users on permanent or temporary basis
10. Deleting roles from user
11. Adding or deleting profiles to user (not required..just to know)
12. Down loading security reports from SUIM
13. Finding missing authorizations with the SU53 dump
14. Finding role with SU53 missing authorization
15. Assigning additional roles to the user with or without validity
3. 16. Assigning a role to the 100 users at a time(SU10)
17. Locking and unlocking 100 users at a time
18. Changing user group or time zone to 100 users at a time
19. Creation of RFC,BATCH and OSS users
20. Extending user validity and extending role validity
21. User inactivation and user reactivation
22. User termination
23. Downloading STAD report from user
24. Checking the audit logs - SM20
25. Tracing the user authorizations
26. CUA Administration
27. Transaction lock and unlock
4. 28. Mass role deletion( 2 Types)
Role Administration:
1. Following roles naming convection while creation of roles
2. Creation of single roles
3. Creation of composite Roles
4. Creation of Derived roles
5. Adding Tcode to a role
6. Removing Tcode from a role
7. Updating objects in the roles as per missing authorization dump
8. Updating organizational values in to the roles
9. Creating global roles in all the systems
10. Updating roles while creation and modification with the reference of SU24
5. 11. Role transportation (including inter client)
12. Template role creation
13. Area menu role creation
14. Role upload and download
15. Role Deletion
16. Pfud & supc ( Monthly maintenance security Activities)
Other Key Activities:
1. Client open
2. OSS connection open and access details update in service market place
3. RFC connection creation
4. Providing sensitive Tcode, objects and Roles access
6. 5. Providing fire call access (User firecall/Role firecall)
6. Providing developer key
7. Providing access key for object
8. PFUD and SUPC for maintenance activity
9. SAP Licensing(Measurement Data)
10. Portal user administration including mass changes
SAP Security Reporting for SOX Compliance:
1. Downloading user’s login report who are not login to the system from past 7 days
after creation user ID
2. Downloading user’s report who are not login to the system from past 45 days
3. Down loading user’s report who are not login to the system from past 90 days
4. Client Settings status scc4, scc1
7. 5. Security System Parameter checking – RZ11
6. Forbidden Password Report---SE16---USR40
7. Tracking security users list and their roles---SUIM
8. List the non dialog users and make sure those users should not be in locked status--
SUIM
9. Random request checking for quality of work
10. User termination as per weekly HR termination report
11. Download SM20-audit log report on weekly basis
12. Users with Incomplete Address Data - rsusr007(Last Name, First Name, Email)
13. No User should have SAP_ALL & SAP_NEW profiles assigned to dialog users-SUIM
14. RSUSR003 is used for checking SAP* and DDIC in all clients along with login
parameters. This report is used to ensure SAP* and DDIC have been secured in all
clients. This report also allows checking of login parameters, such as number of invalid
login attempts until user lock, login/system and client.
8. 15. Document details steps of Emergency ID process for debug access.(AGR_USERS) Debug
Roles should be expired for users.
16. Review Batch, RFC and Sensitive Accounts – SUIM (Users should not be locked)
SAP Security Tables :( SE16 or SE16N)
AGR_USERS - Users list for a role
AGR_TCODES - Tcodes list for a role
AGR_AGRS - LIST OF SINGLE ROLES IN COMP ROLE
AGR_DEFINE - LIST OF DERIVED ROLES IN A PARENT ROLE
AGR_1251 - ROLE COMPLETED INFORMATION
AGR_1252 - ORG VALUES DETAILS FOR A ROLE
AGR_PROF PROFILE NAME FOR ROLE
USER_ADDR -ADDRESS DATA FOR USERS
USR01 -USER MASTER DATA
(RUNTIMEDATA)
USR02 -LOGON DATA
(PASSWORD, USERNAME, VALIDITY DATE ETC..)
USR04 -USER MASTER AUTHORIZATION
(ONE ROW PER USER)
USR06 -LICENSE DATA
USR40 - ILLEGAL PASSWORDS LIST
USOBT RELATION -TRANSACTION TO AUTHORIZATION OBJECT (SAP)
USOBT_C RELATION -TRANSACTION TO AUTH. OBJECT (CUSTOMER)
USOBX CHECK -TABLE FOR TABLE USOBT
9. USOBXFLAGS -TEMPORARY TABLE FOR STORING USOBX/T* CHANG
USOBX_C CHECK -TABLE FOR TABLE USOBT_C
BI SECURITY:
OVERVIEW OF BI SYSTEM (BI 7.0)
REPORTING AUTHORIZATION OBJECTS
BI ANALYSIS AUTHORIZATIONS
TROUBLE SHOOTING.
SAP ECC systems:
ECC DEV (DR2) -100 and 200
ECC Test (QR2) -100 and 200
ECC PRD (PR2) -100
CRM DEV (DC2) -100,200 and 400
CRM TEST (QC2) -100,200 and 400
CRM PRD (PC1) -100
SAP three system landscape with transport root:
10. Role:
1. Role is a combination of the Tcodes
2. 3 type of roles
a) Single Role
b) Composite Role
c) Derived or Base Role
3. Role structure
User
.
.
Role (Tcodes)
.
.
Profile
.
.
Auth Class (MM, PP, SD, BC, BS)
.
.
Auth Object
.
11. .
Field Values
4. Common authorization class AAAB
5. Common authorization object S_TCODE
What is SOX and SOD?
Sarbanes-Oxley is a best practice for all types of companies who wish to identify
with good governance practices.
SOX have become the ad hoc standard for financial transparency, trust, and
corporate accountability.
Sox guidelines have been built based on the Sections 302 and 404.
Those sections will describe the good governance practices.
For full filling SOX compliance, we are using a tolls called VIRSA,GRC and Bizright.
RULE
What is SOD?
Across an enterprise there are various functions and these functions are
performed, together by a set of roles/responsibilities.
SoD says that these set of Roles/responsibilities should be assigned in such a way
that, across an enterprise, any individual should not have end to end access rights
over any function
12. Segregation of Duties deals with access controls. Access Control ensures that one
individual should not have access to two or more than two incompatible duties
GRC Topics:
GRC Access control 5.3
Introduction
SOX Rules and SOD Concepts
Risk Analysis and Remediation (RAR)
-Risk Analysis on User and Role Level
-Rule set
-Mitigation
-Configuration of RAR
Super User Privilize Management (SPM)
-Fire Fighter Configuration
-Reports
Over view On Compliance User Provisioning (CUP)
1. Performing Fire Fighter activity in EAM
2. Approver delegation and approver delegation report
3. Owner assigning firefighter id’s and controllers
4. User level violation report
5. Role level violation report
6. Finding mitigated users list
7. Background Jobs schedule and monitoring
8. How to find the log report of the Firefighter by using SPM