SAP Audit Information and Approach

Uploaded by: dfh****415  Document ID: 157035353  Upload date: 2022-09-28  Format: DOCX  Pages: 67  Size: 76.82KB

Authorization Example

1. User Master Record
   User: Frank W. Lyons
   Profile: Example

2. Profile: Example
   Object: S_Program
   Authorizations: ABAP

3. Authorization: ABAP
   Object: S_Program
   Fields and values:
     Program Group: *
     Activity: SUBMIT, VARIANT
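The chain in the example above, from user master record through profile and authorization to the fields of an object, modelled in Python as an added example that is not part of the original document. The user IDs FLYONS, JOBSCHED and NOPROFILE, the profile BATCH_FI and the authorizations ABAP_BTC and NUM_SHOW are constructed for illustration. Two modelling assumptions: only "*" and a trailing "*" act as wildcards, and a single authorization must satisfy every field of the object.

```python
"""Model of the R/3 authorization chain: user master record -> profiles ->
authorizations (value sets) -> object fields. All data below is constructed."""

# Authorization name -> (object, {field: permitted values}); "*" permits any value.
AUTHORIZATIONS = {
    "ABAP":     ("S_PROGRAM", {"P_GROUP": ["*"], "P_ACTION": ["SUBMIT", "VARIANT"]}),
    "ABAP_BTC": ("S_PROGRAM", {"P_GROUP": ["FI*"], "P_ACTION": ["BTCSUBMIT"]}),
    "NUM_SHOW": ("S_NUMBER", {"NROBJ": ["*"], "ACTVT": ["03"]}),
}
# Profile -> authorizations it grants; user master record -> assigned profiles.
PROFILES = {"EXAMPLE": ["ABAP"], "BATCH_FI": ["ABAP_BTC", "NUM_SHOW"]}
USERS = {"FLYONS": ["EXAMPLE"], "JOBSCHED": ["BATCH_FI"], "NOPROFILE": []}


def value_permitted(permitted, requested):
    """True if one permitted entry covers the requested value.
    Assumption: only "*" and a trailing "*" act as wildcards."""
    for entry in permitted:
        if entry == "*" or entry == requested:
            return True
        if entry.endswith("*") and requested.startswith(entry[:-1]):
            return True
    return False


def user_authorizations(user):
    """Resolve the user master record through its profiles to value sets."""
    for profile in USERS.get(user, []):
        for name in PROFILES.get(profile, []):
            yield name, AUTHORIZATIONS[name]


def authority_check(user, obj, **requested):
    """Return the name of the first authorization that passes the test for
    every field of the object, or None. A field the caller does not supply
    fails the test, and values are never combined across authorizations."""
    for name, (auth_obj, fields) in user_authorizations(user):
        if auth_obj != obj:
            continue
        if all(f in requested and value_permitted(vals, requested[f])
               for f, vals in fields.items()):
            return name
    return None


def users_with(obj, **requested):
    """Audit view: every user whose effective authorizations pass the check."""
    return sorted(u for u in USERS if authority_check(u, obj, **requested))


if __name__ == "__main__":
    print(authority_check("FLYONS", "S_PROGRAM", P_GROUP="ZFIN", P_ACTION="SUBMIT"))
    print(authority_check("FLYONS", "S_PROGRAM", P_GROUP="ZFIN", P_ACTION="EDIT"))
    print(users_with("S_PROGRAM", P_GROUP="FI01", P_ACTION="BTCSUBMIT"))
```

For audit work, `users_with` is the useful entry point: it answers who effectively holds a sensitive field value, such as BTCSUBMIT on S_PROGRAM, regardless of which profile grants it.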

Authorization System:

1. Profiles
   One or more assigned to a user
2. Objects
   Must be unique names with one or more fields
3. Fields
   Contain values for authority checking
4. Authorizations
   Can have the same names as they are physically linked to an object
   Field group for an object has multiple values and can be shared across objects

Initial Defaults

1. Initial Clients
   Client 000: Standard model
   Client 001: Model for user-defined clients (template)
2. Initial User IDs
   SAP*: Default super user. A user master record is created during installation, but it is not needed by SAP* to access the complete system. If the SAP* master record is deleted, the SAP* account has the following special privileges:
   - It is not subject to authorization checks and therefore has all authorizations
   - It has the password “PASS”, which cannot be changed without creating a new user master record.
   To prevent deletion, assign the SAP* user to a group called SUPER; only a super user should be able to maintain user group SUPER.
3. Initial Security Parameters
   Parameters for user logon:
   login/min_password_lng
     Minimum password length. The default is 3.
   login/password_expiration_time
     Number of days after which a password must be changed. The default is zero, which does not enforce password changes. Recommended value = 45.
   login/fails_to_session_end
     Number of times a user can enter an incorrect password before the system ends the login attempt. The default is 3.
   login/fails_to_user_lock
     Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. The default is 12. Recommended: 3. When a password is locked in this manner, it is automatically unlocked by the system at the start of the next day (midnight).

Adding Users

1. Each user must have a master record.
2. Each user master record refers to one
   or more profiles that determine the access rights for the user.
3. Master record contains:
   - User ID
   - Password
   - User groups
   - User type
   - Period of validity
   - References to authorization profiles
   Master records can be deleted, but this will affect the audit trail. It is better to lock the user's master record. Menu Path: Tools - Administration - User Maintenance - User - Lock/Unlock.
4. User Group
   If a person is assigned to a user group, only the administrators who are authorized for that user group can alter user master records. If a user is not assigned to a group, then any user administrator can alter the user master record.

Adding Profiles

Profiles and Authorizations exist in both maintenance and active versions. This allows updates to the maintenance version before it is activated, and separation of the maintenance and activation functions.

1. System Profiles
   SAP Standard and Super User Profiles

   S_A.SYSTEM     Unlimited access to all users, profiles, and authorizations
   S_A.ADMIN      Authorizations for SAP system administration. This includes all authorizations except for:
                  - Maintenance of users in user group SUPER
                  - Maintenance of profiles and authorizations with names beginning “S_A.”
   S_A.CUSTOMIZ   Authorizations for use in the SAP Customizing system
   S_A.DEVELOP    Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)
   S_A.USER       Basis system authorizations for end-users (e.g., S_PROGRAM, S_BDC_MONI, etc.)

2. Startup Profiles

   Profile Name   Description
   S_ABAP_ALL     All ABAP/4 authorizations
   S_ADMI_ALL     All system administration functions
   S_BDC_ALL      All batch input activities
   S_BTCH_ALL     All batch processing authorizations
   S_DDIC_ALL     DDIC: All authorizations
   S_DDIC_SU      Data Dictionary: All authorizations
   S_NUMBER       Number range maintenance: All authorizations
   S_SCD0_ALL     Change documents: All authorizations
   S_SCRP_ALL     All SAPscript text, styles, layout sets maintenance
   S_SPOOL_ALL    All spool authorizations
   S_SYST_ALL     All system authorizations
   S_TABU_ALL     Standard table maintenance: All authorizations
   S_TSKH_ALL     All system administration authorizations
   S_USER_ALL     User maintenance: All authorizations
   SAP_ALL        Provides unlimited access to maintain all SAP R/3 system authorizations, with the following exceptions:
                  - Maintenance of users in user group SUPER
                  - Maintenance of profiles and authorizations with names beginning S_USER
   SAP_ANWEND     All SAP R/3 (excluding system) application authorizations
   SAP_NEW        Provides unlimited access to all authorizations added with new releases of SAP R/3.
   Z_ANWEND       All user authorizations (excluding BC system)

3. Profiles and their associated authorization value sets are stored in USRxxx tables.

Adding Authorizations

Authorization objects are used to check a user's authority to perform actions and access data in R/3. A user's action is approved only if the user passes the authorization test for each field listed in an object.

1. Authorization Objects
   SAP contains a number of authorization objects that are used to restrict the ability of users to perform certain functions and access information. Authorization objects can contain up to ten authorization IDs representing such system elements as transactions, tables, fields, or programs. A user is allowed access if their master record lists the object for which the authorization is being tested and the user passes the authorization test for each authorization ID. An authorization value set is required for access: 02 = change.
   Authorization Profiles are used to grant the authorization value sets to a user. The user master record refers to profiles and the profiles, in turn, refer to value sets that determine the access capabilities of the user.
   New authorization objects can be created by Menu Path: System -
   Services - Table Maintenance. Merely creating a new object does not initiate any authorization checking. Either ABAPs need to be modified to test the new objects, or additional authorization checks need to be defined.
   - First assign an object class for the new object.
   - Next use AUTHORITY-CHECK for ABAP/4 programs
   - Or add additional authorization checks to the TSTC (transaction table). Menu Path: System - Services - Table Maintenance.
2. Objects
   Objects are defined in the system and contain one or more fields that are used to test user access.
3. Authorization Value Sets
   - Are lists of all values (for each field) for which a user is authorized.
   - Usually used to define tasks
   - Profiles allocate the tasks (authorization value sets) to logical functions. These profiles are assigned to a physical user (master record).
4. Basis System Authorization Objects

   Object: S_PROGRAM
   Fields: Program group, Activity
   Uses: ABAP/4 programs that may be run.

   Object: S_EDITOR
   Fields: Program group, Activity
   Uses: ABAP/4 programs that may be displayed or edited

   Object: ABAP/4 Query (S_QUERY)
   Fields: Activity
   Uses: Whether a user can run queries and whether the user can maintain ABAP/4 Query user groups

   Object: System Administration Functions
   Fields: Administration Functions
   Uses: A variety of system functions such as:
     1. Whether a user may enter a value interactively to pass an authorization test that he does not have authorization for in his user master record
     2. Access to the ABAP/4 Dictionary
     3. Access to the interface painter
     4. System trace authority
     5. Ability to add or delete additional authorization tests in the TSTC table
     6. Execute host operating system commands

   Object: Central Field Selection
   Fields: Activity, Authorization group
   Uses: Which ABAP/4 programs a user can use to dynamically alter attributes of fields

   Object: Table Maintenance
   Fields: Authorization class, Activity
   Uses: Authorize users to view and/or modify table contents

   Object: Batch Processing: Batch Administrator
   Fields: Administrator
   Uses: Give user administrator authorization over background processing

   Object: Batch Processing: Batch User Name
   Fields: Authorized user
   Uses: Specify user IDs that a user may specify as the authorization for running background jobs

   Object: Batch Processing: Operations on Batch Jobs
   Fields: Operations, Job Group
   Uses: Specify the operations that users may perform on background jobs (Release, delete, etc.)

   Object: Batch Input Authorizations
   Fields: Queue group name, Activity
   Uses: Authorize a user to work with batch input sessions

   Object: Queue Management Authorizations
   Fields: Queue group name, Activity
   Uses: Management of queues for trouble-shooting or problem analysis

   Object: Authorization Check for SM04, SM50
   Fields: Administration
   Uses: Authorize users to lock or unlock transactions and to manage user sessions other than their own.

   Object: Authorization for Update Administration
   Fields: Administration
   Uses: Authorization to manage update records for other users

   Object: Enqueue: Displaying and Deleting Lock Entries
   Fields: Activities
   Uses: Authorize users to maintain lock entries of other users

   Object: Spool: Device Authorization
   Fields: Output Device
   Uses: Authorizes users to use particular printers

   Object: Spool Actions
   Fields: Spool action Value
   Uses: Authorizes an administrator to perform specified actions on the spool system

   Object: Public Holiday and Calendar Access Privileges
   Fields: Activity
   Uses: Authorization to display and/or maintain calendars

   Object: Number Range Maintenance
   Fields: Activity, Number range object
   Uses: Authorize users to maintain number ranges

   Object: Change Documents
   Fields: Activity
   Uses: Authorization to display, maintain, and/or delete change documents

   Object: Tools Performance Monitor
   Fields: Authorization name
   Uses: Authorization to use sensitive functions of the performance monitor

Objects - Authorizations

S_TOOLS_EX: Access to view logon parameters

S_PROGRAM: ABAP program access
   Field         Value       Comments
   P_GROUP       *           Program group
   P_ACTION      SUBMIT      Execute program
                 EDIT        Maintain program attributes and texts
                 VARIANT     Start and maintain variants
                 BTCSUBMIT   Submit programs for background execution

S_EDITOR: ABAP program access
   Field         Value       Comments
   P_GROUP       *           Program group
   EDIT_ACTION   SHOW        Display program source
                 EDIT        Amend program source

S_BDC_MONI: Batch input session
   Field         Value       Comments
   BDCGROUPID    *           Name of batch session for which a user is authorized (e.g. “FRANK”)
   BDCAKTI       ABTC        Submit sessions for execution
                 AONL        Run sessions in interactive mode
                 ANAL        Analyze sessions, log and queue
                 FREE        Release sessions
                 LOCK        Lock/unlock sessions
                 DELE        Delete sessions

S_NUMBER: Number range authorization
   Field         Value       Comments
   NROBJ         *           Number range object name for a vendor
   ACTVT         02          Change
                 03          Display
                 11          Change the last-used number in a number range interval
                 13          Initialize the last-used number when transporting ranges between clients
                 17          Maintain number range object (pre 3.0)

S_SCD0: Change document authorization
   Field         Value       Comments
   ACTVT         02          Maintain and display change documents
                 06          Delete change documents
                 08          Display change documents
                 12          Maintain change document objects

Processes

1. Batch
   Number of transactions entered into the system as a batch. Batch inputs can take place in the background, where no changes can be made, or in the foreground, where transactions containing errors can be interactively corrected.

   Restricting Access
   The Batch Input object restricts user activities in different batch input sessions.
   ANAL   Analyze sessions. Display session, log, and queue dump
   DELE   Delete sessions
   LOCK   Lock and unlock sessions
   FREE   Release sessions
   ABTC   Submit sessions for background execution
   AONL   Run sessions in interactive modes
2. On-Line
3. Background
   Program executes on a background processing server without interactive user input. To run, it must be scheduled. This can be done two ways:
   - Menu Path: ABAP/4 - System Services - Reporting - Batch Request function
   - From the background processing menu by selecting goto - Batch Request
   In either case the user must have a User ID to run the job. Users could be authorized to run background jobs but not foreground jobs.
   Before a background job can run, it must be released. The releasing of jobs is usually restricted to “Batch Administrators”.

   Restricting Access
   The field Admin in the Batch Admin object is
   used to give a user administration authorizations. If this field contains a “Y”, the user has access to all background jobs in a SAP system and can perform any operation on any job.
   The field Activity in the S_PROGRAM object determines the activities users are able to perform on an ABAP. A value of BTCSUBMIT allows a user to schedule the ABAP/4 program for background execution.
   The Auth user field of the Batch User Name object is used to restrict the user IDs specified as the authorized user for running a job.
   The Operation field of the Operations on Batch Jobs object is used to specify the operations that a user can perform on their own jobs. This is used to restrict users from deleting or releasing jobs.
4. Services
   Can run on different servers.
   - Dialog
   - Update
   - Enqueue
   - Background
   - Message Server
   - CPI-C Gateway Server
   - Spool
5. Work Processes
   TSKH    Task Handler
   DYNP    Screen Processor
   ABAP    Program Processor
   DB-SS   Database interface that converts ABAP/4 SQL into DBMS SQL.

Transactions

SAP transactions allow different functions to be performed within R/3. Menu selection also generates transactions. To see which transaction is currently executing, select Menu Path: System - Status.

System transactions are applicable to the basis system, and application transactions are specific to a certain module.

Transactions can be locked and unlocked using Menu Path: Administration - Tcode Administration. When a transaction is locked, users cannot execute that transaction. To perform this function, a user requires the authorization object Authorization Check for SM04, SM50 with a value of S in the Admin field.

1. Controlled by DYNP processor
   - Checks whether additional authorization checks are required to run the transaction (in TSTC Table).
   - Interprets the Dynpros, which involves creating the screens and applying the logic defined in the dynpro (field checks, etc.).
2. All transactions are listed in the TSTC Table. This table includes:
   - An indicator that the transaction has been locked or is available to be used. The ability to lock and unlock transactions is controlled using authorization object Authorization Check for SM04, SM50.
   - Additional authorization checks to be performed. Only users with the value TCOD in the field Admin Functions in object System Admin Functions have the ability to add, alter, or delete these additional authorization tests. If a transaction is not marked as requiring authorization checks, then any user can run the transaction.

Transaction types:
   SU93 and SU91   Displays changes to master records and profiles
   SE30            Trace function
   SU53            Authorization check failures
   SU02            Activation of profiles
   SU03            Activation of authorizations
   SU0A            Assignment of user ID
   SU01            Assignment of users to profiles and alter the password of any user
   SU10            Assignment of profiles for a range of users
   SU12            Delete all users
   TU02            View logon parameters
   SM52            Unix command line prompt
   SU21            Grouping of objects into object classes (example is Basis Administration, Financial Accounting)

Tables

SAP is characterized by the use of thousands of application and control tables. The setup of the control tables, to a large extent, determines in which way a SAP installation functions.

The ABAP/4 Dictionary provides logical views of all data (control data, master data, and transaction data) stored in the SAP system.

All control tables start with the letter “T”.

Control tables can be displayed and maintained on-line.
Menu Path: System - Services - Table Maintenance. In order to restrict tables, a number of table authorization classes should be defined. All standard tables have been assigned to authorization classes. The authorization object Table Maintenance is used to maintain the tables in each authorization class. Two levels of access are allowed: value = 02 (add, change, or delete) and 03 (display only).

To modify a table structure: Menu Path: Tools - CASE - Development - Data Dictionary - Maintenance.

Logging of changes can be accomplished by using change document objects to specify which tables are logged and the level of logg
