SAP-SECURITY Syllabus:
- INTRODUCTION TO ERP.
- CLIENT / SERVER ARCHITECTURE.
- R/3 ARCHITECTURE [DIALOG, BACKGROUND, UPDATE, ENQUEUE, SPOOL WORK PROCESSES].
- SYSTEM LANDSCAPE [SINGLE, TWO, THREE SYSTEM LANDSCAPE].
- CLIENT CONCEPT.
- SECURITY ARCHITECTURE.
- TERMINOLOGY OF AUTHORIZATIONS.
- USER ADMINISTRATION.
- USER SETTINGS.
- AUTHORIZATIONS IN GENERAL.
- CREATING & IMPLEMENTING AN AUTHORIZATION CONCEPT.
- BASIC TERMINOLOGY OF AUTHORIZATIONS.
- WORKING WITH PROFILE GENERATORS.
- PROFILE GENERATOR & STANDARD ROLES.
- SUBTLETIES OF AUTHORIZATION MAINTENANCE.
ROLES:
- COMPOSITE ROLE
- SINGLE ROLE
- DERIVED ROLE
- PARENT ROLE & CHILD ROLE.
- TROUBLESHOOTING SECURITY ISSUES - SYSTEM TRACE & SU53.
- PROFILE GENERATOR - INSTALLATION & UPGRADE.
- TRANSPORTING ADMINISTRATIONS.
- CENTRAL USER ADMINISTRATION.
- INTRODUCTION TO SARBANES-OXLEY AUDIT.
- WHAT IS SEGREGATION OF DUTIES?
- SOX ANALYSIS TOOLS
GRC SECURITY:
- COMPLIANCE CALIBRATOR.
- FIRE FIGHTER.
- ACCESS ENFORCER.
- ROLE EXPERT.
SAP ENTERPRISE PORTAL:
- SAP Enterprise Portal Security-Basics.
HR SECURITY CONCEPTS - Basics of ESS /MSS:
ECC 6.0 Security:
- INTRODUCTION.
- ELEMENTS OF THE SAP AUTHORIZATION CONCEPT.
- ASAP IMPLEMENTATION METHODOLOGY.
- USER ADMINISTRATION.
- USING THE PROFILE GENERATOR.
- SECURING SYSTEM (USING ROLES / AUTHORIZATIONS).
- TROUBLESHOOTING MISSING AUTHORIZATIONS.
- TRANSPORT OF AUTHORIZATION COMPONENTS.
- CENTRAL USER ADMINISTRATION - IMPLEMENTATION & ADMINISTRATION.
- PERIODIC ACTIVITIES - DAILY / WEEKLY / MONTHLY, ETC.
- SAP LICENSE ADMINISTRATION.
- SAP MARKET PLACE / OSS USER ADMINISTRATION.
Enterprise resource planning (ERP) systems integrate internal and external management information across an entire organization, embracing finance/accounting, manufacturing, sales and service, customer relationship management, etc. ERP systems automate this activity with an integrated software application. The purpose of ERP is to facilitate the flow of information between all business functions inside the boundaries of the organization and manage the connections to outside stakeholders.
ERP systems can run on a variety of computer hardware and network configurations, typically employing a database as a repository for information.
ERP as an extension of material requirements planning (MRP)
2) CLIENT / SERVER ARCHITECTURE:
[Figure: A computer network diagram of clients communicating with a server via the Internet. Both the clients and the server are nodes (communication points) on the network. The arrangement of the nodes in a network is called the network topology.]
The client–server model is an approach to computer network programming developed at Xerox PARC during the 1970s. It is now prevalent in computer networks. Email, the World Wide Web, and network printing all apply the client–server model.
The model assigns one of two roles to the computers in a network: client or server. A server is a computer system that selectively shares its resources; a client is a computer or computer program that initiates contact with a server in order to make use of a resource. Data, CPUs, printers, and data storage devices are some examples of resources.
This sharing of computer resources is called time-sharing, because it allows multiple people to use a computer (in this case, the server) at the same time. Because a computer does a limited amount of work at any moment, a time-sharing system must quickly prioritize its tasks to accommodate the clients.
Clients and servers exchange messages in a request-response messaging pattern: the client sends a request, and the server returns a response. To communicate, the computers must have a common language, and they must follow rules so that both the client and the server know what to expect. The language and rules of communication are defined in a communications protocol. All client-server protocols operate in the application layer.
Whether a computer is a client, a server, or both, it can serve multiple functions. For example, a single computer can run web server and file server software at the same time to serve different data to clients making different kinds of requests. Client software can also communicate with server software on the same computer (the X Window System is one practical example). Communication between servers, such as to synchronize data, is sometimes called inter-server or server-to-server communication.
List of ABAP-transaction codes related to SAP security :
- What is SAP?
- What are the advantages of SAP?
- What are the disadvantages of SAP?
- SAP Components
- SAP versions
2. SAP 3-tier architecture
- PRESENTATION LAYER
- APPLICATION LAYER
- DATABASE LAYER
S=System A=Applications P=Product
SAP is a package, and it is an ERP package.
SAP is the market and technology leader in business management software, providing comprehensive business software through SAP applications and services.
1.1 What are the advantages of SAP?
Authorization Groups: The authorization group allows extended authorization protection for particular objects
Checking of authorizations in an SAP system: there are essentially two checks. The first check is performed by the system when a transaction is called, and the second is performed by checks in the program.
SAP advantages are Integration, Efficiency, Cost Reduction, Less Personnel, and Accuracy.
1. Integration
Integration can be the highest benefit of them all. The only real project aim for implementing ERP is reducing data redundancy and redundant data entry. If this is set as a goal, to automate inventory posting to G/L, then it might be a successful project. Those companies where integration is not so important or is even dangerous tend to have a hard time with ERP. ERP does not improve the individual efficiency of users, so if they expect it, it will be a big disappointment. ERP improves the cooperation of users.
2. Efficiency
Generally, ERP software focuses on integration and tends not to care about the daily needs of people. I think individual efficiency can suffer by implementing ERP. The big question with ERP is whether the benefit of integration and cooperation can make up for the loss in personal efficiency or not.
3. Cost Reduction
It reduces cost only if the company took accounting and reporting seriously even before implementation and had put a lot of manual effort into it. If they didn't care about it, if they just did some simple accounting to fill mandatory statements and if internal reporting did not exist or was not financially oriented, then no cost is reduced.
4. Less personnel
Less reporting or accounting personnel, but more sales assistants etc.
5. Accuracy
No. People are accurate, not software. What ERP does is make the lives of inaccurate people or organizations a complete hell and maybe force them to be accurate (which means hiring more people or distributing work better), or it fails.
1.2 What are the disadvantages of SAP?
1. Expensive
This entails software, hardware, implementation, consultants, training, etc. Or you can hire a programmer or two as an employee and only buy business consulting from an outside source, do all customization and end-user training inside. That can be cost-effective.
2. Not very flexible
It depends. SAP can be configured to almost anything. In Navision one can develop almost anything in days. Other software may not be flexible.
1.3 SAP Components: SAP Basis and ABAP(Installed Automatically)
a. XI
b. BI
c. FI
d. CRM
e. SRM
f. SCM etc
1.4 SAP Versions: ECC 5.0/6.0/7.0
1. SAP: 3-Tier Architecture
- Presentation Layer: Logon Pad
- Application Layer: SAP
- Database Layer: Oracle
Presentation Layer: The presentation layer enables the user to interact with the relevant application. This interface is typically called the GUI (Graphical User Interface) and it is used to execute the application logic, utilizing the other layers in the combined infrastructure. The SAP Logon Pad is the presentation layer in the system architecture.
Application Layer: Applications are executed in the application layer. SAP (SAP ECC 6.0, 4.7) is the application layer in the system architecture.
Database Layer: The database layer manages data processing. Oracle or SQL Server is the database layer in the system architecture.
1. How to create a customized system entry in the SAP Logon Pad?
- Click on SAP Logon Pad.
- Click on the User_Defined button.
- Provide Description, Application Server, System ID, System No. Click on Save.
- Example: Creating the IRB system in SAP.
1. What is SAP Authorization?
- An authorization is a permission to perform a certain action in the SAP System.
- Authorizations are used to control access at the application level.
- The SAP authorization concept is basically used for SAP security.
- Security: Security means protecting your data and your business.
- Security: Information security is a top priority, for our enterprise solutions and for your enterprise operations.
- Transaction Code: A transaction code is a combination of multiple programs. SU01, PFCG, SU53, SUIM, SU01D etc. are transaction codes normally used in SAP authorization work.
- It is a combination/group of programs.
- Some examples are:
1. SU01: User Maintenance
2. PFCG: Role Maintenance
3. SU53: Authorization Check
4. SM01: Lock/Unlock Tcode
5. SU24: Maintain Auth Object check under transaction
6. SU10: User Mass Maintenance
7. SU01D: User Display
Field: Smallest unit against which a check should be run. It is a least granular element/data element to secure the data/information.
Authorizations: Authorizations are used to control access at the application level.
Authorization Object: Groups 1 to 10 authorization fields together. These fields are then checked simultaneously.
Authorization Object Class: Logical grouping of authorization objects
Profile: A profile provides authorization based on the authorizations and authorization objects it contains. We used to create profiles manually up to version 4.6C in transaction code SU02; after 4.6C these profiles are created automatically while creating/modifying roles or generating roles.
Role: It is a combination of menus, authorizations, profiles and personalization. A role is a group of activities performed within business scenarios, or activities assigned to the user, or a set of functions describing a specific work area. Roles consist of a menu, authorizations and organizational values.
Authorization Groups: The authorization group allows extended authorization protection for particular objects
Role Administration
PFCG: Creation of roles/profile generation.
Roles: Consist of transaction codes, authorization objects and organisational values.
Options:
a. Display Role
b. Change Role
c. Create Role
d. Create Composite Role
e. Copy Role
f. Delete Role
g. Transport Role
h. Download Role
i. Upload Role
j. Mass_Download
k. Mass_Transport
Display Role: Readable mode only
i. Go to PFCG
ii. Provide the role name in the Role name field and click on the Display button. You will get all the details about that role: the Description, Menu tab, Authorizations tab and User tab.
Create Role: Creation of Role.
i. Go to PFCG
ii. Provide the role name and click on the Create button. (You will see a red colour icon, which means we have to fill in all that information.)
iii. Provide description and long text.
iv. In the Menu tab: create a folder and add transaction codes to that folder (e.g. SU01D).
v. In Authorizations Tab:
a) Click on Authorization Tab.
b) It will ask to save the changes. Click on Save.
c) As per the SAM document we have to provide the organisational level in the authorization object values. Save it, then execute.
d) Click on Generate Authorization Profile. Profile will generate automatically.
Change Role: This is in editable mode.
i. Go to PFCG
ii. Provide the role name which we want to modify and click on the Change Role icon.
iii. Now we are able to change the description and long text of the role and, in the Menu tab, create a folder and add transaction codes to it.
iv. In the Authorizations tab: we have to generate a new profile for each modification.
Delete Role: Deletion of a role from the system. Just provide the role name and click on the Delete icon. It will be deleted from the system.
Copy Role: Copies an existing role's information into a new role.
a) Go to PFCG
b) Provide the role name and click on the Copy Role icon.
c) It will ask for From Role and To Role (From Role = existing role).
d) To Role => New Role => Copy all / Copy selectively.
e) Once you are done with the copy, click on Change Role.
f) During the copy, the menu and description are copied from the old role into the new role, and the authorization objects and organisational level are copied too. We have to generate a new profile for this role because the profile is never copied.
Create Composite Role: A composite role is nothing but two or more roles.
a) Go to PFCG
b) Provide the role name and click on Composite Role.
c) Provide description as well as long text.
d) The tabs available in this role are Roles, Menu, User and Personalisation. (Note: the Authorizations tab is absent in a composite role.)
e) Composite: two or more single roles. Provide the single roles in the Roles tab. Move to the Menu tab and click on Save.
f) In the Menu tab we can create a new folder.
Transport Role: Go to PFCG
a) Provide the role name.
b) Click on Transport Role.
c) Tick the check box (also transport generated profiles for single roles).
d) Click on Execute. Click on Continue. Again Continue.
e) Click on Create Request (it will prompt for the customer requirement).
f) Provide a description for the Transport Request (TR).
g) Click on Save and Continue. The TR will be generated automatically.
h) This is used for only one role.
Mass Transport:
a) Go to PFCG
b) PFCG => Utilities => Mass_Transport
c) Click on Multiple Selection.
d) It will ask for single values; provide them.
e) Click on Execute. Again click on Execute. Click on Continue.
f) Create Request.
g) Provide a description for the TR.
h) Click on Save and Continue.
i) One TR will be generated for multiple roles.
Download Role:
a) Go to PFCG
b) Provide the role name.
c) Role => Download
d) Click on Continue. Save As (save on the local machine).
e) Click on Save. You will get "Action performed successfully".
f) Message: role downloaded successfully.
g) Other than the profile, everything is the same in the downloaded role.
Mass Download Role:
a) Go to PFCG
b) Utilities menu in the menu bar => Mass_Download
c) Click on Multiple Selection.
d) Provide the roles for downloading.
e) Click on Copy, then Execute.
f) Click on Continue => Save As => provide the file name and click on Save => Continue.
Upload Role:
a) Go to PFCG
b) Role=>Upload
c) Click on Continue.
d) Open (select the file name from the system).
e) Click on Open and then Continue. If the role already exists, it will ask whether to overwrite.
f) NOTE: after uploading a role in SAP we have to regenerate the profile in the Authorizations tab and save it.
Mass Upload Role:
a) Go to PFCG
b) Role=> Upload
User Types
1. Dialog: Communicates with the system interactively.
2. System: Background processing user. It is used within the system.
Dialog logon is not possible. No human user.
3. Communications: Dialog logon is not possible. Use the communication user type for dialog-free communication between systems.
4. Service: Used as a dialog user. Dialog logon is possible. A user of type Service is a dialog user that is available to an anonymous larger group of users; multiple logons are allowed. During logon the system does not check for an initial password.
5. Reference: Like the service user. A reference user is a general user not assigned to a particular person.
Authorization Check:
Transaction code SU53 is used for the authorization check.
a) Go to SU53.
b) You are able to see which authorization check failed.
c) You are able to see all authorizations given to that user.
d) To overcome this we have to find another transaction code with proper permission from L3 and assign that role to that user.
e) Use transaction code SUIM for help.
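The authorization terminology above (field, object, authorization, profile, single and composite role) and the two-stage check that SU53 reports on, as a small Python model added here; it is not SAP code. S_TCODE and S_USER_GRP are real SAP object and field names, while the Z_* roles and their values are constructed for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class AuthObject:
    name: str
    fields: tuple  # the 1 to 10 fields the object groups; always checked together

@dataclass
class Authorization:
    obj: AuthObject
    values: dict  # field name -> permitted values; '*' is the full authorization

@dataclass
class Role:
    name: str
    authorizations: list = field(default_factory=list)  # contents of its generated profile
    single_roles: list = field(default_factory=list)    # filled only for a composite role

    def effective(self):  # a composite role grants the union of its single roles' profiles
        auths = list(self.authorizations)
        for role in self.single_roles:
            auths.extend(role.effective())
        return auths

def value_permitted(permitted, value):
    # '*' is the full authorization; a trailing '*' acts like an SAP pattern value
    return any(p == "*" or fnmatchcase(value, p) for p in permitted)

def check(roles, obj, **wanted):
    """Pass only if ONE authorization satisfies every field at once (like an
    AUTHORITY-CHECK); on failure return object + tested values, as SU53 shows."""
    for role in roles:
        for auth in role.effective():
            if auth.obj == obj and all(value_permitted(auth.values[f], wanted[f]) for f in obj.fields):
                return True, None
    return False, {"object": obj.name, **wanted}

def start_transaction(roles, tcode):
    # Stage 1 of the two checks: S_TCODE is tested when the transaction starts
    return check(roles, S_TCODE, TCD=tcode)

# Constructed sample: real SAP object and field names, made-up role names.
S_TCODE = AuthObject("S_TCODE", ("TCD",))
S_USER_GRP = AuthObject("S_USER_GRP", ("CLASS", "ACTVT"))  # user group and activity
DISPLAY_USERS = Role("Z_USER_DISPLAY", [
    Authorization(S_TCODE, {"TCD": ("SU01D", "SU53")}),
    Authorization(S_USER_GRP, {"CLASS": ("*",), "ACTVT": ("03",)}),  # 03 = display
])
HELPDESK = Role("Z_HELPDESK", single_roles=[DISPLAY_USERS])  # composite role
```

Stage 2 is the in-program check, e.g. `check([HELPDESK], S_USER_GRP, CLASS="SUPER", ACTVT="02")`, which fails here because the role only grants activity 03 and the returned dict is the kind of detail SU53 shows for the missing authorization.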