Sap Security and Controls

SAP is an ERP software system that provides security through user authorizations which are assigned via authorization objects, fields, profiles, roles and users to control access and segregate duties, with increased focus on controls due to regulations around fraud, security breaches, and compliance. SAP performs authorization checks at the kernel level when a transaction is initiated and at the program level using ABAP authority-check statements to validate the user's access rights based on their assigned authorizations.

Uploaded by sandeep kumar

SAP SECURITY AND CONTROLS
What is SAP?
SAP (Systems, Applications and Products in Data Processing) is the name of the largest European (German)
software company as well as the name of the software itself.
The company was founded in 1972 by five former IBM employees.
SAP R/3 software has been developed using ABAP/4 as its programming language.
SAP is an ERP (Enterprise Resource Planning) system that aims to integrate the
different modules (SD, MM, CO, HR etc.) of a company. The integration results in
consistency of data throughout the system and the company as a whole.
As of 2005, SAP employs over 28,900 people in more than 50 countries.
Purpose of Security
◦ Assign users rights to perform job tasks that they need to do.
◦ Prohibit users from doing tasks that they are not supposed to do.

Increased Focus on Security and Controls


A. Fraud
B. Security Breaches
C. Regulatory Compliance
◦ Sarbanes-Oxley (SOX)
◦ Family Educational Rights and Privacy Act (FERPA)
◦ Gramm-Leach-Bliley Act (GLBA)
◦ Health Insurance Portability and Accountability Act (HIPAA)
Security Risks
1. Access Control
◦ Do some users have too much access?
◦ Sufficient access restrictions to private information?

2. Segregation of Duties (SoD)


Segregation of Duties is a primary internal control intended to prevent or reduce the
risk of errors or irregularities by ensuring that conflicting duties (for example, creating a
vendor and releasing payments to that vendor) are assigned to different people, so that no
single user can complete a sensitive business process end to end.
ELEMENTS OF AUTHORIZATION
SAP application security in R/3 systems is controlled by means of authorizations.
What are Authorizations?
Authorizations consist of values by means of which users are allowed to conduct activities within the R/3 System.
Authorizations are the basic building blocks of SAP NetWeaver security, which consists of the
following components:
Authorization object class
Authorization objects
Authorization fields and Field Values
Profiles
Roles
Users
AUTHORIZATION
Authorization Object Class
An authorization object class encompasses all the authorization objects within it. Object classes are
segregated by component of the system, e.g. Basis, FI, HR; they are a logical
grouping of authorization objects.

An authorization object class can contain multiple objects, which are subsequently required for gaining
access to run certain activities, e.g. executing transactions and reports.
Authorization Objects
They are containers for authorization fields and their respective field values. A maximum of ten
fields can be present per object, and the fields are combined by an AND condition, i.e. only if all field
values are satisfied is the user allowed to execute that activity.

This allows complex tests of an authorization against multiple conditions at once (for example,
activity AND company code), rather than a single yes/no flag.

NB:- An authorization object can belong to a single class only.


Authorization Fields and Field Values
The smallest unit against which a check is run.
In authorization objects, authorization fields represent the values to be tested during
authorization checks.
In the SAP R/3 System, transactional security is maintained within the authorization fields, which is
where the actual authorization checking occurs. Examples of authorization fields include: company
code, sales distribution group, user group, activity, application area and development
class.
Profiles
Profiles are containers in which standard as well as additional authorizations are encompassed
and associated with a user in the user master record.

Authorizations are associated with users only in the form of profiles. When a role is generated
with the Profile Generator (transaction PFCG), the resulting profile is what is actually entered in
the user master record.

Profiles are of two types:-
Single (simple) profile and composite profile
Roles
Roles are just a grouping of activities (or tasks) a user has authorization to access and/or
perform.

Roles are based on the jobs that a particular user is authorized to conduct within the R/3
System. Eg:- A purchasing department clerk who is responsible for creating purchase requests need not
have access to the tables storing invoice details.
A role assigned to a user also determines the list of transactions that are to be part of the
customized user menu. Only the transactions, reports and web addresses included within the
assigned roles would be visible to the user.
Users
Users are the entities to whom roles, and thereby profiles, are assigned. A user is assigned one
or more roles (and their generated profiles) by the system administrator. The profiles in the
user master record define all of the user's system authorizations.
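The Segregation of Duties risk and the role/user assignment described above, as an added worked example (not from the slides): a check that expands each user's roles, composite roles included, to the transactions they grant and reports users who can perform both sides of a defined conflict. The role names, user assignments, business functions and conflict pairs are constructed sample data; the transaction codes (XK01, FB60, F110 etc.) are real SAP ones; the function names expand_roles, user_tcodes, sod_violations and sod_report are this example's own. It only models the transactions a role grants (S_TCODE), not the field values a real role also carries.

```python
"""Segregation-of-duties (SoD) check over SAP role assignments (added example,
constructed data).

Expands each user's roles (composite roles into single roles, single roles
into the transactions they grant) and reports users who can perform both
sides of a defined conflict, together with the roles that cause it.
"""

# Constructed sample data: role names and user assignments are hypothetical.
# A real single role also carries authorization field values; only the
# transaction codes it grants are modelled here.
SINGLE_ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},   # create / change vendor master
    "Z_AP_INVOICE":      {"FB60", "MIRO"},   # enter vendor invoices
    "Z_AP_PAYMENT":      {"F110"},           # automatic payment run
    "Z_FI_DISPLAY":      {"FB03", "XK03"},   # display only
}
COMPOSITE_ROLES = {
    "Z_AP_ALL": {"Z_AP_VENDOR_MAINT", "Z_AP_INVOICE", "Z_AP_PAYMENT"},
}
USER_ROLES = {
    "CLERK1": {"Z_AP_INVOICE", "Z_FI_DISPLAY"},
    "CLERK2": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT"},
    "SUPER1": {"Z_AP_ALL"},
    "AUDIT1": {"Z_FI_DISPLAY"},
}

# Business functions, each defined by the transactions that perform it, and
# the pairs of functions that must not be held by the same person.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02"},
    "INVOICE_ENTRY": {"FB60", "MIRO"},
    "PAYMENT_RUN": {"F110"},
}
CONFLICTS = [
    ("VENDOR_MAINTAIN", "INVOICE_ENTRY"),
    ("VENDOR_MAINTAIN", "PAYMENT_RUN"),
    ("INVOICE_ENTRY", "PAYMENT_RUN"),
]


def expand_roles(roles):
    """Resolve composite roles (recursively) to the set of single roles."""
    single, seen, pending = set(), set(), list(roles)
    while pending:
        role = pending.pop()
        if role in seen:
            continue
        seen.add(role)
        if role in COMPOSITE_ROLES:
            pending.extend(COMPOSITE_ROLES[role])
        elif role in SINGLE_ROLES:
            single.add(role)
        # Unknown role names grant nothing and are ignored.
    return single


def user_tcodes(user):
    """Map each transaction the user can start to the single roles granting it."""
    granted = {}
    for role in expand_roles(USER_ROLES.get(user, set())):
        for tcode in SINGLE_ROLES[role]:
            granted.setdefault(tcode, set()).add(role)
    return granted


def sod_violations(user):
    """Sorted (function_a, function_b, roles) tuples for every conflict pair
    where the user holds at least one transaction of each function."""
    tcodes = user_tcodes(user)
    held = set(tcodes)
    violations = []
    for func_a, func_b in CONFLICTS:
        hit_a = FUNCTIONS[func_a] & held
        hit_b = FUNCTIONS[func_b] & held
        if hit_a and hit_b:
            roles = set()
            for t in hit_a | hit_b:
                roles |= tcodes[t]
            violations.append((func_a, func_b, tuple(sorted(roles))))
    return sorted(violations)


def sod_report():
    """Violations per user; users without any are left out."""
    report = {}
    for user in sorted(USER_ROLES):
        viols = sod_violations(user)
        if viols:
            report[user] = viols
    return report


if __name__ == "__main__":
    for user, viols in sod_report().items():
        for func_a, func_b, roles in viols:
            print(f"{user}: {func_a} + {func_b} via {', '.join(roles)}")
```

Note that SUPER1 holds no conflicting single role directly; the conflicts only appear once the composite role is expanded, which is why a check that looks at role names alone misses it.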
ELABORATE VIEW OF THE CONCEPT OF AUTHORIZATION CHECK
Objectives :-
The audience will be able to get an overview of:
◦ the different types of authorization checks in SAP
◦ the different tables and transactions involved
Why are authorization checks required?
When a transaction is initiated, the SAP application internally performs a series of checks (kernel level
and ABAP program level) to establish whether the user who initiated the transaction actually has
the authority to do so.
The checks are done in the following order:-
1. The system checks whether the transaction code exists in table TSTC.
2. The system checks whether the transaction code has been locked by the administrator (transaction
code SM01).
3. The system checks whether the user has the authority to start the transaction (authorization object
S_TCODE, field TCD, plus any additional authorization object and values assigned to the transaction
in table TSTCA).
Authorization Check
The SAP application performs security-oriented authorization checks at two levels.
They are:
At the kernel level (incorporated into the application/system)
At the runtime level (ABAP program level check)
The kernel level checks are performed when a transaction is initiated, while the program level
checks take place only after the kernel level checks have succeeded.
Program Level Check
Authorization checks in programs are performed using the ABAP statement AUTHORITY-CHECK
(AUTHORITY-CHECK OBJECT ... ID ... FIELD ...).
Whenever a transaction is initiated, the SAP program responsible for running it
performs the ABAP program level check. The programmers place the AUTHORITY-CHECK
statements within this program, before the protected action (display, change, post) is executed.
The following are checked by these statements:
The authorization object relevant to that activity
The corresponding field values for each of the fields named in the check; only if an allowable
combination of field values is found in one of the user's authorizations is the activity allowed, otherwise
the program stops and issues an error message. Note that the statement itself only sets a return code
and never aborts the program: a program that does not evaluate the return code is effectively unprotected.
Check Results
After the check is performed, the system sets a return code (sy-subrc), which is one of
the following depending on the result:
0- The user has access to the authorization object with the required field values, so he/she can
continue to execute the transaction.
4- The user has an authorization for the object(s) required for executing the transaction,
but the field values do not match, and the user cannot continue.
12- The user does not have any authorization for the object at all and therefore cannot be allowed
to run the transaction.
16- No profile mapped to the user can be found in the user master record.
SU24 (maintains, per transaction code, which authorization objects are checked and the default field values proposed to the Profile Generator, PFCG)
Example
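The ordered checks at transaction start, the AND combination of fields within an authorization object, and the AUTHORITY-CHECK return codes described above, worked through as an added example that is not from the slides. It is a model in Python of what the ABAP statement does, not ABAP itself. The users, profiles, field values, the TSTC extract and the SM01 lock set are constructed data; the authorization objects and fields S_TCODE/TCD and F_BKPF_BUK/BUKRS/ACTVT are real SAP ones; the function names value_allowed, authority_check, start_transaction and post_document are this example's own.

```python
"""Model of the SAP authorization check (added example, constructed data):
user master -> profiles -> authorizations (object + field values), the
ordered kernel-level checks at transaction start, and the return codes that
the ABAP statement AUTHORITY-CHECK leaves in sy-subrc.
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization: an object and, per field, the set of allowed values.
    '*' allows any value; a trailing '*' (e.g. '10*') is a generic value."""
    obj: str
    values: dict


@dataclass
class Profile:
    name: str
    auths: list


# Constructed sample user master (hypothetical users, profiles and values).
# The objects/fields are real SAP ones: S_TCODE/TCD (start a transaction) and
# F_BKPF_BUK/BUKRS+ACTVT (accounting document, by company code and activity).
USER_MASTER = {
    "CLERK1": [Profile("Z_FI_CLERK", [
        Authorization("S_TCODE", {"TCD": {"FB01", "FB03"}}),
        # Two authorizations for the same object: fields are ANDed inside each
        # one and the authorizations are ORed. CLERK1 may create (01) and
        # display (03) in company code 1000 but only display in 2000.
        Authorization("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"01", "03"}}),
        Authorization("F_BKPF_BUK", {"BUKRS": {"2000"}, "ACTVT": {"03"}}),
    ])],
    "AUDITOR": [Profile("Z_FI_AUDIT", [
        Authorization("S_TCODE", {"TCD": {"FB03"}}),
        Authorization("F_BKPF_BUK", {"BUKRS": {"*"}, "ACTVT": {"03"}}),
    ])],
    "NEWHIRE": [],   # user exists but has no profile yet
}

# Hypothetical extract of table TSTC (transaction code -> program) and of the
# transactions an administrator has locked with SM01.
TSTC = {"FB01": "SAPMF05A", "FB03": "SAPMF05L", "ZPUR01": "ZPURCHASE"}
LOCKED_TCODES = {"ZPUR01"}


def value_allowed(allowed, value):
    """Does any allowed value cover `value` (exact, '*' or generic prefix)?"""
    for a in allowed:
        if a == "*" or a == value:
            return True
        if a.endswith("*") and value.startswith(a[:-1]):
            return True
    return False


def authority_check(user, obj, **ids):
    """Return the sy-subrc value AUTHORITY-CHECK would set:
    0 = allowed, 4 = object held but field values do not match,
    12 = no authorization for the object at all, 16 = no profile in user master."""
    profiles = USER_MASTER.get(user)
    if not profiles:
        return 16
    auths = [a for p in profiles for a in p.auths if a.obj == obj]
    if not auths:
        return 12
    for auth in auths:
        # Every field ID named in the check must be satisfied by this one
        # authorization (AND); values of different authorizations never mix.
        if all(value_allowed(auth.values.get(fld, set()), val)
               for fld, val in ids.items()):
            return 0
    return 4


def start_transaction(user, tcode):
    """The ordered kernel-level checks performed when a transaction starts."""
    if tcode not in TSTC:
        return "NOT_IN_TSTC"
    if tcode in LOCKED_TCODES:
        return "LOCKED_SM01"
    if authority_check(user, "S_TCODE", TCD=tcode) != 0:
        return "NO_AUTHORIZATION_S_TCODE"
    return "STARTED"


def post_document(user, bukrs):
    """Program-level check as a posting program must do it: evaluate the
    return code itself, because the statement never aborts the program."""
    rc = authority_check(user, "F_BKPF_BUK", BUKRS=bukrs, ACTVT="01")
    if rc != 0:
        return f"E: posting refused in company code {bukrs} (sy-subrc {rc})"
    return f"S: document posted in company code {bukrs}"


if __name__ == "__main__":
    print(start_transaction("CLERK1", "FB01"), start_transaction("CLERK1", "ZPUR01"))
    print(post_document("CLERK1", "1000"), "|", post_document("CLERK1", "2000"))
    print(post_document("AUDITOR", "1000"), "|", post_document("NEWHIRE", "1000"))
```

The CLERK1 data shows why the AND rule matters: holding ACTVT 01 for company code 1000 and ACTVT 03 for 2000 does not grant ACTVT 01 in 2000, since the values of separate authorizations are never combined; the check returns 4, not 0.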
