GRC Nordic SAP User Management


Page 1: GRC Nordic SAP User Management

GRC Nordic SAP User Management webinar

Page 2: GRC Nordic SAP User Management

Team today

Christa Schönberg Mikko Syrjänen

Page 3: GRC Nordic SAP User Management

Deep Dive into SAP Security

Page 4: GRC Nordic SAP User Management

Authorization check logic and its consequences

Authorization Objects

How the system authorization checks work

Consequences of the nature of the objects

Protect your data systematically

Authorization Objects

System authorization check

Consequences 1: Display roles

Consequences 2: Custom code authorizations

Consequences 3: Protecting specific data

Summary and take-aways

Page 5: GRC Nordic SAP User Management

Authorization Objects


• Authorization Objects
• “An authorization object allows complex tests of an authorization for multiple conditions. Authorizations allow users to execute actions within the system. For an authorization check to be successful, all field values of the authorization object must be appropriately maintained in the user master.”
• From SAP HELP, 2020

Page 6: GRC Nordic SAP User Management

Authorization Objects


Terminology
• Authorization Object Name
• Authorization Object Text
• Class: logical grouping of objects
• Fields
• All fields within one object are checked simultaneously
• If, for example, Plant and Activity are not in the same object, then you cannot give one role / person “Display for all plants” together with “Create for one plant only”: the two fields are checked independently, not as a pair

Page 7: GRC Nordic SAP User Management

System authorization check


A user starts transaction FB50
  → Object S_TCODE is checked

The user enters the data into the transaction

User action (save, execute, generate etc.)
  → Object F_BKPF_BUK is checked
  → Object F_BKPF_BUP is checked
  → Object F_BKPF_GSB is checked
  → Object F_BKPF_KOA is checked

The user action is executed

• All authorization objects and values are loaded at logon into the USER BUFFER (transaction SU56) in alphabetical order
• When the code is executed, the user buffer (transaction SU56) is checked
• It has NO RELEVANCE for which transaction certain objects were given

Page 8: GRC Nordic SAP User Management

Behaviour of authorization objects with multiple instances

ROLE: Bookkeeper
• F_BKPF_BUK
• Company Code 1000
• All Activities


ROLE: Payment recorder
• F_BKPF_BUK
• Company Code 1000
• Display

ROLE: Financial reporter
• F_BKPF_BUK
• All Company Codes
• Display activity

• One user must have a systematically set limitation so that accesses do not start to leak
• In this example: 1 user & 3 roles, three different setups
• The first instance the code finds that allows usage will be used, irrespective of whether the access was given for a specific transaction
• In practice this user has global display and all activities in Company Code 1000, which is not what was wanted in the payment recorder role
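The buffer behaviour on this slide and the previous one, as an added model that is not part of the webinar: every instance from every role lands in one buffer sorted by object name, the fields of one instance must all match, and any matching instance is enough. Field names BUKRS (company code) and ACTVT (activity) for F_BKPF_BUK are assumed; the role contents are constructed from the slide.

```python
# Added example: a small model of the SAP user-buffer authorization check.
# Field names BUKRS/ACTVT for F_BKPF_BUK are assumed; roles are constructed.
# '*' means "all values". ACTVT codes: 01 create, 02 change, 03 display.
ROLES = {
    "Bookkeeper":         [("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"*"}})],
    "Payment recorder":   [("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"03"}})],
    "Financial reporter": [("F_BKPF_BUK", {"BUKRS": {"*"},    "ACTVT": {"03"}})],
}

def load_user_buffer(assigned_roles):
    """At logon every instance of every assigned role is copied into one
    buffer; the originating role and transaction are not recorded."""
    buffer = []
    for role in assigned_roles:
        buffer.extend(ROLES[role])
    # The buffer is ordered by object name, not by role.
    return sorted(buffer, key=lambda inst: inst[0])

def field_matches(allowed, value):
    return "*" in allowed or value in allowed

def authority_check(buffer, obj, **required):
    """True if ANY instance of obj satisfies ALL required fields at once.
    The matching instance is returned so the leak is visible."""
    for name, fields in buffer:
        if name != obj:
            continue
        if all(field_matches(fields.get(f, set()), v) for f, v in required.items()):
            return True, fields
    return False, None

def demo():
    buf = load_user_buffer(["Bookkeeper", "Payment recorder", "Financial reporter"])
    # Payment recorder was meant to be display-only in 1000, but the
    # Bookkeeper instance in the same buffer lets this user post there.
    post_1000 = authority_check(buf, "F_BKPF_BUK", BUKRS="1000", ACTVT="01")[0]
    # Financial reporter's '*' gives display in every company code.
    disp_2000 = authority_check(buf, "F_BKPF_BUK", BUKRS="2000", ACTVT="03")[0]
    # No single instance combines company code 2000 with create: fields are
    # matched within one instance, never mixed across instances.
    post_2000 = authority_check(buf, "F_BKPF_BUK", BUKRS="2000", ACTVT="01")[0]
    return post_1000, disp_2000, post_2000

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```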

Page 9: GRC Nordic SAP User Management

Consequences 1: Display roles

“Let’s grant MIGO in display.” “Yes.”

“OK. The role is called MIGO Display.” “Erh… yes… we try.”


MIGO DISPLAY

Hey this works!

Page 10: GRC Nordic SAP User Management

Consequences 1: Display roles

Time goes by…


MIGO DISPLAY

Accounts Payables Accountant

Finance Reporting

Period End Assistant

Page 11: GRC Nordic SAP User Management

Consequences 1: Display roles

“But it says DISPLAY!!!” “I approved Display. How can you do Goods Receipts??”


MIGO DISPLAY

Accounts Payables Accountant

Finance Reporting

Period End Assistant

Page 12: GRC Nordic SAP User Management

Consequences 1: Display roles


• Be aware of the problem
• Display roles should only have display tcodes
• Non-display tcodes open up if posting roles are assigned separately
• Non-display tcodes may easily pick up the change activity from SU24 into the role if it was maintained wrongly in the first place
• Use screen variants
• Don't grant access to this type of multifunctional transaction in display roles:
  • CJ20N
  • MIGO
  • MIRO
  • FS00, … etc.
• Minimize the risk of the system opening up by managing this in a very pedantic way

Page 13: GRC Nordic SAP User Management

Consequences 2: Custom Code Authorizations


• Custom code has no authorization check unless it is programmed in, except S_TCODE
• This means that if you grant it to users, they can see and do everything there that the code allows
• You should always:
  • Implement at least an activity check and an organizational-level check
  • Aim to use your own authorization objects unless a standard one clearly fits, i.e. don't use standard objects in the wrong way
  • Ensure the SoD library is updated when creating custom code, if the tcode is SoD relevant
  • Ask whether you are showing GDPR-relevant information in the custom code

Page 14: GRC Nordic SAP User Management

Consequences 3: Protecting special data


• You want to make sure that a specific account group is limited away from certain users

• Find out the object that limits this business object (SU24)

• Choose potential object and make some tests

• Decide what object and field values to use

• Find all roles that have this field and analyse the current values

• Ensure that you systematically restrict ALL roles with this object correctly, and also make sure the role assignment process takes this limitation into account
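The “find all roles that have this field and analyse the current values” step above, as an added audit script that is not part of the webinar. It assumes the restricting object is the vendor account-group object F_LFA1_GRP with field KTOKK, models SAP-style single values, trailing-* patterns and from-to ranges, and uses constructed role data and a constructed protected group.

```python
# Added example: scan every role for the object that restricts the protected
# business object and flag values that still admit the group being walled off.
# Object F_LFA1_GRP / field KTOKK are assumed; roles and group are constructed.
PROTECTED_GROUP = "ZEMP"          # constructed: e.g. an employee-vendor group
RESTRICTING_OBJECT = "F_LFA1_GRP"
RESTRICTING_FIELD = "KTOKK"

ROLES = {
    "AP_CLERK":        {"F_LFA1_GRP": {"KTOKK": ["*"], "ACTVT": ["01", "02", "03"]}},
    "AP_DISPLAY":      {"F_LFA1_GRP": {"KTOKK": ["KRED", "LIEF"], "ACTVT": ["03"]}},
    "FI_ZVENDORS":     {"F_LFA1_GRP": {"KTOKK": ["Z*"], "ACTVT": ["03"]}},
    "FI_RANGE":        {"F_LFA1_GRP": {"KTOKK": [("A000", "LZZZ")], "ACTVT": ["03"]}},
    "HR_VENDOR_ADMIN": {"F_LFA1_GRP": {"KTOKK": ["ZEMP"], "ACTVT": ["*"]}},
    "MM_BUYER":        {"S_TCODE": {"TCD": ["ME21N"]}},   # object absent: cannot pass
}

def value_admits(allowed_values, group):
    """SAP-style value list: '*' for all, 'Z*' as prefix pattern, exact
    single values, and (low, high) tuples modelling from-to ranges."""
    for v in allowed_values:
        if isinstance(v, tuple):
            if v[0] <= group <= v[1]:
                return True
        elif v == "*" or v == group or (v.endswith("*") and group.startswith(v[:-1])):
            return True
    return False

def audit_roles(roles, obj, field, group, allowed_roles=frozenset()):
    """Return (role, values) for every role whose obj/field still admits the
    group and that is not on the explicit allow-list. Roles without the object
    are skipped: an active check cannot pass without any instance of it."""
    findings = []
    for role, objects in roles.items():
        inst = objects.get(obj)
        if inst is None or role in allowed_roles:
            continue
        values = inst.get(field, [])
        if value_admits(values, group):
            findings.append((role, values))
    return findings

if __name__ == "__main__":
    for role, values in audit_roles(ROLES, RESTRICTING_OBJECT, RESTRICTING_FIELD,
                                    PROTECTED_GROUP, {"HR_VENDOR_ADMIN"}):
        print(f"{role}: {RESTRICTING_FIELD} = {values} still admits {PROTECTED_GROUP}")
```

Every flagged role needs its value narrowed (or an explicit allow-list entry) before the check is activated, since any one of them in a user's buffer is enough to pass.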

Page 15: GRC Nordic SAP User Management

Real life experiences…

Search help in vendor and customer master data

In many systems the authorization check for customer and vendor master search does not check the authorization objects before you actually enter the master data item. This means a user can list everything in the search box, even if not authorized to, before they enter the master data item, and then list it all and download the items. You can search customer data and vendor data with very many criteria in the search help. There are SAP Notes that fix this issue and activate the checks.

Page 16: GRC Nordic SAP User Management

Real life experiences…

Search help in vendor and customer master data

Activation of the check directly triggered the need to maintain the *_GRP object systematically. Depending on how many roles the object existed in, each had to do a massive activity to update big numbers of roles. The new roles needed to be transported to production simultaneously with the activated check.

Page 17: GRC Nordic SAP User Management

Summary and take aways


• Authorization objects are
  • collections of fields that are checked at the same time
  • loaded into the user buffer at logon in alphabetical order
  • what the SAP code searches for a matching value combination when the user executes a program
• Roles must have systematically maintained authorization object values in order to make sure the restrictions work
• Display roles should hence only have display t-codes
• Custom code must have authorization checks implemented separately
• Special data must be protected from all object instances in all roles, systematically, for the restrictions to work

Page 18: GRC Nordic SAP User Management

GRC Nordic events 2020

Event | Date

› Webinar: SAP authorization concept | Webinar: 16.11, 18.11

› A new and interesting series will be published for 2021!