
Sap Security Q

Page 1: Sap Security Q

Q. SAP Security T-codes
A. Frequently used security T-codes:

SU01 Create/Change User
PFCG Maintain Roles
SU10 Mass Changes
SU01D Display User
SUIM Reports
ST01 Trace
SU53 Authorization analysis

Q. List a few security tables
A. See the Security Tables section later in this document.

Q. How to create users?
A. Execute transaction SU01 and fill in all the fields. When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional.

Q. What is the difference between USOBX_C and USOBT_C?
A. The table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (regardless of the AUTHORITY-CHECK statements programmed in it). This table also determines which authorization checks are maintained in the Profile Generator.

The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

Q. What authorizations are required to create and maintain user master records?
A. The following authorization objects are required to create and maintain user master records:

• S_USER_GRP: User Master Maintenance: Assign user groups

• S_USER_PRO: User Master Maintenance: Assign authorization profile

• S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q List R/3 User Types

1. Dialog users are used for individual, interactive users. The system checks for expired/initial passwords, the user can change their own password, and multiple dialog logons are checked.

2. Service users: only user administrators can change the password. There is no check for expired/initial passwords, and multiple logons are permitted.

3. System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.

4. A Reference user is, like a System user, a general, non-personally related, user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.

Q. What is a derived role?

• Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

• The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.

• Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

Q. What is a composite role?

• A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called collective roles.

• Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.

• Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.

• The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.

Q. What do the different colored lights mean in the Profile Generator?

A.

Q. What are the different tabs in PFCG?

A.

Q. What does user compare do?
A. If you are also using the role to generate authorization profiles, then you should note that the generated profile is not entered in the user master record until the user master records have been compared. You can automate this by scheduling report PFCG_TIME_DEPENDENCY on a daily basis.

Q. Can we convert an authorization field to an org. field?
A. An authorization field can be changed to an organizational level field using PFCG_ORGFIELD_CREATE or ZPFCG_ORGFIELD_CREATE. Use SE38 or SA38 to run the above report.

• Organizational level fields should only be created before you start setting up your system. If you create organizational level fields later, you might have to do an impact analysis. The authorization data may have to be post-processed in roles.

• The fields "Activity" (ACTVT) and "Transaction code" (TCD) cannot be converted into an organizational level field.

In addition, all affected roles are analyzed and the authorization data is adjusted. The values of the authorization field which is now to become the organizational level field are removed and entered into the organizational level data of the role.

Note: the table for organizational level fields is USORG. Refer to SAP Note 323817 for more detail.

Q. How many profiles can be assigned to any user master record?
A. The maximum number of profiles that can be assigned to any user is ~312. Table USR04 (profile assignments for users) contains both information on the change status of a user and the list of the profile names that were assigned to the user. The field PROFS is used for saving the change flag (C = user was created, M = user was changed) and the names of the profiles assigned to the user. The field is defined with a length of 3750 characters. Since the first two characters are intended for the change flag, 3748 characters remain for the list of the profile names per user. Because of the maximum length of 12 characters per profile name, this results in a maximum number of 312 profiles per user.

Q. Can you add a composite role to another composite role?
A. No.

Q. How to reset the SAP* password from the Oracle database?
A. Log on to your database with user ID orasid and run this SQL, where mandt is the client:

    delete from sapSID.usr02 where bname = 'SAP*' and mandt = 'XXX';
    commit;

Now you can log on to the client using SAP* and password PASS.


Q. What is the difference between a role and a profile?
A. A role acts as a container that collects transactions and generates the associated profile. The Profile Generator (PFCG) in the SAP system automatically generates the corresponding authorization profile. Developers used to perform this step manually before PFCG was introduced by SAP. Any maintenance of the generated profile should be done using PFCG.

Q. What is the user buffer?
A. When a user logs on to the SAP R/3 system, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer. For example, if user Smith logs on to the system, his user buffer contains all authorizations of role USER_SMITH_ROLE. The user buffer can be displayed in transaction SU56.

A user would fail an authorization check if:

• The authorization object does not exist in the user buffer

• The values checked by the application are not assigned to the authorization object in the user buffer

• The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be controlled using the system profile parameter auth/number_in_userbuffer.

Q. How to find out all roles with T-code SU01?
A. You can use SUIM > Roles by complex criteria, or report RSUSR070, to find this out. Go to Selection by Authorization Value. In Object 1 put S_TCODE and hit enter, then put SU01 in Transaction code and hit the Execute (clock with check) button. I use the authorization object here because you can use this to test any object.

You can also get this information directly from the table if you have access to SE16 or SE16N. Execute SE16N with:

Table: AGR_1251
Object: S_TCODE
VALUE (low): SU01

Q. How to find out all the users who have SU01?
A. You can use SUIM > User by complex criteria (report RSUSR002) to find this out. Go to Selection by Authorization Value. In Object 1 put S_TCODE and hit enter, then put SU01 in Transaction code and hit the Execute (clock with check) button. I use the authorization object here because you can use this to test any object.

Q. How to find out all the roles for one composite role or a selection of composite roles?
A. Execute SE16N, table AGR_AGRS, field Composite roles. You can enter multiple composite roles using the More button.

Q. How to find out all the derived roles for one or more master (parent) roles?
A. Execute SE16N, table AGR_DEFINE. Use either the AGR_NAME field or the PARENT_AGR field.

Q. How can I check all the organizational level values for any role?
A. Execute SE16N, table AGR_1252. Type in the role and hit execute. You can also download all the information to a spreadsheet.
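An added worked example (not from the original document) covering the user buffer question and the SE16N/SUIM lookups above: it resolves composite roles through AGR_AGRS, answers "which roles and users have SU01" from AGR_1251 and AGR_USERS, and evaluates an AUTHORITY-CHECK against a user buffer, including the auth/number_in_userbuffer overflow case. All roles, users and table rows are constructed sample data, and the code treats all rows of one role for one object as a single authorization, which real roles need not do.

```python
"""Role resolution and an AUTHORITY-CHECK evaluated against the user buffer.
Every row below is constructed sample data shaped like the SAP tables the text
names (AGR_DEFINE, AGR_AGRS, AGR_1251, AGR_USERS); nothing is a real export."""
from typing import List, Optional, Set, Tuple

Row = Tuple[str, str, str, str, str]  # (role, object, field, low, high)

AGR_DEFINE = [  # (role, parent role): a non-empty parent marks a derived role
    ("Z_USER_ADMIN", ""),
    ("Z_USER_ADMIN_DE", "Z_USER_ADMIN"),
    ("Z_DISPLAY", ""),
    ("Z_COMP_HELPDESK", ""),
]
AGR_AGRS = [  # (composite role, contained elementary role)
    ("Z_COMP_HELPDESK", "Z_USER_ADMIN_DE"),
    ("Z_COMP_HELPDESK", "Z_DISPLAY"),
]
AGR_1251: List[Row] = [
    ("Z_USER_ADMIN", "S_TCODE", "TCD", "SU01", ""),
    ("Z_USER_ADMIN", "S_USER_GRP", "ACTVT", "02", ""),
    ("Z_USER_ADMIN", "S_USER_GRP", "CLASS", "*", ""),
    ("Z_USER_ADMIN_DE", "S_TCODE", "TCD", "SU01", ""),
    ("Z_USER_ADMIN_DE", "S_USER_GRP", "ACTVT", "02", ""),
    ("Z_USER_ADMIN_DE", "S_USER_GRP", "CLASS", "DE*", ""),  # org level narrowed
    ("Z_DISPLAY", "S_TCODE", "TCD", "SU01D", ""),
    ("Z_DISPLAY", "S_TCODE", "TCD", "SE16", "SE16N"),  # interval LOW..HIGH
    ("Z_DISPLAY", "S_USER_GRP", "ACTVT", "03", ""),
    ("Z_DISPLAY", "S_USER_GRP", "CLASS", "*", ""),
]
AGR_USERS = [  # (role, user)
    ("Z_USER_ADMIN", "ALICE"),
    ("Z_COMP_HELPDESK", "BOB"),
    ("Z_DISPLAY", "CAROL"),
]

def value_matches(value: str, low: str, high: str) -> bool:
    """Authorization value semantics: an interval when HIGH is set, otherwise a
    single value or a trailing-* pattern ('*' alone matches everything)."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low

def derived_roles(parent: str) -> List[str]:
    """AGR_DEFINE lookup on the PARENT_AGR field, as in the text."""
    return sorted(r for r, p in AGR_DEFINE if p == parent)

def elementary_roles(role: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Expand a composite role via AGR_AGRS; a role with no members is elementary.
    The seen-set only guards against cyclic test data (SAP forbids nesting)."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    members = [child for comp, child in AGR_AGRS if comp == role]
    if not members:
        return {role}
    return set().union(*(elementary_roles(m, seen) for m in members))

def roles_granting_tcode(tcode: str) -> List[str]:
    """The SE16N query from the text: AGR_1251, Object S_TCODE, VALUE (low)."""
    return sorted({role for role, obj, field, low, high in AGR_1251
                   if obj == "S_TCODE" and field == "TCD" and value_matches(tcode, low, high)})

def user_roles(user: str) -> Set[str]:
    """Elementary roles a user holds, resolving composite assignments."""
    return set().union(*(elementary_roles(r) for r, u in AGR_USERS if u == user))

def users_with_tcode(tcode: str) -> List[str]:
    """Who can reach the transaction (what SUIM 'User by complex criteria' answers)."""
    granting = set(roles_granting_tcode(tcode))
    return sorted({u for _, u in AGR_USERS if user_roles(u) & granting})

def build_user_buffer(user: str, max_entries: int) -> Tuple[List[Row], bool]:
    """Mimic the buffer built at logon (SU56): every value of every elementary role.
    max_entries plays the part of auth/number_in_userbuffer."""
    roles = user_roles(user)
    entries = [row for row in AGR_1251 if row[0] in roles]
    return entries, len(entries) > max_entries

def authority_check(user: str, obj: str, max_entries: int = 2000, **required: str) -> bool:
    """AUTHORITY-CHECK OBJECT obj ID field FIELD value ... against the user buffer.
    Simplification: all rows of one role for one object form a single authorization."""
    entries, overflowed = build_user_buffer(user, max_entries)
    if overflowed:
        return False  # failure cause 3: the buffer overflowed
    for role in {r for r, o, *_ in entries if o == obj}:  # empty: failure cause 1
        rows = [e for e in entries if e[0] == role and e[1] == obj]
        if all(any(value_matches(v, low, high) for _, _, f, low, high in rows if f == field)
               for field, v in required.items()):
            return True
    return False  # failure cause 2: object present but the checked values are not

if __name__ == "__main__":
    print("roles with SU01:", roles_granting_tcode("SU01"))
    print("users with SU01:", users_with_tcode("SU01"))
    print("BOB maintains DE_SALES:", authority_check("BOB", "S_USER_GRP", ACTVT="02", CLASS="DE_SALES"))
```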

Q. How do I restrict access to files through AL11?
A. First create an alias. Go to t-code AL11 > Configure > Create alias. Let's say we are trying to restrict alias DIR_TEMP, which is /tmp. Open PFCG, assign t-code AL11, and change the authorization for S_DATASET as follows:

Activity: 33
Physical file name: /tmp/*
Program Name with Search Help: *

Q. How can I add one role to many users?
A. Use SU10. If you have fewer than 16 users, you can paste the user IDs. If you have more than 16 users, click on Authorization data, click on the button next to Users and upload from the clipboard. Hit the Change button, go to the Roles tab, add the roles to be assigned and hit Save.

Q. What are the best practices for locking expired users?
A. Lock the user. Remove all the roles and profiles assigned to the user. Move them to the TERM user group.

Q. How can the password rules be enforced?
A. Password rules can be enforced using profile parameters.

Q. How to remove duplicate roles with different start and end dates from the user master?
A. You can use PRGN_COMPRESS_TIMES to do this. Please refer to SAP Note 365841 for more info.

Q. Why does a user have the authorization in PFCG, but still complain about missing authorization?
A. Make sure the user master is compared. Maybe there is a user buffer overflow. Also check the profile, following the instructions below: SUIM > User by complex criteria. Put in the user ID of the user who is having the issue and execute. Double-click on the user ID and expand the tree. Select the profile in question and see whether the authorization is correct or not. If not, do the role reorg in PFCG and see if that helps.

Q. How can I create a display-all role?
A. Copy SAP_ALL, open the role and change the activity to 03 and 08.

Q. How can I find out all ACTVT values in SAP?
A. All possible activities (ACTVT) are stored in table TACT (transaction SM30), and the valid activities for each authorization object can be found in table TACTZ (transaction SE16).

Q. What is SAP?
A. SAP is the name of the company, founded in 1972 under a German name that translates to Systems, Applications, and Products in Data Processing; its product is the leading ERP (Enterprise Resource Planning) software package.

Q. Explain the concept of "Business Content" in SAP Business Information Warehouse.
A. Business Content is a pre-configured set of role- and task-relevant information models based on consistent metadata in the SAP Business Information Warehouse. Business Content provides selected roles within a company with the information they need to carry out their tasks. These information models essentially contain roles, workbooks, queries, InfoSources, InfoCubes, key figures, characteristics, update rules and extractors for SAP R/3, mySAP.com Business Applications and other selected applications.

Q. What is IDES?
A. International Demonstration and Education System. A sample application provided for faster learning and implementation.

Q. What is SAP R/3?
A. A third-generation set of highly integrated software modules that performs common business functions based on multinational leading practice. It takes care of any enterprise, however diverse in operation and spread over the world. In an R/3 system the three layers (presentation, application server and database server) are located on different systems.

Q. What are presentation, application and database servers in SAP R/3?
A. The application layer of an R/3 System is made up of the application servers and the message server. Application programs in an R/3 System run on application servers. The application servers communicate with the presentation components, the database, and also with each other, using the message server. All the data is stored in a centralized server, called the database server.

Q. What should be the approach for writing a BDC program?
A. Convert the legacy system data to a flat file and load the flat file into an internal table. Transfer the flat file into the SAP system ("SAP data transfer"). Then either call transaction (write the program explicitly) or create sessions (sessions are created and processed; if successful, the data is transferred).

Q. What are the major benefits of reporting with BW over R/3? Would it be sufficient just to Web-enable R/3 reports?
A. Performance: heavy reporting along with regular OLTP transactions can produce a lot of load on both R/3 and the database (CPU, memory, disks, etc.). Just take a look at the load put on your system during a month end, quarter end, or year end, and imagine that occurring even more frequently. Data analysis: BW uses Data Warehouse and OLAP concepts for storing and analyzing data, whereas R/3 was designed for transaction processing. With a lot of work you can get the same analysis out of R/3, but it would most likely be easier from BW.

Q. What is the difference between OLAP and Data Mining?
A. OLAP (Online Analytical Processing) is a reporting tool configured to understand your database schema, composition, facts and dimensions. By simple point-and-clicking, a user can run any number of canned or user-designed reports without having to know anything of SQL or the schema. Because of that prior configuration, the OLAP engine "builds" and executes the appropriate SQL. Data mining is building an application to specifically perform detailed, often algorithmic analyses; even more often it is inappropriately called "reporting".

Q. What is the "Extended Star Schema" and how did it emerge?
A. The Star Schema consists of the dimension tables and the fact table. The master-data-related tables are kept in separate tables, which have references to the characteristics in the dimension table(s). These separate tables for master data are what is termed the Extended Star Schema.

Q. Define metadata, master data and transaction data
A. Metadata: data that describes the structure of data or MetaObjects is called metadata; in other words, data about data. Master data: master data is data that remains unchanged over a long period of time. It contains information that is always needed in the same way. Characteristics can bear master data in BW. With master data you are dealing with attributes, texts or hierarchies. Transaction data: data relating to the day-to-day transactions is the transaction data.

Q. What is BEx?
A. BEx stands for Business Explorer. BEx enables end users to locate reports, view reports, analyze information and execute queries. The queries in a workbook can be saved to their respective roles in the BEx browser. BEx has the following components: BEx Browser, BEx Analyzer, BEx Map, BEx Web.

Q. What are variables?
A. Variables are parameters of a query that are set in the parameter query definition and are not filled with values until the queries are inserted into workbooks. There are different types of variables which are used in different applications: characteristic variables, hierarchies and hierarchy nodes, texts, formulas, processing types, user entry/default type, replacement path.

Q. What is AWB? What is its purpose?
A. AWB stands for Administrator Workbench. AWB is a tool for controlling, monitoring and maintaining all the processes connected with data staging and processing in the business information warehouse.

Q. What is the significance of ODS in BIW?
A. An ODS object serves to store consolidated and debugged transaction data on a document level (atomic level). It describes a consolidated dataset from one or more InfoSources. This dataset can be analyzed with a BEx Query or InfoSet Query. The data of an ODS object can be updated with a delta update into InfoCubes and/or other ODS objects in the same system or across systems. In contrast to multi-dimensional data storage with InfoCubes, the data in ODS objects is stored in transparent, flat database tables.


Q. What is an Extractor?
A. Extractors are data retrieval mechanisms in the SAP source system which can fill the extract structure of a DataSource with data from the SAP source system datasets. The extractor may be able to supply data to more fields than exist in the extract structure.

Q. How do I change the name of a master/parent role while keeping the name of the derived/child role the same? I would like to keep the name of the derived/child role and also the profile associated with the child roles.
A. First copy the master role using PFCG to a role with the new name you wish to have. Then generate the role. Now open each derived role and delete the menu. Once the menus are removed it will let you put in a new inheritance: enter the name of the new master role you created. This lets you keep the same derived role name and also the same profile name. Once the new roles are done you can transport them. The transport automatically includes the parent roles.

Q. What is the difference between C (Check) and U (Unmaintained)?
A. Background: when defining authorizations using the Profile Generator, the table USOBX_C defines which authorization checks should occur within a transaction and which authorization checks should be maintained in the PG. You determine the authorization checks that can be maintained in the PG using check indicators. USOBX_C is a check table for table USOBT_C.

In USOBX_C there are 4 check indicators.

CM (Check/Maintain)
- An authority check is carried out against this object.
- The PG creates an authorization for this object and field values are displayed for changing.
- Default values for this authorization can be maintained.

C (Check)
- An authority check is carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.

N (No check)
- The authority check against this object is disabled.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.

U (Unmaintained)
- No check indicator is set.
- An authority check is always carried out against this object.
- The PG does not create an authorization for this object, so field values are not displayed.
- No default values can be maintained for this authorization.
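An added example (not part of the original text) that encodes the four check indicators exactly as listed above and separates their two effects: whether the runtime authority check takes place, and which authorizations the Profile Generator proposes from USOBT_C defaults. The USOBX_C/USOBT_C rows and the transaction ZSU01 are constructed sample data, not real SU24 content.

```python
"""Check indicators (USOBX_C) and default values (USOBT_C) modelled as the
text describes them. All rows are constructed sample data."""
from typing import Dict, List, Set, Tuple

# indicator -> (authority check performed, PG creates an authorization, defaults maintainable)
INDICATOR_EFFECT: Dict[str, Tuple[bool, bool, bool]] = {
    "CM": (True, True, True),     # Check/Maintain
    "C":  (True, False, False),   # Check
    "N":  (False, False, False),  # No check
    "U":  (True, False, False),   # Unmaintained: nothing set, the check still runs
}

USOBX_C = [  # (transaction, authorization object, check indicator)
    ("ZSU01", "S_TCODE", "CM"),
    ("ZSU01", "S_USER_GRP", "CM"),
    ("ZSU01", "S_USER_AGR", "C"),
    ("ZSU01", "S_TABU_DIS", "N"),
    ("ZSU01", "S_USER_SAS", "U"),
]
USOBT_C = [  # (transaction, object, field, low, high); an empty low = left open in the PG
    ("ZSU01", "S_TCODE", "TCD", "ZSU01", ""),
    ("ZSU01", "S_USER_GRP", "ACTVT", "02", ""),
    ("ZSU01", "S_USER_GRP", "ACTVT", "03", ""),
    ("ZSU01", "S_USER_GRP", "CLASS", "", ""),
]

def check_indicator(tcode: str, obj: str) -> str:
    """Look up the indicator; a missing row behaves like U (no indicator set)."""
    for t, o, flag in USOBX_C:
        if t == tcode and o == obj:
            if flag not in INDICATOR_EFFECT:
                raise ValueError(f"unknown check indicator {flag!r} for {tcode}/{obj}")
            return flag
    return "U"

def check_performed(tcode: str, obj: str) -> bool:
    """Does the AUTHORITY-CHECK take effect at runtime? Only N switches it off."""
    return INDICATOR_EFFECT[check_indicator(tcode, obj)][0]

def pg_proposal(tcodes: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Authorizations the Profile Generator would insert into a role for the given
    transactions: CM objects only, filled with the USOBT_C defaults."""
    proposal: Dict[str, Dict[str, Set[str]]] = {}
    for tcode in tcodes:
        for t, o, _ in USOBX_C:
            if t != tcode or not INDICATOR_EFFECT[check_indicator(t, o)][1]:
                continue
            fields = proposal.setdefault(o, {})
            for tt, oo, field, low, high in USOBT_C:
                if tt == tcode and oo == o:
                    fields.setdefault(field, set()).add(f"{low}-{high}" if high else low)
    return proposal

def silent_checks(tcode: str) -> List[str]:
    """Objects checked at runtime but never proposed by the PG (indicators C and U):
    the administrator must add them by hand or the user fails the check."""
    return sorted(o for t, o, _ in USOBX_C if t == tcode
                  and INDICATOR_EFFECT[check_indicator(t, o)][0]
                  and not INDICATOR_EFFECT[check_indicator(t, o)][1])

if __name__ == "__main__":
    print("proposed by PG:", pg_proposal(["ZSU01"]))
    print("checked but not proposed:", silent_checks("ZSU01"))
```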

R/3 Security Tips

QuickViewer (SQVI)
QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a whole range of options for defining reports. SAP Query also supports different kinds of reports such as basic lists, statistics, and ranked lists. QuickViewer (SQVI), on the other hand, is a tool that allows even relatively inexperienced users to create basic lists. I have created a tutorial for SQVI.

User assignment
Never insert generated profiles directly into the user master record (transaction SU01). Assign the role to the user in the Roles tab in transaction SU01, or choose the User tab in role maintenance (PFCG) and enter the user to whom you want to assign the role or profile. If you then compare the user master records, the system inserts the generated profile in the user master record.

Do not assign any authorizations for modules you have not yet installed
If you intend to gradually add modules to your system, it is important that you do not assign any authorizations for those modules you have not yet installed. This ensures that you cannot accidentally change data in your production system that you may need at a later stage. Leave the corresponding authorizations or organizational levels open.

Creating SPRO display only
You might be asked to give SPRO display access while implementing your SAP system. I generally give these authorizations to make it display only. Please test it.

Object        Field         Value
S_PROJECT     PROJECT_ID    *
S_PROJECT     PROJ_CONF     *
S_RFC         ACTVT         03
S_RFC         RFC_NAME      *
S_RFC         RFC_TYPE      *
S_TABU_CLI    CLIIDMAINT    '
S_TABU_DIS    ACTVT         03
S_TABU_DIS    DICBERCLS     *
S_TRANSPRT    TTYPE         Deactivate or remove PIEC and TASK
S_TCODE       REMOVE        SPRO

Creating Authorization Fields
In authorization objects, authorization fields represent the values to be tested during authorization checks. To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Fields. To create an authorization field, proceed as follows:

1. Choose Create authorization field.

2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z.

3. Assign a data element from the ABAP Dictionary to the field.

You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.

Creating Authorization Objects
An authorization object groups together up to ten authorization fields that are checked together in an authorization check. To create authorization objects, choose Tools --> ABAP Workbench --> Development --> Other tools --> Authorization objects --> Objects. Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects. You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and documentation for it. Ensure that the object definition matches the ABAP AUTHORITY-CHECK calls that refer to the object.

Locking Security Holes through IMG transactions
Even though you have restricted your users from SU01 or PFCG (to modify themselves or other people), they can get into these areas through the different IMG transaction codes, if your core team or user community has access to:

OY20 - Authorizations
OY21 - User profiles
OY22 - Create subadministrator
OY24 - Client maintenance
OY25 - CS BC: Set up Client
OY27 - Create Super User
OY28 - Deactivate SAP*

Security Tables

Table         Description
USR02         Logon data
USR04         User master authorization (one row per user)
UST04         User profiles (multiple rows per user)
USR10         Authorization profiles (i.e. &_SAP_ALL)
UST10C        Composite profiles (i.e. profile has sub-profiles)
USR11         Text for authorization profiles
USR12         Authorization values
USR13         Short text for authorization
USR40         Table for illegal passwords
USGRP         User groups
USGRPT        Text table for USGRP
USH02         Change history for logon data
USR01         User master (runtime data)
USER_ADDR     Address data for users
AGR_1016      Name of the activity group profile
AGR_1016B     Name of the activity group profile
AGR_1250      Authorization data for the activity group
AGR_1251      Authorization data for the activity group
AGR_1252      Organizational elements for authorizations
AGR_AGRS      Roles in composite roles
AGR_DEFINE    Role definition
AGR_HIER2     Menu structure information - customer version
AGR_HIERT     Role menu texts
AGR_OBJ       Assignment of menu nodes to role
AGR_PROF      Profile name for role
AGR_TCDTXT    Assignment of roles to T-codes
AGR_TEXTS     File structure for hierarchical menu - customer version
AGR_TIME      Time stamp for role: including profile
AGR_USERS     Assignment of roles to users
USOBT         Relation transaction to authorization object (SAP)
USOBT_C       Relation transaction to authorization object (customer)
USOBX         Check table for table USOBT
USOBXFLAGS    Temporary table for storing USOBX/T* changes
USOBX_C       Check table for table USOBT_C

R/3 Security Tcodes

End User

Transaction Code | Menu Path | Purpose
SU3 | System --> User Profile --> Own Data | Set address/defaults/parameters
SU53 | System --> Utilities --> Display Authorization Check | Display last authority check that failed
SU56 | Tools --> Administration --> Monitor --> User Buffer | Display user buffer

Role Administration

Transaction Code | Menu Path | Purpose
PFCG | Tools --> Administration --> User Maintenance --> Role | Maintain roles using the Profile Generator
PFUD | <none> | Compare user master in dialog. This function can also be calle
SUPC | Tools --> Administration --> User Maintenance --> Role | Mass Generation of Profiles

User Administration

Transaction Code | Menu Path | Purpose
SU01 | Tools --> Administration --> User Maintenance --> Use | Maintain Users
SU01D | Tools --> Administration --> User Maintenance --> Displ | Display Users
SU10 | Tools --> Administration --> User Maintenance --> Use | User mass maintenance
SU02 | Tools --> Administration --> User Maintenance --> Man | Manually create profiles
SU03 | Tools --> Administration --> User Maintenance --> Man | Manually create authorizations

Profile Generator Configuration

Transaction Code | Menu Path | Purpose
RZ10 | Tools --> CCMS --> Configuration --> Profile Maintenan | Maintain system profile parameters (auth/no_check_in_
SU25 | IMG Activity: Enterprise IMG --> Basis Compo | Installation: 1. Initial Customer Tables Fill; Upgrade: 2a. Prepa
SU24 | Same as for SU25: Select: Change Check Indicators | Maintain Check Indicators; Maintain Templates

Transport

Transaction Code | Menu Path | Purpose
SCCL | Tools --> Administration --> Administration --> Client Adm | Local client copy (within one system, between different clients
SCC9 | Tools --> Administration --> Administration --> Client Adm | Remote Client Copy (between clients in different systems) Data ex
SCC8 | Tools --> Administration --> Administration --> Client Adm | Client transport (between clients in different systems) Data exch
<none> | Tools --> Administration --> User Maintenance --> Roles - | Mass transport of roles
<none> | Tools --> Administration --> User Maintenance --> Roles - | Upload/Download of Roles
SU25 | Point 3. | Transport of Check indicators
STMS | Tools --> Administration --> Transports --> Transport Ma | Transport Management System

Transaction Code | Menu Path | Purpose
RZ10 | Tools --> CCMS --> Configuration --> Profile Maintenance | Maintain system profile parameters (auth/no_check_in_some_cas
RZ11 | | Description of system profile parameters
SM01 | Tools --> Administration --> Administration --> Transaction Code | Lock transaction codes from execution

Transaction Code | Menu Path | Purpose
SU20 | Tools --> ABAP Workbench --> Development --> Other Tools --> Authoriz | List of authorization fields
SU21 | Tools --> ABAP Workbench --> Development --> Other Tools --> Authoriz | List of authorization objects (initial screen lists by object class)

Transaction Code | Menu Path | Purpose
SE84 | Tools --> Administration --> User Maintenance --> Information System | Information System for SAP R/3 Authorizations
SECR* | <none> | Audit Information System

Transaction Code | Menu Path | Purpose
SM30 (tables V_BRG, V_DDAT) | System --> Services --> Table Maintenance --> Extended Table Maintenance | Create table authorization groups (V_BRG); maintain assignments to tables (V_DDAT)

Transaction Code | Menu Path | Purpose
SE43 | ABAP Workbench --> Development --> Other Tools --> Area Menus | Maintain (Display) Area Menus


There comes a time when you have to deal with auditors. I have put together a check list to go through. If this is a new implementation you should go through this and may be you can impress your boss.

If you feel I should add more email me [email protected]

SAP R/3 user ID SAP* and other system user id has been adequately secured.

The production system has been set to productive.

Access Restriction: SCC4 and SE06

S_DEVELOP is secured

Change management is secured and controlled

Transport access to production is restricted

Developer access in production

Change critical number range is restricted

Custom tables have an authorization group

Locking of sensitive systems transaction codes

BDC user types should have only the required access

Run Program in the back ground

Changes to critical SAP R/3 tables are logged

Scheduling and Monitoring Batch jobs

Access to run reports should be restricted.

Critical and custom SAP R/3 tables are restricted.

SAP R/3 user ID SAP* and other system user id has been adequately secured.

Performed the following steps to confirm that user ID SAP* has been adequately secured:


• Verified whether the default password of SAP* was changed in all production clients: execute transaction code SA38 and run report RSUSR003.

• Reviewed the RSUSR003 report to verify that the parameter login/no_automatic_user_sapstar is set (value = 0).

• Who has SAP_ALL and SAP_NEW:

Execute transaction code SUIM, click on "User", click on "List of users according to complex selection criteria", click on "By user profiles", enter SAP_ALL in the Profile field and click the Execute button.

Repeat the same steps with SAP_NEW in the Profile field.

Risk: The SAP_ALL profile grants a user full/complete access to all functions in the SAP system and has the potential to be misused. The SAP_ALL profile should only be assigned to a minimal number of users on the system.

The default SAP R/3 passwords for DDIC, SAPCPIC and EarlyWatch (in client 066) have been changed and access restricted to the super user.

Performed the following procedures to verify that the default SAP R/3 passwords for DDIC, SAPCPIC and EarlyWatch have been changed and access restricted to the super user ID:

• Execute transaction: SA38

• Program: RSUSR003

• Default passwords that should be changed:

• SAP* - PASS

• DDIC - 19920706

• SAPCPIC - ADMIN

• EarlyWatch - SUPPORT

Risk: SAP comes supplied with a number of default user IDs, all of which have default passwords. The passwords to these IDs are well known, and therefore if they are not changed, the IDs could potentially be misused.

To review any passwords which users are not allowed to use:

Execute transaction code: SE16

Table name: USR40

Risk: Table USR40 is used to prevent users from using a list of commonly guessed passwords. If it is not used, it increases the possibility that users could select trivial passwords. Alternatively, you can use a profile parameter to do this.

The SAP R/3 system profile parameters have been set to appropriate values.

Performed the following procedures to determine whether the SAP R/3 system profile parameters have been set to appropriate values: click here for more detail on profile parameters

R/3 Security - Audit Check

The production system has been set to productive.

To verify that the company codes utilized in the SAP R/3 systems are set to productive. There are various company codes that come as default within SAP. This is to ensure that only the company codes that are being used are checked and set up as productive. The SOX team/security team should perform the following steps:

Execute transaction code: OBR3


Review “Productive” column and ensure applicable global settings have not been checked off.

The production client settings have been flagged to not allow changes to programs and configuration.

Performed the following steps to verify that production client settings have been flagged to not allow changes to programs and configuration:

Execute transaction code SCC4 (all clients) and SE06

Double click on the applicable production client.

Verify that changes to client dependent and client independent objects are not allowed and that the client is set to productive.

R/3 Security - Audit Check

Access Restriction: SCC4 and SE06

Transaction codes SCC4 and SE06 are critical transactions which can be used to prevent direct changes being made to the production system. If these transactions are not appropriately set there is a risk that unauthorized changes may be made directly in the production system, without going through the appropriate change management process.

Performed the following steps to verify that the ability to make changes to client and system settings is restricted and access privileges are appropriately assigned based on job responsibilities. Perform the following steps:

Query 1

Execute transaction code: SUIM

Select User by complex criteria

Authorization object: S_TCODE

Transaction code value: SCC4

Authorization object: S_TABU_DIS

Activity: 02 and 03

Authorization Group: SS

Authorization object: S_TABU_CLI

Indicator for cross client maintenance: X

Query 2

Execute transaction code: SUIM

Authorization object: S_TCODE

Transaction code value: SCC4

Authorization object: S_ADMI_FCD

System Administration Function: T000

Authorization object: S_CTS_ADMI

Administration task: INIT

Query 3


Execute transaction code: SUIM

Authorization object: S_TCODE

Transaction code value: SE06

Authorization Objects: S_TRANSPRT

Activity Value: *

Request Type: *

Authorization Objects: S_CTS_ADMI

Administration Task: RELE

S_DEVELOP is secured

Only the SAP R/3 super user has S_DEVELOP authorization object with critical activity values in the production system.

Performed the following procedures to verify that only super user has S_DEVELOP authorization object with critical activity values in the production system:

Query

Execute transaction code: SUIM

S_TCODE: SE38


Authorization Object: S_DEVELOP

All fields: “*”

Risk: The risk here is that users who have this access, have the ability to perform development related functions in the production system. Such access should be restricted to developers in the development system only.

Change management is secured and controlled

Performed the following procedures to ensure that the SAP R/3 change management environment provides a secure and controlled structure for software changes.

Start the transaction SE16, enter the table name and choose option Display.

TCESYST Environments

Inspect the table TCESYST which details the various environments.

TCETRAL Cross Transports

Inspect the table TCETRAL and note the various transport layers; review the transport layers.

TCEDELI Recipient systems

Inspect the table TCEDELI, which details which SAP systems receive released transports.

Transport access to production is restricted

Performed the following procedures to verify that the ability to make transports to production is restricted and access privileges are appropriately assigned based on job responsibilities:

Risk: The risk here is that users who have this access, have the ability to move code from the development environment to the production environment.

Executed transaction: SUIM

Authorization object: S_TCODE

Transaction code value: SE11

Authorization Object: S_TRANSPRT

Activity value: 01 OR 43

Request Type: DTRA OR CUST

Developer access in production


The ability to make changes to the SAP R/3 Data Dictionary is restricted and access privileges are appropriately assigned based on job responsibilities.

Performed the following procedures to verify that the ability to make changes to the SAP R/3 Data Dictionary is restricted and access privileges are appropriately assigned based on job responsibilities:

Executed transaction: SUIM

Authorization object: S_TCODE

Transaction code value: SE11

Authorization object: S_DEVELOP

Activity value: 01 or 02

Other fields: “*”

Risk: The risk here is that users who have this access, have the ability to maintain the SAP database (data dictionary).

Identify users who can do development in Production

Execute transaction code: SUIM

S_TCODE: SE38

Authorization Object: S_DEVELOP

Activity: 02 and 03

All fields: LEAVE BLANK

All fields: “*”


Risk: The risk here is that users who have this access, have the ability to perform development related functions in the production system. Such access should be restricted to developers in the development system only.

Execute transaction code: SUIM

S_TCODE: SE38

Authorization Object: S_DEVELOP

Development Object ID: PROG

Activity: 02

All fields: “*” AND LEAVE BLANK

Risk: The risk here is that users who have this access, have the ability to perform development related functions in the production system. Such access should be restricted to developers in the development system only.

Execute transaction code: SE16

Table Name: DEVACCESS

Risk: A developer key (table DEVACCESS) is required, along with an open system, to make changes within production.

Changing critical number ranges is restricted (company code, charts of accounts etc.)

Performed the following procedures to verify that the SAP system appropriately restricts the ability to change critical number ranges (i.e., company codes, chart of accounts, accounting period data, etc.).

Execute transaction code SUIM

Authorization object: S_TCODE

Transaction code value: SNRO

Authorization object: S_NUMBER

Activity: 02

Number of number range: “*”

Risk: The risk here is that users who have this access, have the ability to maintain critical number ranges.

Custom tables have an authorization group

Performed the following procedures to verify that all customized SAP R/3 tables have been assigned to the appropriate authorization group:

Executed transaction code: SE16

Table name: TDDAT

Table name: Z*, Y*

Risk: If tables are not assigned to authorization groups it is not possible to appropriately control direct access to tables.

Locking of sensitive systems transaction codes in Production environment.

Query


The authorization to lock and unlock transaction codes should only be granted to a select few users. This also applies to customer-developed tcodes, provided they are entered in table TSTCA through transaction code SE93.

Check in production who has this access using the following report.

Execute transaction: SM01

OR

Execute transaction: SE16

Table Name: TSTC

C info field: 20 to 20

Risk: SAP recommends that certain sensitive transactions be locked in the production system to prevent accidental or malicious use. The risk therefore is that these transactions be accidentally run, or run with malicious intent.

Query

Generated a list of users who have access to lock/unlock transaction codes.

Execute transaction code: SUIM

S_TCODE: SM01

Authorization object: S_ADMI_FCD

Field value: TLCK (lock/unlock transactions)


Risk: These users have the ability to lock or unlock sensitive transactions which should not be run in the production system.

BDC user types should have only the required access; they don't need SAP_ALL.

To verify that BDC users are assigned only authorizations to perform the required task, performed the following steps:

Execute transaction code SUIM

Click on “User”

Click on “List of users according to complex selection criteria”.

Click on “By user ID”.

Then execute by clicking on the small green check mark.

Click on “Other view” twice to display the user type for all listed user IDs.

Risk: The risk here is that these IDs have been provided “super user” access rights, which is excessive based on the typical needs for these IDs. Such IDs could potentially be misused.

An overview of jobs scheduled in the SAP R/3 system is performed regularly.

Performed the following steps to produce a listing of batch input sessions:

Execute transaction code SM35

Enter a * in the “Session name” field and “Created By” field.

Click on “Incorrect” Tab.


Risk: If batch sessions are not monitored on a regular basis, there is a risk that important batch sessions will contain errors or not be completely processed and therefore processing of critical financial information will not be complete and the issue will not be identified on a timely basis.

Run Program in the back ground

By default a user is allowed to schedule reports for background processing, but cannot release them. Authorization to release jobs is controlled by S_BTCH_JOB. Activity RELE is needed to release jobs. Activity PROT is required to display the log. The other authorizations like delete, change and move should only be assigned to the batch administrator.

S_BTCH_ADM should be granted to the batch administrator and not to all users. This is a critical authorization: it can release other users' jobs and controls access to jobs in all clients of a system.

S_BTCH_NAM can be used to schedule jobs under a different user id. Never give * as this would allow the user to start batch jobs under any user id.

To check who has access to this in production, follow the instructions below.

Execute transaction code SUIM

S_TCODE: SM36/SM37

Authorization Objects: S_BTCH_JOB, S_BTCH_NAM

Job Operations: RELE

Summary of jobs for a group: “*”

Background user ID: “*”

Risk: The risk here is that users who have this access have the ability to run programs directly in the background, bypassing transaction level security in SAP, and could potentially run programs/transactions they are not explicitly authorized to run.

Batch input - SM35

Batch input transaction code SM35 needs authorization for object S_BDC_MONI. You can restrict the privileges to certain sessions by entering the respective session name or name range. If you use a name range, then the naming convention should be used properly.

Execute transaction code SUIM

S_TCODE: SM35

Authorization Objects: S_BDC_MONI

Batch Input monitoring activity: “*”

Session Name: “*”

Risk: The risk here is that users who have this access, have the ability to process batch transactions without being explicitly authorized to do so.

Changes to critical SAP R/3 tables are logged and management regularly reviews the logs.

Run transaction SE16 on table DD09L and note which tables have been selected for logging.

Query

Execute transaction code: SUIM

S_TCODE: SE01

Authorization object: S_TRANSPRT

Activity: 02


Field Object in Workbench Organizer: UPGR

Risk: The risk here is that users who have this access, have the ability to transport matchcodes into the production system. Such access should be restricted to basis administrators only.

Scheduling Batch jobs


Performed the following steps to verify which users have the ability to change the SAP R/3 job schedule:

Execute transaction code SA38, report RSUSR002

S_tcode: SM36 (Schedule)

Authorization Object: S_BTCH_JOB


Job Operations: RELE

Summary of jobs for a group: “*”, *

Risk: The potential risk here is that users who have this access, have the ability to run programs directly in the background, bypassing transaction level security in SAP, and could potentially run programs or transactions they are not explicitly authorized to run.

Monitoring Batch jobs

Run transaction SM37 to check if any of the jobs scheduled during the last year are still active.

Risk: If jobs are not monitored on a regular basis, there is a risk that jobs will not run to completion and therefore processing of critical financial information will not be complete and the issue will not be identified on a timely basis.

Access to run reports should be restricted.

Execute transaction code SUIM

S_tcode: SA38

Authorization Objects: S_PROGRAM

User action ABAP program: SUBMIT ( foreground and background)

Authorization Group: *, “*”

Risk: The risk here is that users who have this access have the ability to run programs directly, bypassing transaction level security in SAP, and could potentially run programs/transactions they are not explicitly authorized to run.

Execute transaction code SUIM

S_tcode: SA38

Authorization Objects: S_PROGRAM

User action ABAP program: EDIT (maintain attributes, text elements, ABAP/4 utilities to copy and delete programs)

Authorization Group: *

Risk: The risk here is that users who have this access, have the ability to maintain program attributes.

Critical and custom SAP R/3 tables are restricted.

Execute transaction SUIM

Authorization Object: S_TCODE

Transaction Code: SM31 (enhanced tables maintenance)

Authorization object: S_TABU_DIS

Activity: 02 AND 03

Risk: The risk here is that users who have this access, have the ability to maintain table data directly in the production system. This includes transactional, masterfile, security and configuration data.

Execute transaction SUIM

Authorization Object: S_TCODE


Transaction Code: SM31

Authorization object: S_TABU_DIS

Activity: 02 AND 03

Authorization Object: S_TABU_CLI

Identify if custom transactions have references to authorization objects.

Execute transaction code: SE16

Table name: TSTCA / TSTC

TCODE: Z*

Checked table TSTCA and verified that no Z transactions existed. Verified in table TSTC that the majority were secured by authorization objects. Since all transactions are secured by S_TCODE, this control is still effective.
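The SUIM queries in the checks above (SAP_ALL/SAP_NEW, the SCC4 query, S_DEVELOP in production, S_BTCH_NAM “*”, job release, SM01/TLCK) and the TDDAT check for custom tables, run offline as one script. This is an added example and not code from the original page: it evaluates a constructed extract shaped like the user authorization data SUIM reports on, and the field names it uses (TCD, ACTVT, DICBERCLS, CLIIDMAINT, BTCUNAME, JOBACTION, S_ADMI_FCD) are those of the standard SAP authorization objects named above.

```python
"""Offline evaluation of the critical-authorization queries listed in the audit checks.

Added example, not from the original page. Input: a constructed extract with
user ID, user type, assigned profiles and the field values of each authorization,
plus a constructed TDDAT-style list of (table name, authorization group).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class UserAuth:
    user: str
    user_type: str            # "A" dialog, "B" system (typical for BDC/RFC users)
    profiles: list            # e.g. ["SAP_ALL"]
    # authorization object -> list of authorizations, each {field: set(values)}
    auths: dict = field(default_factory=dict)


def value_matches(granted, wanted):
    """SAP-style match: a granted '*' or 'SE*' is a pattern, 'SE38' is literal."""
    return any(fnmatchcase(wanted, g) for g in granted)


def has_auth(ua, obj, **needed):
    """True if a single authorization for `obj` grants, for every field in
    `needed`, at least one of the listed values ('Activity: 02 and 03' = either)."""
    for auth in ua.auths.get(obj, []):
        if all(any(value_matches(auth.get(fld, ()), w) for w in wanted)
               for fld, wanted in needed.items()):
            return True
    return False


# (finding text, test) pairs; each test mirrors one of the page's SUIM queries
CHECKS = [
    ("full access profile SAP_ALL/SAP_NEW",
     lambda u: any(p in ("SAP_ALL", "SAP_NEW") for p in u.profiles)),
    ("can change client settings (SCC4 + S_TABU_DIS 02/03 SS + S_TABU_CLI)",
     lambda u: has_auth(u, "S_TCODE", TCD=("SCC4",))
     and has_auth(u, "S_TABU_DIS", ACTVT=("02", "03"), DICBERCLS=("SS",))
     and has_auth(u, "S_TABU_CLI", CLIIDMAINT=("X",))),
    ("development in production (SE38 + S_DEVELOP 02/03)",
     lambda u: has_auth(u, "S_TCODE", TCD=("SE38",))
     and has_auth(u, "S_DEVELOP", ACTVT=("02", "03"))),
    ("can start batch jobs under any user (S_BTCH_NAM *)",
     lambda u: has_auth(u, "S_BTCH_NAM", BTCUNAME=("*",))),
    ("can release background jobs (SM36 + S_BTCH_JOB RELE)",
     lambda u: has_auth(u, "S_TCODE", TCD=("SM36",))
     and has_auth(u, "S_BTCH_JOB", JOBACTION=("RELE",))),
    ("can lock/unlock transactions (SM01 + S_ADMI_FCD TLCK)",
     lambda u: has_auth(u, "S_TCODE", TCD=("SM01",))
     and has_auth(u, "S_ADMI_FCD", S_ADMI_FCD=("TLCK",))),
]


def critical_findings(users):
    """Return (user, user_type, finding) for every hit, in input order."""
    return [(u.user, u.user_type, text)
            for u in users for text, test in CHECKS if test(u)]


def custom_tables_without_auth_group(tddat_rows):
    """TDDAT-style (table, auth group) rows -> sorted Z*/Y* tables with no group."""
    return sorted(t for t, grp in tddat_rows if t[:1] in ("Z", "Y") and not grp)


# Constructed sample extract (not from any real system)
SAMPLE_USERS = [
    UserAuth("BASISADM", "A", ["SAP_ALL"]),
    UserAuth("DEVUSER1", "A", [], {
        "S_TCODE": [{"TCD": {"SE38", "SE80"}}],
        "S_DEVELOP": [{"ACTVT": {"02", "03"}, "OBJTYPE": {"PROG"}}],
    }),
    UserAuth("BDCLOAD", "B", [], {
        "S_TCODE": [{"TCD": {"SM36", "SM37"}}],
        "S_BTCH_NAM": [{"BTCUNAME": {"*"}}],
        "S_BTCH_JOB": [{"JOBACTION": {"RELE"}, "JOBGROUP": {"*"}}],
    }),
    UserAuth("REPORTER", "A", [], {          # display only: no finding expected
        "S_TCODE": [{"TCD": {"SA38"}}],
        "S_DEVELOP": [{"ACTVT": {"03"}, "OBJTYPE": {"PROG"}}],
        "S_BTCH_NAM": [{"BTCUNAME": {"BATCH*"}}],
    }),
    UserAuth("CLIENTADM", "A", [], {
        "S_TCODE": [{"TCD": {"S*"}}],        # wildcard grants SCC4 and SM01
        "S_TABU_DIS": [{"ACTVT": {"02"}, "DICBERCLS": {"SS"}}],
        "S_TABU_CLI": [{"CLIIDMAINT": {"X"}}],
        "S_ADMI_FCD": [{"S_ADMI_FCD": {"TLCK"}}],
    }),
]
SAMPLE_TDDAT = [("ZPRICELIST", "ZCUS"), ("ZAUDITLOG", ""), ("YTEMP", ""), ("T000", "SS")]

if __name__ == "__main__":
    for user, utype, text in critical_findings(SAMPLE_USERS):
        print(f"{user:<10} (type {utype}): {text}")
    print("custom tables without auth group:",
          custom_tables_without_auth_group(SAMPLE_TDDAT))
```

The REPORTER entry shows why the combination matters: display-only S_DEVELOP without SE38, and a BTCUNAME range that is not “*”, produce no finding.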

Introduction

SAP Business Information Warehouse (SAP BW), as a core component of SAP NetWeaver data warehousing functionality, provides both a business intelligence platform and a suite of business intelligence tools. With the tool set provided, relevant business information can be integrated into SAP BW and transformed and consolidated there. SAP BW enables analysis and interpretation as well as the distribution of this information. Based on this analysis, sound decisions can be made and goal oriented activities can be initiated. With extensive predefined information models provided for the various roles in a company (BI Content), SAP BW also increases the usability of these analyses and enables a quick, cost-effective implementation.

Data warehousing in SAP BW represents the integration, transformation, consolidation, cleanup and storage of data. It also signifies the extraction of data for analysis and interpretation. The data warehousing process includes data modeling, data extraction and the management of the data warehouse management processes.

SAP BW Authorization Specifics

In an SAP BW system there are two different types of authorization objects.

1. Standard authorization objects: this type of authorization object is provided by SAP and covers all checks, e.g. for system administration tasks, data modelling tasks, and for granting access to InfoProviders for reporting. For this type of authorization the same concept and technique is used as in an SAP R/3 system.

2. Reporting authorization objects: for more granular authorization checks on an InfoProvider’s data you need another type of authorization object, defined by the customer. With these objects you can specify which part of the data within an InfoProvider a user is allowed to see.

Both types of authorization objects use the same authorization framework. Technically they are treated in the same way. However, the design of reporting authorizations is more complex because you need to design the reporting authorization objects first. This is an additional step that needs to be treated with care because the structure of the authorization objects determines the possible use with regard to selections, combinations and granularity. In your project you need expertise in the area of reporting authorizations; knowledge of the basis authorization framework is not sufficient.

User Type in BW

There are different types of users in SAP BW. Most of your users will be the users who execute queries and workbooks. These people could be considered "reporting users" or "end users."

There are also users who develop new queries. Some people may refer to them as "power users" or "data analysts." The users who develop queries may also create new workbooks and may be responsible for publishing that information to the right audience.

Then, there are users who create new objects like InfoCubes, InfoAreas, and InfoObjects. They also schedule data loads, create update rules for InfoCubes, monitor performance, and set up source systems. The users who do these tasks are normally referred to as "administration users."

Using Workbooks model

Generally, power users create queries to suit their teams' needs and save the results in a workbook. They may want to save the workbooks to their Favorites folder for easy retrieval later, or they may want to save the workbooks to a location where other users can execute the same workbook.

Linking BW to Enterprise Portal (EP): a step-by-step list explaining how to link a BW system to an EP system.

Setting up RFC to the R3 system (BW RFC / ALE setup): in SAP BW, you should create a system (not a dialog) user called BWALE. BWALE should have the authorization profile (not role) S_BI-WHM_RFC…

Transaction Code in BW


• RRMX: Launches the BEx Analyzer, which is used to create and execute queries

• RSA1: Launches the Administrator Workbench, which is used by the SAP BW administrator

Reporting User Security

Authorization Objects Used Primarily by Reporting Users

In order to execute any query, you must have access to S_RS_ICUBE, S_RS_COMP, S_RS_COMP1 and S_RS_FOLD.

S_RS_COMP is a powerful object that enables you to make choices on how to secure. There is one field in S_RS_COMP that relates to the query, and another field that relates to the InfoCube. This gives you the option to secure by query name, InfoArea, or InfoCube.

Tips

• InfoArea = group of InfoCubes

• InfoCube = actual data

• InfoObject = field (for example: company code, plant, or cost center)

Administrator

There are users who create new objects like InfoCubes, InfoAreas, and InfoObjects. They also schedule data loads, create update rules for InfoCubes, monitor performance, and set up source systems. The users who do these tasks are normally referred to as "administration users."

Some of the common tasks performed by administration users are:

• Set up and maintain different source systems and connections to SAP BW

• Manage metadata and define new InfoObjects, DataSources, and InfoSources

• Create transfer rules and update rules

• Design InfoCubes

• Schedule and monitor data-loading processes

Administration authorization objects are primarily used when doing anything in the Administrator Workbench (transaction code RSA1). The primary objects used are:

S_RS_ADMWB: Administrator Workbench - Objects

Authorization object S_RS_ADMWB is the most critical authorization object in administration protection. When you do anything in transaction code RSA1, object S_RS_ADMWB is the first object checked. There are two fields in this object: Activity and Administrator Workbench Object. Each of the two fields can have a variety of values. The possible values for the Administrator Workbench field are:

• SourceSys: Working with a source system

• InfoObject: Creating and maintaining InfoObjects


• Monitor: monitoring data brought over from the source systems

• Workbench: Checked as you execute transaction code RSA1

• InfoArea: Creating and maintaining InfoAreas

• ApplComp: Limiting which application components you can access

• InfoPackage: Creating and scheduling InfoPackages for data extraction

• Metadata: Replication and management of the metadata repository

The following list shows possible values for the Activity field.

• Maintain - 03

• Execute - 16

• Administer document storage - 23

• Update metadata - 66

Other Authorization Objects for Admin Users

Authorization object (technical name): description

Administrator Workbench - Objects (S_RS_ADMWB): Authorizations for working with individual objects of the Administrator Workbench. In detail, these are: source system, InfoObject, monitor, application component, InfoArea, Administrator Workbench, settings, metadata, InfoPackage, InfoPackage group, Reporting Agent settings, Reporting Agent package, documents (for metadata, master data, hierarchies, transaction data), document store administration, InfoSpoke.

Administrator Workbench - InfoObject (S_RS_IOBJ): Authorizations for working with individual InfoObjects and their sub-objects. Until Release 3.0A, only general authorization protection was possible with authorization object S_RS_ADMWB. General authorization protection for InfoObjects still works as in the past. Special protection with S_RS_IOBJ is only used if there is no authorization for S_RS_ADMWB-IOBJ.

Administrator Workbench - InfoSource (flexible update) (S_RS_ISOUR): Authorizations for working with InfoSources with flexible updating and their sub-objects.

Administrator Workbench - InfoSource (direct update) (S_RS_ISRCM): Authorizations for working with InfoSources with direct updating and their sub-objects.

Administrator Workbench - InfoCube (S_RS_ICUBE): Authorizations for working with InfoCubes and their sub-objects.

Administrator Workbench - MultiProvider (S_RS_MPRO): Authorizations for working with MultiProviders and their sub-objects. Until BW 3.0B, Support Package 1, authorizations for MultiProviders were checked by using the authorization object S_RS_ICUBE. As of BW 3.0B, Support Package 2, this can be maintained, or you can change the check over to the authorization object S_RS_MPRO. To do this, choose in Customizing under Business Information Warehouse --> General BW Settings --> Settings for Authorizations.

Administrator Workbench - ODS object (S_RS_ODSO): Authorizations for working with ODS objects and their sub-objects.

Administrator Workbench - InfoSet (S_RS_ISET): Authorizations for working with InfoSets.

Administrator Workbench - hierarchy (S_RS_HIER): Authorizations for working with hierarchies.

Administrator Workbench - Master data maintenance (S_RS_IOMAD): Authorizations for processing master data in the Administrator Workbench.

Linking BW to Enterprise Portal (EP)

Summary: Step-by-step list explaining how to link a BW system to an EP system. (Note: These are the personal notes of an EP novice; they should not be used as a reference!)


Linking a BW System to the Enterprise Portal (EP6.0): In the following article, I want to share my experience in linking a BW System (release BW3.5) to an Enterprise Portal (release BW6.0SP2). Before diving into the subject matter, I want to note that I am fairly technically experienced in the BW system; however, so far I have only had very limited exposure to the EP, or to J2EE platforms in general. Given this, at first I was ready to hand over the task of linking the two systems to an experienced colleague. On second thought, however, I said to myself "heck, let's give it a try". After browsing through the documentation and some system settings, after about 2 hours I had successfully built (and tested) the connection (again, with NO prior experience in this area at all)! (Ok, I admit, 5 minutes of counseling by an EP expert probably helped as well.)

[Before I go into details, just a warning: The steps before worked for me. However, results may vary; things depend partially on your local IT infrastructure. Also, some of my statements below *could* be incorrect. For any serious activities, you should make sure to either receive the proper training, or to consult with an expert in the respective area.]

Those were the steps I had to take (btw, I had super user rights on the EP):

1. Once logged into the EP, choose "System Administration", then "System Configuration", then "System".

2. You will see a screen "System Landscape Editor", and on the left of it "Portal Content". Right-click on "Portal Content", and choose "New >> System".


3. The System Wizard comes up. Choose "SAP_R3_LoadBalancing" (if your system is load balanced, like in my case). Click "next".

4. Enter the following:

System Name (here I chose the 3 digit system name from the logon, something like "BW1")

System ID (here I chose the logical system ID, like BW1CLNT003; you can get this e.g. from table T000 in the BW system)

System ID Prefix (a prefix to find and group your settings, e.g. BW)

Then save as system. Click "next".

5. Choose "Property Category = Connector", and maintain the following fields:

Application Host (the address of the host; you can get this e.g. from the BW WAD from a web query URL string; it's what comes after "http://" and before ":[port]"; something like "usbw0101.xxx.com")

Logical System ID (you can get this from table T000 in the BW system, something like "BW1CLNT003")

SAP Client (BW client name)

SAP System Name (here I entered the 3 letter system name, like "BW1")

SAP System Number (you get this e.g. from the BW logon properties)

Server Port (this again you get e.g. from the query URL string mentioned above; it's the number which comes after the Application host; e.g. "8100")

System Template Name (here I used again the logical system ID from above)

System Type ("SAP_BW", of course)

6. Choose "Property Category = WAS", and maintain the following fields:

WAS description (same as System Name above, e.g. "BW1")

WAS host name (same as application host above, but together with the port number from above, i.e. something like "usbw0101.xxx.com:8100")

WAS path ("/sap/bw/bex")

WAS protocol ("http")

7. Choose "Property Category = User Management", and maintain the following:

Logon Method ("SAPLOGONTICKET")

User mapping fields ("{003,800}Client;Language")

User Mapping Type ("admin, user")

Save all your settings.

8. Still from the same screen, choose "System Aliases". Create and save a new "System Alias". Basically, I picked the logical system ID "BW1CLNT003" as system alias, and saved this.

9. Almost finished: as a next step, I had to perform what's called "user mapping" (so the EP can talk to the BW on behalf of a specific user). I went to "User Administration", then "User Mapping". I searched (in this case) for my user in "Users", then (under "Logon Data for System") selected the BW system, and maintained the login settings.

Final Step: Now you are ready to test the system connection! For this purpose, go to "System Administration", then "Support", from here to "SAP Application". Under "Tool" select "BWReport", and push "Run". Select your BW system, and a BEx Web Application Query String (you can use the string from the WAD URL above, basically the piece which starts with "cmd"; e.g. like "cmd=ldoc&TEMPLATE_ID=LSTEMP"). Execute, and you should see the query results right in your Portal!

Enterprise Portal

SAP Enterprise Portal offers users a single point of access to all applications, information, and services needed to accomplish their daily tasks. Links to back-end and legacy applications, self-service applications, company intranet services, and Internet services are all readily available in the user’s portal.

Portal Architecture overview

The security features of SAP Enterprise Portal include:

• Authentication – confirms or denies user identity through user ID and password; this can be done using an existing LDAP server.

• Authorization – enforces role-based authorization for all content under the administrative control of the portal and prevents unauthorized access.

If you plan to have external users (Internet users) access your portal or backend system, have a proxy server installed and place it in the DMZ. Follow the link at the bottom of this page for installing a proxy server. The advantage is that your portal server does not face the world; the disadvantage is that you have additional hardware.

I prefer a proxy server for internal users also; I can hide the port number from users.

Single Sign-On (SSO)

Single Sign-On (SSO) provides secure access to multiple systems without requiring users to re-enter ID and password information for each application. In a portal environment, an SSO mechanism maps portal authentication information to each application for which a user holds predefined access permissions. This reduces user frustration and provides enhanced interaction with enterprise resources via the portal. You can enable SSO for the Portal using a third-party tool like SiteMinder from Netegrity. This will use Windows authentication, which means that once you sign on to your Windows operating system, you don’t have to sign on to the portal again.

Then you have to enable SSO between the Portal and the R3 system so that you don’t have to sign on to R3 or any other SAP system when you are accessing data from any of these systems. This can be done using the SAP logon ticket: the receiving system verifies the ticket’s digital signature and extracts the appropriate user ID.

If you plan to have external users access your portal or backend system, you can add a layer of security by giving them SecurID tokens or digital certificates.

Apache Configuration for J2EE Web Applications

This document explains how to set up the Apache Web server for use with the SAP J2EE Engine. The example is based on a Red Hat Linux installation and is transferable to all other operating systems. It gives you instructions on how to configure Apache in proxy mode. The backend used in the tests was a SAP J2EE Server running Enterprise Portal 6.0.

If you are one of those admins who face some of the issues listed below:

• Users access multiple systems, including SAP and non-SAP Systems. Some systems reside in a dedicated network zone in the intranet but many systems reside on different networks or on the Internet.

• Users need to have different IDs and passwords to access these systems.

• Each of these systems also maintains its own password policy. For example, in the SAP HR system, the user has to change his or her password every 30 days. In the next system, the user has to change the password every 90 days. In another system, the user does not need to regularly change his or her password at all.

What does this lead to? Users forget their passwords. The administrator is constantly resetting passwords. Keep in mind that this makes social engineering much easier.


The solution is Single Sign-On: with SSO, users access multiple systems based on a single authentication.