SAP Security On A New SAP Implementation

Hi Gurus,
I'm going to be part of a team that will be implementing SAP Security with a company that's implementing SAP. My experience has always been in maintenance and support, and I was wondering, security-wise, what's involved during the implementation stage. What are the things to be done or considered when implementing SAP Security? Are there steps to be followed? What is the best strategy for implementing authorizations?
Thanks in advance for answering my questions and enlightening my junior mind.
JB

Hi,
SAP Security implementation process follows the Authorisation Methodology. In this we need to follow the phases, which are:
1. _Requirement_: In this, the implementing partner team communicates with the end user and prepares the S.O.D. As per the S.O.D., implementing partners prepare the _Role matrix_.
2. _Analysis_: as per the role matrix, based on rules and regulations, consultants educate the end user.
3. *Implementation*: As per the role matrix, single roles, composite roles and derived roles will be developed, and critical tables, reports and transactions will be secured.
4. Quality check and test: developed roles are moved to the quality system and testing is done; as per approval from the decision maker, roles are moved to the production server.
5. Cutover: these roles are assigned to the users and the system goes live.
Please concentrate deeply on the underlined and bold words.
Thank you.

Similar Messages

  • SAP Security handover from the Onshore Implementation team Documents

    Dear All,
    We are an Implementation & Support Team and we are getting the SAP Security handover from the Onshore Implementation team, where in future we ought to continue the Implementation.
    Please could you let me know what other documents we require for handling the complete security landscape for our scenario:
    CRM, BI, BS, SOLMAN, EP and PI
    Please suggest any other documents besides the below, or any other specific details with respect to each Module:
    • Enterprise-Wide Role Matrix
    • Role Implementation Framework Prototype
    • User Authorization and Strategy Management Procedures
    • User Role and Authorization Concept Technical Design
    • SAP Security Organization Hierarchy Requirements
    • Transaction to Role Mapping
    • Role to Position Mapping
    • Available authorization policy documents
    • Role matrix with segregation of Duties
    Many Thanks

    What do you have defined for your support?
    Presumably you have quoted a price per call but what do you cover and how do you calculate the charge to your client?
    Please let me know so that I can undercut your quote.
    Damn - forgot to ask who your client was and the contact name.
    Cheers
    David
    Edited by: David Berry on Feb 11, 2011 12:29 AM
    Edited by: David Berry on Feb 11, 2011 12:30 AM

  • How about "installment-plan" SAP Education in the newer SAP technologies?

    OK - so SAP wants more customers doing the new SAP advanced technologies.
    If that's the case, SAP should want more folks out there who are qualified in these advanced technologies - BI, XI, WebD, etc.
    So, why not offer SAP Education on the installment plan with a 5% interest-on-balance fee?
    Is the idea too simple?

    David,
    Your idea is probably correct, just it should not be SAP offering the loans. Instead SAP could partner with one or many of its banking customers to offer such a type of "tuition assistance". SAP and the banking customer could decide how to compensate each other for the service.
    This assumes that SAP would want to try to market its courses to a larger audience. I will say one offering that definitely would get more exposure is making the full training catalog of courses available through the virtual training offering. I'm still waiting for the CRM marketing class to be offered in such fashion.
    The only drawback is that the classes still cost almost the same regardless of delivery method.
    Take care,
    Stephen

  • Career growth in SAP Security.

    Hi,
    I have done an MCA. I joined an MNC as a fresher. Then I got training on SAP ABAP. But I am allotted to a project and working on SOX compliance in application security (for SAP systems), i.e. monitoring and internal auditing. Here I have exposure to different IT application security controls, GRC, etc.
    Now I am really confused about my future growth. At this stage of the start of my career I am not able to decide whether I should switch to SAP security or stay with SAP ABAP once I roll off from this project.
    Will you please guide me in choosing the best career path, and future growth in SAP security?

    Hi
    Try to work on what you got; after 2 years there is huge recruitment for SAP Support in BI.
    There are a lot of benefits in BI compared to any other module, since it is a techno-functional module (very good in the market).
    Assign points if it is useful.
    Thank you
    Naveen

  • Role of a Security Consultant in an SAP implementation Project

    Hi All,
    What is the role of a Security Consultant in an SAP implementation Project and the stages in which he is involved?

    Hello Mohammed,
    The role of a Security consultant in any SAP product implementation (not just GRC) is wide enough and it's hard for anyone to sum up on a single forum post. Still I can give you some pointers.
    Security consultants come from different backgrounds, some from networking, database administration, infrastructure and even development like me. They contribute enormously to any product implementation from scratch (landscape design) to go-live (and continuous maintenance) so they are active on every phase of the implementation.
    Following are some of the activities they may perform (or participate)
    -System Landscape Design (work closely with BASIS and DBAs)
    -Check Infrastructure feasibility from security perspective (For Portals exposed to internet or extranet work closely with network providers for firewall security, VPS etc.)
    -Propose security guidelines, access policies, disaster recovery plan, business continuity roadmap (work closely with information security consultants and internal auditors or risk management teams)
    - Implement SAP solution specific Security measures (involves almost every SAP solution) for example: SAP R/3 security, GRC, BW/BI, HR, FI, Portal security etc.
    - participate in application integration for example: LDAP, IDM, SAP UME, shared directories etc (User master records security is on high priority).
    -   Check for any possible backdoor access vulnerabilities (ex: open RFCs, function modules like ping_rfc), and it involves almost all SAP solutions and there are special procedures to analyze such vulnerabilities.
    There are many such activities that a security consultant performs on a day to day basis. Please do not interpret the above mentioned activities (entirely) as criteria for any security consultant profile. There are many, many possibilities for a security consultant to work on, from pen testing to SoD violation remediation. That's why I said it's not easy to sum up security.
    Always remember, Security and GRC are two sides of a coin they work together. however GRC is more of a combination of policy, regulation, events and involves management participation whereas security is a purely technical practice.
    You may also be interested to know what it takes to become a forensic security specialist. Take a quick look at http://amudee.com/?p=378
    Best Regards,
    Amol Bharti

  • Frustrated. Need Advice on SAP Security Implementation!!!

    I'm very frustrated with my latest project and I would really appreciate your feedback.
    I recently joined a company that's implementing SAP. They are already in the realization phase and will soon enter the final preparation stage. I was brought in to implement SAP Security. I was provided with a compiled list of roles and tcodes based on the blueprints from the teams, and this was my starting point.
    I wanted to do a presentation with the teams so that we all know what my expectations/requirements are from them and vice versa. In preparation for this, I gathered their processes from their blueprints. I wanted them to break each process into detailed activities/tasks/functions. From there, they can identify the tcodes and then the roles. I also wanted to take this approach because the company is following SOX regulations. I showed this to my team lead and the PM, and the PM advised me not to go with this strategy because there would be too much work involved. I wanted this approach because I also wanted to do the SOD, but I was told not to do it because it would only confuse them. He just wanted to work on polishing the list of roles and tcodes.
    Some team leads are experienced people while other teams are not, because they are working with an employee from the company. Kind of like a partnership: one is a consultant while the other is a team lead from the company. Which I believe is normal practice so that there is knowledge transfer.
    So I had my presentation and I found out that most of the team leads have not seen this compilation of roles and tcodes. I also found out that even though they are already in the realization stage, the majority of the teams have no idea what roles to give, nor do they know who to give them to. I also asked for the org chart from the HR team but I was told that they still don't have it and cannot give it to me. They even asked me why I need it. They also informed me that HR structural authorizations are not going to be implemented, and yet nobody can give me a damn good reason why. All they tell me is that they don't need it.
    So as you can see, I'm not getting the cooperation/support I need to be able to do my job properly. How can I, when every strategy I wanted to do is being turned down? What should I do? I really need your advice on how to proceed. Your inputs are highly appreciated.
    Thanks in advance!

    Julius, Auke and Alex,
    I'm sure everyone would agree that the advice you guys offer is more than valuable. Thank you for that.
    I myself have been encountering the same situation that Litz is facing, except that in my case the Management is very co-operative (and trust me, this helps a lot). My problem is that neither I nor my Management know what access needs to be given to Consultants or IT Staff after GoLive, or even now. The Functional Consultants "don't have the time" to tell me what Tcodes they need access to, and they insist that they should have sap_all, and I have no idea what access they SHOULD have.
    I was going to post another thread for my questions but I guess there are already too many which address the same issue. These threads did give me a good insight into how SAP Security should be managed, and I was able to get some of it chalked out. I have a few questions though, which I wasn't too sure about even after reading through the countless threads.
    Most consultants in my company had sap_all in QA since no one knew what they should have, and often we noticed that they would be playing with the Basis Tcodes. Now, knowing what they have been doing in QA, I do not want to give them sap_all in Prod (although they insisted) at any cost. So, I made a role (z:sap_all), copied sap_all, disabled Basis Tcodes and assigned it to them. Then I kept adding Tcodes one by one on a request basis.
    We haven't gone Live yet (they say that we are still in the testing phase since the final cutover is due in the next few weeks) and I know that this cannot work after Go-Live, since z:sap_all has Tcodes like SE38, AL11, SM50 etc. in Prod. They say that they need these to do processing and it is okay to give it to them since we haven't gone live. I would also like to mention that my company is trying to get SOX compliant and needs these things in place.
    I have been entrusted with a BIG responsibility and am trying my best to live up to the expectations, and I am relying on you guys to help me out. All the Business Roles are in place, and it's just the IT roles that I'm worried about.
    So, my questions are:
    1. Until how long is it okay for Functional Consultants to have this kind of access in Prod?
    2. After we Go-Live, would a display only role for all functional Tcodes suffice for them? Or should they have Basis Tcodes too? If yes, which ones? (I'm asking this because I know that it should be minimal.)
    3. I have been told to create an "IT-Support role" by the Manager of the Implementation Partner for after GoLive. But he has no idea what T-codes it should have or what it does. Any ideas on this?
    4. I have read about the "firefighting role". I'm guessing that the IT Support Role is the same as this. But what exactly does the firefighting role have? And in what situations is it assigned?
    5. How important is the period before the final Cutover as far as SOX compliance goes?
    A little enlightenment on the common issues encountered after Go Live would also help me assess the situation a lot better.
    I hope I'm not asking too much of your time here. Thank you again guys!! Appreciate it!
    Kunal

  • SAP Security Planning and implementation with SOX/SOD compliance

    hello
    Hi guys, I am a security guy.
    Could you tell me, "SAP Security Planning and implementation with SOX/SOD compliance",
    what does it mean?
    <removed_by_moderator>
    thanks
    Ramesh
    Edited by: Julius Bussche on Feb 2, 2008 1:26 PM

    Ramesh Sammiti wrote:
    > hello
    > Hi guys, i am a security guy
    > could you tell me ,"SAP Security Planning and implementation with SOX/SOD compliance"
    > what does it mean.
    > <removed_by_moderator>
    > thanks
    > Ramesh
    Forgive me for saying, but it means:
    Implementing security which complies with Sarbanes Oxley requirements and takes into account Segregation of Duties.
    SOX and SOD are different things, from a security perspective SOX is generally technical security based and SOD is business process based (although bus proc has big SOX component).
    There is a plethora of information via yahoo/google etc.
    Edited by: Julius Bussche on Feb 2, 2008 1:28 PM

  • Complete Customising step to implement SAP PP module for New client.

    Hi friends,
    Can anybody tell me what are the initial to final steps to be followed (step-by-step) to configure & customise the SAP PP Module for a new Client? Suppose the industry is Process Industry.
    I'll be grateful to all who help in this regard.
    Thanks
    Parminder

    Hi Parminder,
    Go to Transaction OPPQ - Maintain Plant parameters, OPPR - Maintain MRP groups, and copy the settings from Plant 1000 to your new Plant.
    Then create new items again by copying the standard ones.
    Thanks and regards
    Muruegsan

  • Implementing SAP Security

    Hi,
    For a new ECC implementation, what is the best strategy or approach to use in implementing roles and authorization? Is there a blueprint that I can use?
    FYI, we are not implementing Virsa.
    Your response is highly appreciated.

    Litz Tee wrote:
    > Is there a blueprint that I can use?
    I doubt you'll ever find (a usable) one for free or on such a forum for that matter. Most of us earn (part of) our money designing them tailored to the customers' needs. I for one am surely not going to give examples away.
    The best strategy will always be:
    1- determine the needs in the company (what are the tasks for various people and which resources do they need to achieve their goals).
    2- determine which data has to be secured.
    3- draw a concept based on above information and have it validated by the business.
    4- design taskroles (singles) per task and functionroles (composites) to group tasks into functions.
    5- test both tasks and functions. The first test can be part of a unit test while the second one will be like an integration test.
    People you need:
    Functional consultants per module. They know about module-specific authorization stuff.
    Business consultants and/or key users who know which processes there are and how they're divided over the various jobs/functions in the company
    The (internal) auditors to tell you which information needs to be secured.
    As you see this is not a one person job and the outcome will differ per company.
    Jurjen
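An added example, not from Jurjen's post or any SAP tool, of how the task-role / function-role design above can be checked before roles are built: single roles carry transactions, composites group them, and an SoD ruleset names task pairs no one person may hold. Every role name, transaction code and rule in it is a constructed placeholder, not a real ruleset or real SAP transaction.

```python
"""Role-matrix model with a segregation-of-duties check.

Mirrors the design in the thread: task roles (PFCG singles) carry
transactions, function roles (PFCG composites) group task roles, and an
SoD ruleset forbids certain task combinations for one user. All names,
transaction codes and rules are constructed for this example.
"""
from itertools import combinations

# Task roles: task role -> transaction codes it grants (constructed)
TASK_ROLES = {
    "Z_TASK_VENDOR_MAINTAIN": {"ZVEND01", "ZVEND02"},
    "Z_TASK_INVOICE_POST": {"ZINV01"},
    "Z_TASK_PAYMENT_RUN": {"ZPAY01"},
    "Z_TASK_REPORT_DISPLAY": {"ZREP01", "ZREP02"},
}

# Function roles: composite -> task roles it groups (constructed)
FUNCTION_ROLES = {
    "Z_FUNC_AP_CLERK": {"Z_TASK_INVOICE_POST", "Z_TASK_REPORT_DISPLAY"},
    "Z_FUNC_MDM_VENDOR": {"Z_TASK_VENDOR_MAINTAIN", "Z_TASK_REPORT_DISPLAY"},
    "Z_FUNC_TREASURY": {"Z_TASK_PAYMENT_RUN", "Z_TASK_REPORT_DISPLAY"},
}

# SoD ruleset: rule id -> pair of task roles one person must not combine
# (constructed; a real ruleset comes from the business and the auditors)
SOD_RULES = {
    "R01": frozenset({"Z_TASK_VENDOR_MAINTAIN", "Z_TASK_PAYMENT_RUN"}),
    "R02": frozenset({"Z_TASK_INVOICE_POST", "Z_TASK_PAYMENT_RUN"}),
}


def expand_user(function_roles):
    """Resolve a user's composites to (task roles, effective transactions)."""
    tasks = set()
    for func in function_roles:
        if func not in FUNCTION_ROLES:
            raise KeyError(f"unknown function role {func}")
        tasks |= FUNCTION_ROLES[func]
    tcodes = set()
    for task in tasks:
        tcodes |= TASK_ROLES[task]
    return tasks, tcodes


def sod_violations(function_roles):
    """Return sorted (rule_id, task_a, task_b) for every SoD rule this assignment breaks."""
    tasks, _ = expand_user(function_roles)
    hits = []
    for rule_id, pair in sorted(SOD_RULES.items()):
        if pair <= tasks:          # both conflicting tasks reachable by this user
            task_a, task_b = sorted(pair)
            hits.append((rule_id, task_a, task_b))
    return hits


def unclean_function_roles():
    """Design-time check: composites that violate a rule on their own."""
    return sorted(f for f in FUNCTION_ROLES if sod_violations([f]))


def matrix_conflicts():
    """Design-time check: pairs of function roles that can never be co-assigned."""
    conflicts = {}
    for f1, f2 in combinations(sorted(FUNCTION_ROLES), 2):
        hits = sod_violations([f1, f2])
        if hits:
            conflicts[(f1, f2)] = [rule for rule, _, _ in hits]
    return conflicts


if __name__ == "__main__":
    print("unclean composites:", unclean_function_roles())
    for pair, rules in matrix_conflicts().items():
        print("never co-assign", pair, "->", rules)
    # Constructed user: an AP clerk who also got the treasury function
    print("user check:", sod_violations(["Z_FUNC_AP_CLERK", "Z_FUNC_TREASURY"]))
```

The matrix check is what the "validate by the business" step consumes: it lists which functions may never land on the same person before any user is provisioned.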

  • Sap-security: Myths about CUA

    Can anybody please tell me, what is the process of creating/maintaining CUA by a SAP security admin?
    Edited by: Julius Bussche on Oct 15, 2010 10:41 AM

    Not sure what you meant by that "wilderness" comment... (though I use it myself sometimes).
    I have a customer implementing new systems on release 7.10, so they have no legacy CUA or coding etc.
    They are using CUA from SolMan for all logical systems (ERP, BW, PI, SolMan) with the exception of the ERP productive client, where the users are provisioned via SAML (currently external ID mapping for initial loads, later federation).
    We have 3 million SU01 users...
    CUA is very robust, and if you understand how it works and what the tweaks are then it works like a charm.
    Even when the "C" in "CUA" becomes a hassle with decentral admin requirements (user groups are a classic example in the master), there are simple ways to deal with most of them in SHD0.
    If you have already consolidated your systems or are even implementing new ones, then you should not exclude CUA as an option.
    My benchmarks are:
    - CUA is easy to implement but requires a central guru for the tool. A knowledgeable admin can get it up and running in a few days.
    - IdM is in fact a development environment and not only a tool. It is an organizational project (possibly beyond company boundaries) which an admin cannot perform on their own.
    Depending on the requirements and systems in the landscape, you choose the tool.
    CUA is not obsolete!
    Cheers,
    Julius

  • CUP - Issue regarding creation of New SAP ID in CUP.

    System: SAP GRC 5.3 SP 12.
    We have a requirement where we need to design a workflow for creation of a New SAP ID.
    The naming convention followed for the SAP ID is FIRST LETTER of FIRST NAME and LAST NAME, with maximum 8 characters.
    For example:
    JOHN SMITH would have SAP ID JSMITH
    JERRY SMITH would have SAP ID JSMITH01
    The requirement here is that when a user fills in the REQUEST FORM for a NEW User ID, there is a field where the requestor needs to put the desired SAP ID.
    Can a validation be set OR logic be written so that the user can only put the SAP ID as per the naming convention?
    Also, any other solution as to how the situation can be handled in CUP...
    Regards.
    Ajit

    Hi Ajit,
    Yes, you can maintain the user ID in the Active Directory. The user ID will then be auto-populated in the request form from Active Directory when the data source is LDAP - Active Directory. So when a user logs in to the end user form to create a request, all their information (user details + manager details) will be fetched from Active Directory.
    It is not possible to change the user ID at a later stage of approval in the request.
    You can have security as the final stage and guide them to create the user manually as per the naming convention.
    Make auto provisioning OFF in CUP.
    Kind Regards,
    Srinivasan
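Since the convention ends up being enforced by whoever creates the ID by hand (AD admin or the security team), here is an added example, not from the thread, CUP or any SAP product, that generates and validates IDs under Ajit's rule. It assumes that "maximum 8 characters" means the base is truncated to 8, that collisions are resolved by a two-digit suffix 01..99 that still fits in 8 characters, and that non-letters in names are dropped; those three readings are assumptions.

```python
"""Generate and validate SAP user IDs under the convention from the thread:
first letter of first name + last name, upper case, at most 8 characters,
collisions resolved with a numeric suffix (JSMITH -> JSMITH01).

Assumptions (not stated in the thread): names are reduced to letters only,
the base is truncated to 8, and the suffix is two digits 01..99 that must
still fit within the 8-character limit.
"""
import re

MAX_LEN = 8
SUFFIX_DIGITS = 2


def _letters(name):
    """Keep ASCII letters only (drops apostrophes, hyphens, spaces)."""
    return re.sub(r"[^A-Za-z]", "", name)


def base_id(first_name, last_name):
    """Base ID: first letter of first name + last name, upper case, cut to MAX_LEN."""
    first, last = _letters(first_name), _letters(last_name)
    if not first or not last:
        raise ValueError("first and last name must each contain a letter")
    return (first[0] + last).upper()[:MAX_LEN]


def _stem(base):
    """Part of the base that survives when a numeric suffix is appended."""
    return base[: MAX_LEN - SUFFIX_DIGITS]


def propose_id(first_name, last_name, existing_ids):
    """First free ID for this person: the base, else stem + 01, 02, ..., 99."""
    existing = {e.upper() for e in existing_ids}
    base = base_id(first_name, last_name)
    if base not in existing:
        return base
    stem = _stem(base)
    for n in range(1, 10 ** SUFFIX_DIGITS):
        candidate = f"{stem}{n:0{SUFFIX_DIGITS}d}"
        if candidate not in existing:
            return candidate
    raise ValueError(f"no free ID left for base {base}")


def validate_requested_id(requested, first_name, last_name):
    """Check a requestor-supplied ID against the convention.

    Returns (ok, reason). Only the convention is checked here; whether the
    ID is already taken is a separate lookup against the user store.
    """
    rid = requested.strip().upper()
    if not rid:
        return False, "empty ID"
    if len(rid) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    base = base_id(first_name, last_name)
    if rid == base:
        return True, "matches base convention"
    suffixed = re.fullmatch(re.escape(_stem(base)) + r"(\d{%d})" % SUFFIX_DIGITS, rid)
    if suffixed and suffixed.group(1) != "0" * SUFFIX_DIGITS:
        return True, "base with collision suffix"
    return False, f"does not match convention (expected {base} or {_stem(base)}NN)"


if __name__ == "__main__":
    # Constructed sample of IDs already present in the user store
    taken = {"JSMITH", "JSMITH01"}
    print(propose_id("Jane", "Smith", taken))         # JSMITH02
    print(propose_id("Jane", "Vanderbilt", {"JVANDERB"}))  # JVANDE01
    print(validate_requested_id("jerrys", "Jerry", "Smith"))
```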

  • Where is com/sap/security/core/server/secstorefs/SecStoreFS?

    Hi,
    I am trying to create a Java client in NWDS that retrieves a DataSource object via JNDI from my XI 3.0 system.
    I have added the jars I could think of (connector.jar, jta.jar, sapj2eeclient.jar, sapopensta.jar, etc.) to my build path.
    When I attempt to retrieve the DataSource object via my Context I get the following exception:
    java.lang.NoClassDefFoundError: com/sap/security/core/server/secstorefs/SecStoreFS
         at com.sap.sql.connect.OpenSQLConnectInfo.getStore(OpenSQLConnectInfo.java:798)
         at com.sap.sql.connect.OpenSQLConnectInfo.lookup(OpenSQLConnectInfo.java:783)
         at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:209)
         at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:197)
         at com.sap.engine.services.dbpool.spi.ManagedConnectionFactoryImpl.createManagedConnection(ManagedConnectionFactoryImpl.java:113)
         at com.sap.engine.services.dbpool.spi.DefaultConnectionManagerImpl.allocateConnection(DefaultConnectionManagerImpl.java:26)
         at com.sap.engine.services.dbpool.cci.ConnectionFactoryImpl.getConnection(ConnectionFactoryImpl.java:51)
         at com.hclaxon.xi.tools.CommsChannelConfigurator.createDBConnection(CommsChannelConfigurator.java:382)
         at com.hclaxon.xi.tools.CommsChannelConfigurator.run(CommsChannelConfigurator.java:425)
         at com.hclaxon.xi.tools.CommsChannelConfigurator.main(CommsChannelConfigurator.java:465)
    Exception in thread "main"
    Could someone please tell me which jar contains the class mentioned above?
    thanks
    Brian

    Hi all,
    Update to original question. I realised I was using a newer version of the openSQL api, so changed that.
    Now I get a different exception:
    java.lang.NoClassDefFoundError: com/sap/security/core/server/secstorefs/SecStoreFSException
         at java.lang.Class.getDeclaredConstructors0(Native Method)
         at java.lang.Class.privateGetDeclaredConstructors(Class.java:1618)
         at java.lang.Class.getConstructor0(Class.java:1930)
         at java.lang.Class.newInstance0(Class.java:278)
         at java.lang.Class.newInstance(Class.java:261)
         at com.sap.sql.connect.OpenSQLDataSource.newInstance(OpenSQLDataSource.java:148)
         at com.sap.sql.connect.OpenSQLDataSource.newInstance(OpenSQLDataSource.java:133)
         at com.sap.engine.services.dbpool.spi.ManagedConnectionFactoryImpl.createManagedConnection(ManagedConnectionFactoryImpl.java:102)
         at com.sap.engine.services.dbpool.spi.DefaultConnectionManagerImpl.allocateConnection(DefaultConnectionManagerImpl.java:26)
         at com.sap.engine.services.dbpool.cci.ConnectionFactoryImpl.getConnection(ConnectionFactoryImpl.java:51)
    Can anyone tell me where this class is?
    thanks
    Brian

  • What are the Essentials for a Sap Security Consultant.

    Hi Gurus,
    I have completed an Implementation in which I alone handled the entire Security. It is a defense client.
    Now I am technically expert at security. But I have no functional knowledge.
    Implementing Security in SAP, one needs to have knowledge of the functional process as well. The courses are purely technical stuff, and I have a good idea of the technical stuff.
    The question is: what is a SAP Security Consultant expected to know, and how to go about acquiring that knowledge?

    Hi Hussain,
    There is a little bit of release-dependent-everything in this thread: Authorization for VAP2 in conflict with VD02 for F_KNA1_GRP
    Try to solve it and you will understand that you need the requirements (without that you are anyway doomed) and the knowledge and the appropriate access to create / test it.
    BAPI's are remote enabled stable interfaces to SAP standard functionality. They are the best examples of combining functional, technical and standard skills in a sustainable way without creating a mess (a mess, way beyond the bounds of your concerns...).
    If you learn to use the available tools and information sources, then you don't need to stress about the essentials, even if your customer makes a design error before or after your advice.
    Cheers,
    Julius

  • New sap user creation

    Hi All SAP experts,
    My company has implemented a 2-system SAP landscape with one development and one production server, which are running on R/3 Enterprise 4.7 (Kernel Release 6.20) with Microsoft SQL 2000 as the database server.
    I have the following questions regarding new SAP user creation using the user copy function.
    1. When I am asked to create a new SAP user using the user copy function, should I just create the user account in DEV and transport it to the PROD system? If yes, how could I do that?
    2. When I am asked to create a new SAP user using the user copy function, can I just create it on the PROD system only? If yes, what is the impact?
    3. When using the user copy function to create a new user account, should I select all parts (like address, defaults, reference user, user groups, ...) of the existing user to be cloned to the new user account?
    Thanks.
    Leon

    Hi Leon,
    Answer to your questions in their respective order:
    1. You can create user in DEV and then make remote client copy to PRD system using scc9 t-code. Here you can choose user accounts and authorizations for the copy. ( Rem: Data will be overwritten in target system when copied).
    You can also use client export/import(scc8/scc7)
    But, When you do the client import from the exported files using STMS,you will have to select only one of the transport requests and then STMS automatically selects the other requests for you.
    Then it will show you the different transport requests that you have created during your export, the client copy profile and the target system and client. The customizing and application data is deleted in the target client before copying for all profiles except SAP_USER. This is technically unavoidable (and hence the data will be overwritten).
    So if you can afford overwriting of user data in the target client, you can go with the above procedure.
    2. Using user copy in SU01, you can copy one user to another user only in that client, and it is confined to that system only. So yes, if you want 2 or more users to have the same authorizations, profiles, etc., you can choose this in the PROD system.
    3. It depends. If you want the user to be in the same group, then you can choose user groups. If you want them to have the same authorizations, you can choose roles and profiles. If you want them to have the same company address and others, you can select address, and so on.
    Also below link provides required steps in case you choose local/ remote client copy:
    http://www.sap-basis-abap.com/bc/client-copy-by-using-scc8-and-scc7.htm
    Hope this helps...
    Thanks,
    Ajith
    Edited by: Ajith Kamath on Oct 20, 2009 8:28 AM

  • Advice needed: what does your company log for SAP security role changes?

    My client has a situation where for many years, they never logged changes to SAP security roles.  By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!!  Sadly their ticketing system is terrible, completely free-form text and not even searchable. 
    Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details?   What details do you capture?  What about Projects, that involve dozens of changes and testing over several months?
    I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system?  I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations.  It's really weird but they will get into big trouble eventually without any logs for security changes!

    Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
    I have questions:
    a) Do you want to make things straight?
    b) Do you want to implement a versioning mechanism?
    c) You cannot implement anything technical, but you're asking about best "paper" practice?
    The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
    Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
    PFCG transaction usage will be curtailed to minimum if implemented fully.
    Do we really want to do things "outside" PFCG?
    @all:
    a) Do you guys use custom approval workflows for roles?
    b) How tight are your processes? How much paperwork, workflow, tickets, requests and incidents do you have to go through to change a role?
    c) Who is a friend of GRC here? Raise your hand.
    Cheers Otto
    p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild
