sap system critical authorizations check v1.1.doc


Upload: dumitrache-veronica

Post on 04-Jun-2018



8/14/2019 SAP System Critical Authorizations Check v1.1.doc

http://slidepdf.com/reader/full/sap-system-critical-authorizations-check-v11doc 1/12

SAP System

Critical Authorizations Check


Document Control

Version Revision Date Revision Description Author Sign-off  

Target Readership


Table of Contents

1 PURPOSE

2 SYSTEM CRITICAL AUTHORIZATIONS CHECK

2.1 SAP PRODUCTIVE SYSTEM CRITICAL AUTHORIZATIONS

2.2 SAP SYSTEM CRITICAL AUTHORIZATIONS MONITORING


1 Purpose

The purpose of this document is to describe the procedure used for the SAP system critical authorizations check, applicable within Praktiker Group for the SAP systems.

This document represents the repository of all the important Praktiker strategies and decisions regarding this topic.


2 System Critical Authorizations Check

2.1 SAP Productive System Critical Authorizations

The purpose of this section is to describe system critical authorizations that need to be restricted and monitored for SAP implementation/support team members but, also, external consultants and local users.

As the SAP system (FI and HCM) is in productive use and the volume of business data is increasing daily, a clear and smooth procedure must be established for checking SAP users' authorizations for access to sensitive transactions / programs that could constitute a risk for system security.

In this regard, we focus on monitoring access to the following types of sensitive authorizations:

1. SAP_ALL Profile.

This composite profile contains all SAP authorizations, meaning that a user with this profile can perform all tasks in the SAP system. We should therefore not assign this authorization profile to any of our Functional users. The number of users with this profile assigned must be very small, and usually it is assigned only to technical or emergency users.

Instead of using the SAP_ALL profile, we should distribute the authorizations it contains to the appropriate positions. For example, instead of assigning your system administrator (or superuser) the authorization SAP_ALL, assign him or her only those that apply to system administration, namely the S_* authorizations. These authorizations give him or her enough rights to administer the entire SAP system, without allowing him or her to perform tasks in other areas such as Personnel.

SAP_ALL should be implemented only in case of traceable reasons and restricted individual cases, and it has to be deactivated after use. The use has to be monitored and documented according to audit requirements.

2. ABAP Programming authorization

Risk related to ABAP programming in the production environment must be clearly understood and eliminated. Some programs could be ruled in the production environment by assigning authorizations. Development work and the necessary tools are basically protected by the following authorization objects:

• S_PROGRAM - starting ABAP programs (SUBMIT) and maintaining related program attributes

• S_DEVELOP – calling and utilizing the development environment.

Critical authorizations occur when users have change authorizations for the authorization object S_DEVELOP in the production environment and, at the same time, can start changed programs (authorization SUBMIT for the authorization object S_PROGRAM).

An entry DEBUG in the field object type and "02" (change) in the field activity for the authorization object S_DEVELOP brings a risk of changes to the main storage, which are not documented. SAP recommends that only system administrators and special users have authorization for the authorization object S_DEVELOP in the production system. Even so, activity type "03" (display) should be maintained instead of "02" (change).

2.2 SAP System Critical Authorizations Monitoring

The purpose of this section is to define policies and procedures in order to monitor access to sensitive SAP transactions / SAP programs for SAP implementation/support team members but, also, external consultants and local users.

Procedure

Monitoring critical authorizations will be performed in several steps, for both productive systems (FICO and HCM):

1. Monitoring SAP_ALL Profile Assignments

SAP_ALL profile assignments will be checked by using standard transaction S_BCE_68001395 - By Profiles.

The selection screen will be maintained by entering SAP_ALL under the Profile name.


The result of the transaction will be displayed in a List Format.

The list will be saved in an Excel format at the location below:

H:\SAPCC\Data\Praktiker Project Control Book\05 Roles and Authorization Concept\mySAP ERP Critical Authorizations Monitoring

Name of the file from PI 00 will be SAP FI Critical Auth SAP_ALL .xls (represents the calendar date at which the list was executed).

Name of the file from PH 00 will be SAP HCM Critical Auth SAP_ALL .xls (represents the calendar date at which the list was executed).


2. Monitoring ABAP Programming authorization (S_DEVELOP)

ABAP sensitive authorizations will be checked with the help of transaction S_BCE_68001400 - Users by Complex Selection Criteria with variant "ABAP CHECK".

Selections that are maintained in the above selection:

- Authorization Object S_TCODE (represents the code of a transaction that users can execute)

    o Transaction Code SE* (could be SE38, SE16, SE16N, ..)

- Authorization Object S_DEVELOP (permits access to developments like programs)

    o Activity 02 (Change)

    o Object Type PROG (Program) or DEBUG.


The result of executing the transaction will be a list in the format below.

The list will be saved in an Excel format at the location below:

H:\SAPCC\Data\Praktiker Project Control Book\05 Roles and Authorization Concept\mySAP ERP Critical Authorizations Monitoring

Name of the file from PI 00 will be SAP FI Critical Auth S_DEVELOP .xls (represents the calendar date at which the list was executed).

Name of the file from PH 00 will be SAP HCM Critical Auth S_DEVELOP .xls (represents the calendar date at which the list was executed).


3. Monitoring ABAP Programming authorization (S_PROGRAM)

ABAP sensitive authorizations will be checked with the help of transaction S_BCE_68001400 - Users by Complex Selection Criteria with variant "ABAP CHECK 2".

Selections that are maintained in the above selection:

- Authorization Object S_PROGRAM (allows access to programs)

    o Authorization group SUBMIT

- Authorization Object S_DEVELOP (permits access to developments)

    o Activity 02 (Change)
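The three monitoring steps above can also be cross-checked offline against an authorization export. The following is an added example, not part of the original procedure: the flattened export format and all user names are constructed, and the field names TCD, ACTVT, OBJTYPE and P_ACTION are the standard SAP field names of these objects rather than values taken from this document. It shows two points the selection screens hide: granted values may be patterns such as SE* or *, and the critical field values must sit in the same authorization.

```python
from fnmatch import fnmatchcase

# Constructed sample data, not from a real system. Assumed export format:
# profile assignments as (user, profile); authorizations flattened to
# (user, authorization object, {field: [granted values]}).
PROFILES = [("EMERGENCY1", "SAP_ALL"), ("JDOE", "Z_FI_CLERK"),
            ("CONSULT7", "SAP_ALL")]
AUTHS = [
    ("JDOE", "S_TCODE", {"TCD": ["FB03", "SE16"]}),
    ("JDOE", "S_DEVELOP", {"ACTVT": ["03"], "OBJTYPE": ["PROG"]}),
    ("DEV_A", "S_TCODE", {"TCD": ["SE*"]}),
    ("DEV_A", "S_DEVELOP", {"ACTVT": ["01", "02"], "OBJTYPE": ["DEBUG"]}),
    ("BATCH9", "S_PROGRAM", {"P_ACTION": ["SUBMIT"]}),
    ("BATCH9", "S_DEVELOP", {"ACTVT": ["*"], "OBJTYPE": ["TABL"]}),
]
SE_TCODES = ["SE38", "SE16", "SE16N"]  # the SE* examples named in the procedure


def grants(user, obj, **critical):
    """True if a single authorization of `user` for `obj` covers, for every
    given field, at least one critical value (granted values may be patterns)."""
    return any(
        all(any(fnmatchcase(value, granted)
                for granted in fields.get(field, []) for value in values)
            for field, values in critical.items())
        for u, o, fields in AUTHS if u == user and o == obj)


def sap_all_users():
    """Step 1: users with the SAP_ALL profile assigned."""
    return sorted(u for u, profile in PROFILES if profile == "SAP_ALL")


def develop_change_users():
    """Step 2: SE* transaction plus S_DEVELOP change on PROG or DEBUG."""
    return sorted(u for u in {a[0] for a in AUTHS}
                  if grants(u, "S_TCODE", TCD=SE_TCODES)
                  and grants(u, "S_DEVELOP", ACTVT=["02"], OBJTYPE=["PROG", "DEBUG"]))


def submit_change_users():
    """Step 3: S_PROGRAM SUBMIT plus S_DEVELOP change."""
    return sorted(u for u in {a[0] for a in AUTHS}
                  if grants(u, "S_PROGRAM", P_ACTION=["SUBMIT"])
                  and grants(u, "S_DEVELOP", ACTVT=["02"]))


if __name__ == "__main__":
    print(sap_all_users(), develop_change_users(), submit_change_users())
```

In the sample, JDOE can run SE16 but holds only display activity on S_DEVELOP, so the user is not listed, while BATCH9 is listed in step 3 because the granted activity * covers 02.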


4. SAP System Critical Authorizations – Roles and Responsibilities.

Responsible for this analysis and procedure is the SAP Competence Center. Each List saved on the shared folder will be completed with explanations for the Dialog Users that are included in the List. Further actions are to be applied depending on the analysis result and documented in the Excel files.

Procedural Steps are to be executed by Mr Claudiu Boca (SAP CC) at the end of each quarter.

Files are to be saved separately for the two SAP operative productive environments: Financial SAP (PI 00) and Human Capital Management SAP (PH 00).