
Authorization Objects by Transaction

I published this SAP BASIS article in the early days of this blog, and it is very important for anyone starting out in SAP system administration, especially in the security of user roles and profiles in the ERP.


There is a transaction that shows us the authorization objects touched by each transaction we want to execute: SU24.

This information can also be seen in table USOBT.

We can see the objects used by an RFC, a TADIR service or an external service.

Transaction SU24 (screenshot)

Authorization objects (screenshot)


You can filter on any field to see more clearly which objects the transaction really touches.

For lack of time I cannot continue developing this article, but if you need more help on this topic please send your question for free to our SAP help forum and it will be answered promptly.




Regards,
--SidV


SAP HANA Security Guide

SAP HANA is rapidly gaining ground thanks to the speed benefits it brings to companies, and it is inevitable that HANA security will soon be a priority for most companies and systems auditors.

Solutions such as Suite on SAP HANA and S4HANA are becoming more common in enterprise organizations. The dream of running ERP and analytics on the same platform is starting to take shape, and this is leading more organizations to grant access directly to the SAP HANA database.

SAP's ERP solutions are the lifeblood of many organizations and must therefore be protected at every layer.

Many organizations have failed to implement any level of security within their SAP HANA database. They may have secured their SAP application layer, but none of that will matter the moment someone commits massive fraud by changing the data directly in the SAP application server's tables.

With a few SQL INSERT, UPDATE and DELETE statements, someone could send themselves a few checks of $6,000 each week without being detected.


The Role Matrix in SAP

An SAP user matrix is often necessary: a matrix of roles, functions, transactions, users, key users and, why not, consultants (if the organization in question has them in-house).

Below we expand on the SAP security matrices that each member of our community has used and/or experienced. We will not go into SAP GRC, but rather something more general from the SAP system administration (SAP BASIS) side.


The Most Critical Attack Vectors in SAP Systems

SAP security (image)

Via HackPlayers I learned that Onapsis Research Labs analyzed thousands of vulnerabilities to identify the three most commonly used methods of hacking critical data hosted in SAP applications, as well as of disrupting key business processes.


Critical (and Deadly) SAP Security Mistakes

SAP security mistakes (image)

Via Segu.info I learned that Andreas Wiegenstein has written an article on virtualforge.com describing the 9 critical mistakes (called deadly sins) made regarding SAP security. According to the author, there are probably more than a million things SAP customers can do about security, but he has compiled the most critical ones he has observed over 10 years of performing SAP security penetration tests for various customers.


Security Risks: SE16 and SM30

SE16 and SAP risks (image)

Question:

"What is the problem with functional consultants having access to transaction SE16?"

Before answering the question, we need to clarify some concepts about SE16 and related transactions.

SAP transaction: SE16

Basically it is a transaction for displaying the contents of a given table. "SE16" is a normal transaction, as opposed to "SE16N", which is called an Enjoy transaction because it allows more customization of the user interface.

SAP Authorization Trace

Authorization trace via transaction ST01: a very good tool for auditors and SAP security administrators.


This tool has characteristics that make it one of the most important for auditing and obtaining evidence of user access in the SAP system:
  • Easy-to-use tool; it is advisable to master the concept of authorization in order to use and interpret it properly (layers 1, 2 and 3 of authorization security)
  • A tool that does not reduce the performance of the environment where it is activated (it is not invasive). This is the typical reason auditors are denied access to it, losing the opportunity to obtain very high quality audit evidence. If the trace is active only for authorization checks, there is no performance loss. We could eventually have an impact to the extent that we activate all trace options (RFC, tables, etc.)

SAP ADM955 [Updated 2018]

2018 update note: the download is available again thanks to the tireless contribution of a community member who has chosen to remain anonymous.


Manual ADM955 SAP GRC Access Control - Installation

Instructor Handbook
Contents:
  • Unit 1: Introduction
    Introduction
  • Unit 2: Pre-Installation Requirements
  • Hardware and Software Requirements
  • Software and Service Pack Downloads
  • RTA Installation
  • SLD Configuration
  • IGS Configuration
  • Unit 3: Access Control Installation
  • Access Control Installation

Authorization Objects for ALE EDI

Following is a list of some of the authorization objects used for carrying out ALE & EDI development. Contact your Basis Administrator to set up your user-id for ALE and EDI functions.

Object: ALE/EDI: Maintaining logical systems
Authorization: B_ALE_LS_ALL
  • Field: Logical system
  • Values: *

Object: ALE/EDI: Distributing master data
Authorization: B_ALE_MA_ALL
  • Field: Logical message type
  • Values: *


SAP PM: authorisation objects

How to get the authorisation objects for SAP PM?


Check this for the common PM authorisation objects:
  • I_ILOA - Change location and accounting data in the order
  • I_CCM_ACT - Configuration Control authorization object
  • I_ALM_ME - Mobile Asset Management

  • I_VORG_MEL - PM/QM: Business Operation for Notifications
  • I_QMEL - PM/QM: Notification Types
  • I_BEGRP - PM: Authorization Group

Tables: SAP Keys

Some of the tables where SAP keys are stored are:

  • DEVACCESS: records all developer keys
  • ADIRACCESS: records all keys of modified objects
  • TDEVC and view V_TDEVC: records all development classes or packages


Source consulted: Sap-adm.blogspot.com


Security tables

Table, description and related report (where one exists)

  • USR02 Users Data (logon data) RSUSR020
  • USR04 User master authorization (one row per user)
  • UST04 User profiles (multiple rows per user)
  • USR10 Authorisation profiles (e.g. &_SAP_ALL)
  • UST10C Composite profiles (i.e. profile has sub-profiles)
  • USR11 Text for authorisation profiles
  • USR12 Authorisation values RSUSR030
  • USR13 Short text for authorisation
  • USR40 Table of illegal passwords
  • USGRP User groups
  • USGRPT Text table for USGRP
  • USH02 Change history for logon data
  • USR01 User Master (runtime data)
  • USER_ADDR Address Data for users
  • AGR_1016 Role and Profile RSUSR020
  • AGR_1016B Role and Profile
  • AGR_1250 Role and Authorization data
  • AGR_1251 Role Object, Authorization, Field and Value RSUSR040
  • AGR_1252 Organizational elements for authorizations
  • AGR_AGRS Roles in Composite Roles
  • AGR_DEFINE To See All Roles (Role definition) RSUSR070
  • AGR_HIER2 Menu structure information - Customer vers
  • AGR_HIERT Role menu texts
  • AGR_OBJ Assignment of Menu Nodes to Role
  • AGR_PROF Profile name for role
  • AGR_TCDTXT Assignment of roles to Tcodes
  • AGR_TEXTS File Structure for Hierarchical Menu – Cus
  • AGR_TIME Time Stamp for Role: Including profile
  • AGR_USERS Assignment of roles to users
  • USOBT Relation transaction to authorization object (SAP)
  • USOBT_C Relation Transaction to Auth. Object (Customer)
  • USOBX Check table for table USOBT
  • USOBXFLAGS Temporary table for storing USOBX/T* chang
  • USOBX_C Check Table for Table USOBT_C
  • TSTCA Transaction Code, Object, Field and Value

More User/Security tables

  • DEVACCESS Table of development users including dev access key
  • USR02 Logon data
  • USR04 User master authorization (one row per user)
  • UST04 User profiles (multiple rows per user)
  • USR10 Authorisation profiles (e.g. &_SAP_ALL)
  • UST10C Composite profiles (i.e. profile has sub-profiles)
  • USR11 Text for authorisation profiles
  • USR12 Authorisation values
  • USR13 Short text for authorisation
  • USR40 Table of illegal passwords
  • OBJT Authorisation object table

Security Reports

SAP security report name and description


  • RSUSR_SYSINFO_ROLE (YOU NEED TO LOG ON TO THE CENTRAL SYSTEM FOR THIS) Report cross-system information/role STANDARD SELECTION, User name, Receiving system, SELECT ROLE Role
  • RSUSR_SYSINFO_PROFILE (YOU NEED TO LOG ON TO THE CENTRAL SYSTEM FOR THIS) Report cross-system information/profile STANDARD CRITERIA User Name, Receiving system, Profile
  • RSUSRSUIM Same as SUIM User Information System
  • RSUSR402 Download user data for CA manager from Secude
  • RSUSR300 Set External Security Name for all Users
  • RSUSR200 List of Users According to Logon Date and Password Change
  • RSUSR102 Change Documents for Authorizations
  • RSUSR000 Currently Active Users Tcodes SU04 and AL08
  • RSUSR002 Users by Complex Selection Criteria (search by User, Group, User Group, Reference User, User ID Alias, Role, Profile Name, Tcode, SELECTION BY FIELD NAME, Field Name, SELECTION BY AUTHORIZATIONS Authorization Object, Authorization, SELECTION BY VALUES, Authorization Object 1, AND Authorization Object 2, AND Authorization Object 3, ADDITIONAL SELECTION CRITERIA, Account number, Start Menu, Output Device, Valid Until, Locked Users ONLY, Unlocked Users Only, CATT Check ID)
  • RSUSR002_ADDRESS Select User According to Address, NAMES, First Name, Last Name, User, COMMUNICATION PATHS, Company, City, Buildings, Room, Extension, OTHER DATA, Department, Cost Center
  • RSUSR003 Check the Passwords of Users SAP* and DDIC in All Clients (SAP* DDIC SAPCPIC )
  • RSUSR004 Restrict User Values to the following Simple Profiles and Auth Objs SELECTION CRITERIA Single Profiles, Authorization Objs
  • RSUSR005 List of Users with Critical Authorizations (SAME AS RSUSR009, but the difference is that here you can't choose)
  • RSUSR006 List of Users According to Logon Date and Password Change
  • RSUSR007 List Users Whose Address Data is Incomplete (here give the Required Address Data)
  • RSUSR008 Critical Combinations of Authorizations at Transaction Start (Can view either Critical Combinations or Users)
  • RSUSR009 List of Users with Critical Authorizations (SAME AS RSUSR005, but here you can check using either customer data or SAP data)
  • RSUSR010 Transactions for User with Profile or Authorization (transactions executable either by User, with Role, Profile or Authorization)
  • RSUSR011 Lists of transactions after selection by User, profile or obj SELECTION FOR User
  • RSUSR012 Search authorizations, profiles and users with specified object value (DISPLAY authorization objects, DISPLAY authorizations, DISPLAY profiles, DISPLAY users)
  • RSUSR020 Profiles by Complex Criteria SELECTION CRITERIA Profile, Profile test, ADDITIONAL CRITERIA FOR PROFILES, Composite Profile, Single Profile, Generated Profiles, SELECTION BY CONTAINED PROFILES Profile, SELECTION BY AUTHORIZATIONS, Authorization Object, Authorization, SELECTION BY VALUES, Auth obj, auth obj2, auth obj3, SELECTION BY ROLE
  • RSUSR030 Authorizations by Complex Selection Criteria SELECTION CRITERIA, Auth Object, Authorization, BY VALUES
  • RSUSR040 Authorization Objects by Complex Criteria, STANDARD SELECTIONS, Authorization object, ADDITIONAL CRITERIA Object class, Obj class text, Field
  • RSUSR050 COMPARISONS, Compare Users, USER A ------** USER B--------, ROLES, PROFILES, AUTHORIZATIONS, Across Systems
  • RSUSR070 Roles by Complex Selection Criteria STANDARD SELECTION Role, Description, SELECTION BY USER Assignments
  • RSUSR100 Change Documents for Users
  • RSUSR101 Change Document for Profiles

More info: http://forums.sdn.sap.com/thread.jspa?threadID=131118


HR Authorization Management

Authorization management through the organizational structure in SAP HR

This authorization restricts the branch of the organizational structure that users can access.

It is a standard SAP authorization which by default assigns all users the main branch of the active organizational structure.

To refine these authorizations, two steps are needed:

1.- Define structural profiles (branches of the organizational structure and object types)

2.- Assign structural profiles to users.

These activities can be carried out in SPRO under the branch "Personnel Management – Personnel Management – Tools – Authorization Management – Structural authorizations for Organizational Management". The detailed operation is explained in the SAP HR940 manual – Authorizations in HR – Unit 7.

Define structural profiles

This activity corresponds to transaction OOSP.

A profile is understood as a group of branches of the organizational structure that can later be assigned to users.

By default there is a profile "ALL" that refers to the main branch of the organizational structure and is the one assigned to users by default. That is, by default users have access to the main branch of the organizational structure.

If we want to filter the branches users can access, we need to create our own profiles defining the branches they may access.

Assign structural authorizations

This activity corresponds to transaction OOSB.

In this activity the users are assigned to the profiles that have been created.

There is a standard entry SAP* to which profile ALL is applied. This entry is what makes a user who has no specific profile assigned receive this one and get full visibility of the organizational structure.

In this table you must specify:

- User

- Associated profile

- Start date for applying the profile

- End date for applying the profile

- Exclusion (for inverse authorizations)

There is also a "Display objects" button with which we can validate the level of visibility of a user with an associated profile.
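To make the two steps above concrete, here is an added Python model of the structural check (example code, not from the original post or from SAP): a constructed org tree, OOSP profiles as sets of branch roots, and OOSB rows with validity dates, exclusion flag and the SAP*/ALL fallback. It assumes that a user with no valid row of their own falls back to the SAP* entry, which is the visibility risk the post describes.

```python
from dataclasses import dataclass
from datetime import date

# Constructed organizational structure: object -> parent object. "ROOT" is the
# root of the active org plan, i.e. what the delivered profile ALL refers to.
ORG_PARENT = {
    "ROOT": None,
    "SALES": "ROOT",
    "SALES-EU": "SALES",
    "SALES-US": "SALES",
    "FINANCE": "ROOT",
    "PAYROLL": "FINANCE",
}

# Structural profiles as maintained in OOSP (constructed): profile name ->
# root objects of the branches it grants. ALL is the SAP-delivered profile.
STRUCTURAL_PROFILES = {
    "ALL": {"ROOT"},
    "Z_SALES": {"SALES"},
    "Z_PAYROLL": {"PAYROLL"},
}

@dataclass(frozen=True)
class Assignment:
    # One row of OOSB: user, profile, validity period, exclusion flag.
    user: str
    profile: str
    start: date
    end: date
    exclusion: bool = False  # inverse authorization: the branch is taken away

# Constructed OOSB rows. The SAP* row with ALL is the delivered fallback.
ASSIGNMENTS = [
    Assignment("SAP*", "ALL", date(1900, 1, 1), date(9999, 12, 31)),
    Assignment("JPEREZ", "Z_SALES", date(2018, 1, 1), date(9999, 12, 31)),
    Assignment("MLOPEZ", "ALL", date(2018, 1, 1), date(9999, 12, 31)),
    Assignment("MLOPEZ", "Z_PAYROLL", date(2018, 1, 1), date(9999, 12, 31),
               exclusion=True),
    Assignment("OLDUSER", "Z_SALES", date(2016, 1, 1), date(2017, 12, 31)),
]

def in_branch(org_unit, branch_root):
    """True if org_unit is branch_root or lies anywhere below it."""
    node = org_unit
    while node is not None:
        if node == branch_root:
            return True
        node = ORG_PARENT[node]
    return False

def effective_rows(user, on_date):
    """OOSB rows valid for the user on that date.

    Model assumption: with no valid row of their own, the user gets the SAP*
    entry (profile ALL), as the post describes for users without a specific
    profile. An expired assignment therefore silently widens visibility.
    """
    own = [a for a in ASSIGNMENTS
           if a.user == user and a.start <= on_date <= a.end]
    if own:
        return own
    return [a for a in ASSIGNMENTS
            if a.user == "SAP*" and a.start <= on_date <= a.end]

def can_view(user, org_unit, on_date):
    """Structural check: granted by a normal row and not removed by an exclusion row."""
    if isinstance(on_date, str):
        on_date = date.fromisoformat(on_date)
    rows = effective_rows(user, on_date)
    granted = any(in_branch(org_unit, root)
                  for a in rows if not a.exclusion
                  for root in STRUCTURAL_PROFILES[a.profile])
    excluded = any(in_branch(org_unit, root)
                   for a in rows if a.exclusion
                   for root in STRUCTURAL_PROFILES[a.profile])
    return granted and not excluded
```

Running `can_view("OLDUSER", "PAYROLL", "2019-01-01")` returns True because the expired Z_SALES row drops OLDUSER back to SAP*/ALL; that is why OOSB validity dates deserve the same review as the profiles themselves.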

Reblogged from XiscoRoca


SE16N: The security implications

Why you should not do this in any productive system, or any system that you don't wish to restore because you've messed up referential integrity....

  • Reason 1: If you are ISO certified, then you will be going against their instructions
  • Reason 2: If you are bound by SOX compliance then you will not be adhering to it
  • Reason 3: You can cause data inconsistencies between tables that have relationships with each other. It will not maintain referential integrity between the tables.
  • Reason 4: SAP will not support any inconsistencies brought about by this method


Regarding security around this feature here are some points to note:

  1. It can be protected by the developer authorization S_DEVELOP (object type DEBUG activity 03 and 02 and 01). The user needs access to both SE16N and DEBUG before it's available.
  2. All changes to table contents are updated in separate change document tables. These tables are:
    - SE16N_CD_KEY : Change Documents Header - Stores the user, the modification date and time
    - SE16N_CD_DATA : Change Documents Data
  3. In addition you can apply notes 503274 and 597117 to specify a display transaction only, which does not allow table changes.
  4. If you are paranoid then block the transaction via SM01
  5. If you are crazy paranoid then remove the transaction from table TSTC ;)


Lastly a comment from Julius:


"For other readers, please also see SAP note 587410. With this authorization, you can use SE16N's function modules to go *across client boundaries* and turn the change authorization checks on S_DEVELOP and S_TABU_DIS OFF (!) when calling the FM."


Suggestions for use:


I only use this on Z tables in a development environment where I do not wish to have table maintenance generated and I understand the referential integrity associated with the table.


Any thoughts and comments go to http://forumsa.sdn.sap.com/thread.jspa?threadID=1504272

Kevin Wilson is a Sr. SAP Solution Engineer for QData USA Inc. and founder of ERPGenie.COM




Reblogged from Sdn.sap.com

Transaction SE16N vulnerability

Please restrict access to SE16N in your production systems. If you're sufficiently paranoid, you may want to remove the transaction completely.

I've known for a while that, in some releases of SAP, transaction SE16N can be used to change SAP tables, regardless of authorisations or security settings. It's not something I've been keen to see widely disseminated, as there are major systemic risks in making changes this way. More dangerously, it provides a way to override authorisations by giving your userid (or your accomplice's userid) the SAP_ALL role.

SE16N, before entering &SAP_EDIT in the command field

Essentially, you run transaction SE16N, then type &SAP_EDIT into the command field and press enter.

SE16N, AFTER entering &SAP_EDIT in the command field

In the example below, I've changed the User Group to SUPER.

SE16N, changing User Group to SUPER

Personally, I'd recommend making the transaction unavailable (perhaps even removing it from TSTC ?) in your production system - Your firefighter userid can be given authorisation to allow the appropriate people to add it back in, if necessary.

The reason for mentioning it at all is that SAP Mental Notes and IT-Toolbox SAP on DB2 for z/OS have stated that changes using this method are permanently logged in the tables listed below:


SE16N_CD_KEY : Change Documents – Header
SE16N_CD_DATA : Change Documents – Data

This means, in theory, that you can query these tables to audit the usage of SE16N to change data. My attitude is that it's all well and good knowing Joe Bloggs has broken your system, but I would rather not have to deal with the broken system in the first place. However, there's a bigger issue.....

When I tested this out on an ECC6 IDES system (DB2 on Windows 2003), the SE16N_CD* tables were not updated.

SE16N, ECC6 IDES, does not appear to update the SE16N_CD* tables

1 - The knowledge of this method of changing data, which is available on production systems to anyone with access to the SE16N transaction is being more widely disseminated.

2 - There appears to be at least one major platform / release that does not support audit of the method of changing data.

Martin English - I am a Netweaver Technical Consultant for CSC Australia, supporting the complete SAP lifecycle from pre-sales planning through to decommissioning. The opinions expressed here very rarely coincide with those of my employer, customers, or indeed any one else. This is written by me, not them.

Reblogged from Sdn.sap.com
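Both SE16N posts above point at the same defensive control: audit SE16N_CD_KEY for changes to sensitive tables, and do not trust it as the only record, since on the IDES system above it was not written at all. This added Python example (not code from either post) does both: it reviews constructed change documents against the user and role tables listed on this page, and it diffs two snapshots of USR02 to find changed rows that have no SE16N change document. The column names (user, table, changed_on, row_key, and CLASS for the user group) and all rows are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Tables named on this page whose direct modification is security-relevant:
# user master records and role/profile assignments.
SENSITIVE_TABLES = {"USR02", "USR04", "UST04", "AGR_USERS", "AGR_1251"}

@dataclass(frozen=True)
class ChangeDoc:
    """One SE16N_CD_KEY header row. Column names are assumed for this example;
    the post only states that the table stores the user, date and time."""
    user: str
    table: str
    changed_on: date
    row_key: str  # key of the changed row, as a string

# Constructed SE16N_CD_KEY rows, e.g. read by a periodic extract.
CD_KEY = [
    ChangeDoc("DEV1", "ZCUSTOM", date(2018, 3, 1), "0001"),
    ChangeDoc("ADM2", "USR02", date(2018, 3, 2), "JBLOGGS"),
]

# Constructed before/after snapshots of USR02, keyed by user name and reduced
# to the user-group column (assumed name CLASS) that the post shows being
# changed to SUPER.
USR02_BEFORE = {
    "JBLOGGS": {"CLASS": "FUNC"},
    "ADM2": {"CLASS": "FUNC"},
    "SVC1": {"CLASS": "SVC"},
}
USR02_AFTER = {
    "JBLOGGS": {"CLASS": "SUPER"},
    "ADM2": {"CLASS": "SUPER"},
    "SVC1": {"CLASS": "SVC"},
}

def changed_keys(before, after):
    """Keys whose row was inserted, deleted or updated between two snapshots."""
    return {k for k in before.keys() | after.keys()
            if before.get(k) != after.get(k)}

def sensitive_se16n_changes(cd_rows):
    """Change documents written by SE16N against sensitive tables, for review."""
    return sorted((c.table, c.row_key, c.user, c.changed_on.isoformat())
                  for c in cd_rows if c.table in SENSITIVE_TABLES)

def undocumented_changes(table, before, after, cd_rows):
    """Rows of `table` that changed but have no SE16N change document.

    A hit means the change came through another path (SU01, a transport,
    direct SQL) or, as observed on the IDES system in the post above, SE16N
    did not write SE16N_CD_* at all. Either way the row needs investigating,
    which is why the audit cannot rely on SE16N_CD_KEY alone.
    """
    documented = {c.row_key for c in cd_rows if c.table == table}
    return sorted(changed_keys(before, after) - documented)
```

In the constructed data, JBLOGGS's move to group SUPER is documented and shows up for review, while ADM2's identical change has no change document and is reported as undocumented.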

SAP Trends

What SAP Trends Should IT Services Firms Pursue?

In the SAP services world, there is always the danger of getting too far ahead of the market. That’s why we are always working the phones to get at one fundamental question – across the SAP roadmap, what are customers actually buying? Formal surveys have their place, but so does the “backchannel.” In a recent backchannel conversation, a colleague told me about a firm that had spoken to 100 customers about their SAP priorities. The five most frequently mentioned? Upgrades and Enhancement Packs, Solution Manager, Mobility, Security, and Development/UI Technologies.
For this mid-summer blog post, I’ll do my own analysis of each of these areas, providing a reason for investment, some trends to monitor, and some resources that can further the understanding in each of these five trends.
  1. Development/UI Technologies
    Reason for investment: Users are looking for an intuitive UI experience that more closely resembles socialized “Web 2.0” environments. Also, light UIs can help to extend SAP to a broader user base beyond the heavy financial users who are way more comfortable in Excel than everyone else.
    Trends to monitor: Increased use of dashboarding, either through SAP Crystal Dashboard Design (formerly Xcelsius), or other tools. There's a new UI emphasis on integration with the UI environments users prefer, such as Microsoft SharePoint.

    Resources:
    SAP User Interface Technology home page on SDN; the Enterprise Geeks frequently cover SAP UI trends in their podcasts, including excellent content on Web Dynpro ABAP on their ABAP Freak Show, which is increasingly becoming a customer favorite for SAP UI design.

  2. Solution Manager
    Reason for investment: SAP Solution Manager is mandatory only for certain functions such as ERP 6.0 system upgrades, but companies are finding themselves more familiar with the SAP “SolMan” tool set due to its positioning by SAP as the key to deriving value from Enterprise Support. The technical administration capabilities of Solution Manager, such as Central System Administration and System Monitoring.

    Trends to monitor:
    Firms that can help companies integrate Solution Manager into Application Lifecycle Management (ALM) methodologies and understand SolMan’s process monitoring capabilities can deliver a greater value to end users than those who approach SolMan as simply “technical tools expertise.”
    Resources: SAP’s Application Lifecycle Management home page on SDN, SAP Solution Manager blog category on SCN, Panaya’s recent survey on SAP Solution Manager adoption.

  3. Upgrades and Enhancement Packs
    Reason for investment: SAP upgrades are still driven by the carrot and the stick – the carrot being the advanced capabilities of ERP 6.0, the stick being the extended maintenance burdens. However, the rush to upgrade can be overestimated. Companies are taking their time, building their business case, and upgrading when there is more than just the “stick” of extended maintenance to push them forward. Those companies running ERP 6.0 are looking for a better understanding of what they can get out of Enhancement Packs and examining the most relevant EhP functionality for their projects. Enhancement Packs are better understood by customers than they were a year ago, but understanding how EhPs impact different functional areas of SAP continues to separate the best consultants from the rest.

    Trends to monitor:
    “Big bang” upgrades are a rarity. Streamlined technical upgrades, followed by focused business-cases-driven functional enhancements are now the norm. Tools that streamline testing and pre-upgrade development chores are gaining real traction.
    Resources: SAP's upgrade resource library, SAP upgrade forum on SCN, SearchSAP.com piece on third party SAP upgrade tools.

  4. Mobility
    Reason for investment: The newcomer to this list, mobility is clearly not an SAP-fantasized trend but one with customer traction. Perhaps the biggest change in the SAP mobility space is the shift from talk of “point solutions” to the need for an Enterprise Mobility strategy that gives structure and central management of the surge in point solutions for different focused applications like field service or e-procurement. With the Sybase acquisition not yet complete, there are legitimate customer questions around the best SAP mobility strategy, spawning a need for consultants who can not only implement solutions but validate roadmaps.

    Trends to monitor:
    In addition to the shift from point solutions to Enterprise Mobility, another trend is clearly the movement of iPhones and soon Androids into the BlackBerry-dominated corporate smart phone environment. Companies are also expanding mobility business cases into management line use with business cases that empower busy managers to approve workflow steps on the fly.
    Resources: Mobile technology area on SDN, Mobility blog category on the SAP Community Network, SAP Mobility trends podcast I conducted with two fellow SAP Mentors Kevin Benedict and John Appleby.

  5. Security
    SAP security is a steady concern for companies. But as SAP environments become more complex, security issues do too. BI security, mobile security, and the morphing of security into Identity Management are all areas to pursue. There is now a separation between consultants who understand security from solely a technical angle and those who guide SAP customers through the creation of a modern SAP security strategy.

    Trends to monitor:
    Governance, Risk and Compliance also includes security-related issues in terms of access and process controls. Expertise in SAP's GRC components and how they tie into overall security management can be a differentiator.
    Resources: Security and Identity Management home page on SDN, SCN blogs on Security and Identity Management.
