* Determine how security administration is organized
2. Help Desk
* Determine if the help desk is effective
  + Records incident reports
3. Determine if proper system monitoring is performed
4. Determine if training is properly administered
5. Determine if key system interfaces are properly controlled.
6. Obtain a list of all system users
7. Obtain a list of custom transactions
* List all transactions within the TSTC table beginning with the letters Y or Z
o Tables>Data Display>Y*, and then Z*
8. Obtain a listing of all Clients
* List table T001
9. Obtain a listing of all group companies
* List table T042G
10. Obtain a listing of all business areas
* List table TGSB and TGSBT
11. Obtain a listing of all credit control areas
* List table T014 and T014T
12. Obtain a list of all charts of accounts
* List table T004 and T004T
13. Obtain a listing of all plants
* List tables T001W and TVKWZ
14. Obtain a listing of storage locations
* List table T001L
15. Obtain a listing of all purchasing organizations
* List table T024W
16. Obtain a listing of all purchasing groups
* List table T024
17. Obtain a listing of all sales organizations
* List table TVKO and TVKOT
18. Obtain a listing of distribution channels
* List table TVTW, TVTWT, and TVKOV
19. Obtain a listing of all divisions
* List tables TSPA, TSPAT, and TVKOS
20. Obtain a listing of sales areas
* List table TVTA
21. Obtain a listing of sales offices
* List tables TVBUR, TVKBT, and TVKBZ
22. Obtain a listing of sales groups
* List tables TVKGR, TVBVK, and TVGRT
23. ABAP programs
Review ABAP programs to ensure that all system function calls are authorized. System function calls are Unix commands passed to the operating system to perform a task at the operating system level, such as using Oracle SQL commands to query the database during the execution of an ABAP program.
24. Review all SAP user IDs at the Unix operating system level (/etc/passwd and /etc/group files):
* SIDADM: system administration
* ORASID: Oracle administration
* PCTEMU: Terminal administration
25. Review all relevant SAP change control directories under Unix
/usr/sap/trans
26. Ensure that all default passwords have been changed.
27. Determine that only authorized users have direct access to the Oracle database management system, and determine that all default system passwords have been changed.
28. Correction and Transport (CTS)
Control types:
* Default: Changes are allowed in corrections. Changes to SAP-provided objects require a repair correction.
* No Change: Changes are not allowed.
* Repairs: Repairs are allowed, but all must have corrections, and all corrections are flagged as repairs. Other types of changes are allowed with or without corrections.
* Unlimited: Any changes are allowed with or without corrections. No corrections are flagged as repairs.
Control type per CTS system type:
* Development: Default
* Integration: No Change
* Consolidation: No Change
* Recipient: No Change
* Determine if change control procedures are formally documented.
* Determine if separate instances have been defined for development and testing.
* Determine who is responsible for transport administration.
* Ensure that the control tables are properly established:
  o TSYST defines all systems to be used in CTS
  o TASYS defines all recipient systems
  o TDEVC defines all development classes
* Use transaction code SE06 for CTS verification.
* Use transaction code SE38 to review the placement of programs in authorization groups:
  o In SE38, select Attributes and then Display.
29. Determine who has the capability to add user master records.
S_USER_GRP and S_USER_ALL
30. Determine who can maintain profiles.
S_USER_PRO
31. Determine who can maintain authorizations.
S_USER_AUT
32. List all SAP supplied profiles and authorizations that have been modified and review for completeness.
33. List the system parameters (report RSPARAM) and review the authentication controls:
o login/min_password_lng
o login/password_expiration_time
o login/fails_to_session_end
o login/fails_to_user_lock
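An added audit helper for this item (example code, not SAP's): it parses a constructed RSPARAM-style listing (parameter, user-defined value, system default) and flags the four login/* parameters above against an assumed baseline. The baseline thresholds and the sample values are assumptions for illustration, not SAP recommendations, and a row without a user-defined value correctly falls back to the system default.

```python
"""Audit SAP login/* parameters from an RSPARAM-style listing (checklist item 33).
Added example, not SAP code. Input columns: parameter, user-defined value, system
default. The baseline thresholds are assumed example policy values."""
from typing import Dict, List, Optional, Tuple

# Constructed sample. A row with only two columns has no user-defined value,
# so the system default applies (login/password_expiration_time below).
SAMPLE_RSPARAM = """\
login/min_password_lng              8       6
login/password_expiration_time              0
login/fails_to_session_end          3       3
login/fails_to_user_lock            12      5
"""

# Assumed baseline: parameter -> (minimum, maximum or None). Expiration 0 means
# passwords never expire, hence a minimum of 1 day.
BASELINE: Dict[str, Tuple[int, Optional[int]]] = {
    "login/min_password_lng": (8, None),
    "login/password_expiration_time": (1, 90),
    "login/fails_to_session_end": (1, 5),
    "login/fails_to_user_lock": (1, 6),
}


def parse_rsparam(text: str) -> Dict[str, Optional[int]]:
    """Effective value per parameter: user value if set, else system default.
    Non-numeric values map to None so the checker reports them for review."""
    effective: Dict[str, Optional[int]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        raw = fields[1] if len(fields) >= 3 else fields[-1]  # middle col = user value
        try:
            effective[fields[0]] = int(raw)
        except ValueError:
            effective[fields[0]] = None
    return effective


def check_login_policy(effective: Dict[str, Optional[int]],
                       baseline: Dict[str, Tuple[int, Optional[int]]] = BASELINE) -> List[str]:
    """One finding per baseline parameter that is missing, non-numeric or out of range."""
    findings = []
    for name, (low, high) in baseline.items():
        value = effective.get(name)
        if value is None:
            findings.append(f"{name}: missing or non-numeric, review manually")
        elif value < low or (high is not None and value > high):
            findings.append(f"{name}={value} outside baseline [{low}, {high}]")
    return findings
```

Running `check_login_policy(parse_rsparam(SAMPLE_RSPARAM))` on the sample reports two findings: passwords that never expire and a lock threshold of 12 failed attempts.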
34. Determine how the profile SAP_NEW is being used.
35. Review SAP for any new objects/values that have been defined
Review changes to table AUTH for new fields and table TOBJ for new objects
36. Determine if all users have been assigned to a group. (Table USR02)
37. Determine that the SAP* profile has a user master record and that SAP* has had its password changed and added to the SUPER group. Also determine if the password has been stored in a secured location in case of an emergency.
38. Determine who are the members of the SUPER group and ensure that their membership is required.
39. Determine how many users have SAP_ALL access in the production environment. List all users with the following standard system profiles:
* SAP_ALL: All R/3 privileges
* S_A.SYSTEM: All SAP system functions
* S_A.ADMIN: System administration
* S_A.CUSTOMIZ: SAP customizing system
* S_A.DEVELOP: SAP development environment
* S_ABAP_ALL: All authorizations for ABAPs
TOOLS>ADMINISTRATION>USER MAINTENANCE>USERS>MAINTAIN USERS>INFORMATION>OVERVIEW>USERS> profile name >LIST>PRINT
40. List all users with special SAP system administration authorizations:
* S_ADMI_FCD: Access to the ABAP/4 Data Dictionary
* S_BDC_ALL: Batch input
* S_DDIC_ALL: DYNPRO and ABAP/4
* S_EDI_BUK: Creating and modifying ABAP/4 programs and use of the screen painter
* S_EDITOR: Ability to edit and modify ABAP programs
* S_PROG_ADM: Running ABAP/4 programs and submitting background processing
* S_PROGRAM: Ability to run ABAPs
* S_TABU_ADM: System table – table maintenance
* S_BTCH_ADMS_ENQ_ALL: Background processing
* S_TSKH_ADMS_ENQ_ALL: Transactions – lock management for processing
41. Determine who has access to the ABAP/4 Data Dictionary.
* S_ADMI_FCD: for this object, list users that have the following values:
  o REPL, SE01 (CTS requests) and/or DDIC in the System Administration Function field
  o SM21 in the Field Administration Function field (allows access to the system log)
  o TCOD, which allows the user to change additional authorization checks
* Versions for a particular object are maintained under the Utilities>Version Management menu as:
  o Temp
  o Historical
  o Active
  o Revised
* Use transactions:
  o SE16 Data Browser
  o SE12 Dictionary Display
  o SE80 Object Browser
  o SCU3 Table history
42. Determine who has batch access:
* S_BDC_MONI
* S_BDC_ALL
* S_BTCH_ADM
* S_BTCH_ALL
* S_BTCH_USR
Batch log files (bdc/logfile) should be reviewed, and any deletions, modifications, or abended sessions should be investigated. The log files should be secured through correct use of operating system security.
43. List users with authorization for SM04, SM50 (S_TSKH_ADM), which grants access to the transaction locking function. Determine which transactions are locked on the production system by viewing additional authority checks in table TSTC (Tools>Administration>Tcode Administration). Ensure that at a minimum the following transactions are locked:
* SE01: Correction and transports
* SE38: Ability to execute ABAP programs
* SE11: Maintain data dictionary objects
44. Determine if the parameters for the trace and log files are adequate.
With the RSPARAM report, review the rstr/* and rslg/* parameters.
If a transaction cannot finish correctly, the system rolls it back. The dialog program first generates a log record in the VBLOG table.
Transaction SM21 or Tools>Administration>Monitoring>System Log
Selection criteria:
* Date/Time – To – Date/Time
* By User, Transaction Code, SAP Process, Problem Classes (Messages)
45. Determine if Spool access is properly restricted.
Verify who has the authorization objects S_ADMI_FCD, S_SPO_ACT, and S_SPO_DEV.
46. Determine if backup procedures are appropriate for data and programs
On-line and off-line backups of all the file servers can be controlled through the CCMS. Access to these transactions should be restricted, because they can cause all file servers to shut down.
Is access to the SAP archiving function restricted? (Verify which profiles have access to transaction F040.)
47. Determine who has access to the SAP customizing system (IMG, menu customizing)
S_A.CUSTOMIZ: This profile gives all authorizations required for the Basis activities in the customizing menu. (Table USR10 gives an overview of all authorization objects in a profile.)
Activate and Configure SAP ITS Webgui on SAP ECC 6.0
Since SAP ECC 5.0 and ECC 6.0, SAP has integrated the SAP Internet Transaction Server (ITS) into the application server. You don't need to install a separate ITS server; you only need to activate and configure it. Follow this procedure:
Check whether the services are activated:
1) With transaction SICF, locate the services by path:
/sap/public/bc/its/mimes
/sap/bc/gui/sap/its/webgui
2) With transaction SE80, from the menu choose Utilities –> Settings –> Internet Transaction Server (tab) –> Publish (tab) and set "On Selected Site" = INTERNAL.
This restricts the publication in the next step to the integrated (internal) ITS.
3) In SE80, locate the Internet Services SYSTEM and WEBGUI.
Publish these services with Context Menu -> Publish -> Complete Service.
4) Now browse to http://<server>:<icmport>/sap/bc/gui/sap/its/webgui/! and log in to the webgui.
Symptom:
Running the MDX Parser Connection Test in SM59 produces the error shown below.
Cause:
The MDX parser is an executable program that is installed with the kernel. The file name is mdxsvr.exe. The communication between ABAP and the MDX parser is carried out in binary format, and the MDX parser works internally with UTF-8. Therefore there is no special Unicode version of the MDX parser, and so the current non-Unicode RFC library is required.
In short: there is no Unicode version, so the non-Unicode RFC library is required.
Solution:
Apply librfc32.dll on all servers.
1. Download the non-Unicode librfc32.dll.
• (Downloading the non-Unicode kernel resolves this.)
2. Stop all applications that use librfc32.dll.
• Stopping the related services is sufficient; a reboot is best.
3. Copy the file to /usr/sap/<SID>/sys/exe (for Unicode systems, exe\uc\xxxxxx).
• Back up the existing file first.
4. Register librfc32.dll with regsvr32.
• At a command prompt, enter: regsvr32 <full path>\librfc32.dll
When posting fails with a message about the posting period, check the posting period settings in OB52.
Posting is only possible when the posting date falls within the start and end periods.
The AuGr (authorization group) column at the far right is controlled by the authorization object F_BKPF_BUP. (If it is filled in, only users holding that authorization can post.)
What you need to do is make sure that in OB52 a split is made between the group that is allowed and the group that is not allowed.
Taken from SAP documentation.
Use
A posting period can be made available to only a limited set of users using the authorization group.
Procedure
If only a limited set of users is to be able to post in a particular posting period, proceed as follows:
o Add the posting period authorization (authorization object F_BKPF_BUP) to the authorizations of the selected users. Assign an authorization group (e.g. '0001').
o Enter the account type '+' for the posting period variant to which the restriction is to apply. Enter the period(s) whose use is to be restricted in the first period, those which are available to all users in the second period, and the authorization group (e.g. '0001') in the last column.
What we have done at our company is that we have created a role with only the auth object F_BKPF_BUP in the auth profile with value 0002 and assigned this to the composite roles of users who require this access.
In all other roles that have this same object, it has been set to the value 0001. This holds the risk that with mass generation this setting is overwritten.
What you can do to restrict this is change the standard setting in SU24 to include 0001 instead of *. This way you limit the risk and only have to monitor one role.
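The OB52 rule described in the SAP documentation and the replies above, written out as an added Python model (example code, not SAP's and not any poster's configuration): one variant row for account type '+', a first interval restricted to an F_BKPF_BUP authorization group, a second interval open to everyone. The variant name, periods, group values and user names are constructed sample data.

```python
"""Model the OB52 posting period authorization check (F_BKPF_BUP).
Added example, not SAP code. One OB52 row for account type '+': the first
interval is restricted to an authorization group, the second is open to all."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Period = Tuple[int, int]  # (fiscal year, posting period); tuples compare in order


@dataclass(frozen=True)
class OB52Row:
    """One row of a posting period variant for account type '+' (all accounts)."""
    variant: str
    period1: Tuple[Period, Period]  # restricted interval (from, to)
    auth_group: str                 # value in the last OB52 column; '' = no restriction
    period2: Tuple[Period, Period]  # interval open to all users


def posting_allowed(row: OB52Row, when: Period, user_groups: Set[str]) -> bool:
    """True if a user whose F_BKPF_BUP authorizations carry user_groups may
    post in period `when` under this row."""
    if row.period2[0] <= when <= row.period2[1]:
        return True                      # second interval: everyone may post
    if row.period1[0] <= when <= row.period1[1]:
        # first interval: only holders of the authorization group in the last column
        return row.auth_group == "" or row.auth_group in user_groups
    return False                         # outside both intervals: closed for all


def who_can_post(row: OB52Row, when: Period, users: Dict[str, Set[str]]) -> List[str]:
    """Names of users (mapped to their F_BKPF_BUP groups) able to post in `when`."""
    return sorted(u for u, groups in users.items() if posting_allowed(row, when, groups))


# Constructed sample: period 12/2023 stays open only for group '0001' (the
# closing team), 1/2024 is open for everyone, earlier periods are closed.
YEAR_END_ROW = OB52Row(
    variant="0001",
    period1=((2023, 12), (2023, 12)),
    auth_group="0001",
    period2=((2024, 1), (2024, 1)),
)
SAMPLE_USERS = {
    "CLOSING_CLERK": {"0001"},   # role carrying F_BKPF_BUP with group 0001
    "AP_CLERK": {"0002"},        # a different group, does not unlock the first interval
    "NO_BUP_AUTH": set(),        # no F_BKPF_BUP at all
}
```

`who_can_post(YEAR_END_ROW, (2023, 12), SAMPLE_USERS)` returns only the closing clerk, while for (2024, 1) all three users are returned, which is the split between the allowed and not-allowed groups that OB52 is meant to enforce.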