Register Login

SAP Security

SAP Security

1. Security Administration

Determine how security administration is organized

2. Help Desk

Determine if the help desk is effective
Records incidents reports

3. Determine if proper system monitoring is performed

4. Determine if training is properly administrated

5. Determine if key system interfaces are properly controlled.

6. Obtain a list of all system users

7. Obtain a list of custom transactions

List off all transactions within the TSTC table beginning with the letters Y or Z  
Tables>Data Display>Y*, and then Z*

8. Obtain a listing of all Clients

List table T001

9. Obtain a listing of all group companies

List table T042G

10. Obtain a listing of all business areas

List table TGSB and TGSBT

11. Obtain a listing of all credit control areas

List table T014 and T014T

12. Obtain a list of all charts of accounts

List table T004 and T004T

13. Obtain a listing of all plants

List tables T001W and TVKWZ

14. Obtain a listing of storage locations

List table T001L

15. Obtain a listing of all purchasing organizations

List table T024W

16. Obtain a listing of all purchasing groups

List table T024

17. Obtain a listing of all sales organizations

List table TVKO and TVKOT

18. Obtain a listing of distribution channels

List table TVTW, TVTWT, and TVKOV

19. Obtain a listing of all divisions

List tables TSPA, TSPAT, and TVKOS

20. Obtain a listing of sales areas

List table TVTA

21. Obtain a listing of sales offices

List tables TVBUR, TVKBT, and TVKBZ

22. Obtain a listing of sales groups

List tables TVKGR, TVBVK, and TVGRT

23. ABAP programs

Review ABAP programs to ensure that all system function calls are authorized.  System function calls allow are Unix commands that are passed to the operating system to perform a task at the operating system level such as using Oracle SQL commands to query the database during the execution of an ABAP program.

24. Review all SAP userids at the Unix operating system level.  (etc/passwd and etc/group files)

SIDADM        system administration
ORASID         Oracle administration
PCTEMU        Terminal administration

25. Review all relevant SAP change control directories under Unix


26. Ensure that all default passwords have been changed.

27. Determine that only authorized users have direct access to the Oracle database management system.  And determine that all default system passwords have been changed.

28. Correction and Transport (CTS)

Control types

Default            Changes are allowed in corrections. Changes to SAP-provided objects require a repair correction
No Change      Changes are not allowed
Repairs            Repairs are allowed but all must have corrections and all corrections are flagged as repairs.  Other types of changes are allowed with or without corrections.
Unlimited        Any changes are allowed with or without corrections. No corrections are flagged as repairs

CTS Type                  CTS Changes

Development               Default

Integration                  No Change

Consolidation              No Change

Recipient                     No Change

Determine if change control procedures are formally documented.

Determine if separate instances have been defined for development and testing

Determine who is responsible for transport administration

Ensure that control tables are properly established

TSYST            defines all systems to be used in CTS

TASYS           defines all recipient systems

TDEVC           defines all development classes

Use transaction code SE06 for CTS verification

Use Transaction code SE38 to review the placement of programs in authorization groups

    SE38 select attributes and select display

29. Determine who has the capability to add user master records.


30. Determine who can maintain profiles.


31. Determine who can maintain autorizations.


32. List all SAP supplied profiles and  authorizations that have been modified and review for completeness.

33. List off the system parameter file (RSPARAM) and review the authentication controls


34. Determine how the profile SAP_NEW is being used.

35. Review SAP for any new objects/values that have been defined

Review changes to table AUTH for new fields and table TOBJ for new objects

36. Determine if all users have been assigned to a group. (Table USR02)

37. Determine that the SAP* profile has a user master record and that SAP* has had its password changed and added to the SUPER group.  Also determine if the password has been stored in a secured location in case of an emergency.

38. Determine who are the members of the SUPER group and ensure that their membership is required.

39. Determine how many users have SAP_ALL access in the production environment. List all users with the following standard system profiles:

SAP_ALL             All R/3 privileges
S_A.SYSTEM      All SAP system functions
S_A.ADMIN        System administration
S_A.CUSTOMIZ  SAP customizing system
S_A.DEVELOP   SAP development environment
S_ABAP_ALL     All authorizations for ABAPs


40. List all users with special SAP system administration

S_ADMI_FCD                 Access to ABAP/4 Data Dictionary
S_BDC_ALL                   Batch Input
S_DDIC_ALL                  DYNPRO and ABAP/4

S_EDI_BUK              Creating and modifying ABAP/4 programs and use of screen painter
S_EDITOR                 Ability to edit and modify ABAP’s programs
S_PROG_ADM         Running ABAP/4 programs and submitting background processing
S_PROGRAM            Ability to run ABAPs

S_TABU_ADM              System Table – table maintenance
S_BTCH_ADMS_ENQ_ALL   Background Processing
S_TSKH_ADMS_ENQ_ALL   Transactions – lock management for processing

41. Determine who has access to the ABAP/4 Data Dictionary

S_ADMI_FCD     For this object list users that have the following values:

REPL, SE01 (CTS requests) and/or DDIC in the System Administration Function field
SM21 in the Field Administration Function field (allows access to the system log)
TCOD which allows the user to change additional authorization checks

Versions for a particular object are maintained as:  Utilities>Version Management Menu.


Use Transactions:

SE16               Data Browser
SE12               Dictionary Display
SE80               Object Browser
SCU3              Table history transaction

42. Determine who has batch access

Batch log files (bdc/logfile) should be reviewed and any deletions, modifications, or abended sessions subject to investigation and should be secured through the correct use of the operating system security.

43. List users with authorization for SM04, SM50 (S_TSKH_ADM) which grants access to the transaction locking function.  Determine which transactions are locked on the production system by viewing additional authority checks in table TSTC (Tools>Administration>Tcode Administration).  Ensure that at a minimum the following transactions are locked:

SE01         Correction and transports
SE38         Ability to execute ABAP programs
SE11         Maintain data dictionary objects

44. Determine if the parameters for the trace and log files are adequate

With the RSPARAM report, review the rstr/* and rslg/* parameters

If a transaction cannot finish correctly, the system rolls it back.  The dialog program first generates a log record in the VBLOG table.

Transaction SM21 or Tools>Administration>Monitoring>System Log

                  Selection Criteria:

                  Date/Time – To – Date/Time
By User, Trans Code, SAP Process, Problem Classes (Messages)

45. Determine if Spool access is properly restricted.

Verify who has the authorization object S_ADMI_FCD, S_SPO_ACT, and S_SPO_DEV

46. Determine if backup procedures are appropriate for data and programs

On-line and off-line backups of all the file servers can be controlled through the CCMS.  Access to these transactions should be restricted, because these transactions can causes all file servers to shut down.

Is access to the SAP archiving function restricted. (Verify which profiles have access to transaction F040).

47. Determine who has access to the SAP customizing system (IMG, menu customizing)

S_A.CUSTOMIZ             The profile gives all authorizations required for the Basis activities in the customizing menu.  (Table USR10 gives an overview of all authorization objects in a profile.)