Friday, 27 February 2009

R/3 Security Tips

QuickViewer (SQVI)

QuickViewer (SQVI) is a tool for generating reports. SAP Query offers the user a whole range of options for defining reports. SAP Query also supports different kinds of reports such as basic lists, statistics, and ranked lists. QuickViewer (SQVI), on the other hand, is a tool that allows even relatively inexperienced users to create basic lists. I have created a tutorial for SQVI. SQVI Tutorial

User assignment

Never insert generated profiles directly into the user master record (Transaction SU01). Assign the role to the user in the Roles tab in transaction SU01 or choose the User tab in role maintenance (PFCG) and enter the user to whom you want to assign the role or profile. If you then compare the user master records, the system inserts the generated profile in the user master record.

Do not assign any authorizations for modules you have not yet installed
If you intend to add modules to your system gradually, it is important that you do not assign any authorizations for the modules you have not yet installed. This ensures that you cannot accidentally change data in your production system that you may need at a later stage. Leave the corresponding authorizations or organizational levels open.

Creating SPRO Display only
You might be asked to give display-only access to SPRO while implementing SAP. I generally give the following authorization to make it display only. Please test it.

S_TRANSPRT, field TTYPE: deactivate or remove PIEC and TASK

Creating Authorization Fields

In authorization objects, authorization fields represent the values to be tested during authorization checks.
To create authorization fields, choose Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Fields.
To create an authorization field, proceed as follows:

  1. Choose Create authorization field.
  2. On the next screen, enter the name of the field. Field names must be unique and must begin with the letter Y or Z.
  3. Assign a data element from the ABAP Dictionary to the field.

You can often use the fields defined by SAP in your own authorization objects. If you create a new authorization object, you do not need to define your own fields. For example, you can use the SAP field ACTVT in your own authorization objects to represent a wide variety of actions in the system.

Creating Authorization Objects

An authorization object groups together up to ten authorization fields that are checked together in an authorization check.
To create authorization objects, choose Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Objects.
Enter a unique object name and the fields that belong to the object. Object names must begin with the letter Y or Z in accordance with the naming convention for customer-specific objects.
You can enter up to ten authorization fields in an object definition. You must also enter a description of the object and documentation for it. Ensure that the object definition matches the ABAP AUTHORITY-CHECK calls that refer to the object.
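Added example (not from the original post) of the check the last sentence refers to: an AUTHORITY-CHECK against a hypothetical customer object Z_TUTORIAL with the SAP field ACTVT and an assumed customer field ZREGION. The IDs in the call must match the fields in the object definition, and each sy-subrc value needs its own handling rather than a bare "not zero" test.

```abap
" Z_TUTORIAL, ZREGION and the value 'EU01' are assumed names for this example.
DATA lv_region TYPE c LENGTH 4 VALUE 'EU01'.

" Every ID below must be a field of the object definition, and every field
" of the object must appear here (or be given as DUMMY); otherwise the check
" does not fail closed, it fails with a definition mismatch (sy-subrc 24).
AUTHORITY-CHECK OBJECT 'Z_TUTORIAL'
  ID 'ACTVT'   FIELD '02'        " 02 = change
  ID 'ZREGION' FIELD lv_region.

CASE sy-subrc.
  WHEN 0.
    " The user holds Z_TUTORIAL with ACTVT 02 and ZREGION EU01.
    WRITE: / 'Change allowed for region', lv_region.
  WHEN 4.
    " The user has the object but not this combination of values: refuse.
    MESSAGE e001(00) WITH 'No authorization to change region' lv_region.
  WHEN 12.
    " No authorization for the object in the user master at all: refuse.
    MESSAGE e001(00) WITH 'No authorization for object Z_TUTORIAL'.
  WHEN OTHERS.
    " 24 = IDs in this call do not match the object definition (the case the
    " tip above warns about); other values indicate profile problems. Treat
    " all of them as denied and surface the code for the administrator.
    MESSAGE e001(00) WITH 'Authorization check failed, sy-subrc' sy-subrc.
ENDCASE.
```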

Locking Security Holes through IMG transactions

Even though you have restricted your users from SU01 or PFCG (so that they cannot modify themselves or other users), they can still get into these areas through the various IMG transaction codes. If your core team or user community has access to:

OY20 - Authorizations
OY21 - User profiles
OY22 - Create subadministrator
OY24 - Client maintenance
OY25 - CS BC: Set up Client
OY27 - Create Super User
OY28 - Deactivate SAP*
