SAP Notes

The document provides an overview of SAP ECC security, detailing its evolution from SAP R2 to S4 HANA and outlining various user types, roles, and administration tasks. It covers technical and functional modules, user administration processes, role management, and the importance of maintaining security protocols and authorizations. Additionally, it discusses the use of specific transaction codes (T-codes) for user and role management within the SAP environment.

Uploaded by vishal5122004

SAP ECC security

ECC- Enterprise central component

EHP – Enhancement package

Latest version – SAP ERP 6.0 and EHP 8

1972 – SAP R2

1992 – SAP R3

2004 – SAP ERP

2011 – SAP HANA

2013 – SAP Suite on HANA with Fiori UX

2015 – SAP S/4HANA digital core

2018 – SAP S/4HANA intelligent ERP cloud platform

R3 architecture (three tiers):

Presentation layer

Application layer

Database layer

Technical modules:

ABAP

BI or BW

NetWeaver

Functional modules:

MM, QA, HR, SD, FICO, PS, TR, PP, PM, WS or EWS

Administration areas:

1. SAP GRC 2. SAP Basis 3. SAP Security

SAP Security

User Administration ECC, Role Administration, Audit

SAP GRC12 E2E Implementation

ARA – Access risk analysis { User and role }

EAM – Emergency access management


BRM – Business role management

ARM – Access risk management

Projects in SAP

1. Implementation – fresh start for SAP

2. Support – consultants handle their own modules and do their work

3. Upgrade – version upgrade from one version to a newer one (user access and related items need to be checked after the upgrade)

4. Roll out – implementation at a new client location

5. Migration – old database to new database, e.g. Oracle to S/4HANA

The person working on the client/business side is called the END USER or client.

Security consultants get access to the entire system (the whole landscape).

Functional consultants get access to their particular module across the entire landscape.

Landscape for consultants (for their module): Development, Quality, Production

End user from the business side: Production only

SU01 - user creation - single user

PFCG – role creation/maintenance


/n – closes the present screen or goes back one screen (if we use /n followed by a T-code it closes the present screen and opens the T-code screen)

/o – if we use /o before a T-code it opens that transaction in a new window

/nex – closes the session without a pop-up

Roles

Different client IDs will exist in the development and configuration environments.

For RFC connections we use the SM59 T-code.

Roles are transportable.

But users are not transportable (in every system we need to create the user manually).

CUA-- Central User Administration

GRC-- Governance risk and compliance

SU01 – single user maintenance; SU10 – mass (multiple) user creation

SU01D – user display

P:C=GOPI123qapitol.com SNC Process

SU3 – maintain user profile

SUGR – maintain user groups

SUCOMP – user company address maintenance

Fields (tabs) in SU01:

Documentation, Address, Logon Data, SNC, Defaults, Parameters, Roles, Profiles, Groups, Personalization, LIC Data

*SNC name format:

The name always starts with p:cn= (common for all); after that comes the user ID, then @ and the company name.

Example – SNC name: p:cn=ADMIN203@amazon
User Naming Conventions

FIRST NAME

LAST NAME

There are 5 types of users in SAP security; based on the requirement we assign the type to the user.

1. Dialog user (A):

• A dialog user is the normal user who logs in using the GUI. Generally we assign it to business users who work on the different processes.

• Multiple logons are possible, but they can be restricted with the parameters login/disable_multi_gui_login and login/min_password_lng.

• When the user logs in for the first time the system asks them to change the password, and the password expires after 90 days.

2. System user (B):

• Generally we use system-type users for RFC connections, CUA and background jobs.

• For this user the password does not expire, and GUI logon is not possible.

• It is used to communicate within the SAP system using RFC connections.

3. Communication user (C):

• Generally we use communication-type users for RFC connections, CUA and background jobs between SAP and non-SAP systems.

• For this user the password expires, and GUI logon is not possible.

4. Reference user (D):

• The reference type is used to give extra privileges to a user; for example, if someone goes on vacation, the user covering their work may require extra authorizations.

• We maintain the reference user in the Roles tab of SU01 for the user who is working on their behalf.

• If a particular user's profiles exceed 312, we add a reference user to this dialog user so that they get the access to perform the extra activities.

• Login is not possible with this user, and while creating it you do not need to give a password.

5. Service user (E):

• Service-type user IDs are used for training test IDs, test users and Firefighter user IDs in GRC.

• For this user the password does not expire.

• Multiple logons are possible.

Logon Data – user group: this is the primary user group we assign to the user; admin access can be granted by user group, and it is controlled by the authorization object S_USER_GRP.

Groups tab: used if the user works for more than one module or more than one region.

RZ10 is used to change the profile parameters.

RZ11 is used to select or display individual parameters.

AGR_DEFINE – all the roles (role definition table); used to look up role history

LOCK CODES and tables

/nSE16 to check the tables

USR02 – to check the user (logon data)

Lock codes:

0 – not locked

32 – locked globally by administrator (via the CUA system)

64 – locked locally by administrator

128 – locked due to incorrect logons (logon attempt limit reached)

192 – locked due to multiple incorrect logons (limit reached) and also locked by the system administrator (128 + 64)
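As an added example (not part of these notes), the following Python snippet decodes the lock code values above into their component reasons. The values are bit flags stored in the USR02 field UFLAG, which is why 192 is simply 128 + 64. The USR02 rows in the snippet are constructed sample data, not an export of a real system.

```python
# Added example (not from the notes): decode the USR02 lock code values the
# notes list (0, 32, 64, 128, 192) into the lock reasons they encode.
# The values are bit flags, so 192 is simply 128 + 64 (incorrect logons plus
# a local administrator lock). The field holding this value in USR02 is UFLAG.

UFLAG_BITS = {
    32: "locked globally by administrator (CUA)",
    64: "locked locally by administrator",
    128: "locked due to too many incorrect logons",
}
KNOWN_MASK = sum(UFLAG_BITS)  # 224: every bit the notes document


def decode_uflag(uflag: int) -> list:
    """Return the lock reasons encoded in a USR02-UFLAG value (empty list = not locked)."""
    if uflag < 0:
        raise ValueError("UFLAG must be non-negative")
    reasons = [text for bit, text in UFLAG_BITS.items() if uflag & bit]
    unknown = uflag & ~KNOWN_MASK
    if unknown:
        # Bits the notes do not cover: report them rather than silently ignoring them
        reasons.append(f"unknown lock bits: {unknown}")
    return reasons


def is_locked(uflag: int) -> bool:
    return uflag != 0


# Constructed sample of an SE16 download of USR02 (BNAME, UFLAG); not real data.
SAMPLE_USR02 = [
    ("ADMIN203", 0),
    ("JDOE", 128),
    ("ASMITH", 192),
    ("RFC_BATCH", 64),
    ("CUA_LOCKED", 32),
]


def locked_users(rows):
    """Map each locked user name to its decoded lock reasons."""
    return {bname: decode_uflag(uflag) for bname, uflag in rows if is_locked(uflag)}


def admin_locked_users(rows):
    """Users whose lock was set by an administrator (locally or via CUA), the set an
    access review looks at; users locked only by failed logons are excluded."""
    return sorted(b for b, u in rows if u & (32 | 64))


if __name__ == "__main__":
    for name, reasons in locked_users(SAMPLE_USR02).items():
        print(name, "->", "; ".join(reasons))
```

Because the field is a bit mask, a value such as 192 should never be read as "a different lock type"; it is two independent locks, and unlocking in SU01 has to be judged against both reasons.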

USER ID Length – 12

User Group Length – 12

Role Length - 30 char

We can’t change or create the password in su10 mass user creation but we can lock the users in su10

S_user_grp in logon data tab,


SAP Standard users:

SAP*

EARLYWATCH

LOCK USERS: SU10 & EWZ5

EWZ5: we copy and paste the list of users as in SU10; administrators will not get locked. If you want, you can select the individual users you want to lock/unlock. It does not touch users that are already locked, and while unlocking it does not unlock users that were locked before (already locked users).

EWZ6: to unlock users.

Most of the time we use only SU10 to lock multiple users. In EWZ5 there is a chance of locking other users by mistake, so we use only SU10 for locking and unlocking multiple users.

DDIC – Data Dictionary user

SAP* – has SAP_ALL
Default users in SAP system:

Default Passwords in SAP

Whenever a new SAP system is built, upgraded, copied or restored from backup, one of the very first tasks of the SAP Security Administrator is to check whether the default standard users delivered by SAP have had their default passwords changed and have been locked, and in some cases to review their profiles.

Below are the default passwords for the standard users in SAP.

User         Description                               Clients             Default password
SAP*         SAP system super user                     000, 001 and 066    06071992
SAP*         SAP system super user                     New clients         PASS
DDIC         ABAP software logistics super user        000 and 001         19920706
EARLYWATCH   Dialog user for the Support (Early Watch) 066                 (not listed)
             service

SAP_ALL is an SAP standard profile used on a need basis to resolve particular issues that may arise during the use of SAP. It is used by administrators/developers only, applied on a need-to-use basis and then withdrawn. It contains all SAP system objects and transactions. SAP_ALL is very critical: in the production system only SAP* has SAP_ALL attached; no other dialog user has SAP_ALL.

SAP_NEW is used in the production environment during a version upgrade, whereas SAP_ALL should not be allowed in production (for audit purposes), except where necessary, in a controlled manner with all proper approvals from the customer.

To make an SAP super user we need to give these profiles to that user:

1. S_A.System 2. S_A.Admin 3. S_A.ABAP

If an employee leaves the company we do not delete the employee's data, ID etc.

We just:
1. Change the user type to Reference user
2. Deactivate the password
3. Mark the user as Expired, Deleted or Rolled off / Terminated
4. Change the validity end date to the previous day
5. Remove the roles and license, and lock the user ID

ST22 – to check the dump error

ROLE ADMINISTRATION
1. System
2. Clients
3. Users
4. Roles
5. TCODES/Authorizations
6. Authorization of object class
7. Authorization object
8. Authorization Fields
9. Fields Values

PFCG: the T-code used to create a role, and to create/change/display/transport/download/upload composite roles etc.

ROLE: a role is a container of T-codes, profiles, authorization classes, authorization objects, authorization fields, activities, web links, menu and URLs.

Up to 14000 T-codes can be pulled into a role at a time, and there is no limit on assigning roles to a user.

Development system

Configuration system

Technical roles

Functional roles

End user Roles / Business roles

The roles concept has existed since version 4.6C.

Authorization: some access or permission for user activities.

EX: Create, change and display

Types of roles

1. Single Roles:
a. Master role
b. Derived role
c. Enabler role
2. Composite roles
a. Single roles
3. Business roles

1. Maintain role: create/change access
2. Read role: display access
3. General roles: for all the users in the project (SU53, ...)

AUTHORISATION Fields

SU20 – T-code to create an authorization field and list the field's values (authorization field maintenance).

SU21 – T-code to create authorization object classes / objects.

SU24: check indicators.

SU24 is the customer copy: whenever a new implementation or an upgrade happens, the data is copied from SU22 to SU24.

SU22 holds the SAP standard data and SU24 the customer copy; the details are copied from USOBT to USOBT_C and from USOBX to USOBX_C.

A few authorization objects:

1. S_USER_GRP
2. S_USER_AGR
3. S_USER_AUT
4. S_USER_PRO
5. S_USER_SYS
6. S_USER_TCD

Do not check:

These objects are not checked during transaction execution.

Check – Yes, without values:

These objects are checked during transaction execution and the authorization object is copied into the role, but the field values are not copied from SU24.

Check – Yes:

These objects are checked during transaction execution and are pulled into the role when the transaction is added to the role.

We also have the option to maintain default values for the object's authorization fields in SU24, and those values are then copied into the role as well.

Check – No:

These objects are checked during transaction execution but are not pulled into the role even if the transaction is added to the menu.

SU25:

It is a one-time activity during implementation and upgrades; we perform it as part of post-installation.

Once we click on the 1st step, "Initial fill of customer tables", the SU22 data is copied to SU24: from USOBT to USOBT_C and from USOBX to USOBX_C.

The customer table data is stored and can be seen in the SU24 T-code.

PFCG TABS:

Description, Menu, Authorizations, Users, Personalization

Description tab: fill the long text with information like who created the role, when and where.

Menu tab: fill in the list of T-codes here.

Authorizations tab: go to "Change Authorization Data" and generate the profile.

Users tab: shows the list of users assigned to this role.

Personalization tab: do not touch it.

Authorization objects:

1. S_USER_GRP
2. S_USER_AUT
3. S_USER_AGR
4. S_USER_SYS
5. S_USER_TCD
6. S_USER_VAL
7. S_TABU_NAM

Traffic lights:

Green: authorization field values maintained

Yellow: partially unmaintained authorization fields (field values are missing or partly maintained); this is acceptable

Red: unmaintained authorization fields (not acceptable; we need to assign a proper value or remove that authorization field/value)
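The following Python model is added here and is not part of the notes. It ties the SU24 check indicators (Do not check / Check–No / Check–Yes without values / Check–Yes) to what lands in a role when transactions are added to the Menu tab, and then rates each pulled object with the Green/Yellow/Red traffic light described above. The object names are real SAP objects, but the SU24 content, the indicator assignments and the constant names are constructed for the example.

```python
# Added example (not from the notes): simulate what PFCG pulls into a role from
# the customer SU24 data (USOBT_C/USOBX_C) when transactions are added to the
# Menu tab, following the four check indicators described in the notes, and
# then rate each pulled object with the Green/Yellow/Red traffic light.
# The indicator names and the SU24 sample content below are constructed for
# the example; they are not an export of a real system.

from dataclasses import dataclass
from typing import Dict, List

DO_NOT_CHECK = "do_not_check"                # not checked at runtime, never pulled
CHECK_NO = "check_no"                        # checked at runtime, not pulled into the role
CHECK_YES_NO_VALUES = "check_yes_no_values"  # pulled, but field values not copied
CHECK_YES = "check_yes"                      # pulled together with SU24 default values


@dataclass
class Su24Entry:
    obj: str
    indicator: str
    fields: Dict[str, List[str]]  # field name -> proposed values ([] if none)


# Constructed SU24 (customer table) content keyed by transaction code.
SU24_C = {
    "SU01": [
        Su24Entry("S_USER_GRP", CHECK_YES, {"ACTVT": ["01", "02", "03"], "CLASS": []}),
        Su24Entry("S_USER_PRO", CHECK_YES_NO_VALUES, {"ACTVT": ["01"], "PROFILE": ["*"]}),
        Su24Entry("S_USER_AUT", CHECK_NO, {"ACTVT": [], "OBJECT": [], "AUTH": []}),
        Su24Entry("S_ADMI_FCD", DO_NOT_CHECK, {"S_ADMI_FCD": []}),
    ],
    "SU10": [
        Su24Entry("S_USER_GRP", CHECK_YES, {"ACTVT": ["02", "05"], "CLASS": []}),
    ],
}


def runtime_checked(tcode: str) -> List[str]:
    """Objects the kernel checks when the transaction runs (everything but 'do not check')."""
    return [e.obj for e in SU24_C.get(tcode, []) if e.indicator != DO_NOT_CHECK]


def pull_authorizations(menu_tcodes: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Build the role's authorization data from the Menu tab transactions.

    PFCG adds S_TCODE for every menu transaction; other objects come from SU24
    according to their check indicator. Values from several transactions for the
    same object/field are merged (duplicates removed, order kept).
    """
    role = {"S_TCODE": {"TCD": list(dict.fromkeys(menu_tcodes))}}
    for tcode in menu_tcodes:
        for entry in SU24_C.get(tcode, []):
            if entry.indicator in (DO_NOT_CHECK, CHECK_NO):
                continue
            obj = role.setdefault(entry.obj, {})
            for fld, values in entry.fields.items():
                merged = obj.setdefault(fld, [])
                if entry.indicator == CHECK_YES:
                    merged.extend(v for v in values if v not in merged)
    return role


def traffic_light(fields: Dict[str, List[str]]) -> str:
    """Green: every field has values; Red: no field has values; Yellow: in between."""
    filled = sum(1 for v in fields.values() if v)
    if filled == len(fields):
        return "green"
    return "red" if filled == 0 else "yellow"


def role_report(menu_tcodes: List[str]) -> Dict[str, str]:
    """Traffic light per pulled object; Red objects must be fixed before generating."""
    return {obj: traffic_light(f) for obj, f in pull_authorizations(menu_tcodes).items()}


if __name__ == "__main__":
    print(role_report(["SU01", "SU10"]))
```

The point the model makes visible: a Check–No object (S_USER_AUT here) is still checked at runtime even though it never appears in the role, so a missing-authorization error for it will show up in SU53 and has to be added by hand, whereas a Check–Yes-without-values object arrives Red and blocks profile generation until its fields are maintained.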

Single role (master role): a role which contains T-codes, authorizations and their field values.

Derived role: a single role which is derived from another single role.

(All the authorizations, T-codes and field values are pulled from the master role; only the organizational values differ.)

Access can differ in the organizational fields.

Composite role: a group of single roles.

Role name example: MS_MM_PROCUREMENT_SPLST_IND

1. Is it possible to add T-codes to a derived role?

Ans: No, we can't add T-codes to a derived role; the transaction tab is disabled. But technically it is possible (manually we can add the object or the program/T-code).

After opening the authorization data, we can add the T-codes manually in the objects window.

Difference between "Change Authorization Data" and "Expert Mode for Profile Generation"

Change Authorization Data: if we did not make any changes in the Menu tab (i.e. we are not adding or deleting T-codes in the Menu tab), we can use this option.

Expert mode for profile generation:

1. Delete and recreate the profile: choose this option if we want to delete all the maintained values, manually added objects and the changed details of a role.
2. Edit old status
3. Read old status and merge with new data: if we are adding or deleting any T-code in the Menu tab, we have to select this option.

Authorization object Status:

Standard: whenever we add a T-code to a role, the data pulled from SU24 is called standard data.

Maintained: if you maintain a value in an empty authorization field, the status becomes Maintained.

Changed: if you change, remove or add to the standard authorization field values, the status becomes Changed.

Manual:

If you add any authorization object manually, the status becomes Manual.
We can check manually added authorization objects in table AGR_1251.
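As an added example (not from the notes), the small Python model below tracks how an authorization's status moves between Standard, Maintained, Changed and Manual when the Authorizations tab is edited. The precedence rule it applies (Manual > Changed > Maintained > Standard, so a status never moves "down" while editing) is an assumption of the example, not something the notes state; class and method names are the example's own.

```python
# Added example (not from the notes): a small model of the authorization object
# status PFCG shows (Standard, Maintained, Changed, Manual) and how it moves when
# an authorization is edited in the Authorizations tab. The precedence rule
# Manual > Changed > Maintained > Standard (a status never moves "down" while
# editing) is an assumption of this example, not something the notes state.

from typing import Dict, List

STATUS_RANK = {"Standard": 0, "Maintained": 1, "Changed": 2, "Manual": 3}


class Authorization:
    """One authorization (object instance) inside a role, with its field values."""

    def __init__(self, obj: str, fields: Dict[str, List[str]], status: str = "Standard"):
        self.obj = obj
        self.fields = {f: list(v) for f, v in fields.items()}
        self.status = status

    def _raise_to(self, status: str) -> None:
        # Only upgrade the status; a Changed object that gets an empty field filled stays Changed
        if STATUS_RANK[status] > STATUS_RANK[self.status]:
            self.status = status

    def maintain(self, field: str, values: List[str]) -> str:
        """Fill an empty field (e.g. an org field SU24 left blank) -> Maintained."""
        if self.fields.get(field):
            raise ValueError(f"{field} already has values; use change() instead")
        self.fields[field] = list(values)
        self._raise_to("Maintained")
        return self.status

    def change(self, field: str, values: List[str]) -> str:
        """Add to, remove from or replace standard values -> Changed."""
        if field not in self.fields:
            raise KeyError(field)
        if not self.fields[field]:
            raise ValueError(f"{field} is empty; use maintain() instead")
        self.fields[field] = list(values)
        self._raise_to("Changed")
        return self.status

    @classmethod
    def from_su24(cls, obj: str, fields: Dict[str, List[str]]) -> "Authorization":
        """Pulled via the Menu tab from SU24 -> Standard."""
        return cls(obj, fields, "Standard")

    @classmethod
    def added_manually(cls, obj: str, fields: Dict[str, List[str]]) -> "Authorization":
        """Inserted with 'Manually' in the Authorizations tab -> Manual (visible in AGR_1251)."""
        return cls(obj, fields, "Manual")


def status_summary(auths: List[Authorization]) -> Dict[str, List[str]]:
    """Group object names by status, e.g. to list all Manual objects before a review."""
    out: Dict[str, List[str]] = {}
    for a in auths:
        out.setdefault(a.status, []).append(a.obj)
    return out


if __name__ == "__main__":
    grp = Authorization.from_su24("S_USER_GRP", {"ACTVT": ["01", "02", "03"], "CLASS": []})
    grp.maintain("CLASS", ["SUPER"])   # Standard -> Maintained
    grp.change("ACTVT", ["03"])        # Maintained -> Changed
    tab = Authorization.added_manually("S_TABU_NAM", {"ACTVT": ["03"], "TABLE": ["USR02"]})
    print(status_summary([grp, tab]))
```

The status matters for the expert-mode choice described above: "Read old status and merge with new data" keeps Maintained, Changed and Manual entries, while "Delete and recreate the profile" throws them all away and starts again from Standard.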

Single role tabs or derived role tabs:

Description menu workflow Authorizations Users MiniApps Personalization

Composite role TABS:

Description, Role, Menu, Users and personalization

If you add a T-code in the Menu tab it shows in the user menu screen and in the where-used list, and you can see it in the AGR_TCODES table.

If you add a T-code manually it does not show in the user menu screen, the where-used list or AGR_TCODES, but you can see it in the AGR_1251 table.

All the tables related to roles start with AGR* (Activity Group, the old name for a role).

T000 – table which contains the clients

SE16 – to view tables

AGR_DEFINE – all role definitions, with master role and derived role information

AGR_AGRS – single and composite role information (relation)

AGR_TCODES – role and the T-codes added in its Menu tab

AGR_USERS – users assigned to a role, with the user/role dates

AGR_TEXTS – role texts; through the texts we can find role names

AGR_TIMEB – time stamp of the role

AGR_1251 – roles and their authorization values, including manually added authorizations

AGR_1252 – roles and their organizational values

To develop SAP they used the ABAP (Advanced Business Application Programming) language,
and to develop S/4HANA, UI5 is used.

Role transportation
1. PFCG
2. DEV
3. We need to take the role owner's permission while moving changes from one system to another
4. Configuration
5. QA
6. Once QA is done we need CAB approval to move the changes to PRODUCTION
7. Production

Delete derived role / master role (role deletion process):

First, before deleting the role, we create one alternate role and move that role into production after securing the approval.

Then we check whether there is any inheritance; if so, we break the inheritance first, so the role becomes a single role.

We get the approval for role deletion.

Before deleting the role we capture it in a transport request in the development client and in the development configuration client.

Once all this is done we capture the transport request and move it across the landscape (example request: ECCK910291).

• Remove the inheritance before capturing in the transport request.
• Then the role becomes a single role.
• Capture that single role (the former derived role) in the transport request.
• Then delete the role in the DEV system.
• Then release the subtask; the main task is released by the manager.
• Move the changes into the UT client for testing with the functional consultants.
• Then move the changes from DEV to QA using STMS_IMPORT.
• Once the UAT is completed,
• after providing the business justification, get the CAB (Change Advisory Board) approval and move the changes into production.

• SE01 = for both workbench/development transports and customizing transports
• SE09 = workbench/development transports
• SE10 = customizing transports

Trouble shooting
SUIM – User Information System

Scenario one: the user does not have access to a certain T-code

("You are not authorized to use the transaction")

Steps:

1. The user raises a service request and mails the security team with the T-code details.

2. If there is no service request ID, we ask the user to raise a ticket and send the request ID, and we ask the user to send the SU53 screenshot.

We can also check from the admin side in transaction SU53: there is an icon DISPLAY DIFFERENT USER where we can enter the user ID.

Then we compare the roles in SUIM for the T-code and assign a role to the user based on their requirement.

And we close the ticket.


T-code to check the app server details – SM51

To check which system a user is logged on to – SM04

SU53

ST01 – old trace

STAUTHTRACE – authorization trace

Checks to debug the issue:

1. SUIM – whether the T-code is assigned to the user or not
2. Check the required T-codes in the assigned roles in PFCG
3. Check the profile generation, parameters and whether the Authorizations tab is yellow or green
4. SU56
5. PFUD: mass user comparison

Background jobs:
PRGN_COMPRESS_TIMES – removes duplicate role assignments of a user

PFCG_TIME_DEPENDENCY – user master comparison; cleans up the expired profiles

GRAC_PFCG_AUTHORIZATION_SYNC – authorization sync

SAPPROFG_NEW – mass profile generation (SUPC)

EAM_MASTERDATA_SYNCH – decentralized, to pull all the data.

Using a trace we get the authorization objects for custom T-codes.

EAM log sync & EAM workflow sync – to pull centralized data

RFC & trusted RFC

Trusted systems can log on to other R/3 systems without using a password.

With a normal RFC we have to provide the password.

S_START for Web Dynpro services

S_SERVICE for OData services

For a business role we need to provide a connector group, not a single connector.

SM30 for table maintenance.

Table of called and calling T-codes: TCDCOUPLES

Important

RSAU_READ_LOG – manual FF (Firefighter) logs are pulled using this T-code

SLG1 – application logs

SM01 – to lock & unlock T-codes

S_USER_TCD: allows the security user to add T-codes in the Menu tab. For the remaining users it shows authorization errors.

SU24_history or USOBX_C – you can see the changes done for SU24 & SU22 (who added T-codes, objects and values in SU24)

In SUIM or in PFCG you can see the change documents for roles.

SE01 – combination of SE09 & SE10 (Transport Organizer)

SE09 – workbench request

SE10 – customizing request

SCC1 – move changes from one client to another within the system (DEV)

STMS_IMPORT – move changes from DEV to QA


Activities: tables

TACT: complete list of activities in the system

TACTZ: list of authorization objects (with their activities)

TSTC: list of T-codes in the server/system and their programs (SE93)

TSTCT: texts for T-codes

TSTCA – mandatory authorization objects for a T-code

SE93: minimum mandatory authorization object for a T-code

SU24: relationship between authorization objects and T-codes

SM12: users with access to transaction SM12 have the ability to remove lock entries when two processes are competing for the same resource.

SE03: the number of users working on a particular role, by providing ACGR in the object selection criteria.

Role dependency: E070 & E071 – to check the transport status in QA or PROD

Authorization group: SM30 table maintenance

An authorization group is used to give access to tables.

SE54 is the T-code to create a custom authorization group.

TDDAT: to check which tables are in one authorization group.

Authorization groups:

SC: USR tables (the SC group holds the user tables: USR02, USR40, ...)

SS: AGR tables (the SS group holds the role tables starting with AGR, e.g. AGR_AGRS, AGR_1251, AGR_DEFINE, AGR_TCODES)
ACTIVITY  TEXT
01        Add or Create
02        Change
03        Display
04        Print, edit messages
05        Lock
06        Delete
07        Activate, generate
08        Display change documents
09        Display prices
OA        Check documents for process
OB        Status change in substitute
10        Post
11        Change number range status
12        Maintain and generate change document
13        Initialize number levels
14        Field selection: generate screen
15        Field selection: assign table
16        Execute
17        Maintain number range object
18        Deliveries from collective processing
19        Invoices from collective processing
20        Transport without translation
21        Transport
22        Enter, include, assign
23        Maintain
24        Archive
25        Reload

Role: a role is a container of T-codes, authorizations, authorization objects and their field values.

Difference between single role and derived role: a single role is a role which contains T-codes, their authorizations and their authorization objects.

We add or delete T-codes in a single role.

A derived role inherits all its properties from another role; we can't add or remove T-codes in a derived role.

A master role is also a single role in which we maintain T-codes and their authorizations but do not provide the organizational field values. Only when it is used in an inheritance does it become a master role.

S_TABU_DIS:

We provide access through an authorization group, by adding multiple tables to that group.

ACTVT: 03

Example tables: USR02, AGR_1251

Auth group: SS, SC

S_TABU_NAM:

If you want to provide access to only specific tables, add those tables in the field value.

ACTVT: 03

TABLE: USR01, USR40 etc.

S_TABU_CLI:

Allows access to cross-client (client-independent) tables within the system.

EX: if you have two clients within the system, then changes made in client 200 will affect client 210 as well.

S_TABU_LIN:

Line-oriented authorization can be given.

Using this authorization object you can restrict table access at row or column level.
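The Python snippet below is an added example, not part of the notes, that emulates the decision for table access through SE16/SM30 with the objects described above: S_TABU_DIS (by authorization group from TDDAT), S_TABU_NAM (by table name) and S_TABU_CLI (for client-independent tables). S_TABU_LIN is left out because its row-level criteria are not defined in the notes. The TDDAT extract, the client-independent table list and the two users' authorizations are constructed; the field names DICBERCLS, ACTVT, TABLE and CLIIDMAINT are the real field names of these objects.

```python
# Added example (not from the notes): emulate the authorization decision for table
# access through SE16/SM30 using the objects the notes describe: S_TABU_DIS
# (authorization group from TDDAT), S_TABU_NAM (table name) and S_TABU_CLI
# (cross-client tables). S_TABU_LIN (row-level restriction) is left out because it
# needs organizational criteria the notes do not define. The TDDAT content and the
# user authorizations below are constructed; field names DICBERCLS, ACTVT, TABLE
# and CLIIDMAINT are the real field names of these objects.

from typing import Dict, List, Tuple

# Constructed TDDAT extract: table -> authorization group (SC = user tables, SS = role tables)
TDDAT = {"USR02": "SC", "USR40": "SC", "AGR_1251": "SS", "AGR_DEFINE": "SS", "T000": "SC"}
# Constructed list of client-independent tables (T000 holds the clients themselves)
CLIENT_INDEPENDENT = {"T000"}

# A user's authorizations: list of (object, {field: [allowed values]})
Auth = Tuple[str, Dict[str, List[str]]]


def value_matches(value: str, allowed: List[str]) -> bool:
    """SAP-style matching: '*' = everything, 'AGR*' = prefix, otherwise exact."""
    for pattern in allowed:
        if pattern == "*" or pattern == value:
            return True
        if pattern.endswith("*") and value.startswith(pattern[:-1]):
            return True
    return False


def has_auth(auths: List[Auth], obj: str, **required: str) -> bool:
    """True if one authorization for obj covers every required field value."""
    return any(
        o == obj and all(value_matches(v, fields.get(f, [])) for f, v in required.items())
        for o, fields in auths
    )


def check_table_access(auths: List[Auth], table: str, actvt: str) -> Tuple[bool, str]:
    """Decide table access; actvt '03' = display, '02' = change (ACTVT values from the notes)."""
    group = TDDAT.get(table)
    if group and has_auth(auths, "S_TABU_DIS", DICBERCLS=group, ACTVT=actvt):
        via = f"S_TABU_DIS group {group}"
    elif has_auth(auths, "S_TABU_NAM", TABLE=table, ACTVT=actvt):
        via = "S_TABU_NAM"
    else:
        return False, f"no S_TABU_DIS/S_TABU_NAM authorization for {table} activity {actvt}"
    # Changing a client-independent table additionally needs S_TABU_CLI
    if actvt != "03" and table in CLIENT_INDEPENDENT:
        if not has_auth(auths, "S_TABU_CLI", CLIIDMAINT="X"):
            return False, f"{table} is client-independent: S_TABU_CLI missing"
        via += " + S_TABU_CLI"
    return True, via


# Constructed: a user who may display the user tables by group and one role table by name
DISPLAY_USER: List[Auth] = [
    ("S_TABU_DIS", {"DICBERCLS": ["SC"], "ACTVT": ["03"]}),
    ("S_TABU_NAM", {"TABLE": ["AGR_1251"], "ACTVT": ["03"]}),
]
# Constructed: a Basis-type user with wide change access but no cross-client flag
CHANGE_USER: List[Auth] = [("S_TABU_DIS", {"DICBERCLS": ["*"], "ACTVT": ["02", "03"]})]

if __name__ == "__main__":
    for tbl in ("USR02", "AGR_1251", "AGR_DEFINE"):
        print(tbl, check_table_access(DISPLAY_USER, tbl, "03"))
    print("T000 change:", check_table_access(CHANGE_USER, "T000", "02"))
```

The two paths show why a role review has to look at both objects: a wide S_TABU_DIS value such as DICBERCLS = * grants every table in every group, whereas S_TABU_NAM lets you name exactly the tables a user needs, which is the narrower grant to prefer for sensitive tables like USR02 and AGR_1251.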
Critical T-codes:

SE01, SU21, SU20, SM30, SM51 – list of SAP systems (app servers)

SE09, SE01, SM59 – RFC destinations

SE10, SU01, PFCG, SCC4

SU20 – authorization field maintenance

STMS_IMPORT, SM36, SE11, SE14, SM12 & SM12

SE38 (table edit access) & SA38 (table display access)

S_TRANSPORT → STMS_IMPORT (T-code): the user can do transports to other environments

S_USER_AUT (Authorizations: role check)

They can create, change and delete roles and have the ability to delete or modify the authorization profiles.

S_USER_PRO (Authorization profile): ability to assign, delete and modify the authorization profiles

S_USER_AGR

S_USER_GRP – the user gets access to user maintenance/administration.

S_BDC_MONI (SM30) – to delete or release background jobs

STMS – to move changes to production (S_TRANSPRT)

S_PROGRAM – to run ABAP reports/programs via SA38

S_DEVELOP – controls ABAP objects and debug access
