An RFC communication user must be created when one SAP system needs to communicate with another SAP system, or when an external system needs to access the SAP system. Such users are often granted the SAP_ALL and SAP_NEW profiles. This approach has a potential security issue: the account can be abused for other purposes in the production system, and it does not adhere to company security policy.
This post guides the reader through building a minimized role for the RFC communication user.
Read more…
Roles are collections of activities that allow a user to work with one or more business scenarios of an organization. The assignment of roles also ensures the integrity of business data. The SAP application server contains two stacks, ABAP and Java, and the two stacks have different role management concepts. As a result, there are three types of role management in SAP:
- ABAP Authorization Roles
- J2EE / UME Authorization Roles
- Portal Roles
The landscape below shows where these roles reside in the different SAP systems.
Read more…
SAP offers a broad range of security mechanisms and services to meet the highest demands for data integrity, protection, and confidentiality – and to support authentication, authorization, and secure information exchange.
As the illustration below shows, there are three types of security: network security, application security and physical security. SAP covers the first two topics and part of the third; physical security relies partially on the data center.
Read more…
When custom code reads, changes or deletes business-sensitive data in the database using Open SQL, the system does not perform any authority check. The developer must therefore consider the security aspect of the custom development in order to keep unauthorized users away from important business data.
SAP systems within the SAP NetWeaver platform perform authorizations using a role-based identity management approach. To access business objects or execute SAP transactions, a user requires corresponding authorizations, because business objects and transactions are protected by authorization objects. The authorizations are instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles via the user master record, so that the user can use the appropriate transactions for his or her tasks. Visit the link below to find out more about the SAP authorization concept.
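As an added example (not code from the original post), the following custom ABAP report shows the explicit AUTHORITY-CHECK a developer has to perform before an Open SQL read, since the SELECT itself checks nothing. It uses the standard authorization object F_BKPF_BUK (accounting documents per company code); the report name and the displayed fields are assumptions.

```abap
REPORT zsec_authcheck_demo.

" Selection-screen input: the company code whose documents are to be read
PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

START-OF-SELECTION.
  " Open SQL performs no authority check, so the custom code must do it
  " explicitly. F_BKPF_BUK protects accounting documents by company code;
  " activity '03' means display. Without this block, any user able to run
  " the report could read documents of every company code.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Abort before touching the data; sy-subrc 4 = authorization missing,
    " 12 = no authorization at all for the object
    MESSAGE |No display authorization for company code { p_bukrs }| TYPE 'E'.
  ENDIF.

  " Only reached when the check passed: read document headers (BKPF)
  SELECT belnr, gjahr, blart, budat
    FROM bkpf
    WHERE bukrs = @p_bukrs
    INTO TABLE @DATA(lt_docs).

  LOOP AT lt_docs INTO DATA(ls_doc).
    WRITE: / ls_doc-belnr, ls_doc-gjahr, ls_doc-blart, ls_doc-budat.
  ENDLOOP.
```

The same pattern applies to UPDATE, MODIFY and DELETE statements, with the ACTVT value matching the operation (for example '02' for change) so that the role assigned via the user master record actually governs what the custom code can do.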
Read more…
The SAP system categorizes users into several types, each serving a different purpose, as shown below:
Dialog ‘A’
A normal dialog user is used by one person only for all types of logon.
During a dialog logon, the system checks for expired and initial passwords and provides an option to change the password.
Multiple dialog logons are checked and logged if necessary.
System ‘B’
A user of type System is used for dialog-free communication within one system (for RFC or CPIC service users) or for background processing within one system.
Dialog logon is not possible.
A user of this type is excluded from the general settings for password validity. Only the user administrator can change the password using transaction SU01 (Goto -> Change Password).
Read more…