Role adjustments for technical SAP users – how to handle authorizations safely and effectively

Technical SAP users with extensive authorizations such as SAP_ALL pose a heightened security risk: a compromised interface can be abused to read or change data and to paralyze processes. External auditors are therefore intensifying their focus on authorization management. One of our customers, a company in the energy sector, recently faced the challenge of having to restrict the authorizations of its technical users (batch processing and RFC interfaces).

Insufficiently protected SAP users pose a hazard.

Our experiences in numerous consulting projects show a clear trend: all too often, technical SAP users are not protected sufficiently. A high risk is posed by the abuse of RFC interfaces, for example.

An ideal authorization consists of the minimum set of authorization objects and field values, and it is checked as part of a continuous process rather than once. In practice there are also dynamic cases, where it is not clear today which additional authorizations will be needed in the future. We therefore distinguish two scenarios:

1. Static object usage
In this case, future needs can be determined by analyzing past usage.

2. Dynamic object usage
For users with dynamic object usage it is unclear which additional authorizations these users will need in the future. Additional applications can be connected through the same interface and may then query completely new objects that never appear in the historical trace.

Two simple steps to the solution – not just for customers from the energy sector.

We first sorted the technical users into these two scenarios.

Step 1: Select technical SAP users with static object usage.

These users will carry out the same activities in the future that they have performed in the past.

By analyzing the authorization trace data (transactions STAUTHTRACE or ST01), we could identify which authorization objects and values a user actually needs and remove the unneeded ones from its single or composite role. The trace must cover a full business cycle, including periodic jobs such as month-end or year-end processing, or those activities will be missed.

Excerpt from transaction “STAUTHTRACE – System Trace for Authorization Checks”:

[Screenshot: STAUTHTRACE selection screen]
Excerpt from the log of recorded trace data, showing which objects the technical user used in the selected period:

[Screenshot: STAUTHTRACE log of the recorded authorization checks for the technical user]

The next step involves enhancing the new role with only those RFC authorization objects and their values that are absolutely necessary, instead of granting extensive authorizations or even full authorizations:

[Screenshot: PFCG authorization data of the new role with the restricted S_RFC values]
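The trace-based trimming described in Step 1 can be prepared offline before anything is touched in PFCG. The following script is an added example (not code from this post or from the SAST SUITE): it parses an exported authorization trace, keeps only checks that actually passed (RC 0), and compares the result with the user's current role to list objects that can be removed and the explicit values that should replace the wildcards. The record format USER;OBJECT;FIELD=VALUE,...;RC is a constructed simplification of the columns STAUTHTRACE displays, and the user, role and trace records are constructed sample data; adapt parse_trace() to your own export.

```python
"""Offline trimming of a technical user's role from authorization trace data.

Added example (not code from the SAST blog post or the SAST SUITE). The record
format USER;OBJECT;FIELD=VALUE,...;RC is a constructed simplification of the
columns STAUTHTRACE displays; adapt parse_trace() to your own export.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export for the technical user RFC_BATCH01. RC is the
# return code of the authority check: 0 = passed, anything else = refused.
SAMPLE_TRACE = """\
RFC_BATCH01;S_RFC;RFC_TYPE=FUGR,RFC_NAME=ZFG_BILLING,ACTVT=16;0
RFC_BATCH01;S_RFC;RFC_TYPE=FUGR,RFC_NAME=SYST,ACTVT=16;0
RFC_BATCH01;S_RFC;RFC_TYPE=FUGR,RFC_NAME=ZFG_BILLING,ACTVT=16;0
RFC_BATCH01;S_TABU_NAM;TABLE=ZBILL_HDR,ACTVT=03;0
RFC_BATCH01;S_BTCH_JOB;JOBACTION=RELE,JOBGROUP=ZBILL;0
RFC_BATCH01;S_DATASET;PROGRAM=ZBILL_EXPORT,ACTVT=06,FILENAME=/tmp/bill.csv;4
DIALOG_USER;S_USER_GRP;CLASS=SUPER,ACTVT=02;0
"""

# Constructed current role of RFC_BATCH01: broad values, typical of a
# collective user. Each object maps field name -> set of granted values.
CURRENT_ROLE = {
    "S_RFC":      {"RFC_TYPE": {"*"}, "RFC_NAME": {"*"}, "ACTVT": {"16"}},
    "S_TABU_NAM": {"TABLE": {"*"}, "ACTVT": {"02", "03"}},
    "S_BTCH_JOB": {"JOBACTION": {"*"}, "JOBGROUP": {"*"}},
    "S_DATASET":  {"PROGRAM": {"*"}, "ACTVT": {"33", "34"}, "FILENAME": {"*"}},
    "S_USER_GRP": {"CLASS": {"*"}, "ACTVT": {"*"}},
}


@dataclass
class TraceRecord:
    user: str
    obj: str
    fields: dict[str, str]   # field name -> value that was checked
    rc: int                  # 0 = check passed, otherwise refused


def parse_trace(text: str) -> list[TraceRecord]:
    """Parse the constructed export, one authority check per line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, obj, fieldstr, rc = line.split(";")
        fields = dict(part.split("=", 1) for part in fieldstr.split(","))
        records.append(TraceRecord(user, obj, fields, int(rc)))
    return records


def used_values(records: list[TraceRecord], user: str):
    """Object/field/value combinations the user exercised with RC 0.

    Refused checks are deliberately excluded: they show what a job or caller
    attempted, not what the interface needs, and are reviewed separately."""
    used = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r.user == user and r.rc == 0:
            for f, v in r.fields.items():
                used[r.obj][f].add(v)
    return used


def analyze(trace_text: str, user: str, role: dict):
    """Return (removable objects, minimal values to keep, refused checks)."""
    records = parse_trace(trace_text)
    used = used_values(records, user)
    removable = sorted(o for o in role if o not in used)
    minimal = {obj: {f: sorted(vals) for f, vals in fields.items()}
               for obj, fields in used.items()}
    refused = [(r.obj, r.fields) for r in records if r.user == user and r.rc != 0]
    return removable, minimal, refused


if __name__ == "__main__":
    removable, minimal, refused = analyze(SAMPLE_TRACE, "RFC_BATCH01", CURRENT_ROLE)
    print("remove from role:", removable)
    for obj, fields in minimal.items():
        print(f"keep {obj}:", fields)
    print("refused checks to review:", refused)
```

On the sample data, S_DATASET and S_USER_GRP were never used successfully and are candidates for removal, and S_RFC shrinks from RFC_NAME * to the two function groups actually called. The refused S_DATASET delete is listed separately rather than silently granted: something tried to delete a file on the application server, and that needs an explanation before the role is changed.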

Our recommendation: Create separate technical users for each scenario (batch processing/RFC interfaces). Collective users should be avoided because they accumulate extensive authorizations that can be misused through any one of their interfaces. Nonetheless, collective users are often used in practice.

Step 2: Restrict technical SAP users with dynamic object usage.

Particularly when business functions are activated, SAP Basis authorization objects and transactions are often simply assigned directly and in full to the technical user.

If extensive authorizations are exploited, the following critical authorization objects can cause serious damage:

– S_TABU_DIS / S_TABU_NAM (table access by authorization group / by table name)
– S_DATASET (access to files in directories on the application server)
– S_USER_GRP (maintenance of user master records)
– S_USER_AGR (maintenance of authorization roles)
– S_DEVELOP (ABAP development)
– S_RFC (execution of remote function calls)
– S_ADMI_FCD (system administration functions)

Our customer from the energy sector had clear targets as to which objects needed to be restricted in the production system to reduce risks. Therefore, it was important that these objects never be given full authorization. To ensure this, each object needed to be set to “Inactive” or “Display restricted” in production systems.

  1. Creating a role based on the “SAP_ALL” profile:

[Screenshot: PFCG role generated from the SAP_ALL profile]

  2. Restricting the affected objects, here by deactivating the authorization object S_DEVELOP:

[Screenshot: PFCG with S_DEVELOP set to inactive]

In transaction “PFCG – Role Maintenance”, the object “S_DATASET” allows deletion and modification of files in all directories – it was set to inactive as a result:

[Screenshot: PFCG with S_DATASET set to inactive]
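The rule applied in Step 2 (every critical object in a production role is either inactive or restricted to display) can be checked mechanically before a role is transported. The following audit is an added example (not code from this post or from the SAST SUITE). The role is represented as a constructed list of authorization lines mirroring what PFCG shows per object: the active/inactive flag plus the field values, with '*' meaning full authorization. The "display only" values are the standard ones (ACTVT 03 = display, S_DATASET ACTVT 33 = read); S_RFC and S_ADMI_FCD have no display activity, so for them the only acceptable states are inactive or an explicit, wildcard-free value list. The sample role is constructed and partly hardened as in the post, with S_DEVELOP and S_DATASET already inactive.

```python
"""Audit a role derived from SAP_ALL for the critical objects named above.

Added example (not code from the SAST blog post or the SAST SUITE). Role
lines, field values and the sample role are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# Critical objects from the post, with the field that carries the risk and the
# values still acceptable in production ("display restricted"). None means the
# object has no display activity: keep it inactive or enumerate explicit values.
CRITICAL = {
    "S_TABU_DIS": ("ACTVT", {"03"}),
    "S_TABU_NAM": ("ACTVT", {"03"}),
    "S_DATASET":  ("ACTVT", {"33"}),
    "S_USER_GRP": ("ACTVT", {"03"}),
    "S_USER_AGR": ("ACTVT", {"03"}),
    "S_DEVELOP":  ("ACTVT", {"03"}),
    "S_RFC":      ("RFC_NAME", None),
    "S_ADMI_FCD": ("S_ADMI_FCD", None),
}


@dataclass
class Auth:
    obj: str                          # authorization object
    active: bool                      # PFCG active/inactive flag
    fields: dict[str, frozenset[str]] # field -> granted values, '*' = full


def auth(obj: str, active: bool, **fields: list[str]) -> Auth:
    return Auth(obj, active, {f: frozenset(v) for f, v in fields.items()})


# Constructed role generated from SAP_ALL and partly hardened as in the post.
SAP_ALL_ROLE = [
    auth("S_DEVELOP", False, ACTVT=["*"], DEVCLASS=["*"]),
    auth("S_DATASET", False, ACTVT=["*"], FILENAME=["*"]),
    auth("S_TABU_DIS", True, ACTVT=["03"], DICBERCLS=["*"]),
    auth("S_TABU_NAM", True, ACTVT=["02", "03"], TABLE=["*"]),
    auth("S_USER_GRP", True, ACTVT=["*"], CLASS=["*"]),
    auth("S_USER_AGR", True, ACTVT=["03"], ACT_GROUP=["*"]),
    auth("S_RFC", True, ACTVT=["16"], RFC_NAME=["*"], RFC_TYPE=["FUGR"]),
    auth("S_ADMI_FCD", True, S_ADMI_FCD=["*"]),
    auth("S_BTCH_JOB", True, JOBACTION=["*"], JOBGROUP=["*"]),  # not critical here
]


def is_wildcard(value: str) -> bool:
    """'*' and prefix patterns such as 'Z*' both grant more than one value."""
    return value.endswith("*")


def audit(auths: list[Auth]) -> list[tuple[str, str]]:
    """(object, reason) for every active critical object that still grants
    more than its display-only values."""
    findings = []
    for a in auths:
        if a.obj not in CRITICAL or not a.active:
            continue
        fld, display_only = CRITICAL[a.obj]
        values = a.fields.get(fld, frozenset())
        if display_only is None:
            if any(is_wildcard(v) for v in values):
                findings.append((a.obj, f"{fld} contains a wildcard"))
        else:
            excess = sorted(v for v in values if v not in display_only)
            if excess:
                findings.append((a.obj, f"{fld} allows {excess}"))
    return findings


def harden(auths: list[Auth]) -> list[Auth]:
    """Apply the two remedies from the post to every flagged object: restrict
    to display-only values where the object has them, otherwise deactivate."""
    flagged = {obj for obj, _ in audit(auths)}
    result = []
    for a in auths:
        if a.obj in flagged:
            fld, display_only = CRITICAL[a.obj]
            if display_only is None:
                a = replace(a, active=False)
            else:
                a = replace(a, fields={**a.fields, fld: frozenset(display_only)})
        result.append(a)
    return result


if __name__ == "__main__":
    for obj, reason in audit(SAP_ALL_ROLE):
        print(f"{obj}: {reason}")
    print("findings after hardening:", audit(harden(SAP_ALL_ROLE)))
```

Two caveats when using this in the dynamic scenario: restricting S_TABU_NAM or S_USER_GRP to display breaks any batch step that still writes through them, which is exactly why the hypercare monitoring described below is needed; and "display restricted" only limits the activity, so S_TABU_DIS with ACTVT 03 and DICBERCLS * still reads every table, and the table or group values should be narrowed as well wherever the trace analysis allows it.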

The SAST SUITE enables mass analyses and role assignment virtually at the touch of a button.

In this best-practice project, we supported our customer's conversion of technical users through the hypercare phase. Any errors that occurred in batch processing or in the RFC interfaces were closely monitored in the first days after the changeover and corrected quickly, using a smart fallback procedure.

In addition to the standard SAP solutions, our customer from the energy sector relied on the SAST SUITE to ensure an efficient execution. This software made it possible to simplify the process significantly, from the first analysis to going live. Thanks to the SAST SUITE, users could be analyzed on a large scale and roles created at the touch of a button, without any disturbances to regular operations. In addition to the tremendous time savings, the procedure also delivered a significant reduction in risk through conflict-free authorization roles.

Are you interested in optimizing the role adjustment process for technical SAP users? We can help! Visit our website or e-mail us.

Maximilian Hauer (SAP Security Consultant, SAST SOLUTIONS)