S 4.262 Configuration of additional SAP authorisation checks

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

An SAP system allows you to change the preconfigured authorisation checks (see S 2.342 Planning of SAP rights). Authorisation checks may be disabled. Additional authorisation checks may also be performed. These capabilities must be taken into consideration within the framework of authorisation planning. In general, consideration should be given to the following when changing the authorisation checks:

Disabling authorisation checks

Disabling existing authorisation checks may pose a threat to the security of the SAP system, since this also disables access controls. The effects of disabling a check on the security of the system must be examined carefully before disabling the check.

References to additional information can be found in S 2.346 Use of the SAP documentation.

Creating transactions to start programs or generate reports

Programs can be started and reports generated using transaction SE38 (ABAP Editor), for example. Not every program or report is assigned a transaction code, though. If users are to be provided with certain programs or reports, it is recommended to make them available using a transaction. The advantage is that access to the transaction and therefore to the program or report can be protected using S_TCODE type authorisations. In addition, access to transaction SE38 can be blocked, since it can be used to execute any code in principle.

It must also be considered when using this method that the authorisations created by the Profile Generator to call programs or reports must be maintained continuously. For this, the authorisations derived from the S_PROGRAM authorisation object must be modified in the role authorisation profiles according to the authorisation plan.

Use of parameter transactions

Parameter transactions can be created to define values or ranges of values for the call parameters regarding transactions. Access to the newly created parameter transactions (transaction SU93) can then be restricted using custom authorisations (authorisation object S_TCODE).

Here, it is important to take into consideration that parameter transactions are not suitable for being used as a security method for restricting access to the functions of the transaction or to data. In general, access to programs, reports, or tables, for example, always needs to be restricted using the corresponding authorisation object (S_PROGRAM for programs and reports, S_TABU_DIS for tables).

Modifying the ABAP authorisation groups

So-called authorisation groups can be defined for programs, reports, and tables. This allows grouping of authorisations so that access to the programs, reports, or tables of a group can be controlled using a single authorisation object.

The following must be taken into consideration when using ABAP authorisation groups:

References to additional information on the configuration of authorisation groups can be found in S 2.346 Use of the SAP documentation.

Additional custom authorisation objects

If the company or government agency has developed its own (ABAP) programs or has modified the program code of existing programs, authorisation checks may also be enabled for the new authorisation objects defined by the company or government agency. In order for the Profile Generator to take into account these new authorisation objects, their check indicators must be defined and modified accordingly using transaction SU24. Such changes may only be made within the framework of the change management processes.

Documenting changes

All changes to authorisation checks must be documented.

Review questions:

© Federal Office for Information Security. All rights reserved.