Thursday, 10 May 2007

Direct table maintenance - SE16

This check is a SAP Security Check you can enter into t-code SUIM to either find users or roles or profiles that have this access.

Access description:A user with this access can maintain all tables directly.

Authorization object 1: S_TABU_DIS
Field 1: ACTVT
Value 1: 1 or 2
Value 2: *
Authorization object 2: S_TCODE
Field 1: TCD
Value 1: SE16

Risk description:Users can erroneously or maliciously maintain entries in tables directly .This is a risk because if you maintain an entry in a table via SE16 and not via the proper transaction code then the program that was written to maintain this table is not activated and entries in dependent tables are not maintained and the data in the entry is not validated.

So who are allowed to have this access? Nobody should have it for all tables as shown in the Object 1, Field 2 above. Some peoeple can ave this access in a development system for tables within their functional area where they are experts. But nobody should have this access in a productive system.

Why is this such a big deal? This is in order to ensure the integrity of the database. If tables are maintained directly and another table that is dependent on this entry is not upated the entire system can fail to work. So only maintain tables via transactions. they are tried and tested and errors are minimized that way.

Monday, 30 April 2007

SAP Password

On most SAP installations the user authentication is based on simple user name and password that the user has to know.

Password settings for SAP are stored in the server parameters.

The parameter values can be read via the report RSPARAM.
The relevant one to the length of the password is "login/min_password_lng".

The system default value is 8 which means that untill this value is changed there is a minimum on the length of passwords of 8 characters.

You can change the value via transaction RZ11.

After you change this value you will need to bounce the system for the change to take effect.
Requiring a password of a certain minimum length raises the security because a longer password is more difficult to guess and it will take longer to find it in a brute force attack.
Below is a table of the number of possible passwords with a certain length (if we only use a-z and:

1 character give 36 possibilities
2 characters give 1'296 possibilities
3 characters give 46'656o possibilities
4 characters give 1'679'616 possibilities
5 characters give 60'466'176 possibilities
6 characters give 2'176'782'336 possibilities
7 characters give 78'364'164'096 possibilities
8 characters give 2'821'109'907'456 possibilities
9 characters give 101'559'956'668'416 possibilities
10 characters give 3'656'158'440'062'980 possibilities
This illustrates that a password of 8 characters, which is standard many places now, has more than a thousand times more options than a passsword of 6 characters, which was standard many places some years ago.
Now, go and make sure that your server has a password requirement that is up to date.

Saturday, 28 April 2007


The most important SAP security item to get rid of or, if that is not possible monitor, is the profile SAP_ALL.

This profile contains all authorization objects with the * value in all fields.

If a user has this profile attached have no restrictions in his actions.
A user with this profile is GOD.

The risk is that users with this profile can perform any action they like. They can create a new vendor with their personal bank account as vendor bank account, then they can process an invoice from that vendor and pay it, and that way they pay from the company's bank account into their own. And if they are a bit smart they delete the log file afterwards.
This will take some time to investigate.

Who can have this?
Nobody can have this. Perhaps the users SAP* and DDIC can be tolerated to have it.

Friday, 27 April 2007

Batch administrator

This check is a SAP Security Check you can enter into t-code SUIM to either find users or roles or profiles that have this access.

Access description:
A user with this access can maintain all batch jobs in the client.

Authorization object 1: S_BTCH_ADM
Value 1: Y
Authorization object 2: S_TCODE
Field 2: TCD
Value 2: SM37

Risk description:
Users can erroneously or maliciously delete, reschedule or re-run batch jobs that are not intended for this.
This is a risk because running some jobs twice might generate inaccurate financial numbers, delaying a job might delay a job that has to be run at a certain time for example depreciation of assets or other month end procedures.

So who are allowed to have this access?
So all in all only users that are experts within the functional area of the batch-job should be allowed to maintain it. Because only experts will know the consequences of modifying a jobs settings.

Why is this such a big deal?
This is all in order to ensure that only proper production jobs are run in the production environment. Only when we are sure of that can we trust the information that we extract from the system.


Introduction to the blog

Hello dear reader.

I would like to introduce myself but mostly this blog to you.

I am a freelance SAP Security consultant, who have worked with SAP Security and authorizations and audit since the autumn of 2000.
I have worked with clients in a variety of countries, but mostly in Europe. I have worked with clients in a variety of industries including Oil and Gas exploration, pharmaceuticals, utilities, transports and logistics and many others.

This blog is my little way of raising awareness of good SAP security practises.
Many practitioners of security keep their information a secret, but I believe that the information in itself is not secret. What creates value to a customer is the effort to use this information to do some good in their company. Because of this I have no problem publishing all I know.
On this blog I will aim to publish some good tips on how to increase the security of a SAP system and add a human touch to the explanation behind it.

If you have any questions or comments please feel free to speak up either in the comments to this post or to a more relevant post. Getting a dialog about SAP security would be great to raise the quality of this blog.