Application Development Discussions
HCM Critical

Former Member

Hello All - I am working on a risk assessment for our HCM module. My company's HR analysts have already started working on HCM...

We are on ECC 6.0, using roles that are about 5/6 years old, and we have all modules except HR on one instance. We have pretty wide-open roles on the system. I am working on assessing the time/effort to remediate existing security to get HCM into play.

Some of the things on top of my mind are table maintenance, remediating developer access, Basis, BAs... I am thinking I will touch all roles which have:

S_TABU_DIS

S_TABU_CLI

S_DEVELOP

S_PROGRAM

S_TRANSPRT

S_DATASET and so on

And transactions like SM30, SE11-SE16, SE38, SE80, ...

Also, we have SRM/BW/PI on a separate landscape; do I have to remediate security on those systems too? Do you think users with RFC authorizations are critical?

What do you think, am I taking the right path? Can you please suggest a game plan? What are the other critical things I should look for?

I know there are many auditors and security consultants in this group; I will very much appreciate your thoughts!

Thanks All in Advance!


Former Member

Hi,

My best solution is to create authorization groups for table maintenance and restrict access. Visit the below link:

http://help.sap.com/saphelp_46c/helpdata/en/35/26b17fafab52b9e10000009b38f974/content.htm

Once the authorization groups are created, you can assign the groups to specific users, so that they will only have access to table maintenance.

http://help.sap.com/saphelp_47x200/helpdata/en/a7/5134d2407a11d1893b0000e8323c4f/content.htm

Further, you can restrict assigning these roles to limited users.

Regarding the RFC authorization, please post back with the auth objects for which you are giving access. If they are the same as mentioned above, it depends on the tasks that the RFC users are performing.

Rgds,

Raghu


Hello Raghu Garu!

It's been a while since I saw your postings; I am one of your students at VC. Thank you for the suggestion.

Hello All - I have a question: whenever I post anything regarding HCM, I get a very poor response, don't know why... Moderators - I hope this is a one-stop place for all modules, right?

I did not see any other security forums for HCM in here... please suggest if I am posting in the wrong place... or we need to pull HCM experts into our group!

Thanks.


Hi AJ,

Yes, sometimes it is a bit of a pity that one cannot mirror threads both to the technical and the functional forum. Because duplicate or multiple posting makes a mess of the forums and the search, it is not allowed - so you need to choose the most appropriate forum and stick to it and your question.

If you ask a question with enough details and follow-up on it to provide more details or progress as you go along, then nice mods will usually make the effort of moving it to another forum to add other aspects when the discussion drifts that way.

Specifically regarding your question: I think HCM is a coincidence which brings legal requirements with it (also for patching...) and is not the most important reason to secure your system from the non-HR "stronger" system authorizations if you already have "all modules implemented except HCM"...

Regarding Raghu's post, please take note that the documentation linked to relates to release 46C, but the object S_DEVELOP has subsequently been changed, including its fields and how programs interpret the fields and the values they have...

There is also a migration tool to migrate the old S_DEVELOP to the new S_DEVELOP authorizations.

There are also other objects you might want to take a closer look into - it is not as simple as just S_DEVELOP, S_TABU_DIS and S_RFC and their values. Finding them all is a massive task, which is why most gurus will recommend that you build a real role based on approved entry points (in the menu) and pull in the authorizations which it needs from SU24 for the activities and special fields, and org levels for the org fields. Try to keep the maintenance and manuals down to an absolute minimum and do not mix 2 roles to be dependent on each other, as they consequently cannot survive on their own...

It will make a mess!

I am glad to discuss specific objects further in detail, but I think we need to agree to this security principle first.

> ... or we need to pull HCM experts into our group!

Yes, that would be more than welcome. I know some of the folks from other functional and technical areas also contribute here and take an interest in security. This should be encouraged (not only for the forums...).

Cheers,

Julius


Hi Julius - I am a bit lost in assessing risk; as I told you before, I am working on it because we have plans to get HCM on ERP and not as a different instance. A few other Basis folks are working to assess the OS level; I am looking at the following things...

- Pull all roles which have S_TABU_DIS/S_DEVELOP/S_TRANSPRT/S_PROGRAM not maintained.

- All roles which have table-maintenance tcodes like SM30/SM31... SE11/SE12/... (I am sure these tcodes share the above auth objects).

- Users with admin profiles SAP_ALL/SAP_NEW... (system/service/communication users...).

- RFC users.

- Users with system admin profiles like S_A.SYSTEM...

I am sure that I am touching all critical areas...

Please suggest if you know anything off the top of your head...

Security gurus and auditors, you guys are my last rescue... points + I will also buy you something you like whenever I meet you... Promise!

Thanks in Advance.


Hi,

You should also check the below items; Deloitte usually checks these points in auditing.

1. Z-tables not assigned to an authorization group

2. Use of SAP standard roles

3. Database lock authorizations

4. Maintain profile parameters

5. Batch administrator rights (SM35)

6. Use another user ID during background processing (object S_BTCH_NAM)

7. Maintain external operating system commands

8. Access to CCMS Alert Monitor

9. Also check the values for object S_C_FUNCT. It provides indirect access to calling ABAP programs, i.e. access like SA38.

Regards,

Gowrinadh
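As an added example (not code from this thread or from SAP), the following Python script shows how the two mechanical checks raised above can be run offline: AJ's "pull all roles which have S_TABU_DIS/S_DEVELOP/S_TRANSPRT/S_PROGRAM not maintained" and Gowrinadh's item 1, "Z-tables not assigned to an authorization group". It assumes pipe-separated exports (e.g. an SE16 download) of the standard tables AGR_1251 (role authorization field values) and TDDAT (table-to-authorization-group assignment); the column names are the real SAP field names, but the export layout, the role names and the table rows are constructed sample data. A "not maintained" authorization is taken to be one whose decisive field is a bare "*" (ranges such as A to Z* are not detected), combined with a non-display ACTVT where the object has one.

```python
"""Offline scan of exported SAP authorization data.

Constructed example: the export format and all sample rows below are made
up for illustration; the table and field names (AGR_1251, TDDAT, S_TABU_DIS,
DICBERCLS, ...) are standard SAP names.
"""
import csv
import io
from collections import defaultdict

# Critical authorization objects and the field that decides how wide the
# authorization is. A bare "*" in that field is what the thread calls an
# object that is "not maintained".
CRITICAL_FIELDS = {
    "S_TABU_DIS": "DICBERCLS",   # table authorization group
    "S_TABU_CLI": "CLIIDMAINT",  # cross-client table maintenance flag
    "S_DEVELOP": "OBJTYPE",      # workbench object type (PROG, FUGR, ...)
    "S_PROGRAM": "P_GROUP",      # program authorization group
    "S_TRANSPRT": "TTYPE",       # transport request type
    "S_DATASET": "FILENAME",     # OS file path
    "S_BTCH_NAM": "BTCUNAME",    # run background jobs under another user
    "S_RFC": "RFC_NAME",         # function group / module callable via RFC
}

# ACTVT values that only read: 03 display, 08 display change documents,
# 33 read (S_DATASET). Anything else (01/02/06/16/34/*) is treated as critical.
DISPLAY_ACTVT = {"03", "08", "33"}

# Constructed AGR_1251 export: AGR_NAME|OBJECT|AUTH|FIELD|LOW|HIGH
SAMPLE_AGR_1251 = """
AGR_NAME|OBJECT|AUTH|FIELD|LOW|HIGH
Z_FI_CLERK|S_TABU_DIS|T-AB01|ACTVT|02|
Z_FI_CLERK|S_TABU_DIS|T-AB01|DICBERCLS|*|
Z_FI_REPORT|S_TABU_DIS|T-AB02|ACTVT|03|
Z_FI_REPORT|S_TABU_DIS|T-AB02|DICBERCLS|*|
Z_SUPPORT|S_DEVELOP|T-AB03|ACTVT|*|
Z_SUPPORT|S_DEVELOP|T-AB03|OBJTYPE|*|
Z_SUPPORT|S_DEVELOP|T-AB03|DEVCLASS|Z*|
Z_BATCH|S_BTCH_NAM|T-AB04|BTCUNAME|*|
Z_HR_ADMIN|S_TABU_DIS|T-AB05|ACTVT|02|
Z_HR_ADMIN|S_TABU_DIS|T-AB05|DICBERCLS|PA|
Z_IFACE|S_RFC|T-AB06|ACTVT|16|
Z_IFACE|S_RFC|T-AB06|RFC_TYPE|FUGR|
Z_IFACE|S_RFC|T-AB06|RFC_NAME|*|
"""

# Constructed TDDAT export: TABNAME|CCLASS (CCLASS = authorization group)
SAMPLE_TDDAT = """
TABNAME|CCLASS
ZHR_BONUS|&NC&
ZHR_PAYSCALE|ZHRC
ZFI_RATES|
"""

# Constructed list of customer tables (would come from DD02L, TABNAME LIKE 'Z%')
SAMPLE_CUSTOM_TABLES = ["ZHR_BONUS", "ZHR_PAYSCALE", "ZFI_RATES", "ZHR_AUDIT"]


def parse_export(text):
    """Parse a pipe-separated export with a header row into a list of dicts."""
    reader = csv.DictReader(io.StringIO(text.strip()), delimiter="|")
    return [{k.strip(): (v or "").strip() for k, v in row.items()} for row in reader]


def find_open_authorizations(agr_1251_rows):
    """Return (role, object, auth, field, activities) for every authorization
    whose critical field is '*' and whose ACTVT, if present, is not display-only."""
    auths = defaultdict(lambda: defaultdict(list))
    for row in agr_1251_rows:
        if row["OBJECT"] in CRITICAL_FIELDS:
            key = (row["AGR_NAME"], row["OBJECT"], row["AUTH"])
            auths[key][row["FIELD"]].append((row["LOW"], row["HIGH"]))

    findings = []
    for (role, obj, auth), fields in auths.items():
        crit = CRITICAL_FIELDS[obj]
        if not any(low == "*" for low, _ in fields.get(crit, [])):
            continue
        actvt = {low for low, _ in fields.get("ACTVT", [])}
        # Objects without ACTVT (S_TABU_CLI, S_PROGRAM, S_BTCH_NAM) are
        # critical on the wildcard alone; otherwise skip display-only auths.
        if "ACTVT" in fields and actvt <= DISPLAY_ACTVT:
            continue
        findings.append((role, obj, auth, crit, sorted(actvt)))
    return sorted(findings)


def find_unprotected_custom_tables(tddat_rows, custom_tables):
    """Customer tables with no real authorization group: missing from TDDAT
    or in SAP's default '&NC&' (not classified) group, which any role with
    S_TABU_DIS DICBERCLS=&NC& can maintain."""
    groups = {r["TABNAME"]: r["CCLASS"] for r in tddat_rows}
    return sorted(t for t in custom_tables if groups.get(t, "") in ("", "&NC&"))


if __name__ == "__main__":
    for f in find_open_authorizations(parse_export(SAMPLE_AGR_1251)):
        print("wide-open authorization:", f)
    for t in find_unprotected_custom_tables(parse_export(SAMPLE_TDDAT), SAMPLE_CUSTOM_TABLES):
        print("custom table without authorization group:", t)
```

On the sample data the scan reports Z_FI_CLERK (S_TABU_DIS on all groups with change), Z_SUPPORT (S_DEVELOP on all object types), Z_BATCH (jobs under any user) and Z_IFACE (any RFC function group), while Z_FI_REPORT (display only) and Z_HR_ADMIN (restricted to group PA) pass; ZHR_BONUS, ZFI_RATES and ZHR_AUDIT are flagged as tables to put into a proper authorization group before HR data lands in them. The same two checks can be run directly on the system with the standard user information system (SUIM, "Roles by authorization values") and SE16 on TDDAT; the script only makes the logic explicit and repeatable.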


Hi Gowrinadh - I appreciate your reply. The points you referred to will definitely help from a regular audit standpoint... my hunt now is specific to HCM critical activities. I will look into S_C_FUNCT as you suggested.

Thanks Again!


Please go through the below link:

http://help.sap.com/saphelp_erp2005/helpdata/en/44/22b6659d955cd8e10000000a1553f6/frameset.htm

As per the documentation, the authorization object P_ASRCONT is important in HCM.

Regards,

Gowrinadh