Application Development Discussions
skills of Security Consultant

Former Member
0 Kudos

Hi,

I'm new to SAP security. I just need to know what skills a typical SAP security consultant/administrator should possess.

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

Where to begin? It can be quite a lot, depending on which side of security you want to operate in: auditing, role and user maintenance, security implementation etc.

Some thoughts:

At the very least the contents of SAP course ADM940 should be understood completely and ADM950 and ADM960 are needed to certify. See the SAP education site for these courses' contents. Basically you should understand and be able to maintain the security concept(s) used within SAP.

Analytical skills are very important to translate functional specs into technical designs and vice versa. A security consultant often has a kind of bridging role between the technical guys on one side and the key users on the other, and you'll need to speak both the technical and the business language. Besides that you have to be able to analyse the security already in place in a system, as new installations are (probably) in the minority.

When designing security you'll also find yourself hindered by the fact that a lot of project members whose information you need will not judge security as something important and/or urgent. That means that you'll have to work hard to get your information in time to design and build roles etc. Also, constantly judging and weighing this information can be tiresome. It tends to be a bit of a solitary job, even in big projects. You're the one that 'creates the stupid error messages'.

I also think it's almost impossible to do security design without good spreadsheet skills.

Jurjen

16 REPLIES

Former Member
0 Kudos

Welcome to SDN, SAP security and (now also moved to) the Security Forum!

Former Member
0 Kudos

hey,

I appreciate your answer, but still, to make it very clear to you: I would like to be part of SAP role and user maintenance/SAP Security Implementation. My doubt is, is it enough to be good in the following transactions for a good SAP Security guy: SU01, PFCG, SU56, SU53, SU3, PFUD, SUPC, SU10, SU02, SU03, RZ10, SM01?

Or else do we need to have knowledge beyond these transactions?

could you please give a clear picture.

I know it is a silly question, but your answer really helps me.

Thanks in advance!

Regards,

naveen

Edited by: naveen m on Mar 11, 2008 6:21 AM

0 Kudos

The answer is NO, only knowing how to use the listed transactions is NOT enough to be a security admin/consultant.

There is much more to learn before you can start.

Suggestion: buy Authorizations Made Easy (amazon.com) and go to SAP courses ADM940/950/960.

0 Kudos

> I appreciate your answer, but still, to make it very clear to you: I would like to be part of SAP role and user maintenance/SAP Security Implementation. My doubt is, is it enough to be good in the following transactions for a good SAP Security guy: SU01, PFCG, SU56, SU53, SU3, PFUD, SUPC, SU10, SU02, SU03, RZ10, SM01?

That will only get you as far as 'the guy behind the keyboard', the one executing tasks to build roles designed by others. So for user and role maintenance you'd get reasonably far with just knowledge of these transactions, but you'd also need to know the principles and data structures behind SAP authorizations to become a pro.

However, taking part in security design is a different objective and is more about understanding what to do and why, rather than knowing how to build the stuff. As I said, the three SAP courses are a good starting point, and with some (years of) experience you can become a 'good SAP security guy'.

Look at a career path like: 1 -> user administration, 2 -> role administration, 3 -> security team member in an implementation, 4 -> security guy.

Besides that you can also have a look at specializing, for instance BI security, portal security, HR security (with ESS/MSS) etc. Those skills increase your market value.

Basically, I agree with Auke's NO. Just learning which buttons to push will not get you there but it is a good start.

Jurjen

Former Member
0 Kudos

hi,

Thanks for your prompt reply.

Is it mandatory for a security guy to know the critical transactions of all function modules?

If yes, where can I get this info about critical transactions?

0 Kudos

> Is it mandatory for a security guy to know the critical transactions of all function modules?

> If yes, where can I get this info about critical transactions?

Don't you think that would be impossible? All function modules? Going for the Guinness Book?

It is more important to work together with the functional consultants and the key users in a project/company, as SOD is module-, company- and process-dependent. The functional consultants are the specialists in their respective fields and they should know the module-specific authorization (im)possibilities as well as critical combinations and other risks.

It does help if you know the security for SAP basis and that is taught in ADM940.

If you search the forums you'll notice that requests for SOD matrixes are seldom answered.

I think you should concentrate on acquiring skills, not knowledge. Skills will help you to get to the knowledge when needed.

Good luck!

Jurjen

Former Member
0 Kudos

hi

Well said Jurjen! Would you like to throw light on something important which you forgot to mention in your earlier reply for an SAP security aspirant, before closing the thread?

Thanks a lot!

Regards,

Naveen

0 Kudos

> Well said Jurjen! Would you like to throw light on something important which you forgot to mention in your earlier reply for an SAP security aspirant, before closing the thread?

How do you want me to guess what I forgot? Tell me what more you want to know.

0 Kudos

Naveen,

I wrote a post a while back on activities which security consultants often participate in and what I believe a well-rounded security consultant should have knowledge of. It goes well beyond remembering transactions, though ADM940 -> 950 -> 960 are a good start.

Former Member
0 Kudos

Ha ha... tried the phishing method to get the secrets (flopped) ;-)

Actually, in my first interview my interviewer asked me what all the critical auth. objects are. My doubt is what I need to say, because more or less all auth. objects are critical only if assigned to the wrong user.

What you say on this?

Regards,

Naveen

0 Kudos

> Actually, in my first interview my interviewer asked me what all the critical auth. objects are. My doubt is what I need to say, because more or less all auth. objects are critical only if assigned to the wrong user.

Well, that would have been a correct answer. There are some objects like S_TABU_DIS and S_DEVELOP which are considered critical in any installation.

I do not have such a list for you. If you use the search functionality in this forum and search for critical AND objects in the last year you'll find some threads with objects, transactions and useful links.

Jurjen

0 Kudos

If your interviewer asked you what "all" the critical objects are then they are dumb, and your answer was correct.

Run SU21 and have a look at the objects in the BC* classes. These start with S_. Read the notes about them and understand what they control, and you will soon see which ones are critical.

As a start you can look at

S_USER*

S_LOG_COM

S_RZL_ADM

S_DEVELOP

S_TABU_DIS

S_RFC

There are loads more, and many business ones like F_BKPF_BUP.
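The list above is the kind of thing an auditor turns into a quick role scan. The following is an added example, not code from the thread or from SAP: it walks rows shaped like the AGR_1251 role-authorization table (role, object, field, low, high; the sample rows are constructed) and reports which roles carry the critical objects named in this post, flagging the ones assigned with a '*' or a value range for review first.

```python
"""Scan a role-authorization export for the critical objects named in the
post (S_USER*, S_LOG_COM, S_RZL_ADM, S_DEVELOP, S_TABU_DIS, S_RFC, F_BKPF_BUP).
Assumption: rows look like AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH)."""
import fnmatch
from collections import defaultdict

# Object patterns taken from the post; S_USER* covers S_USER_GRP, S_USER_AGR, ...
CRITICAL_PATTERNS = ["S_USER*", "S_LOG_COM", "S_RZL_ADM", "S_DEVELOP",
                     "S_TABU_DIS", "S_RFC", "F_BKPF_BUP"]

# Constructed sample export: (role, object, field, low, high)
SAMPLE_ROWS = [
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "ACTVT", "03", ""),
    ("Z_FI_DISPLAY", "S_TCODE", "TCD", "FB03", ""),
    ("Z_BASIS_ALL", "S_DEVELOP", "ACTVT", "*", ""),
    ("Z_BASIS_ALL", "S_TABU_DIS", "DICBERCLS", "*", ""),
    ("Z_BASIS_ALL", "S_USER_GRP", "ACTVT", "*", ""),
    ("Z_AP_CLERK", "F_BKPF_BUP", "ACTVT", "03", ""),
    ("Z_AP_CLERK", "S_RFC", "RFC_NAME", "RFC1", ""),
]


def is_critical(obj):
    """True when the object name matches one of the critical patterns."""
    return any(fnmatch.fnmatchcase(obj, p) for p in CRITICAL_PATTERNS)


def is_wide(low, high):
    """A '*' value or a LOW..HIGH range grants far more than a single value."""
    return low == "*" or bool(high)


def scan_roles(rows):
    """Return {role: [(object, field, low, high, wide)]} for critical objects only."""
    findings = defaultdict(list)
    for role, obj, field, low, high in rows:
        if is_critical(obj):
            findings[role].append((obj, field, low, high, is_wide(low, high)))
    return dict(findings)


def wide_critical_roles(rows):
    """Roles where a critical object carries '*' or a range: review these first."""
    return sorted(role for role, hits in scan_roles(rows).items()
                  if any(hit[4] for hit in hits))


if __name__ == "__main__":
    for role, hits in scan_roles(SAMPLE_ROWS).items():
        print(role, hits)
    print("review first:", wide_critical_roles(SAMPLE_ROWS))
```

Whether a hit is actually a problem still depends on who gets the role, which is the point Jurjen makes above about SOD being company- and process-dependent.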

Former Member
0 Kudos

Hi Naveen,

Please see this link. It is very useful:

http://www.sapsecurityonline.com/r3_security/r3_security.htm

Regards

Rajesh..

Former Member
0 Kudos

Thanks Alex for the link!

Can any one explain about Sec Process?

Regards,

Naveen

Former Member
0 Kudos

Can anyone explain about SAP security process?

Thanks in advance!

Regards,

Naveen