03-10-2008 11:03 AM
Hi,
I'm new to SAP security. I just need to know what skills a typical SAP security consultant/administrator should possess?
03-10-2008 11:35 AM
Where to begin, it can be quite a lot, depending on which side of security you want to operate. Auditing/role and user maintenance/security implementation etc.
Some thoughts:
At the very least the contents of SAP course ADM940 should be understood completely and ADM950 and ADM960 are needed to certify. See the SAP education site for these courses' contents. Basically you should understand and be able to maintain the security concept(s) used within SAP.
Analytical skills are very important to translate functional specs into technical designs and vice versa. A security consultant often has a kind of bridging role between the technical guys on one side and the key users on the other and you'll need to speak both the technical and the business language. Besides that you have to be able to analyse the security already in place in a system as new installations are (probably) in the minority.
When designing security you'll also find yourself hindered by the fact that a lot of project members whose information you need will not judge security as something important and/or urgent. That means that you'll have to work hard to get your information in time to design and build roles etc. Also constantly judging and weighing this information can be tiresome. It tends to be a bit of a solitary job, even in big projects. You're the one that 'creates the stupid error messages'.
I also think it's almost impossible to do security design without good spreadsheet skills.
Jurjen
03-10-2008 12:01 PM
03-11-2008 5:11 AM
Hey,
I appreciate your answer, but to make it very clear to you: I would like to be part of SAP role and user maintenance/SAP Security Implementation. My doubt is, is it enough to be good in the following
transactions for a good SAP Security guy: SU01, PFCG, SU56, SU53, SU3, PFUD, SUPC, SU10, SU02, SU03, RZ10, SM01.
Or else do we need to have more knowledge than these TRX?
Could you please give a clear picture?
I know it is a silly question but your answer really helps me.
Thanks in advance!
Regards,
naveen
Edited by: naveen m on Mar 11, 2008 6:21 AM
03-11-2008 6:37 AM
The answer is NO, only knowing how to use the listed TRX is NOT enough to be a security admin/consultant.
There is much more to learn before you can start.
Suggestion: buy Authorisation Made Easy (amazon.com) and go to SAP courses ADM940/950/960.
03-11-2008 7:21 AM
>
> I appreciate your answer, but to make it very clear to you: I would like to be part of SAP role and user maintenance/SAP Security Implementation. My doubt is, is it enough to be good in the following
> transactions for a good SAP Security guy: SU01, PFCG, SU56, SU53, SU3, PFUD, SUPC, SU10, SU02, SU03, RZ10, SM01.
That will only get you as far as 'the guy behind the keyboard', the one executing tasks to build roles designed by others. So for user and role maintenance you'd get reasonably far with just knowledge of these transactions but you'd also need to know the principles and data structures behind SAP authorizations to become a pro.
However, to take part in security design is a different objective and is more about understanding what to do and why, rather than knowing how to build the stuff. As I said, the three SAP courses are a good starting point and with some (years of) experience you can become a 'good SAP security guy'.
Look at a career path like: 1: -> user administration, 2: -> role administration, 3: -> security team member in implementation 4: -> security guy
Besides that you can also have a look at specializing, for instance BI security, portal security, HR security (with ESS/MSS) etc. Those skills increase your market value.
Basically, I agree with Auke's NO. Just learning which buttons to push will not get you there but it is a good start.
Jurjen
03-11-2008 10:04 AM
Hi,
Thanks for your prompt reply.
Is it mandatory for a security guy to know the critical transactions of all function modules?
If yes, where can I get this info about critical transactions?
03-11-2008 10:15 AM
>
> Is it mandatory for a security guy to know the critical transactions of all function modules?
> If yes, where can I get this info about critical transactions?
Don't you think that would be impossible? All function modules? Going for the Guinness Book?
It is more important to work together with the functional consultants and the key users in a project/company as SOD is module-, company- and process-dependent. The functional consultants are the specialists in their respective fields and they should know the module-specific authorization (im)possibilities as well as critical combinations and other risks.
It does help if you know the security for SAP basis and that is taught in ADM940.
If you search the forums you'll notice that requests for SOD matrixes are seldom answered.
I think you should concentrate on acquiring skills, not knowledge. Skills will help you to get to the knowledge when needed.
Good luck!
Jurjen
03-11-2008 10:44 AM
Hi,
Well said Jurjen! Would you like to throw light on something important which you forgot to mention in your earlier reply for an SAP security aspirant before closing the thread?
Thanks a lot!
Regards,
Naveen
03-11-2008 10:59 AM
>
> Well said Jurjen! Would you like to throw light on something important which you forgot to mention in your earlier reply for an SAP security aspirant before closing the thread?
How do you want me to guess what I forgot? Tell me what more you want to know.
03-11-2008 11:41 AM
03-11-2008 11:42 AM
Ha ha... tried the phishing method to get the secrets (flopped) ;-)
Actually, in my first interview, my interviewer asked me what all the critical auth. objects are. My doubt is what I need to say, because more or less all auth. objects are critical only if assigned to the wrong user.
What do you say on this?
Regards,
Naveen
03-11-2008 11:50 AM
>
> Actually, in my first interview, my interviewer asked me what all the critical auth. objects are. My doubt is what I need to say, because more or less all auth. objects are critical only if assigned to the wrong user.
Well, that would have been a correct answer. There are some objects like S_TABU_DIS and S_DEVELOP which are considered critical in any installation.
I do not have such a list for you. If you use the search functionality in this forum and search for critical AND objects in the last year you'll find some threads with objects, transactions and useful links.
Jurjen
03-11-2008 11:53 AM
If your interviewer asked you what "all" the critical objects are then they are dumb & your answer was correct.
Run SU21 and have a look at the objects in the BC* classes - these start with S_. Read the notes about them and understand what they control & you will soon see which ones are critical.
As a start you can look at
S_USER*
S_LOG_COM
S_RZL_ADM
S_DEVELOP
S_TABU_DIS
S_RFC
There are loads more, and many from a business like F_BKPF_BUP.
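Added example (not part of the original post or thread): a small review script that takes the starting list of objects named in the post above and checks a role export for them, then reports which users hold those objects with a full wildcard value. The CSV layout is modelled on the columns of table AGR_1251 as an assumption; the role names, user names and values are constructed sample data.

```python
import csv
import io
from fnmatch import fnmatchcase

# Starting list from the post above; S_USER* is treated as a prefix pattern.
CRITICAL_PATTERNS = ["S_USER*", "S_LOG_COM", "S_RZL_ADM",
                     "S_DEVELOP", "S_TABU_DIS", "S_RFC"]

# Constructed sample: role authorization values (assumed AGR_1251-style export).
ROLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW
Z_BASIS_ADMIN,S_TABU_DIS,ACTVT,02
Z_BASIS_ADMIN,S_TABU_DIS,DICBERCLS,*
Z_BASIS_ADMIN,S_USER_GRP,ACTVT,*
Z_FI_CLERK,F_BKPF_BUP,ACTVT,03
Z_FI_CLERK,S_TABU_DIS,ACTVT,03
Z_FI_CLERK,S_TABU_DIS,DICBERCLS,FC01
Z_DEV,S_DEVELOP,ACTVT,*
"""

# Constructed sample: user-to-role assignments.
USER_ROLES = {"JSMITH": ["Z_FI_CLERK"],
              "ADMIN01": ["Z_BASIS_ADMIN"],
              "TEMP_DEV": ["Z_DEV", "Z_FI_CLERK"]}

def is_critical(obj):
    """True if the object name matches one of the listed patterns."""
    return any(fnmatchcase(obj, p) for p in CRITICAL_PATTERNS)

def critical_findings(export_text):
    """Return {role: {object: [fields whose value is '*']}} for critical objects."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if not is_critical(row["OBJECT"]):
            continue
        fields = findings.setdefault(row["AGR_NAME"], {}).setdefault(row["OBJECT"], [])
        if row["LOW"].strip() == "*":
            fields.append(row["FIELD"])
    return findings

def users_to_review(findings, assignments):
    """List (user, role, object) where a critical object has a wildcard field."""
    hits = []
    for user, roles in assignments.items():
        for role in roles:
            for obj, star_fields in findings.get(role, {}).items():
                if star_fields:
                    hits.append((user, role, obj))
    return sorted(hits)

if __name__ == "__main__":
    for hit in users_to_review(critical_findings(ROLE_EXPORT), USER_ROLES):
        print(hit)
```

A restricted value (Z_FI_CLERK with display-only access to one table group) is recorded but not flagged, which reflects the point made in the thread that an object is critical depending on what is granted and to whom.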
03-11-2008 12:08 PM
Hi Naveen,
Pls see this link...It is very useful...
http://www.sapsecurityonline.com/r3_security/r3_security.htm
Regards
Rajesh..
03-11-2008 12:10 PM
Thanks Alex for the link!
Can anyone explain about Sec Process?
Regards,
Naveen
03-12-2008 10:13 AM
Can anyone explain about SAP security process?
Thanks in advance!
Regards,
Naveen