Change management SAP Security

Posted by Marta Ortona on Feb 18, 2022 12:00:00 AM

Are you an auditor? Or an IT manager who wants to monitor the data in your own SAP systems?

Is it possible to assign privileges without leaving traces, or almost none?

SAP Audit Security

That's why you need to know what the potential risks in an SAP system are and how you can mitigate them!

How do authorizations in SAP work? 

It isn't easy to describe in a few words, but I'll try!

Anything that is not explicitly authorized is denied. It is not possible to say "you can't do this or that"; it is only possible to say "I authorize you to do something" (with some exceptions).

SAP authorizations are assigned to users. When a user logs on to the system (SAP logon), the list of all the permissions assigned to that user is loaded into their authorization buffer.

Through transaction SU56 it is possible to display the list of all the permissions in a user's SAP authorization buffer.
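To make the "nothing is allowed unless explicitly granted" rule concrete, here is a small Python model of the authorization buffer and of an authority check. It is an added example written for this post, not code from the original article or from SAP: the objects (S_TCODE, F_BKPF_BUK, S_USER_GRP) are real authorization objects, but the profiles, values and the SAP_ALL_LIKE stand-in are constructed, and the wildcard and range handling is a simplification of the real value semantics.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization: an object plus the allowed values per field.

    An allowed entry is an exact string, '*' (any value), a trailing-'*'
    prefix pattern such as 'Z*', or a (low, high) tuple for a range.
    """
    obj: str
    fields: dict


def value_allowed(allowed, value):
    """True if `value` is covered by at least one allowed entry."""
    for entry in allowed:
        if isinstance(entry, tuple):          # range: low <= value <= high
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == "*" or entry == value:
            return True
        elif entry.endswith("*") and value.startswith(entry[:-1]):
            return True
    return False


def authority_check(buffer, obj, **checked):
    """Model of AUTHORITY-CHECK: passes only if one authorization in the
    buffer is for `obj` and covers every field/value the check names.
    A field the authorization does not list counts as not granted, so
    anything not explicitly authorized is denied. There is no way to
    express a deny rule in this model, matching the text above."""
    for auth in buffer:
        if auth.obj != obj:
            continue
        if all(value_allowed(auth.fields.get(f, ()), v) for f, v in checked.items()):
            return True
    return False


# Constructed catalogue: a few real authorization objects and their fields.
OBJECT_FIELDS = {
    "S_TCODE": ("TCD",),
    "F_BKPF_BUK": ("BUKRS", "ACTVT"),
    "S_USER_GRP": ("CLASS", "ACTVT"),
}

# Constructed profiles. SAP_ALL_LIKE stands in for SAP_ALL: '*' on every
# field of every object, which is why it satisfies any check.
PROFILES = {
    "Z_FI_DISPLAY": [
        Authorization("S_TCODE", {"TCD": ("FB03", "FBL3N")}),
        Authorization("F_BKPF_BUK", {"BUKRS": ("1000",), "ACTVT": ("03",)}),
    ],
    "Z_FI_POST_ALL_CC": [
        Authorization("F_BKPF_BUK", {"BUKRS": ("*",), "ACTVT": (("01", "03"),)}),
    ],
    "SAP_ALL_LIKE": [
        Authorization(obj, {f: ("*",) for f in fields})
        for obj, fields in OBJECT_FIELDS.items()
    ],
}


def logon_buffer(profile_names):
    """What the user buffer holds after logon: the union of the
    authorizations of all assigned profiles (what SU56 displays)."""
    return [auth for name in profile_names for auth in PROFILES[name]]


def buffer_listing(buffer):
    """SU56-style listing: one line per authorization in the buffer."""
    lines = []
    for a in buffer:
        spec = ", ".join(f"{name}={list(vals)}" for name, vals in a.fields.items())
        lines.append(f"{a.obj}: {spec}")
    return lines


if __name__ == "__main__":
    user = logon_buffer(["Z_FI_DISPLAY"])
    print("\n".join(buffer_listing(user)))
    print(authority_check(user, "S_TCODE", TCD="FB03"))                     # True
    print(authority_check(user, "F_BKPF_BUK", BUKRS="1000", ACTVT="02"))  # False: only display (03) granted
    print(authority_check(user, "S_USER_GRP", CLASS="SUPER", ACTVT="02")) # False: no authorization for the object
    admin = logon_buffer(["Z_FI_DISPLAY", "SAP_ALL_LIKE"])
    print(authority_check(admin, "S_USER_GRP", CLASS="SUPER", ACTVT="02")) # True
```

The point to take from the model is the last two checks: a user who is never given an authorization for S_USER_GRP is refused, and a single profile of '*' values turns every refusal into a pass, which is exactly why an unnoticed SAP_ALL assignment matters.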

 

Is it possible to assign SAP_ALL without leaving a trace?

Yes, it may be possible, and there are different ways. Sometimes they leave very few traces by which to find them.

One of these is the SAP standard transport mechanism (also called TMS, the Transport Management System). This is the way developments or changes are brought into a system, from the development system to the production system. Technically, they are files that are exported from one machine and imported into the other.

There are no approval mechanisms by default (although you can activate them).

So?

  • Do you control the content of the change requests that reach the productive environment?
    • Yes, this kind of assignment can be hidden: once in production, no change to user roles or permissions is visible, and the user simply receives SAP_ALL.
  • Do you check that the custom code contains no backdoors that allow this type of permission to be assigned directly in the user buffer?

 

Disclaimer!

The aim of this article is not to give an easy way to overcome rules or restrictions.

On the contrary, it is to focus on aspects, sometimes unknown, which could jeopardize the data contained in SAP systems.

In order to mitigate these risks, you must first identify and classify them.

 

How could you mitigate this risk?

Today it is unthinkable, especially for some organizations, to manually check thousands of change requests or millions of lines of code modified, developed, or imported by third parties.

We asked Antonio Piazza, Sales Manager at Virtual Forge Italia (now Onapsis), for help.

 

[Massimo] Antonio, tell us in two words who you are and what you do!

[Antonio] I have worked for more than ten years in computer security; I have been the Italian reference for Virtual Forge solutions for a year.

 

[Massimo] Antonio, in your experience, is it conceivable to control these situations manually?

[Antonio] I'd say so, but with severe limitations. For example:

  1. In this case we have mentioned only this kind of vulnerability to control, but this is not the only problem.
  2. Furthermore, how many people in SAP companies have such vertical skills?
  3. What could be the cost and, above all, the effectiveness of these checks carried out manually?

 

[Massimo] You're right. Then what do you recommend?

[Antonio] When it is not possible to carry out these controls manually, we recommend adopting our solution, the Virtual Forge Suite (now Onapsis), made up of three parts:

  1. Code Security
  2. System Security
  3. Transport Security

They are autonomous packages. They can be used individually or together. In the case of Transport Security, they allow checking all the change requests which pass through the systems, verifying their contents through a series of controls (more than 200) defined within the system.

In this way an automatic control takes place, and the operator who executes the transport immediately sees the critical issues (without having to analyze each package manually). The system also allows configuring sophisticated approval workflows.

But the circle in this case closes with Code Security, where we analyze the SAP development language looking for critical patterns. Attention: not only the code's security (e.g. directory traversal, hard-coded values, missing authority-check, command injection) but also the developments' robustness and performance.

 

[Massimo] Thank you Antonio. But do you have references in Italy?

[Antonio] Yes, we already have references. Since 2018 we have also been present in Italy, and we believe that in the coming years, as already abroad, there will be a strong need for these control tools.

[Massimo] Thank you Antonio!

 

Hey, you have come this far; what are you waiting for to verify that this has not happened in your system? You can also check retroactively, since the content of the change requests is tracked in SAP!
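The retroactive check just mentioned, and the two questions raised earlier about the content of change requests and about backdoors in custom code, can be turned into a script. The Python below is an added example written for this post; it is not Aglea's code and not the Virtual Forge/Onapsis product. It assumes the transport object list has been exported from the E071 and E071K tables into dictionaries with lower-cased field names (trkorr, pgmid, object, obj_name; trkorr, objname, tabkey), that the ABAP source of transported programs is available as text, and that the list of user/role tables and the code patterns are a constructed starting set, not the product's 200 controls. Every sample transport and source line is constructed for the example.

```python
import re
from dataclasses import dataclass

# Tables whose rows grant privileges once imported (starting list, not exhaustive).
AUTH_TABLES = {
    "AGR_USERS": "role-to-user assignment",
    "AGR_1251": "role authorization data",
    "USR04": "user master: authorization profiles",
    "UST04": "user master: profile assignment",
    "USR10": "authorization profiles",
    "UST10S": "single profiles",
    "USR02": "user logon data",
}

# Critical code patterns: a small, constructed subset of the categories named in the interview.
CODE_RULES = [
    ("command injection sink", re.compile(r"CALL\s+'SYSTEM'", re.I)),
    ("hard-coded credential", re.compile(r"\b(PASSWORD|PASSWD|PWD)\s*=\s*'[^']+'", re.I)),
    ("direct write to user/role table",
     re.compile(r"\b(INSERT|UPDATE|MODIFY|DELETE)\b[^.]*?\b(" + "|".join(AUTH_TABLES) + r")\b",
                re.I | re.S)),
]
FILE_ACCESS = re.compile(r"\bOPEN\s+DATASET\b", re.I)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.I)


@dataclass(frozen=True)
class Finding:
    trkorr: str
    obj_name: str
    rule: str
    detail: str


def check_table_entries(e071, e071k):
    """Flag R3TR TABU entries that carry rows of user/role tables."""
    keys = {}
    for k in e071k:
        keys.setdefault((k["trkorr"], k["objname"]), []).append(k["tabkey"])
    findings = []
    for e in e071:
        if e["pgmid"] == "R3TR" and e["object"] == "TABU" and e["obj_name"] in AUTH_TABLES:
            tabkeys = keys.get((e["trkorr"], e["obj_name"]), ["<no key entry>"])
            findings.append(Finding(e["trkorr"], e["obj_name"], "user/role table content",
                                    f"{AUTH_TABLES[e['obj_name']]}; keys={tabkeys}"))
    return findings


def check_source(e071, sources):
    """Scan the ABAP source of programs carried by the transport."""
    findings = []
    for e in e071:
        if e["pgmid"] != "R3TR" or e["object"] not in ("PROG", "FUGR", "CLAS"):
            continue
        src = sources.get(e["obj_name"], "")
        for rule, rx in CODE_RULES:
            for m in rx.finditer(src):
                findings.append(Finding(e["trkorr"], e["obj_name"], rule, " ".join(m.group(0).split())))
        if FILE_ACCESS.search(src) and not AUTH_CHECK.search(src):
            findings.append(Finding(e["trkorr"], e["obj_name"], "file access without AUTHORITY-CHECK",
                                    "OPEN DATASET present, no AUTHORITY-CHECK in the program"))
    return findings


def check_transport(e071, e071k, sources):
    """All findings for the given object list; an empty list means nothing was flagged."""
    return check_table_entries(e071, e071k) + check_source(e071, sources)


# Constructed sample: DEVK900101 is a plain report fix; DEVK900102 looks like
# a utility program but also ships a role-assignment row and risky code.
SAMPLE_E071 = [
    {"trkorr": "DEVK900101", "pgmid": "R3TR", "object": "PROG", "obj_name": "ZFI_REPORT"},
    {"trkorr": "DEVK900102", "pgmid": "R3TR", "object": "TABU", "obj_name": "AGR_USERS"},
    {"trkorr": "DEVK900102", "pgmid": "R3TR", "object": "PROG", "obj_name": "ZUTIL_HELPER"},
]
SAMPLE_E071K = [
    {"trkorr": "DEVK900102", "objname": "AGR_USERS", "tabkey": "100Z_ALL_POWER_ROLE           ZUSER01"},
]
SAMPLE_SOURCES = {
    "ZFI_REPORT": (
        "REPORT zfi_report.\n"
        "AUTHORITY-CHECK OBJECT 'S_DATASET' ID 'ACTVT' FIELD '33'.\n"
        "OPEN DATASET lv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.\n"
    ),
    "ZUTIL_HELPER": (
        "REPORT zutil_helper.\n"
        "DATA: password TYPE string, ls_agr TYPE agr_users, lv_cmd TYPE string.\n"
        "password = 'S3cret!'.\n"
        "INSERT INTO agr_users VALUES ls_agr.\n"
        "CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.\n"
        "OPEN DATASET lv_file FOR OUTPUT IN BINARY MODE.\n"
    ),
}

if __name__ == "__main__":
    for f in check_transport(SAMPLE_E071, SAMPLE_E071K, SAMPLE_SOURCES):
        print(f"{f.trkorr} {f.obj_name:<14} {f.rule}: {f.detail}")
```

Run over the sample, the harmless transport produces nothing, while DEVK900102 is flagged five times: once for the AGR_USERS row (the hidden assignment from the bullet list above) and four times for the helper program. Running the same functions over the object lists of transports already imported is the retroactive check the post recommends.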

 

Blog post originally translated from: https://www.aglea.com/blog/sap_all-in-produzione-senza-traccia
Topics: ABAP, secure programming, ABAP code security
