ADM900
SAP System Security Fundamentals
PARTICIPANT HANDBOOK, VIRTUAL LIVE CLASSROOM
Course Version: 10
Course Duration: 2 Day(s)
Material Number: 50117500
Duplication is prohibited.
SAP Copyrights and Trademarks
© 2013 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
● Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
● IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
● Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
● Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
● Oracle is a registered trademark of Oracle Corporation.
● UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
● Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
● HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
● Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
● SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
● Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
● Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
About This Handbook
This handbook provides you with basic information for attending your virtual live classroom session.
Adobe Connect Support Information
Web and audio support is available by:
● Pressing *0 from within the audio-conferencing
● Calling the support hotline numbers listed below
● Emailing the PGI support hotline below
Global PGI Support Hotline for SAP Education (24/7)
Tel: +1 800-368-1945
Tel: +1 719-234-7915
Note: After dialing in, press option 2 for technical support. You will then be presented with two options: press 1 for Audio support, or press 2 for Web support.
Email: [email protected]
Setting up your Learning Environment
Ideally you want to be in a private room when participating in a synchronous (live) event. In reality, you
● Create an inspirational office/studio to work in
● Use a comfortable chair
● Use well designed and functional computer peripherals
Before your online class:
● Tell co-workers you will be in class (send e-mail)
● Post a sign indicating when you will be free again (when class is over)
● Use a headset instead of your computer speakers to minimize disruption of others
● Ignore people who try to get your attention
● Turn off the ringers / alerts on telephone, pager, and cell phone
● Turn off e-mail and instant message alerts
● Remove other distractions lying on your desktop
● Keep a glass of water at your desk
Teleconferencing ground rules:
● Use the mute button or press *6
● Do not place the call on hold
● Use the "Raise hand" icon in the Attendee List: My Status to indicate you want to ask a question
● Identify yourself before speaking, when not called on
● Charge the batteries for your cordless handset
● If possible use a land line instead of your cell phone
Minimum Hardware Requirements
● PC with 1 GHz processor or higher. Minimum 1 GHz processor recommended for screen sharing. You may be asked to share your screen during the hands-on exercise portion of the virtual class.
● 17 inch or larger monitor is recommended, set at 1024 x 768. A larger monitor and the 1024 x 768 setting will make presentation and system screens easier to read.
● Phone with headset/microphone or speakerphone feature, to maximize student listening and comfort during the presentation and demonstration portions of the course.
Software Requirement
A complete list of supported operating systems, browsers, and additional requirements for Adobe® Acrobat® Connect™ can be found at: www.adobe.com/products/acrobatconnectpro/systemreqs
Sample Email to Notify Others You Are in a Virtual Class
This is a sample of an email you can send to your colleagues and manager when you are taking an online class.
Today I will be participating in an online class from my desk. I will be online from approximately 9:30 a.m. to 5:30 p.m. EST. I would appreciate it if you would not disturb me during this time. If you have an
Best regards,
Getting the Most Out of Your Session
Session Guidelines
● Participate and prepare to be called on by name.
● Use the “Raise Hand” icon if you have an immediate question or comment.
● Be patient waiting for a response to your chat messages.
● Turn off email, phones, instant messaging tools, and clear other distractions away from your training area.
● If you leave the program, please use the “Step Away” status icon in the Attendee List pod to let your instructor know when you leave and remember to clear it when you return.
About This Handbook
This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.
Typographic Conventions
American English is the standard used in this handbook. The following typographic conventions (shown as icons in the printed handbook) are also used:
● This information is displayed in the instructor’s presentation
● Demonstration
● Procedure
● Hint
● Related or Additional Information
● Facilitated Discussion
● Warning or Caution
● User interface control: Example text
● Window title: Example text
Contents
Course Overview
Unit 1: Security Fundamentals
  Lesson: Review Security Fundamentals
Unit 2: Basic User Administration AS ABAP and AS Java
  Lesson: Implementing Basic User Administration AS ABAP
  Exercise 1: Create Users in AS ABAP
  Exercise 2: Work with Roles
  Lesson: Implementing Basic User Administration AS Java
  Exercise 3: Implement User and Group Administration
Unit 3: Infrastructure Security
  Lesson: Review Network Topology
  Lesson: Enable Secure Network Communication (SNC)
  Lesson: Enable Secure Socket Layer (SSL)
Unit 4: Advanced User Administration Topics
  Lesson: Implement Central User Administration (CUA)
  Exercise 4: Distribute User Data with CUA
  Lesson: Work with Directory Services
  Lesson: Describe SAP Governance, Risk, and Compliance (GRC) 10.0
  Exercise 5: Run Reports and View Dashboards
  Lesson: Work with Identity Management
Unit 5: Single Sign-On in SAP Systems
  Lesson: Implementing Single Sign-On (SSO) in SAP Systems
  Exercise 6: Check Logon Procedure of ICF Service
  Exercise 7: Activate HTTP Security Sessions
Unit 6: Security Monitoring with SAP Solution Manager
  Lesson: Monitoring and Analyzing Security with SAP Solution Manager
Course Overview
TARGET AUDIENCE
This course is intended for the following audiences:
● Technology Consultant
● Executive
UNIT 1
Security Fundamentals
Lesson 1: Review Security Fundamentals
UNIT OBJECTIVES
● Ensure computer security
Unit 1 Lesson 1: Review Security Fundamentals
LESSON OVERVIEW
This lesson describes the security threats to a system and its security safeguards. It also explains how to categorize the security measures used to secure the system environment.
Business Example
You need a basic understanding of the security threats to a system and the security measures that should be implemented. For this reason, you require the following knowledge:
● An understanding of computer security
● An understanding of security policies
● An understanding of security measures and the necessary steps to establish a secure system environment
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Ensure computer security
Introductions
Instructor Introduction
Student Introduction
● Your name and company name
● Part of business and project you represent
● SAP release currently implemented or implementing
● Status of project
● What products or services your company provides
● Class expectations
Session Best Practices
● Phones
- Place your phone on mute except when talking to the instructor to eliminate background noise for other participants
- Access email and web sites only during breaks and after completion of exercises
● Managing Questions:
- Use the Q and A pod to ask questions electronically
- Review the Ask a Question icon in My Status
- Ask for verbal questions at different points in lecture and demonstrations
- Some questions will be parked until later
● Discussions on the Phone:
- Instructor will act as a moderator
- Speak clearly and loud enough so everyone can hear
- Only one conversation at a time
More Session Best Practices
● Be prompt returning from breaks and lunch
- Restart times will be posted in the meeting room
● Be considerate of and respect your fellow students
- Remember every person learns at a different speed
- Remember each student in class has a different SAP experience level
Additional Information
Documentation Website: http://help.sap.com
PGI Support Contact Information:
● Press *0 from within the audio conference
● Mail to: [email protected]
● PGI Support hotline numbers: 1-800-368-1945 OR 1-800-234-7915
Note: Press option 2 for technical support and then press 1 for audio support or 2 for web support
Computer Security Concepts
Safeguards, threats, and goals are closely related. Threats compromise certain security goals, whereas safeguards protect your system against certain threats. As a result, when implementing security, you need to consider the safeguards with reference to the goals and the threats.
Security requirements for sensitive business data arise for the following reasons:
● Protection of intellectual property
● Legal issues and contracts
● Trust relationship with business partners
● Continuous business operations
● Protection of image
● Correctness of data
Security can also optimize administration processes, for example:
● Reduce the number of password resets by using Single Sign-On (SSO)
● Use digital signatures for approval processes
Some interesting facts from the 2010/2011 Computer Crime and Security Survey conducted by the Computer Security Institute (CSI):
● Malware infection continued to be the most commonly seen attack, with 67.1 percent of respondents reporting it.
● Respondents reported markedly fewer financial fraud incidents than in previous years, with only 8.7 percent of respondents saying they had seen this type of incident during the covered period.
● Of the approximately half of respondents who experienced at least one security incident last year, fully 45.6 percent of them reported they had been the subject of at least one targeted attack.
● Respondents said that regulatory compliance efforts have had a positive effect on their security programs.
● By and large, respondents did not believe that the activities of malicious insiders accounted for much of their losses due to cybercrime. 59.1 percent believe that no such losses were due to malicious insiders. Only 39.5 percent could say that none of their losses were due to non-malicious insider actions.
● Slightly over half (51.1 percent) of the group said that their organizations do not use cloud computing. Ten percent, however, say their organizations not only use cloud computing, but have deployed cloud-specific security tools.
The source of the data is CSI (http://www.gocsi.com). The aim of this survey is to raise the level of security awareness, as well as to help determine the scope of computer crime in the United States.
System Security Goals
The following goals are achieved through security measures:
● Availability
● Authentication
● Authorization
● Confidentiality
● Integrity
● Non-repudiation
In detail, these goals entail:
● Availability: Availability ensures that users can access their resources whenever they need them. When determining your requirements with reference to the availability of resources, consider the costs that result from unplanned downtime, for example, loss of customers, costs for unproductive employees, and overtime. Some damage cannot fully be expressed in terms of money, for example, loss of reputation.
● Authentication: Authentication establishes the real identity of the user. You can use the following authentication mechanisms in a system environment:
- Authentication using user ID and password
- Authentication using a smart card
- Authentication using a smart card and PIN
● Authorization: Authorization defines the rights and privileges of the identified user and determines the functions that a user can access. The application must be programmed to check whether a user is authorized before that user can access a particular function; an authorization that is never checked protects nothing.
● Confidentiality: Confidentiality ensures that the user’s data and communication are kept confidential. Information and services need to be protected from unauthorized access. The authorizations to read, change, or add information or services must be granted explicitly and only to the few users who need them; all other users must be denied access. Information posted on the Internet is no longer confidential.
● Integrity: Integrity ensures that information, whether transmitted or stored, has not been altered. Programs and services should execute as intended and provide accurate information. As a result, unauthorized people, programs, or hardware components must not be able to modify programs, services, or data.
● Non-repudiation: Repudiation is denying that you have done something, whereas non-repudiation ensures that people cannot deny their actions, for example by binding an action to a digital signature that only the signer could have produced.
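An added example, not part of the handbook, of what “the application must be programmed to check” looks like in code. It models an authorization check in the style of an SAP authorization object: an authorization names an object and the field values it grants, a trailing * is a generic value, and the check succeeds only if one single authorization covers every requested field. The object S_USER_GRP and its fields CLASS (user group) and ACTVT (activity) follow the real SAP object; the users, roles, activity codes in the comments, and helper names are constructed for the example and are not the handbook’s own material.

```python
from fnmatch import fnmatchcase

# Constructed test data (assumption, not the handbook's): the roles each user
# holds, and the authorizations each role contains. An authorization is
# (object, {field: set of granted values}); a value ending in "*" is generic.
USERS = {
    "alice": ["Z_USER_ADMIN_DEV"],
    "bob": ["Z_USER_DISPLAY"],
}
ROLES = {
    # Create (01), change (02), display (03) and delete (06) users in user
    # groups whose name starts with DEV.
    "Z_USER_ADMIN_DEV": [
        ("S_USER_GRP", {"CLASS": {"DEV*"}, "ACTVT": {"01", "02", "03", "06"}}),
    ],
    # Display-only access to users in any user group.
    "Z_USER_DISPLAY": [
        ("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"03"}}),
    ],
}


def value_allowed(granted, value):
    """True if `value` matches one of the granted values ("*" is a wildcard)."""
    return any(fnmatchcase(value, pattern) for pattern in granted)


def authority_check(user, obj, **fields):
    """Succeed only if a single authorization for `obj` held by the user covers
    every requested field value. Values are never pooled across two
    authorizations, and a field the authorization does not grant at all fails
    the check, so a user with display-on-everything plus change-on-DEV does not
    end up with change-on-everything."""
    for role in USERS.get(user, []):
        for auth_obj, auth_fields in ROLES.get(role, []):
            if auth_obj != obj:
                continue
            if all(value_allowed(auth_fields.get(field, ()), value)
                   for field, value in fields.items()):
                return True
    return False


def change_user_group(actor, old_group, new_group):
    """Application function with the check in front of the work. Both the
    group the user is in and the group it moves to are checked for change
    authority (assumed rule for this example)."""
    if not authority_check(actor, "S_USER_GRP", CLASS=old_group, ACTVT="02"):
        raise PermissionError(f"{actor} may not change users in group {old_group}")
    if not authority_check(actor, "S_USER_GRP", CLASS=new_group, ACTVT="02"):
        raise PermissionError(f"{actor} may not move users into group {new_group}")
    return f"user moved from {old_group} to {new_group} by {actor}"


if __name__ == "__main__":
    print(authority_check("alice", "S_USER_GRP", CLASS="DEV01", ACTVT="02"))  # True
    print(authority_check("bob", "S_USER_GRP", CLASS="PRD01", ACTVT="02"))    # False
    print(change_user_group("alice", "DEV01", "DEV02"))
    try:
        change_user_group("alice", "DEV01", "PRD01")
    except PermissionError as err:
        print("denied:", err)
```

Two details matter in practice. The check sits at the start of the application function, before any work is done, which is the point the lesson makes about programming the check rather than relying on the menu. And the field values are matched per authorization rather than pooled, so holding two partial authorizations does not add up to a broader one.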
Security Threats and Goals
Figure 1: Security Threats and Goals
The threats shown in the figure are only a set of commonly known threats. A major security threat is social engineering, where sensitive information is given away casually or picked up without going through the correct channels.
Case Study: Social Engineering Threats
The case study shows why proper procedures must be maintained for a secure environment. A security consultant was asked to visit a large company and evaluate its security lapses. The man with whom the consultant was supposed to work was quite busy and left the consultant alone, saying he would be back soon. After an hour, the consultant walked down to the computer room but could not get in because it was a secure room. When another employee arrived and swiped his own access card, the consultant was let into the computer room (a lapse known as tailgating). While inside the secure room, the consultant saw a note card next to the terminal with the administrator password written on it; he logged on to the server. The consultant worked on the computer for about 45 minutes. Then, an employee said that he and his coworkers were going out to lunch. The consultant was left alone in the computer room for another hour. The security consultant finished his work and returned to the desk of the man with whom he was supposed to work. The man was apologetic and asked the consultant to return the next day. The security consultant replied that he was already finished working and that the company had numerous security lapses.
When considering security, do not think only of system attacks. Any untrained employee can also be a risk by performing unexpected or inappropriate system activities.
Examples of security threats:
● Accidents: Unexpected system activities may occur if the system is handled by an inexperienced employee.
● Environmental threats: Environmental threats, such as earthquakes, might compromise the availability of the system.
● System penetration: Systems are penetrated when an unauthorized person gains access to them, for example by guessing accounts and passwords.
● Authorization violation: A person can violate authorizations and penetrate a system by misusing authorizations that were allocated to them or stolen from someone else. Some authorizations allow access to the operating system, which in turn allows the transport of information and access to other operating system functions.
● Planting of programs: A hacker may gain access to a system and plant a program that provides later access to the computer. For example, a hacker might modify program source code to create a new user for breaking into the system, or plant a program that eavesdrops without being detected.
● Tampering of data: This occurs when a hacker takes over a connection and communicates with both the client and the server (a man-in-the-middle position). After the hacker has taken over the connection, the hacker can change the data in transit.
● Code injection: The dynamic nature of websites causes security holes which can be used to gain elevated access to sensitive page content, session cookies, and a variety of other information maintained by the browser. Cross Site Scripting (XSS) attacks are a special form of code injection: attacker-supplied script is placed into a page and executed by other users’ browsers. Another code injection technique is Structured Query Language (SQL) injection. An SQL injection attack consists of the insertion or injection of SQL through the input data sent from the client to the application, so that the input is interpreted as part of the query rather than as data.
● Denial of service: A denial of service attack brings down the server and makes it unavailable. There are several ways to make a server unavailable, such as cutting the network cable, physically destroying the server, or unplugging the server from the network.
● Repudiation: A buyer could repudiate the fact that he or she purchased an item from an online store.
● Message flooding: A hacker can deny service by flooding the system with messages so that the system cannot respond.
● Masquerading: A person can masquerade as another user.
● Spoofing: Programs can be written to modify the source Internet Protocol (IP) address of a Transmission Control Protocol/Internet Protocol (TCP/IP) packet and trick the network, because the true IP identity is concealed and the packet looks as if it is coming from within the network. This process is known as spoofing.
● Buffer overflow: An application can receive more data, or data in a different form, than it is prepared to receive. If the application writes that data past the end of the memory buffer reserved for it, the result is unpredictable behavior, and in the worst case an attacker can use it to run code of their choosing on the server. This is known as a buffer overflow.
● Phishing: Acquiring sensitive information such as usernames, passwords, or credit card details by masquerading as a trustworthy entity is known as phishing.
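An added example, not part of the handbook, of the two injection techniques described above in running code. Python’s built-in sqlite3 module plays the database and html.escape does the output encoding; the users table, the accounts in it, and the function names are constructed for the example. The same login is written twice, once with the client input pasted into the SQL text and once with bound parameters, followed by the same greeting page written with and without output encoding.

```python
import html
import sqlite3


def build_db():
    """Constructed sample data (not from the handbook). A real system stores
    password hashes, not passwords; the toy table keeps the query simple."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Client input is pasted into the SQL text, so it can change the query.
    With name = "alice' --" the statement becomes
        SELECT name FROM users WHERE name = 'alice' --' AND password = '...'
    and everything after -- is a comment: the password check is gone."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, name, password):
    """Bound parameters: the driver passes the input as data, so a quote or a
    comment marker inside it can never become part of the SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def greeting_vulnerable(username):
    """Reflected XSS: the value lands in the HTML unchanged, so the browser
    executes any <script> element the client supplied."""
    return "<p>Welcome, %s</p>" % username


def greeting_escaped(username):
    """Output encoding: <, >, &, and quotes become entities, so the browser
    shows the text instead of interpreting it as markup."""
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


if __name__ == "__main__":
    db = build_db()
    payload = "alice' --"
    print("concatenated query, no password:", login_vulnerable(db, payload, "wrong"))
    print("parameterized query, no password:", login_parameterized(db, payload, "wrong"))
    xss = "<script>alert(document.cookie)</script>"
    print(greeting_vulnerable(xss))
    print(greeting_escaped(xss))
```

Run stand-alone, the script shows that the payload alice' -- logs in as alice without a password through the concatenated query and is rejected by the parameterized one, and that the escaped greeting turns <script> into &lt;script&gt; so the browser displays it as text. The rule is the same in both halves: keep data and code on separate channels (bound parameters for SQL, entity encoding for HTML) instead of trying to filter dangerous characters out of the input.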
Threats in Client-Server Communication
Figure 2: Threats in Client-Server Communication
Due to the open and exposed communication architecture, client-server communication is vulnerable to attacks. The client communicates with the server across the network, where attackers can eavesdrop, capture, and manipulate data. At the back-end system, applications and the operating system may contain security holes that attackers can take advantage of. The threats shown in the figure also apply to the client. In most cases, clients are more difficult to control than servers.
Communication in Open Networks
Figure 3: Communication in Open Networks
On the Internet, there are several threats to consider because there are various components over which you have no control:
● Network components of the Internet Service Provider (ISP)
● Domain Name System (DNS) servers
● Landscape of the communication partner
Threats in the digital world are similar to threats in the real world and just as dangerous. Threats in the digital world are dangerous for the following reasons:
● The attacks can be automated.
● The attacks can be executed remotely.
● The attacks can be performed by people with little knowledge of technology.
Security Safeguards
Figure 4: Safeguards
The figure shows a list of security safeguards.
Types of Security Safeguards
Figure 5: Types of Security Safeguards
Security safeguards can be categorized as follows:
● Technical safeguards, such as firewalls, cryptographic algorithms, and certificates
● Organizational safeguards, such as rules or guidelines
● Physical safeguards, such as fire detection, secured rooms, and buildings
To prevent physical damage, you should establish the following measures:
● Secure the buildings
● Secure the server rooms
● Lock the servers
● Use underground wires
● Install security cameras around the building
● Define policies to lock doors
Technical Safeguards
Figure 6: Technical Safeguards
There are measures available for most of the threats described earlier. The figure does not represent all the possible threats and measures; it shows an example of how you can use security measures against various potential threats. An important aspect of technical security is to regularly install the security patches for applications and operating systems that vendors provide. A vendor fix closes a security hole only once it has been applied, so customers and users still need to update their systems regularly.
Security Policies
Figure 7: Security Policies
A company or an organization needs to define a general security policy. From this general security policy, a detailed IT security policy is derived. The documents that describe the security configuration of specific components in the system landscape are then created from the IT security policy.
Security Implementation Cycle
Figure 8: Security Implementation Cycle
The figure shows how you can implement security. Analyze the risks to determine the security requirements, and then look at the threats that are relevant. Determine the vulnerability to those threats and the appropriate safeguards against them.
As part of the risk analysis, conduct the following activities:
● Determine your security requirements with reference to availability, confidentiality, and integrity of data.
● Identify the threats that could compromise your security.
● Determine the relevance of each threat to your company (vulnerability).
● Determine the measures or safeguards to protect your system (after you know the risks).
● Measure the risk associated with a threat and the cost of securing your system against it. As a result, you can make a cost-benefit analysis.
The risk analysis process leads to creating Standard Operating Procedures (SOPs) and implementing safeguards. Prioritize the safeguards if there are constraints against implementing all of them at one time. The security implementation cycle continues with monitoring, implementation, and education. This is not a linear process but a circular one with continuous enhancements. System upgrades and landscape changes mean that you must adapt your security measures accordingly and continuously.
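An added example, not part of the handbook, of the cost-benefit step of the risk analysis: a small risk register that turns the threats, their likelihood and loss, and the candidate safeguards into a prioritized list that fits a budget. All figures, threat names, safeguard names and the greedy ranking rule are constructed assumptions; the point is the procedure (expected annual loss per threat, annual benefit per safeguard, benefit per unit of cost), not the numbers.

```python
# Constructed risk register with illustrative figures (assumptions, not data
# from the handbook). The expected annual loss (EAL) of a threat is how often
# it is expected per year times the loss per incident. A safeguard's annual
# benefit is the EAL it removes; benefit per unit of cost drives the ranking.
THREATS = {
    "system penetration":          {"per_year": 0.5,  "loss_per_incident": 200_000},
    "denial of service":           {"per_year": 2.0,  "loss_per_incident": 20_000},
    "fire in server room":         {"per_year": 0.02, "loss_per_incident": 1_000_000},
    "accidents by untrained staff": {"per_year": 4.0, "loss_per_incident": 5_000},
}

# Each safeguard: annual cost and the fraction of each threat's EAL it removes.
SAFEGUARDS = [
    {"name": "smart card + PIN logon", "cost": 30_000,
     "reduces": {"system penetration": 0.7}},
    {"name": "firewall + patch management", "cost": 25_000,
     "reduces": {"system penetration": 0.4, "denial of service": 0.5}},
    {"name": "fire detection and suppression", "cost": 15_000,
     "reduces": {"fire in server room": 0.8}},
    {"name": "administrator training", "cost": 8_000,
     "reduces": {"accidents by untrained staff": 0.6}},
    {"name": "24/7 armed guards", "cost": 120_000,
     "reduces": {"system penetration": 0.1}},
]


def expected_annual_loss(threat_name):
    """EAL = expected incidents per year * loss per incident."""
    t = THREATS[threat_name]
    return t["per_year"] * t["loss_per_incident"]


def annual_benefit(safeguard):
    """EAL removed by the safeguard, summed over the threats it addresses."""
    return sum(fraction * expected_annual_loss(name)
               for name, fraction in safeguard["reduces"].items())


def prioritize(safeguards, budget):
    """Greedy selection: rank by benefit per unit of cost, drop safeguards
    that cost more than they save, take the best ones that fit the budget.
    Returns (chosen safeguard names in rank order, total spent).
    Simplification: benefits are computed per safeguard, so two safeguards
    on the same threat can together claim more than its EAL; a real
    analysis models that overlap."""
    ranked = sorted(safeguards,
                    key=lambda s: annual_benefit(s) / s["cost"], reverse=True)
    chosen, spent = [], 0
    for s in ranked:
        if annual_benefit(s) <= s["cost"]:
            continue  # never worth it, at any budget
        if spent + s["cost"] <= budget:
            chosen.append(s["name"])
            spent += s["cost"]
    return chosen, spent


if __name__ == "__main__":
    for name in THREATS:
        print(f"{name}: EAL {expected_annual_loss(name):,.0f}")
    for s in SAFEGUARDS:
        print(f"{s['name']}: cost {s['cost']:,}, benefit {annual_benefit(s):,.0f}")
    print("budget 60,000 ->", prioritize(SAFEGUARDS, 60_000))
    print("unlimited     ->", prioritize(SAFEGUARDS, 10**9))
```

A safeguard whose annual benefit is below its cost is dropped regardless of budget (the guards in the register), and when the budget is tight the cheaper safeguard that covers two threats ranks above the single strongest one. The register deliberately leaves out interactions between safeguards that address the same threat; a real analysis revisits those, and the whole register, on each turn of the implementation cycle.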
Note: Security is an on-going process. You need to reassess your security policy regularly.
INTERACTIVE ELEMENT: Breakout Rooms
1. List the security measures implemented in your system environment.
LESSON SUMMARY
You should now be able to:
● Ensure computer security
Unit 1 Learning Assessment
1. Employee X works in ABC Company and meets employee Y who works in PQR Company. They discuss some internal issues of ABC Company. Which threat does employee X pose to ABC Company?
Choose the correct answer.
A Spoofing
B Code injection
C Social engineering
D Authorization misuse
2. _________ is a process to modify the Internet Protocol (IP) address of the source of the Transmission Control Protocol/Internet Protocol (TCP/IP) packet.
Choose the correct answer.
A Structured Query Language (SQL) injection
B Cross Site Scripting (XSS)
C Spoofing
D Message flooding
3. What are the various reasons for implementing security?
4. List the measures that you can take to prevent physical damage to systems.
5. Identify five threats to system security.
6. List the categories of security safeguards. Give examples for each category.
Unit 1 Learning Assessment - Answers
1. Employee X works in ABC Company and meets employee Y who works in PQR Company. They discuss some internal issues of ABC Company. Which threat does employee X pose to ABC Company?
Choose the correct answer.
A Spoofing
B Code injection
C Social engineering (correct)
D Authorization misuse
2. _________ is a process to modify the Internet Protocol (IP) address of the source of the Transmission Control Protocol/Internet Protocol (TCP/IP) packet.
Choose the correct answer.
A Structured Query Language (SQL) injection
B Cross Site Scripting (XSS)
C Spoofing (correct)
D Message flooding
3. What are the various reasons for implementing security?
Some reasons to implement security are: protection of intellectual property, legal issues and contracts, trust relationship with business partners, continuous business operations, protection of company image, and correctness of data.
4. List the measures that you can take to prevent physical damage to systems.
Some measures that you can take to prevent physical damage to systems are: secure the buildings, secure the server rooms, lock the servers, use underground wires, install security cameras around the building, and define policies to lock doors.
5. Identify five threats to system security.
Some threats to system security are: system penetration, authorization violation, planting of programs, denial of service, and repudiation.
6. List the categories of security safeguards. Give examples for each category.
Categories of security safeguards are: technical safeguards such as firewalls, organizational safeguards such as rules or guidelines, and physical safeguards such as fire detection.
UNIT 2
Basic User Administration AS ABAP and AS Java
Lesson 1: Implementing Basic User Administration AS ABAP
Exercise 1: Create Users in AS ABAP
Exercise 2: Work with Roles
Lesson 2: Implementing Basic User Administration AS Java
Exercise 3: Implement User and Group Administration
UNIT OBJECTIVES
● Implement user administration concept
● Describe the authorization concept
● Change login parameters and user information
● Configure the User Management Engine (UME)
● Describe user and group administration
● Explain Java authorization concept
Unit 2 Lesson 1: Implementing Basic User Administration AS ABAP
LESSON OVERVIEW
This lesson explains the implementation of user administration in Application Server ABAP (AS ABAP).
Business Example
The users of the SAP system require user IDs with the appropriate authorizations to log on to the system. As an administrator, you need to set up user IDs for each user in the system. For this reason, you require the following knowledge:
● An understanding of user administration
● An understanding of user types and user groups
● An understanding of authorization objects and authorization checks
● An understanding of menus and authorizations in role maintenance
● An understanding of users and roles
● An understanding of login parameters
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Implement user administration concept
● Describe the authorization concept
● Change login parameters and user information
Lesson: Implementing Basic User Administration AS ABAP
Basics of User Administration
Figure 9: Users in the SAP Environment

In an SAP environment, the term user usually means user ID. People log on to operating systems, databases, or the SAP system using a user/password combination. Operating systems, databases, and SAP systems usually have different authorization concepts. If a user name and password combination is created in an SAP system for a user, this does not mean that it is possible to log on to the operating system of a host with the same user name and password combination. However, it is possible that identical user name and password combinations are created for SAP systems and operating systems.

Note: SAP work processes process the user requests. All these work processes use a common user to access the database. This lesson deals exclusively with SAP users that are used to log on to a client of an ABAP-based SAP system. Users and authorization data are client dependent. Access to the operating system level of the application server and database server must be protected. Otherwise, it might not be possible to use the SAP systems or the data could be damaged.

Users and Authorizations

The concepts of user master record and authorization are important to obtain a better understanding of SAP systems.

Figure 10: Users and Authorizations

You can log on to a client of an SAP system if you know the user name and password of a user master record, and if the user type is authorized for the logon type. For example, it is not possible to log on with a communication or system user in the dialog process. In an SAP system, there is an authorization check every time a transaction is called. If you attempt to start a transaction for which you are not authorized, the system rejects the transaction call and displays an appropriate error message. If you start a transaction for which you have authorization, the system displays the initial screen of this transaction. Depending on the transaction called, you enter data and perform actions on this screen. There may be additional authorization checks to protect the data and actions.
User Master Record

Figure 11: User Master Record

User authorizations are assigned using roles (and sometimes through manual profiles, for example, SAP_NEW). The authorizations are combined in roles and the roles are entered in the user master record.

User Type

Figure 12: User Types

The user type is an important property of a user. The following user types are available for different purposes:
● Dialog
The Dialog user type is used for all logon types by just one person. During a dialog logon, the system checks for expired or initial passwords, and the user has the opportunity to change his or her password. Multiple dialog logons are checked and logged in the system.
● System
The System user type is used for dialog-free communication within a system, for background processing within a system, or for Remote Function Call (RFC) users for various applications. The applications accessed using RFC include Application Link Enabling (ALE), Workflow, Transport Management System, and Central User Administration. It is not possible to use this type of user for a dialog logon. Users of this type are exempt from the usual settings for the validity period of a password. Only user administrators can change the password.
Note: For more information about the incorrect user type for the UME communication user, see SAP Note 622464.
● Communications Data
The Communications Data user type is used for dialog-free communication between systems. It is not possible to use this type of user for a dialog logon. The usual settings for the validity period of a password apply to users of this type.
● Service
The Service user type is a dialog user that is available to a larger, anonymous group of users. In general, you should assign only highly restricted authorizations to users of this type. Service users are used, for example, for anonymous system access using an Internet Transaction Server (ITS) or Internet Communication Framework (ICF) service. The system does not check for expired or initial passwords during logon. Only the user administrator can change the password. Multiple logons are permitted.
● Reference
The Reference user type is a general user and is not specific to a particular person. It is similar to the service user. You cannot use a reference user to log on. A reference user is used only to assign additional authorizations. You can assign a reference user to a dialog user using the Roles tab page.

User Group

User groups are used to distribute user maintenance among several user administrators or for mass maintenance of user data. A user group for authorization checks is required if you want to divide user maintenance among several user administrators. Only the administrator who has the authorization for this group can maintain users of this group. If you leave the field empty, the user is not assigned to any group. This means that any user administrator allowed to maintain any group can maintain the user. This assignment is part of the logon data in the user master record. For mass maintenance of user data (transaction SU10), users can be assigned to a user group on the Groups tab page. Assignments that you make on the Groups tab page are not used for the authorization checks that are specified on the Logon Data tab page using the User Group field. This is purely a grouping that is suitable for mass maintenance. User groups can be created in transaction Maintain User Groups (SUGR).
INTERACTIVE ELEMENT: Chat
1. Take 5 minutes and write some responses to the following question in your Participant Handbook: What are the different user types available in the SAP system and for what purpose are they used?
User Maintenance

To start user maintenance (transaction SU01), choose Tools

● Logon data
This tab page contains details such as password, validity period of the user, and user type. For further information about the password rules for special users, see SAP Note 622464.
● Secure Network Communications (SNC)
This tab page contains the security functions (external product) that are not directly available, but have been prepared in SAP systems. Note the usage regulations for the country in which you want to use this function.
Hint: The SNC tab page is not automatically displayed in every version of transaction SU01. This depends on the product/system/release and the Support Package (SP) level. This tab page becomes visible when you are using SNC and have activated the profile parameter snc/enable. For more information about using network security products, see SAP Note 66687.
● Defaults
This tab page displays the default values, such as the default printer and the logon language.
● Parameters
This tab page displays the user-specific values for standard fields in SAP systems.
● Roles and Profiles
This tab page displays the roles and profiles assigned to the user.
● Groups
This tab page is used for grouping users for mass maintenance.
● Personalization
This tab page is used for applying personal settings. Some transactions require personal settings that affect the appearance of a particular transaction code. These settings can be stored (prepopulated) using personalization objects on this tab page.
Note: The SAP application developer decides whether and when the personalization functions are available. There is no special Customizing switch that the customer has to activate. For SAP programs, any subsequent programming of this function is always a modification. As a result, subsequent programming of this function is rarely implemented in practice.
● License Data
This tab page is used to specify the contractual user type of the user. The license data is required for system measurement.

When creating a user, you must maintain at least the following input fields:
● Last name on the Address tab page
● Initial password and identical repetition of password on the Logon Data tab page
Unit 2 Exercise 1 Create Users in AS ABAP

Business Example
You need to create new users. Create a user in client 100 with the name ADMIN<##>, where <##> is your group number.
1. Log on to client 100 in your SAP system, and create a user (master record) with the name ADMIN<##>.
2. Maintain the first and last names of the user.
3. Assign the user an initial password. Make sure that you use the correct upper and lower case. Assign the user to the User Group for Authorization Check SUPER.
4. Enter a default value for the logon language for the user (for example, EN or DE).
5. Save the user master record.

Unit 2 Solution 1 Create Users in AS ABAP

Business Example
You need to create new users. Create a user in client 100 with the name ADMIN<##>, where <##> is your group number.
1. Log on to client 100 in your SAP system, and create a user (master record) with the name ADMIN<##>.
a) Run transaction SU01.
b) On the User Maintenance: Initial Screen, enter the name ADMIN<##> in the User field, and choose the Create pushbutton.
2. Maintain the first and last names of the user.
a) On the Address tab page, enter the names in the Last name and First name fields.
3. Assign the user an initial password. Make sure that you use the correct upper and lower case. Assign the user to the User Group for Authorization Check SUPER.
a) On the Logon Data tab page, enter the password in the Initial password field.
b) Enter the password again in the Repeat password field.
c) Enter SUPER in the User group field.
4. Enter a default value for the logon language for the user (for example, EN or DE).
a) On the Defaults tab page, enter EN for English or DE for German in the Logon Language field.
5. Save the user master record.
a) Save the changes.
Authorization Objects and Authorization Checks

To understand the ABAP authorization concept, you must have some knowledge of roles and authorization profiles in the user master record. You also need to understand how to create your own roles and authorizations.

Figure 13: Authorization Object

In an ABAP-based SAP system, authorization objects protect actions and access to data. The authorization objects are delivered by SAP and are in SAP systems. To provide a better overview, authorization objects are divided into various object classes. Authorization objects allow complex checks that involve multiple conditions. The conditions allow a user to perform an action. The conditions are specified in authorization fields for the authorization objects and are AND linked for the check. Authorization objects and their fields have descriptive and technical names. In the example shown in the figure, the authorization object User Master Maintenance: User Groups (technical name: S_USER_GRP) contains two fields, Activity (technical name: ACTVT) and User Group in User Master Record (technical name: CLASS). The authorization object S_USER_GRP protects the user master record. An authorization object can include up to 10 authorization fields.

An authorization is always associated with exactly one authorization object and contains the values for the fields of that authorization object. An authorization is a permission to perform a certain action in the SAP system. The action is defined on the basis of the values for the individual fields of an authorization object. For example, Authorization B in the figure for the authorization object S_USER_GRP allows the display of all user master records that are not assigned to the user group SUPER. Authorization A, however, allows the display of records for this user group. There can be multiple authorizations for one authorization object. SAP delivers some authorizations, but most authorizations are created specifically for the customer's requirements.

Authorization Check

Figure 14: Authorization Check

When a user logs on to a client of an SAP system, his or her authorizations are loaded in the user context. The user context is in the user buffer (in the main memory, query using transaction SU56) of the application server.

When the user calls a transaction, the system checks whether the user has an authorization in the user context that allows him or her to call the selected transaction. Authorization checks use the authorizations in the user context. If you assign new authorizations to the user, it may be necessary for this user to log on to the SAP system again to be able to use these new authorizations. (For more information, see SAP Note 452904 and the documentation for the parameter auth/new_buffering.) If the authorization check for calling a transaction was successful, the system displays the initial screen of the transaction. Depending on the transaction, the user can create data or select actions. When the user completes his or her dialog step, the data is sent to the dispatcher, which passes it to a dialog work process for processing. Authority checks (AUTHORITY-CHECK) that are evaluated at runtime in the work process are built into the coding by the ABAP developers for the data and actions that are to be protected. If the user context contains all required authorizations for the checks (return code = 0), the data and actions are processed and the next screen is displayed. If even one authorization is missing, the data and actions are not processed and the user receives a message that his or her authorizations are insufficient. The value of the return code controls this step. In this case, the value of the return code is not equal to 0.

All authorizations are permissions. There are no authorizations for prohibiting. Everything that is not explicitly allowed is forbidden. You can call this a positive authorization concept.
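The following Python model is an added example, not code from the handbook or from SAP. It simulates how an AUTHORITY-CHECK is evaluated against the authorizations in a user context: the fields of one authorization are AND-linked, several authorizations for the same object are alternatives, and anything not explicitly allowed fails. The object S_USER_GRP with the fields ACTVT and CLASS comes from the text; the authorization names, user contexts, field values and the transaction-code object are constructed for the example, and the return codes 0, 4 and 12 follow the sy-subrc convention of the ABAP statement.

```python
"""Model of the positive authorization concept described above.

Added illustration, not SAP code: it simulates how an AUTHORITY-CHECK is
evaluated against the authorizations in a user context. The object
S_USER_GRP with its fields ACTVT and CLASS comes from the text; the user
contexts, authorization names and field values below are constructed.
"""
from fnmatch import fnmatchcase

# Return codes modelled on sy-subrc after the ABAP statement AUTHORITY-CHECK.
RC_OK = 0           # an authorization covers every checked field
RC_NO_VALUES = 4    # user has the object, but no authorization with these values
RC_NO_OBJECT = 12   # user has no authorization for this object at all

# Standard activity codes used in the field ACTVT.
CREATE, CHANGE, DISPLAY, DELETE = "01", "02", "03", "06"


def field_allows(allowed_values, requested):
    """One authorization field. Entries are single values, '*' patterns
    (full value or trailing wildcard, e.g. 'FI*') or (low, high) intervals."""
    for entry in allowed_values:
        if isinstance(entry, tuple):
            low, high = entry
            if low <= requested <= high:
                return True
        elif fnmatchcase(requested, entry):
            return True
    return False


def authority_check(user_context, obj, **fields):
    """Evaluate one check. Fields within an authorization are AND-linked;
    several authorizations for the same object are alternatives (OR).
    Anything not explicitly allowed fails: there is no 'deny' authorization."""
    authorizations = user_context.get(obj)
    if not authorizations:
        return RC_NO_OBJECT
    for auth_values in authorizations.values():
        if all(field_allows(auth_values.get(name, []), value)
               for name, value in fields.items()):
            return RC_OK
    return RC_NO_VALUES


# Constructed user contexts: object -> {authorization name -> {field -> allowed values}}.
# The administrator holds two authorizations for S_USER_GRP: display of all groups,
# and create/change/delete (ACTVT interval 01..06) restricted to the FI* groups.
ADMIN_CONTEXT = {
    "S_USER_GRP": {
        "Z_USR_DISP_ALL": {"ACTVT": [DISPLAY], "CLASS": ["*"]},
        "Z_USR_MAINT_FI": {"ACTVT": [(CREATE, DELETE)], "CLASS": ["FI*"]},
    },
    "S_TCODE": {"Z_TCD_USERADM": {"TCD": ["SU01", "SU10", "PFCG"]}},
}
# A help desk user may only display two named groups, never SUPER.
HELPDESK_CONTEXT = {
    "S_USER_GRP": {
        "Z_USR_DISP_FI_HR": {"ACTVT": [DISPLAY], "CLASS": ["FI01", "HR01"]},
    },
}


def demo():
    """Run the checks a user maintenance transaction would perform."""
    return {
        "admin displays SUPER": authority_check(ADMIN_CONTEXT, "S_USER_GRP", ACTVT=DISPLAY, CLASS="SUPER"),
        "admin changes FI01": authority_check(ADMIN_CONTEXT, "S_USER_GRP", ACTVT=CHANGE, CLASS="FI01"),
        "admin changes SUPER": authority_check(ADMIN_CONTEXT, "S_USER_GRP", ACTVT=CHANGE, CLASS="SUPER"),
        "helpdesk displays FI01": authority_check(HELPDESK_CONTEXT, "S_USER_GRP", ACTVT=DISPLAY, CLASS="FI01"),
        "helpdesk displays SUPER": authority_check(HELPDESK_CONTEXT, "S_USER_GRP", ACTVT=DISPLAY, CLASS="SUPER"),
        "helpdesk starts SU01": authority_check(HELPDESK_CONTEXT, "S_TCODE", TCD="SU01"),
    }


if __name__ == "__main__":
    for check, rc in demo().items():
        print(f"{check:26s} -> sy-subrc {rc}")
```

Note that the administrator's request to change the group SUPER fails with 4 even though one authorization covers ACTVT 02 and another covers CLASS SUPER: the two conditions are only AND-linked inside a single authorization, never combined across authorizations.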
Role Maintenance – Menus and Authorizations

Figure 15: Role Maintenance

Role maintenance (transaction PFCG, previously also called Profile Generator) simplifies the creation of authorizations and their assignment to users. In role maintenance, the transactions that belong together from the company's point of view are selected. Role maintenance creates authorizations with the required field values for the authorization objects that are checked in the selected transactions. A role can be assigned to various users. Changes to a role, therefore, have an effect on multiple users. Users can be assigned various roles.

Menu Layout

Figure 16: Menu Layout

The user menu comprises role menu(s) and contains entries that are assigned to the user through the roles. Examples of such entries include transactions, URLs, and reports. You can access role maintenance with transaction PFCG or by choosing Tools → Administration → User Maintenance → Role Administration → Roles. Enter the name of the role, and choose Create or Change. Choose the Menu tab page. Select and change functions by adjusting the menu tree for the individual roles, as required. You can also insert or delete transactions into or from the tree structure. By choosing the function Report in the dropdown menu of the Insert pushbutton, you can integrate reports. In this case, role maintenance creates transaction codes (if they do not already exist) with which the reports can be called. By choosing the function Web address or file in the dropdown menu of the Insert pushbutton, you can add Internet addresses or links to files (such as tables or text files). When integrating files, you must use storage paths instead of URLs. You can also specify Business Warehouse (BW) Web Reports and links to external mail systems and the Knowledge Warehouse (KW). In the change menus, you can create, move, delete, and rename directories and subdirectories, as required. You can use the function Drag & Drop in role maintenance.

Generating Authorization Profiles

Figure 17: Generating Authorization Profiles

Role maintenance automatically creates the authorizations associated with the transactions specified in the menu tree. However, all authorization values must be manually checked and adjusted, if required, in accordance with the actual requirements and authorities. The system administrator is responsible for this task, together with the appropriate user department. When using organizational levels, you do not carry out maintenance directly in the field but by means of the Organizational Levels pushbutton (CTRL+F8). Choose the Authorizations tab page and then choose the Display Authorization Data or Change Authorization Data pushbutton, depending on the maintenance mode. Check the scope and contents of the authorizations.

If the system has proposed these authorizations, a green traffic light in the authorization overview indicates that role maintenance has supplied at least one proposal for each authorization field. A yellow traffic light indicates that the authorization must be manually maintained after it has been created: role maintenance does not provide a default value for the authorization. When accessing files, for example, role maintenance cannot determine whether data access should be read only or read and write. Some fields appear in many authorizations. A number of important fields, such as the company code, are therefore combined into organizational levels. If you maintain an entry for the organizational level using the Organizational Levels pushbutton, you can then maintain all the fields that appear there in one go. A red traffic light indicates an unmaintained organizational level. When all authorizations are maintained as required, the authorization profile can be generated by choosing Generate. The authorizations are combined into profiles. After creation, the profile name cannot be changed.

Note: The second character of the profile name must not be an underscore (_) (see SAP Note 16466).

The profiles must be entered in the user master record (by the role maintenance) for the authorizations to take effect for the user. This is called user master record comparison.

Users and Roles

Figure 18: Assigning Roles to Users

The assignment of users to roles is performed in the role maintenance transaction (transaction PFCG) or in the user maintenance transaction (transaction SU01). Choose the User tab page and the user IDs to be maintained. When selecting user IDs, the system uses the current date as the start of the validity period of the assignment and sets 31.12.9999 as the end date. You can change both values.

Users can be linked to more than one role. This can be useful if some activities, such as printing, are to be permissible across roles. The assignment of roles to users does not automatically grant the corresponding authorizations to the users. To assign the authorizations, you must perform a user master record comparison, during which the profiles assigned to the roles are entered in the user master record.

User Master Record Comparison

Figure 19: User Master Record Comparison

A user master record comparison determines whether authorization profiles should be added to or removed from the current user based on his or her role assignment. During comparison, profiles are added to a user master record due to roles that have been added. If role assignments are manually or time-dependently removed, the corresponding authorization profiles are deleted from the user master record. The comparison can be individually performed for every role. Select the role in role maintenance. Choose the User tab page, and choose User comparison. In the dialog box that the system displays, choose Complete comparison. If multiple role assignments are to be updated, you can perform a corresponding comparison in role maintenance by choosing Utilities → Mass comparison (transaction PFUD). You can individually specify the desired roles or update all assignments by entering the asterisk (*) character. You can also activate the periodic user master record comparison in role maintenance by choosing Utilities → Mass comparison. Select the Schedule or check job for full reconciliation option. The system then displays a search window for the background job PFCG_TIME_DEPENDENCY. If it does not find a corresponding job, you can create a new one. The default value is that the comparison of all user master records takes place once every day.
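The following Python model is an added example, not code from the handbook or from SAP. It reproduces the reconciliation described above for the user master record comparison: profiles of role assignments valid on the comparison date are entered in the user master record, profiles of expired or removed assignments are deleted, and the open-ended default of 31.12.9999 is used. The user, role and profile names, the dates and the rule that manually assigned profiles (such as SAP_NEW) are left alone are assumptions of this example.

```python
"""Model of the user master record comparison described above (PFUD, or the
periodic job PFCG_TIME_DEPENDENCY). Added illustration, not SAP code: user,
role and profile names and the dates are constructed. Profiles of role
assignments valid today are entered in the user master record; profiles of
removed or expired assignments are deleted. Manually assigned profiles
(such as SAP_NEW) are not touched, which is an assumption of this example.
"""
from dataclasses import dataclass
from datetime import date

OPEN_END = date(9999, 12, 31)   # default end of a role assignment (31.12.9999)


@dataclass(frozen=True)
class RoleAssignment:
    user: str
    role: str
    valid_from: date
    valid_to: date = OPEN_END

    def is_valid_on(self, day):
        return self.valid_from <= day <= self.valid_to


# Constructed: generated profile names per role (created by Generate in PFCG).
ROLE_PROFILES = {
    "BC_ENDUSER00": ["T-BC000001"],
    "Z_FI_CLERK": ["T-FI000001", "T-FI000002"],
    "Z_TEMP_AUDIT": ["T-AU000001"],
}
GENERATED = {p for profiles in ROLE_PROFILES.values() for p in profiles}


def compare_user(assignments, current_profiles, today):
    """Complete comparison for one user: returns (to_add, to_remove, result)."""
    wanted = {p for a in assignments if a.is_valid_on(today)
              for p in ROLE_PROFILES.get(a.role, [])}
    current = set(current_profiles)
    to_add = wanted - current
    # Only generated profiles are reconciled; manual profiles stay as they are.
    to_remove = (current & GENERATED) - wanted
    return sorted(to_add), sorted(to_remove), sorted((current - to_remove) | to_add)


def mass_comparison(all_assignments, user_profiles, today, users="*"):
    """PFUD-style run over all users ('*') or a list of user names.
    Returns the reconciled profile list per user."""
    by_user = {}
    for a in all_assignments:
        by_user.setdefault(a.user, []).append(a)
    selected = sorted(set(by_user) | set(user_profiles)) if users == "*" else users
    return {u: compare_user(by_user.get(u, []), user_profiles.get(u, []), today)[2]
            for u in selected}


# Constructed sample data for two users and two reference dates.
TODAY = date(2013, 6, 15)
NEXT_MONTH = date(2013, 7, 15)
ASSIGNMENTS = [
    RoleAssignment("ADMIN00", "BC_ENDUSER00", date(2013, 6, 15)),                    # starts today, open end
    RoleAssignment("ADMIN00", "Z_FI_CLERK", date(2013, 1, 1), date(2013, 5, 31)),    # expired
    RoleAssignment("ADMIN00", "Z_TEMP_AUDIT", date(2013, 7, 1), date(2013, 7, 31)),  # not yet valid
    RoleAssignment("ADMIN01", "Z_FI_CLERK", date(2013, 1, 1)),
]
USER_PROFILES = {
    "ADMIN00": ["T-FI000001", "T-FI000002", "SAP_NEW"],  # stale FI profiles, manual SAP_NEW
    "ADMIN01": [],                                       # role assigned, never compared
}


if __name__ == "__main__":
    for user, profiles in mass_comparison(ASSIGNMENTS, USER_PROFILES, TODAY).items():
        print(user, profiles)
```

Running the comparison a month later picks up the audit role that was not yet valid in June, which is exactly why the text recommends scheduling PFCG_TIME_DEPENDENCY daily: an assignment whose validity starts or ends in the future only takes effect when a comparison runs on or after that date.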
Unit 2 Exercise 2 Work with Roles

Business Example
Authorizations for users are created using roles and profiles. Administrators create the roles, and the system supports them by creating the associated authorizations.

Task 1
Copy a role template and assign it to a user.
1. Choose the single role SAP_BC_ENDUSER that was delivered. Copy this completely to your role BC_ENDUSER<##>.
2. Check the transactions assigned for the user menu with this role.
3. Check the authorizations for the role and maintain open authorizations, if necessary.
4. Assign the role to user ADMIN<##>, and save your settings.
5. Perform a user comparison.

Task 2
Check the user ADMIN<##>.
1. Log on to the SAP system with the user ADMIN<##> and your chosen password. Check whether the user can execute the transactions you assigned.

Unit 2 Solution 2 Work with Roles

Business Example
Authorizations for users are created using roles and profiles. Administrators create the roles, and the system supports them by creating the associated authorizations.

Task 1
Copy a role template and assign it to a user.
1. Choose the single role SAP_BC_ENDUSER that was delivered. Copy this completely to your role BC_ENDUSER<##>.
a) Run transaction PFCG.
b) On the Role Maintenance screen, enter SAP_BC_ENDUSER in the Role field.
c) Choose the Copy Role pushbutton.
d) Enter BC_ENDUSER<##> in the to role field in the Query dialog box that appears.
e) Choose the Copy all pushbutton.
2. Check the transactions assigned for the user menu with this role.
a) On the initial screen of transaction PFCG, choose the Change pushbutton. Alternatively, choose Role → Change for the role BC_ENDUSER<##>.
b) On the Menu tab page, choose the Search pushbutton.
c) Expand Basis Functions.
3. Check the authorizations for the role and maintain open authorizations, if necessary.
a) On the Authorizations tab page, choose the Change Authorization Data pushbutton.
b) Check the authorizations for the role and maintain open authorizations, if necessary. For example, choose the yellow traffic light pushbutton and confirm the system query (whether full authorization should be assigned with Execute).
c) On the Change Roles: Authorizations screen, choose the Generate pushbutton and save the profile settings.
d) Accept the proposed profile name in the process. Confirm the message and exit from the Change Roles: Authorizations screen.
Note: You do not need to save again because this was already performed with the Generate function.
4. Assign the role to user ADMIN<##>, and save your settings.
a) On the User tab page, enter ADMIN<##> in the User ID field.
b) Save your settings. A user master comparison has not yet been performed, however (see the next subtask). If the user ADMIN<##> does not exist, create a user with this name in transaction SU01 in a new session.
5. Perform a user comparison.
a) Choose the User Comparison pushbutton and then choose the Complete comparison pushbutton.
b) Exit and go back to the initial screen for PFCG, and save the data.

Task 2
Check the user ADMIN<##>.
1. Log on to the SAP system with the user ADMIN<##> and your chosen password. Check whether the user can execute the transactions you assigned.
a) Log on to the SAP system with the user ADMIN<##>.
b) Switch to the user menu, and execute some of the assigned transactions.
This section deals with authorizations in the SAP system from an operational point of view.

Login Parameters

Figure 20: System Parameters for User Logons 1

The following questions are considered when dealing with login parameters:
● Which system settings can be used to influence logon behavior?
● How can errors and problems be analyzed?

You can set the minimum length for passwords with the parameter login/min_password_lng. The parameters login/min_password_digits, login/min_password_letters, login/min_password_lowercase, login/min_password_uppercase, and login/min_password_specials specify the minimum number of digits, letters (number of upper and lower case), or special characters that a password must contain. The parameter login/password_expiration_time specifies the number of days after which the user must change his or her password. If the value is 0, the user does not need to change his or her password.

The general rules for a password that cannot be deactivated are as follows:
● A password must not begin with “?” or “!”.
● A password must not be the keyword pass.

Hint: The setting that determines that users must create a new password that differs from the previous five passwords they have entered is no longer mandatory. You can use the parameter login/password_history_size to set the history to a value between 1 and 100. The proposed standard value remains 5.

You can define additional password restrictions in the table USR40.

SAP Web Application Server 6.20 and 6.40 offered the parameters login/password_max_new_valid and login/password_max_reset_valid. They specified how long an initial password for a newly created user or a password that was reset by an administrator was valid. With SAP NetWeaver AS 7.0, they have been replaced by the parameter login/password_max_idle_initial.

Hint: The parameter login/password_max_idle_initial indicates the maximum length of time during which an initial password (a password that the user administrator selects) remains valid if it is not used. Once this period expires, the password can no longer be used for authentication. The user administrator can reactivate the password logon by assigning a new initial password.

Caution: If you are using a Basis release prior to 6.20, the system may behave in a manner you do not expect with the parameters login/password_max_reset_valid and login/password_max_new_valid. Check SAP Note 450452 beforehand to see which settings are possible for your particular release level.

With the parameter login/min_password_diff, the administrator can determine the number of different characters a new password must possess in comparison with the old one when users change their passwords. This parameter does not take effect when a new user is created or passwords are reset (initial password).

System Parameters for User Logons 2/2

Figure 21: System Parameters for User Logons 2

Another new parameter in SAP NetWeaver AS 7.0 is login/password_max_idle_productive. This indicates the maximum length of time a productive password (a password that the user chooses) remains valid when it is not used. Once this period expires, the password can no longer be used for authentication. The user administrator can reactivate the password logon by assigning a new initial password.
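The following Python check is an added example, not code from the handbook or from SAP. It applies the password rules described above to a candidate password so that the effect of each setting can be tried out: the fixed rules (no leading ? or !, not the keyword pass), the login/min_password_* composition parameters, the USR40 table, login/password_history_size and login/min_password_diff. The parameter names are the real profile parameters; their values, the USR40 patterns and the sample passwords are constructed, and how login/min_password_diff counts "different characters" is this example's interpretation.

```python
"""Password rule check modelled on the login/* profile parameters described
above. Added illustration, not SAP code: it applies the rules the text
describes to a candidate password so the effect of each parameter can be
seen. The parameter names are the real ones; their values, the USR40
patterns and the sample passwords are constructed. How login/min_password_diff
counts "different characters" is this example's interpretation (positions
that differ, plus any length difference).
"""
from fnmatch import fnmatchcase

# Constructed parameter values (names are the real profile parameters).
PARAMS = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_lowercase": 1,
    "login/min_password_uppercase": 1,
    "login/min_password_specials": 1,
    "login/min_password_diff": 3,
    "login/password_history_size": 5,
}

# Constructed entries of table USR40 (forbidden passwords, '*' and '?' wildcards).
# This example matches them case-insensitively (assumption).
USR40 = ["*SAP*", "*PASS*", "123*", "QWERT?"]


def positions_differing(new, old):
    """Count positions where the passwords differ; extra length counts as differing."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_password(new, old=None, history=(), params=PARAMS, usr40=USR40):
    """Return the list of violated rules; an empty list means the password is accepted.
    old: previous productive password when the user changes it (None for an initial
    password set by the administrator, where login/min_password_diff does not apply)."""
    problems = []
    # Fixed rules that cannot be deactivated.
    if new.startswith(("?", "!")):
        problems.append("must not begin with '?' or '!'")
    if new.lower() == "pass":
        problems.append("must not be the keyword 'pass'")
    # Parameter-driven composition rules.
    if len(new) < params["login/min_password_lng"]:
        problems.append("shorter than login/min_password_lng")
    counts = {
        "login/min_password_digits": sum(c.isdigit() for c in new),
        "login/min_password_letters": sum(c.isalpha() for c in new),
        "login/min_password_lowercase": sum(c.islower() for c in new),
        "login/min_password_uppercase": sum(c.isupper() for c in new),
        "login/min_password_specials": sum(not c.isalnum() for c in new),
    }
    for name, have in counts.items():
        if have < params[name]:
            problems.append(f"needs at least {params[name]} character(s) for {name}")
    if any(fnmatchcase(new.upper(), pattern.upper()) for pattern in usr40):
        problems.append("matches a forbidden pattern in table USR40")
    # History: the last login/password_history_size passwords may not be reused.
    recent = list(history)[-params["login/password_history_size"]:]
    if new in recent:
        problems.append("reused within login/password_history_size")
    if old is not None and positions_differing(new, old) < params["login/min_password_diff"]:
        problems.append("too few characters differ from the old password (login/min_password_diff)")
    return problems


if __name__ == "__main__":
    for candidate in ["pass", "!Secret12", "Sapphire-2013", "Tr0ub4dor!x"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

Passing old=None models the administrator setting an initial password, which is why the min_password_diff rule is skipped in that case; a user changing a productive password passes the old one and is held to the difference rule as well.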
You can set the number of failed logon attempts after which the SAP GUI is terminated using the parameter login/fails_to_session_end. If the user wants to try again, he or she must restart the SAP GUI. You can set the number of failed logon attempts after which a user is locked in the SAP system using the parameter login/fails_to_user_lock. The failed logon counter is reset after a successful logon attempt.

Hint: At midnight (server time), users that were locked as a result of incorrect logon attempts are no longer automatically unlocked by the system (default value since SAP NetWeaver 7.0). You reactivate this automatic unlocking with the parameter login/failed_user_auto_unlock = 1.

The administrator can unlock, lock, or assign a new password to users in user maintenance (transaction SU01). If the parameter login/disable_multi_gui_login is set to 1, a user cannot log on to a client more than once. This can be desirable for system security reasons. If the parameter is set to 1 and the user logs on again, the user has the option to continue with this logon and end any other logons in the system, or to terminate this logon. Users to whom this should not apply should be specified in the parameter login/multi_login_users. The entries in this parameter must be separated with commas and with no spaces.
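The following Python simulation is an added example, not code from the handbook or from SAP. It plays a sequence of logon attempts against the three failed-logon parameters described above, so the interaction between the session limit, the user lock and the midnight auto-unlock can be observed. The user names, parameter values and attempt sequences are constructed, and the midnight unlock is approximated as "a later calendar day than the lock".

```python
"""Simulation of the failed-logon parameters described above
(login/fails_to_session_end, login/fails_to_user_lock and
login/failed_user_auto_unlock). Added illustration, not SAP code: the user
names, parameter values and attempt sequences are constructed, and the
midnight unlock is approximated as "a later calendar day than the lock".
"""
from datetime import datetime, timedelta

# Constructed parameter values; 0 for auto unlock is the default since SAP NetWeaver 7.0.
PARAMS = {
    "login/fails_to_session_end": 3,
    "login/fails_to_user_lock": 5,
    "login/failed_user_auto_unlock": 0,
}


class UserLogonState:
    """Failed-logon counter and lock flag of one user master record."""

    def __init__(self, user, params):
        self.user = user
        self.params = params
        self.fail_count = 0
        self.locked = False
        self.locked_at = None

    def _auto_unlock_if_due(self, now):
        # With login/failed_user_auto_unlock = 1 a lock caused by failed logons
        # is lifted at midnight server time; otherwise an administrator unlocks in SU01.
        if (self.locked and self.params["login/failed_user_auto_unlock"] == 1
                and now.date() > self.locked_at.date()):
            self.locked = False
            self.fail_count = 0

    def attempt(self, password_ok, now, session_fails):
        """One logon attempt. session_fails: failed attempts so far in this SAP GUI session.
        Returns 'ok', 'failed', 'session_end' or 'locked'."""
        self._auto_unlock_if_due(now)
        if self.locked:
            return "locked"                      # even a correct password is refused
        if password_ok:
            self.fail_count = 0                  # counter is reset after a successful logon
            return "ok"
        self.fail_count += 1
        if self.fail_count >= self.params["login/fails_to_user_lock"]:
            self.locked, self.locked_at = True, now
            return "locked"
        if session_fails + 1 >= self.params["login/fails_to_session_end"]:
            return "session_end"                 # SAP GUI is terminated; the user counter keeps counting
        return "failed"

    def admin_unlock(self):
        """Unlock in user maintenance (transaction SU01)."""
        self.locked = False
        self.fail_count = 0


def simulate(state, attempts):
    """Feed (timestamp, password_ok) pairs; a new SAP GUI session starts after 'session_end'."""
    outcomes, session_fails = [], 0
    for when, ok in attempts:
        result = state.attempt(ok, when, session_fails)
        outcomes.append(result)
        session_fails = session_fails + 1 if result == "failed" else 0
    return outcomes


# Constructed sequences: five wrong passwords one minute apart, the right one afterwards,
# and one correct attempt the next day.
T0 = datetime(2013, 6, 15, 9, 0)
WRONG_FIVE = [(T0 + timedelta(minutes=i), False) for i in range(5)]
CORRECT_AFTER = [(T0 + timedelta(minutes=5), True)]
NEXT_DAY_OK = [(T0 + timedelta(days=1), True)]

if __name__ == "__main__":
    state = UserLogonState("ADMIN00", dict(PARAMS))
    print(simulate(state, WRONG_FIVE + CORRECT_AFTER))
    print("next day, default:", simulate(state, NEXT_DAY_OK))
    state.admin_unlock()
    print("after SU01 unlock:", simulate(state, NEXT_DAY_OK))
```

The run shows that restarting the SAP GUI after login/fails_to_session_end does not reset the failed-logon counter in the user master record; only a successful logon does, so the lock after login/fails_to_user_lock is reached across sessions.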
LESSON SUMMARY
You should now be able to:
● Implement user administration concept
● Describe the authorization concept
● Change login parameters and user information
Unit 2 Lesson 2 Implementing Basic User Administration AS Java

LESSON OVERVIEW
This lesson provides an overview of the User Management Engine (UME) and UME configuration. This lesson also presents the tools for the administration of users and groups. In addition, the lesson describes how authorizations control which functions are permitted for a user and the assignment of these authorizations to a user.

Business Example
You use Application Server ABAP (AS ABAP) and Application Server Java (AS Java)-based systems. You want to ensure consistent user master data within a heterogeneous system landscape. For this reason, you require the following knowledge:
● An understanding of UME data source(s) and parameters
● An understanding of user and group administration
● An understanding of UME roles and JEE security roles

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Configure the User Management Engine (UME)
● Describe user and group administration
● Explain Java authorization concept

Basics

AS Java provides an open architecture supported by service providers for the storage of user and group data. The AS Java is supplied with the following service providers (user store):
● Database Management System (DBMS) provider
This is used for storage in the system database.
● Universal Description, Discovery and Integration (UDDI) provider
This is used for storage using external service providers.
● UME provider