Overview  9–2
  User Groups  9–2
  Profile Generator  9–2
Recommended Policies and Procedures  9–3
  User Administration  9–3
  System Administration  9–5
New User Setup  9–7
  Prerequisites  9–7
  Installing the Frontend Software–SAPgui  9–8
  Adding Additional Systems  9–16
  Setting Up a New User  9–19
Maintaining a User  9–26
Resetting a Password  9–28
Locking or Unlocking a User  9–29
User Groups  9–31
  How to Create a User Group  9–32
Deleting a User’s Session (Transaction SM04)  9–33
  How to Terminate a User Session  9–33
Maintaining a Table of Prohibited Passwords  9–34
System Administration Made Easy
9–1
Chapter 9: Nonscheduled User Administration Tasks
Overview
User administration is a security function, not merely an administrative chore: security is at stake
each time a user accesses the system. Because the company’s financial and other proprietary
information is on the system, the administrator is also subject to requirements and recommendations
from the company’s external auditors, regulatory agencies, and others. Consult your external
auditors for the internal-control requirements that apply to user administration. Consult Human
Resources if the HR module is implemented or any sensitive personnel data is kept on the system.
A full discussion of security and user administration is beyond the scope of this guidebook; we
cover only a small subset of the topic. Manually creating and maintaining security profiles and
authorizations is also not covered.
User Groups
User groups are created by an administrator to organize users into logical groups, such as:
- Basis
- Finance
- Shipping
For additional information, refer to the section User Groups on page 9–31.
Profile Generator
The Profile Generator is a tool that simplifies the creation and maintenance of SAP security. It
reduces (but does not eliminate) the need for specialized security consultants. The Profile
Generator is most valuable for smaller companies with limited resources that cannot afford
dedicated security administrators.
For additional information on the Profile Generator, see the Authorizations Made Easy guidebook.
9–2
Release 4.0B
Recommended Policies and Procedures
User administration is a serious security and audit issue. Some of the tasks in this
guidebook are aimed at complying with common audit procedures. Obtaining proper
authorization and documentation should be a standard prerequisite for all user
administration actions.
User administration comprises the following:
User ID naming conventions
- The employee’s company ID number (for example, e0123456)
- Last name plus first initial, or first name plus last initial. In a small company where
  names are often used as IDs, it is common to use the employee’s last name followed by the
  first initial of the first name, or the first name followed by the first initial of the
  last name (for example, jonesb or barbaraj).
- Clearly identifiable user IDs for temporary employees and consultants (for example,
  T123456, C123456).
Adding or changing a user
- The user’s manager should sign a completed user add-or-change form.
- The form should indicate the required security, job role, and whatever else defines how
  security is assigned in your company.
- If the access crosses departments or organizations, the affected managers should also
  approve.
- If the user is not a permanent employee, or if the access is for a limited duration, the
  time period and the expiration date should be indicated.
- The forms should be filed by employee name or ID.
- A periodic audit should be performed, in which all approved authorizations are verified
  against what was actually assigned to the user.
Users leaving the company or changing jobs
This is a particularly sensitive event. The policies and procedures for it must be developed in
advance and coordinated among several groups, for example:

Group               Responsibility
Human Resources     Legal or personnel matters
External auditors   Internal control issues related to the financial audit
IT                  Procedures to terminate network access
Senior management   Policy approval
Employee’s manager  “Handover” or training period for the employee’s replacement

To manage terminated employees:
- The user’s manager should send a form or e-mail indicating that the employee is leaving.
- The user’s ID should be locked and the user assigned to the user group “term” (for
  terminated).
- If the user’s ID is not required as a template, the security profiles assigned to the user
  should be deleted (use transaction SU01 and, under the Task profile and Profiles tabs,
  delete the profiles).
- Check Background Jobs (transaction SM37) for jobs scheduled under that user ID. The jobs
  will fail once the user ID is locked or deleted, so reassign or cancel them first.
- If the user leaves one job for another and needs to keep access for a handover, the
  handover should be documented. The duration of the handover access must be defined and
  the expiration (Valid to) date entered in the R/3 System.
- All temporary employees and consultants should have expiration (Valid to) dates on their
  user IDs.
- As banks do, keep a “secret word” that users can use to verify their identity over the
  phone. This word is used when the user needs a password reset or the user ID unlocked.
Special user IDs
The two user IDs SAP* and DDIC should be used only for tasks that specifically require them.
Any user needing comparable “super user” rights should receive a copy of the SAP* security,
not the SAP* user ID itself.
The security rights of SAP* and DDIC are extensive and dangerous, and they pose a security
risk. Anyone requiring or requesting similar rights should have a very valid reason for the
request; convenience is not one. The security profile that serves as the “master key” is
SAP_ALL, and to a lesser degree SAP_NEW.
The user ID SAP* should never be deleted; change its password instead. If the user master
record for SAP* is deleted, the R/3 System falls back to a built-in SAP* user whose logon
(password PASS) and full access rights are hard-coded in the kernel. That built-in user then
has security rights that you did not assign and cannot control. Later kernels provide the
profile parameter login/no_automatic_user_sapstar to disable this fallback; check whether it
is available on your release before relying on it.
The passwords of SAP* and DDIC should be changed from their delivered values to prevent
unauthorized use of these special user IDs. External audit procedures routinely check the
security of these two user IDs.
For medium- and large-size companies, granting developers SAP* equivalent rights even in the
development and test systems is usually inappropriate. SAP* equivalent security in the
production system is a security and audit issue and should be severely limited.
User passwords
The parameters that define and restrict user passwords are set in the system (instance)
profile. Recommended settings:
- Passwords should be set to expire periodically; the recommended period is no more than
  90 days (profile parameter login/password_expiration_time).
- A minimum password length of five (5) characters should be set (login/min_password_lng).
- The table of “prohibited” passwords (USR40) should be maintained.
- The user should be locked after three unsuccessful logon attempts
  (login/fails_to_user_lock).
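The following Python script is an added example, not code from the SAP guidebook or from SAP, that turns the four recommendations above into checks you can run against a candidate password or a user’s logon history. It assumes the USR40 wildcard semantics SAP documents (“*” matches any string, “?” exactly one character, matching is not case-sensitive because pre-7.0 R/3 passwords are not case-sensitive); the USR40 entries and the limits are constructed from the chapter’s recommended values rather than read from a real profile or table.

```python
"""Password-policy checks that mirror the chapter's recommendations.

Added example, not code from the SAP guidebook or from SAP. Assumptions:
USR40 patterns use '*' for any string and '?' for exactly one character
and are matched without regard to case; the limits below are the chapter's
recommended values, not values read from a real system profile.
"""
from datetime import date
import re

MAX_PASSWORD_AGE_DAYS = 90   # login/password_expiration_time
MIN_PASSWORD_LENGTH = 5      # login/min_password_lng
FAILS_TO_USER_LOCK = 3       # login/fails_to_user_lock

# Constructed sample of USR40 entries (the BCODE column holds the pattern).
USR40 = ["SAP*", "PASS", "*123", "SECRET", "INIT??"]


def usr40_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a USR40 wildcard pattern into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_prohibited(password: str, table=USR40) -> bool:
    """True if the password matches any entry of the prohibited-password table."""
    return any(usr40_regex(p).fullmatch(password) for p in table)


def check_new_password(password: str, table=USR40) -> list:
    """Return the policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if is_prohibited(password, table):
        problems.append("prohibited by USR40")
    return problems


def password_expired(last_changed: str, today: str) -> bool:
    """True once the password is older than the allowed age (ISO dates, e.g. '2000-01-01')."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > MAX_PASSWORD_AGE_DAYS


class LogonState:
    """Failed-logon counter for one user ID; locks after FAILS_TO_USER_LOCK failures."""

    def __init__(self):
        self.failed = 0
        self.locked = False

    def logon(self, credential_ok: bool) -> bool:
        """Process one logon attempt; returns True only for a successful logon."""
        if self.locked:
            return False          # a locked ID is refused even with the right password
        if credential_ok:
            self.failed = 0       # a successful logon resets the counter
            return True
        self.failed += 1
        if self.failed >= FAILS_TO_USER_LOCK:
            self.locked = True    # an administrator must unlock the ID (SU01)
        return False


if __name__ == "__main__":
    for candidate in ["sap01", "welcome123", "init42", "abc", "Tr0ub4dor"]:
        print(candidate, check_new_password(candidate) or "OK")
    print("expired after 91 days:", password_expired("2000-01-01", "2000-04-01"))
```

The wildcard translation is the part worth keeping: a USR40 entry such as SAP* rejects every password beginning with “sap”, regardless of case, which is why the table should contain the names of the special users and any site-specific words rather than a handful of exact strings.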