Security Optimization Self-Service

Transcription

Security Optimization Self-Service
SERVICE REPORT
Security Optimization Service
Analysis
Confidential
SAP System ID
XXX
Solution
TEST
Processed on
Release
Service Tool
SAP Service
Content Update
SAP Solution Manager AAA
7.10 SP 0014
ST-SER 720 SP 0000000000
Date of Session
Date of Report
Author
10.02.2016
10.02.2016
<NAME>
not activated
Session No.
Installation No.
Customer No.
2000000270255
0123456789
9876543210
This report contains confidential customer data and may be viewed only by SAP AGS employees, authorized SAP
partners, and customer employees. Do not distribute it to other parties.
Security Optimization Service
10.02.2016
1 SUMMARY ................................................................................................................................... 7
2 DETECTED ISSUES.......................................................................................................................... 8
3 SPECIAL FOCUS CHECKS................................................................................................................ 12
3.1 XXX CLIENT OVERVIEW ............................................................................................................................................. 12
3.2 ADDITIONAL SUPER USER ACCOUNTS FOUND (0022)................................................................................................... 12
4 AUTHENTICATION ....................................................................................................................... 14
4.1 PASSWORD LOGON IS AT L EAST PARTLY ALLOWED (0139)............................................................................................ 14
4.2 PASSWORD POLICY ................................................................................................................................................... 14
4.2.1 Password Complexity................................................................................................................................... 14
4.2.1.1 Minimum Password Length (0126) ............................................................................................................. 14
4.2.1.2 Trivial Passwords Are Not Sufficiently Prohibited (0125) ............................................................................. 14
4.2.2 Initial Passwords .......................................................................................................................................... 14
4.2.2.1 Users with Initial Passwords Who Have Never Logged On (0009) ................................................................ 14
4.2.2.2 Users with Reset Password Who Have Not Logged On (0140) ..................................................................... 15
4.2.3 Interval for Logon with Productive Password Is Too Long (AU081) ......................................................... 15
4.2.4 Interval for Password Change Is Too Long (0127) ..................................................................................... 15
4.2.5 Security Attack Indicated by Users Locked due to Incorrect Logon Attempts (0141) ............................. 15
4.3 GENERAL AUTHENTICATION ....................................................................................................................................... 16
4.3.1 Users Who Have Not Logged On for an Extended Period of Time (0010)................................................ 16
4.3.2 Security Critical Events for End Users Are Not Logged in the Security Audit Log (0136) ........................ 16
4.3.3 Interval After Which Inactive Users Are Logged Off Is Too Long (0137) .................................................. 16
4.3.4 Multiple Logons Using the Same User ID Is Not Prevented (0138) .......................................................... 16
4.3.5 Users - Other Than User Administrators - Are Authorized to Change Passwords (0121) ....................... 17
4.3.6 Users - Other Than User Administrators - Are Authorized to Lock/Unlock Users (0135)........................ 18
4.4 PASSWORD BASED A UTHENTICATION ADMITS PASSWORD A TTACKS (0591).................................................................... 19
4.5 SAP GUI SINGLE SIGN-ON (SSO).............................................................................................................................. 19
4.5.1 Password Logon Is Allowed to SNC Enabled Servers (0592) ..................................................................... 19
4.5.2 Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of SNC Users to
SAP Users (0594) ................................................................................................................................................... 19
4.5.3 SAP User IDs Have More Than One SNC User Attached (0595) ................................................................ 20
4.6 SINGLE SIGN-O N (SSO) TICKET .................................................................................................................................. 21
4.6.1 Unspecified Accepting of SSO Tickets (0603) ............................................................................................. 21
4.6.2 Users - Other Than System Administrators - Are Authorized to Maintain Trusted SSO Ticket Issuing
Systems (0605) ...................................................................................................................................................... 21
4.7 CERTIFICATE SSO ..................................................................................................................................................... 22
4.7.1 External Authentication via Client Certificates (0621) .............................................................................. 22
4.7.2 Trusted Certification Authorities (0623)..................................................................................................... 22
4.7.3 Users - Other Than System Administrators - Are Authorized to Maintain Trusted CAs (0624) .............. 24
4.7.4 Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via SNC0
(0625)..................................................................................................................................................................... 25
4.7.5 Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via Table
Maintenance (0626).............................................................................................................................................. 26
4.7.6 Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of X.509 Users to
SAP Users (0622) ................................................................................................................................................... 27
5 BASIS ADMINISTRATION AND BASIS AUTHORIZATIONS..................................................................... 29
5.1 BASIS ADMINISTRATION ............................................................................................................................................ 29
5.1.1 Gateway and Message Server Security (BA076)........................................................................................ 29
5.1.1.1 Gateway Security (BA078) .......................................................................................................................... 29
Gateway Access Control Lists (BA081) ............................................................................................................... 29
5.1.2 Users - Other Than System Administrators - Are Authorized to Maintain System Profiles (0152) ........ 29
5.1.3 Users - Other Than System Administrators - Are Authorized to Start/Stop Application Servers (0154) 30
5.1.4 Users - Other Than System Administrators - Are Authorized to Start/Stop Work Processes (0156)...... 31
5.1.5 Users - Other Than System Administrators - Are Authorized to Lock/Unlock Transactions (0157) ....... 32
Summary
Confidential
2/143
Security Optimization Service
10.02.2016
5.1.6 Users - Other Than System Administrators - Are Authorized to Maintain Other User's Lock Entries
(0159)..................................................................................................................................................................... 33
5.1.7 Users - Other Than System Administrators - Are Authorized to Maintain Own Lock Entries (0166) ..... 34
5.1.8 Users - Other Than System Administrators - Are Authorized to Delete or Reprocess Broken Updates
(0161)..................................................................................................................................................................... 35
5.1.9 Users - Other Than System Administrators - Are Authorized to Activate a Trace (0163) ....................... 36
5.1.10 System Profiles Are Not Consistent (0153)............................................................................................... 37
5.1.11 No Timely Accurate Resolution of Erroneous Locks (0160)..................................................................... 37
5.1.12 Security Audit Log is not active (0170) ..................................................................................................... 37
5.1.13 System Recommendations (ABAP) (BA090) ............................................................................................. 38
5.1.14 Sending Trace Data to Remote Client (0169)........................................................................................... 38
5.2 BATCH I NPUT ........................................................................................................................................................... 38
5.2.1 No Timely Accurate Resolution of Failed Batch Input Sessions (0223) .................................................... 38
5.3 SPOOL & PRINTER .................................................................................................................................................... 38
5.3.1 Users - Other Than Spool Administrators - Are Authorized to Display Other Users Spool Requests
(0192)..................................................................................................................................................................... 38
5.3.2 Users - Other Than Spool Administrators - Are Authorized to Display Protected Spool Requests of
Other Users (0198) ................................................................................................................................................ 39
5.3.3 Users - Other Than Spool Administrators - Are Authorized to Display the TemSe Content (0193) ........ 40
5.3.4 Users - Other Than Spool Administrators - Are Authorized to Change the Owner of Spool Requests
(0194)..................................................................................................................................................................... 41
5.3.5 Users - Other Than Spool Administrators - Are Authorized to Redirect a Print Request to Another
Printer (0195) ........................................................................................................................................................ 42
5.3.6 Users - Other Than Spool Administrators - Are Authorized to Export a Print Request (0196)................ 43
5.4 BACKGROUND .......................................................................................................................................................... 44
5.4.1 Periodic Background Jobs Scheduled with User of Type Other Than 'SYSTEM' (0211) ........................... 44
5.4.2 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212) .... 44
5.4.3 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in External
Commands (0213) ................................................................................................................................................. 45
5.4.4 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs Under Another User
Id (0214)................................................................................................................................................................. 46
5.5 OS ACCESS .............................................................................................................................................................. 47
5.5.1 Users - Other Than System Administrators - Are Authorized to Define External OS Commands (0171)47
5.5.2 Users - Other Than System Administrators - Are Authorized to Execute External OS Commands (0172)
................................................................................................................................................................................ 48
5.5.3 Users - Other Than System Administrators - Are Authorized to View Content of OS Files with AL11
(0173)..................................................................................................................................................................... 49
5.6 OUTGOING RFC ....................................................................................................................................................... 50
5.6.1 Unexpected RFC Connections with Complete Logon Data Found (0254)................................................. 50
5.6.2 Users - Other Than System Administrators - Are Authorized to Administer RFC Connections (0255) ... 51
5.6.3 Users - Other Than System Administrators - Are Authorized to Maintain Trusting Systems (0268) ..... 51
5.7 INCOMING RFC........................................................................................................................................................ 52
5.7.1 Users Are Authorized to Run Any RFC Function (0241) ............................................................................. 52
5.7.2 Users - other than Key Users - are Authorized to Visualize All Tables via RFC (0245)............................. 53
5.7.3 Incoming RFC with Expired Password is Allowed (0234)........................................................................... 54
5.7.4 Users authorized for Trusted RFC (Object S_RFCACL) (0239) ................................................................... 54
5.7.5 Users authorized for Trusted RFC which can be called from any calling user (0248) ............................. 55
5.7.6 Unexpected Trusted System Connections Found (0238) ........................................................................... 56
5.7.7 Users - Other Than System Administrators - Are Authorized to Maintain Trusted Systems (0240)....... 57
5.7.8 RFC Security in the Service Marketplace (0247) ........................................................................................ 57
5.8 APPLICATION LINK ENABLING (ALE) ........................................................................................................................... 58
5.8.1 Users - Other Than System Administrators - Allowed to Maintain the ALE Distribution Model (0723) 58
5.8.2 Users - Other Than System Administrators - Allowed to Maintain the Partner Profile (0724)............... 58
6 CHANGE MANAGEMENT .............................................................................................................. 60
6.1 DATA & PROGRAM ACCESS ....................................................................................................................................... 60
6.1.1 Users - Other Than Key Users - Are Authorized to Start All Reports (0512)............................................. 60
Summary
Confidential
3/143
Security Optimization Service
10.02.2016
6.1.2 Users - Other Than Key Users - Are Authorized to Display All Tables (0513)........................................... 61
6.1.3 Users Are Authorized to Maintain All Tables (0514) ................................................................................. 61
6.1.4 Users - Other Than System Administrators - Are Authorized to Change the Authorization Group of
Tables (0515) ......................................................................................................................................................... 62
6.1.5 Users - Other Than Query Administrators - Are Authorized to Administer Queries (0517) .................... 63
6.1.6 Users Are Authorized to Execute All Function Modules (0520) ................................................................ 64
6.2 CHANGE CONTROL ................................................................................................................................................... 65
6.2.1 System Change Option Not Appropriately Configured in the Production System (0301) ....................... 65
6.2.2 Client Change Option Not Appropriately Configured (0302) .................................................................... 65
6.2.3 Users - Other Than System Administrators - Are Authorized to Change the System Change Option
(0303)..................................................................................................................................................................... 66
6.2.4 Users - Other Than System Administrators - Are Authorized to Change the Client Change Option
(0304)..................................................................................................................................................................... 67
6.2.5 Users - Other Than System Administrators - Are Authorized to Create New Clients (0305) .................. 68
6.2.6 Users Are Authorized to Delete Clients (0306)........................................................................................... 69
6.2.7 Users Are Authorized to Development in the Production System (0307) ................................................ 70
6.2.8 Users Are Authorized to Debug and Replace Field Values in the Production System (0308) ................. 71
6.2.9 Users Are Authorized to Perform Customizing in the Production System (0309).................................... 72
6.2.10 Users Are Authorized to Develop Queries in the Production System (0310) ......................................... 72
6.2.11 Execution of CATTs and eCATTs is Not Prevented by Client Settings (0311) ......................................... 73
6.2.12 Users Are Authorized to Execute CATTs in the Production System (0312)............................................. 74
6.2.13 Users Are Authorized to Execute eCATTs in the Production System (0313)........................................... 75
6.2.14 SAPgui User Scripting Is Enabled (0314) .................................................................................................. 76
6.2.15 Users Are Authorized to Use the Legacy Migration Workbench (0315) ................................................ 76
6.2.16 Users Are Authorized to Modify the Table Logging Flag for Tables (0318) ........................................... 77
6.3 DEVELOPMENT ......................................................................................................................................................... 78
6.3.1 Development Sources Are Not Scanned for Critical Statements (0335)................................................... 78
6.4 TRANSPORT CO NTRO L ............................................................................................................................................... 78
6.4.1 Users - Other Than Transport Administrators - Are Authorized to Change the TMS Configuration
(0341)..................................................................................................................................................................... 78
6.4.2 Users - Other Than Transport Administrators - Are Authorized to Start Imports to Production (0342) 79
6.4.3 Users - Other Than Transport Administrators - Are Authorized to Create and Release Transports
(0343)..................................................................................................................................................................... 80
6.4.4 Users Are Authorized to Approve Transports (0346)................................................................................. 81
6.4.5 Users - Other Than Transport Administrators - Are Authorized to Apply Patches (0363) ...................... 82
6.4.6 Transports Are Not Scanned for Viruses (0348)......................................................................................... 83
7 USER AUTHORIZATION................................................................................................................. 84
7.1 USER MANAGEMENT ................................................................................................................................................ 84
7.1.1 Users - Other Than the User Administrators - Are Authorized to Maintain Users (0002) ...................... 84
7.1.2 User Administrators Are Authorized to Change Their Own User Master Record (0003) ........................ 85
7.1.3 User Administrators Are Allowed to Maintain Users of Any Group (0004) ............................................. 85
7.1.4 User Master Data Is Not Regularly Synchronized with a Corporate LDAP Directory (0007) .................. 86
7.1.5 Users with Authorizations for User and Role/Profile/Authorization Maintenance (0008) ..................... 86
7.1.6 Reference Users Are Used (0011) ............................................................................................................... 87
7.1.7 Usage of 'Normal' Users as Reference Users Is Not Prohibited (0012) .................................................... 88
7.1.8 Users - Other Than User Administrators - Are Authorized to Access Tables with User Data (0013) ..... 88
7.1.9 Users - Other Than User Administrators - Are Authorized to Call Function Modules for User Admin
(0019)..................................................................................................................................................................... 89
7.2 SUPER USERS ........................................................................................................................................................... 90
7.2.1 Users Have Nearly All Authorizations (0023) ............................................................................................. 90
7.2.2 Unexpected Users Are Authorized to Change a Super User Accounts (0026).......................................... 91
7.2.3 Users with Profile SAP_NEW (0031) ........................................................................................................... 92
7.3 STANDARD USERS .................................................................................................................................................... 93
7.3.1 Not all profiles are removed from user SAP* (0042) ................................................................................. 93
7.3.2 User SAP* is neither locked nor expired (0043) ......................................................................................... 93
7.3.3 Usage of the hard coded user SAP* is not disabled (0046)....................................................................... 93
Summary
Confidential
4/143
Security Optimization Service
10.02.2016
7.3.4 User SAP*'s activities are not logged in the Security Audit Log (0047).................................................... 93
7.3.5 User DDIC's activities are not logged in the Security Audit Log (0050).................................................... 94
7.3.6 User EARLYWATCH's activities are not logged in the Security Audit Log (0060)..................................... 94
7.3.7 User TMSADM has the default password in some clients (0063)............................................................. 94
7.3.8 User TMSADM Exists in Clients Other Than Client 000 (0064) ................................................................. 94
7.4 ROLE & AUTHORIZATION MANAGEMENT .................................................................................................................... 95
7.4.1 Users Are Authorized to Maintain Roles Directly in the Production System (0072) ................................ 95
7.4.2 Users Are Authorized to Maintain Profiles Directly in the Production System (0073) ............................ 95
7.4.3 Users Are Authorized to Maintain Authorizations Directly in the Production System (0074) ................ 96
7.4.4 SAP Standard Roles Are Assigned to Users (0082) .................................................................................... 97
7.4.5 SAP Standard Profiles Are Assigned to Users (0083) ................................................................................. 97
7.4.6 Profiles on Long Time Locked Users (0089)................................................................................................ 98
7.5 AUTHORIZATIONS ..................................................................................................................................................... 98
7.5.1 Users Are Authorized to Disable Authorization Checks Within Transactions (0102) .............................. 98
7.5.2 Users Are Authorized to Call Any Transaction (0110) ............................................................................... 99
7.5.3 Users Are Authorized to Delete an Authorization Check Before Transaction Start (0111) ...................100
7.5.4 Global Disabling of Authority Checks Is Not Prevented (0104)...............................................................101
7.6 INTERNET COMMUNICATION FRAMEWORK (ICF)........................................................................................................101
7.6.1 Users - Other Than System Administrators - Are Authorized to Activate ICF Services (0655) ..............101
7.6.2 Users - Other Than System Administrators - Are Authorized to Access Table Authorization Group
&NC& (0663) .......................................................................................................................................................102
7.7 HTTP CLIENT ..........................................................................................................................................................103
7.7.1 Additional http Client Connections Found (0682)....................................................................................103
7.7.2 No Proxy Used to Connect to http Servers (0683) ...................................................................................103
7.7.3 No Authorization for S_SICF Required for http Client Access (0684)......................................................104
7.7.4 Client Proxy Does Not Require Client Authentication (0685) ..................................................................104
7.7.5 Additional http Connections with Full Logon Data Found (0687)...........................................................105
7.7.6 No Encryption of Outgoing http Communication (0688) ........................................................................105
7.8 INTERNET COMMUNICATION MANAGER (ICM)..........................................................................................................106
7.8.1 Users - Other Than System Administrators - Are Authorized to Administrate the ICM (0701) ............106
7.8.2 Users - Other Than System Administrators - Are Authorized to Display the http Server Cache (0705)
..............................................................................................................................................................................107
7.8.3 Users - Other Than System Administrators - Are Authorized to Configure the ICM Monitor (0706) ...108
7.8.4 ICM (Internet Communication Manager) Is Active (0704) ......................................................................109
7.9 PSE MANAGEMENT ...............................................................................................................................................109
7.9.1 Users - Other Than System Administrators - Are Authorized to Maintain the System PSE's (0711) ....109
7.9.2 J2EE Engines Allowed to Access the Application Server (0881) ..............................................................110
7.9.3 Users Authorized to Maintain the Sending Systems for User Replication (0864) .................................110
8 HUMAN RESOURCES...................................................................................................................112
8.1 HUMAN RESO URCES GENERAL C HECKS .....................................................................................................................112
8.1.1 Users - Other Than HR Administrators - Are Authorized to Maintain Table T77S0 (0922)...................112
8.1.2 Users - Other Than HR Administrators - Are Authorized to Maintain Tables for Organizational Data
(0923)...................................................................................................................................................................113
8.1.3 Users - Other Than HR Administrators - Are Authorized to Read the Infotype Change Log (0924) .....114
8.1.4 Users - Other Than HR Administrators - Are Authorized to Read HR Tables with Person Related Data
(0925)...................................................................................................................................................................115
8.1.5 Users - Other Than HR Administrators - Are Authorized to Change HR Tables with Person Related Data
(0926)...................................................................................................................................................................116
8.1.6 Users - Other Than HR Administrators - Are Authorized to Maintain Client Dependent HR Customizing
(0927)...................................................................................................................................................................117
8.1.7 Users - Other Than HR Administrators - Are Authorized to Run All HR Transactions (0928) ...............118
8.1.8 Users - Other Than HR Administrators - Have Broad Authorization on HR Reports (0929)..................119
8.2 PERSONAL ADMINISTRATION ...................................................................................................................................120
8.2.1 Users - Other Than HR Administrators - Are Authorized to Read HR Master Data (0936) ...................120
8.2.2 Users - Other Than HR Administrators - Are Authorized to Change Master Data without Double
Verification (0937) ..............................................................................................................................................121
Summary
Confidential
5/143
Security Optimization Service
10.02.2016
8.3 PAYROLL ...............................................................................................................................................................122
8.3.1 Users - Other Than HR Administrators - Are Authorized to Read Payroll Results (0946) .....................122
8.3.2 Users - Other Than HR Administrators - Are Authorized to Maintain Personnel Calculation Schemas
(0947)...................................................................................................................................................................123
8.3.3 Users - Other Than HR Administrators - Are Authorized to Release a Payroll Run (0950) ...................123
8.3.4 Users - Other Than HR Administrators - Are Authorized to Delete Payroll Results (0951) ...................124
9 APPENDIX .................................................................................................................................126
9.1 GENERAL INFORMATION ABO UT THE SAP SECURITY OPTIMIZATION SERVICE ..................................................................126
9.2 RATING OVERVIEW .................................................................................................................................................127
9.3 CUSTOMIZING OF REPORT O UTPUT T ABLES ...............................................................................................................134
9.4 USED QUESTIONNAIRE ............................................................................................................................................134
10 APPENDED QUESTIONNAIRE - SAP NETWEAVER APPLICATION SERVER ABAP.....................................135
10.1 CLIENTLIST (0000)...............................................................................................................................................135
10.2 PRINT THE USER D ATA (ALL CHECKS)......................................................................................................................135
10.3 USER AUTHORIZATIONS ........................................................................................................................................135
10.3.1 User Segregation (0004) .........................................................................................................................135
10.3.2 Powerful Users .........................................................................................................................................135
10.3.2.1 Super Users (0021)................................................................................................................................. 135
10.3.2.2 System Administration ........................................................................................................................... 136
10.3.2.2.1 System Administrators (0151) ......................................................................................................... 136
10.3.2.2.2 Background Administrators (0217) .................................................................................................. 136
10.3.2.2.3 Spool Administrators (0191) ............................................................................................................ 136
10.3.2.2.4 Transport Administrators (0351) ..................................................................................................... 136
10.3.2.3 User Administration ............................................................................................................................... 137
10.3.2.3.1 Super User Administrators (0025) ................................................................................................... 137
10.3.2.3.2 User Administrators (0001) ............................................................................................................. 137
10.3.2.3.3 Role & Auth Administrators (0071) .................................................................................................. 137
10.3.2.4 Batch Input Administrators (0224) .......................................................................................................... 138
10.3.2.5 Key Users (0511) .................................................................................................................................... 138
10.3.2.6 Query Administrators (0516) .................................................................................................................. 138
10.3.3 Trusted RFC users which can be called by any calling user (0249) .......................................................138
10.4 RFC CONNECTIONS ..............................................................................................................................................139
10.4.1 Trusting Systems (Outgoing) (0271) .......................................................................................................139
10.4.2 Trusted Systems (Incoming) (0246) ........................................................................................................139
10.4.3 RFC Connections with Complete Logon Data (0251).............................................................................139
10.5 SYSTEMS A LLOWED TO ISSUE TRUSTED SSO TICKETS (0602) ....................................................................................139
10.6 TRUSTED CERTIFICATION AUTHORITIES (CAS) FROM WHICH CERTIFICATES ARE ACCEPTED (0629)...................................140
10.7 SCAN OF TRANSPORTS (0348)...............................................................................................................................140
10.8 SCAN OF SOURCE CODE (0335).............................................................................................................................140
10.9 USE OF THE J2EE E NGINE (0771)..........................................................................................................................140
11 APPENDED QUESTIONNAIRE - SAP HUMAN CAPITAL MANAGEMENT ................................................141
11.1 HCM ADMINISTRATORS (0921)............................................................................................................................141
12 APPENDED QUESTIONNAIRE - CUSTOMER DEFINED AUTHORIZATION CHECKS ...................................142
12.1 CUSTOMER DEFINED AUTHORIZATION (9000).........................................................................................................143
Summary
Confidential
6/143
Security Optimization Service
10.02.2016
1 Summary
Severe critical security issues were found in your system.
See the information in the following sections.
The SAP Security Optimization service is a comprehensive support service that identifies security risks for your
SAP system and helps you to determine the appropriate measures to protect it from these risks.
Objective of the SAP Security Optimization Service
The objectives of SAP Security Optimization are:
- To analyze the technical configuration of your SAP system for security risks
- To provide recommendations for implementing measures to mitigate security risks
- To provide a compressed overview of the implemented security level
- To enable you to protect your business systems from typical security risks
The security checks of SAP Security Optimization are performed for the following security aspec ts:
- Availability: ensuring that a system is operational and functional at any given moment
- Integrity: ensuring that data is valid and cannot be compromised
- Authenticity: ensuring that users are who they claim to be
- Confidentiality: ensuring that information is not accessed by unauthorized persons
- Compliance: ensuring that the system security setup is in accordance with established guidelines
Scope of SAP Security Optimization
SAP Security Optimization includes a collection of several hundred checks. These checks identify security
vulnerabilities in the current setup and configuration of mySAP technology. The checks are performed on the SAP
software layer. For a security analysis of the underlying operating system and database, consult your vendor; for a
security analysis of the network, contact your preferred network security provider.
The SAP Security Optimization service cannot cover customer-specific aspects that require a detailed on-site
analysis, such as the following checks:
- Segregation of duties for business-critical processes
- Security organization (organizational security)
- Security administration processes (operational security)
For a complete overview of existing security risks to your business system, the topics listed above have to be
taken into consideration. SAP's Security Consulting Team can assist you with individual on-site consulting
services to obtain guidance on aspects of security.
The following list provides an overview of the selected checks that are decisive for the severe critical ("RED")
rating of this service.
ABAP-SPECIFIC TOPICS
Check Name
Security Audit Log is not active (0170)
Additional Super User Accounts Found (0022)
Users Are Authorized to Debug and Replace Field Values in the Production System (0308)
Users Are Authorized to Maintain All Tables (0514)
Users Are Authorized to Execute All Function Modules (0520)
System Change Option Not Appropriately Configured in the Production System (0301)
Summary
Confidential
7/143
Security Optimization Service
10.02.2016
2 Detected Issues
The following list gives you an overview of all checks in the SAP Security Optimization service that are rated with
a high risk:
Action Items
*** Special Focus Checks ***
22 Additional Super User Accounts Found (0022)
*** Authentication ***
*** Password Policy ***
Password Complexity
Trivial Passwords Are Not Sufficiently Prohibited (0125)
Initial Passwords
Users with Initial Passwords Who Have Never Logged On (0009)
Users with Reset Password Who Have Not Logged On (0140)
Interval for Password Change Is Too Long (0127)
*** General Authentication ***
Users - Other Than User Administrators - Are Authorized to Change Passwords (0121)
Users - Other Than User Administrators - Are Authorized to Lock/Unlock Users (0135)
*** SAP GUI Single Sign-On (SSO) ***
Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of SNC Users to SAP Users
(0594)
*** Single Sign-On (SSO) Ticket ***
Unspecified Accepting of SSO Tickets (0603)
Users - Other Than System Administrators - Are Authorized to Maintain Trusted SSO Ticket Issuing Systems
(0605)
*** Certificate SSO ***
Users - Other Than System Administrators - Are Authorized to Maintain Trusted CAs (0624)
Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via SNC0 (0625)
Users - Other Than System Administrators - Are Authorized to Maintain Table SNCSYSACL via Table
Maintenance (0626)
Users - Other Than User Administrators - Are Authorized to Maintain the Mapping of X.509 Users to SAP Users
(0622)
*** Basis Administration and Basis Authorizations ***
*** Basis Administration ***
33 Users - Other Than System Administrators - Are Authorized to Maintain System Profiles (0152)
33 Users - Other Than System Administrators - Are Authorized to Start/Stop Application Servers (0154)
279 Users - Other Than System Administrators - Are Authorized to Start/Stop Work Processes (0156)
26 Users - Other Than System Administrators - Are Authorized to Lock/Unlock Transactions (0157)
11625 Users - Other Than System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159)
11618 Users - Other Than System Administrators - Are Authorized to Delete or Reprocess Broken Updates
(0161)
11730 Users - Other Than System Administrators - Are Authorized to Activate a Trace (0163)
System Profiles Are Not Consistent (0153)
Security Audit Log is not active (0170)
*** Spool & Printer ***
11726 Users - Other Than Spool Administrators - Are Authorized to Display Other Users Spool Requests (0192)
11726 Users - Other Than Spool Administrators - Are Authorized to Display Protected Spool Requests of Other
Users (0
Detected Issues
Confidential
8/143
Security Optimization Service
10.02.2016
Action Items
11726 Users - Other Than Spool Administrators - Are Authorized to Display the TemSe Content (0193)
11726 Users - Other Than Spool Administrators - Are Authorized to Change the Owner of Spool Requests (0194)
11726 Users - Other Than Spool Administrators - Are Authorized to Redirect a Print Request to Another Printer
(0195)
11726 Users - Other Than Spool Administrators - Are Authorized to Export a Print Request (0196)
*** Background ***
Periodic Background Jobs Scheduled with User of Type Other Than 'SYSTEM' (0211)
11748 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212)
32 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs in External Commands
(0213)
11746 Users - Other Than Background Administrators - Are Authorized to Schedule Jobs Under Another User Id
(0214)
*** OS Access ***
32 Users - Other Than System Administrators - Are Authorized to Define External OS Commands (0171)
11728 Users - Other Than System Administrators - Are Authorized to View Content of OS Files with AL11 (0173)
*** Outgoing RFC ***
Unexpected RFC Connections with Complete Logon Data Found (0254)
11486 Users - Other Than System Administrators - Are Authorized to Administer RFC Connections (0255)
11620 Users - Other Than System Administrators - Are Authorized to Maintain Trusting Systems (0268)
*** Incoming RFC ***
11791 Users Are Authorized to Run Any RFC Function (0241)
274 Users - other than Key Users - are Authorized to Visualize All Tables via RFC (0245)
1271 Users authorized for Trusted RFC which can be called from any calling user (0248)
Unexpected Trusted System Connections Found (0238)
11620 Users - Other Than System Administrators - Are Authorized to Maintain Trusted Systems (0240)
*** Application Link Enabling (ALE) ***
11618 Users - Other Than System Administrators - Allowed to Maintain the ALE Distribution Model (0723)
11738 Users - Other Than System Administrators - Allowed to Maintain the Partner Profile (0724)
*** User Authorization ***
*** User Management ***
11602 Users - Other Than the User Administrators - Are Authorized to Maintain Users (0002)
1393 User Administrators Are Authorized to Change Their Own User Master Record (0003)
300 User Administrators Are Allowed to Maintain Users of Any Group (0004)
11561 Users with Authorizations for User and Role/Profile/Authorization Maintenance (0008)
Usage of 'Normal' Users as Reference Users Is Not Prohibited (0012)
11747 Users - Other Than User Administrators - Are Authorized to Access Tables with User Data (0013)
11734 Users - Other Than User Administrators - Are Authorized to Call Function Modules for User Admin (0019)
*** Super Users ***
111 Unexpected Users Are Authorized to Change a Super User Accounts (0026)
14 Users with Profile SAP_NEW (0031)
*** Standard Users ***
Usage of the hard coded user SAP* is not disabled (0046)
*** Role & Authorization Management ***
11575 Users Are Authorized to Maintain Roles Directly in the Production System (0072)
11564 Users Are Authorized to Maintain Profiles Directly in the Production System (0073)
Detected Issues
Confidential
9/143
Security Optimization Service
10.02.2016
Action Items
49 Users Are Authorized to Maintain Authorizations Directly in the Production System (0074)
SAP Standard Roles Are Assigned to Users (0082)
SAP Standard Profiles Are Assigned to Users (0083)
*** Authorizations ***
41 Users Are Authorized to Disable Authorization Checks Within Transactions (0102)
24 Users Are Authorized to Call Any Transaction (0110)
11 Users Are Authorized to Delete an Authorization Check Before Transaction Start (0111)
*** Change Management ***
*** Data & Program Access ***
11636 Users - Other Than Key Users - Are Authorized to Start All Reports (0512)
171 Users - Other Than Key Users - Are Authorized to Display All Tables (0513)
30 Users Are Authorized to Maintain All Tables (0514)
11620 Users - Other Than System Administrators - Are Authorized to Change the Authorization Group of Tables
(0515)
11727 Users - Other Than Query Administrators - Are Authorized to Administer Queries (0517)
11735 Users Are Authorized to Execute All Function Modules (0520)
*** Change Control ***
System Change Option Not Appropriately Configured in the Production System (0301)
24 Users - Other Than System Administrators - Are Authorized to Change the System Change Option (0303)
24 Users - Other Than System Administrators - Are Authorized to Change the Client Change Option (0304)
24 Users - Other Than System Administrators - Are Authorized to Create New Clients (0305)
24 Users Are Authorized to Delete Clients (0306)
67 Users Are Authorized to Development in the Production System (0307)
11695 Users Are Authorized to Debug and Replace Field Values in the Production System (0308)
29 Users Are Authorized to Perform Customizing in the Production System (0309)
11741 Users Are Authorized to Develop Queries in the Production System (0310)
*** Transport Control ***
38 Users - Other Than Transport Administrators - Are Authorized to Change the TMS Configuration (0341)
24 Users - Other Than Transport Administrators - Are Authorized to Start Imports to Production (0342)
239 Users - Other Than Transport Administrators - Are Authorized to Create and Release Transports (0343)
18 Users - Other Than Transport Administrators - Are Authorized to Apply Patches (0363)
*** Internet Communication Framework (ICF) ***
281 Users - Other Than System Administrators - Are Authorized to Activate ICF Services (0655)
11747 Users - Other Than System Administrators - Are Authorized to Access Table Authorization Group &NC&
(0663)
*** http Client ***
Additional http Client Connections Found (0682)
Additional http Connections with Full Logon Data Found (0687)
No Encryption of Outgoing http Communication (0688)
*** Internet Communication Manager (ICM) ***
280 Users - Other Than System Administrators - Are Authorized to Administrate the ICM (0701)
280 Users - Other Than System Administrators - Are Authorized to Display the http Server Cache (0705)
280 Users - Other Than System Administrators - Are Authorized to Configure the ICM Monitor (0706)
*** PSE Management ***
32 Users - Other Than System Administrators - Are Authorized to Maintain the System PSE's (0711)
Detected Issues
Confidential
10/143
Security Optimization Service
10.02.2016
Action Items
11669 Users Authorized to Maintain the Sending Systems for User Replication (0864)
*** Human Resources ***
*** Human Resources General Checks ***
11619 Users - Other Than HR Administrators - Are Authorized to Maintain Table T77S0 (0922)
11619 Users - Other Than HR Administrators - Are Authorized to Maintain Tables for Organizational Data (0923)
11636 Users - Other Than HR Administrators - Are Authorized to Read the Infotype Change Log (0924)
11747 Users - Other Than HR Administrators - Are Authorized to Read HR Tables with Person Related Data
(0925)
11618 Users - Other Than HR Administrators - Are Authorized to Change HR Tables with Person Related Data
(0926)
11618 Users - Other Than HR Administrators - Are Authorized to Maintain Client Dependent HR Customizing
(0927)
2 Users - Other Than HR Administrators - Are Authorized to Run All HR Transactions (0928)
11634 Users - Other Than HR Administrators - Have Broad Authorization on HR Reports (0929)
*** Personal Administration ***
11663 Users - Other Than HR Administrators - Are Authorized to Read HR Master Data (0936)
11657 Users - Other Than HR Administrators - Are Authorized to Change Master Data without Double
Verification (0937)
*** Payroll ***
11627 Users - Other Than HR Administrators - Are Authorized to Read Payroll Results (0946)
11618 Users - Other Than HR Administrators - Are Authorized to Maintain Personnel Calculation Schemas
(0947)
11618 Users - Other Than HR Administrators - Are Authorized to Release a Payroll Run (0950)
11686 Users - Other Than HR Administrators - Are Authorized to Delete Payroll Results (0951)
Recommendation: Look at the list of the action items above very carefully and decide if anything on this
list needs to be adjusted in your environment.
First, read the complete report, and then decide for each check whether it is advisable for you to change
the current situation. Sometimes you will find out that your current situation is sufficient, even if checks are
rated with a medium or even high risk. Since every SAP implementation is different, you have to adjust this
general report to your particular situation.
Detected Issues
Confidential
11/143
Security Optimization Service
10.02.2016
3 Special Focus Checks
3.1 XXX Client Overview
The following table lists clients that are available in the analyzed system and clients that have been specified in
the questionnaire for analysis.
Client Not
Analyzed
Clients
Clients
Available in Requested in
the System Questionnaire
000
All Users Valid Users
000
001
Locked
Users
Outdated
Users
634
614
18
2
457
456
1
0
002
002
2.238
2.205
33
0
004
004
19.222
19.090
9
123
200
200
771
619
152
0
779
762
17
0
211
Clients that are not analyzed are highlighted in yellow.
For several key figures, the analysis is restricted to the clients specified in the questionnaire.
Recommendation: Review the list and check whether the analyzed clients fulfill your needs.
3.2 Additional Super User Accounts Found (0022)
In this system, the following super user accounts were found that were not mentioned in the questionnaire. (These
are the users having the profile SAP_ALL).
All super user accounts that were found in your system are REMOVED from all the following checks. This means
that checks that report 5 authorized users, for example, actually have 5 users and ALL super user accounts
authorized for your system. Keep this in mind when you look at all other checks below.
Client User
Type Last Name
First Name
Department
User
Group
000
AANYONE
A
Anyone
Amanda
IT
SUPER
000
ADMIN
A
Administrator
General
IT
SUPER
000
DDIC
A
DDIC
DDIC
IT
000
FF1
A
Fighter
Fire
IT
SUPER
000
FF2
A
Fighter
Fire
IT
SUPER
000
SAP*
A
000
SAPSUPPORT
A
Support
SAP
IT
EXTERN
000
WF_BATCH
B
BATCH
WF
IT
000
Count :
7
[0%]
002
ADMIN
A
Administrator
General
IT
002
DDIC
A
DDIC
DDIC
IT
002
FF1
A
Fighter
Fire
IT
SUPER
002
SAP*
A
002
SAPSUPPORT
A
Support
SAP
IT
EXTERN
002
WF_BATCH
B
BATCH
WF
IT
002
Count :
5
[0%]
004
ADMIN
A
Administrator
General
IT
004
DDIC
A
DDIC
DDIC
IT
004
FF1
A
Fighter
Fire
IT
004
SAP*
A
Special Focus Checks
Confidential
SUPER
SUPER
SUPER
12/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
004
SAPSUPPORT
A
Support
SAP
IT
EXTERN
004
WF_BATCH
B
BATCH
WF
IT
004
Count :
5
[0%]
200
ADMIN
A
Administrator
General
IT
200
DDIC
A
DDIC
DDIC
IT
200
FF1
A
Fighter
Fire
IT
SUPER
200
SAP*
A
200
SAPSUPPORT
A
Support
SAP
IT
EXTERN
200
WF_BATCH
B
BATCH
WF
IT
200
Count :
5
[0%]
SUPER
Evaluated Risk - High
Recommendation:
Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use transaction SU02
(Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and authorizations,
depending on your environment. You can use the authorization information system (SUIM) to check the
results. For this check, we recommend that you examine the roles or profiles that include the authorization
objects listed below.
Special Focus Checks
Confidential
13/143
Security Optimization Service
10.02.2016
4 Authentication
4.1 Password Logon Is at Least Partly Allowed (0139)
Logging on with passwords is at least partially allowed. Allow all users to log on with their password
(login/disable_password_logon = 0), or at least special groups that are described in the parameter
login/password_logon_usergroup.
Recommendation:
If you are not using Single Sign-On (SSO), at least think about implementing an SSO solution. To further
increase the security of your systems, prevent users from logging on with their passwords .
4.2 Password Policy
If password login is allowed for specific instances only, the password policy is checked only for these instances.
4.2.1 Password Complexity
4.2.1.1 Minimum Password Length (0126)
PARAMETER: LOGIN/MIN_PASSWORD_LNG
Rating
Instance
Current Value(s)
Recommended Value
All instances
6
8
Evaluated Risk - Medium
The current system settings allow a password length of less than 8 characters.
This allows weak passwords. Attackers may successfully recover these passwords and gain unauthorized access
to the system.
Recommendation: Assign a minimum value of 8 to the profile parameter login/min_password_lng.
4.2.1.2 Trivial Passwords Are Not Sufficiently Prohibited (0125)
Parameter
Description
Current Value
Recommendation
USR40 Entries
Number of entries in USR40
0
100
Evaluated Risk - High
No entries are maintained in table USR40. This table is used for preventing passwords from being guessed easily.
In this table you could exclude your company name, your town, your products, and so on. You can use the
wildcard ("*") for generic entries.
Recommendation:
Maintain at least 100 values in table USR40.
4.2.2 Initial Passwords
4.2.2.1 Users with Initial Passwords Who Have Never Logged On (0009)
Client
Initial Passwords [%]
000
7
002
9
004
32
200
7
Evaluated Risk - High
Recommendation:
Check why so many users have initial passwords. Ask these users to change their passwords using the
profile parameter login/password_change_for_SSO, for example. Or delete these users if they do not need
access to the SAP system.
You can use report RSUSR200 of the User Information System (transaction SUIM) to identity users with
Authentication
Confidential
14/143
Security Optimization Service
10.02.2016
initial passwords.
4.2.2.2 Users with Reset Password Who Have Not Logged On (0140)
Client
Reset Passwords [%]
002
11
Evaluated Risk - High
Recommendation:
Check why so many users have passwords that have been reset. Ask them to change their passwords
with, for example profile parameter login/password_change_for_SSO. Or delete these users if they do not
need access to the SAP system.
4.2.3 Interval for Logon with Productive Password Is Too Long (AU081)
PARAMETER: LOGIN/PASSWORD_MAX_IDLE_PRODUCTIVE
Rating
Instance
Current Value
Recommended Value
All instances
0
>0
Evaluated Risk - Medium
As of SAP NetWeaver 7.00, SAP supports this parameter to encourage your users to create more secure
passwords.
Recommendation: Activate profile parameter login/password_max_idle_productive.
This parameter specifies the maximum period for which a productive password (a password chosen by the
user) remains valid if it is not used. After this period has expired, the password can no longer be used for
authentication purposes.
For more information, see:
SAP Note 327917 - New user types as of Release 4.6C
SAP Note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)
Online Help – Profile Parameters for Logon and Password (Login Parameters)
4.2.4 Interval for Password Change Is Too Long (0127)
PARAMETER: LOGIN/PASSWORD_EXPIRATION_TIME
Rating
Instance
Current Value
Recommended Value
All instances
0
30
Evaluated Risk - High
You are currently using a password change interval of more than 120, or you have deactivated this option
completely.
Recommendation: Change the profile parameter login/password_expiration_time to 30 (or at least not
higher than 60, and definitely not to 0 (disabled)).
4.2.5 Security Attack Indicated by Users Locked due to Incorrect Logon
Attempts (0141)
Client
% locked incorrect logon SAP* or DDIC locked?
000
1X
200
1X
Evaluated Risk - Medium
SAP* or DDIC users are locked because of incorrect logon attempts or at least 5% of your users are locked in one
client.
Recommendation:
Check who is causing these incorrect logon attempts to attack your system or who cannot remember their
Authentication
Confidential
15/143
Security Optimization Service
10.02.2016
password.
4.3 General Authentication
4.3.1 Users Who Have Not Logged On for an Extended Period of Time (0010)
Client
User [%]
000
86
002
49
004
65
200
90
Evaluated Risk - Medium
Recommendation:
A large number of users have not logged on to the SAP system in the last 2 months. Determine the reason
for this. Either there are users registered in the SAP system who never use the system, or there are users
in your system who are no longer in your company. Since the SAP license is user-based, we recommend
that you check this and either delete or lock some of the users. You can use report RSUSR200 of the User
Information System (transaction SUIM) to identity users with initial passwords.
4.3.2 Security Critical Events for End Users Are Not Logged in the Security
Audit Log (0136)
Client
Logging
000
Deactivated
002
Deactivated
004
Deactivated
200
Deactivated
Evaluated Risk - Medium
Recommendation:
Use transaction SM19 to activate logging of failed logon attempts for all your users in all clients. It is then
possible to find out who performed which action, and how to detect an unauthorized logon attempt.
4.3.3 Interval After Which Inactive Users Are Logged Off Is Too Long (0137)
PARAMETER: RDISP/GUI_AUTO_LOGOUT
Rating
Instance
Current Value
Recommended Value
All instances
36000
1800
Evaluated Risk - Medium
If you deactivate this parameter by setting it to '0' or if you use a value higher than 1 hour, it is likely that users
who are no longer in the office remain logged on. If you do not use screen savers at all workstations, this could
result in other users accessing these workstations to get to unauthorized information.
Recommendation: Set this value to 1800 or 3600, for example, to reduce this risk as far as possible. Also,
do not automatically log off users who have been idle for only a few minutes.
4.3.4 Multiple Logons Using the Same User ID Is Not Prevented (0138)
PARAMETER: LOGIN/DISABLE_MULTI_ GUI_LOGIN
Rating
Instance
Current Value
Recommended Value
All instances
0
1
Sharing user accounts does not allow you to trace security violations and may result in users having too many
authorizations.
Authentication
Confidential
16/143
Security Optimization Service
10.02.2016
Recommendation: Set this value to '1' so that each user has to log on with a different account.
4.3.5 Users - Other Than User Administrators - Are Authorized to Change
Passwords (0121)
The following users are allowed to change and reset passwords. This is very risky because all these users could
change the password and log on themselves with any user. The only consequence is that the "real user" would no
longer be able to log on, because the password has been changed. This results in the password being reset
because there is a chance that the "real user" might think they have forgotten the correct password.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use
transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and
authorizations, depending on your environment. You can use the authorization information system (SUIM)
to check the results. For this check, we recommend that you examine the roles or profiles that include the
Authentication
Confidential
17/143
Security Optimization Service
10.02.2016
authorization objects listed below.
Authorization Objects:
Object 1: S_TCODE with TCD=SU01 or TCD=OIBB or TCD=OOUS or TCD=OPF0 or TCD=OPJ0 or
TCD=OVZ5 [as well as all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=05
4.3.6 Users - Other Than User Administrators - Are Authorized to Lock/Unlock
Users (0135)
Unauthorized system access because it is possible to unlock any user. In addition, interfaces may malfunction
which results in the connected user being locked.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use
transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and
authorizations, depending on your environment. You can use the authorization information system (SUIM)
to check the results. For this check, we recommend that you examine the roles or profiles that include the
Authentication
Confidential
18/143
Security Optimization Service
10.02.2016
authorization objects listed below.
Authorization Objects:
Object 1: S_TCODE with TCD=SU01 or TCD=OIBB or TCD=OOUS or TCD=OPF0 or TCD=OPJ0 or
TCD=OVZ5 [as well as all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=05
4.4 Password Based Authentication Admits Password Attacks
(0591)
You have deactivated SNC (snc/enable=0) or at least do not use it for the authentication of SAP GUI users since
there are no SNC entries in the table USRACL.
SNC enables external authentication and therefore allows a higher security level for your system (by using smart
cards with user credentials, for example).
Since your system allows password authentication, a password attack is still possible (although you can minimize
this risk by enforcing a password policy).
4.5 SAP GUI Single Sign-On (SSO)
4.5.1 Password Logon Is Allowed to SNC Enabled Servers (0592)
PARAMETER: SNC/ACCEPT_INSECURE_ GUI
Rating
Instance
Current Value
Recommended Value
All instances
1
0
You are still allowing access to the system without SSO, even though you have enabled SNC on the server. This
means that passwords are still vulnerable to attack.
Recommendation: Check whether it is really necessary to allow authentication by means of passwords. At
least change this parameter to '0' for general purposes, and to '1' (or, even better, to 'U') on the central
instance for administration purposes.
4.5.2 Users - Other Than User Administrators - Are Authorized to Maintain the
Mapping of SNC Users to SAP Users (0594)
If user mapping can be maintained, access as a different user is possible. This is very critical in an SSO
environment.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
Authentication
Confidential
19/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use
transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and
authorizations, depending on your environment. You can use the authorization information system (SUIM)
to check the results. For this check, we recommend that you examine the roles or profiles that include the
authorization objects listed below.
Authorization Objects:
Object 1: S_TCODE with TCD=SM30 or TCD=SM31 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=SCUS
Object 3: S_USER_GRP with ACTVT=02
4.5.3 SAP User IDs Have More Than One SNC User Attached (0595)
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
Authentication
Confidential
20/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
The table above contains all SNC names that are allowed to log on with more than one SAP user.
Recommendation:
To reduce risk, limit the number of these users.
4.6 Single Sign-On (SSO) Ticket
4.6.1 Unspecified Accepting of SSO Tickets (0603)
Client
Further System
002
ABC
002
Count:
Count
1
Evaluated Risk - High
The system found that you accept SSO tickets from more systems than specified in the questionnaire.
Recommendation:
Check the entries in table TWPSSO2ACL by using transaction SE16 or SM30 or STRUSTSSO2. Table
TWPSSO2ACL contains all systems from which you accept SSO tickets.
4.6.2 Users - Other Than System Administrators - Are Authorized to Maintain
Trusted SSO Ticket Issuing Systems (0605)
Table TWPSSO2ACL contains all systems that are trusted issuers of SSO tickets. Therefore, only system
administrators must be authorized to maintain this table. Otherwise the problem arises that more systems could
be entered from here.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
Authentication
Confidential
21/143
Security Optimization Service
10.02.2016
First Name
Department
User
Group
Doe
John
IT
SUPER
A
Mustermann
Max
IT
SUPER
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Client User
Type Last Name
004
Count :
843
[4%]
200
JDOE
A
200
MMUSTERM
200
Evaluated Risk - High
Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use
transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and
authorizations, depending on your environment. You can use the authorization information system (SUIM)
to check the results. For this check, we recommend that you examine the roles or profiles that include the
authorization objects listed below.
Authorization Objects:
Object 2: S_TCODE with TCD=SM30 or TCD=SM31 or TCD=SE16 or TCD=SE16N [as well as all relevant
parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=SS
Object 3: S_RZL_ADM with ACTVT=01
Object 4: S_ADMI_FCD with S_ADMI_FCD=NADM
4.7 Certificate SSO
4.7.1 External Authentication via Client Certificates (0621)
External authentication by means of client certificates to log on to your system is enabled. Therefore, the system
performs the following checks to try to reduce the vulnerability of the corresponding settings.
4.7.2 Trusted Certification Authorities (0623)
You currently trust the following certification authorities (CA):
(This can be changed in transaction STRUST.)
Name
Category Description Distinguished name
Flag
valid
from
valid
until
DTELEKOM TEST
Deutsche
CN=Deutsche Telekom Test Root CA 1,
Telekom Test OU=Trust Center Deutsche Telekom, O=TRoot CA 1
Systems Enterprise Services GmbH, C=DE
20061122 20141122
DTELEKOM USER
Deutsche
Telekom
OnlinePass
CA
19990709 20190709
ENTRUST
SERV
CN=Entrust.net Secure Server Certification
Entrust.net
Authority, OU=(c) 1999 Entrust.net Limited,
Secure Server
OU=www.entrust.net/CPS incorp. by ref.
CA
(limits liab.), O=Entrust.net, C=US
19990525 20190525
ENTRUST
TEST
Entrust PKI
OU=Entrust PKI Demonstration Certificates,
Demonstration
O=Entrust, C=US
CA
20010907 20210907
USER
Entrust.net
Secure
Personal
Server CA
19991012 20191012
ENTRUST
CN=Deutsche Telekom Root CA 1, OU=TTeleSec Trust Center, O=Deutsche Telekom
AG, C=DE
CN=Entrust.net Client Certification Authority,
OU=(c) 1999 Entrust.net Limited,
OU=www.entrust.net/Client_CA_Info/CPS in
corp. by ref. limits liab., O=Entrust.net, C=US
Authentication
Confidential
22/143
Security Optimization Service
10.02.2016
Name
Category Description Distinguished name
EQUIFAX
CA
Flag
valid
from
valid
until
Equifax
Secure CA
OU=Equifax Secure Certificate Authority,
O=Equifax, C=US
19980822 20180822
SAPTRUST SERV
SAP Server
CA
CN=SAPNetCA, OU=SAPNet, O=SAP-AG,
C=DE
19980504 20150718
SAPTRUST USER
SAP Passport CN=SAP Passport CA, O=SAP Trust
CA
Community, C=DE
20000718 20150718
SAP_WP
SAP
CN=mySAP.com Workplace CA (dsa),
Workplace CA
O=mySAP.com Workplace, C=DE
(DSA)
20000101 20380101
TCTRUSTC CA
TC
TrustCenter
Class 2 CA II
20060112 20251231
TCTRUSTC ICA
TC
CN=TC TrustCenter Class 2 L1 CA XI,
TrustCenter
OU=TC TrustCenter Class 2 L1 CA, O=TC
Class 2 L1 CA
TrustCenter GmbH, C=DE
XI
20091103 20251231
TCTRUSTC ISRV
TC
TrustCenter
SSL CA I
CN=TC TrustCenter SSL CA I, OU=TC
TrustCenter SSL CA, O=TC TrustCenter
GmbH, C=DE
20080815 20130214
TCTRUSTC SERV
TC
TrustCenter
Class 2 CA
EMAIL=certificate@trustcenter.de, OU=TC
TrustCenter Class 2 CA, O=TC TrustCenter
for Security in Data Networks GmbH,
L=Hamburg, SP=Hamburg, C=DE
19980309 20110101
TCTRUSTC TEST
TC
TrustCenter
Class 0 CA
EMAIL=certificate@trustcenter.de, OU=TC
TrustCenter Class 0 CA, O=TC TrustCenter
for Security in Data Networks GmbH,
L=Hamburg, SP=Hamburg, C=DE
19980309 20110101
TCTRUSTC USER
TC
TrustCenter
Class 1 CA
EMAIL=certificate@trustcenter.de, OU=TC
TrustCenter Class 1 CA, O=TC TrustCenter
for Security in Data Networks GmbH,
L=Hamburg, SP=Hamburg, C=DE
19980309 20110101
THAWTE
SERV
EMAIL=server-certs@thawte.com,
Thawte Server CN=Thawte Server CA, OU=Certification
CA
Services Division, O=Thawte Consulting cc,
L=Cape Town, SP=Western Cape, C=ZA
19960801 20201231
THAWTE
TEST
Thawte Test
CA
CN=Thawte Test CA Root, OU=TEST TEST
TEST, O=Thawte Certification, SP=FOR
TESTING PURPOSES ONLY, C=ZA
19960801 20201231
VERIC1G1
CA
VeriSign
OU=Class 1 Public Primary Certification
Class 1 Public
Authority, O="VeriSign, Inc.", C=US
Primary CA
19960129 20280801
CA
VeriSign
Class 1 Public
Primary CA 2nd
generation
19980518 20280801
VERIC1G3
CA
CN=VeriSign Class 1 Public Primary
VeriSign
Certification Authority - G3, OU="(c) 1999
Class 1 Public
VeriSign, Inc. - For authorized use only",
Primary CA OU=VeriSign Trust Network, O="VeriSign,
3rd generation
Inc.", C=US
19991001 20360716
VERIC2G1
CA
VeriSign
OU=Class 2 Public Primary Certification
Class 2 Public
Authority, O="VeriSign, Inc.", C=US
Primary CA
19960129 20280801
VERIC2G2
CA
VeriSign
OU=VeriSign Trust Network, OU="(c) 1998
Class 2 Public
VeriSign, Inc. - For authorized use only",
Primary CA -
19980518 20280801
VERIC1G2
SERV
CN=TC TrustCenter Class 2 CA II, OU=TC
TrustCenter Class 2 CA, O=TC TrustCenter
GmbH, C=DE
OU=VeriSign Trust Network, OU="(c) 1998
VeriSign, Inc. - For authorized use only",
OU=Class 1 Public Primary Certification
Authority - G2, O="VeriSign, Inc.", C=US
Authentication
Confidential
23/143
Security Optimization Service
Name
10.02.2016
Category Description Distinguished name
2nd
generation
Flag
valid
from
valid
until
OU=Class 2 Public Primary Certification
Authority - G2, O="VeriSign, Inc.", C=US
VERIC2G3
CA
CN=VeriSign Class 2 Public Primary
VeriSign
Certification Authority - G3, OU="(c) 1999
Class 2 Public
VeriSign, Inc. - For authorized use only",
Primary CA OU=VeriSign Trust Network, O="VeriSign,
3rd generation
Inc.", C=US
VERIC3G1
CA
VeriSign
OU=Class 3 Public Primary Certification
Class 3 Public
Authority, O="VeriSign, Inc.", C=US
Primary CA
19960129 20280801
CA
VeriSign
Class 3 Public
Primary CA 2nd
generation
19980518 20280801
VERIC3G3
CA
CN=VeriSign Class 3 Public Primary
VeriSign
Certification Authority - G3, OU="(c) 1999
Class 3 Public
VeriSign, Inc. - For authorized use only",
Primary CA OU=VeriSign Trust Network, O="VeriSign,
3rd generation
Inc.", C=US
19991001 20360716
VERISIGN
TEST
VeriSign Trial CN=VeriSign Trial Secure Server Test Root
Secure Server CA, OU=For Test Purposes Only. No
Test Root CA assurances., O="VeriSign, Inc.", C=US
20050209 20250208
VERIC3G2
OU=VeriSign Trust Network, OU="(c) 1998
VeriSign, Inc. - For authorized use only",
OU=Class 3 Public Primary Certification
Authority - G2, O="VeriSign, Inc.", C=US
19991001 20360716
4.7.3 Users - Other Than System Administrators - Are Authorized to Maintain
Trusted CAs (0624)
If more people are allowed to maintain the trusted certification authorities (CA), the risk arises that fake CAs are
trusted as well.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
Authentication
Confidential
24/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use
transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and
authorizations, depending on your environment. You can use the authorization information system (SUIM)
to check the results. For this check, we recommend that you examine the roles or profiles that include the
authorization objects listed below.
Authorization Objects:
Object 1: S_TCODE with TCD=STRUST [as well as all relevant parameter transactions]
Object 2: S_RZL_ADM with ACTVT=01
Object 3: S_ADMI_FCD with S_ADMI_FCD=NADM
4.7.4 Users - Other Than System Administrators - Are Authorized to Maintain
Table SNCSYSACL via SNC0 (0625)
Table SNCSYSACL contains the SNC name of all ITS AGates that are allowed to pass a user certificate to the
system for authentication. Everybody who is allowed to maintain this table can create backdoor access by means
of an unauthorized ITS AGate to the SAP system.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
Authentication
Confidential
25/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use
transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and
authorizations, depending on your environment. You can use the authorization information system (SUIM)
to check the results. For this check, we recommend that you examine the roles or profiles that include the
authorization objects listed below.
Authorization Objects:
Object 1: S_TCODE with TCD=SNC0 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02, DICBERCLS=SCUS
Object 3: S_TABU_CLI with CLIIDMAINT=X
Object 4: S_ADMI_FCD with S_ADMI_FCD=NADM
4.7.5 Users - Other Than System Administrators - Are Authorized to Maintain
Table SNCSYSACL via Table Maintenance (0626)
Table SNCSYSACL contains the SNC name of all ITS AGates that are allowed to pass a user certificate to the
system for authentication. Everybody who is allowed to maintain this table can create backdoor access by means
of an unauthorized ITS AGate to the SAP system.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
Authentication
Confidential
26/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use
transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and
authorizations, depending on your environment. You can use the authorization information system (SUIM)
to check the results. For this check, we recommend that you examine the roles or profiles that include the
authorization objects listed below.
Authorization Objects:
Object 1: S_TCODE with TCD=SM30 or TCD=SM31 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02, DICBERCLS=SCUS
Object 3: S_TABU_CLI with CLIIDMAINT=X
Object 4: S_ADMI_FCD with S_ADMI_FCD=NADM
4.7.6 Users - Other Than User Administrators - Are Authorized to Maintain the
Mapping of X.509 Users to SAP Users (0622)
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
Authentication
Confidential
27/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (transaction PFCG) to correct roles and transactions. Use
transaction SU02 (Maintain Profiles) or transaction SU03 (Maintain Authorizations) to correct profiles and
authorizations, depending on your environment. You can use the authorization information system (SUIM)
to check the results. For this check, we recommend that you examine the roles or profiles that include the
authorization objects listed below.
Authorization Objects:
Object 1: S_TCODE with TCD=SM30 or TCD=SM31 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=SCUS
Object 3: S_USER_GRP with ACTVT=02
If user mapping can be maintained, access as a different user is possible. This is very critical in an SSO
environment.
Authentication
Confidential
28/143
Security Optimization Service
10.02.2016
5 Basis Administration and Basis Authorizations
5.1 Basis Administration
5.1.1 Gateway and Message Server Security (BA076)
5.1.1.1 Gateway Security (BA078)
Gateway Access Control Lists (BA081)
PARAMETERS: GW /SEC_INFO GW /REG_INFO
Rating Instance
Error Condition
All instances
gw/reg_info and gw/sec_info are defined
REG_INFO
Rating Instance
Error Condition
ldcixx_XXX_22
P TP=*
ldai4xx_XXX_22
P TP=*
ldai2xx_XXX_22
P TP=*
ldai3xx_XXX_22
P TP=*
ldai1xx_XXX_22
P TP=*
File does not exist (default)
SEC_INFO
Rating Instance
Error Condition
File does not exist (default)
ldcixx_XXX_22
ldai4xx_ XXX_22
ldai2xx_XXX_22
ldai3xx_XXX_22
ldai1xx_XXX_22
Recommendation: The profile parameters gw/sec_info and gw/reg_info provide the file names of the
corresponding access control lists. These access control lists are critical to controlling RFC access to your
system, including connections to RFC servers. You should create and maintain both access control lists,
which you can do using transaction SMGW. For more information, see
"Configuring[http://help.sap.com/saphelp_nw74/helpdata/en/48/b2096b7895307be10000000a42189b/cont
ent.htm["Configuring Connections between SAP Gateway and External Programs Securely"] on SAP Help
Portal.
5.1.2 Users - Other Than System Administrators - Are Authorized to Maintain
System Profiles (0152)
This authorization allows security-critical system profile parameters to be disabled, otherwise the system might not
be able to restart due to an incorrect configuration.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
Basis Administration and Basis Authorizations
Confidential
29/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object1: S_TCODE with TCD=RZ10 [as well as all relevant parameter transactions]
Object2: S_RZL_ADM with ACTVT=01
5.1.3 Users - Other Than System Administrators - Are Authorized to Start/Stop
Application Servers (0154)
The system might be unavailable due to unauthorized starting and stopping of servers.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
Basis Administration and Basis Authorizations
Confidential
30/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object1: S_TCODE with TCD=RZ03 [as well as all relevant parameter transactions]
Object2: S_RZL_ADM with ACTVT=01
5.1.4 Users - Other Than System Administrators - Are Authorized to Start/Stop
Work Processes (0156)
Unauthorized process administration can result in inconsistencies in processing.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
Basis Administration and Basis Authorizations
Confidential
31/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object1: S_TCODE with TCD=SM04 or TCD=SM50 or TCD=SM51 [as well as all relevant parameter
transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = PADM
5.1.5 Users - Other Than System Administrators - Are Authorized to
Lock/Unlock Transactions (0157)
Risk of unavailability of transactions due to incorrect configuration, or access to locked transactions might be
possible.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
Basis Administration and Basis Authorizations
Confidential
32/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object1: S_TCODE with TCD=SM01 [as well as all relevant parameter transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = TLCK
5.1.6 Users - Other Than System Administrators - Are Authorized to Maintain
Other User's Lock Entries (0159)
Inconsistencies due to incorrect deletion of locks are possible.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
Basis Administration and Basis Authorizations
Confidential
33/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object1: S_TCODE with TCD=SM12 [as well as all relevant parameter transactions]
Object2: S_ENQUE with S_ENQ_ACT = * or S_ENQ_ACT=ALL or S_ENQ_ACT = DLFU
5.1.7 Users - Other Than System Administrators - Are Authorized to Maintain
Own Lock Entries (0166)
Inconsistencies due to incorrect deletion of locks are possible.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - Medium
Basis Administration and Basis Authorizations
Confidential
34/143
Security Optimization Service
10.02.2016
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object1: S_TCODE with TCD=SM12 [as well as all relevant parameter transactions]
Object2: S_ENQUE with S_ENQ_ACT = * or S_ENQ_ACT=ALL or S_ENQ_ACT = DLOU
5.1.8 Users - Other Than System Administrators - Are Authorized to Delete or
Reprocess Broken Updates (0161)
Inconsistencies due to incorrect deletion or reprocessing of updates are possible.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
Basis Administration and Basis Authorizations
Confidential
35/143
Security Optimization Service
10.02.2016
that include the authorization objects listed below.
Authorization objects:
Object1: S_TCODE with TCD=SM13 [as well as all relevant parameter transactions]
Object2: S_ADMI_FCD with S_ADMI_FCD = UADM
5.1.9 Users - Other Than System Administrators - Are Authorized to Activate a
Trace (0163)
Low system performance due to activated SQL trace (ST01).
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
Basis Administration and Basis Authorizations
Confidential
36/143
Security Optimization Service
10.02.2016
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = ST01 or ST05 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = ST0M
5.1.10 System Profiles Are Not Consistent (0153)
Evaluated Risk - High
The profiles in your system are not synchronized. At least one profile has differences between the database and
the file system version.
Recommendation:
Import the profile from all active servers to get the latest state that is currently used into the database. As of
now, ONLY update by using transaction RZ10, and try to activate all changes in the file system soon
afterwards.
Inconsistency flag
X
Parameter
Parameter enque/table_size is different
5.1.11 No Timely Accurate Resolution of Erroneous Locks (0160)
Client
Unremoved Locks Older Than 2 Days
000
10
Evaluated Risk - Medium
Locks may stay in the database after users terminate their sessions incorrectly. This may result in inconsistencies
and other lock issues if nobody maintains old locks and perhaps removes them if an error occurs.
Recommendation:
Always look for old locks in your system. You can do this by using transaction SM12. If you find locks that
are older than 1 day or from yesterday, ask the users what might have caused these locks so that you can
prevent them in future. Finally, if you discover that the locks no longer need to be in the system, delete
them.
5.1.12 Security Audit Log is not active (0170)
The Security Audit Log provides for long-term data access. The audit files are retained until you explicitly delete
them.
Among others, you can record the following information:
- Successful and unsuccessful dialog logon attempts
- Successful and unsuccessful RFC logon attempts
- RFC calls to function modules
- Changes to user master records
- Successful and unsuccessful transaction starts
- Changes to the audit configuration
Other checks within the SOS related to the Security Audit Log:
- Normal Users Are Not Logged in the Security Audit Log (0136)
- User SAP*'s activities are not logged in the SAL (0047)
- User DDIC's activities are not logged in the SAL (0050)
- User SAPCPIC's activities are not logged in the SAL (0055)
- User EARLYWATCH's activities are not logged in the SAL (0060)
- Logging of OSS User Activities in the SAL? (0533)
Evaluated Risk - High
Rating
Instance
Current Value
Recommended
Value
All instances
0
1
Recommendation to customize the Security Audit Log.
Basis Administration and Basis Authorizations
Confidential
37/143
Security Optimization Service
10.02.2016
Settings:
- Activate the profile parameter rsau/enable.
- Set the profile parameter rsau/selection_slots to its maximum value of 10.
- Activate the profile parameter rsau/user_selection.
Filter:
- Use one filter to log critical events for all users in all clients.
- Use other filters to log everything for critical users such as SAP* and support users, including FireFighter
users.
- Use the remaining filters to log events in special cases.
5.1.13 System Recommendations (ABAP) (BA090)
System Recommendations is not used for this system.
Recommendation: SAP strongly recommends applying important security fixes as soon as possible.
The 'System Recommendations' application provides a detailed recommendation regarding which SAP
security notes (ABAP and non-ABAP) should be implemented based on the actual status of the system and
the notes already implemented. This is a mandatory prerequisite for setting up a strong security patch
process. For more information, refer to http://service.sap.com/sysrec .
5.1.14 Sending Trace Data to Remote Client (0169)
PARAMETER: RDISP/ACCEPT_REMOTE_TRACE_LEVEL
Rating
Instance
Current Value
Recommended Value
All instances
1
0
Evaluated Risk - Medium
The parameter rdisp/accept_remote_trace_level allows that the system provides trace data to a remote client.
Recommendation:
Deactivate the profile parameter if you do not need trace data at a remote client.
5.2 Batch Input
5.2.1 No Timely Accurate Resolution of Failed Batch Input Sessions (0223)
Client
Failed BI Sessions Older Than 2 Days
002
8
Evaluated Risk - Medium
Batch input is a frequently used technique for importing data into the SAP system. This is done on a regular basis.
As productive data is imported into the SAP system, it is necessary to check all failed batch input sessions so that
no data is lost.
Recommendation:
Always check whether failed batch input sessions exist by using transaction SM35 on a regular basis and
correct them.
5.3 Spool & Printer
5.3.1 Users - Other Than Spool Administrators - Are Authorized to Display
Other Users Spool Requests (0192)
This authorization allows unauthorized access to sensitive data contained in spool requests.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
Basis Administration and Basis Authorizations
Confidential
38/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP01 or SP01O [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01 or SP0R
Object 3: S_SPO_ACT with SPOACTION = BASE and DISP and SPOAUTH = * or __USER__
5.3.2 Users - Other Than Spool Administrators - Are Authorized to Display
Protected Spool Requests of Other Users (0198)
This authorization allows unauthorized access to sensitive data contained in protected spool requests.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
Basis Administration and Basis Authorizations
Confidential
39/143
Security Optimization Service
10.02.2016
First Name
Department
User
Group
Doe
John
IT
SUPER
A
Mustermann
Max
IT
SUPER
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Client User
Type Last Name
000
Count :
581
[92%]
002
JDOE
A
002
MMUSTERM
002
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP01 or SP01O [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01 or SP0R
Object 3: S_SPO_ACT with SPOACTION = BASE and DISP and SPOAUTH = * or __USER__
5.3.3 Users - Other Than Spool Administrators - Are Authorized to Display the
TemSe Content (0193)
This authorization allows unauthorized access to sensitive data contained in spool requests.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
Basis Administration and Basis Authorizations
Confidential
40/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP11 or TCD = SP12 [as well as all relevant parameter transactions]
Object 2: S_TMS_ACT with STMSACTION = REA and (STMSOWNER = GRP or OCL) and
STMSOBJECT = SPOOL*
5.3.4 Users - Other Than Spool Administrators - Are Authorized to Change the
Owner of Spool Requests (0194)
This authorization allows unauthorized access to sensitive data contained in spool requests after the ownership
has been changed.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
Basis Administration and Basis Authorizations
Confidential
41/143
Security Optimization Service
10.02.2016
First Name
Department
User
Group
Doe
John
IT
SUPER
A
Mustermann
Max
IT
SUPER
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Client User
Type Last Name
002
Count :
577
[26%]
004
JDOE
A
004
MMUSTERM
004
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You c an
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP01 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01 or SP0R
Object 3: S_SPO_ACT with SPOACTION = USER
5.3.5 Users - Other Than Spool Administrators - Are Authorized to Redirect a
Print Request to Another Printer (0195)
This authorization allows unauthorized access to sensitive data after a request has been redirected.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
Basis Administration and Basis Authorizations
Confidential
42/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP01 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01or SP0R
Object 3: S_SPO_ACT with SPOACTION = REDI
5.3.6 Users - Other Than Spool Administrators - Are Authorized to Export a
Print Request (0196)
This authorization allows unauthorized access to sensitive data after the spool request has been exported.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
Basis Administration and Basis Authorizations
Confidential
43/143
Security Optimization Service
10.02.2016
First Name
Department
User
Group
Doe
John
IT
SUPER
A
Mustermann
Max
IT
SUPER
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Client User
Type Last Name
004
Count :
843
[4%]
200
JDOE
A
200
MMUSTERM
200
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SP01 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = SP01or SP0R
Object 3: S_SPO_ACT with SPOACTION = DOWN
5.4 Background
5.4.1 Periodic Background Jobs Scheduled with User of Type Other Than
'SYSTEM' (0211)
Percentage of jobs
38
Evaluated Risk - High
Periodic background jobs must be scheduled under an anonymous user ID,for example Batchuser, and not under
the ID of an individual. If an ID of an individual is used for background jobs and at some point the user is deleted
or locked, background processing would be affected. Therefore, an anonymous user ID is necessary.
In your system, more than 20% of the periodic background jobs are scheduled under a non-anonymous user ID.
5.4.2 Users - Other Than Background Administrators - Are Authorized to
Schedule Jobs in SM36 (0212)
Unauthorized background administration can result in:
- Inconsistencies
- Loss of information
- Unauthorized execution of critical programs
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
Basis Administration and Basis Authorizations
Confidential
44/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SM36 [as well as all relevant parameter transactions]
Object 2: S_BTCH_ADM with BTCADMIN=Y OR
Object 3: S_BTCH_JOB with JOBACTION = RELE
5.4.3 Users - Other Than Background Administrators - Are Authorized to
Schedule Jobs in External Commands (0213)
This authorization allows unauthorized execution of external programs or commands.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
Basis Administration and Basis Authorizations
Confidential
45/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SM36 [as well as all relevant parameter transactions]
Object 2: S_BTCH_ADM with BTCADMIN=Y or S_BTCH_JOB with JOBACTION = RELE
Object 3: S_RZL_ADM with ACTVT=01
5.4.4 Users - Other Than Background Administrators - Are Authorized to
Schedule Jobs Under Another User Id (0214)
This authorization allows you to execute critical reports using another user. The security issue is that this user has
more authorization than your own user has. This means using this user you may be able to run critical reports that
you otherwise would not be authorized to do.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
Basis Administration and Basis Authorizations
Confidential
46/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SM36 [as well as all relevant parameter transactions]
Object 2: S_BTCH_NAM with BTCUNAME <> ' '
Object 3: S_BTCH_ADM with BTCADMIN=Y or S_BTCH_JOB with JOBACTION = RELE
5.5 OS Access
5.5.1 Users - Other Than System Administrators - Are Authorized to Define
External OS Commands (0171)
Unauthorized maintenance of operating system commands can cause malicious commands to be executed.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
Basis Administration and Basis Authorizations
Confidential
47/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object1: S_TCODE with TCD=SM69 [as well as all relevant parameter transactions]
Object2: S_RZL_ADM with ACTVT=01
5.5.2 Users - Other Than System Administrators - Are Authorized to Execute
External OS Commands (0172)
Unauthorized execution of dangerous operating system commands mostly as administrator on the application
server.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
Basis Administration and Basis Authorizations
Confidential
48/143
Security Optimization Service
10.02.2016
First Name
Department
User
Group
Doe
John
IT
SUPER
A
Mustermann
Max
IT
SUPER
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Client User
Type Last Name
004
Count :
843
[4%]
200
JDOE
A
200
MMUSTERM
200
Evaluated Risk - Medium
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object1: S_TCODE with TCD=SM49 [as well as all relevant parameter transactions]
Object2: S_LOG_COM
5.5.3 Users - Other Than System Administrators - Are Authorized to View
Content of OS Files with AL11 (0173)
Unauthorized access to sensitive data stored in files at operating system level, for example /etc/passwd on UNIX
and interface files with sensitive data.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
Basis Administration and Basis Authorizations
Confidential
49/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=AL11 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = ST0R
Object 3: S_DATASET with PROGRAM = RSWATCH0 ACTVT = 33
5.6 Outgoing RFC
5.6.1 Unexpected RFC Connections with Complete Logon Data Found (0254)
The following RFC destinations contain complete logon data. As these connections were not mentioned in the
questionnaire, we assume that they were not known to you. In special cases, a direct logon to the target system
without any further password check could be possible. Check these destinations in greater detail.
RFC Destination
RFC
Count Destinati Remote host
on type
Remot
Remote
Remot
e
port/syste
e
Remote user
syste
m number
client
m
0LO7HQP_DEST
3
pxxx.xxx.corp
23
001
RUSER
0MB85T3_DEST
3
pxxx.xxx.corp
23
001
RUSER
ABD
3
ldaxxx.xxx.corp
ABP
000
SAPCPIC
ABT
3
ldbxxx.xxx.corp
ABP
001
SAPCPIC
ABS
3
ldcxxx.xxx.corp
000
XUSER
ABP
3
10.11.12.13
001
SAPCPIC
C40CLNT001
3
ldexxx.xxx.corp
07
001
ALEREMOTE
C40CLNT751
3
07
751
ALEREMOTE
C50CLNT001
3
ldfxxx.xxx.corp
ldgxxx.xxx.corp
08
001
ALEREMOTE
32
ABP
*** The residuary
entries can be found
in the service
session. ***
426
Evaluated Risk - High.
There is at least one additional RFC connection with complete logon data.
Recommendation
Use report RSRFCCHK to analyze RFC destinations with complete logon information.
Ensure that the remote users have the correct user type (usually the user type "system" and not "dialog") and
have only restricted authorizations, as required.
Consider using the "Authorization for Destination", which you can set on the "Logon&Security" tab in transaction
SM59, to restrict the use of critical RFC destinations.
See SAP Note 1595582 “Deletion of temporary RFC destinations” to delete generated RFC destinations with a 32character GUID as RFC name.
Basis Administration and Basis Authorizations
Confidential
50/143
Security Optimization Service
10.02.2016
5.6.2 Users - Other Than System Administrators - Are Authorized to Administer
RFC Connections (0255)
Unauthorized access to other systems.
Malfunction of interfaces if invalid connection data is entered.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SM59
Object 2: S_ADMI_FCD with S_ADMI_FCD = NADM
Object 3: S_RFC_ADM with ACTVT NE 03
5.6.3 Users - Other Than System Administrators - Are Authorized to Maintain
Trusting Systems (0268)
This authorization allows users to maintain the trusting systems for outbound trusted RFC communication. A
trusted system can afterwards be used for trusted RFC.
Client User
Type Last Name
First Name
Department
User
Group
000
A
John
IT
SUPER
JDOE
Doe
Basis Administration and Basis Authorizations
Confidential
51/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SMT2 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = NADM
5.7 Incoming RFC
5.7.1 Users Are Authorized to Run Any RFC Function (0241)
An unauthorized remote execution of RFC functions with dialog users was detected. All of the following users are
authorized to access all SAP RFC-enabled function modules. This is very critical because there are very many
RFC-enabled function modules that can be called. In Release 4.6C, for example, there are approximately 14000
RFC-enabled function modules. Not all of them contain special authorization checks. All of the following users can
use some of these function modules without additional authorizations.
Client User
Type Last Name
First Name
Department
User
Group
000
A
John
IT
SUPER
JDOE
Doe
Basis Administration and Basis Authorizations
Confidential
52/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object: S_RFC with RFC_NAME = *
5.7.2 Users - other than Key Users - are Authorized to Visualize All Tables via
RFC (0245)
Unauthorized access to sensitive data by means of RFC. The following users are authorized to access RFC
function modules, which allows them to retrieve all SAP tables. As this is a very critical authorization, assign it only
as required.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
Basis Administration and Basis Authorizations
Confidential
53/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_RFC with RFC_NAME=SDTX
Object 2:S_TABU_DIS with ACTVT=03 AND DICBERCLS=*
5.7.3 Incoming RFC with Expired Password is Allowed (0234)
PARAMETER: RFC/REJECT_ EXPIRED_PASSWD
Rating
Instance
Current Value
Recommended Value
All instances
0
1
Evaluated Risk - Medium
Recommendation:
Set the parameter rfc/reject_expired_passwd to 1 to detect the use of a user ID with an expired password.
IMPORTANT: Before you change this parameter, import SAP Note 622464 .
5.7.4 Users authorized for Trusted RFC (Object S_RFCACL) (0239)
Unauthorized use of trusted RFC connections. All of the following users are allowed to access the analyzed
system using a trusted system connection. We do not rate this check. Check whether the users really need this
authorization.
Basis Administration and Basis Authorizations
Confidential
54/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - Medium
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object: S_RFCACL
Please try to specify the values for the "RFC_SYSID" and "RFC_CLIENT" fields for this authorization
object to prevent backdoor entries.
5.7.5 Users authorized for Trusted RFC which can be called from any calling
user (0248)
Unauthorized use of trusted RFC connections. All of the following users can be called using a trusted system
connection from any calling user.
Check whether the users really require this authorization.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
Basis Administration and Basis Authorizations
Confidential
55/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object: S_RFCACL
Use specific values for the "RFC_USER" field instead of using a * value and consider using the 'same user'
option instead (field RFC_EQUSER=Y). In this case, you can either leave the "RFC_USER" field empty or
you can enter a value that is never used as a user ID (such as the character ').
5.7.6 Unexpected Trusted System Connections Found (0238)
RFC Destination
Count
ABD
ABS
ABP
ABT
C40
C70
C71
C72
C73
Count :
9
Basis Administration and Basis Authorizations
Confidential
56/143
Security Optimization Service
10.02.2016
Evaluated Risk - High.
You have defined more trusted systems than you specified in the questionnaire.
5.7.7 Users - Other Than System Administrators - Are Authorized to Maintain
Trusted Systems (0240)
This authorization allows users to maintain trusted systems. A trusted system can subsequently be used for
trusted RFC.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SMT1 [as well as all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD = NADM
5.7.8 RFC Security in the Service Marketplace (0247)
RFC is a very critical issue for the security of an SAP installation. The following document explains how to set up
an authorization concept to secure the RFC connections in an SAP system landscape.
http://service. sap.com/~sapidb/011000358700004954232004E .
Basis Administration and Basis Authorizations
Confidential
57/143
Security Optimization Service
10.02.2016
5.8 Application Link Enabling (ALE)
5.8.1 Users - Other Than System Administrators - Allowed to Maintain the ALE
Distribution Model (0723)
Malfunction of ALE communication due to unauthorized changes.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=BD64 [as well as all relevant parameter transactions]
Object 2: B_ALE_MODL with ACTVT = 01 or 02 and CUSTMODEL = *
5.8.2 Users - Other Than System Administrators - Allowed to Maintain the
Partner Profile (0724)
Malfunction of Application Link Enabling (ALE) communication due to unauthorized changes.
Basis Administration and Basis Authorizations
Confidential
58/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactionsSU02 (Maintain Profiles) and SU03
(Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can
use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles
that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=WE20 [as well as all relevant parameter transactions]
Object 2: S_IDOCPART with ACTVT=01 or ACTVT=02 and EDI_TCD=WE20
Basis Administration and Basis Authorizations
Confidential
59/143
Security Optimization Service
10.02.2016
6 Change Management
6.1 Data & Program Access
6.1.1 Users - Other Than Key Users - Are Authorized to Start All Reports (0512)
Execution of critical function reports that do not contain any authorization checks.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE38 or TCD=SA38 or TCD=SC38 [as well as all relevant parameter
transactions]
Object 2: S_PROGRAM with P_ACTION=SUBMIT P_GROUP=*
Remark: We also search for the transaction codes used in parameter transactions defined in table TSTCP.
(This is done in every check in which object S_TCODE is checked.)
Any user who is authorized to call a transaction defined in table TSTCP that is based on transaction SA38
Change Management
Confidential
60/143
Security Optimization Service
10.02.2016
appears in this check if they also have authorization for the other objects checked.
6.1.2 Users - Other Than Key Users - Are Authorized to Display All Tables
(0513)
Unauthorized access to sensitive data.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE16 or TCD=SE16N or TCD=SE17 or TCD=SM30 or TCD=SM31 [as well
as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=03 DICBERCLS=*
6.1.3 Users Are Authorized to Maintain All Tables (0514)
Unauthorized maintenance of sensitive data.
Change Management
Confidential
61/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE16 or TCD=SE16N or TCD=SE17 or TCD=SM30 or TCD=SM31 [as well
as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=*
6.1.4 Users - Other Than System Administrators - Are Authorized to Change the
Authorization Group of Tables (0515)
Unauthorized access to data after change of authorization group.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
Change Management
Confidential
62/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE17 or TCD=SM30 or TCD=SM31 [as well as all relevant parameter
transactions]
Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=SS
6.1.5 Users - Other Than Query Administrators - Are Authorized to Administer
Queries (0517)
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
Change Management
Confidential
63/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with (TCD=SQ02 or TCD=SQ03 or TCD=SQ10) [as well as all relevant parameter
transactions]
Object 2: S_QUERY with ACTVT=23
6.1.6 Users Are Authorized to Execute All Function Modules (0520)
Execution of critical function modules that do not contain any authorization checks.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
Change Management
Confidential
64/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SE37 [as well as all relevant parameter transactions]
Object 2: S_DEVELOP with ACTVT = 16 and S_DEVELOP with OBJTYPE = FUGR
6.2 Change Control
6.2.1 System Change Option Not Appropriately Configured in the Production
System (0301)
Threats that arise with the possibility of development in production systems:
- Malfunction of system due to programs that have not been tested properly
- Unauthorized data access with modified or self-developed programs
Evaluated Risk - High
Recommendation:
Set the System Change Option to 'Not modifiable' in SE06.
6.2.2 Client Change Option Not Appropriately Configured (0302)
Threats that arise with the possibility of development in production systems:
- Malfunction of system due to programs that have not been tested properly
- Unauthorized data access with modified or self-developed programs
Client
Modifiable
Type
000
O
S
002
O
T
004
O
T
200
O
T
Flags in table columns
Modifiable
X - Production client is modifiable
O - Non-production client is modifiable
- Client is not modifiable
Type
P - Production client
Change Management
Confidential
65/143
Security Optimization Service
10.02.2016
D - Demo
E - Education
S - SAP Standard
C - Customizing
T - Test
Evaluated Risk - Medium
Recommendation:
Set the Client Change Option to 'Not modifiable' in all clients in your production system.
6.2.3 Users - Other Than System Administrators - Are Authorized to Change the
System Change Option (0303)
Development is possible in the production system by all of the following persons.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
Change Management
Confidential
66/143
Security Optimization Service
10.02.2016
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE06 [as well as all relevant parameter transactions]
Object 2: S_CTS_ADMI with CTS_ADMFCT=INIT and CTS_ADMFCT=SYSC
Object 3: S_TRANSPRT with ACTVT=03 and TTYPE=*
6.2.4 Users - Other Than System Administrators - Are Authorized to Change the
Client Change Option (0304)
Development is possible in the productive client by all the following persons.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
Change Management
Confidential
67/143
Security Optimization Service
10.02.2016
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SCC4 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02 DICBERCLS=SS
Object 3: S_TABU_CLI with CLIIDMAINT=*
Object 4: S_ADMI_FCD with S_ADMI_FCD=T000
6.2.5 Users - Other Than System Administrators - Are Authorized to Create New
Clients (0305)
Creating a new client means that logons are permitted with the hard-coded user SAP* unless this is prevented by
a profile parameter.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
Change Management
Confidential
68/143
Security Optimization Service
10.02.2016
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SCC4 [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=01 DICBERCLS=SS
Object 3: S_TABU_CLI with CLIIDMAINT=*
Object 4: S_ADMI_FCD with S_ADMI_FCD=T000
6.2.6 Users Are Authorized to Delete Clients (0306)
All the following users have the authority to delete any of your clients- including the production one. In addition,
the default setting is that the T000 entry of the deleted client will not be deleted. Afterwards the hard-coded user
SAP* is available with the well-known password PASS, unless this is prevented by a profile parameter.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
Change Management
Confidential
69/143
Security Optimization Service
10.02.2016
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SCC5 [as well as all relevant parameter transactions]
Object 2: S_TABU_CLI with CLIIDMAINT=X
6.2.7 Users Are Authorized to Development in the Production System (0307)
Threats that arise with the possibility of development in production systems:
- Malfunction of system due to programs that have not been tested properly
- Unauthorized data access with modified or self-developed programs
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
Change Management
Confidential
70/143
Security Optimization Service
10.02.2016
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE*
Object 2: S_DEVELOP with ACTVT=01 (create) or ACTVT=02 (change) and OBJTYPE=PROG
6.2.8 Users Are Authorized to Debug and Replace Field Values in the
Production System (0308)
Unauthorized access to data and functions, since any authorization checks can be bypassed with this
authorization. In addition, you can change data during processing, which may lead to inconsistent results.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_DEVELOP with ACTVT=02 (change) and OBJTYPE=DEBUG
Note: If you do not want to disable development in your system, you have to exclude the
OBJTYPE=DEBUG with ACTVT=02 from the profile and allow any other object type for S_DEVELOP. In
this way, development and debugging with visualization is still possible.
Change Management
71/143
Confidential
Security Optimization Service
10.02.2016
You can achieve this by linking 2 authorizations to the object S_DEVELOP. One with all object types
(except for "DEBUG") and all activities, and another one for the object type DEBUG only and all activities
(except for 02).
6.2.9 Users Are Authorized to Perform Customizing in the Production System
(0309)
System malfunction due to improperly tested Customizing.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SPRO [as well as all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=02 (change) and DICBERCLS=*
6.2.10 Users Are Authorized to Develop Queries in the Production System
(0310)
Data access in queries or by using ABAP programs within queries.
Change Management
Confidential
72/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with (TCD=SQ00 or TCD=SQ01) [as well as all relevant parameter transactions]
Object 2: S_QUERY with ACTVT=02 (change)
6.2.11 Execution of CATTs and eCATTs is Not Prevented by Client Settings
(0311)
Unauthorized data transfer into the SAP system. In addition, the system could be rendered unstable if testing
takes place during production operation. CATTs and eCATTs are very useful tools, but use them in the
development and test environment only.
Client
CATTs allowed
000
Type
S
002
X
T
004
X
T
200
X
T
Change Management
Confidential
73/143
Security Optimization Service
10.02.2016
Flags in table columns
CATTs allowed
X - CATTs and eCATTs allowed
- CATTs and eCATTs not allowed
Type
P - Production client
D - Demo
E - Education
S - SAP Standard
C - Customizing
T - Test
Evaluated Risk - Medium
Recommendation:
Disable the execution of CATTs and eCATTs, at least in the production client.
6.2.12 Users Are Authorized to Execute CATTs in the Production System (0312)
Unauthorized data transfer into the SAP system.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - Medium
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
Change Management
Confidential
74/143
Security Optimization Service
10.02.2016
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SCAT [as well as all relevant parameter transactions]
Object 2: S_DEVELOP with ACTVT=16 and OBJTYPE=SCAT
6.2.13 Users Are Authorized to Execute eCATTs in the Production System
(0313)
Unauthorized data transfer into the SAP system.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - Medium
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
Change Management
Confidential
75/143
Security Optimization Service
10.02.2016
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=STWB_WORK or SECATT [as well as all relevant parameter transactions]
Object 2: S_DEVELOP with OBJTYPE=ECAT ACTVT=16
6.2.14 SAPgui User Scripting Is Enabled (0314)
PARAMETER: SAPGUI/USER_SCRIPTING
Rating
Instance
Current Value
Recommended Value
All instances
TRUE
FALSE
Evaluated Risk - Medium
As of SAP GUI 6.20, SAP supports this new parameter for all SAP R/3releases as of Kernel Release 3.1I. This
parameter enables you to log your front-end activities.
There is the possibility of misuse as it is possible to record sensitive data, for example when creating a new user
or changing a user's password.
Recommendation:
Omit the parameter sapgui/user_scripting or set it to FALSE.
For further information, please refer to SAP Note 480149.
6.2.15 Users Are Authorized to Use the Legacy Migration Workbench (0315)
With LSMW it is possible to develop ABAP coding, even in a closed system without any development
authorizations.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
Change Management
Confidential
76/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - Medium
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with LSMW [as well as all relevant parameter transactions]
Object 2: B_LSMW with TCD = LSMW and ACTVT = 02 or 16 or 36
Object 3: B_LSMW_PRO with PROJECT = *
6.2.16 Users Are Authorized to Modify the Table Logging Flag for Tables (0318)
Lack of information for tracking unauthorized changes to Customizing.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - Medium
Change Management
Confidential
77/143
Security Optimization Service
10.02.2016
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE11 or TCD=SE13 [as well as all relevant parameter transactions]
Object 2: S_DEVELOP with ACTVT=02 and OBJTYPE=TABT
6.3 Development
6.3.1 Development Sources Are Not Scanned for Critical Statements (0335)
Coding might contain certain statements (listed as "Critical Statements" in the Code Inspector results) that are
critical to security or endanger program stability.
Examples include:
- INSERT REPORT (ABAP command)
- EDITOR-CALL FOR REPORT (ABAP command)
- DELETE_USER_ON_DB (function module)
- BAPI_USER_* (function modules)
Evaluated Risk - Medium
Recommendation:
Run the Code Inspector on a regular basis. The Code Inspector is available, along with some security
checks, as of SAP Web AS 6.10.
6.4 Transport Control
6.4.1 Users - Other Than Transport Administrators - Are Authorized to Change
the TMS Configuration (0341)
Inconsistencies due to incorrectly configured CTS.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
Change Management
Confidential
78/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = STMS [as well as all relevant parameter transactions]
Object 2: S_CTS_ADMI with CTS_ADMFCT = TABL
6.4.2 Users - Other Than Transport Administrators - Are Authorized to Start
Imports to Production (0342)
Misuse of CTS (Change and Transport System) to import insecure programs. Inconsistencies due to incorrect
usage of CTS.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
Change Management
Confidential
79/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=STMS [as well as all relevant parameter transactions]
Object 2: S_CTS_ADMI with CTS_ADMFCT=IMPA or CTS_ADMFCT=IMPS
6.4.3 Users - Other Than Transport Administrators - Are Authorized to Create
and Release Transports (0343)
the Change and Transport System (CTS) has been used incorrectly to export tables with sensitive data.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Change Management
Confidential
80/143
Security Optimization Service
10.02.2016
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE01 SE09 SE10 [as well as all relevant parameter transactions]
Object 2: S_TRANSPRT with ACTVT=01, 03 and 43 TTYPE=DTRA and TASK
6.4.4 Users Are Authorized to Approve Transports (0346)
Import of programs that have not been tested properly.
Note: This check should normally run in the Quality System. We assume that if the users have these
authorizations in the Productive System, they also have them in the Quality System.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Recommendation: Check the roles and profiles of the users in your QA system that are evaluated by this
check. Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02
(Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on
your environment. You can use the authorization information system (SUIM) to check the results. For this
Change Management
Confidential
81/143
Security Optimization Service
10.02.2016
check, look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=STMS_QA [as well as all relevant parameter transactions]
Object 2: S_CTS_ADMI with CTS_ADMFCT=QTEA
6.4.5 Users - Other Than Transport Administrators - Are Authorized to Apply
Patches (0363)
System malfunction after import of patches. Functions were not tested properly.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation:
Use the Profile Generator (PFCG) to correct roles and transactions. Use transaction SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the authorization information system (SUIM) to check the results. For this check,
Change Management
Confidential
82/143
Security Optimization Service
10.02.2016
look at the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SPAM [as well as all relevant parameter transactions]
Object 2: S_TRANSPRT with TTYPE='PATC'
6.4.6 Transports Are Not Scanned for Viruses (0348)
Recommendation:
Currently, transports into your system are not scanned automatically to avoid the import of non-secure
programs. However, SAP provides a function for scanning the transports.
Review SAP Note 521087 for a description of how to set up a virus scanner for transport files, as these files are
normally stored in a proprietary and compressed SAP format.
Change Management
Confidential
83/143
Security Optimization Service
10.02.2016
7 User Authorization
7.1 User Management
7.1.1 Users - Other Than the User Administrators - Are Authorized to Maintain
Users (0002)
Only user administrators should be authorized to create users.
You have to prevent users gaining unauthorized system access by using another user's account and also prevent
interfaces malfunctioning if the interface user becomes invalid.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SU01, TCD=OIBB, TCD=OOUS, TCD=OPF0,
TCD=OPJ0, or TCD=OVZ5 [and all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT <> 03 (display) and
ACTVT <> 08 (displ. change documents) and
User Authorization
Confidential
84/143
Security Optimization Service
10.02.2016
ACTVT <> SPACE
7.1.2 User Administrators Are Authorized to Change Their Own User Master
Record (0003)
Avoid unauthorized maintenance of user accounts and assignment of authorizations.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization object:
S_USER_GRP with ACTVT=02 (change) CLASS = <same as assigned to the user administrator>
7.1.3 User Administrators Are Allowed to Maintain Users of Any Group (0004)
If user administration is segregated, prevent unauthorized maintenance of users who belong to a user group that
the decentralized user administrator is not in charge of.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
User Authorization
Confidential
85/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization Objects:
Object 1: S_TCODE with TCD = SU01 or TCD = OIBB or TCD = OOUS or TCD = OPF0 or TCD = OPJ0 or
TCD = OVZ5 [as well as all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT = 02 (change) CLASS = *
7.1.4 User Master Data Is Not Regularly Synchronized with a Corporate LDAP
Directory (0007)
User master data can be synchronized with a corporate directory to avoid inconsistent data.
Recommendation: If you use a corporate directory, schedule the report RSLDAPSYNC_USER on a
regular basis. This ensures that all user master data is replicated from this corporate directory and is
always synchronized. Otherwise the data would not be synchronized as it is stored redundantly.
7.1.5 Users with Authorizations for User and Role/Profile/Authorization
Maintenance (0008)
User and role maintenance must be segregated so that user administrators cannot change their own
authorizations.
User Authorization
Confidential
86/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Remark: All users are listed who have authorization for check 0073, 0074, 0077, 0080, or 0081 (role and
profile management in a production system) and who are also user managers (check 0002).
7.1.6 Reference Users Are Used (0011)
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
User Authorization
Confidential
87/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Avoid broad authorizations that are assigned indirectly by means of reference users.
Only use reference users in Internet scenarios to assign roles to users who need the same authorizations.
Do not use this as a general technique for assigning roles.
SUIM reports do not consider authorizations that are assigned by means of reference users.
7.1.7 Usage of 'Normal' Users as Reference Users Is Not Prohibited (0012)
Evaluated Risk - High
Recommendation: Avoid use of 'normal' users as reference users by setting a customizing switch.
For more information, see SAP Note 513694.
7.1.8 Users - Other Than User Administrators - Are Authorized to Access Tables
with User Data (0013)
Avoid dictionary attacks on passwords stored in table USR02.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
User Authorization
Confidential
88/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE16, TCD=SE16N, or TCD=SE17 [and all relevant parameter
transactions]
Object 2: S_TABU_DIS with DICBERCLS=SC ACTVT=03
7.1.9 Users - Other Than User Administrators - Are Authorized to Call Function
Modules for User Admin (0019)
Only user administrators should have authorizations to maintain users. Besides user maintenance in transaction
SU01, users can be changed by calling function modules.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
User Authorization
Confidential
89/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE37 [and all relevant parameter transactions]
Object 2: S_DEVELOP with OBJTYPE=FUGR ACTVT=03 OBJNAME=SUSB RSUSR002
OR
Object 1: S_TCODE with TCD=SE37 [and all relevant parameter transactions]
Object 2: S_DEVELOP with OBJTYPE=FUGR ACTVT=03 OBJNAME=SU_USER
Object 3: S_USER_GRP with ACTVT=01 (create), ACTVT=02 (change), or ACTVT=06 (delete)
Remark for Release 6.40: As of Basis Release 6.40, ACTVT=16 is needed instead of ACTVT=03 for
object S_DEVELOP in order to execute a function in SE37. If you are using a system with Basis Release
6.40 and a plug-in ST-A/PI_01E* or older, too many users might appear for this check.
7.2 Super Users
7.2.1 Users Have Nearly All Authorizations (0023)
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
User Authorization
Confidential
90/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
No Evaluation
These users have more than 80% of all authorizations. They are "superusers."
Recommendation: Check which users have these authorizations and decide whether they really need
them.
7.2.2 Unexpected Users Are Authorized to Change a Super User Accounts
(0026)
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
User Authorization
Confidential
91/143
Security Optimization Service
10.02.2016
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SU01, TCD=OIBB, TCD=OOUS, TCD=OPF0, TCD=OPJ0, or TCD=OVZ5
[and all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=02 (change) or ACTVT=05 and CLASS=SUPER
7.2.3 Users with Profile SAP_NEW (0031)
The profile SAP_NEW cumulates a lot of authorizations. Please use only the subprofile(s) of SAP_NEW
corresponding to your last release change. You should then update your own profiles as soon as possible and
remove the SAP_NEW profile.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
User Authorization
Confidential
92/143
Security Optimization Service
10.02.2016
recommend that you examine the roles or profiles that include the authorization objects listed below.
7.3 Standard Users
7.3.1 Not all profiles are removed from user SAP* (0042)
Client
SAP* with profiles
000
X
002
X
004
X
200
X
Evaluated Risk - Medium
Recommendation: Remove the profile(s) from the SAP* user and create another superuser to be used as
an emergency user.
Possible table values:
" ": SAP* has no profiles
"X": Profile SAP_ALL is used
"O": Another profile is used.
7.3.2 User SAP* is neither locked nor expired (0043)
Client
Not locked or expired
000
002
X
004
X
200
Evaluated Risk - Medium
Recommendation: The user SAP* is unlocked in at least one client. To prevent the usage of SAP*, lock
the user account or set an expiration date. Do not delete SAP*.
7.3.3 Usage of the hard coded user SAP* is not disabled (0046)
PARAMETER: LOGIN/NO_AUTOMATIC_ USER_SAPSTAR
Rating
Instance
Current Value
Recommended Value
All instances
0
1
Evaluated Risk - High
Recommendation: Set the profile parameter "login/no_automatic_user_sapstar" to 1.
Note: The user SAP* is needed for the client copy. Therefore, the parameter has to be changed back to 0
before the client copy is started - at least for the application server that you want to use for logging on to
the new client.
7.3.4 User SAP*'s activities are not logged in the Security Audit Log (0047)
Client
SAL activated
000
002
004
User Authorization
Confidential
93/143
Security Optimization Service
Client
10.02.2016
SAL activated
200
Evaluated Risk - Medium
Recommendation: Log the successful and (at least) the unsuccessful activities for the user SAP* in the
Security Audit Log.
Possible table values:
" ": No events are logged.
"S": Successful events are logged.
"U": Unsuccessful events are logged.
7.3.5 User DDIC's activities are not logged in the Security Audit Log (0050)
Evaluated Risk - Medium
Recommendation: Log the successful and (at least) the unsuccessful events for the user DDIC in the
Security Audit Log.
7.3.6 User EARLYWATCH's activities are not logged in the Security Audit Log
(0060)
Client
SAL activated
000
002
004
200
Evaluated Risk - Medium
Recommendation: Log at least the unsuccessful events for user EARLYWATCH in the Security Audit Log.
7.3.7 User TMSADM has the default password in some clients (0063)
Client
Password not changed
000
002
004
X
200
Evaluated Risk - Medium
Recommendation: Change the standard password for the TMSADM user. (For clients other than client 000, you
should delete the user instead.)
SAP Note 1414256 describes a support tool for changing the password for the TMSADM user in all systems of the
transport domain.
SAP Note 1552894 shows how to update the report RSUSR003 for showing the status of TMSADM user, too.
7.3.8 User TMSADM Exists in Clients Other Than Client 000 (0064)
Client
TMSADM exists
002
X
004
X
200
X
Evaluated Risk - Medium
Recommendation: Delete the TMSADM user for all clients except client 000.
User Authorization
Confidential
94/143
Security Optimization Service
10.02.2016
7.4 Role & Authorization Management
7.4.1 Users Are Authorized to Maintain Roles Directly in the Production System
(0072)
Roles, profiles, and authorizations must always be changed in the development system. Therefore, authorizations
for role and authorization maintenance do not need to be assigned in the productive system at all.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=PFCG [and all relevant parameter transactions]
Object 2: S_USER_AGR with ACTVT=01 (create) or ACTVT=02 (change)
7.4.2 Users Are Authorized to Maintain Profiles Directly in the Production
System (0073)
Roles, profiles, and authorizations must always be changed in the development system. Therefore, authorizations
for role and authorization maintenance do not need to be assigned in the productive system at all.
User Authorization
Confidential
95/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SU02 [and all relevant parameter transactions]
Object 2: S_USER_PRO with ACTVT=01 (create) or ACTVT=02 (change) or ACTVT=06 (delete).
7.4.3 Users Are Authorized to Maintain Authorizations Directly in the
Production System (0074)
Roles, profiles, and authorizations must always be changed in the development system. Therefore, authorizations
for role and authorization maintenance do not need to be assigned in the productive system at all.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
User Authorization
Confidential
96/143
Security Optimization Service
10.02.2016
First Name
Department
User
Group
Doe
John
IT
SUPER
A
Mustermann
Max
IT
SUPER
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Client User
Type Last Name
000
Count :
581
[92%]
002
JDOE
A
002
MMUSTERM
002
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SU03 [and all relevant parameter transactions]
Object 2: S_USER_AUT with ACTVT=01 (create) or ACTVT=02 (change)
7.4.4 SAP Standard Roles Are Assigned to Users (0082)
Client
Count
000
45
002
472
004
1.139
200
37
Evaluated Risk - High
Recommendation: Only use predefined SAP roles as templates. Do not assign them to users due to the
number of authorizations assigned to standard SAP roles.
7.4.5 SAP Standard Profiles Are Assigned to Users (0083)
Client
Count
000
1
002
6
004
17
User Authorization
Confidential
97/143
Security Optimization Service
10.02.2016
Client
Count
200
1
Evaluated Risk - High
Recommendation: Only use predefined SAP profiles as templates. Do not assign them to users due to the
large number of authorizations assigned to standard SAP profiles.
7.4.6 Profiles on Long Time Locked Users (0089)
Client
Users Found
000
X
002
X
004
X
200
X
Evaluated Risk - Medium
Recommendation: We found users that have been locked for at least 180 days still with assigned profiles
in the marked clients. Remove profiles from users that have been locked for a long period of time
(especially if they have left the company). Unlocking a user can give access to broad authorizations.
7.5 Authorizations
7.5.1 Users Are Authorized to Disable Authorization Checks Within
Transactions (0102)
No user should have authorizations to disable authorization checks for any transaction.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
User Authorization
Confidential
98/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE=SU24 [and all relevant parameter transactions]
Object 2: S_USER_GRP with ACTVT=* and CLASS=*
Object 3: S_DEVELOP with ACTVT=03 and OBJTYPE=SUSO
7.5.2 Users Are Authorized to Call Any Transaction (0110)
When all transactions are allowed to be started, access relies completely on authorization checks in the executed
report.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
User Authorization
Confidential
99/143
Security Optimization Service
10.02.2016
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization Object:
Object S_TCODE with field TCD =*
7.5.3 Users Are Authorized to Delete an Authorization Check Before
Transaction Start (0111)
In transaction SE93, a basic authorization check can be maintained for every transaction. Deleting this
authorization check could create security holes.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, or transactions SU02 (Maintain
Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. You can use the Authorization Info System (SUIM) to check the results. For this check we
User Authorization
Confidential
100/143
Security Optimization Service
10.02.2016
recommend that you examine the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE93 [and all relevant parameter transactions]
Object 2: S_DEVELOP with OBJTYPE=TRAN and ACTVT = 02
7.5.4 Global Disabling of Authority Checks Is Not Prevented (0104)
Evaluated Risk - High
Table TOBJ_OFF does not contain deactivated authorization objects but the profile parameter
"auth/object_disabling_active" is set to "Y" nonetheless.
Recommendation: Set the profile parameter "auth/object_disabling_active" to "N". This means that
authorization checks cannot be deactivated globally by users who have the appropriate authorization.
7.6 Internet Communication Framework (ICF)
7.6.1 Users - Other Than System Administrators - Are Authorized to Activate
ICF Services (0655)
Access to ICF services after unauthorized activation.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
User Authorization
Confidential
101/143
Security Optimization Service
10.02.2016
Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the Authorization Info System (SUIM) you can check the results. For this check you
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SICF [and all relevant parameter transactions]
Object 2: S_ADMI_FCD = PADM
7.6.2 Users - Other Than System Administrators - Are Authorized to Access
Table Authorization Group &NC& (0663)
Tables which are not assigned to a specific table authorization group (see transaction SE54 or Table TDDAT) are
implicitly part of table authorization group &NC&. This table authorization group contains many tables including
critical tables.
Example: Access to table ICFSERVICE using standard table maintenance tools like SE16 could be misused to
find ICF services with anonymous access.
Therefore you should not give access to table authorization group &NC&. If you need access to specific tables you
can either assign these tables to a different table authorization group or you can grant authorizations individually
using authorization object S_TABU_NAM.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the Authorization Info System (SUIM) you can check the results. For this check you
User Authorization
Confidential
102/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SE16, TCD=SE16N, TCD=SE17, TCD=SM30, or TCD=SM31 [and all
relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT=03 DICBERCLASS=&NC&
7.7 http Client
7.7.1 Additional http Client Connections Found (0682)
HTTP Connection
Count
ABS_AWS_EC2
ABS_AWS_S3
RCC_GRID_ENGINE
INTEGRATION_DIRECTORY
TEST_ODATA_PO
ABPCLNT004_HTTP
ABTCLNT005_HTTP
ABDCLNT002_HTTP
EPIC_DUMMY
Count :
9
Evaluated Risk - High
Recommendation: There is at least one additional HTTP client connection not specified in the
questionnaire. We recommend that you check this connection.
Check the RFCDES table and search for entries with RFCTYPE = 'H' or 'G'.
7.7.2 No Proxy Used to Connect to http Servers (0683)
Client Connection without Proxy
Count
000
ABS_AWS_EC2
000
ABS_AWS_S3
000
RCC_GRID_ENGINE
000
INTEGRATION_DIRECTORY
000
TEST_ODATA_PO
000
*** The residuary entries can be found in the service session. ***
000
Count :
002
ABS_AWS_EC2
002
ABS_AWS_S3
002
RCC_GRID_ENGINE
002
INTEGRATION_DIRECTORY
002
TEST_ODATA_PO
002
*** The residuary entries can be found in the service session. ***
002
Count :
004
ABS_AWS_EC2
004
ABS_AWS_S3
004
RCC_GRID_ENGINE
004
INTEGRATION_DIRECTORY
9
9
User Authorization
Confidential
103/143
Security Optimization Service
10.02.2016
Client Connection without Proxy
Count
004
TEST_ODATA_PO
004
*** The residuary entries can be found in the service session. ***
004
Count :
200
ABS_AWS_EC2
200
ABS_AWS_S3
200
RCC_GRID_ENGINE
200
INTEGRATION_DIRECTORY
200
TEST_ODATA_PO
200
*** The residuary entries can be found in the service session. ***
200
Count :
9
9
Evaluated Risk - Medium
Recommendation: We found at least one connection to an HTTP server that does not use a proxy. A
proxy works as a security barrier between the internal network and the Internet and should always be used.
Check whether the proxy is globally maintained in table PPROXY_G. If not, use of the proxy must be
customized in the RFCDES table.
7.7.3 No Authorization for S_SICF Required for http Client Access (0684)
http client access without authorization check
Count
ABS_AWS_EC2
ABS_AWS_S3
RCC_GRID_ENGINE
INTEGRATION_DIRECTORY
TEST_ODATA_PO
ABPCLNT004_HTTP
ABTCLNT005_HTTP
ABDCLNT002_HTTP
EPIC_DUMMY
Count :
9
Evaluated Risk - Medium
Recommendation: We found at least one HTTP client connection that does not require authorization. You
should request authentication for all HTTP clients.
Check the customizing in table RFCDES.
7.7.4 Client Proxy Does Not Require Client Authentication (0685)
Client Connection without authentication
000
ABS_AWS_EC2
000
ABS_AWS_S3
000
RCC_GRID_ENGINE
000
INTEGRATION_DIRECTORY
000
TEST_ODATA_PO
000
*** The residuary entries can be found in the service session. ***
000
Count :
002
ABS_AWS_EC2
002
ABS_AWS_S3
002
RCC_GRID_ENGINE
9
User Authorization
Confidential
Count
104/143
Security Optimization Service
10.02.2016
Client Connection without authentication
002
INTEGRATION_DIRECTORY
002
TEST_ODATA_PO
002
*** The residuary entries can be found in the service session. ***
002
Count :
004
ABS_AWS_EC2
004
ABS_AWS_S3
004
RCC_GRID_ENGINE
004
INTEGRATION_DIRECTORY
004
TEST_ODATA_PO
004
*** The residuary entries can be found in the service session. ***
004
Count :
200
ABS_AWS_EC2
200
ABS_AWS_S3
200
RCC_GRID_ENGINE
200
INTEGRATION_DIRECTORY
200
TEST_ODATA_PO
200
*** The residuary entries can be found in the service session. ***
200
Count :
Count
9
9
9
Evaluated Risk - Medium
Recommendation: We found at least one connection for which the client proxy does not require
authentication. You should request authentication for all proxies.
Check whether proxy authorization is globally maintained in the PPROXY_G and PPROXY_C tables. If this
is not the case, use of the proxy must be customized in the RFCDES table.
7.7.5 Additional http Connections with Full Logon Data Found (0687)
HTTP connection
Count
ABS_AWS_EC2
ABS_AWS_S3
RCC_GRID_ENGINE
INTEGRATION_DIRECTORY
TEST_ODATA_PO
Count :
5
Evaluated Risk - High
Recommendation: We found HTTP connections with full logon data that were not specified in the
questionnaire. We recommend you check these HTTP connections.
7.7.6 No Encryption of Outgoing http Communication (0688)
http connection without encryption
Count
ABS_AWS_EC2
ABS_AWS_S3
RCC_GRID_ENGINE
INTEGRATION_DIRECTORY
TEST_ODATA_PO
Count :
5
User Authorization
Confidential
105/143
Security Optimization Service
10.02.2016
Evaluated Risk - High
Recommendation: We found at least one HTTP connection without SSL encryption. This can be
dangerous, especially if a password is required for authentication, because the user and password are not
transferred in encrypted format if SSL is not used. We recommend that you use SSL encryption for your
HTTP connections.
Check the connection settings in the RFCDES table.
7.8 Internet Communication Manager (ICM)
7.8.1 Users - Other Than System Administrators - Are Authorized to
Administrate the ICM (0701)
Unauthorized administration (such as start and stop) of Internet Communication Manager (ICM).
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the Authorization Info System (SUIM) you can check the results. For this check you
User Authorization
Confidential
106/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SMICM [and all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD=PADM
7.8.2 Users - Other Than System Administrators - Are Authorized to Display the
http Server Cache (0705)
Unauthorized access to sensitive data.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the Authorization Info System (SUIM) you can check the results. For this check you
User Authorization
Confidential
107/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SMICM [and all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD=PADM
7.8.3 Users - Other Than System Administrators - Are Authorized to Configure
the ICM Monitor (0706)
Unauthorized change of ICM services.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the Authorization Info System (SUIM) you can check the results. For this chec k you
User Authorization
Confidential
108/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=SMICM [and all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD=PADM
7.8.4 ICM (Internet Communication Manager) Is Active (0704)
Backdoor entry to the system via the Web Application Server.
PARAMETER: RDISP/START_ICMAN
Rating
Instance
Current Value
Recommended Value
All instances
true
FALSE
Recommendation: The Internet Communication Manager (ICM) is started on your system. Check whether
the ICM is used in your environment. If it is not used, deactivate the ICM by setting the profile parameter
rdisp/start_icman to false in order to reduce the risk.
7.9 PSE Management
7.9.1 Users - Other Than System Administrators - Are Authorized to Maintain
the System PSE's (0711)
Unauthorized access to system certificates.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
User Authorization
Confidential
109/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
200
586
Count :
First Name
Department
User
Group
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles, and/or transactions SU02 (Maintain
Profiles)/SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the Authorization Info System (SUIM) you can check the results. For this check you
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD=STRUST [and all relevant parameter transactions]
Object 2: S_ADMI_FCD with S_ADMI_FCD=NADM
Object 3: S_RZL_ADM with ACTVT=01
Object 4: S_TABU_DIS with ACTVT=02 and DICBERCLS=SS
7.9.2 J2EE Engines Allowed to Access the Application Server (0881)
J2EE SNC ID
Count
Count :
0000000003
Recommendation: These J2EE Engines are allowed to access the application server. Check the list.
7.9.3 Users Authorized to Maintain the Sending Systems for User Replication
(0864)
This authorization allows a user to maintain the access control list for sending systems. Currently, it is possible to
create users from a malicious external system.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
User Authorization
Confidential
110/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check, you
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE with TCD = SE16, SE17, SM30, or SM31 [and all relevant parameter transactions]
Object 2: S_TABU_DIS with ACTVT = 2 and DICBERCLS = SUSR
User Authorization
Confidential
111/143
Security Optimization Service
10.02.2016
8 Human Resources
8.1 Human Resources General Checks
8.1.1 Users - Other Than HR Administrators - Are Authorized to Maintain Table
T77S0 (0922)
Users having this authorization can change or deactivate the use of the authorization objects P_PERNR and
P_ORGIN in the HR application.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
112/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TABU_DIS with DICBERCLS = PS and ACTVT = 02
Object 2: S_TCODE with TCD = SE16, SE16N, SE17, SM30, or SM31 [and all relevant parameter
transactions]
8.1.2 Users - Other Than HR Administrators - Are Authorized to Maintain Tables
for Organizational Data (0923)
Users having this authorization can change the logging of infotypes and report starts. Also organizational HR data
tables such as T500P T501 or T503K can be changed.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
113/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TABU_DIS with DICBERCLS = PC and ACTVT = 02
Object 2: S_TCODE with TCD = SE16, SE16N, SE17, SM30, or SM31 [including all relevant parameter
transactions]
8.1.3 Users - Other Than HR Administrators - Are Authorized to Read the
Infotype Change Log (0924)
Users having this authorization can access infotype data without a specific authorization for infotypes.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
114/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_PROGRAM with P_GROUP =RPUAUD00 and P_ACTION = SUBMIT
Object 2: S_TCODE with TCD = SE38 or SA38 or SC38 (and all relevant parameter transactions)
Object 3: S_DEVELOP ACTVT = 03
8.1.4 Users - Other Than HR Administrators - Are Authorized to Read HR Tables
with Person Related Data (0925)
Users with this authorization can read all HR tables with person-related data.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
115/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TABU_DIS = PA and ACTVT = 03
Object 2: S_TCODE = SE16, SE16N, SE17, SM30, or SM31 [and all relevant parameter transactions]
8.1.5 Users - Other Than HR Administrators - Are Authorized to Change HR
Tables with Person Related Data (0926)
Users with this authorization can change all HR tables with person-related data.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
116/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TABU_DIS = PA and ACTVT = 02
Object 2: S_TCODE = SE16, SE16N, SE17, SM30, or SM31 [including all relevant parameter
transactions]
8.1.6 Users - Other Than HR Administrators - Are Authorized to Maintain Client
Dependent HR Customizing (0927)
Users with this authorization can change client-dependent HR customizing.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
117/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TABU_DIS = PA AND PS and ACTVT = 02
Object 2: S_TCODE = SE16, SE16N, SE17, SM30, or SM31 [and all relevant parameter transactions]
8.1.7 Users - Other Than HR Administrators - Are Authorized to Run All HR
Transactions (0928)
Users with this authorization can call all HR transactions.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
118/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object1: S_TCODE = P*
Object2: P_TCODE = *
8.1.8 Users - Other Than HR Administrators - Have Broad Authorization on HR
Reports (0929)
This authorization gives broad authorization for HR Reports. The authorization objects P_ORGIN and P_PERNR
can be overruled with this authorization.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
119/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object1: P_ABAP = with REPID = * and COARS = 2
8.2 Personal Administration
8.2.1 Users - Other Than HR Administrators - Are Authorized to Read HR Master
Data (0936)
Users with this authorization can read the HR master data.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
120/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE = PA20 [and all relevant parameter transactions]
Object 2: P_ORGIN with AUTHC = R
Object 3: P_ORGXX with AUTHC = R (if AUTHSW ORGXX is set to 1 in table )
8.2.2 Users - Other Than HR Administrators - Are Authorized to Change Master
Data without Double Verification (0937)
Users with this authorization can change master data without verification through a colleague.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
121/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object 1: S_TCODE = PA30 [and all relevant parameter transactions]
Object 2: P_ORGIN with AUTHC = (D and ( E or S )) OR W
Object 3: P_ORGXX with AUTHC = R (if AUTHSW ORGXX = 1 in table T77S0)
8.3 Payroll
8.3.1 Users - Other Than HR Administrators - Are Authorized to Read Payroll
Results (0946)
Users with this authorization can read the HR payroll results.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
Human Resources
Confidential
122/143
Security Optimization Service
10.02.2016
should inspect the roles or profiles that include the authorization objects listed below.
Authorization objects:
Object1: P_PCLX = with AUTHC = 'R' and RELID = '*'
8.3.2 Users - Other Than HR Administrators - Are Authorized to Maintain
Personnel Calculation Schemas (0947)
Users having this authorization can maintain the HR personnel calculation schemas.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
should inspect the roles or profiles that include the authorization objects listed below.
Authorization Objects:
Object 1: P_TCODE with TCD = PE01
Object 2: S_TCODE with TCD = PE01 [and all relevant parameter transactions]
8.3.3 Users - Other Than HR Administrators - Are Authorized to Release a
Payroll Run (0950)
Users with this authorization can release a payroll run.
Human Resources
Confidential
123/143
Security Optimization Service
10.02.2016
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
000
Count :
581
[92%]
002
JDOE
A
Doe
John
IT
SUPER
002
MMUSTERM
A
Mustermann
Max
IT
SUPER
002
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
should inspect the roles or profiles that include the authorization objects listed below.
Authorization Objects:
Object 1: P_TCODE with TCD = PA03
Object 2: S_TCODE with TCD = PA03 [and all relevant parameter transactions]
8.3.4 Users - Other Than HR Administrators - Are Authorized to Delete Payroll
Results (0951)
Users with this authorization can delete payroll results.
Client User
Type Last Name
First Name
Department
User
Group
000
JDOE
A
Doe
John
IT
SUPER
000
MMUSTERM
A
Mustermann
Max
IT
SUPER
000
USER1
A
Lastname_1
Firstname_1
LOB
LOB
000
USER2
S
Lastname_2
Firstname_2
LOB
LOB
000
USER3
B
Lastname_3
Firstname_3
LOB
LOB
Human Resources
Confidential
124/143
Security Optimization Service
10.02.2016
First Name
Department
User
Group
Doe
John
IT
SUPER
A
Mustermann
Max
IT
SUPER
USER1
A
Lastname_1
Firstname_1
LOB
LOB
002
USER2
S
Lastname_2
Firstname_2
LOB
LOB
002
USER3
B
Lastname_3
Firstname_3
LOB
LOB
002
Count :
577
[26%]
004
JDOE
A
Doe
John
IT
SUPER
004
MMUSTERM
A
Mustermann
Max
IT
SUPER
004
USER1
A
Lastname_1
Firstname_1
LOB
LOB
004
USER2
S
Lastname_2
Firstname_2
LOB
LOB
004
USER3
B
Lastname_3
Firstname_3
LOB
LOB
004
Count :
843
[4%]
200
JDOE
A
Doe
John
IT
SUPER
200
MMUSTERM
A
Mustermann
Max
IT
SUPER
200
USER1
A
Lastname_1
Firstname_1
LOB
LOB
200
USER2
S
Lastname_2
Firstname_2
LOB
LOB
200
USER3
B
Lastname_3
Firstname_3
LOB
LOB
200
Count :
586
[76%]
Client User
Type Last Name
000
Count :
581
[92%]
002
JDOE
A
002
MMUSTERM
002
Evaluated Risk - High
Recommendation: Use the Profile Generator (PFCG) to correct roles and/or transactions SU02 (Maintain
Profiles) / SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your
environment. With the authorization info system (SUIM) you can check the results. For this check you
should inspect the roles or profiles that include the authorization objects listed below.
Authorization Objects:
Object 1: S_TCODE = SE38 SA38 SC38 [and all relevant parameter transactions]
Object 2: S_PROGRAM with P_GROUP = RPUDEL20 and P_ACTION = SUBMIT
Object 3: S_DEVELOP with ACTVT = 03
OR
Object 1: S_TCODE = PU01 and P_TCODE = PU01 [and all relevant parameter transactions]
Object 2: P_ORGIN with AUTHC = W
Human Resources
Confidential
125/143
Security Optimization Service
10.02.2016
9 Appendix
9.1 General information about the SAP Security Optimization
Service
The following contains general information about SAP Security Optimization and will help you to understand and
apply the report.
How to read this report
The objective of this report is to document the vulnerabilities that have been detected by the SAP Security
Optimization service. Since we perform several hundred checks in this support service, only actual weaknesses
are listed in the report so that it is concise; checks with positive results are not included.
In some checks, unexpected users with critical authorizations are determined. If you have indicated in the
questionnaire that you want the user ID and the names of the users to be printed, they are listed in the findings of
these checks. To keep the report concise, note that no more than 30 users are listed - even if more users have
been found. If you want to determine all users who have this authorization, you can do so in transaction ST14. For
more information about using this transaction, see SAP Note 696478.
For each productive client analyzed, the maximum number of users printed is 20. For other clients (for example,
000 or 066), the maximum number of users printed for each client is 20 divided by the number of checked clients.
This ensures that examples of all clients are printed.
The number of counted users that we print is reduced by the number of superusers that we found in the system
(check 0022). Since superusers (users with the SAP_ALL profile) have all authorizations, they are printed only
once at the beginning of the report.
The user types in the report are as follows:
A = Dialog
C = Communication
B = System
S = Service
L = Reference
To enable you to identify major security weaknesses and to prioritize the measures to be implemented, an
evaluated risk is determined for each check. The evaluated risk is calculated by the severity and the probability of
a security violation.
The meaning of the evaluated risk is as follows:
- HIGH:
The severity is high and the probability is high or
The severity is high and the probability is medium or
The severity is medium and the probability is high
- Medium:
The severity is high and the probability is low or
The severity is medium and the probability is medium or
The severity is low and the probability is high
- Low:
The severity is medium and the probability is low or
The severity is low and the probability is medium or
The severity is low and the probability is low
How to implement the recommended security measures
To protect your SAP system from security violations, we recommend that you implement the measures proposed
in this report. To do so, proceed as follows:
1. Read this report carefully.
2. Double-check that the identified risks actually apply to your system. (Note that incomplete data in the
questionnaire can result in the report indicating more vulnerabilities than are actually in your system.)
3. Prioritize the risks and determine those that are acceptable for you.
4. Determine the effort to implement appropriate measures.
5. If required, perform a cost-benefit analysis before applying the measures.
6. Plan and implement the measures.
Do not implement the recommended measures without considering them first. Double-check the impact of the
recommended measures before applying them to your system. For example, implementing a new password policy
might be confusing to end users if they have not been notified about the new policy.
How to obtain support for the implementation
In some cases, you may not have the required resources to implement the recommended security measures. If
Appendix
Confidential
126/143
Security Optimization Service
10.02.2016
you need support when analyzing the results of the Security Optimization, as well as when determining and
implementing the appropriate measures, contact SAP's Security Consulting Team for on-site consulting via
SecurityCheck@sap.com.
How to review the effectiveness of the implemented measures
To prove the effectiveness of the implemented measures, you can request an additional complete SAP Security
Optimization check.
If you are supported by SAP Consulting during the implementation, our security consultants can perform individual
checks to prove the effectiveness on-site.
How to obtain additional security-related information
Recommendations and guidelines concerning the security of SAP systems are included in the SAP Security
Guide. This guide consists of three separate volumes, each with different levels of detail.
Volume I provides an overview of SAP's security services.
Volume II describes the services in detail.
Volume III contains security checklists.
For more information about these guides, see SAP Service Marketplace at http://service.sap.com/securityguide.
For additional security-related information, see SAP Service Marketplace at http://service.sap.com/security.
Concluding remark
SAP Security Optimization provides only a snapshot of the effectiveness of the implemented security measures.
Over time, however, every system faces changes that might impact your overall system security. We therefore
recommend that you run SAP Security Optimization at regular intervals.
9.2 Rating Overview
The following table provides an overview of the checks performed during this service.
Main
Chapter
Check
Special Focus
Checks
Additional Super User Accounts Found (0022)
Authentication
Password Complexity
Rating
Minimum Password Length (0126)
Trivial Passwords Are Not Sufficiently Prohibited (0125)
Initial Passwords
Users with Initial Passwords Who Have Never Logged On (0009)
Users with Reset Password Who Have Not Logged On (0140)
Interval for Logon with Productive Password Is Too Long (AU081)
Interval for Password Change Is Too Long (0127)
Too Many Invalid Logon Attempts Allowed Before a Session Is Terminated
(0132)
Too Many Incorrect Logon Attempts Allowed Before a User Is Locked (0133)
User Locks due to Failed Logon Attempts Are Automatically Released at
Midnight (0134)
Security Attack Indicated by Users Locked due to Incorrect Logon Attempts
(0141)
Users Who Have Not Logged On for an Extended Period of Time (0010)
Security Critical Events for End Users Are Not Logged in the Security Audit Log
(0136)
Interval After Which Inactive Users Are Logged Off Is Too Long (0137)
Users - Other Than User Administrators - Are Authorized to Change Passwords
(0121)
Appendix
Confidential
127/143
Security Optimization Service
10.02.2016
Main
Chapter
Rating
Check
Users - Other Than User Administrators - Are Authorized to Lock/Unlock Users
(0135)
SNC Users Do Not Have to Change Their Initial Password (0606)
Users - Other Than User Administrators - Are Authorized to Maintain the
Mapping of SNC Users to SAP Users (0594)
Unspecified Accepting of SSO Tickets (0603)
Users - Other Than System Administrators - Are Authorized to Maintain the
SSO Configuration (0604)
Users - Other Than System Administrators - Are Authorized to Maintain Trusted
SSO Ticket Issuing Systems (0605)
SSO Ticket Can Be Sent via an Unsecured Connection (0608)
Users - Other Than System Administrators - Are Authorized to Maintain Trusted
CAs (0624)
Users - Other Than System Administrators - Are Authorized to Maintain Table
SNCSYSACL via SNC0 (0625)
Users - Other Than System Administrators - Are Authorized to Maintain Table
SNCSYSACL via Table Maintenance (0626)
Users - Other Than User Administrators - Are Authorized to Maintain the
Mapping of X.509 Users to SAP Users (0622)
Basis
Administration
and Basis
Authorizations
Gateway and Message Server Security (BA076)
Kernel Patch Level (BA077)
Gateway Security (BA078)
Gateway Security Properties (BA079)
Enabling an Initial Security Environment (BA080)
Gateway Access Control Lists (BA081)
Message Server Security (BA083)
Separation of Internal and External Message Server Communication (BA084)
Message Server Administration Allowed for External Clients (BA085)
Message Server Access Control List (BA086)
Users - Other Than System Administrators - Are Authorized to Maintain System
Profiles (0152)
Users - Other Than System Administrators - Are Authorized to Start/Stop
Application Servers (0154)
Users - Other Than System Administrators - Are Authorized to Start/Stop Work
Processes (0156)
Users - Other Than System Administrators - Are Authorized to Lock/Unlock
Transactions (0157)
Users - Other Than System Administrators - Are Authorized to Maintain Other
User's Lock Entries (0159)
Users - Other Than System Administrators - Are Authorized to Maintain Own
Lock Entries (0166)
Users - Other Than System Administrators - Are Authorized to Delete or
Reprocess Broken Updates (0161)
Appendix
Confidential
128/143
Security Optimization Service
10.02.2016
Main
Chapter
Rating
Check
Users - Other Than System Administrators - Are Authorized to Activate a Trace
(0163)
System Profiles Are Not Consistent (0153)
Table TPFID Contains OS Passwords (0155)
No Timely Accurate Resolution of Erroneous Locks (0160)
No Timely Accurate Resolution of Broken Updates (0162)
Security Audit Log is not active (0170)
System Recommendations (ABAP) (BA090)
Sending Trace Data to Remote Client (0169)
No Timely Accurate Resolution of Failed Batch Input Sessions (0223)
Users - Other Than Batch Input Administrators - Are Authorized to Run Batch
Input Sessions in Dialog (0221)
Users - Other Than Batch Input Administrators - Are Authorized to Administer
Batch Input Sessions (0222)
Users - Other Than Spool Administrators - Are Authorized to Display Other
Users Spool Requests (0192)
Users - Other Than Spool Administrators - Are Authorized to Display Protected
Spool Requests of Other Users (0198)
Users - Other Than Spool Administrators - Are Authorized to Display the TemSe
Content (0193)
Users - Other Than Spool Administrators - Are Authorized to Change the Owner
of Spool Requests (0194)
Users - Other Than Spool Administrators - Are Authorized to Redirect a Print
Request to Another Printer (0195)
Users - Other Than Spool Administrators - Are Authorized to Export a Print
Request (0196)
Periodic Background Jobs Scheduled with User of Type Other Than 'SYSTEM'
(0211)
Users - Other Than Background Administrators - Are Authorized to Schedule
Jobs in SM36 (0212)
Users - Other Than Background Administrators - Are Authorized to Schedule
Jobs in External Commands (0213)
Users - Other Than Background Administrators - Are Authorized to Schedule
Jobs Under Another User Id (0214)
Users - Other Than System Administrators - Are Authorized to Define External
OS Commands (0171)
Users - Other Than System Administrators - Are Authorized to Execute External
OS Commands (0172)
Users - Other Than System Administrators - Are Authorized to View Content of
OS Files with AL11 (0173)
Unsecured Outgoing RFC Calls (0252)
SNC Protection for encrypted outgoing RFC calls (0253)
Unexpected RFC Connections with Complete Logon Data Found (0254)
Users - Other Than System Administrators - Are Authorized to Administer RFC
Connections (0255)
Unexpected Trusting System Connections Found (0267)
Appendix
Confidential
129/143
Security Optimization Service
10.02.2016
Main
Chapter
Rating
Check
Users - Other Than System Administrators - Are Authorized to Maintain Trusting
Systems (0268)
Remote Monitoring Function for the RFC Gateway Is Not Disabled (0269)
Permit-all simulation mode is active for the RFC gateway (0273)
Users Are Authorized to Run Any RFC Function (0241)
Users - other than Key Users - are Authorized to Visualize All Tables via RFC
(0245)
Incoming RFC with Expired Password is Allowed (0234)
Users authorized for Trusted RFC which can be called from any calling user
(0248)
Unexpected Trusted System Connections Found (0238)
Users - Other Than System Administrators - Are Authorized to Maintain Trusted
Systems (0240)
Users - Other Than System Administrators - Allowed to Maintain the ALE
Distribution Model (0723)
Users - Other Than System Administrators - Allowed to Maintain the Partner
Profile (0724)
User
Authorization
Users - Other Than the User Administrators - Are Authorized to Maintain Users
(0002)
User Administrators Are Authorized to Change Their Own User Master Record
(0003)
User Administrators Are Allowed to Maintain Users of Any Group (0004)
Users Are Not Assigned to User Groups (0005)
User Data Is Incomplete (0006)
Users with Authorizations for User and Role/Profile/Authorization Maintenance
(0008)
Usage of 'Normal' Users as Reference Users Is Not Prohibited (0012)
Users - Other Than User Administrators - Are Authorized to Access Tables with
User Data (0013)
Users - Other Than User Administrators - Are Authorized to Call Function
Modules for User Admin (0019)
Unexpected Users Are Authorized to Change a Super User Accounts (0026)
Users with Profile SAP_NEW (0031)
User SAP* has the default password in some clients (0041)
Not all profiles are removed from user SAP* (0042)
User SAP* is neither locked nor expired (0043)
User SAP* is not assigned to the user group SUPER (0044)
User SAP* has been deleted at least in one client (0045)
Usage of the hard coded user SAP* is not disabled (0046)
User SAP*'s activities are not logged in the Security Audit Log (0047)
User DDIC has the default password in some clients (0048)
Appendix
Confidential
130/143
Security Optimization Service
10.02.2016
Main
Chapter
Rating
Check
User DDIC Is Not Assigned to the User Group SUPER (0049)
User DDIC's activities are not logged in the Security Audit Log (0050)
User SAPCPIC has the default password in some clients (0051)
User SAPCPIC Is Neither Locked nor Expired (0052)
User SAPCPIC Not Assigned to the Group SUPER (0053)
User SAPCPIC Has More Authorizations Than Required (0054)
User EARLYWATCH has the default password (0056)
User EARLYWATCH Is Not Assigned to User Group SUPER (0058)
User EARLYWATCH Has More Authorizations Than Required (0059)
User EARLYWATCH's activities are not logged in the Security Audit Log (0060)
User TMSADM has the default password in some clients (0063)
User TMSADM Exists in Clients Other Than Client 000 (0064)
User TMSADM has more authorizations than required (0065)
Users Are Authorized to Maintain Roles Directly in the Production System
(0072)
Users Are Authorized to Maintain Profiles Directly in the Production System
(0073)
Users Are Authorized to Maintain Authorizations Directly in the Production
System (0074)
Users Are Authorized to Call Function Modules for Authorization, Role and
Profile Management (0087)
SAP Standard Roles Are Assigned to Users (0082)
SAP Standard Profiles Are Assigned to Users (0083)
Inconsistent Assignment of Generated Profiles (0084)
Unused Roles Are Found (0086)
Profiles on Long Time Locked Users (0089)
Users Are Authorized to Disable Authorization Checks Within Transactions
(0102)
Users Are Authorized to Disable Authorization Checks Globally (0105)
Users Are Authorized to Call Any Transaction (0110)
Users Are Authorized to Delete an Authorization Check Before Transaction
Start (0111)
Global Disabling of Authority Checks Is Not Prevented (0104)
Authority Check for Inbound RFC Connections Is Disabled (0106)
Authority Check for Inbound tRFC Connections Is Disabled (0107)
Users Comparison After Role Change Is Not Run in a Timely Accurate Manner
(0112)
Change
Management
Users - Other Than Key Users - Are Authorized to Start All Reports (0512)
Appendix
Confidential
131/143
Security Optimization Service
10.02.2016
Main
Chapter
Rating
Check
Users - Other Than Key Users - Are Authorized to Display All Tables (0513)
Users Are Authorized to Maintain All Tables (0514)
Users - Other Than System Administrators - Are Authorized to Change the
Authorization Group of Tables (0515)
Users - Other Than Query Administrators - Are Authorized to Administer
Queries (0517)
Users Are Authorized to Execute All Function Modules (0520)
System Change Option Not Appropriately Configured in the Production System
(0301)
Client Change Option Not Appropriately Configured (0302)
Users - Other Than System Administrators - Are Authorized to Change the
System Change Option (0303)
Users - Other Than System Administrators - Are Authorized to Change the
Client Change Option (0304)
Clients with an Entry in T000 but Without Any User Data (0319)
Users - Other Than System Administrators - Are Authorized to Create New
Clients (0305)
Users Are Authorized to Delete Clients (0306)
Users Are Authorized to Development in the Production System (0307)
Users Are Authorized to Debug and Replace Field Values in the Production
System (0308)
Users Are Authorized to Perform Customizing in the Production System (0309)
Users Are Authorized to Develop Queries in the Production System (0310)
Execution of CATTs and eCATTs is Not Prevented by Client Settings (0311)
Users Are Authorized to Execute CATTs in the Production System (0312)
Users Are Authorized to Execute eCATTs in the Production System (0313)
SAPgui User Scripting Is Enabled (0314)
Users Are Authorized to Use the Legacy Migration Workbench (0315)
Table Logging Is Not Enabled for Import (0317)
Users Are Authorized to Modify the Table Logging Flag for Tables (0318)
Development Sources Are Not Scanned for Critical Statements (0335)
Development Keys Exist in the Productive System (0338)
Users - Other Than Transport Administrators - Are Authorized to Change the
TMS Configuration (0341)
Users - Other Than Transport Administrators - Are Authorized to Start Imports
to Production (0342)
Users - Other Than Transport Administrators - Are Authorized to Create and
Release Transports (0343)
Users - Other Than Transport Administrators - Are Authorized to Apply Patches
(0363)
Web
Application
Server
Users - Other Than System Administrators - Are Authorized to Activate ICF
Services (0655)
Appendix
Confidential
132/143
Security Optimization Service
10.02.2016
Main
Chapter
Rating
Check
Users - Other Than System Administrators - Are Authorized to Access Table
Authorization Group &NC& (0663)
External Clients Are Allowed to Switch the Profile Level (0702)
Additional http Client Connections Found (0682)
No Proxy Used to Connect to http Servers (0683)
No Authorization for S_SICF Required for http Client Access (0684)
Client Proxy Does Not Require Client Authentication (0685)
Additional http Connections with Full Logon Data Found (0687)
No Encryption of Outgoing http Communication (0688)
Users - Other Than System Administrators - Are Authorized to Administrate the
ICM (0701)
Users - Other Than System Administrators - Are Authorized to Display the http
Server Cache (0705)
Users - Other Than System Administrators - Are Authorized to Configure the
ICM Monitor (0706)
External Clients Are Allowed to Switch the Trace Level (0703)
Users - Other Than System Administrators - Are Authorized to Maintain the
System PSE's (0711)
Users Authorized to Maintain the Sending Systems for User Replication (0864)
Human
Resources
Users - Other Than HR Administrators - Are Authorized to Maintain Table
T77S0 (0922)
Users - Other Than HR Administrators - Are Authorized to Maintain Tables for
Organizational Data (0923)
Users - Other Than HR Administrators - Are Authorized to Read the Infotype
Change Log (0924)
Users - Other Than HR Administrators - Are Authorized to Read HR Tables with
Person Related Data (0925)
Users - Other Than HR Administrators - Are Authorized to Change HR Tables
with Person Related Data (0926)
Users - Other Than HR Administrators - Are Authorized to Maintain Client
Dependent HR Customizing (0927)
Users - Other Than HR Administrators - Are Authorized to Run All HR
Transactions (0928)
Users - Other Than HR Administrators - Have Broad Authorization on HR
Reports (0929)
Users - Other Than HR Administrators - Are Authorized to Read HR Master
Data (0936)
Users - Other Than HR Administrators - Are Authorized to Change Master Data
without Double Verification (0937)
Users - Other Than HR Administrators - Are Authorized to Change their Own
Master Data (0939)
Users - Other Than HR Administrators - Are Authorized to Read Payroll Results
(0946)
Users - Other Than HR Administrators - Are Authorized to Maintain Personnel
Calculation Schemas (0947)
Users - Other Than HR Administrators - Are Authorized to Release a Payroll
Run (0950)
Appendix
Confidential
133/143
Security Optimization Service
10.02.2016
Main
Chapter
Rating
Check
Users - Other Than HR Administrators - Are Authorized to Delete Payroll
Results (0951)
9.3 Customizing of Report Output Tables
Listed Examples for:
Value
Number of users with critical permissions
CUSTOMER
Customer Defined Number
5
9.4 Used Questionnaire
Find the header data of the selected questionnaire in the table below.
If you have chosen to generate a report with an attached copy of the questionnaire, this copy is represented in the
following chapters.
Questionnaire Leading
Name
System
New at
10.02.2016
Last
Type Chang
by
SID = XXX
InstNo =
ABAP JDOE
0123456789
Change Change
Questionnaire GUID
Date
Time
10.02.2016 15:27:19 005056837A4F1EE5B3FEB15A4BAF9F93
Appendix
Confidential
134/143
Security Optimization Service
10.02.2016
10 Appended Questionnaire - SAP NetWeaver
Application Server ABAP
10.1 Clientlist (0000)
Purpose
To restrict the number of analyzed clients (not recommended).
Procedure
Enter all of your system clients that are to be examined.
You can also leave the table blank (recommended!), in which case all of the clients in your system will be
examined. The entry "ALL" as a wildcard for all clients is not supported for this selection.
IMPORTANT: For a complete security check, it is strongly recommended that you have ALL of your system
clients examined.
Background:
- Because larger SAP customers tend to divide authorizations among many different users, we have created
several different user groups below.
- If you are a smaller customer and only have super users and "normal users", answer the questions for super
users because they are automatically removed in all subsequent checks.
- If you divide up your users to an extent but not in as much detail as given in the questionnaire, enter the users in
one of the checks and copy the different users to the corresponding tables.
Client
000
002
004
200
10.2 Print the User Data (All Checks)
Procedure
If you want user data (first name, last name, and department of the user) to be printed in the report, select the
"Print User Data" field.
If you do not select this field, only the user name is printed.
When ST14 data is created, a parameter can be used to prevent user data (first and last name) from being sent to
SAP.
Print User Data?
Yes
SELECT IF USER DATA WANTED
No
X
10.3 User Authorizations
10.3.1 User Segregation (0004)
Procedure
If you have segregated your users in different user groups, select the field "User Segregation" in the table.
Segregation in User groups
Yes
Select checkbox if segregation is used
No
X
10.3.2 Powerful Users
10.3.2.1 Super Users (0021)
Procedure
List for each client the known super users. These are the users having the profile SAP_ALL.
- Please mention the users with user type "dialog", "service", "system" or "communication".
- If a super user exists in all clients, you can also insert "ALL" in the field "Client" instead of listing all clients
Client
User
Appended Questionnaire - SAP NetWeaver Application Server ABAP
Confidential
135/143
Security Optimization Service
Client
10.02.2016
User
10.3.2.2 System Administration
10.3.2.2.1 System Administrators (0151)
Procedure
For each client, list the known system administrators.
If a system administrator exists for all clients, you can also insert "ALL" in the field "Client" instead of listing all
clients.
Client
User
10.3.2.2.2 Background Administrators (0217)
Procedure
For each client, enter the known background administrators. If the background administrators are the same in all
clients, enter "ALL" in the field "Client".
Client
User
10.3.2.2.3 Spool Administrators (0191)
Procedure
For each client, enter the known spool administrators. If the spool administrators are the same in all clients, enter
"ALL" in the "Client" field.
Client
User
10.3.2.2.4 Transport Administrators (0351)
Procedure
For each client, enter the known Transport and SPAM Administrators. If the Transport and SPAM Administrators
are the same in all clients, enter "ALL" in the field "Client".
Client
User
Appended Questionnaire - SAP NetWeaver Application Server ABAP
Confidential
136/143
Security Optimization Service
Client
10.02.2016
User
10.3.2.3 User Administration
10.3.2.3.1 Super User Administrators (0025)
Procedure
For each client, list the known super user administrators. Super user administrators are the user administrators,
who are allowed to change users in the group SUPER (for example, SAP*, DDIC). We always check for super
users against the group SUPER.
If the same super user administrator exists for all clients, you can insert "ALL" in the field "Client" instead of listing
all clients.
Client
User
10.3.2.3.2 User Administrators (0001)
Procedure
For each client, list the known user administrators.
If the same user administrator exists for all clients, you can also insert "ALL" in the field "Client" instead of listing
all clients.
Client
User
10.3.2.3.3 Role & Auth Administrators (0071)
Procedure
For each client, enter the known role and authorization administrators. If the role and authorization administrators
are the same in all clients, enter "ALL" in the field "Client".
Client
User
Appended Questionnaire - SAP NetWeaver Application Server ABAP
Confidential
137/143
Security Optimization Service
10.02.2016
10.3.2.4 Batch Input Administrators (0224)
Procedure
For each client, enter the known batch input administrators. If the batch input administrators are the same in all
clients, enter "ALL" in the field "Client".
Client
User
10.3.2.5 Key Users (0511)
Procedure
For each client, enter the known key users. These users are allowed to start all reports and transaction and have
authorization to view all tables. If the key users are the same in all clients, enter "ALL" in the field "Client".
Client
User
10.3.2.6 Query Administrators (0516)
Procedure
For each client, enter the known query administrators. If the query administrators are the same in all clients, enter
"ALL" in the field "Client".
Client
User
10.3.3 Trusted RFC users which can be called by any calling user (0249)
Procedure
For each client, enter the known service users that can be called by any calling user using a trusted RFC
connection. If these service users are the same in all clients, enter "ALL" in the "Client" field.
Client
User
Appended Questionnaire - SAP NetWeaver Application Server ABAP
Confidential
138/143
Security Optimization Service
10.02.2016
10.4 RFC Connections
10.4.1 Trusting Systems (Outgoing) (0271)
Procedure
Enter the name of the outgoing RFC destinations from the systems defined as trusting systems in the table
RFCDES.
RFC Destination
10.4.2 Trusted Systems (Incoming) (0246)
Procedure
Enter the name of the incoming RFC destinations to the systems defined as trusted systems in the table
RFCSYSACL.
RFC Destination
10.4.3 RFC Connections with Complete Logon Data (0251)
Procedure
Enter the names of the RFC destinations that you have maintained with complete logon data in table RFCDES.
RFC Destination
10.5 Systems Allowed to Issue Trusted SSO Tickets (0602)
Procedure
Enter the names of the systems allowed to issue trusted SSO tickets. If the systems are the same in all clients,
enter "ALL" in the field "Client".
Client
System Name
Appended Questionnaire - SAP NetWeaver Application Server ABAP
Confidential
139/143
Security Optimization Service
10.02.2016
10.6 Trusted Certification Authorities (CAs) from which certificates
are accepted (0629)
Procedure
Enter the names of the trusted Certification Authorities (CAs) from which certificates are accepted.
Distinguished Name
10.7 Scan of Transports (0348)
Procedure
If you scan transports for malicious programs, as described in SAP Note521087, select the field "Transport Scan".
Do You Scan Transports?
Yes
Do you scan transports?
No
X
10.8 Scan of Source Code (0335)
Procedure
In the table, select the field "Code Scan" if you use the SAP Code Inspector to scan your code for critical
statements or function calls such as:
Critical statements:
- INSERT REPORT
- EDITOR_CALL FOR REPORT
- SYSTEM_CALL
Critical function modules:
- ADD_USERPROFILE
- DELETE_USER_ON_DB
- BAPI_USER_*
- SUSR_*
- PRGN_*
Do You Use the Code Inspector?
Yes
No
Do you use the Code Inspector?
X
10.9 Use of the J2EE Engine (0771)
Procedure
If you use the J2EE Engine of your SAP Web Application Server, select the field "J2EE Engine is Used" in the
table.
Do You Use the J2EE Engine?
Do you use the J2EE Engine?
Appended Questionnaire - SAP NetWeaver Application Server ABAP
Confidential
Yes
No
X
140/143
Security Optimization Service
10.02.2016
11 Appended Questionnaire - SAP Human Capital
Management
11.1 HCM Administrators (0921)
Procedure
For each client with an HR implementation, enter the known HR administrators. If the administrators are the same
in all clients, enter "ALL" in the "Client" field.
Client
User
Appended Questionnaire - SAP Human Capital Management
Confidential
141/143
Security Optimization Service
10.02.2016
12 Appended Questionnaire - Customer Defined
Authorization Checks
Purpose of this section
Maintain the IDs and titles of Customer Defined Authorization Checks as well as a White Lists of users and a
Check Description that is shown in the analysis report.
Prerequisite that the Check Definition of the Questionnaire can be processed in the managed system
The AddOn ST-A/PI is available on the managed system with release 01N SP01 or higher or with release 01N
and SAP Note 1608969.
Procedure
Step1: Maintain the check titles and a key for the criticality in the table below. HIGH stands for a high c riticality
and MEDIUM for a medium criticality.
Note that you can modify the Check IDs in the corresponding Questionnaire Session while this is not supported in
the Questionnaire document. In the session you can also add or delete IDs.
CHECK DEFINITION
Check ID
Check Title (max. 53 Char.)
Criticality (Key)
9000
Customer Defined Authorization
MEDIUM
Step 2: Enter users in the table below that are authorized for all Customer Define Authorization Checks and shell
be excluded from all findings. If you enter ALL in the column client the corresponding user exception is valid for all
clients.
WHITE LIST FOR ALL CUSTOMER DEFINED AUTH. CHECKS
Client
User
Example for a Customer Defined 'Authorization Check': The following table provides an example of an
authorization check definition. This example can be used when you enter your own definitions later on.
EXAMPLE FOR A CUSTOMER DEFINED 'AUTHORIZATION CHECK'
Authorization Object
Field
Value
S_DEVELOP
ACTVT
03
S_DEVELOP
DEVCLASS
STAB
S_DEVELOP
OBJNAME
RSTBPDEL
S_DEVELOP
OBJTYPE
PROG
S_TABU_CLI
CLIIDMAINT
X
S_TCODE
TCD
SA38
S_TCODE
TCD
SC38
S_TCODE
TCD
SE38
Step 3: For each Check ID in the table above you find a subchapter below. Each chapter consists of three tables,
called 'Authorization Check', 'White List' and 'Check Description'. If you have changed the Check Title in the table
above, this will not jet be represented in the sub chapter headings. However the Check ID is the leading figure and
the Check Description will be used in later questionnaires as well as in the analysis report.
The following steps 3a to 3c apply to each subchapter.
Step 3a - Authorizations to be Checked
To define the custom authorization checks in this questionnaire then maintain the corresponding 'Authorization
Check' tables. The following rules apply:
You can enter up to four different authorization objects that are linked with "AND" during the selection of the
authorized users. This means that all users are selected that have all of the authorizations specified.
In addition, you can enter any number of values for the "S_TCODE" authorization object that are linked with "OR"
to each other and with "AND" to the other authorization objects. This means that all users are selected that have
all of the authorizations specified and that are authorized for at least one transaction specified in the "S_TCODE"
Appended Questionnaire - Customer Defined Authorization Checks
Confidential
142/143
Security Optimization Service
10.02.2016
object.
The quality and consistency of your input is in your responsibility. No technical plausibility check is performed in
this session.
An example is given above.
Step 3b - White List:
Maintain users that are allowed to have the checked authorization in the White List. 'ALL' in column 'Client'
indicates that the user is valid for all clients.
Step 3c - Check Description:
You have the option to add a description that will be shown in the analysis report.
12.1 Customer Defined Authorization (9000)
AUTHORIZATION CHECK
Authorization Object
Field
Value
WHITE LIST
Client
User
CHECK DESCRIPTION
Check Description (max. 255 Char.)
Appended Questionnaire - Customer Defined Authorization Checks
Confidential
143/143