
1. There should be a policy to change DDIC password or any Dialog user ids password after a regular interval of time.

You can set the password expiration time through a profile parameter that is discussed below in item 4.2. The policy should be stated in the Standard Operating Procedure and work instruction document for SAP Security.

2. The Security Administrator should at least quarterly check report RSUSR003 for the status of the SAP Standard user ids and remediate in case of any discrepancies.

3. The following authorization is needed by the Security Administrator to execute the RSUSR003 report: authorization object S_USER_ADM with the value CHKSTDPWD for the field S_ADM_AREA. If the administrator does not own this authorization, the following authorizations are checked instead, which require strong change authorizations (see notes 717123 and 704307 for details):
S_TABU_DIS: Activity 02 and Authorization Group SS
S_TABU_CLI: X (Client Maintenance Allowed)
S_USER_GRP: Activity 02 and User Group SUPER

Checking Profile Parameters

For any operating company, the Business and Audit requirements determine the values of the profile parameters. Below is a list and brief description of the various profile parameters that impact SAP Security and Audit, and the best-practice values they might need to satisfy security and Audit requirements.

Profile parameter | Description | Expected value
login/min_password_lng | Minimum length of password that the user needs to input | 8
login/min_password_digits | Minimum number of digits that the password should contain | 1
login/min_password_letters | Minimum number of letters that the password should contain | 1
login/min_password_specials | Minimum number of special characters that the password should contain | 1
login/min_password_diff | Minimum number of characters which differ between old and new password | > 0
login/password_expiration_time | Number of days after which the password expires and should be changed | 90
login/password_history_size (available as of SAP NetWeaver 700) | Number of old passwords that the system stores so that the user cannot repeat old passwords | 5
login/password_max_idle_productive (available as of SAP NetWeaver 700) | Number of days until which a password set by the user remains valid, after which that same password cannot be used for login | 60
login/password_max_idle_initial (available as of SAP NetWeaver 700) | Maximum number of days for which an initial password remains valid | 7
login/disable_multi_gui_login | Disable multiple SAP logons for the same user id | 1
login/fails_to_session_end | Number of invalid login attempts until session end | 3
login/fails_to_user_lock | Number of invalid login attempts until user lock | 5
login/no_automatic_user_sapstar | Controls automatic login using SAP* with the default password in the case when the user master record of SAP* has been deleted | 1
rdisp/gui_auto_logout | Maximum time in seconds after which the GUI session will automatically log out | 3600
auth/object_disabling_active | Prevents disabling of Authorization objects by transaction AUTH_SWITCH_OBJECTS | N
rec/client | Activate or deactivate table logging in a client | ALL, which means table logging is activated in all clients

Audit and Table Logs

Logs can be used in troubleshooting any issue or identifying any threat to the SAP system. Critical tables should be logged to see that nobody makes changes to these tables.

1. Security Audit Log: Auditors like to see a configured Security Audit log, as it helps the security administrator in monitoring the SAP system. The Security Audit log can be configured using SM19, can be displayed using SM20 and can be deleted using SM18. There are certain parameters that have to be enabled for configuring the Security Audit log:
rsau/enable: should have value 1
rsau/max_diskspace/per_day or rsau/max_diskspace/per_file: either one should be set
rsau/selection_slots: should be set to the value equal to the number of filters needed.
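The profile-parameter baseline above and the rsau/* rules just listed can be checked mechanically. The following is an added example (not code from the original document): a Python check over parameter values as read from RSPFPAR or RZ11; it assumes the listed expected values are thresholds (a stricter setting passes), and it treats a value of 0 for the time-based controls as a failure, since 0 disables them.

```python
"""Compare SAP profile parameters (values as shown by RSPFPAR or RZ11) with the
baseline listed above. Added example: expected values are treated as thresholds,
so a stricter setting passes (assumption; the page lists single values)."""

# Rules: ("min", n) value >= n; ("max", n) 0 < value <= n; ("eq", s) exact match.
BASELINE = {
    "login/min_password_lng": ("min", 8), "login/min_password_digits": ("min", 1),
    "login/min_password_letters": ("min", 1), "login/min_password_specials": ("min", 1),
    "login/min_password_diff": ("min", 1),                # page: "> 0"
    "login/password_expiration_time": ("max", 90), "login/password_history_size": ("min", 5),
    "login/password_max_idle_productive": ("max", 60), "login/password_max_idle_initial": ("max", 7),
    "login/disable_multi_gui_login": ("eq", "1"), "login/fails_to_session_end": ("max", 3),
    "login/fails_to_user_lock": ("max", 5), "login/no_automatic_user_sapstar": ("eq", "1"),
    "rdisp/gui_auto_logout": ("max", 3600), "auth/object_disabling_active": ("eq", "N"),
    "rec/client": ("eq", "ALL"), "rsau/enable": ("eq", "1"),
}
# Security Audit Log disk limit: either parameter is sufficient, but one must be set.
DISKSPACE_ANY_OF = ("rsau/max_diskspace/per_day", "rsau/max_diskspace/per_file")


def check_parameters(params, filter_count):
    """Return findings (list of strings); an empty list means the baseline is met.
    params: dict parameter -> value string; filter_count: filters configured in SM19."""
    findings = []
    for name, (rule, expected) in BASELINE.items():
        value = params.get(name, "").strip()
        if rule == "eq":
            ok = value.upper() == expected
        elif value.isdigit():
            # For "max" rules a value of 0 disables the control (no password expiry,
            # no auto logout), so 0 must not pass.
            ok = int(value) >= expected if rule == "min" else 0 < int(value) <= expected
        else:
            ok = False  # not set or non-numeric
        if not ok:
            findings.append(f"{name}: {value or 'not set'}, expected {rule} {expected}")
    if all(params.get(p, "0").strip() in ("", "0") for p in DISKSPACE_ANY_OF):
        findings.append("rsau/max_diskspace: neither per_day nor per_file is set")
    slots = params.get("rsau/selection_slots", "0").strip()
    if not slots.isdigit() or int(slots) < filter_count:
        findings.append(f"rsau/selection_slots: {slots}, but {filter_count} filters are needed")
    return findings


# Constructed sample: baseline-compliant except for four deliberate deviations.
SAMPLE = {name: str(exp) for name, (_, exp) in BASELINE.items()}
SAMPLE.update({"login/min_password_lng": "6", "rec/client": "OFF",
               "rsau/max_diskspace/per_day": "0", "rsau/selection_slots": "2"})

if __name__ == "__main__":
    for finding in check_parameters(SAMPLE, filter_count=3):
        print(finding)
```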

2. Table Logging for Critical tables: This is another item that Auditors scrutinize carefully, as there are certain tables that should be logged for changes in Production or should be set as Non Modifiable. Please make sure rec/client is set to "ALL" to ensure table logging is activated in all the clients, as previously discussed in item 4.2.

Please check in transaction SE13 that the Log Data Changes box is checked, or in table DD09L that the field LOG has the value X, for the following tables as best practice. (You can use report RDDTDDAT_BCE or RDDPRCHK, too.)

Table | Description
T000 | Clients
T001 | Company Codes
TACTZ | Valid activities for each authorization object
TNRO | Definition of number range objects
TOBJ | Authorization Objects Definition
TSTC | Transaction Code Definition
TSTCA | Values for transaction code authorizations
OBJH | Object Headers
TSTCP | Used Parameters for transactions
TBRG | Authorization Groups
TDDAT | Maintenance area for tables
T009 | Fiscal Year Variant
T042 | Payment Transactions

Below is the list of tables that the Auditors might check for Modifiable or Non Modifiable settings. It can be checked via t-code SE11 -> tab Delivery and Maintenance -> field Data Browser/Table View Maintenance, or in table DD02L -> field Table Maintenance. (You can use report RDDTDDAT_BCE or RDDPRCHK, too.)

Table | Expected setting
T000 (Clients) | Display/Maintenance Allowed
T001 (Company Codes) | Display/Maintenance Allowed
T009 (Fiscal year variants) | Display/Maintenance Not Allowed
TBRG (Authorization Groups) | Display/Maintenance Not Allowed
TDDAT (Maintenance area for tables) | Display/Maintenance Not Allowed
TNRO (Definition of number range objects) | Display/Maintenance Allowed with Restrictions
TOBJ (Objects) | Display/Maintenance Allowed with Restrictions
TSTC (SAP Transaction codes) | Display/Maintenance Allowed with Restrictions
TSTCA (Values for transaction code auth) | Display/Maintenance Allowed with Restrictions
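An added example (not from the original document) that runs the two table checks above over constructed exports of DD09L (field LOG) and DD02L (field MAINFLAG, the Table Maintenance setting); the "TABNAME|FLAG" export format is assumed.

```python
"""Audit the critical tables listed above: table logging (DD09L-LOG = 'X') and the
expected table-maintenance setting (DD02L-MAINFLAG). Added example, not part of the
page; the 'TABNAME|FLAG' export lines below are constructed sample data."""

# Tables that should have "Log Data Changes" set (from the page).
LOGGED_TABLES = ["T000", "T001", "TACTZ", "TNRO", "TOBJ", "TSTC", "TSTCA", "OBJH",
                 "TSTCP", "TBRG", "TDDAT", "T009", "T042"]
# DD02L-MAINFLAG: "X" = Allowed, "N" = Not Allowed, " " = Allowed with Restrictions.
MAINFLAG_TEXT = {"X": "Allowed", "N": "Not Allowed", " ": "Allowed with Restrictions"}
EXPECTED_MAINFLAG = {"T000": "X", "T001": "X", "T009": "N", "TBRG": "N", "TDDAT": "N",
                     "TNRO": " ", "TOBJ": " ", "TSTC": " ", "TSTCA": " "}


def parse_export(text):
    """Parse 'TABNAME|FLAG' lines into {table: flag}; an empty flag is kept as ' '."""
    rows = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        name, flag = (part.strip() for part in line.split("|", 1))
        rows[name.upper()] = flag.upper() or " "
    return rows


def audit_tables(dd09l, dd02l):
    """Return findings for missing logging and wrong maintenance settings."""
    findings = []
    for table in LOGGED_TABLES:
        flag = dd09l.get(table)
        if flag is None:
            findings.append(f"{table}: not found in DD09L export")
        elif flag != "X":
            findings.append(f"{table}: table logging not active (LOG={flag!r})")
    for table, expected in EXPECTED_MAINFLAG.items():
        actual = dd02l.get(table)
        if actual is None:
            findings.append(f"{table}: not found in DD02L export")
        elif actual != expected:
            findings.append(f"{table}: maintenance is {MAINFLAG_TEXT.get(actual, actual)}, "
                            f"expected {MAINFLAG_TEXT[expected]}")
    return findings


# Constructed sample exports: TSTC is not logged, T042 is missing, TDDAT is maintainable.
DD09L_EXPORT = "\n".join(f"{t}|X" for t in LOGGED_TABLES if t not in ("TSTC", "T042")) + "\nTSTC|"
DD02L_EXPORT = "\n".join(f"{t}|{f}" for t, f in EXPECTED_MAINFLAG.items() if t != "TDDAT") + "\nTDDAT|X"

if __name__ == "__main__":
    for finding in audit_tables(parse_export(DD09L_EXPORT), parse_export(DD02L_EXPORT)):
        print(finding)
```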

System and Client Settings

The following System Change Option should be set for the Production environment. You or your Basis Administrator can check or set it using SE06 -> System Change Option, or by using transaction SCTS_RSWBO004.
1. Global Settings: Not Modifiable
2. Software Component: Not Modifiable
3. Namespace / Name Range: Not Modifiable

The following client settings should be set in Production:
1. Client Role: Production
2. Changes and Transports for Client-Specific objects: No changes allowed
3. Cross-Client Object Changes: No changes to Repository and cross-client customizing objects
4. Client Copier and comparison table: No Overwriting
5. CATT and eCATT Restrictions: CATT and eCATT not Allowed

Maintaining User Groups

It is a good practice to have User groups maintained for the user ids in your SAP system. You can create User groups using t-code SUGR. It helps you as well as the Auditors when you have a clear demarcation among all the IT users and the Business users. For example, in one of my projects we had the following user groups:
1. IT Basis Admin
2. IT Security Admin
3. IT Batch Admin
4. IT Production Support – MM, SD, FI etc.
5. Business users – Regional
6. Business users – Operating Company X, Y, Z etc.
7. Terminated user group
8. Inactive user group
9. System user group – for System user ids
10. Super User group – for Super users like SAP*, DDIC etc.

Also it will help if you have the same user groups configured in the Quality system. Auditors like to see that your Quality system matches your Production system as much as possible. Access to maintain the user group Super should be restricted using the authorization object S_USER_GRP. For example, if you have four Security Administrators in your team and not all need to maintain Super user ids, then restrict it from them.

Process for Super User ids and System ids

There should be proper documentation on the process of how a Super user id (DDIC, SAP* or custom Super user ids created with excessive access and critical transactions) is given to a user. The following guidelines can help:
1. Whoever requires this kind of access should specify the exact reason why it is needed. He should also specify the dates for which he needs it.
2. This kind of access should be approved through the approval process in place.
3. Open the Super user id for those many days and send an email with the user id and another email with the initial password.
4. Make sure the Security Audit log is enabled for these user ids.
5. Once the user is done, lock the Super user id again and take approval for the functionality that the user has completed using this user id. The Security Audit log can help you with this.
6. Make sure you are preserving the documents related to the activation of the Super user id and the subsequent documents of the Audit log and its approval.

Note: Auditors might take a sample of the number of times your Super user ids were activated and ask for the various documents on them.

Tip: Do not use SAP* as your Super user id. Remove the SAP_ALL and SAP_NEW authorization profiles from it and lock it. Create your own Super user id, activate it on need and approval, and then lock it again after the job is completed.

Auditors also might like to see how passwords are maintained for System user ids and how they are kept secure. Make sure there is a process around the System user ids as well.

Critical Transactions and Authorization objects

There are certain critical transactions that you should be careful about when giving them in Production. Certain t-codes should only be given to the Security team, certain others only to the Basis team, and a few should be restricted to the Super role that is only given through your Super user id.

1. Critical transactions: I will try to give the list of critical t-codes and the role in which each should sit in Production or even Quality. This list can only be considered a starting point to look into your SAP system and can vary depending on the business requirements of your company.

Critical T-code | Role
SU01 | Security only
SU01D | Security only. This is the display-only variant of transaction SU01, which can be added to other roles, too.
SU10 or SU12 | Security only
PFCG | Security only; display only in other roles (restrict object S_USER_AGR, allow activity 03 only)
EWZ5 or EWZ6 | Security only
SUGR, PFUD and SUIM | Security only
SUPC | Security only
ST01 | Security or Basis
SM19 or SM20 | Security or Basis only
SU02 or SU03 | Security only (now obsolete)
SU20 – SU26 | Nobody should really need in Prod. Lock in Production
SM18 | Basis only
RZ10 – RZ11 | Basis only
SA01 | Basis only. Lock in Production
SAINT | Basis only
SCC4 – SCC9 | Basis only. Lock in Production
SCCL | Basis only. Lock in Production
SE01 or SE03 or SE06 | Basis only. Lock in Production
SE09 or SE10 or SCC1 | Nobody should need in Production. Lock in Production
SE09 – SE13 | Nobody should need in Production. Lock in Production
SM01 | Security only
SM12, SM13 and SM14 | Basis only
SM36 | Basis or Background Admin
SM49 and SM69 | Basis only. Lock in Production
SM59 | Basis only (use the new authorization object S_RFC_ADM if you have to grant display authorizations; see http://help.sap.com/saphelp_nw70/helpdata/en/84/d3eb41906602e10000000a155040b0/frameset.htm for details)
SP01 | Spool Admin and Basis
SPAD, SPAM and SPAU | Basis only
STMS and STMS_ | Basis only. Lock in Production.
DB* | Basis only.
SNOTE | Basis only. Lock in Production.
SA38, SC38, SA39 or SE38 | Super User role (never use SE38 if SA38 is sufficient)
SM30, SM31 or SE16 | Super user role
MASS | Super user role
SECATT | Super user role
SE93 | Nobody should need in Production. Lock in Production
SHD0 | Nobody should need in Production. Lock in Production
SARA | Archive Administrator

2. Critical Authorization objects: As a general rule of thumb, be aware of all authorization objects that start with S_, like S_TABU_DIS, S_DEVELOP etc. Whenever you have to maintain them, make sure that you read the documentation on them and understand them before maintaining them. Be careful with wildcarding * on any field. Below we will look at a few critical ones that should be added to roles with wise discretion.

S_ADMI_FCD: Normally needed only by the Basis Administrator.
S_APPL_LOG: Nobody should have delete access to Application logs.
S_ARCHIVE: Create and Change activity should be in your Archive Admin role only and given on your Super user id with proper approvals.
S_BDC_MONI: Normally needed by the Basis team, but can be needed by the functional team if they are using LSMW to upload legacy data.
S_BTCH_ADM: Only needed by Basis or the Background admin with value Y.
S_BTCH_JOB: Depending on the policy, if you want your end users to have access to release their jobs, you can give this access with RELE. If they should only have access to schedule jobs, then this authorization object is not needed.
S_BTCH_NAM: Only needed if you want a user to have access to run something in the background using a user id for which the user himself does not have access.
S_CALENDAR: Maintain activity should not be needed anywhere except in your Super user role.
S_CLNT_IMP: Needed only by Basis.
S_CTS_ADMI: Needed only by Basis.
S_C_FUNCT: Should not be needed by anybody except probably Basis.
S_DATASET: Maintain with caution. Should not be wildcarded for both ABAP Program and File path.
S_DEVELOP: Again, should be maintained with caution. Beware of the DEBUG, PROG and FUGR object types.
S_LOG_COM: Should only be in Background or Basis Admin roles.
S_PROGRAM: It is a good practice to have your program or report check for S_PROGRAM. If it does, it is good to have this object maintained accordingly.
S_PROJECT: Should not really be needed in any role in Production.
S_QUERY: Important to maintain or deactivate depending on whether the user needs full access or just execute access to SQ01.
S_RFC and S_RFCACL: Needed on the roles given to System ids and wherever there is a check for RFC. S_ICF can be used to grant authorization for who is allowed to use which RFC destination. You assign authorizations for this authorization object in the calling system of an RFC connection.
S_RZL_ADM: Should not really be needed by anyone except Basis.
S_SPO_ACT and S_SPO_DEV: Should be maintained carefully. Normally only the Spool Admin or Basis Admin should need them. End users can have SP02, for which they do not need these objects.
S_TABU_DIS: Should always be maintained with caution. Activity 02 (Change) should be controlled with the Authorization group.
S_TABU_CLI: Should not be needed by anybody except Basis.
S_TCODE: Should always be checked for ranges or the wildcard * on the TCD field.
S_TRANSPRT: Not needed in any role except Basis in Production.
S_USER_*: Should not be needed in any role except Security. Use the display activities 03 and 08 if required.

Common Audit Observations which should not occur in productive systems

1. End users or Business users have DEBUG access in Production. Sometimes even the DEBUG-replace activity 01 is assigned.
2. Security has access to delete Security Audit log files.
3. Users other than Basis have access to modify Cross Client tables.
4. Users other than Basis have access to schedule and release any jobs under any user id.
5. Using the &SAP_EDIT functionality, users can update tables even with SE16N. (SAP has removed this function with note 1420281.)
6. SAP Standard user ids are not maintained properly.
7. Profile parameters are not set properly.
8. Security Audit log is not implemented.
9. Critical tables are not logged.
10. No formal process for User Maintenance.
11. No formal process for assigning Super user ids.
12. IT users having Business functionality and vice versa.
13. System and Client settings are not secure.
14. Termination process not properly followed.
15. No formal Change Control process.
