Technical structure
CHANGE TO A NEW ROLE APPROACH
User authentication is usually performed by entering a user name and password. This information is called user credentials and should only be known to the user, so that no third party can gain access to the system under a false identity. This post explains how a user's password protection can be circumvented and how to prevent it. SAP system legacy data The login data of a user, including password, are saved in the USR02 database table. However, the password is not in plain text, but encrypted as a hash value. For each user there are not only one but up to three generated password hashes. Different algorithms are used to calculate these values, but only the Salted SHA1 can be considered sufficiently safe. Table deduction USR02 The secure password hash is located in the fifth column of the pictured table deduction with the heading Password hash value. The corresponding data field in the column is called PWDSALTEDHASH. Weak Password Hash Risks You have a good and working permission concept that ensures that no processes or data can be manipulated or stolen. A potential attacker now has the ability to read out your database with the password hashes. The hash values are calculated using password crackers, which are available on the Internet at home, and the attacker now has a long list of user credentials. To damage your system, the user will now search for the appropriate permissions and perform the attack under a false identity. Identifying the actual attacker is virtually impossible. Check if your system is vulnerable too Your system generates the weak hash values if the login/password_downwards_compatibility profile parameter has an unequal value of 0.
A degree in computer science is usually a prerequisite and is now almost compulsory. Those who have been trained as IT specialists can take advantage of further training to become SAP Basis Administrators and thus position themselves particularly well on the job market. However, quite a few companies also offer to train employees to make them fit to work as SAP Basis Administrators.
SU53 Display authorization data
More security with less effort Internal employees often do not have the comprehensive know-how to know all relevant security risks. However, our security experts specialise in this. We use a standardised approach to determine your current security situation. Based on the analysis results, we show you where the security of your SAP systems can be improved and show you possible solutions. Focus your internal resources on your core business, while our experts will perform a customised audit on your SAP system to determine your security status. SAP Security Check - Our standardised approach (4-step model) Briefing: You register an interest in SAP Security Check. A consultant will contact you and discuss the details of the exam. They have the opportunity to clarify individual issues and to determine the focus of the security check. Data extraction: To ensure that your system is not affected by our audit, we export the relevant data manually or with the help of a data export tool. Analysis: Our security experts analyse the data, evaluate the results and prepare your report. Results: We will discuss the results of SAP Security Check with you. If safety deficiencies have been discovered, we will give recommendations for action on how to correct them. Optionally, you can ask our experts to solve your security risks in the short term. Your security risks become transparent Rapid assessment of your current SAP security status Detailed analysis and documentation Simple traffic light system enables overview of the results You can assess and prioritise the potential for danger for your company for every risk Know-how Transfer and recommendations for action You can easily communicate internally with the transparent and easily understandable final report You can close the relevant security gaps with our measures Optional: Eliminating security deficiencies Experts Our standardised approach enables us to assess the security of your SAP systems systematically and quickly. You do not need to build up authorisation expertise.
SAP Basis is the foundation of any SAP system. You can find a lot of useful information about it on this page: www.sap-corner.de.
If you want to skip the backgrounds and prefer a direct step-by-step guide, you can jump directly into the last section. Preparation For this workaround, you need access to both the source system and the BW system. In addition, they shall have the possibility to access the SE37 and execute functional modules there. Especially in production systems this is a very critical justification. So assume that you may need a Firefighter user for this action. Working in the BW system Now that the preparations have been completed, you have to call a FuBa on the BW system and on the source system, which solves the connection on the respective page. Beginning on the BW system, go into the transaction SE37 and call the function block "RSAR_LOGICAL_SYSTEM_DELETE": RSAR_LOGICAL_SYSTEM_DELETE Enter the required values here. The following table helps you fill in: Field Description I_LOGSYS The logical name of the source system. The name of the source system, as found in RSA1, will be entered here. In addition, this name can also be found in the DB table TBDLT. I_FORCE_DELETE Boolean, X = Delete despite error messages I_NO_TRANSPORT Boolean, X = This change should not be transported to subsequent systems I_NO_AUTHORITY Boolean, X = Ignore Permission Checks Work in the source system In the source system, go to transaction SE37 and call the function block "RSAP_BIW_DISCONNECT" : The descriptions of the fields are as follows. These can be found in the RSBASIDOC source system connection table Field Description I_BIW_LOGSYS The logical name of the BW system. In the RSBASIDOC table, find the correct value in the column "RLOGSYS". I_OLTP_LOGSYS The logical name of the source system. The column ‘SLOGSYS’ in the table RSBASIDOC. I_FORCE_DELETE The logical name of the BW system. In the RSBASIDOC table, find the correct value in the column "RLOGSYS". Completion In the end, you have to call the respective function block in the BW and source system, fill in the parameters and execute the function block.
With "Shortcut for SAP Systems" a tool is available that greatly facilitates some tasks in the SAP basis.
DISASSEMBLE In this step, files are extracted from the corresponding OCS files and placed in the /usr/sap/trans/data (UNIX) directory.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
BUILDING OVERARCHING EXPERT TEAMS WITH SAP basis INVOLVEMENT To reduce organisational friction points as well as to optimally handle selected topics, it is recommended to set up expert teams with the participation of the SAP basis.