Security strategy

Index

1 Overview
2 Security approach for ECC Implementation
3 User Naming standards
4 Profile Naming standards
5 Role Naming standards
6 Testing
7 Tools
8 Appendix A: Assumptions
9 Appendix B: Terminology and Acronyms

1 Overview

This document describes the basic security setup for the implementation of ECC 6.0.

The prime objective of the security strategy is:

▪ The tasks belonging to each job role are performed by the users in the newly implemented ECC 6.0 system.

This document emphasises and outlines the following elements of SAP Security during the SAP implementation:

▪ Security approach for the ECC implementation
▪ User naming standards
▪ Profile naming standards
▪ Role naming standards
▪ Testing
▪ Tools
▪ Assumptions
▪ Terminology and acronyms

 

2 Security approach for ECC Implementation

With the ECC 6.0 implementation the users can perform the tasks of their assigned job role. Enhanced functionality will not be addressed during this phase.

This section covers the design, approach, tasks and other items.

▪ ECC Security design

o The security design is role based: access to the application is controlled through single/composite roles assigned to users.
o The role-based access shall establish SAP security that is closely aligned to the business processes defined by the functional/business teams.
o The SAP Profile Generator (transaction PFCG) is the primary tool used to create and maintain roles.
o A pictorial representation of the new design follows (figure not reproduced in this extract).

▪ Approach for Security Implementation

The security implementation will proceed as follows:

o Authorization checks

▪ Initially the super users provide the list of job roles and their associated tasks; based on the task list the functional team derives the transactions.
▪ The security team provides the authorization objects in the Excel format referred to below, and the functional teams fill in the correct values.
▪ Additional authorization objects shall be deactivated in the individual roles. When new functionality is required, these objects can be activated as needed.
▪ Authorization role and profile naming will follow the Hercules standards.
▪ Check all display roles and make sure that the activity values which transaction SU24 proposes as "change" are adjusted to display only.
▪ Make sure all users have proper spool access.

o Security system parameters

▪ The system parameters related to security need to be reviewed and then configured/changed as required. The list of parameters is available in the attached file. The values will be agreed upon and implemented.

o Password exception maintenance

▪ We recommend that the following entries be part of table USR40 (illegal password patterns):

*TIAN*, *HERC*, *JIAN*, *LUZH*, *SUZH*, *FEIX*, *ZHAN*, *METH*, *COMB*, *HYDR*, *SPEC*, *FIBE*, *CHEM*, *VISI*, *DELA*, *PLAZ*, *WILM*.

o Maintenance of SAP standard user IDs

▪ The default SAP user ID SAP* will not be assigned any roles and shall be locked. Lock it rather than delete it, and set the profile parameter login/no_automatic_user_sapstar = 1, so that the kernel's built-in SAP* login cannot be used if the user master record is ever removed.
▪ The default SAP user DDIC is used for applying Notes, support packages and other admin activities. After the activity the password should be changed and stored in a safe place.
▪ The SAP_ALL profile shall not be assigned to any user; it shall remain a reference profile, and a near copy will be provided on request for troubleshooting.

o Testing

▪ Roles will be tested against the test objectives.
▪ Functional testing will be done along with integration testing in QT1 for representative roles and users. Testing is covered in detail in section 6.

o Transport of changes across the landscape

▪ Changes to roles are not recorded automatically, hence all roles (activity groups) must be assigned explicitly to a change request.
▪ All required changes to roles identified in functional and security testing will be implemented only in DT1 and transported to the further systems in the landscape.

▪ Specific tasks performed across the ECC 6.0 landscape

o Specific tasks in DT1:

▪ Upon receiving the authorization object values from the functional teams, roles are prepared according to the Hercules naming standard.
▪ For functional testing, 2-3 users per track will be created. The respective track functional leads confirm the requirement for the IDs along with the roles.
▪ Functional team leads shall suggest new roles; these are confirmed by the functional team leads and the super user team leads.

o Specific tasks in QT1:

▪ All roles shall be transported from DT1 to QT1.
▪ Security testing shall be carried out using test IDs which have access equivalent to the job roles.
▪ The user IDs with comprehensive access created in DT1 for functional testing shall be replicated in QT1 with the same access.
▪ Integration testing will be performed by the super users using the above user IDs.
▪ Role assignment to users will be tested in QT1 using CATT before transporting to PT1.

o Specific tasks in PT1:

▪ All finalized roles will be transported from DT1 to ECC 6.0 PT1 after the upgrade.
▪ All role assignments to users shall be carried out using CATT. All roles are regenerated and a user comparison shall be performed.
▪ Any additional security requests after go-live shall be addressed by the security support team.

▪ Cutover and go-live plan

o The roles that need to be assigned to users are transported from DT1 to ECC 6.0 PT1 after the implementation.
o Data preparation, cleansing and readiness will be carried out by the respective super users and provided as input to the CATT script.
o CATT will be used to assign roles to users.
o Super users and functional consultants will check and validate the user-role assignment:

▪ Which roles are assigned to which users
▪ Which user is assigned to which roles

o The overall KT strategy document covers the KT plan. A key activity is the KT to the support team, providing them with the role/user matrix.
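The USR40 entries above are glob-style patterns that SAP rejects at password change time. The following added example (not part of the original document or of SAP) lets the security team pre-check a list of candidate passwords against the recommended patterns before the table is maintained. It assumes the comparison is case-insensitive and that only "*" and "?" are wildcards; the pattern list is constructed from the document.

```python
import re

# Constructed list: the USR40 patterns recommended in the document
# ('*' matches any run of characters, '?' a single character).
USR40_PATTERNS = [
    "*TIAN*", "*HERC*", "*JIAN*", "*LUZH*", "*SUZH*", "*FEIX*", "*ZHAN*",
    "*METH*", "*COMB*", "*HYDR*", "*SPEC*", "*FIBE*", "*CHEM*", "*VISI*",
    "*DELA*", "*PLAZ*", "*WILM*",
]


def usr40_pattern_to_regex(pattern):
    """Translate a USR40-style pattern into an anchored, case-insensitive regex.

    Only '*' and '?' are wildcards; every other character is literal, so the
    pattern is escaped piecewise instead of being handed to fnmatch (which
    would additionally interpret '[...]').
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: the check is case-insensitive, as the upper-case patterns suggest.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def find_usr40_match(password, patterns=USR40_PATTERNS):
    """Return the first pattern that forbids `password`, or None if it is allowed."""
    for pattern in patterns:
        if usr40_pattern_to_regex(pattern).match(password):
            return pattern
    return None


def check_candidate_passwords(candidates, patterns=USR40_PATTERNS):
    """Map each candidate password to the pattern rejecting it (None = accepted)."""
    return {pw: find_usr40_match(pw, patterns) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates, not real passwords.
    for pw, hit in check_candidate_passwords(["Tianpu2022", "Welcome1", "chem#99"]).items():
        print(f"{pw}: {'rejected by ' + hit if hit else 'accepted'}")
```

Running the check over a proposed password policy wordlist shows which company-name fragments the patterns actually catch and which ones (for example abbreviations the patterns do not cover) still slip through.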

 

3 User Naming standards

▪ The user ID length should be a maximum of 12 characters.
▪ The last name should be part of the ID and can be up to 9 characters.
▪ The first-name initial (1 character) should be part of the ID.
▪ The middle-name initial (1 character) should be part of the ID; if the user does not have a middle name, use zero "0".
▪ Format allowed:

<9 char of last name><1 char of first name><1 char of middle name, or zero '0'>

Examples (the table also shows the collision rule: when the generated ID is already taken, the final character is replaced by the next free digit, as in biany1, biany2 and zux1):

First name   Middle name   Last name   SAP ID
Yan          Bin           Bian        bianyb
Yue          Bai           Bian        biany1
Ying         Bing          Bian        biany2
Xiao         ---           Zu          zux0
Xi           ---           Zu          zux1
Jie          Feng          Wang        wangjf
Jun          Feng          Wang        wangj1

▪ The user ID should be in lower case.
▪ The ID should not contain blank spaces or special characters.
▪ Formal names should be used and they should match the HR records.
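The naming standard above is deterministic except for collisions, which the document shows only by example. The following added example (not from the document) generates IDs for a batch of HR records in order and reproduces the document's table. The collision rule (replace the final character with the lowest unused digit 1-9) is inferred from the examples and is an assumption; the HR records are constructed.

```python
import re


def _letters(name):
    """Keep only a-z, lower-cased; None or '---' therefore means no middle name."""
    return re.sub(r"[^a-z]", "", (name or "").lower())


def base_user_id(first_name, middle_name, last_name):
    """Build the ID the standard prescribes: up to 9 chars of last name,
    first-name initial, then middle-name initial or '0' if there is none."""
    last = _letters(last_name)[:9]
    first = _letters(first_name)
    if not last or not first:
        raise ValueError("first and last name are required")
    middle = _letters(middle_name)
    return last + first[0] + (middle[0] if middle else "0")


def is_valid_user_id(user_id):
    """Standard's constraints: at most 12 characters, lower case, no blanks or specials."""
    return bool(re.fullmatch(r"[a-z0-9]{1,12}", user_id))


def assign_user_id(first_name, middle_name, last_name, existing_ids):
    """Return a unique ID and record it in existing_ids.

    Collision rule (assumption inferred from the document's examples
    bianyb -> biany1 -> biany2 and zux0 -> zux1): keep the leading characters
    and replace the final one with the lowest unused digit 1-9.
    """
    base = base_user_id(first_name, middle_name, last_name)
    candidates = [base] + [base[:-1] + str(n) for n in range(1, 10)]
    for candidate in candidates:
        if candidate not in existing_ids:
            if not is_valid_user_id(candidate):
                raise ValueError(f"generated ID violates the standard: {candidate}")
            existing_ids.add(candidate)
            return candidate
    raise ValueError(f"no free ID left for base {base}")


def assign_user_ids(hr_records):
    """hr_records: (first, middle, last) tuples in HR order. Because IDs are
    assigned in input order, re-running on the same list is repeatable."""
    existing = set()
    return [assign_user_id(f, m, l, existing) for f, m, l in hr_records]


# Constructed input reproducing the table in the document.
SAMPLE_HR_RECORDS = [
    ("Yan", "Bin", "Bian"), ("Yue", "Bai", "Bian"), ("Ying", "Bing", "Bian"),
    ("Xiao", "---", "Zu"), ("Xi", "---", "Zu"),
    ("Jie", "Feng", "Wang"), ("Jun", "Feng", "Wang"),
]

if __name__ == "__main__":
    for record, user_id in zip(SAMPLE_HR_RECORDS, assign_user_ids(SAMPLE_HR_RECORDS)):
        print(record, "->", user_id)
```

Note that the generated ID depends on the order of the HR extract: feeding the same people in a different order gives the same set of IDs but different owners, so the mapping must be produced once and kept, not regenerated.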

4 Profile Naming standards

▪ All profiles are created based on the naming convention below.

Profile name:

H@<7 char of job role description><1 char of module>

Profile description:

HTC: <3 char> <5 char> <4 digit code> <job role description> <8 digit no. from role>

1 char of module:

* F - Finance
* K - Controlling
* A - Fixed Assets
* V - SD
* M - MM
* Q - QM
* I - PM
* L - WM
* C - PS/PP/EHS
* S - DEV/system
* P - HR/Pro.Sys

The representation of <3 char><5 char><4 digit code> is given below:

<3 char>: NHB / LOC / PLT
<5 char>: description of the LOC/PLT in 5-char format (LUZHU, SUZHU, etc.); if <3 char> is NHB (No Hierarchy Boundary) then maintain HTCC (Hercules Tianpu Chemical Company)
<4 digit>: code for the LOC/PLT (not used for NHB)

▪ Example given below for NHB/LOC/PLT:

Profile name: H@MTLMAMTM

Profile text:
HTC: NHB HTCC MATERIAL MASTER MAINTAIN 40000001
HTC: LOC SUZHU 4724 MATERIAL MASTER MAINTAIN 40000001
HTC: PLT LUZHU 4723 MATERIAL MASTER MAINTAIN 40000001

 

5 Role Naming standards

▪ All roles are created based on the naming convention below:

Role name:

T_<8 digit number>_<10 char profile name>

Role description:

T<8 digit number> HTC: <3 char> <5 char> <4 digit code> <job role description>

[The 10-character profile name contains "@". This must be replaced with "_" when used in the role name.]

8 digit number:

The 8 digit number should increment by 1 for every new role created.

▪ How to find the highest 8 digit number for the next role creation:

Go to transaction /NSUIM, expand "Change Documents" and execute "For Roles".
Enter "T*" in the field "Role Name".
Enter "From date": the date should be 1-2 months before the current date.
Select the radio button "Create and delete roles" under Change Documents.
Execute.
Sort the output list on the column "Action" and consider only the roles which have the value "New Role" in the column "Action". Then check the column "Role Name" to find the highest number assigned among the listed roles.
If no role was created inside the date window the list is empty; widen the window rather than assume the number, otherwise an older role with a higher number is overlooked and its number gets reused.

▪ Example given below for NHB/LOC/PLT in the role description:

Role name: T_40000001_H_MTLMAMTM

Role description:
T40000001 HTC: NHB HTCC MATERIAL MASTER MAINTAIN
T40000001 HTC: LOC SUZHU 4724 MATERIAL MASTER MAINTAIN
T40000001 HTC: PLT LUZHU 4723 MATERIAL MASTER MAINTAIN
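The profile and role conventions of sections 4 and 5 are easy to get subtly wrong by hand (a 6-character abbreviation, an "@" left in a role name, a reused number). The following added example (not from the document or from SAP) builds and validates the names, and derives the next free 8-digit number from a SUIM change-document extract the way the manual procedure does. The "New Role" action label is taken from the document; the change-document rows are constructed, and the assumption that a role name always has the shape T_<8 digits>_H_<8 chars> is mine.

```python
import re

# Module codes from the profile naming standard (section 4).
MODULE_CODES = {
    "F": "Finance", "K": "Controlling", "A": "Fixed Assets", "V": "SD",
    "M": "MM", "Q": "QM", "I": "PM", "L": "WM", "C": "PS/PP/EHS",
    "S": "DEV/system", "P": "HR/Pro.Sys",
}
SCOPES = ("NHB", "LOC", "PLT")


def profile_name(job_role_abbrev, module):
    """H@<7 char job role abbreviation><1 char module>, always 10 characters."""
    abbrev = job_role_abbrev.upper()
    if not re.fullmatch(r"[A-Z0-9]{7}", abbrev):
        raise ValueError("job role abbreviation must be exactly 7 alphanumerics")
    if module.upper() not in MODULE_CODES:
        raise ValueError(f"unknown module code {module!r}")
    return f"H@{abbrev}{module.upper()}"


def scope_text(scope, location5, code4):
    """<3 char> <5 char> <4 digit code>; NHB always uses HTCC and carries no code."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}")
    if scope == "NHB":
        return "NHB HTCC"
    if not re.fullmatch(r"[A-Z]{5}", location5 or "") or not re.fullmatch(r"\d{4}", code4 or ""):
        raise ValueError("LOC/PLT need a 5-letter location and a 4-digit code")
    return f"{scope} {location5} {code4}"


def profile_description(scope, location5, code4, job_role_text, number):
    return f"HTC: {scope_text(scope, location5, code4)} {job_role_text} {number}"


def role_name(number, profile):
    """T_<8 digit number>_<profile with '@' replaced by '_'>."""
    if not re.fullmatch(r"\d{8}", number):
        raise ValueError("role number must be 8 digits")
    return f"T_{number}_{profile.replace('@', '_')}"


def role_description(number, scope, location5, code4, job_role_text):
    return f"T{number} HTC: {scope_text(scope, location5, code4)} {job_role_text}"


def next_role_number(change_documents):
    """Derive the next free 8-digit number from SUIM change documents.

    change_documents: (role_name, action) rows as listed by SUIM > Change
    Documents > For Roles. Only rows whose action is "New Role" count, like the
    manual procedure; every row is scanned, so the list need not be sorted.
    Assumption: role names follow T_<8 digits>_H_<8 chars>.
    """
    highest = 0
    for name, action in change_documents:
        m = re.fullmatch(r"T_(\d{8})_H_[A-Z0-9]{8}", name)
        if m and action == "New Role":
            highest = max(highest, int(m.group(1)))
    if highest == 0:
        raise ValueError("no 'New Role' rows found; widen the SUIM date window")
    return f"{highest + 1:08d}"


# Constructed SUIM extract (not real change documents).
SAMPLE_CHANGE_DOCS = [
    ("T_40000001_H_MTLMAMTM", "New Role"),
    ("T_40000003_H_MTLDISPM", "New Role"),
    ("T_40000003_H_MTLDISPM", "Role Deleted"),  # deleted, but its number stays used
    ("Z_OLD_SUPPORT_ROLE", "New Role"),          # outside the T_ convention, ignored
]

if __name__ == "__main__":
    number = next_role_number(SAMPLE_CHANGE_DOCS)
    profile = profile_name("MTLMAMT", "M")
    print(role_name(number, profile))
    print(role_description(number, "LOC", "SUZHU", "4724", "MATERIAL MASTER MAINTAIN"))
```

Keeping a deleted role's number "used" is deliberate: reusing it would make old change documents and transport logs ambiguous about which role they refer to.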

 

6 Testing

Security testing is to ensure that the roles are intact, without authorization spillover, and that no additional authorizations are provided. Security testing will be carried out along with integration testing.

▪ Unit Testing

Testing of the lowest-level objects for functionality and fitness for use.

The following activities will be covered as part of unit testing:

o Roles will be tested against the test objectives of each job role.
o Test IDs are assigned the roles of the corresponding job role.

Where         Tasks                                                     How      Who
DT1 and QT1   Roles will be tested against the tasks of each job role   Manual   Upgrade Security Team / End users / Functional Consultants

Test scripts will be prepared for unit testing.

▪ Functional Testing

As part of functional testing, both positive and negative testing will be carried out in the QT1 system. To perform the testing we expect to have the list of critical (high-risk) transactions, the conflicting transactions with their respective allowed transactions, and the list of critical org levels.

Positive Testing

Primary objective going for pos
