Security strategy

User Naming standards
Profile Naming standards
Role Naming standards
Testing
Tools
Assumptions
Terminology and Acronyms

2 Security approach for ECC Implementation

With ECC 6.0 Implementation the users can perform the tasks based on their assigned Job role. Enhanced functionality would not be addressed during this phase. This section would cover the design, approach, tasks and other items.

ECC Security design

o The security design is based on Roles, and access to the application would be controlled using single / composite roles assigned to users.
o The Role based access shall establish SAP security closely aligned to the business processes that are established by functional / business teams.
o SAP Profile generator (PFCG) is the primary tool used to create and maintain roles.
o A pictorial representation of the new design will be as follows:

Approach for Security Implementation

Security Implementation will be as follows:

o Authorization checks
  Initially super users need to provide the list of Job roles and associated tasks. Based on the task list, the Functional team shall derive the transactions. Authorization objects are to be provided in the below excel format by the security team, and in turn the functional teams would provide the correct values. Additional authorization objects shall be deactivated in individual roles. When a new functionality is required, these objects can be activated as desired. Authorization Role and Profile naming would be in line with Hercules standards. Check all display roles and make sure to adjust to display the activities which are populated as change from transaction SU24. Make sure all users would have proper spool access.
o Security system parameters
  System parameters related to security need to be reviewed and then configured/changed as required. The list of parameters is available in the attached file. The values for the same would be agreed upon and implemented.
o Password exception maintenance
  We recommend the following specific entries to be part of the USR40 table: *TIAN*, *HERC*, *JIAN*, *LUZH*, *SUZH*, *FEIX*, *ZHAN*, *METH*, *COMB*, *HYDR*, *SPEC*, *FIBE*, *CHEM*, *VISI*, *DELA*, *PLAZ*, *WILM*.
o Maintenance of SAP standard User IDs
  Default SAP user ID SAP* will not be assigned any roles and shall be locked. Default SAP user DDIC is used for applying Notes, support packs and other admin activities. After the activity the password should be changed and stored in a safe place. The SAP_ALL profile shall not be assigned to any users; this profile shall be a reference profile, and a near copy would be provided on request for troubleshooting.
o Testing
  Roles will be tested against the test objectives. Functional testing will be done along with Integration testing in QT1 for representative roles and users. Testing is covered in detail in section 3.
o Transport changes across landscape
  Changes to Roles are not recorded automatically, hence all activity groups need to be assigned explicitly to a change request. All required changes to roles which are identified in functional and security testing would be implemented only in DT1 and transported to the further systems in the landscape.

Specific tasks performed across ECC 6.0 landscape

o Specific tasks in DT1:
  Upon getting Authorization object values from the functional teams, Roles are prepared based on the Hercules naming standard. For functional testing, 2-3 users per track would be created. The respective track Functional leads would confirm the requirement for the IDs along with roles. Functional team leads shall suggest new roles, and these would be confirmed by functional team leads and super user team leads.
o Specific tasks in QT1:
  All Roles shall be transported from DT1 to QT1. Security testing shall be carried out using test IDs which have access equivalent to job roles. User IDs with comprehensive access created in DT1 for performing functional testing shall be replicated in QT1 with the same access. Integration testing would be performed by super users using the above said user IDs. Role assignment to users would be tested in QT1 using CATT before transporting to PT1.
o Specific tasks PT1:
  All finalized roles would be transported from DT1 to ECC 6.0 PT1 after the upgrade. All role assignment to users shall be carried out using CATT. All roles are regenerated and user comparison shall be performed. Any additional security requests post go-live shall be addressed by the security support team.

Cutover and go-live plan

o Roles that need to be assigned to users are transported from DT1 to ECC 6.0 PT1 after the Implementation.
o Data preparation, cleansing and readiness will be carried out by the respective super users and provided as an input to the CATT script.
o CATT will be used to assign roles to users.
o Super users and functional consultants will check and validate user role assignment:
  Which roles are assigned to which users
  Which user is assigned to which roles
o The overall KT strategy document covers the KT plan. The key activity would be to cover KT to the support team and provide them with the role / user matrix.

3 User Naming standards

The User ID length should be maximum 12 characters.
Last name should be part of ID and can be up to 9 characters.
First name Initial (1 character) should be part of ID.
Middle name Initial (1 character) should be part of ID (or) if the user does not have a middle name then use zero “0”.
Format Allowed: 1 Char of Middle or Zero 0

Examples (columns: First name, Middle name, Last name, SAP ID):

Yan Bin Bian bianyb
Yue Bai biany1
Ying Bing biany2
Xiao - Zu zux0
Xi zux1
Jie Feng Wang wangjf
Jun wangj1

User ID should be in lower case.
ID should not consist of blank spaces and special characters.
Formal names should be used and they should match with HR records.

4 Profile Naming standards

All Profiles are created based on the below naming convention.

Profile Name: H 1 Char of module
Profile Description: HTC: 3 Char 5 Char 4 Digit code Description 8 Digit no from Role

1 Char of module:
* F - Finance
* K - Controlling
* A - Fixed Assets
* V - SD
* M - MM
* Q - QM
* I - PM
* L - WM
* C - PS/PP/EHS
* S - DEV / system
* P - HR / Pro. Sys

Representation of is given below:
NHB / LOC / PLT
Description of LOC / PLT in 5 Char format (LUZHU, SUZHU, etc.), and if it's NHB (No Hierarchy Boundary) in then maintain HTCC (Hercules Tianpu Chemical Company)
4 Digit Code for LOC / PLT

Example given below for NHB / LOC / PLT:
HMTLMAMTM
Profile Text:
NHB HTCC MATERIAL MASTER MAINTAIN 40000001
HTC: LOC SUZHU 4724 MATERIAL MASTER MAINTAIN 40000001
PLT LUZHU 4723 MATERIAL MASTER MAINTAIN 40000001

5 Role Naming standards

All roles are created based on the below naming convention:

Role Name: T_
Role Description: T
10 Character profile name has . This should be replaced with _ when used in the Role name
8 Digit number
8 Digit number should increment by 1 number for every new role creation

How to find the highest 8 digit number for the next Role creation?

Go to transaction /NSUIM, expand “Change Documents” and execute “For Roles”.
Provide input for the field “Role Name”: T*
Enter “From date”: Date should be 1 / 2 months old from current date.
Select the Radio button “Create and delete roles” under Change Documents.
Execute.
Sort the Output list on the column “Action” and consider only Roles which are part of having value New Role under the column “Action”.
Now check the column “Role Name” to find out the highest number assigned for the listed roles.

Example given below for NHB / LOC / PLT in Role description:
T_40000001_H_MTLMAMTM
Role Desc:
T 40000001 HTC:NHB HTCC MATERIAL MASTER MAINTAIN
T 40000001 HTC: LOC SUZHU 4724 MATERIAL MASTER MAINTAIN
PLT LUZHU 4723 MATERIAL MASTER MAINTAIN

6 Testing

Security testing is to ensure that roles are intact without authorization spill over and additional authorizations are provided. Security testing would be carried out along with integration testing.

Unit Testing

Testing of lowest level objects for functionality and fitness for use. The following activities will be covered as part of unit testing:

o Roles will be tested against the test objectives of each job role.
o Test IDs are assigned roles based on Job role.

Where: DT1 and QT1
Tasks: Roles will be tested against the tasks of each job role
How: Manual
Who: Upgrade Security Team / End users / Functional Consultants

Test scripts will be prepared for Unit Testing.

Functional Testing

As part of Functional testing, both positive and negative testing will be carried out in QT1 system. To perform testing we expect to have list of critical (high-risk) transactions, conflicting with their respective allowed transactions and list of critical org levels.

Positive Testing

Primary objective going for pos
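
The user naming rules in section 3 can be checked mechanically against a user list. The following is an added example, not part of the original document; the function names and the tuple layout are assumptions, and it treats a trailing digit other than 0 as a collision counter, which is inferred from the document's examples biany1, biany2 and zux1.

```python
import re

MAX_ID_LEN = 12    # "maximum 12 characters"
MAX_LAST_LEN = 9   # last name "up to 9 characters"

def _letters(name):
    """Lower-case a name and keep a-z only (assumes romanized HR names)."""
    return re.sub(r"[^a-z]", "", (name or "").lower())

def expected_user_id(first, last, middle=None):
    """Last name + first initial + middle initial, or 0 without a middle name."""
    last_part, first_i = _letters(last)[:MAX_LAST_LEN], _letters(first)[:1]
    if not last_part or not first_i:
        raise ValueError("first and last name are required")
    return last_part + first_i + (_letters(middle)[:1] or "0")

def check_user_id(user_id, first, last, middle=None):
    """Return the list of rule violations; an empty list means compliant."""
    problems = []
    if len(user_id) > MAX_ID_LEN:
        problems.append("longer than 12 characters")
    if user_id != user_id.lower():
        problems.append("not lower case")
    if not re.fullmatch(r"[A-Za-z0-9]+", user_id):
        problems.append("contains blanks or special characters")
    want, got = expected_user_id(first, last, middle), user_id.lower()
    if got[:-1] != want[:-1]:
        problems.append("does not start with last name + first initial")
    elif got[-1] != want[-1] and not got[-1].isdigit():
        # Assumption: a digit in the last position is a collision counter,
        # as in the document's examples biany1, biany2 and zux1.
        problems.append("last character is neither middle initial nor digit")
    return problems

def audit(rows):
    """rows: (user_id, first, middle, last); returns {user_id: violations}."""
    return {uid: p for uid, first, middle, last in rows
            if (p := check_user_id(uid, first, last, middle))}

# First three rows come from the document's examples; the rest are constructed.
SAMPLE_ROWS = [
    ("bianyb", "Yan", "Bin", "Bian"), ("biany1", "Yue", "Bai", "Bian"),
    ("zux0", "Xiao", None, "Zu"), ("WangJF", "Jie", "Feng", "Wang"),
    ("wang_jf", "Jie", "Feng", "Wang"), ("jwang", "Jie", "Feng", "Wang"),
]

if __name__ == "__main__":
    for uid, problems in audit(SAMPLE_ROWS).items():
        print(uid, "->", "; ".join(problems))
```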
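
To see what the USR40 entries recommended under "Password exception maintenance" would and would not reject, the following added example (not part of the original document) applies the USR40 wildcard rules, where * matches any run of characters and ? matches exactly one. The function names are hypothetical, the candidate strings are constructed, and case-insensitive comparison is an assumption to confirm on the target release.

```python
import re

# Entries the document recommends for table USR40.
USR40_ENTRIES = [
    "*TIAN*", "*HERC*", "*JIAN*", "*LUZH*", "*SUZH*", "*FEIX*",
    "*ZHAN*", "*METH*", "*COMB*", "*HYDR*", "*SPEC*", "*FIBE*",
    "*CHEM*", "*VISI*", "*DELA*", "*PLAZ*", "*WILM*",
]

def usr40_to_regex(entry):
    """USR40 wildcards: '*' is any run of characters, '?' is exactly one."""
    mapping = {"*": ".*", "?": "."}
    body = "".join(mapping.get(ch, re.escape(ch)) for ch in entry)
    # Assumption: comparison ignores case; confirm on the target release.
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def blocked_by(password, entries=USR40_ENTRIES):
    """Entries that would reject this password, in table order."""
    return [e for e in entries if usr40_to_regex(e).fullmatch(password)]

def review(candidates, entries=USR40_ENTRIES):
    """Split candidates into rejected (with matching entries) and accepted."""
    rejected, accepted = {}, []
    for pw in candidates:
        hits = blocked_by(pw, entries)
        if hits:
            rejected[pw] = hits
        else:
            accepted.append(pw)
    return rejected, accepted

# Constructed test strings, not real passwords.
CANDIDATES = ["Hercules2009!", "suzhou#Plant1", "ChemSpec77",
              "H3rcules2009!", "Su-zhou#1"]

if __name__ == "__main__":
    rejected, accepted = review(CANDIDATES)
    for pw, hits in rejected.items():
        print("rejected:", pw, hits)
    print("accepted:", accepted)
```

The two accepted strings show that the entries match literal fragments only, so character substitutions and separators pass the table and have to be handled by the other password parameters.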
