
Security strategy.docx

Security strategy

Index
1 Overview
2 Security approach for ECC Implementation
3 User Naming standards
4 Profile Naming standards
5 Role Naming standards
6 Testing
7 Tools
8 Appendix A: Assumptions
9 Appendix B: Terminology and Acronyms

1 Overview

This document describes the basic security setup for the implementation of ECC 6.0.

The prime objectives of security strategy are:
- The tasks based on each Job role are performed by the users in the newly implemented ECC 6.0

This document emphasises and outlines the following elements related to SAP Security during SAP Implementation:
- Security approach for ECC upgrade
- User Naming standards
- Profile Naming standards
- Role Naming standards
- Testing
- Tools
- Assumptions
- Terminology and Acronyms

2 Security approach for ECC Implementation

With ECC 6.0 Implementation the users can perform the tasks based on their assigned Job role. Enhanced functionality would not be addressed during this phase.

This section would cover the design, approach, Tasks and other items.

ECC Security design
o The security design is based on Roles and access to application would be controlled using single / composite roles assigned to users.
o The Role based access shall establish SAP security, closely aligned, to business processes that are established by functional / business teams.
o SAP Profile generator (PFCG) is a primary tool which is used to create and maintain roles.
o A pictorial representation of the new design will be as follows:

Approach for Security Implementation
Security Implementation will be as follows:
o Authorization checks
  - Initially super users need to provide list of Job roles and associated tasks. Based on the task list, Functional team shall derive the transactions.
  - Authorization objects are to be provided in the below excel format by security team and in turn functional teams would provide with correct values.
  - Additional authorization objects shall be deactivated in individual roles. When a new functionality is required, these objects can be activated as desired.
  - Authorization Role and Profile naming would be in line with Hercules standards.
  - Check all display roles and make sure to adjust the activities to display which are populated as change from transaction SU24.
  - Make sure all users would have proper spool access.
o Security system parameters
  - System parameters related to security need to be reviewed and then configured/changed as required. List of parameters are available in the attached file. The values for the same would be agreed upon and implemented.
o Password exception maintenance
  - We recommend following specific entries to be part of USR40 table: *TIAN*, *HERC*, *JIAN*, *LUZH*, *SUZH*, *FEIX*, *ZHAN*, *METH*, *COMB*, *HYDR*, *SPEC*, *FIBE*, *CHEM*, *VISI*, *DELA*, *PLAZ*, *WILM*.
o Maintenance of SAP standards User IDs
  - Default SAP user ID SAP* will not be assigned with any roles and shall be locked.
  - Default SAP User DDIC is used for applying Notes, support packs application and other admin activities. After the activity the password should be changed and stored in safe place.
  - SAP_ALL profile shall not be assigned to any users; this profile shall be reference profile and near copy would be provided according to request for trouble shooting.
o Testing
  - Roles will be tested against the test objectives.
  - Functional testing will be done along with Integration testing in QT1 for representative roles and users.
  - Testing is covered in detail in section 3.
o Transport changes across landscape
  - Changes to Roles are not recorded automatically, hence all activity groups need to be assigned explicitly to change request.
  - All required changes to roles which are identified in functional and security testing would be implemented only in DT1 and transport them to further systems in landscape.

Specific tasks performed across ECC 6.0 landscape
o Specific tasks in DT1:
  - Upon getting Authorization object values from functional teams, Roles are prepared based on Hercules naming standard.
  - For functional testing, 2-3 users per track would be created. Respective track Functional leads would confirm the requirement for the IDs along with roles.
  - Functional team leads shall suggest new roles and would be confirmed by functional team leads and super user team leads.
o Specific tasks in QT1:
  - All Roles shall be transported from DT1 to QT1.
  - Security testing shall be carried out using test IDs which have access equivalent to job roles.
  - User IDs with comprehensive access created in DT1 for performing functional testing shall be replicated in QT1 with same access.
  - Integration testing would be performed by super users using the above said user IDs.
  - Role assignment to users would be tested in QT1 using CATT before transporting to PT1.
o Specific tasks in PT1:
  - All finalized roles would be transported from DT1 to ECC 6.0 PT1 after the upgrade.
  - All role assignment to users shall be carried out using CATT.
  - All roles are regenerated and user comparison shall be performed.
  - Any additional security requests post go-live shall be addressed by security support team.

Cutover and go-live plan
o Roles that need to be assigned to users are transported from DT1 to ECC 6.0 PT1 after the Implementation.
o Data preparation, cleansing and readiness will be carried out by the respective super users and provided as an input to CATT script.
o CATT will be used to assign roles to users
o Super users and functional consultants will check and validate user role assignment
  - Which roles are assigned to which users
  - Which user is assigned to which roles
o Overall KT strategy document covers KT plan. Key activity would be to cover KT to the support team and provide them with role / user matrix.

3 User Naming standards

- The User ID length should be maximum 12 characters.
- Last name should be part of ID and can be up to 9 characters.
- First name Initial (1 character) should be part of ID
- Middle name Initial (1 character) should be part of ID (or) If user does not have middle name then use zero “0”.
- Format Allowed:
- Examples:

  First name   Middle name   Last name   SAP ID
  Yan          Bin           Bian        bianyb
  Yue          Bai           Bian        biany1
  Ying         Bing          Bian        biany2
  Xiao         -             Zu          zux0
  Xi           -             Zu          zux1
  Jie          Feng          Wang        wangjf
  Jun          Feng          Wang        wangj1

- User ID should be in lower case.
- ID should not consist of blank spaces and special characters.
- Formal names should be used and they should match with HR records.

4 Profile Naming standards

All Profiles are created based on below naming convention

Profile Name: H
Profile Description: HTC:

1 Char of module
*F Finance
*K Controlling
*A - Fixed Assets
*V SD
*M MM
*Q QM
*I PM
*L WM
*C - PS/PP/EHS
*S - DEV / system
*P - HR / Pro. Sys

Representation of is given below
NHB / LOC / PLT
Description of LOC / PLT in 5 Char format (LUZHU, SUZHU, etc.), and if it is NHB (No Hierarchy Boundary) in then maintain HTCC (Hercules Tianpu Chemical Company)
Code for LOC / PLT

Example given below for NHB / LOC / PLT:
Profile Name: HMTLMAMTM
Profile Text:
HTC:NHB HTCC MATERIAL MASTER MAINTAIN 40000001
HTC: LOC SUZHU 4724 MATERIAL MASTER MAINTAIN 40000001
HTC: PLT LUZHU 4723 MATERIAL MASTER MAINTAIN 40000001

5 Role Naming standards

All roles are created based on below naming convention:

Role Name: T_
Role Description: T HTC:

10 Character profile name has . This should be replaced with _ when used in the Role name
8 Digit number
8 Digit number should increment by 1 number for every new role creation

How to find the highest 8 digit number for next Role creation?
- Go to transaction /NSUIM and Expand “Change Documents” and Execute “For Roles”
- Provide input for the field “Role Name”: T*
- Enter “From date”: Date should be 1 / 2 months old from current date.
- Select the Radio button “Create and delete roles” under Change Documents.
- Execute
- Sort the Output list on the column “Action” and Consider only Roles which are part of having value New Role under the column “Action”
- Now check the columns “Role Name” to find out the highest number assigned for the listed roles.

Example given below for NHB / LOC / PLT in Role description:
Role Name: T_40000001_H_MTLMAMTM
Role Desc:
T 40000001 HTC:NHB HTCC MATERIAL MASTER MAINTAIN
T 40000001 HTC: LOC SUZHU 4724 MATERIAL MASTER MAINTAIN
T 40000001 HTC: PLT LUZHU 4723 MATERIAL MASTER MAINTAIN

6 Testing

Security testing is to ensure that roles are intact without authorization spill over and additional authorizations are provided. Security testing would be carried out along with integration testing.

Unit Testing
Testing of lowest level objects for functionality and fitness for use. Following activities will be covered as part of unit testing:
o Roles will be tested against the test objectives of each job role.
o Test ids are assigned with roles based on Job role.

Where: DT1 and QT1
Tasks: Roles will be tested against the tasks of each job role
How: Manual
Who: Upgrade Security Team / End users / Functional Consultants

Test scripts will be prepared for Unit Testing

Functional Testing
As part of Functional testing, both positive and negative testing will be carried out in QT1 system. To perform testing we expect to have list of critical (high-risk) transactions, conflicting with their respective allowed transactions and list of critical org levels.

Positive Testing
Primary objective going for pos
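
The ID rules of section 3 (User Naming standards), written out as an added Python example that is not part of the original document. The clash rule (the final character becomes the lowest free digit) is an assumption inferred from the example table, and all function names are hypothetical.

```python
import re

MAX_ID_LEN = 12      # whole ID
MAX_LAST_LEN = 9     # last-name part
VALID_ID = re.compile(r"[a-z0-9]+")


def _letters(name):
    """Lower-case a name part and drop blanks and special characters."""
    return re.sub(r"[^a-z]", "", (name or "").lower())


def make_user_id(first, middle, last, taken):
    """Build <last name><first initial><middle initial or 0> and reserve it.

    Assumption: on a clash the final character becomes the lowest free digit,
    which is what the example table suggests (bianyb, biany1, biany2).
    """
    first, middle, last = _letters(first), _letters(middle), _letters(last)
    if not first or not last:
        raise ValueError("first and last name are required")
    stem = last[:MAX_LAST_LEN] + first[0]
    for suffix in [middle[0] if middle else "0", *"123456789"]:
        candidate = stem + suffix
        if candidate not in taken:
            taken.add(candidate)
            return candidate
    raise RuntimeError(f"no free ID left for {stem!r}")


def is_valid_user_id(user_id):
    """Lower case, no blanks or special characters, at most 12 characters."""
    return len(user_id) <= MAX_ID_LEN and VALID_ID.fullmatch(user_id) is not None


# The example rows from section 3, in the order they appear.
EXAMPLES = [("Yan", "Bin", "Bian"), ("Yue", "Bai", "Bian"), ("Ying", "Bing", "Bian"),
            ("Xiao", None, "Zu"), ("Xi", None, "Zu"),
            ("Jie", "Feng", "Wang"), ("Jun", "Feng", "Wang")]


def assign_all(people):
    """Assign IDs in order, so earlier entries win a clash."""
    taken = set()
    return [make_user_id(f, m, l, taken) for f, m, l in people]
```

Names are reduced to the letters a-z before use, so the input is expected to be the romanised formal name held in the HR records.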
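
The role assignment check from the cutover plan (which roles are assigned to which users, and which user is assigned to which roles), as an added Python example that is not part of the original document. The role / user matrix, the assignment rows, the role T_40000002_H_MTLMADSP and the finding labels are constructed for illustration; the SAP* rule and the T_ plus 8 digit pattern come from sections 2 and 5.

```python
import re
from collections import defaultdict

# Section 5 convention: T_<8 digit number>_<profile name with "_">
ROLE_NAME = re.compile(r"T_\d{8}_[A-Z0-9_]+")

# Constructed data: agreed role / user matrix and the assignments found in PT1.
EXPECTED = {
    "bianyb": {"T_40000001_H_MTLMAMTM"},
    "wangjf": {"T_40000001_H_MTLMAMTM", "T_40000002_H_MTLMADSP"},
    "zux0": {"T_40000002_H_MTLMADSP"},
}
ACTUAL_ROWS = [
    ("bianyb", "T_40000001_H_MTLMAMTM"),
    ("wangjf", "T_40000001_H_MTLMAMTM"),
    ("zux0", "T_40000002_H_MTLMADSP"),
    ("zux0", "T_40000001_H_MTLMAMTM"),
    ("SAP*", "T_40000001_H_MTLMAMTM"),
    ("biany1", "Z_TEMP_COPY"),
]

def roles_by_user(rows):
    """Which roles are assigned to which users."""
    view = defaultdict(set)
    for user, role in rows:
        view[user].add(role)
    return view

def users_by_role(rows):
    """Which users are assigned to which roles."""
    view = defaultdict(set)
    for user, role in rows:
        view[role].add(user)
    return {role: sorted(users) for role, users in view.items()}

def reconcile(expected, rows):
    """Return sorted (finding, user, role) tuples for every deviation."""
    actual, findings = roles_by_user(rows), []
    for user in set(expected) | set(actual):
        want, have = expected.get(user, set()), actual.get(user, set())
        findings += [("MISSING", user, r) for r in want - have]
        findings += [("UNEXPECTED", user, r) for r in have - want]
        findings += [("BAD_ROLE_NAME", user, r) for r in have if not ROLE_NAME.fullmatch(r)]
        if user == "SAP*":  # section 2: SAP* must not carry any role
            findings += [("SAP*_HAS_ROLE", user, r) for r in have]
    return sorted(findings)
```

An empty result from `reconcile` means the assignments in the system match the agreed matrix in both directions.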
