topic Re: basis? in Application Development and Automation Discussions

basis?

Former Member — Sat, 14 Apr 2007 04:04:54 GMT

hi all.,

wats the major diffnce between basis guy n security?

Re: basis?

Former Member — Sat, 14 Apr 2007 05:50:58 GMT

Hello,

Some yrs back thre was a very thin line of difference between system admin and security. Now the concept of Information Security Managent has changed drastically and a lot of emphasis is being given to this. Basically it deals with recognising threats towards information and taking protective measures in this regard.International standards has been formulated to provide a model for establishing,implementing, operating, monitoring,reviewing,maintaining and improving an Information Security MAnagement System(ISMS). ISO 270001 deals with these things.

To know about Security (not only relating to SAP but relating to Information system as a whole) pl visit :

www.stqc.nic.in

It feels good to see that SAP has intelligently taken care of this aspect.

Hope this throws some light on your querry.

Pl dont forget to award points suitably.

Regards

Re: basis?

Former Member — Sat, 14 Apr 2007 06:46:05 GMT

Hi Kamal,

From SAP Release 3.1G, SAP has continued to develop the Profile Generator to allow quicker development of authorization profiles. All authorizations should now be created using the Profile Generator, as most new functionality relies upon the assignment of roles to users rather than authorization profiles. It should be noted that assigning a role to a user will automatically assign the corresponding profile.

Benefits provided through the use of the profile generator to define authorization profiles include:

• reduced complexity and ease of use; and

• simplification of role and profile administration.

Mass maintenance of user access security design and structure can now be performed in the profile generator, which will significantly improve efficiency and accuracy of changes being made to a large number of records. When in the menu tab of the profile generator, transaction code names can be toggled on/off by selecting the magnifying glass icon in the top right of the tab.

SIGNIFICANT RISKS

• Unauthorized, or inappropriate, changes to user security resulting in excessive access, or

users not having access to perform functions.

• Authorization values may be inaccurately defined, granting inappropriate access to users.

• SAP standard delivered roles if allocated without configuration may not provide adequate organizational restrictions, or may contain transactions that the organization has deemed to be segregation of duties conflicts.

• Passwords provided to users by security administration staff are standard, or easily guessable, resulting in unauthorized users gaining access to the SAP system.

A significant amount of attention is currently focused on Section 302 (Disclosure) and Section 404 (Internal Controls) of <b>Sarbanes-Oxley Sections</b>. This is how Security has become a very bif concern for all the companies.

<b>Frequently used security T-codes</b>

SU01 Create/ Change User SU01 Create/ Change User

PFCG Maintain Roles

SU10 Mass Changes

SU01D Display User

SUIM Reports

ST01 Trace

SU53 Authorization analysis

Whereas a Basis Consultant will have to deal with Installations, Upgradation, Spool Administration, Etc....

Hope it helps.

Please award points if it is useful.

Thanks & Regards,

Santosh

Re: basis?

Former Member — Sat, 14 Apr 2007 16:50:39 GMT

hi,

need link about how transports are done within the system r between the system?what are all the transactions used for it?

Re: basis?

Former Member — Sun, 15 Apr 2007 07:38:10 GMT

Hi Kamal,

With in the system we use SCC1 tcode to copy transports form one client to other.

Across systems we use STMS as the tcode.

Hope it helps and also advice u to open a new thread as this is a solved thrd.

Award points for helpful answers

Br,

Sri

Re: basis?

Former Member — Mon, 16 Apr 2007 08:47:51 GMT

Kamal, in addition to what the previous posters have stated, there are also different skills required for security.

While there is a reasonable element of technical understanding needed, a security resource should also have an understanding of the major business processes, how SAP implements them, the main risks in each of and between them, and how the security mechanisms in SAP can be used as a control point to mitigate those risks.

Increasingly, a working knowledge of general IT controls and an understanding of compliance and control frameworks is necessary.