2008 Aug 21 9:32 AM
Hi gurus,
Our Security consultant has rolled out the security aspect of the implementation for our client. We have gone through a thorough UAT stage before moving the work to production. However, we still see some gaps in the security model which were pointed out by the client.
To avoid surprises like this in future, I would like to conduct negative tests on the security work we have done. Ideally, it can be conducted by a third party like KPMG, PWC or any other organization to avoid any bias.
I would be grateful if you can share your ideas around this subject.
Regards,
Abdul
2008 Aug 22 11:27 AM
Hi Abdul,
When performing UAT tests in the Quality system, I think users will be requested to perform both positive and negative testing of the security roles that are assigned to their respective user IDs.
I think negative testing would be something like checking for authorizations to tcodes not assigned in the roles assigned to the users.
Also, in most cases the users like to check if they are able to find the fields in the transactions and if they are able to get the right outputs. So a negative test would be to go and check the fields and values not assigned in the roles.
Regards,
Kiran Kandepalli.
2008 Aug 22 11:58 AM
Hi Abdul,
Negative testing is a key part of the security testing process but is nothing that cannot be competently handled by experienced users, the security team and Internal Audit/Controls.
First of all you need to identify your control points. A controls framework owned by the client should be available as all the functional work and role definitions should refer to it at some point.
In that controls framework there will be things which map directly to your security build i.e. users cannot process data outside of their organisational unit.
You can use these control points or rules to create your -ve test cases and give you a list of what you need to test against. As you should have used these for your build, it shouldn't be new info. It can be useful to get the client to define (or approve) the test cases too.
An example would be that role 1 can only post to company code 1000. Your negative test would be to try & post a financial doc to comp code 2000.
Another example would be that Sales Clerk can only raise a particular type of Sales Order. Your negative test would be to try to create an SO which they should not be authorised for. Failure to complete the -ve test is usually a pass.
You should also perform an application security review against your build prior to testing to make sure that there are no huge gaps like debug access in end user roles etc.
You can engage someone like the Big4 to perform negative testing but once they are engaged, they will want to get a whole load more work and probably try to pitch to rebuild etc. If you approach the negative testing in a logical manner & identify the right people to be involved in the process, there is no reason why you can't do the job as well as an external company.
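The approach described in the two replies above (derive a positive and a negative case from each control point, check tcodes and field values outside the role, and treat a denied negative case as a pass) can be scripted so the test list is generated from the controls framework rather than written by hand. The following is an added example, not code from either poster or from SAP; the role contents are a constructed sample, and the `authority_check` function only imitates the outcome of an authorization check against that sample so the derived cases can be evaluated offline. The authorization objects S_TCODE, F_BKPF_BUK and V_VBAK_AAT are real SAP objects, but the values placed in them here are invented. One role (`Z_FI_CLERK_WIDE`) is deliberately over-authorised on company code so the run shows what a gap looks like.

```python
"""Derive negative authorization test cases from control points and
run them against a role build (added example with constructed data)."""
from dataclasses import dataclass

# Constructed role build: role -> auth object -> field -> allowed values.
# '*' stands for the SAP full-value wildcard. Not a real customer build.
ROLES = {
    "Z_FI_CLERK_1000": {
        "S_TCODE": {"TCD": {"FB01", "FB03"}},
        "F_BKPF_BUK": {"BUKRS": {"1000"}, "ACTVT": {"01", "03"}},
    },
    "Z_FI_CLERK_WIDE": {  # deliberately over-authorised: any company code
        "S_TCODE": {"TCD": {"FB01", "FB03"}},
        "F_BKPF_BUK": {"BUKRS": {"*"}, "ACTVT": {"01", "03"}},
    },
    "Z_SD_CLERK_OR": {
        "S_TCODE": {"TCD": {"VA01"}},
        "V_VBAK_AAT": {"AUART": {"OR"}, "ACTVT": {"01"}},
    },
}


def authority_check(role, obj, **fields):
    """Imitate an authorization check: grant only if the role holds the
    object and every requested field value is covered by it."""
    auth = ROLES[role].get(obj)
    if auth is None:
        return False
    for fld, val in fields.items():
        allowed = auth.get(fld, set())
        if "*" not in allowed and val not in allowed:
            return False
    return True


@dataclass(frozen=True)
class ControlPoint:
    """One rule from the controls framework, e.g. 'role X posts only in
    company code 1000'. `fixed` holds the other fields a realistic
    request carries (activity, transaction) so the case is meaningful."""
    role: str
    obj: str
    field: str
    allowed: frozenset
    fixed: tuple  # ((field, value), ...)


@dataclass(frozen=True)
class TestCase:
    role: str
    obj: str
    fields: tuple  # ((field, value), ...)
    expect_granted: bool


def derive_tests(cp, universe):
    """One positive case per allowed value, one negative case per value in
    `universe` the rule does not allow (other company codes, tcodes, ...)."""
    cases = []
    for v in sorted(cp.allowed):
        cases.append(TestCase(cp.role, cp.obj, ((cp.field, v),) + cp.fixed, True))
    for v in sorted(set(universe) - set(cp.allowed)):
        cases.append(TestCase(cp.role, cp.obj, ((cp.field, v),) + cp.fixed, False))
    return cases


def run_tests(cases):
    """Return [(case, passed)]. A negative case passes when access is denied,
    which is the 'failure to complete the -ve test is a pass' rule."""
    out = []
    for c in cases:
        granted = authority_check(c.role, c.obj, **dict(c.fields))
        out.append((c, granted == c.expect_granted))
    return out


def gaps(results):
    """Negative cases that were granted: these are the build gaps to fix."""
    return [c for c, passed in results if not passed and not c.expect_granted]


# Control points taken from the kind of rules the replies describe.
CP_BUKRS_OK = ControlPoint("Z_FI_CLERK_1000", "F_BKPF_BUK", "BUKRS",
                           frozenset({"1000"}), (("ACTVT", "01"),))
CP_BUKRS_WIDE = ControlPoint("Z_FI_CLERK_WIDE", "F_BKPF_BUK", "BUKRS",
                             frozenset({"1000"}), (("ACTVT", "01"),))
CP_TCODE_SD = ControlPoint("Z_SD_CLERK_OR", "S_TCODE", "TCD",
                           frozenset({"VA01"}), ())
CP_AUART_SD = ControlPoint("Z_SD_CLERK_OR", "V_VBAK_AAT", "AUART",
                           frozenset({"OR"}), (("ACTVT", "01"),))

COMPANY_CODES = ["1000", "2000", "3000"]   # constructed org structure
SD_TCODES = ["VA01", "VA02", "VA03"]
ORDER_TYPES = ["OR", "RE", "CR"]

if __name__ == "__main__":
    for cp, universe in [(CP_BUKRS_OK, COMPANY_CODES), (CP_BUKRS_WIDE, COMPANY_CODES),
                         (CP_TCODE_SD, SD_TCODES), (CP_AUART_SD, ORDER_TYPES)]:
        res = run_tests(derive_tests(cp, universe))
        print(f"{cp.role}/{cp.obj}: {sum(p for _, p in res)}/{len(res)} passed,"
              f" gaps={[dict(c.fields) for c in gaps(res)]}")
```

The point of generating the list from `ControlPoint` records is that the negative cases come for free: every value in the organisational universe that the rule does not allow becomes a test, so the reviewer only has to maintain the rules and the universe, not the case list. In the sample run, `Z_FI_CLERK_1000` passes all three company-code cases, while `Z_FI_CLERK_WIDE` reports company codes 2000 and 3000 as gaps because the wildcard grants what the control point forbids.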