Application Development Discussions

Template for SAP Security Standard document

Former Member
0 Kudos

Hi SAP Gurus,

I was asked to overhaul our company's SAP Security Standards document. So I'm hoping someone can give me a template on what information/data should be in the document?

5 REPLIES

Former Member
0 Kudos

Hi-

Sorry!

Before you get a reply, I would like to know whether or not you are asking for standard operating procedures for a particular R/3 security process for the production environment. If NOT, please elaborate your requirements a bit further.

Thanks,

Ashok

0 Kudos

Hi Ashok,

Thanks for responding to my query. Just to give you a background.

My company is asking me to review our SAP Security Standards document. But I think it's better to create an entirely new document as the existing document doesn't have a flow. The information/data are everywhere. So I am looking for a template which I can use in creating our new SAP Security Standards document.

You may call it strategy, procedure or standards. I just need a template which I can build my document from.

Thanks again!

Regards,

Ruel

Former Member
0 Kudos

These documents are designed based on system landscape and architecture and business strategy flow. It is something company specific which needs to be made per your understanding only, and moreover the best template to refer to would be what you currently have, the older version. So go ahead, introduce some new terminology and redesign the docs. I am not sure if anyone can provide you with the template in person over here. This will go against the rule set of this forum, I guess so.

You can expand your doc on your own in a systematic flow. Say, for example:

Purpose

Scope

Reference

System Description

Specifications

System Design Architecture

Security features (Discuss All R/3 application level security within)

System Management

Change Control (Including all controls executed over defects/errors detected during development and maintenance of the system)

Cheers!

Ashok

Former Member
0 Kudos

Hello Ruel,

I have worked on creating similar documents for authorizations, so I can brief you on my experience and understanding of the same.

Any role design in your organization should be based on discussion with the business, and requirements should be gathered from them. You collate them in your overview document and categorize them on the following points:

- Name of Process, Subprocess, Activity, Master Data etc.

- SAP Transaction code

- Business relevance - Yes/No i.e. Function is necessary for the proper execution of the work or cosmetic (nice to have)

- Failure Consequence - High/Medium/Low based on the business process

- Testing requirements

- Activity Group - To group activities for a role.

You base your role design on this document and any changes i.e. addition or removal of authorizations should be subject to this checklist and testing done accordingly.

You generate role description documents for your roles and maintain versions for the same provided you have a good DMS in place.

In the role description document you capture the role name, description, version, change table, transactions assigned, org element values etc.

You should have templates in place for testing both in case of positive and negative testing.

Your User Creation/Changes (role addition/removal) should be documented through proper approval procedures being followed. You should have a system in place for the same.

You should also have a good Change Management System in place which documents and helps in backtracking the changes made and transported to the production environment.
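The reply above describes a requirements overview (process, transaction code, business relevance, failure consequence, testing requirements, activity group) and says that every addition or removal of authorizations should be checked against it and tested. The following Python script is an added example, not code from the reply's author or from SAP: it models that overview as a small data structure and gates a proposed role change on it, producing blocking findings (transaction without a gathered requirement, high-consequence transaction with no documented test) and the list of positive and negative tests the change requires. The data model, the sample entries and the severity rules are assumptions made for illustration; the transaction codes are standard SAP codes used only as identifiers.

```python
"""Review a proposed role change against the business requirements overview.

Added example (not from the thread). The overview entries and the rules for
what blocks a change are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class RequirementEntry:
    """One line of the requirements overview gathered from the business."""
    process: str               # process / sub-process / activity / master data
    tcode: str                 # SAP transaction code
    business_relevant: bool    # True = necessary for the work, False = cosmetic
    failure_consequence: str   # "High", "Medium" or "Low"
    testing_requirements: str  # what must be tested; "" = nothing documented
    activity_group: str        # grouping used to assemble roles


@dataclass
class ReviewResult:
    approved: bool
    # (severity, tcode, message); severity is "BLOCK" or "WARN"
    findings: List[Tuple[str, str, str]] = field(default_factory=list)
    # (kind, tcode, detail); kind is "positive" or "negative"
    tests_to_run: List[Tuple[str, str, str]] = field(default_factory=list)


def review_role_change(current: Iterable[str], proposed: Iterable[str],
                       overview: Dict[str, RequirementEntry]) -> ReviewResult:
    """Compare current vs proposed transaction sets and apply the checklist."""
    current, proposed = set(current), set(proposed)
    result = ReviewResult(approved=True)

    # Additions: every new transaction must trace back to a gathered requirement.
    for tcode in sorted(proposed - current):
        entry = overview.get(tcode)
        if entry is None:
            result.findings.append(("BLOCK", tcode, "no requirement gathered from the business"))
            continue
        if not entry.business_relevant:
            result.findings.append(("WARN", tcode, "cosmetic function; needs explicit justification"))
        if entry.failure_consequence == "High" and not entry.testing_requirements:
            result.findings.append(("BLOCK", tcode,
                                    "high failure consequence but no testing requirement documented"))
            continue
        result.tests_to_run.append(("positive", tcode,
                                    entry.testing_requirements or "confirm the activity can be executed"))

    # Removals: always need a negative test; warn if the function is business-necessary.
    for tcode in sorted(current - proposed):
        entry = overview.get(tcode)
        if entry is not None and entry.business_relevant:
            result.findings.append(("WARN", tcode,
                                    f"removing a business-necessary function for '{entry.process}'; "
                                    "confirm with the process owner"))
        result.tests_to_run.append(("negative", tcode, "confirm the transaction can no longer be started"))

    result.approved = not any(sev == "BLOCK" for sev, _, _ in result.findings)
    return result


# Constructed sample overview (assumption, not real company data).
SAMPLE_OVERVIEW: Dict[str, RequirementEntry] = {
    e.tcode: e for e in [
        RequirementEntry("Purchasing / create purchase order", "ME21N", True, "High",
                         "create PO for plant 1000 with an approved vendor; verify release strategy",
                         "Purchasing"),
        RequirementEntry("Materials / display material", "MM03", True, "Low", "", "Purchasing"),
        RequirementEntry("Reporting / ad-hoc table lookup", "SE16", False, "High", "", "Reporting"),
    ]
}


if __name__ == "__main__":
    # Proposed change: keep MM03, add ME21N and SU01 (SU01 has no gathered requirement).
    r = review_role_change({"MM03"}, {"MM03", "ME21N", "SU01"}, SAMPLE_OVERVIEW)
    print("approved:", r.approved)
    for sev, tcode, msg in r.findings:
        print(f"  {sev:5} {tcode:6} {msg}")
    for kind, tcode, detail in r.tests_to_run:
        print(f"  test  {kind:8} {tcode:6} {detail}")
```

The script is meant to sit in front of the approval step mentioned in the reply: a change with any BLOCK finding is sent back to requirements gathering, while the returned test list becomes the input for the positive/negative test templates.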

0 Kudos

Hmm, interesting comments. Is it really a Standard that you're after? Not wishing to ask if you like salt with your eggs, but I assume we know the differences between Standard, Policy, Procedure? You'd be surprised by the number of so-called Security experts/Consultants that can't articulate this. I have seen Big 4 people who are meant to be delivering Policy but actually documenting a Standard, even Procedures.

So are you looking at delivering a Standard per Application? You should also have a Generic App Security Standard.

Standard - you're looking at no more than 10-20 pages.

SAP hooks into several other documents so you should be explicitly referencing O/S and Database Standards.

Authenticating against SAP - that should be covered in Access Control Policy /Standard.

Encryption ....? Your encryption docs and so on.

SAP sits on an O/S, so if you're an IBM house then you're looking at AIX. SAP would assume this as a pre-req. Database? You've got Oracle and if again you're an IBM house you follow DB2.

DB2 inherits numerous privileges from the underlying O/S. So if AIX is poorly configured, then DB2 inherits this. Of course there's a bunch of stuff that you can do from SYS* parameters etc.

I've just put together a bunch of stuff for an Org. The actual SAP piece is actually not that hard. The Procedure is a little more specific, e.g. specific Install Accounts/Passwords that need to be changed, how you secure external interfaces.

Please let me know if you need anything further.

Cheers, N