SAP R/3 System
Parameters
This overview describes how security and controls can be
implemented through system parameters.
System parameters are used to maintain configuration over the operation
of the SAP system. System parameters may
define key settings for the whole system on which SAP runs, individual hosts
systems (e.g. configuration for only one of many application servers) or the
instances that are running on these servers. The majority of system parameters ensure that
SAP operates effectively on the customer’s preferred hardware, operating system
and database platforms. System
parameters also control how SAP operates and provides system wide control over
some aspects of Security. System
parameters are set using transaction RZ10. To make the parameters globally
effective set them in the default profile, DEFAULT.PFL. To make them
instance-specific, you must set them in the profiles of each application server
in your R/3 System. System parameters
can be reviewed with transaction TU02 or from the standard SAP report RSPARAM
using transaction SA38.
Incorrect Logon,
Default Clients and Default Start Menus
·
Login/fails_to_session_end
(default value - 3)
defines the number of times a user can
enter an incorrect password before the system terminates the logon attempt.
·
Login/fails_to_user_lock
(default value - 12)
the number of times a user can enter an
incorrect password before the system locks the user. If the system locks, an
entry is written to the system log, and the lock is released at midnight.
·
Login/failed_user_auto_unlock
(default value - 1)
unlocks users who are locked by logging
on incorrectly. The locks remain if the
parameter value is 0.
·
Login/system_client
This parameter specifies the default
client. This client is automatically filled in on the system logon screen.
Users can enter a different client.
·
Login/ext_security
Since release 3.0E, external security
tools such as Kerberos or Secude have managed R/3 System access. If this parameter is set, an additional
identification can be specified for each user (in user maintenance) where users
log on to their security system. To activate, set the value to X.
·
rdisp/gui_auto_logout
(default value - 0)
Maximum time allowed between input from
the GUI before the frontend is automatically logged out. The value is set in seconds and the value of
zero is used when this facility is not active.
·
Start_menu
This parameter specifies the default
start menu for all users and can be overwritten with the user-specific start
menu (transaction SU50). The default is S000, and this value can be set to any
other area menu code.
Password Security
System profile parameters define the minimum length of a
password and the frequency with which users must change passwords.
·
Login/min_password_lng
minimum password length. The minimum is
three characters and the maximum eight characters.
·
Login/password_expiration_time
number of days after
which a password must be changed. The parameter allows users to keep their
passwords without time limit and leaves the value set to the default, 0.
·
To prevent use of a certain password, enter it in
table USR40. Maintain this table with transaction SM30. In
USR40, you may also generically specify prohibited passwords.
There are two
wild-card characters:
–
? means a single character
–
* means a sequence of any combination characters
of any length
Examples:
–
123* in table USR40 prohibits any password that begins with the
sequence 123.
– *123* prohibits any
password that contains the sequence 123.
– AB? prohibits
passwords that begin with AB and have an additional character, such as ABA, ABB, and ABC.
Securing SAP* user
master record
·
login/no_automatic_user_sapstar
By default SAP is installed with a user
master record SAP*. This user has the
profile SAP_ALL with access to all transactions and programs in SAP. By default if this user master record is
deleted then SAP allows logon using SAP* and a password of ‘PASS’. Although the user master record does not
exist, SAP grants unrestricted system access privileges to SAP*. By setting this parameter value to ‘1’ this
‘backdoor’ access is blocked in the event the SAP* user master record is
deleted. Prior to version 4.0 this parameter was login/no_automatic_user_sap*.
Tracing Authorizations
•
Auth/check_value_write_on (default value - 0)
Authorization failures can be evaluated
immediately they occur by running transaction SU53. This functionality is only active if the
parameter is set to a value greater than zero in the system profile parameter.
•
Auth/authorization_trace (version 4.0B onwards -
default value - ‘N’)
When the parameter is set, any
authorization checks performed are validated against existing entries in table
USOBX. If the table does not contain the
transaction/authorization object combination, then a new entry is added to the
SAP reference table (i.e. USOBT not USOBT_C).
Due to significant performance issues, SAP does not recommend this
parameter being set in customer systems.
•
Auth/test_mode (version 4.0B onwards - default
value ‘N’)
When activated every authority check
starts report RSUSR400. However SAP
recommends not activating this parameter as the system is paralyzed if syntax
errors occur in running the report and it has a significant performance impact
.
Authority Check De-activation
•
Auth/no_check_on_sucode (version 3.0E to version
3.1H - default value ‘N’), Auth/no_check_on_tcode (version 4.0 onwards -
default value - ‘N’)
From release 3.0E, the system checks on
object S_TCODE. In upgrades from versions prior to 3.0E to set this flag to ‘Y’
to ensure that old profiles operate in the new system. By default, the function
is inactive.
The flag should not normally be switched
on because of the degradation in security that results.
• Auth/no_check_in_some_cases
(version 3.0F onwards -default value depends on release)
This parameter needs to be set to ‘Y’
for installation of the profile generator.
It defines the use of table USOBT in the authority checks undertaken and
allows authority checks to be disabled in individual transactions. Whilst SAP recommends switching off
unnecessary authority checks, the full impact of this should be considered
carefully.
• Auth/object_disabling_active
(default value -‘N’)
Whilst_no_check_in_some_cases allows
authority checks to be switched off in for individual transactions, this
parameter allows checks on individual objects to be switched off globally
within SAP. It is recommended that this
parameter is not set.
Number of Authorizations in User Buffers
•
Auth/auth_number_in_userbuffer
When a user logs onto SAP, the
authorizations contained in the user’s profiles are copied to a user buffer in
memory. The maximum number of
authorizations copied is set by this parameter.
The size of the buffer must always exceed the maximum number of
authorizations as authorization checks are made only against those in the
buffer.
The default value is 800, but this can
be set to between 1–2000. Refer to OSS
notes 84209 and 75908 for more detailed information regarding changes to the
size of the user buffer.
Transaction SU56 shows the contents of
the user’s user buffer and a total for all the authorizations in a user master
record.
Table, ABAP and RFC system parameters
•
Rec/client (default value - ‘N’)
The parameter switches automatic table
logging on. Images of the table before
and after are logged rather than just changes and so consideration to which
tables are to be logged and log volumes must be made before using this as part
of a control solution.
•
Auth/rfc_authority_check (default value - ‘1’)
The parameter determines how object
S_RFC is checked during RFC calls. The
object has three fields, activity, the name of the function being called and
the function group in which the function resides. The parameter defines whether S_RFC object is
checked and if so, whether the function group field is included in the
validation.
Value = 0, no check against S_RFC
Value = 1, check active but no check for
SRFC-FUGR
Value = 2, check active and check
against SRFC-FUGR
• Auth/system_access_check_off
(default value - ‘0’ - check remains active)
This parameter inactivates the automatic
authorization check for particular ABAP/4 language elements (file operations,
CPIC calls, and calls to kernel functions). This parameter ensures the downward
compatibility of the R/3 kernel.
Useful Transactions
• TU02 Shows current parameters for all
hosts and gives a history of changes to parameters
• RZ10 Maintain system parameters
• RZ11 View single system parameters and
their functional area.
• SU56 Shows all authorizations a user
has in their user master record and the total number. This is useful to
identify apparent authorization
failures caused by user buffer overflow.
Useful Reports
RSPARAM displays all system parameters set and
applicable to the system and instance in which it is run.
From version 4.0 the RSUSR003 report also shows the
settings for some of the critical password parameters. The report also shows identifies whether
SAP*, DDIC or CPIC have insecure passwords by comparing value of the encrypted
password field with the encrypted values of the standard shipped
passwords. It also shows whether the
SAP* user master record is absent from any clients.
