SAP Enterprise Ver 4.6 Test Scripts for Appln _and_amp; ITG Cont 2035

  • Greetings Team
    I have got a GIG that involves IT Auditing in the SAP 4.6 environment. I would appreciate if any comrade here shares the latest test scripts for application (parameters testing) and ITG controls related to SAP R/3.
    How is the market?

  • Hi
    Attached are the scripts( T-codes ) you may have to run for testing profile parameters in SAP.
    For profile parameters.
    T-Code - SA38
    Program to run- RSPARAM
    For Table value display
    SE16N and input table name
    Incorrect Logon, Default Clients and Default Start Menus
    ’ Login/fails_to_session_end (default value - 3)
    defines the number of times a user can enter an incorrect password before the system terminates the logon attempt.
    ’ Login/fails_to_user_lock (default value - 12)
    the number of times a user can enter an incorrect password before the system locks the user. If the system locks, an entry is written to the system log, and the lock is released at midnight.
    ’ Login/failed_user_auto_unlock (default value - 1)
    unlocks users who are locked by logging on incorrectly. The locks remain if the parameter value is 0.
    ’ Login/system_client
    This parameter specifies the default client. This client is automatically filled in on the system logon screen. Users can enter a different client.
    ’ Login/ext_security
    Since release 3.0E, external security tools such as Kerberos or Secude have managed R/3 System access. If this parameter is set, an additional identification can be specified for each user (in user maintenance) where users log on to their security system. To activate, set the value to X.
    ’ rdisp/gui_auto_logout (default value - 0)
    Maximum time allowed between input from the GUI before the frontend is automatically logged out. The value is set in seconds and the value of zero is used when this facility is not active.
    ’ Start_menu
    This parameter specifies the default start menu for all users and can be overwritten with the user-specific start menu (transaction SU50). The default is S000, and this value can be set to any other area menu code.
    Password Security
    System profile parameters define the minimum length of a password and the frequency with which users must change passwords.
    ’ Login/min_password_lng
    minimum password length. The minimum is three characters and the maximum eight characters.
    ’ Login/password_expiration_time
    number of days after which a password must be changed. The parameter allows users to keep their passwords without time limit and leaves the value set to the default, 0.
    ’ To prevent use of a certain password, enter it in table USR40. Maintain this table with transaction SM30. In USR40, you may also generically specify prohibited passwords.
    There are two wild-card characters:
    ? means a single character

    • means a sequence of any combination characters of any length
      123* in table USR40 prohibits any password that begins with the sequence 123.
      123 prohibits any password that contains the sequence 123.
      AB? prohibits passwords that begin with AB and have an additional character, such as ABA, ABB, and ABC.
      Securing SAP* user master record
      ’ login/no_automatic_user_sapstar
      By default SAP is installed with a user master record SAP*. This user has the profile SAP_ALL with access to all transactions and programs in SAP. By default if this user master record is deleted then SAP allows logon using SAP* and a password of ËœPASS’. Although the user master record does not exist, SAP grants unrestricted system access privileges to SAP*. By setting this parameter value to Ëœ1’ this Ëœbackdoor’ access is blocked in the event the SAP* user master record is deleted. Prior to version 4.0 this parameter was login/no_automatic_user_sap*.
      Tracing Authorisations
      ’ Auth/check_value_write_on (default value - 0)
      Authorization failures can be evaluated immediately they occur by running transaction SU53. This functionality is only active if the parameter is set to a value greater than zero in the system profile parameter.
      ’ Auth/authorization_trace (version 4.0B onwards - default value - ËœN’)
      When the parameter is set, any authorization checks performed are validated against existing entries in table USOBX. If the table does not contain the transaction/authorization object combination, then a new entry is added to the SAP reference table (i.e. USOBT not USOBT_C). Due to significant performance issues, SAP does not recommend this parameter being set in customer systems.
      ’ Auth/test_mode (version 4.0B onwards - default value ËœN’)
      When activated every authority check starts report RSUSR400. However SAP recommends not activating this parameter as the system is paralyzed if syntax errors occur in running the report and it has a significant performance impact .
      Authority Check De-activation
      ’ Auth/no_check_on_sucode (version 3.0E to version 3.1H - default value ËœN’), Auth/no_check_on_tcode (version 4.0 onwards - default value - ËœN’)
      From release 3.0E, the system checks on object S_TCODE. In upgrades from versions prior to 3.0E to set this flag to ËœY’ to ensure that old profiles operate in the new system. By default, the function is inactive.
      The flag should not normally be switched on because of the degradation in security that results.
      ’ Auth/no_check_in_some_cases (version 3.0F onwards -default value depends on release)
      This parameter needs to be set to ËœY’ for installation of the profile generator. It defines the use of table USOBT in the authority checks undertaken and allows authority checks to be disabled in individual transactions. Whilst SAP recommends switching off unnecessary authority checks, the full impact of this should be considered carefully.
      ’ Auth/object_disabling_active (default value -ËœN’)
      Whilst_no_check_in_some_cases allows authority checks to be switched off in for individual transactions, this parameter allows checks on individual objects to be switched off globally within SAP. It is recommended that this parameter is not set.

  • Good post NC … I needed that too 😄

  • Also thanking NC for an informative post, given the complexity of SAP 🙂

  • Team
    The post by Girihdar aka NC is pretty useful. This is an excellent example of our worldwide coordination.
    Bravo. NC.

  • Somewhat of a tangent, but is their an online resource for this type of stuff?
    Oracle has metalink, but you have to run the software to get an account … does SAP have something similar?

  • all
    i found this link pretty useful
    sapsecurityonline dot com
    gives lots of insight on sap security
    this apart the help dot SAP dot com is pretty good by itself

Log in to reply