
Taking the Taboo out of S_TABU Authorization Objects

When the average tech person hears about SAP Authorization Objects, they naturally think of them as something that blocks them from accessing data in SAP. 

There is SOME truth to that.  But that is not the full story. 

SAP Authorization Objects for SAP NetWeaver AS ABAP technologies are not just blockers.  They are the ENABLER of access. The best practice is to grant it based on the concept of “Least Privilege” which some people associate with this Taboo label.   

The “Least Privilege”

“Least Privilege” means that any user should be granted access based on two simple criteria: 

  1. They should be granted access to EXACTLY what they need.  This requires precision and expertise.  You don’t want to grant PARTIAL access and end up with frustrated Users.
  2. They should be granted access to ONLY what they need.  This also requires precision.  It is too easy to over-assign access.  Now, over-assigning access might work for a sandbox or training system, but once you move to the systems that are in the Dev-QA-Production path, there should never be an option to Over-assign access. 

SAP has a seemingly endless number of Authorization Objects, but let’s focus on just 4 authorization objects that control access to data in Tables. These four Authorization objects start with “S_TABU_”   

So, let's take the ‘Taboo’ out of these “S_TABU_” authorization objects: 

– S_TABU_DIS is the original authorization object that grants access to SAP tables… but not to specific tables. It grants access to tables based on assignment to an Authorization Group.   

  • This authorization object relies on proper administration of the Authorization Group. The Authorization Group is the object that links the Users to the Tables. The Table-to-Group mappings are maintained in the TDDAT table. 
  • If a Table is NOT mapped to an Authorization Group, this creates a potential Access Vulnerability.  Study the “default” Authorization Group that applies in this scenario.  It is called “&NC&”.  It is important to know two things about &NC&: 
    • What tables are mapped to &NC& by default (by not being mapped to an Authorization Group) 
    • What users have authorization to Authorization Group &NC& 
  • When your custom team creates a custom table (commonly known as a “Ztable”), make sure that the Ztable is assigned to a Table Authorization Group. 
  • TIP: Utilize a vendor product such as the SecurityBridge Platform that can identify and report on Tables that are NOT Assigned to an Authorization Group. 
  • S_TABU_DIS is not the only “S_TABU_nnn” authorization object.  There are 3 MORE! 


– S_TABU_NAM was introduced as an enhancement to S_TABU_DIS. 

  • With S_TABU_NAM you can grant access to a SPECIFIC table, based on the name of the table.   
  • If the S_TABU_DIS check is unsuccessful (in the function module VIEW_AUTHORITY_CHECK, for example), the check on S_TABU_NAM takes effect. 
  • SAP HELP offers this guidance for analyzing table authorizations for either a User or a Single Role:  Run report SUSR_TABLES_WITH_AUTH (see SAP Note 1500054) 
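As an added illustration (not code from the article, from SecurityBridge or from SAP), the following Python model shows the check order just described together with the two &NC& questions from the S_TABU_DIS section: a constructed TDDAT excerpt with one table that was never assigned a group, constructed users, and a check that tries S_TABU_DIS first and S_TABU_NAM only when that fails. DICBERCLS, TABLE and ACTVT are the real field names of the two objects; the table names, groups, users and the functions themselves are assumptions of this model and call no SAP API.

```python
"""Model of the S_TABU_DIS -> S_TABU_NAM check order and an &NC& audit.

Everything below is a constructed example: the TDDAT excerpt, the table
names and the user authorizations are invented sample data, and the
functions model the behaviour described in the article rather than
calling any SAP API.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Authorization group SAP uses for tables that have no TDDAT assignment.
DEFAULT_GROUP = "&NC&"

# Constructed TDDAT excerpt: table name (TABNAME) -> authorization group (CCLASS).
# ZCUST_CONTRACT was created without a group and therefore has no entry.
TDDAT = {
    "ZPAYROLL": "ZHR",
    "ZPRICING": "ZSD",
}
ALL_TABLES = ["ZPAYROLL", "ZPRICING", "ZCUST_CONTRACT"]


@dataclass
class Authorizations:
    """Authorizations one user holds (constructed sample).

    tabu_dis: S_TABU_DIS field DICBERCLS (group) -> allowed ACTVT values
    tabu_nam: S_TABU_NAM field TABLE (table name) -> allowed ACTVT values
    """
    tabu_dis: dict[str, set[str]] = field(default_factory=dict)
    tabu_nam: dict[str, set[str]] = field(default_factory=dict)


# Constructed users: ACTVT 03 = display, 02 = change.
USERS = {
    "HR_CLERK": Authorizations(tabu_dis={"ZHR": {"03"}}),
    "SD_ADMIN": Authorizations(tabu_nam={"ZPRICING": {"02", "03"}}),
    # Over-assigned: holds the default group with change access.
    "BASIS_WIDE": Authorizations(tabu_dis={DEFAULT_GROUP: {"02", "03"}, "ZHR": {"03"}}),
}


def auth_group(table: str) -> str:
    """Group a table resolves to; unmapped tables fall back to &NC&."""
    return TDDAT.get(table, DEFAULT_GROUP)


def table_access_allowed(auth: Authorizations, table: str, actvt: str) -> Optional[str]:
    """Return the object that granted access, or None if both checks fail.

    Order follows the article: S_TABU_DIS is checked first and S_TABU_NAM
    only takes effect when that check is unsuccessful.
    """
    if actvt in auth.tabu_dis.get(auth_group(table), set()):
        return "S_TABU_DIS"
    if actvt in auth.tabu_nam.get(table, set()):
        return "S_TABU_NAM"
    return None


def unassigned_tables(tables: list[str]) -> list[str]:
    """Tables with no TDDAT entry, i.e. reachable through &NC&."""
    return sorted(t for t in tables if t not in TDDAT)


def users_with_nc_group(users: dict[str, Authorizations], actvt: str) -> list[str]:
    """Users whose S_TABU_DIS authorization covers &NC& for the activity."""
    return sorted(u for u, a in users.items()
                  if actvt in a.tabu_dis.get(DEFAULT_GROUP, set()))


if __name__ == "__main__":
    print("Unassigned tables:", unassigned_tables(ALL_TABLES))
    print("Users with &NC& change access:", users_with_nc_group(USERS, "02"))
    for user in USERS:
        print(user, "-> ZCUST_CONTRACT change:",
              table_access_allowed(USERS[user], "ZCUST_CONTRACT", "02"))
```

The two audit functions answer exactly the two &NC& questions: the unmapped Ztable shows up in the first list, and the over-assigned user in the second is the one who can change it even though nobody ever decided that. SD_ADMIN reaches ZPRICING only through S_TABU_NAM, because the S_TABU_DIS check on group ZSD fails first.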


– S_TABU_CLI brought yet another dimension to the granting of access.   

  • Most of my readers are familiar with the concept of an SAP Client. But if you are not, think of the SAP Client concept as a way to separate data and actions on a single SAP server or a group of servers identified together under one SAP System ID (aka “SID”).   
  • On this SID, there will exist typically two or more “clients”.  The ‘unseen’ client is the administrative client, numbered as ‘000’.  SAP as a vendor will also provide a client 001 which can be used to clone other clients for the customer to use.  The end users will typically log in to a client designated as the “Productive Client”.     
  • Find out more about SAP Clients –> ask me on LinkedIn and I can cover that with you.   
  • So, as you might have guessed by now. . .S_TABU_CLI will allow or deny access based on which client you are logged in to. This is important for what are called “multi-client” tables.  When paired with S_TABU_DIS, S_TABU_CLI can give extra protection to these “multi-client” tables. 


– S_TABU_LIN is the most sophisticated of these table authorizations.  It allows you to grant access based on specific ROW content within a table.   

  • A quick illustration is to think of a table that might contain records from multiple countries.   
  • Using S_TABU_LIN, a user can be granted access only to specific rows/records for allowed countries and denied access to rows/records from other countries.   
  • Similarly, you could think of any organizational structure or geographical element where this could be helpful.  The most common in SAP are Country and Plant. 
  • NOTE:  Some additional configuration is required to enable S_TABU_LIN.  This is maintained in IMG (tcode: SPRO) –> System Administration –> Users and Authorizations –> Line-Oriented Authorizations –> Define Organizational Criteria (then also –> Activate Organizational Criteria) 
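Added example, not code from the article or from SAP: a Python model of the row-level filtering that S_TABU_LIN provides, using a country criterion like the one in the illustration above. The criteria, rows and user authorizations are constructed sample data; ORG_CRIT and ORG_FIELD1 are S_TABU_LIN's field names, but the value-matching rules, the decision to evaluate only criteria that have been activated (the model's reading of the activation step in the NOTE), and the choice to hide every row when a user holds no value at all for an active criterion are assumptions of this model.

```python
"""Model of S_TABU_LIN line-oriented (row-level) authorization.

Constructed example: the organizational criteria, the table rows and the
user authorizations are invented sample data; the functions model the
behaviour described in the article and call no SAP API.
"""
from __future__ import annotations

# Constructed organizational criteria (as defined and activated in SPRO):
# criterion name -> the table field it evaluates and whether it is active.
ORG_CRITERIA = {
    "ZCOUNTRY": {"field": "LAND1", "active": True},
    "ZPLANT": {"field": "WERKS", "active": False},  # defined but not activated
}

# Constructed rows of a customer-like table with country (LAND1) and plant (WERKS).
ROWS = [
    {"KUNNR": "1000", "LAND1": "DE", "WERKS": "1010"},
    {"KUNNR": "1001", "LAND1": "US", "WERKS": "2010"},
    {"KUNNR": "1002", "LAND1": "DE", "WERKS": "1020"},
    {"KUNNR": "1003", "LAND1": "FR", "WERKS": "3010"},
]


def value_allowed(value: str, allowed: set[str]) -> bool:
    """Match a row value against authorization field values (model assumption):
    '*' matches anything, a trailing '*' is a prefix match, otherwise exact."""
    for pattern in allowed:
        if pattern == "*":
            return True
        if pattern.endswith("*") and value.startswith(pattern[:-1]):
            return True
        if pattern == value:
            return True
    return False


def visible_rows(rows, line_auth: dict[str, set[str]], criteria=ORG_CRITERIA):
    """Rows the user may see.

    line_auth maps an S_TABU_LIN ORG_CRIT value to the ORG_FIELD1 values the
    user holds. Only active criteria are evaluated; a row must pass every
    active criterion, and a user with no values for an active criterion
    sees no rows (model assumption).
    """
    visible = []
    for row in rows:
        passes = all(
            value_allowed(row[cfg["field"]], line_auth.get(crit, set()))
            for crit, cfg in criteria.items()
            if cfg["active"]
        )
        if passes:
            visible.append(row)
    return visible


def visible_keys(rows, line_auth, criteria=ORG_CRITERIA) -> list[str]:
    """Convenience: just the KUNNR keys of the visible rows."""
    return [r["KUNNR"] for r in visible_rows(rows, line_auth, criteria)]


if __name__ == "__main__":
    print("DE only:", visible_keys(ROWS, {"ZCOUNTRY": {"DE"}}))
    print("All countries:", visible_keys(ROWS, {"ZCOUNTRY": {"*"}}))
    print("Plant only (criterion inactive):", visible_keys(ROWS, {"ZPLANT": {"1010"}}))
```

The third call is the case the NOTE is warning about: a plant restriction that has been defined but never activated contributes nothing, so the user's visibility is decided by the country criterion alone. Passing a criteria dictionary with ZPLANT set to active shows how a second dimension narrows the result further.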

Final Recommendations

Every SAP Authorization Object is rich in content and detail.  The SAP Security Consultant must become familiar with Authorization Objects. There are too many to memorize them all.  So, utilize transaction codes SU24, PFCG, and SUIM to get to know and understand how and where authorization objects are utilized.  It is a vast field, but now you know 4 out of hundreds. 

Another tip for all SAP implementations: Utilize a best-of-breed solution that can scan all your SAP NetWeaver AS ABAP environments to make sure that the Authorization Objects are properly utilized.  This includes the associated TCodes, Roles, and Profiles, and the ABAP custom code with its Authority Checks. . .all of which are linked to Authorization Objects. 

The solution that I recommend is the SecurityBridge Platform.  It is SAP-certified, developed in SAP technology, made FOR SAP environments, and runs IN SAP.  Ask for a demo; I would be happy to help you get that on your schedule. 

If you are interested in getting into the SAP Security Consulting field, please reach out to me on LinkedIn.  I am easy to find, and just mention that you saw this article.  We can take the conversation from there! 


Posted by 

Barry Snow
