Question:
Does anybody have a Security Project Plan which could be used in the Realization Phase of an SAP implementation. Just need one to make sure all tasks are covered. Implementing core R/3, BW(SEM), XI, SRM(with EBP) etc.
Answer:
Hi Guest01,
this is a somewhat high-level project plan that should fit your rather high-level description quite well:
1. Identify what you want to secure.
2. Secure it.
Have fun,
Marc
Answer:
Generic plan for Security by position
Security Development Purpose: - Develop SAP role based security
1.1 Role Development
1.1.1 Specify Role requirements
1.1.1.1 Evaluate current state to define baseline
1.1.1.2 Define security standards consistent with Company control policies
1.1.1.3 Pre-Configure SAP Profile Generator
1.1.1.4 Set Security Parameters
1.1.1.5 Configure session manager (tables SSM_CUST and PRGN_CUST)
1.1.1.6 Conduct SAP Security training
1.1.1.7 Training on 4.7 Security Functionality
1.1.1.8 Define Business processes and map to SAP tcodes
1.1.1.9 Define Role naming standard to support Portal
1.1.1.10 Develop role menu standards for enterprise solution
1.1.1.11 Develop Role definitions based on tcode grouping
1.1.1.12 Translate old tcode to new EnjoySAP tcodes where desired
1.1.1.13 Identify additional Org Levels and create
1.1.1.14 Define Org level values (Co. code, Plant, Sales Org, etc.)
1.1.1.15 Evaluate Macro SOD impacts
1.1.1.16 Re-adjust roles based on first pass SOD evaluation
1.1.2 Create requested roles in Development
1.1.2.1 Extract useful 4.0b data to input into 4.7
1.1.2.2 Load 4.0b data into 4.7
1.1.2.3 Create new roles, load tcodes, and Org level values
1.1.2.4 Configure Profile generator for long-term maintenance
1.1.2.5 Unit Test in Development
1.1.2.6 Configure Profile generator to address missing authorizations
1.1.2.7 Adjust roles
1.1.2.8 Evaluate SOD on stand-alone roles
1.1.2.9 Adjust roles based on SOD evaluation
1.1.2.10 Unit Test in Development
1.1.2.11 Adjust roles, test, repeat until access is correct
1.1.3 Transport of the requested roles to staging
1.1.3.1 Create mass transport of targeted roles
1.1.3.2 Export and import to testing system
1.1.4 PD Profiles for HR Security
1.1.4.1 Define PD profile requirements for Org Structure limitations
1.1.4.2 Create PD Profiles
1.1.4.3 Unit test PD profiles in conjunction with HR roles
1.1.4.4 Transport PD profiles to testing environment
1.2 Define test scenarios for Positive and Negative Test
1.2.1 Positive Test Development
1.2.1.1 Use Configuration unit test scenarios if available or develop
1.2.1.2 Develop data requirements needed to perform tests
1.3 Load Requirements for Unit Test
1.3.1 Create Test data
1.3.1.1 Create test data to facilitate testing
1.3.2 Create Test Ids
1.3.2.1 Define Test Id requirements
1.3.2.2 Create Test Ids
1.3.2.3 Assign Access Roles and PD profiles
1.3.4 Develop procedures for testing
1.3.4.1 Define error documentation requirements
1.4 Role Testing
1.4.1 Functional Area Testing
1.4.1.1 Perform positive tests
1.4.1.2 Document security errors
1.4.1.3 Adjust roles and PFCG config to correct roles
1.4.1.4 Transport changes and retest
1.4.1.5 Recycle until completed
1.4.1.6 Perform Negative testing
1.4.1.7 Document security errors
1.4.1.8 Adjust roles and PFCG config to correct roles
1.4.1.9 Transport changes and retest
1.4.1.10 Recycle until completed
1.5 Integration Testing
1.5.1 Assign complete "as-used" roles to test ids
1.5.1.1 Define potential role combinations used in Production
1.5.1.2 Assign combinations to test Ids
1.5.1.3 Evaluate SOD's
1.5.1.4 Adjust role access to eliminate SOD if possible
1.5.1.5 Identify conflicts where roles cannot be adjusted
1.5.1.6 Remove roles to eliminate SOD
1.5.2 Role Testing
1.5.2.1 Negative test id for "bleed" through access
1.5.2.2 Adjust roles and PFCG config to correct roles where possible
1.5.2.3 Transport changes and retest
1.5.2.4 Recycle until completed
1.6 Integration Testing
1.6.1 Map roles to positions
1.6.1.1 Determine roles mapping to HR Org. Structure
1.6.2 Load Roles to positions
1.6.2.1 Load Relationship to AG in infotype 1001 for position
1.6.3 Map Users to positions
1.6.3.1 Determine current user’s position and map to SAP position
1.6.3.2 Determine user’s SAP ID
1.6.3.3 Create SAP User Id's
1.6.3.4 Load Ids to Position (Infotype 0105 subtype 0001)
1.6.4 Load PD Profiles to Positions
1.6.4.1 Define PD Profile starting positions based on Org Mapping
1.6.4.2 Define and Request PD Profile Role creations
1.6.4.3 Create PD Profiles
1.6.4.4 Load PD Profiles to Positions Infotype 1017
1.6.5 Execute Automated process
1.6.5.1 Determine auto PD profile update days and config
1.6.5.2 Run RHPROFL0 to load user's access
1.6.5.3 Schedule PD Profile memory load report
1.6.5.4 Verify User's access
1.6.5.5 Verify T77UA load
1.6.5.6 Test Access
1.7 Production Preparation
1.7.1 Map roles to positions
1.7.1.1 Map SAP roles to Positions
1.7.1.2 Map Generic Roles to Org. Structure
1.7.1.3 Map PD Profiles to Position's Infotype 1017
1.7.2 Load Roles and PD Profiles to positions
1.7.2.1 Load Relationship to AG in infotype 1001 for position
1.7.2.2 Load PD Profile to Infotype 1017
1.7.3 Map Users to positions
1.7.3.1 Determine user’s position in SAP
1.7.3.2 Determine user’s SAP ID
1.7.3.3 Create SAP User Id's
1.7.3.4 Load Ids to Position (Infotype 0105 subtype 0001)
1.7.5 Execute Automated process
1.7.5.1 Run RHPROFL0 to load user's access
1.7.5.2 Verify User's access
1.7.5.3 Verify T77UA load
1.7.5.4 Schedule RHPROFL0 to run daily
1.7.5.5 Schedule PFUD to run daily
1.7.5.6 Create Table Sync report and schedule to run daily
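The plan above calls for SOD evaluation twice: once on stand-alone roles (1.1.2.8) and again on the role combinations a test ID would actually hold in Production (1.5.1.1 through 1.5.1.6). The following script is an added example, not something from this thread or from SAP; it models roles as sets of transaction codes and SOD rules as pairs of conflicting tcode groups. The role names, the tcode groupings and the two SOD rules are constructed for illustration; a real rule set comes out of the company control policy step (1.1.1.2), and real role contents would be exported from PFCG.

```python
"""Segregation-of-duties (SOD) check over role-to-tcode mappings.

Added example. Assumes a role is a set of transaction codes and an SOD rule
is a pair of tcode groups that must not both be reachable by one user.
"""
from itertools import combinations

# Constructed, illustrative SOD rules: holding any tcode from the first group
# together with any tcode from the second group is a conflict. A real rule set
# is derived from company control policy, not from this sample.
SOD_RULES = {
    "vendor_master_vs_payment_run": (
        frozenset({"FK01", "FK02", "XK01", "XK02"}), frozenset({"F110"})),
    "purchase_order_vs_goods_receipt": (
        frozenset({"ME21N", "ME22N"}), frozenset({"MIGO"})),
}

# Constructed sample roles, grouped by tcode as in plan step 1.1.1.11.
# Z_MM_ALL_IN_ONE is deliberately built to conflict on its own.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02", "FK03"},
    "Z_AP_PAYMENTS": {"F110", "FK03"},
    "Z_MM_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_MM_WAREHOUSE": {"MIGO", "MB51"},
    "Z_MM_ALL_IN_ONE": {"ME21N", "MIGO", "ME23N"},
}


def tcode_conflicts(tcodes):
    """Return a sorted list of (rule, tcode_a, tcode_b) hits for one tcode set."""
    found = []
    for rule, (group_a, group_b) in SOD_RULES.items():
        for a in sorted(tcodes & group_a):
            for b in sorted(tcodes & group_b):
                found.append((rule, a, b))
    return sorted(found)


def standalone_role_conflicts(roles=ROLES):
    """Step 1.1.2.8: roles that conflict on their own and must be redesigned."""
    result = {}
    for name, tcodes in roles.items():
        hits = tcode_conflicts(set(tcodes))
        if hits:
            result[name] = hits
    return result


def assignment_conflicts(assigned_roles, roles=ROLES):
    """Step 1.5.1.3: conflicts created by the union of roles on one user/test ID."""
    union = set().union(*(roles[r] for r in assigned_roles))
    return tcode_conflicts(union)


def explain_assignment(assigned_roles, roles=ROLES):
    """Step 1.5.1.5: for each conflict, name the roles contributing each tcode."""
    out = []
    for rule, a, b in assignment_conflicts(assigned_roles, roles):
        owners_a = sorted(r for r in assigned_roles if a in roles[r])
        owners_b = sorted(r for r in assigned_roles if b in roles[r])
        out.append((rule, a, owners_a, b, owners_b))
    return out


def conflicting_pairs(roles=ROLES):
    """Step 1.5.1.1: pairs of individually clean roles whose combination conflicts."""
    clean = sorted(r for r in roles if not tcode_conflicts(set(roles[r])))
    return sorted((x, y) for x, y in combinations(clean, 2)
                  if assignment_conflicts([x, y], roles))


if __name__ == "__main__":
    print("stand-alone conflicts:", standalone_role_conflicts())
    print("pairs that conflict in combination:", conflicting_pairs())
    for line in explain_assignment(["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"]):
        print(line)
```

Running it flags Z_MM_ALL_IN_ONE as a stand-alone conflict (the "re-adjust roles" loop of 1.1.2.9), and reports the vendor-maintenance/payments and buyer/warehouse pairs as clean roles that become a conflict only when assigned together, which is exactly the set of combinations to feed into 1.5.1.2 and decide under 1.5.1.4 to 1.5.1.6.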
Answer:
Generic plan for Security by position
Security Development Purpose: - Develop SAP role based security
...
*huestel*
And I thought I was being sarcastic!
No, seriously, Guest01,
if you tell us more about your situation (e.g. you have just finished university and have been sold to the customer as security specialist vs. you are the project manager and want to check if the security specialist that had been sold to you hasn't just finished university) and your scope (network/communications security, os/database/application security, disaster recovery etc.), I'm sure somebody here can come up with something helpful.
Have fun,
Marc