Data retrieval is a normal activity in a management system. But which tools are available in an SAP ERP system? Is it appropriate to do reporting in a transactional system?
What are the security impacts of doing corporate data reporting in SAP, and how can they be mitigated? What is the SAP query survival manual?
There are several, depending on the needs; among the main ones are the following:
We often run into the question above. There are two distinct database modes:
The first is designed for reporting, while the second is designed for data processing (not just for reading).
In the SAP product family there are many reporting solutions, for example SAP BW/BI (Business Warehouse/Business Intelligence), SAP BusinessObjects and many others. Obviously, there is also third-party software.
The conclusion is that if you need to analyze large amounts of data and produce many views (one for each department), you probably need a tool designed for that job, and you cannot use the company ERP for it. The ERP has reporting tools, but it is not designed for this kind of work.
Beyond what has been said above, and returning to the title, one of the most critical security aspects is SAP queries. There are actually no display-only transactions in this area.
Everything is controlled by an authorization object called S_QUERY.
This object, when present in a user's authorizations, determines whether the SAP query transactions (SQ00 and SQ01, see the following image) are display-only or allow the content of the queries to be changed.
That is not all. The SAP query module has its own small authorization concept in addition to the one normally handled through roles (that is, through the SAP-generated profile, transaction PFCG).
This authorization model allows query user groups to be managed (through transaction SQ03).
Let's take an example:
However, this is not enough.
Because if I disable the S_QUERY object, I must include the user in one or more defined query user groups (this allows the user to see and execute the queries in those groups). Usually query groups are structured by SAP module or corporate function.
Not very convenient to manage! But it isn't over yet!
Once the user has been enabled for the transaction, the S_QUERY authorization object has been disabled and the user has been included in the appropriate group, you then have to assign the correct authorizations on the tables that the queries read.
This is done through the authorization objects S_TABU_DIS/S_TABU_NAM (which authorize a group of tables or individual SAP tables, respectively).
Since the tables to be authorized have no dedicated transaction, this authorization must either be issued user by user or be released by attaching it to the SQ00 transaction (which grants users more permissions than intended).
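As an added illustration, not code from the original post, the small Python check below flags the two combinations discussed above over constructed role data: users who can start SQ00/SQ01 and also hold S_QUERY with a change activity (the standard activity values 02 = Change and 23 = Maintain), or a wildcard S_TABU_DIS table authorization group. The rows mimic the shape of the AGR_1251 (role authorization values) and AGR_USERS (user-role assignments) tables; the role and user names are invented.

```python
from collections import defaultdict

# Constructed sample rows shaped like AGR_1251 (role, object, field, value)
# and AGR_USERS (role, user); not an export from a real system.
AGR_1251 = [
    ("Z_QUERY_DISPLAY", "S_TCODE", "TCD", "SQ00"),
    ("Z_QUERY_DISPLAY", "S_TABU_DIS", "DICBERCLS", "FI"),
    ("Z_QUERY_DISPLAY", "S_TABU_DIS", "ACTVT", "03"),
    ("Z_QUERY_ADMIN", "S_TCODE", "TCD", "SQ01"),
    ("Z_QUERY_ADMIN", "S_QUERY", "ACTVT", "02"),
    ("Z_QUERY_ADMIN", "S_QUERY", "ACTVT", "23"),
    ("Z_TABLE_ALL", "S_TABU_DIS", "DICBERCLS", "*"),
    ("Z_TABLE_ALL", "S_TABU_DIS", "ACTVT", "03"),
]
AGR_USERS = [
    ("Z_QUERY_DISPLAY", "ALICE"),
    ("Z_QUERY_ADMIN", "BOB"),
    ("Z_QUERY_DISPLAY", "CAROL"),
    ("Z_TABLE_ALL", "CAROL"),
]

QUERY_TCODES = {"SQ00", "SQ01"}
S_QUERY_CHANGE = {"02", "23"}  # S_QUERY ACTVT: 02 = Change, 23 = Maintain

def effective_values(auth_rows, user_rows):
    """Merge all roles of each user into {user: {(object, field): {values}}}."""
    by_role = defaultdict(lambda: defaultdict(set))
    for role, obj, field, value in auth_rows:
        by_role[role][(obj, field)].add(value)
    per_user = defaultdict(lambda: defaultdict(set))
    for role, user in user_rows:
        for key, values in by_role[role].items():
            per_user[user][key] |= values
    return per_user

def find_risky_query_users(auth_rows, user_rows):
    """Users who can start SQ00/SQ01 and also change queries or read every table group."""
    findings = {}
    for user, auth in effective_values(auth_rows, user_rows).items():
        if not auth[("S_TCODE", "TCD")] & QUERY_TCODES:
            continue  # cannot start the query transactions at all
        problems = []
        if auth[("S_QUERY", "ACTVT")] & S_QUERY_CHANGE:
            problems.append("S_QUERY allows changing queries")
        if "*" in auth[("S_TABU_DIS", "DICBERCLS")]:
            problems.append("S_TABU_DIS grants every table group")
        if problems:
            findings[user] = problems
    return findings
```

On the sample data ALICE is clean, BOB is flagged for the S_QUERY change activity and CAROL for the wildcard table group she picks up from a second role.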
For further reading, see OSS note 24578 - SAP Query: Authorizations.
The most effective solution we have seen over the years is:
Do you have to secure a system? There are not only queries; there are many other SAP security aspects to manage and deal with.
Blog post originally translated from: https://www.aglea.com/blog/sap-query-security