Importance of user master record in SAP


Task 1.1 – Importance of user master record in SAP


In SAP, the user master record holds the roles assigned to a user: when a user logs into the system with their credentials, the system checks which roles are assigned to them. A user master record is therefore a prerequisite for a user to log into the system at all. The user master record is not a fixed application; it is customised to the client's requirements. For example, if central user administration is used, the user master records are maintained in the central system. In the SAP system the user master record is used to authorise the rights and roles of individuals. It is used for the following kinds of authorisation:
·         It is used to assign a particular project to the user: the user master record is equipped with the user's assignment and the rights needed to complete it.
·         It authorises the user and protects the role assigned to them.
·         It is also used to restrict the rights of a user through authorisation.
·         It is also used to secure the authorisations themselves. In a large organisation many people work with the system, and each person must be given different authorisations and rights based on their job role, so roles must be assigned in a way that preserves the safety and security of the organisation. In SAP, the user master record creates a generic ID and password that secures every authorised ID according to its rights at the initial set-up of SAP.
·         A user's rights can be checked by an executive with the RSUSR003 report generated in SAP.
·         Security and internal control in SAP are also major factors: since SAP is a fully integrated business system, there is a risk of internal fraud if authorities and rights are not assigned with due care. SAP therefore provides SAP GRC Risk Analysis and Remediation, which should be installed to manage the risk arising from segregation of duties.

The user master record maintains user data in the SAP database together with the user's rights, authorisations and assignments. For a large organisation, safety and security are major issues: it operates across borders with internal as well as external entities, and its users include external users such as suppliers, customers and other persons outside the company server. A single loophole in the security system can lead to serious trouble for the organisation. To reduce the threat of information theft and of unauthorised rights being used by another user within the system, the company uses the user master record, which maintains each user's record by its components. The user master record also helps to deliver updates about assigned tasks by message to groups of users or to individual users in a secure manner. The user master record is accessed through transaction SU01.


Task 1.2.1 – Special about default users


SAP creates some default accounts automatically, and these cannot be deleted from the system. The default accounts include SAP*, DDIC, SAPCPIC and EARLYWATCH, of which SAP* is the super account of SAP R/3. SAP* exists in clients 000, 001 and 066 and, from release 3.0D, in every new client of SAP R/3; SAP* is created automatically in every client of SAP. As the super user, SAP* is used for the administrative work of SAP. It is used to grant access rights to SAP online. Users in online mode or at a remote location log into SAP as SAP*, so the default password of SAP* is a serious vulnerability. A remote user who logs into SAP as SAP* can modify or read whatever information they need, and through cross-client access or table modification may change the data structure from a remote location. If the SAP* user ID is missing, a user may still log in through SU01. Being the super account of the system, SAP* holds information about the other SAP accounts as well as the user master records. SAP* cannot be deleted from the system, but it can be deactivated by creating another super user, to protect the system from this vulnerability.

Task 1.2.2 – Suggested measures to secure SAP R/3 from misuse

SAP* is a default account of SAP and the super account for SAP R/3. When a default account is created, a default password is generated with it; the default password of SAP* is 06071992 PASS. Accounts created by default, including SAP*, cannot be deleted from the system. Since the default SAP* account is well known to every user, we should take safety measures to protect the system. These measures require some extra effort:
1.      Create a new super account with a strong password and deactivate the default super account SAP*; the manually created super account should then be the active one. To deactivate the automatic SAP* user, use the profile parameter login/no_automatic_user_sapstar.
2.      Executives sometimes assume that because the SAP* account is deactivated there is no security threat, but this view is risky and itself raises the likelihood of a threat. Changing the password is also difficult: to change it, the SAP system must be stopped for a time. Nevertheless, to reduce the threat of unauthorised use of SAP*, the password should be changed even though the account is deactivated. The manually created super user account should also be given a complex password. A further measure is that passwords should never be written down anywhere. So the default SAP* account deserves some extra effort for safety.


2.1.1 – Ethical concerns of the case: In the case it is given that Helen is working as a consultant on database management systems. While developing a DBMS for one organisation, she believes the database should be sufficiently secured, whereas the CEO of the organisation wants less security for it. The ethical concern for the IT professional in this situation is therefore: "should Helen build the system as requested by the CEO, or refuse to build it?" In such a situation the IT professional should first guide the client about the threats and vulnerabilities that come with weak database security, how important the database is to the organisation, why the organisation should care more about the database, and what kind of disaster may befall the organisation if the DBMS is not properly secured. If, even after understanding all this, the CEO still requests a less secure system, the IT professional must exercise due care in the system's development. According to the Information Systems Security Association (ISSA), IT professionals discharge their responsibilities with honesty and diligence and follow all applicable laws on information system security. Therefore, to comply with all IT security measures, the professional should refuse the contract if the entity needs to maintain the database in a secure manner; only if database security is not very important for the entity may the IT professional go ahead and build it. Here Helen believes the information is highly sensitive, so proper security measures are necessary for the entity. In this situation Helen should refuse to build the DBMS with weaker security.

2.1.2 – In her consultancy job, Helen faces an ethical dilemma about the importance of security for the organisation. According to the code of ethics issued by the Australian Computer Society:
·         Every IT professional should loyally serve society and the community as a whole.
·         IT professionals must place the interests of society above the interests of individuals.
·         They must preserve the security of IT services.
·         They must advise the client about any security risks.
·         They should also maintain privacy and confidentiality wherever necessary.
So, as an IT professional, Helen should advise the client. In the given scenario Helen advised the CEO of the company, but the CEO thought that lesser security could handle it. Looking at the information, it relates to medical and insurance records, so it is a highly important database for the organisation and the sensitivity of the data is very high. In this situation Helen also has to maintain privacy, so it is advisable for Helen to refuse to build the system with weaker security measures, as doing so would violate the code of ethics.

Task 2.2

2.2.1 – Ethical concerns in the case: In the given case Fred works in a state department of alcoholism and drug abuse, where the agency conducts a programme for people addicted to alcohol to overcome their problem. To conduct the programme, the entity has to maintain a database about its clients, including each client's name, address, length of treatment provided, the number of clients who return after treatment, and the client's criminal record. To manage the client records, the entity gives Fred access to the agency's computer. After downloading all the data to the computer, Fred took it home on a CD, and after completing the work left the CD at home when going to the office. Hence the key ethical concerns in the case are:
·         Whether the access provided to Fred is valid under ACS professional ethics?
·         Whether the agency should permit Fred to take the database home for work?
·         Whether Fred needed to take the entire database home?
·         Whether the agency has taken proper care of the safety of its information?
In the given case the information concerns the clients' medical treatment, their criminal records and the treatment applied to them. Under IT professional ethics, medical treatment is among the most confidential information an organisation holds. To maintain medical information, the agency has to take extra care over the security of that information.

2.2.2 – In the given case the organisation provides a service that falls under medical treatment. Under the professional ethics of information technology, an organisation should take extra security measures for information related to medical, insurance and other matters in which privacy and confidentiality are needed. Professional ethics provide the following guidelines for maintaining sensitive information securely:

·         Information that is of high importance to the organisation and considered private should not be shared with any person.
·         The organisation should not permit any person to take information home.
·         Access to private information should be granted to authorised persons only.
·         Secured information should not be shared with non-IT professionals.
In the given case the company grants access rights to Fred even though Fred is not authorised to access the information. All the information in the client files relates to the clients' privacy, and the responsibility for keeping clients' private information secure lies with the entity, which should take extra care over it. But in the given case the entity maintains no security measures. Fred even takes the entire database home without informing the agency, and no one in the agency is aware of it. After completing the work, Fred forgets to bring the information back to the office. Looking at the whole scenario, it is very clear that the organisation does not maintain its information securely, and that the organisation violates the professional ethics of IT security.

Task 3 – Top ten OWASP vulnerabilities and their consequences for the organisation

The OWASP Top Ten vulnerabilities are the following:
-          Injection: The top-ranked OWASP vulnerability (A1) is injection, to which a system is vulnerable through poor handling of untrusted input and errors. To be safe from this, even in its zero-day forms, the organisation should keep untrusted data separate from commands and queries.
-          Broken authentication and session management: These vulnerabilities arise from weak protection of the system's credentials, exposure of IDs and passwords in URLs, and the absence of an auto-logout facility in the system. To guard against them, the organisation should make strong efforts to avoid XSS flaws, and developers should have a single set of authentication controls available to them.
-          Cross-site scripting: This vulnerability arises from improper validation of input and output pages. To reduce it, the organisation should use white-list (positive) validation in the system.
-          Insecure direct object references: This vulnerability arises from direct access to objects in the system. To reduce it, the organisation should prevent insecure direct access in the system.
-          Security misconfiguration: These vulnerabilities arise from improper security configuration of the system. The organisation should therefore use secure configurations on its servers, and developers should check the security configuration regularly. To keep the system properly secured, any insecure defaults found should be corrected.
-          Sensitive data exposure: Some websites are unable to protect sensitive information such as credit card and password credentials, so sensitive information may be stolen by unauthorised persons. To reduce this, the organisation should encrypt information in transit and take precautions when handling such information in the browser.
-          Missing function level access control: Almost all websites check function-level access rights only when deciding whether a function is visible, but in reality the check should be made at the time the function is accessed. To reduce this vulnerability, the organisation should take extra care to verify access when the information is actually accessed.
-          Cross-site request forgery: In this vulnerability the attacker causes the victim's browser to send a forged HTTP request that carries the victim's authentication, so the browser sends sensitive information on the attacker's behalf. To reduce it, the organisation should use a token for each HTTP request, and the token should be unique each time.
-          Using components with known vulnerabilities: Operating systems and components with known vulnerabilities are also risky, so the organisation should fix the problem in the next version of the system.
-          Unvalidated redirects and forwards: Some web owners redirect to other pages without knowing whether those pages are secure. To reduce this vulnerability, the organisation should check the security of a page before redirecting to it.
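The injection point above, separating untrusted data from the query, illustrated with an added example (not from the original post): a lookup built by string concatenation beside the same lookup using parameter binding, run against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration, not real records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is concatenated into the command text, so data and
    # query are mixed: a crafted name changes the WHERE clause itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    # Parameter binding keeps the data out of the query text: the driver
    # passes the value separately, so it can only ever match as a literal.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row leaks
    print("safe:      ", lookup_safe(db, probe))        # no row matches
```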
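The cross-site request forgery point above calls for a token per request that is unique each time. This added example (my own design, not code from the original post) issues a fresh random nonce per form render, binds it to the session with an HMAC under an assumed server-side key, and consumes each token on first use so a replayed or forged token is rejected.

```python
import hashlib
import hmac
import secrets


class CsrfProtector:
    """Per-request anti-CSRF tokens bound to a session (assumed design)."""

    def __init__(self, server_key: bytes):
        self._key = server_key      # secret known only to the server
        self._used = set()          # nonces already consumed (single use)

    def _mac(self, session_id: str, nonce: str) -> str:
        # The MAC ties the nonce to one session, so a token captured for
        # another session (or minted by the attacker) will not verify.
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        # A new random nonce for every form render makes each token unique.
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def validate(self, session_id: str, token: str) -> bool:
        try:
            nonce, mac = token.split(".", 1)
        except ValueError:
            return False                       # malformed token
        if nonce in self._used:
            return False                       # replayed token
        if not hmac.compare_digest(mac, self._mac(session_id, nonce)):
            return False                       # forged or wrong session
        self._used.add(nonce)                  # consume on success
        return True


if __name__ == "__main__":
    guard = CsrfProtector(secrets.token_bytes(32))
    tok = guard.issue("session-A")
    print(guard.validate("session-A", tok))   # True on first use
    print(guard.validate("session-A", tok))   # False on replay
```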
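For the unvalidated redirects point above, checking a redirect target before sending the user there, this added example (not from the original post) validates a user-supplied target against an assumed allow-list of hosts, falling back to a safe default for off-site, protocol-relative and non-HTTP targets.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts the application may redirect to.
ALLOWED_HOSTS = {"app.example.com"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return target if it stays on an allowed host, otherwise default."""
    if not target:
        return default
    # Some browsers treat backslashes as slashes, so normalise them first
    # rather than letting "/\evil.example" slip past the checks below.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                 # javascript:, data:, etc.
    if parts.netloc:
        # Absolute or protocol-relative URL (//evil.example): hostname must
        # be allowed; urlsplit's hostname drops userinfo like user@host.
        host = parts.hostname or ""
        return candidate if host in ALLOWED_HOSTS else default
    # No host: accept only a local path that starts with a single "/".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    for t in ["/account", "//evil.example/", "https://app.example.com/dash",
              "javascript:alert(1)", "/\\evil.example"]:
        print(f"{t!r:32} -> {safe_redirect_target(t)!r}")
```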
