Automated Checking of SAP Security Permisisons
Configuring user security permissions in standard business applications (such as SAP systems) is difficult and error-prone. There are many examples of wrongly configured systems that are open to misuse by unauthorized parties.
To check permission files of a realistic size in a medium to large organization manually can be a daunting task which is of ten neglected.
We present research on construction of a tool which automatically checks the SAP configuration for security policy rules (such as separation of duty). The tool uses advanced methods of automated software engineering: The permissions are given as input in an XML format through an interface from the SAP system, the business application is described ba a diagram modeled with standard UML CASE (Computer-Aided Software Engineering) — tools and output as XMI, and our tool checks the permissions against the rules using an analyzer written in Prolog. Because of its modular architecture and its standardized interfaces, the tool can be easily adapted to check security constraints in other kinds of application software (such as firewall or other access control configurations).
Key wordsintegrity and internal control in financial systems automated configuration review security restraints
- [AJP95]M. Abrams, S. Jajodia, and H. Podell, editors. Information security: an integrated collection of essays. IEEE Computer Society Press, 1995.Google Scholar
- [Alt03]E. Alter. SAP permissions and business processes. Master’s thesis, TU Munich, 2003. In preparation.Google Scholar
- [GAR03]J. D. Guttman, A. L. Herzog, and J. D. Ramsdell. Information flow in operating systems: Eager formal methods. In Workshop on Issues in the Theory of Security (WITS’03). IFIP WG 1.7, ACM SIGPLAN and GI FoMSESS, 2003.Google Scholar
- [JCF+02]J. Jürjens, V. Cengarle, E. Fernandez, B. Rumpe, and R. Sandner, editors. Critical Systems Development with UML, number TUM-I0208 in TUM technical report, 2002. UML’02 satellite workshop proceedings.Google Scholar
- [JHC02]J.-M. Jézéquel, H. Hussmann, and S. Cook, editors. UML 2002 — The Unified Modeling Language, volume 2460 of Lecture Notes in Computer Science, Automated Checking of SAP Security Permissions 21 Dresden, Sept. 30–Oct. 4 2002. Springer-Verlag, Berlin. 5th International Conference.Google Scholar
- [JKS95]S. Jajodia, B. Kogan, and R. Sandhu. A multilevel-secure object-oriented data model. In S. Jajodia, and H. Podell, Information security: an integrated collection of essays. IEEE Computer Society Press, 1995 Abrams et al. [AJP95].Google Scholar
- [Jür02]J. Jürjens. UMLsec: Extending UML for secure systems development. In H. Hussmann, and S. Cook, UML 2002 — The Unified Modeling Language, Springer-Verlag, Berlin. Jezequel et al. [JHC02], pages 412–425.Google Scholar
- [Jür03]J. Jürjens. Secure Systems Development with UML. Springer-Verlag, Berlin, 2003. In preparation.Google Scholar
- [LBD02]T. Lodderstedt, D. Basin, and J. Doser. SecureUML: A UML-based modeling language for model-driven security. In H. Hussmann, and S. Cook, UML 2002 — The Unified Modeling Language, Springer-Verlag, Berlin. Jézéquel et al. [JHC02].Google Scholar
- [Obj02]Object Management Group. Meta-object facility, version 1.4. In OMG Specifications. OMG, April 2002.Google Scholar
- [Po192]W. Timothy Polk. Automated tools for testing computer systems vulnerability. In NIST Special Publications. National Institute of Standards and Technology, December 1992.Google Scholar
- [Pow02]Richard Power. 2002 CSI/FBI computer crime and security survey. Technical report, Computer Security Institute, Spring 2002.Google Scholar
- [RS01]A. Rosenthal and E. Sciore. Administering permissions for distributed data: Factoring and automated inference. In IFIP11.3 Conf. on Data and Application Security, 2001.Google Scholar
- [Sch03]Marillyn Aidong Schwaiger. Tool-supported analysis of business processes and SAP permissions, 2003. Study project, TU Munich. In preparation.Google Scholar
- [Wei95]C. Weissman. Penetration testing. In S. Jajodia, and H. Podell, Information security: an integrated collection of essays. IEEE Computer Society Press, 1995 Abrams et al. [AJP95], chapter 11, pages 269–296.Google Scholar