Advertisement

Automated Checking of SAP Security Permisisons

  • Sebastian Höhn
  • Jan Jürjens
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 140)

Abstract

Configuring user security permissions in standard business applications (such as SAP systems) is difficult and error-prone. There are many examples of wrongly configured systems that are open to misuse by unauthorized parties.

To check permission files of a realistic size in a medium to large organization manually can be a daunting task which is of ten neglected.

We present research on construction of a tool which automatically checks the SAP configuration for security policy rules (such as separation of duty). The tool uses advanced methods of automated software engineering: The permissions are given as input in an XML format through an interface from the SAP system, the business application is described ba a diagram modeled with standard UML CASE (Computer-Aided Software Engineering) — tools and output as XMI, and our tool checks the permissions against the rules using an analyzer written in Prolog. Because of its modular architecture and its standardized interfaces, the tool can be easily adapted to check security constraints in other kinds of application software (such as firewall or other access control configurations).

Key words

integrity and internal control in financial systems automated configuration review security restraints 

References

  1. [AJP95]
    M. Abrams, S. Jajodia, and H. Podell, editors. Information security: an integrated collection of essays. IEEE Computer Society Press, 1995.Google Scholar
  2. [Alt03]
    E. Alter. SAP permissions and business processes. Master’s thesis, TU Munich, 2003. In preparation.Google Scholar
  3. [BdVS02]
    P. Bonatti, S. De Capitani di Vimercati, and P. Samarati. An algebra for composing access control policies. ACM Transactions on Information and System Security, 5(1):1–35, February 2002.CrossRefGoogle Scholar
  4. [GAR03]
    J. D. Guttman, A. L. Herzog, and J. D. Ramsdell. Information flow in operating systems: Eager formal methods. In Workshop on Issues in the Theory of Security (WITS’03). IFIP WG 1.7, ACM SIGPLAN and GI FoMSESS, 2003.Google Scholar
  5. [JCF+02]
    J. Jürjens, V. Cengarle, E. Fernandez, B. Rumpe, and R. Sandner, editors. Critical Systems Development with UML, number TUM-I0208 in TUM technical report, 2002. UML’02 satellite workshop proceedings.Google Scholar
  6. [JHC02]
    J.-M. Jézéquel, H. Hussmann, and S. Cook, editors. UML 2002 — The Unified Modeling Language, volume 2460 of Lecture Notes in Computer Science, Automated Checking of SAP Security Permissions 21 Dresden, Sept. 30–Oct. 4 2002. Springer-Verlag, Berlin. 5th International Conference.Google Scholar
  7. [JKS95]
    S. Jajodia, B. Kogan, and R. Sandhu. A multilevel-secure object-oriented data model. In S. Jajodia, and H. Podell, Information security: an integrated collection of essays. IEEE Computer Society Press, 1995 Abrams et al. [AJP95].Google Scholar
  8. [Jür02]
    J. Jürjens. UMLsec: Extending UML for secure systems development. In H. Hussmann, and S. Cook, UML 2002 — The Unified Modeling Language, Springer-Verlag, Berlin. Jezequel et al. [JHC02], pages 412–425.Google Scholar
  9. [Jür03]
    J. Jürjens. Secure Systems Development with UML. Springer-Verlag, Berlin, 2003. In preparation.Google Scholar
  10. [LBD02]
    T. Lodderstedt, D. Basin, and J. Doser. SecureUML: A UML-based modeling language for model-driven security. In H. Hussmann, and S. Cook, UML 2002 — The Unified Modeling Language, Springer-Verlag, Berlin. Jézéquel et al. [JHC02].Google Scholar
  11. [Obj02]
    Object Management Group. Meta-object facility, version 1.4. In OMG Specifications. OMG, April 2002.Google Scholar
  12. [Po192]
    W. Timothy Polk. Automated tools for testing computer systems vulnerability. In NIST Special Publications. National Institute of Standards and Technology, December 1992.Google Scholar
  13. [Pow02]
    Richard Power. 2002 CSI/FBI computer crime and security survey. Technical report, Computer Security Institute, Spring 2002.Google Scholar
  14. [RS01]
    A. Rosenthal and E. Sciore. Administering permissions for distributed data: Factoring and automated inference. In IFIP11.3 Conf. on Data and Application Security, 2001.Google Scholar
  15. [Sch03]
    Marillyn Aidong Schwaiger. Tool-supported analysis of business processes and SAP permissions, 2003. Study project, TU Munich. In preparation.Google Scholar
  16. [Wei95]
    C. Weissman. Penetration testing. In S. Jajodia, and H. Podell, Information security: an integrated collection of essays. IEEE Computer Society Press, 1995 Abrams et al. [AJP95], chapter 11, pages 269–296.Google Scholar

Copyright information

© Kluwer Academic Publishers 2004

Authors and Affiliations

  • Sebastian Höhn
    • 1
  • Jan Jürjens
    • 1
  1. 1.Software & Systems Engineering, InformaticsTU MunichGermany

Personalised recommendations