Abstract
Configuring user security permissions in standard business applications (such as SAP systems) is difficult and error-prone. There are many examples of wrongly configured systems that are open to misuse by unauthorized parties.
Manually checking permission files of the size found in a medium-sized or large organization is a daunting task that is often neglected.
We present research on the construction of a tool that automatically checks an SAP configuration against security policy rules (such as separation of duty). The tool uses advanced methods of automated software engineering: the permissions are given as input in an XML format through an interface from the SAP system, the business application is described by a diagram modeled with standard UML CASE (Computer-Aided Software Engineering) tools and exported as XMI, and our tool checks the permissions against the rules using an analyzer written in Prolog. Because of its modular architecture and its standardized interfaces, the tool can easily be adapted to check security constraints in other kinds of application software (such as firewall or other access control configurations).
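The abstract describes the checking step only in outline: an XML export of the SAP permissions is matched against policy rules such as separation of duty. The following Python script is an added example written for this page, not the authors' tool (which uses a Prolog analyzer). It assumes a constructed XML layout with single and composite roles, a constructed set of SoD rules expressed as pairs of conflicting transaction codes, and illustrative role names; a real export (for example from the SAP role and user assignment tables) would need its own parser. It resolves each user's effective transaction codes through composite-role containment and reports every user who holds both sides of a rule.

```python
"""Separation-of-duty check over an SAP-style user/role export.

Added example for this page (not the authors' Prolog-based tool). The XML
layout, the role names and the SoD rule pairs below are constructed for
illustration only.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample export: users, roles (single and composite), and the
# transaction codes each single role grants. Composite roles list the
# single roles they contain instead of transaction codes.
SAMPLE_EXPORT = """<permissions>
  <roles>
    <role name="Z_VENDOR_MAINT"><tcode>FK01</tcode><tcode>FK02</tcode></role>
    <role name="Z_AP_INVOICE"><tcode>FB60</tcode></role>
    <role name="Z_PAYMENT_RUN"><tcode>F110</tcode></role>
    <role name="Z_PURCHASING"><tcode>ME21N</tcode></role>
    <role name="Z_GOODS_RECEIPT"><tcode>MIGO</tcode></role>
    <role name="Z_AP_CLERK_ALL">
      <contains>Z_VENDOR_MAINT</contains><contains>Z_AP_INVOICE</contains>
    </role>
  </roles>
  <users>
    <user id="ALICE"><role>Z_VENDOR_MAINT</role></user>
    <user id="BOB"><role>Z_AP_CLERK_ALL</role></user>
    <user id="CAROL"><role>Z_PURCHASING</role><role>Z_GOODS_RECEIPT</role></user>
    <user id="DAVE"><role>Z_AP_INVOICE</role><role>Z_PAYMENT_RUN</role></user>
  </users>
</permissions>"""

# Constructed SoD rules: pairs of transactions one person must not hold together.
SOD_RULES = {
    "create vendor + post vendor invoice": ("FK01", "FB60"),
    "post vendor invoice + run payments": ("FB60", "F110"),
    "create purchase order + post goods receipt": ("ME21N", "MIGO"),
}


def parse_roles(root):
    """Return {role_name: (set_of_tcodes, list_of_contained_roles)}."""
    roles = {}
    for r in root.find("roles"):
        tcodes = {t.text.strip() for t in r.findall("tcode")}
        contained = [c.text.strip() for c in r.findall("contains")]
        roles[r.get("name")] = (tcodes, contained)
    return roles


def expand_role(role, roles, seen=None):
    """Effective tcodes of a role, following composite-role containment.
    Tracks visited roles so a malformed (cyclic) export cannot loop the checker;
    an unknown role name contributes nothing rather than raising."""
    seen = seen if seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    tcodes, contained = roles[role]
    result = set(tcodes)
    for child in contained:
        result |= expand_role(child, roles, seen)
    return result


def effective_permissions(xml_text):
    """{user_id: set of effective tcodes} for every user in the export."""
    root = ET.fromstring(xml_text)
    roles = parse_roles(root)
    perms = defaultdict(set)
    for u in root.find("users"):
        for r in u.findall("role"):
            perms[u.get("id")] |= expand_role(r.text.strip(), roles)
    return dict(perms)


def sod_violations(xml_text, rules=SOD_RULES):
    """Sorted (user, rule_name) pairs where a user holds both sides of a rule."""
    perms = effective_permissions(xml_text)
    found = []
    for user, tcodes in perms.items():
        for name, (a, b) in rules.items():
            if a in tcodes and b in tcodes:
                found.append((user, name))
    return sorted(found)


if __name__ == "__main__":
    for user, rule in sod_violations(SAMPLE_EXPORT):
        print(f"SoD violation: {user} -> {rule}")
```

The point of resolving composite roles before checking is that BOB never holds FK01 or FB60 directly; only the expanded view of Z_AP_CLERK_ALL shows the conflict, which is exactly the kind of indirect grant a manual review of the raw assignment list tends to miss.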
Copyright information
© 2004 Kluwer Academic Publishers
About this chapter
Cite this chapter
Höhn, S., Jürjens, J. (2004). Automated Checking of SAP Security Permisisons. In: Jajodia, S., Strous, L. (eds) Integrity and Internal Control in Information Systems VI. IICIS 2003. IFIP International Federation for Information Processing, vol 140. Springer, Boston, MA. https://doi.org/10.1007/1-4020-7901-X_2
DOI: https://doi.org/10.1007/1-4020-7901-X_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4020-7900-9
Online ISBN: 978-1-4020-7901-6
eBook Packages: Springer Book Archive