
ADM950
Secure SAP System Management

PARTICIPANT HANDBOOK
INSTRUCTOR-LED TRAINING

Course Version: 19
Course Duration: 2 Day(s)
e-book Duration: 11 Hours 5 Minutes
Material Number: 50152615
SAP Copyrights, Trademarks and Disclaimers

© 2020 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see
http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software
vendors.
National product specifications may vary.
This course may have been machine translated and may contain grammatical errors or inaccuracies.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without
notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which
speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Typographic Conventions

American English is the standard used in this handbook.

The following typographic conventions are also used (each is marked by its own icon in the printed handbook):

This information is displayed in the instructor's presentation

Demonstration

Procedure

Warning or Caution

Hint

Related or Additional Information

Facilitated Discussion

User interface control: Example text

Window title: Example text

© Copyright. All rights reserved. iii


Contents

vi Course Overview

1 Unit 1: Introduction to Internal Security Auditing
2 Lesson: Describing Security Auditing

15 Unit 2: Audit Information System (AIS) and the Audit Information System Cockpit
16 Lesson: Configuring and Using the AIS
26 Lesson: SAP Solution for Managing the Audit
32 Lesson: Appendix: Performing a System Audit Using the Audit Cockpit

39 Unit 3: User and Authorization Audit
40 Lesson: Customizing the Role Maintenance Tool
51 Lesson: Analyzing and Securing Users
63 Lesson: Describing Segregation of Duties and Critical Authorization
72 Lesson: Securing the System by Login-Related Parameters
80 Lesson: Describing the User Management Engine (UME) in SAP NetWeaver AS for Java

87 Unit 4: Logs in AS ABAP
88 Lesson: Configuring and Using the Security Audit Log
99 Lesson: Monitoring AS ABAP Using Logs

122 Unit 5: Security in System Administration Tasks
123 Lesson: Securing System Administration Services
141 Lesson: Securing External System Access and RFC Communications

151 Unit 6: Security in Change Management
152 Lesson: Securing Change Management
168 Lesson: Understanding Software Security Vulnerabilities

176 Unit 7: SAP Security Notes
177 Lesson: Consulting SAP Security Notes
183 Lesson: Appendix: Optimizing Security Using SAP Security Optimization Self-Service
194 Lesson: Appendix: Implementing and Checking Technical Security Recommendations


Course Overview

TARGET AUDIENCE
This course is intended for the following audiences:

Technology Consultant

System Administrator



UNIT 1 Introduction to Internal Security Auditing

Lesson 1
Describing Security Auditing 2

UNIT OBJECTIVES

Describe security auditing

Describe the basics of SAP Access Governance



Unit 1
Lesson 1
Describing Security Auditing

LESSON OVERVIEW
This lesson discusses the general goals of securing the SAP system landscape and explains the need for
appropriate system security and for periodic audits of the security setup. It gives an overview of the tools
you use to set up security and security monitoring, and it discusses the role maintenance tool, its primary
elements, and its functions. The role maintenance tool is a critical part of any security implementation.

Note:
This lesson sets the expectations and framework of the class. It provides an overview of the topics
covered and focuses on how to ensure that company policies are implemented, rather than on how to
set up security; it also provides specific guidelines for system security issues.

Business Example
You need to assess, and then establish, enterprise data security in your SAP systems. Before
you start, you need to define your goals and plan your approach. Your specific goals will
depend, in part, upon which countries or jurisdictions your organization operates in and upon
what legal and regulatory requirements are mandated. You also need to know what
information and access you must secure. You must understand the effective approaches and
tools you need to use to accomplish these tasks. For this reason, you require the following
knowledge:

An understanding of goals for securing an enterprise application

An understanding of the purpose and procedures for conducting audits of your internal
system security

An understanding of how to outline the authorization and role maintenance process

An understanding of tools available for conducting audits of system security

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe security auditing

Describe the basics of SAP Access Governance

Goals for Securing an Enterprise Application


SAP offers comprehensive business solutions including SAP S/4HANA, as well as SAP
Business Suite and Business Suite on HANA, which contains several components such as:

SAP Enterprise Resource Planning (SAP ERP)

SAP Customer Relationship Management (SAP CRM)

SAP Supplier Relationship Management (SAP SRM)

SAP Supply Chain Management (SAP SCM)

SAP Product Lifecycle Management (SAP PLM)

SAP Cloud applications

SAP Mobile applications

Each of these solutions shares certain common system security goals.

Figure 1: System Security Goals

In detail, these goals entail the following:

Availability
Availability ensures that users can access their resources whenever they need them. When determining
your availability requirements, consider the costs that result from unplanned downtime, for example, loss
of customers, costs for unproductive employees, and overtime. Some damage cannot be fully expressed
in terms of money, for example, loss of reputation.

Authentication
Authentication establishes the real identity of the user. You can use the following authentication
mechanisms in a system environment:

Authentication using user ID and password

Authentication using a smart card

Authentication using a smart card and PIN

Authorization
Authorization defines the rights and privileges of the authenticated user. It determines which functions a
user can access. The application must be programmed to check whether or not a user is authorized before
that user can access a particular function; the check is not performed implicitly.

Confidentiality
Confidentiality ensures that the user's history and communication are kept confidential. Information and
services need to be protected from unauthorized access. The authorizations to read, change, or add
information or services must be granted explicitly to only a few users, and other users must be denied
access. If you post something on the Internet, the confidentiality of that information is at risk.

Integrity
Integrity ensures that user information which has been transmitted or stored has not been altered.
Programs and services should execute correctly and provide accurate information. Consequently,
unauthorized people, programs, or hardware components must not be able to modify programs and
services.

Nonrepudiation
Repudiation is the act of denying that you have done something; nonrepudiation ensures that people
cannot deny their actions.

Each SAP application is subject to both internal and external audit requirements. Many organizations
have policies which require that security and data security risks be identified, documented, and managed
in order to avoid disruption of business activities, safeguard the organization's reputation, and maintain
compliance with specific regulatory requirements.

Figure 2: Regional Compliance Regulatory Examples

Compliance standards may be specific to a particular region or country, or may apply to multiple regions.
For example, the Sarbanes-Oxley Act of 2002 (SOX) applies to the United States, while the General Data
Protection Regulation (GDPR) applies to all members of the European Union.
SAP provides many solutions and applications to assist with Governance, Risk and
Compliance. These solutions are designed to help you identify and document risks, document
internal and external controls, and demonstrate compliance with specific regulatory
requirements. Furthermore, each SAP solution or application includes native security tools
and functions for use in securing access to system and business resources, managing users
and their security as well as technical and application audit logs.

For more information about the General Data Protection Regulation, see
https://wiki.scn.sap.com/wiki/download/attachments/473963058/2018_SITWDF_EU-GDPR_cloud.pdf?version=2&modificationDate=1516013177000&api=v2 .

SAP Security Products, Features, and Services

Figure 3: SAP Security Products and Services

Each SAP system supports specific business needs and consists of various applications. You
must configure each application to meet the demands of your business environment and to
comply with applicable governmental regulations. Each SAP system must be sufficiently
secure, and user errors, negligence, or attempted manipulation of your systems must not
result in loss of information or processing time. The figure SAP Security Products, Features,
and Services shows the latest security products, features and services offered by SAP.
For more information about SAP security products, features, and services, see
https://www.sap.com/products/erp-financial-management/grc.html .

Security Audit Preparation


Preparation for a security audit is critical to establish and enforce the security policies of your
company. You must conduct a system audit to ensure that these security policies are
enforced in your SAP suite of products.

Questions to Consider When Conducting a System Security Audit

Are the roles assigned to the user consistent with the required activities of the user?

Are remote logon and assigned roles consistent with the required actions and activities?

Is security being monitored consistently?

How does the security administrator know when a security threat has occurred?

Is the role maintenance tool configured to provide maximum security?

Are critical applications and tables logged according to the business policies?

How is security involved in changes that are migrated to production?

Are the system authorizations required for each user implemented correctly?

Are users administered in accordance with corporate policies?

Helpful Tools
The following tools can help you answer the questions that arise during a system security
audit:

Audit Information System (AIS)

User information system

System audit log

Technical Monitoring Alerts in SAP Solution Manager

Computer Center Management System (CCMS) alerts

Trace tools

Role maintenance tool

SAP solutions for Governance, Risk, and Compliance (GRC)

SAP Audit Management

Tools for Conducting Audits of System Security


You must exert a great deal of effort to implement appropriate security. SAP offers several
services to meet the security demands of an SAP system.
To use SAP services effectively, determine the security demands that apply specifically to
your system.
Analyze your requirements on each system and define your priorities.
Consider the following points of inquiry, among others:

Where is your system most vulnerable?

What information do you consider critical?

Where is critical information stored or transferred?

What security options can you use to protect your critical data and communications?

We recommend that you establish a security policy that reflects your requirements and
priorities. Your senior management and employees must support and encourage your
security policy. The security policy must be practiced company-wide, and must cover your
entire IT infrastructure, including your SAP systems. The security policy must involve all
security aspects that are important to your system.

Note:
For more information about how to ensure the required security for your SAP
system landscape, see the Security Guide in the SAP Help portal at http://help.sap.com/nw74 .

This lesson discusses the security aspects that apply to users who have logged on to your
system. Our focus will include the following critical security aspects:

User authentication

Authorization protection

Auditing and logging

The SAP NetWeaver technical platform offers many standard features to enforce and validate
user security across these three critical aspects, as well as a suite of Access Governance
products and service offerings.
SAP NetWeaver offers the following features for user authentication:

Enforcement of password rules

Monitoring of unauthorized logon attempts

Reacting to unauthorized logon attempts

For user authentication, SAP provides password rules that users must follow. You actively
monitor unauthorized logon attempts, and you actively react to them, for example by locking
the user after a defined number of failed attempts.
SAP NetWeaver offers the following features for authorization protection:

Authority checks using the ABAP statement AUTHORITY-CHECK in source programs

Authority checks are available in all SAP systems, but an authorization object is only checked
where the application code explicitly calls the check; the system does not enforce it implicitly.

Role maintenance tool (transaction PFCG)

The role maintenance tool helps you build roles and generate the corresponding authorization
profiles.

User information system (transaction SUIM)

The User Information System helps you research current authorizations and debug
authorization problems.

Trace tools (transaction ST01 or STAUTHTRACE)

Trace tools perform an authorization-specific trace, which lists each authorization object
checked for a specific function, together with the return code of each check.
SAP NetWeaver offers the following features for auditing and logging:

Audit Information System (AIS)

The AIS supports both business audits and system audits. The AIS is a role-based solution
that provides online help for auditors and guides them through the process of conducting a
thorough audit.

Security audit log

The security audit log is primarily for the system auditor. The audit log, which is similar to
the system log, records actions and events that can be evaluated at a later time. Configure
the audit log to log the data that is most important to you.

Application and table logs

You use application logs and table logs as required to log specific actions that occur on
your system.

The most important factor in providing system security is your own security policy. Dedicate
sufficient time and resources to implement your security policy and to identify, procure and
implement the tools that are needed to enforce the level of security that you desire.
The security policy should answer the following questions:

Who is responsible for your IT security?

What needs to be protected?

Who could possibly attack the system?

What is the risk posed by a potential attack?

Which protection mechanisms are required?

Which procedures are to be enforced?

How much protection can you afford?

Overview of SAP Access Governance


SAP Access Governance
In addition to the security functionality and reporting capabilities included as standard with
SAP NetWeaver, SAP provides a suite of Access Governance products and services to help
ensure compliance with the business, technical, legal, regulatory, and policy requirements
relevant to the organization. These governance tools and services are delivered on a
framework built on best-in-class technology that supports:

Account Management

Access Management

Risk and Compliance Management

Authentication Management

SAP Access Governance products, tools and services can be integrated with SAP Enterprise
Risk and Compliance solutions in order to provide transparency and improved visibility of
access related risks and controls throughout the enterprise.

Objectives of Access Governance

Figure 4: Objective of Access Governance

SAP Access Governance represents a critical component of SAP's overall Governance, Risk
and Compliance strategy. Most organizations have challenges centered around several
critical objectives that impact or severely limit their ability to manage access governance
effectively:

How do we manage digital identities effectively across hybrid IT environments?

How do we identify and remedy access issues and segregation of duties conflicts to
minimize overall risk?

How do we ensure timely, effective user provisioning and de-provisioning and reduce
manual tasks?

How do we ensure, and demonstrate, compliance with legal, regulatory and policy
requirements?

How do we support the end user population so that compliance requirements are
balanced with end user access needs?

Effective access governance must strike a delicate balance between providing users the
access they need and managing that user access in a compliant manner consistent with the
principles of access governance so as to minimize any risks associated with the access
granted. How users access the systems and resources needed to perform their job functions
is continually evolving to leverage new technologies and new digital platforms.
With these new platforms come new security and compliance challenges. Organizations need
end to end solutions that can support the identity lifecycle across multiple environments,
platforms, devices types and which support effective access governance processes and
procedures.

Key Elements of Access Governance

Figure 5: Key Elements of Access Governance

The key elements of a successful access governance strategy are outlined in the figure above
and include:

Risk Analysis

User Provisioning

Role Maintenance

Access Review

Monitoring Access

Risk analysis is critical to ensure that an organization understands the risks present in its
application environments and can identify when mitigating controls need to be put in place to
mitigate those risks. Real-time analysis capabilities need to be incorporated into the user
management process and the role management process.
The access provisioning and de-provisioning processes need to be effective and efficient and
provide for all necessary review and approval. Risk should be identified before access is
provisioned into productive environments, and mitigated with appropriate controls.
Role design and maintenance activities should support a business, activity, or task-based
design process that can be managed centrally and in a compliant fashion.
User access should be reviewed periodically through regular user access reviews. Access to
systems and functions, and segregation of duties, should be reviewed regularly to minimize
risk exposure.
Risk should be monitored regularly so that risk owners are aware of when and how often
critical access or segregation of duties violations occur. Emergency access must be managed
and monitored to ensure compliance.
These capabilities should extend to the organization's whole application environment,
whether it operates on-premise, in the cloud, or both.

Comprehensive Access Control

Figure 6: Comprehensive Access Control

SAP Access Governance and Control delivers a suite of products and solutions that support
comprehensive access governance throughout the digital identity lifecycle. SAP products for
access governance include:

SAP GRC Access Control

SAP Identity Management

SAP Cloud Platform Identity Authentication Service

SAP Cloud Platform Identity Provisioning Service

SAP Cloud Identity Access Governance

Together these products enable organizations to implement a unified, enterprise approach to
access governance for all business applications, both on-premise and in the cloud. We will
discuss SAP Access Control in further detail in Unit 3.

LESSON SUMMARY
You should now be able to:

Describe security auditing

Describe the basics of SAP Access Governance



Unit 1

Learning Assessment

1. Which of the following are goals for system security?
Choose the correct answers.

A Non-repudiation

B Confidentiality

C Resource availability

D All of the above

2. A secure operations strategy should address the areas of security compliance, secure
operations, secure setup, secure code, and infrastructure security.
Determine whether this statement is true or false.

True

False

3. Which of the following are key elements of an effective Access Governance strategy?
Choose the correct answers.

A User access reviews

B Monitoring transaction response time

C Monitoring transaction usage

D Risk analysis

4. Your Access Governance strategy only applies to on-premise deployments of SAP
solutions.
Determine whether this statement is true or false.

True

False



Unit 1

Learning Assessment - Answers

1. Which of the following are goals for system security?
Choose the correct answers.

A Non-repudiation

B Confidentiality

C Resource availability

D All of the above

Non-repudiation, confidentiality, and resource availability are goals for system security.

2. A secure operations strategy should address the areas of security compliance, secure
operations, secure setup, secure code, and infrastructure security.
Determine whether this statement is true or false.

True

False

A secure operations strategy should address the areas of security compliance, secure
operations, secure setup, secure code, and infrastructure security.

3. Which of the following are key elements of an effective Access Governance strategy?
Choose the correct answers.

A User access reviews

B Monitoring transaction response time

C Monitoring transaction usage

D Risk analysis

User access reviews, monitoring transaction usage, and risk analysis are key elements of
an effective Access Governance strategy.

4. Your Access Governance strategy only applies to on-premise deployments of SAP
solutions.
Determine whether this statement is true or false.

True

False

Your Access Governance strategy does not only apply to on-premise deployments of SAP
solutions.



UNIT 2 Audit Information System (AIS) and the Audit Information System Cockpit

Lesson 1
Configuring and Using the AIS 16

Lesson 2
SAP Solution for Managing the Audit 26

Lesson 3
Appendix: Performing a System Audit Using the Audit Cockpit 32

UNIT OBJECTIVES

Review the Audit Information System (AIS)

Perform a system audit using the AIS

Describe SAP Audit Management

Understand how SAP Audit Management can support internal audit activities

Describe the audit structure

Perform a system audit using the Audit Cockpit

Display the audit logs



Unit 2
Lesson 1
Configuring and Using the AIS

LESSON OVERVIEW
This lesson introduces you to the purpose, configuration, and usage of the Audit Information
System (AIS). This lesson explains the differences between a system audit and a business
audit, but focuses primarily on the system audit.
In this lesson, you will create an auditor end user.

Business Example
Your organization wants you to assess and ensure enterprise data security in your SAP
solutions. You need to use the AIS tools to conduct a thorough, structured audit of the system
security at your organization. Before using the AIS, you must understand its purpose and
scope, as well as how to set it up. For this reason, you require the following knowledge:

An understanding of the purpose of the AIS

An understanding of roles and authorizations in the AIS

An understanding of how to demonstrate the ability to navigate and use the AIS roles

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Review the Audit Information System (AIS)

Perform a system audit using the AIS

Elements of the AIS


The Audit Information System (AIS) is an auditing tool that you use to analyze security
aspects of your SAP system in detail. The AIS improves audit quality and rationalizes audit
methods. The AIS is a collection of programs and transactions provided by SAP. These
programs and transactions are organized in a role-based approach. The AIS is designed to
meet the auditing standards and requirements for both internal and external auditing.

Audit Environment and Tasks

Figure 7: Audit Environment and Tasks

An auditor must plan audits, execute both system and business audit tasks, analyze the audit
results, and document and monitor audit findings. The AIS is a role-based audit toolkit for the
auditor in an SAP environment. The SAP-delivered audit roles provide access to business and
system-related audit data. Transactions and reports for executing audit-related tasks give you
the data and information you need to perform either a functional audit, for example a tax audit,
or a technical system audit. SAP software is used around the world, and with the AIS SAP has
delivered an audit tool that can serve the needs of internal auditors, external auditors, tax
auditors, and data security and privacy officers.

AIS

Figure 8: Examples of Menus from AIS Roles

The AIS consists of a series of menu roles and authorization roles. Using a combination of
these roles, an auditor can access all SAP structures, documents, configuration and
components that need to be analyzed.

Documentation in the User Menu

Figure 9: Documentation in the User Menu

The AIS includes various types of documentation, including documentation specifically for the
AIS, documentation from the SAP Library, documentation for the business area from the
Implementation Guide, and links to relevant Web addresses, such as http://support.sap.com .

Business Audit

Figure 10: Business Audit

AIS roles are divided into two major categories: system audits and business audits. A
business audit includes accounting, customer, vendor, asset, and tax audits. You can
download data for use in auditing. You can find more details about business audits in the
training course FIN900.
In this lesson, you work only with the system audit portion of the AIS.
The system audit is divided into following main areas:

General system

Users and authorizations

Repository and tables

Development History of the AIS


To work with the AIS, the auditor needs a user ID in the SAP system. The user master record
requires a wide range of display authorizations, and can be classified as a record for either an
informational user or a limited professional user.

Note:
The suggested license data for the audit user ID of the auditor can be an
informational or limited professional user.

A number of single roles are defined for the AIS.

Division of Single Roles


Single roles are divided into the following groups:

Menu roles (SAP_AUDITOR*)


Menu roles contain only menu items, and do not contain any authorizations.

Authorization roles (SAP_CA_AUDITOR*)


Authorization roles contain only authorizations, and do not contain any listed menu items.

Note:
SAP recommends that you copy the roles provided for the AIS to create
customer-specific roles for your auditors.

AIS Roles Used for System Audit

Figure 11: AIS Menu Roles for System Audit

AIS Roles Used for System Audits


The system uses the following AIS roles, among others, for system audits:

System Audit (SAP_AUDITOR_SA)

Users and Authorizations Audit (SAP_AUDITOR_SA_CCM_USR)

Repository/Tables Audit (SAP_AUDITOR_SA_CUS_TOL)

The System Audit covers a wide range of tasks. It includes common security reports, which
are used to verify aspects of system administration tasks, for example, operating system,
instance parameters, and Remote Function Call (RFC) destinations. It also includes system
tasks performed by many users, such as background processing, printing, and change
request management.
The Users and Authorizations Audit provides several ways for you to ensure that you manage
users properly and to ensure a user’s authorizations correctly reflect the daily tasks the user
must perform. This audit includes the information system for reporting on users and
authorizations, role maintenance and common reports used to verify which users have what
access.
You use a Repository/Tables Audit to discover who has direct table access in production, as
well as the extent of that access. It also provides information on table logging, specifically
related to sensitive financial data. This audit also provides information on change documents
and their use in the SAP system.

Lesson: Configuring and Using the AIS

Menu and Authorization Roles

Figure 12: Menu and Authorization Roles

The primary authorization role for the system auditor is


SAP_CA_AUDITOR_SYSTEM_DISPLAY. This role gives the auditor display access to almost
all system functions. However, it does not give access to all system administration functions.
Most companies have a policy that restricts access to system administration tasks. This policy
also applies to auditors.
System auditors must start with the role SAP_CA_AUDITOR_SYSTEM_DISPLAY. If this role is
not sufficient, the auditor must work with the system administrator. If your organization
prefers to provide more access to the auditor, SAP provides the role
SAP_CA_AUDITOR_SYSTEM. This role provides broader access than
SAP_CA_AUDITOR_SYSTEM_DISPLAY does.
Each system audit component has a different menu role. The menu role provides access to
the transactions and reports that you need for a particular area.
The separation of menu roles from authorization roles for auditors simplifies the required
setup for an auditor. By creating separate menu roles, you divide the auditor role into the
exact tasks that the auditor needs to perform for this audit component area. For example, if
an auditor is auditing system services in production, the menu role SAP_AUDITOR_SA has
adequate transactions and reports for the auditor to perform a successful audit of system
services in production.
If an authorization change affects all three menu roles, the authorization change can be made
in a single role. Three menu roles make it easier to customize a user menu specifically for the
tasks that the auditor needs to perform. In addition to the roles that have been mentioned for
system audits, the SAP system includes roles for business audits. These roles are also divided
between menu roles and authorization roles.

Examples of Menu Roles for Business Audits

SAP_AUDITOR_BA_FI_AA
Tangible assets

SAP_AUDITOR_BA_MM
Materials management

SAP_AUDITOR_BA_FI_GL
Closing

SAP_CA_AUDITOR_APPL, which is an authorization role for use with applications (except
SAP HR), is an example of an authorization role for business audits.
In addition to business roles, SAP provides a composite role, SAP_AUDITOR, which contains
every role in the AIS.

Recommendations for AIS Setup


It is simple to set up the AIS for a system audit.

AIS Setup Steps


A system administrator performs the following steps to set up AIS:

1. Copy the SAP roles to your own naming convention.

2. Update the roles.

3. Create a user.

4. Assign the roles you created to the audit user.

If you need to set up the AIS for both system and business audits, you may need to perform
some additional steps. One of the SAP roles, SAP_AUDITOR_ADMIN, contains everything that
you need to set up the AIS.
The role SAP_AUDITOR_ADMIN includes the following major tasks that you need to complete
during setup:

Copy the roles and create users using your own naming convention.

Set up online help with a link to the documentation server.

Maintain selection variables for business reports.

Activate a user exit for downloading data from SAP Financials.


Preparatory Work for Business Audit

Figure 13: Preparatory Work

To work with the AIS, perform the following prerequisites steps:

1. Maintain the AIS roles and set up user master records.

2. Set up online help.

3. Maintain selection variables.

4. Activate user exit SQUE0001, ABAP/4-Query – Private storage of data.

The AIS includes online help for each role. Often, you are linked from the role to online help
that explains SAP functions. For the role to work properly, you need to link AIS help to your
own documentation server.
Use the selection variables to provide input for SAP business and financial reports. Examples
of data setup in the selection variables include calendar year, chart of accounts, language,
posting period, and fiscal year.
Activating the user exit relates to the download of FI query data. A subfunction of the AIS is to
download query data using a special file format, which is defined in an include for user exit
SQUE0001.
Start the queries as usual (for small datasets, online, and for large datasets, in the
background) and activate the Private file option. The query program writes the result data to
the TEMSE database under the ID that is derived from your user ID (dialog user or
background user). Therefore, only you can access this data. Start report RSQUEU01 to
download the results stored in the TEMSE database.

Note:
For more information about the user exit, refer to SAP Note 129170.


AIS Usage from a System Audit Perspective

Figure 14: Usage of AIS from a System Audit Perspective

After you set up the roles, you can begin using the AIS. After you log on with the auditor user
ID, you receive a user menu for all the AIS functions granted in your role.
After you set up the user menu, you can access everything you need to audit system services,
users, and the repository and tables. Throughout the rest of this course, you use this user
menu to gain access to all audit functions that you require.

ADM950 Lesson and Audit Functions Used

ADM950 Lesson | Process Audit Menu Folder in the Auditor Role
Configuring and Using Security Audit Tools | System Audit
Controlling Access to Transaction Codes, Tables, and Programs | Users and Authorizations; Repository/Tables Audit
Using Logs to Monitor the Application | Repository/Tables Audit
Customizing the Role Maintenance Utilities in SAP | Users and Authorizations; Repository/Tables
Securing User and Group Administration | Users and Authorizations
Change Management and Security | System Audit; Users and Authorizations
Securing System Administration Services in Production Systems | Users and Authorizations; System Audit


To use the AIS, log on as a user who has audit roles assigned. Work through each section of
the menu using the documentation to aid with your task. Often, reports already have variants
prepared to aid you in your research. Notice that many menu items in the AIS take you to
standard transaction codes in the SAP system.
After you complete the exercise for this lesson, you will have an audit user set up with the
roles required to perform a thorough system audit. When you log on as your audit user, you
can see the menu paths that are provided.

Setup for the Remainder of ADM950


For the remainder of this course, you have a user ID for an auditor and a user ID for a super
user. In addition, you have user IDs to be audited. For the majority of the course, you will be
logged on as your audit user.

Table 1: User ID Details

This table provides details about the user IDs that you use in this course.

User ID | How Used
ADM950-## | A super user that should only be used to build your audit user. The trainer created this user before the course; it has broad access.
GRP##-AUDIT | Your audit user. You create this user ID and use it for all further exercises and activities in the course.
FIADMGRP-## | The finance administrator. You perform audits on this user.
HRADMGRP-## | The human resources administrator. You perform audits on this user.
SYSADMGRP-## | The system administrator. You perform audits on this user.

More Information About AIS


SAP Note 451960 – AIS Role Concept/Installation Recommendations

SAP Note 100609 – AIS Installation for FI

SAP Note 129170 – AIS Download of Query Data

FIN900 – Auditing of Financial Business Processes in SAP

https://help.sap.com

LESSON SUMMARY
You should now be able to:

Review the Audit Information System (AIS)

Perform a system audit using the AIS

Unit 2
Lesson 2
SAP Solution for Managing the Audit

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe SAP Audit Management

Understand how SAP Audit Management can support internal audit activities

SAP Audit Management

Figure 15: SAP Audit Management

There are many challenges when it comes to properly managing and analyzing the multiple
audits your company might be running. Examples of such challenges are as follows:

Audit working papers are either manual or documented in spreadsheets.

Inability to efficiently manage audit scheduling and planning activities, and to efficiently
use audit resources.

Difficulty in tracking plan completion, due to lack of time reporting.

SAP Audit Management provides an end-to-end audit management solution. The audit
department can use it to build audit plans, prepare audits, analyze relevant information,
document results, form an audit opinion, communicate results, and monitor progress.
In SAP Audit Management, the auditing process is divided into five phases:

Managing the audit activity

Planning the engagement

Performing the engagement

Communicating results

Monitoring progress

Managing the Audit

Figure 16: Managing the Audit Image

SAP Audit Management allows auditors to provide reliable information on risk and the
adequacy of management responses. It drives increased efficiency and effectiveness into the
audit process, and provides a foundation for an integrated risk management approach. The
SAP Audit Management solution includes the following features:

State-of-the-art UI design to provide easy-to-use audit software, with complexity on demand.

Central data storage data model, covering the end-to-end audit process with a risk-based
approach.

Move from a functional audit solution approach to a collaborative software solution to
increase the effectiveness of audit experts.

Unstructured data search to re-use available information.

Powerful working paper management.

Full mobile enablement.

Automated deployment on the cloud with SAP S/4HANA.

Leverage technology and big data to promote the audit efficiency.


Audit Dashboards and UI

Figure 17: Audit Dashboards and UI

The tile-based home screen is easy to configure. Besides navigating from a tile, you can have
a tile show a KPI, a chart, or a map, and you can create your own tiles. The SAP Fiori
interface allows developers to create one screen for multiple devices (for example, PC, iPad,
smartphones) and to use the role-based authorizations that are part of the tool.

Planning the Audit

Figure 18: Planning the Audit

Audit planning is the initial phase of the auditing process. During this phase, the overall
strategies and focus areas for the organization are defined, the audit plan for the upcoming
audit period is prepared, and audit resources are arranged for the planned audits. Auditable
items, audits, and audit plans are created in this phase.


Preparation and Resource Planning

Figure 19: Preparation and Resource Planning

In the audit preparation phase, the auditor develops and documents the audit work program
that achieves the audit engagement objectives. The auditor sets up the structure of the work
program, defines the detailed procedures for the audit, and obtains approval from the audit
manager before starting the audit. The audit manager receives the work program, reviews it,
and decides to approve or reject it.

Executing the Audit

Figure 20: Executing the Audit

The audit execution phase is when the actual auditing activities take place. In this phase,
auditors conduct interviews, gather information, record evidence, and prepare findings,
conclusions, and recommendations. SAP Audit Management supports these activities with:

Central data storage that is easy to access with search and analytics.

Evidence collection with collaborative mode.

Drag-and-drop working paper.

Document your work with work done notes.


Managing Audit Results

Figure 21: Managing Audit Results

Following the completion of audit activities, audit results must be organized and analyzed, and
all conclusions, findings, and recommendations must be communicated to the relevant
stakeholders.
Tasks executed in this phase include the following:

Creating, editing, and deleting audit reports

Reviewing audit reports

Issuing audit reports

Closing audit papers

SAP Audit Management provides standard reports with pre-defined templates which can be
used to streamline report creation.

Managing Follow-Up Activities

Figure 22: Managing Follow-Up Activities

In the follow-up phase, auditors evaluate the adequacy, effectiveness, and timeliness of the
actions taken by management on reported findings and recommendations. In reviewing the
evaluation result, the auditor determines whether management has implemented the
recommendations or accepted the risk of not implementing them.


Auditor activities during follow-up are as follows:

View the status and action items anytime and anywhere.

Monitor progress and reflect it in the audit universe.

Collaborate on audit issues with team members and stakeholders.

End-to-End Audit Management

Figure 23: End-to-End Audit Management

SAP Audit Management provides a comprehensive end-to-end solution for managing internal
audits across all phases of the audit process.

LESSON SUMMARY
You should now be able to:

Describe SAP Audit Management

Understand how SAP Audit Management can support internal audit activities

Unit 2
Lesson 3
Appendix: Performing a System Audit Using
the Audit Cockpit

LESSON OVERVIEW
This lesson introduces the cockpit solution of the AIS, the Audit Information System Workplace.
The cockpit is a menu-based solution with some audit trail support. The lesson provides an
overview of the audit structures in the cockpit, which are based on area menus. In addition, it
explains how to perform a system audit using the Audit Cockpit and how to display the audit logs.

Business Example
Your organization wants to conduct and keep a log on all its system audits. To do this, you
need to understand how to configure and use the Audit Cockpit.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe the audit structure

Perform a system audit using the Audit Cockpit

Display the audit logs

Audit Information System Workplace and Audit Structure

Figure 24: Audit Information System Workplace

To perform an audit of an AS ABAP system, administrators and auditors can also use the
Audit Information System Workplace (transaction code SAIS) in addition to the AIS. This is a
cockpit solution for the AIS. In the cockpit, the existing role-based audit is replaced by a
navigation solution based on an area menu with audit trail support.
Audit structures in the cockpit are based on area menus, which contain the SAP applications
and information required for the audit. You can create area menus using transaction code
SE43, as shown in the figure Audit Information System Workplace. To reduce the time and
effort required to create an area menu, you can import existing roles (such as the SAP Auditor
roles) into the area menu, as shown in the figure Importing an Existing Role Into an Area
Menu. The audit structure has the same name as the area menu. The cockpit does not
contain any SAP-delivered audit structures at this time.

Figure 25: Importing an Existing Role Into an Area Menu

Note:
Unlike role menus in transaction PFCG, area menus cannot contain any links.

System Audit Using the Audit Cockpit


For an auditor to use the Audit Cockpit, you need a role with the transactions SAIS,
SAIS_LOG, and (if required) SAIS_ADM. These are in addition to the standard audit
authorizations.
To perform the audit, execute the transaction SAIS and reference an audit structure and a
check number. Check numbers are identifiers for an audit activity that allow you to distinguish
between different audits. When you start the audit activity, the relevant area menu displays in
the cockpit and you (or another auditor) simply follow the menu and execute the transactions
or reports that you need.
Based on the result of the transaction or report, you can set the check status (as shown in the
figure Performing an Audit in the Audit Cockpit) and also enter a text note for future
reference.


Figure 26: Performing an Audit in the Audit Cockpit

Audit Logs

Figure 27: Log Analysis

Log entries from the audit are written into the audit log. Once the audit completes, you can
use transaction code SAIS_LOG (shown in the figure Log Analysis) to display the audit log. On
this screen, you can switch between a short overview and a detailed display. The short overview
(ALV) contains an option to export the resulting HTML documents to your preferred local
format.

Figure 28: Log Display

Figure 29: Log Administration

If you need the log data later for reference, we recommend that you export the logs to an
archive destination before reorganizing them. With transaction code SAIS_ADM, you can
remove logs that were created before a given date for the selected audit structure and check
numbers. This transaction is shown in the figure Log Administration.

Authorization Object Supporting Menu-Based Audit Information System

Table 2: Authorization Object S_SAIS

Authorization Field | Short Description
ACTVT | Activity
AUDIT_NAME | Audit Structure (Same as in Area Menu)
AUDIT_CNUM | Check Number

Table 3: Permitted Activities


Code Description

16 Execute
65 Reorganize
70 Administer
71 Analyze
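The following Python model, added here as an example and not SAP code, shows how an authority check on S_SAIS is evaluated against a user's authorizations: all three fields must match within one and the same authorization, and the activity codes from Table 3 separate the auditor (16, 71) from the administrator of the audit logs (65, 70). The audit structure names and the user assignments are constructed sample data.

```python
"""Model of an AUTHORITY-CHECK on authorization object S_SAIS.

Added example for this lesson, not SAP code. The audit structure names
(ZSYS_AUDIT, ZFI_AUDIT) and the user-to-authorization assignments are
constructed sample data; only the object, its fields and the activity
codes come from Tables 2 and 3.
"""
from dataclasses import dataclass

# Permitted activities for S_SAIS (Table 3).
S_SAIS_ACTVT = {"16": "Execute", "65": "Reorganize", "70": "Administer", "71": "Analyze"}


@dataclass
class Authorization:
    """One authorization instance: object name plus permitted values per field.

    '*' matches any value, a trailing '*' matches a prefix, anything else
    must match exactly (value ranges are left out of this model).
    """
    obj: str
    fields: dict


def value_matches(pattern: str, value: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(auths, obj: str, **request) -> bool:
    """True if one single authorization for obj covers every requested field.

    This mirrors the ABAP AUTHORITY-CHECK rule that field values are never
    combined across two different authorizations for the same object.
    """
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(any(value_matches(p, val) for p in auth.fields.get(name, ()))
               for name, val in request.items()):
            return True
    return False


def s_sais_check(auths, actvt: str, audit_name: str, check_num: str) -> bool:
    """Check S_SAIS for one activity on one audit structure and check number."""
    if actvt not in S_SAIS_ACTVT:
        raise ValueError(f"{actvt} is not a permitted activity for S_SAIS")
    return authority_check(auths, "S_SAIS", ACTVT=actvt,
                           AUDIT_NAME=audit_name, AUDIT_CNUM=check_num)


# Constructed sample users. The auditor may execute (16) and analyze (71)
# the system-audit structures only; the log administrator may reorganize
# (65) and administer (70) every structure but cannot run audits.
USERS = {
    "GRP01-AUDIT": [
        Authorization("S_SAIS", {"ACTVT": ["16", "71"],
                                 "AUDIT_NAME": ["ZSYS_*"],
                                 "AUDIT_CNUM": ["*"]}),
    ],
    "AUDITLOGADM": [
        Authorization("S_SAIS", {"ACTVT": ["65", "70"],
                                 "AUDIT_NAME": ["*"],
                                 "AUDIT_CNUM": ["*"]}),
    ],
    # Two separate authorizations: execute on ZFI_AUDIT, reorganize on
    # ZSYS_AUDIT check 0001. Because fields are not combined across
    # authorizations, this user cannot reorganize the ZFI_AUDIT logs.
    "SPLITUSER": [
        Authorization("S_SAIS", {"ACTVT": ["16"], "AUDIT_NAME": ["ZFI_AUDIT"],
                                 "AUDIT_CNUM": ["*"]}),
        Authorization("S_SAIS", {"ACTVT": ["65"], "AUDIT_NAME": ["ZSYS_AUDIT"],
                                 "AUDIT_CNUM": ["0001"]}),
    ],
}


def who_can(users, actvt: str, audit_name: str, check_num: str):
    """Sorted user IDs holding the activity: answers the audit question
    'who is able to reorganize (delete) the logs of this audit structure?'."""
    return sorted(uid for uid, auths in users.items()
                  if s_sais_check(auths, actvt, audit_name, check_num))


if __name__ == "__main__":
    for uid, auths in USERS.items():
        print(uid, "may analyze ZSYS_AUDIT/0001:",
              s_sais_check(auths, "71", "ZSYS_AUDIT", "0001"))
    print("can reorganize ZFI_AUDIT/0001 logs:", who_can(USERS, "65", "ZFI_AUDIT", "0001"))
```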

LESSON SUMMARY
You should now be able to:

Describe the audit structure

Perform a system audit using the Audit Cockpit

Display the audit logs

Unit 2

Learning Assessment

1. What steps must a system auditor complete when setting up the AIS?
Arrange these steps into the correct sequence.

0 Assign the roles that you created to the audit user.

0 Create a user for the auditor.

0 Copy the SAP roles to your own naming convention.

0 Update the roles.

2. Which of the following are menu roles supporting system audit in AIS?
Choose the correct answers.

X A SAP_CA_AUDITOR_SYSTEM

X B SAP_AUDITOR_SA

X C SAP_AUDITOR_SA_CCM_USR

X D SAP_CA_AUDITOR_USER

X E SAP_AUDITOR_SA_CUS_TOL

3. What are the main areas in which you can perform an audit using the system audit roles in
AIS?
Choose the correct answers.

X A General system

X B Users and authorization

X C Operating system

X D Repository and tables

Unit 2

Learning Assessment - Answers

1. What steps must a system auditor complete when setting up the AIS?
Arrange these steps into the correct sequence.

4 Assign the roles that you created to the audit user.

3 Create a user for the auditor.

1 Copy the SAP roles to your own naming convention.

2 Update the roles.

2. Which of the following are menu roles supporting system audit in AIS?
Choose the correct answers.

X A SAP_CA_AUDITOR_SYSTEM

X B SAP_AUDITOR_SA

X C SAP_AUDITOR_SA_CCM_USR

X D SAP_CA_AUDITOR_USER

X E SAP_AUDITOR_SA_CUS_TOL

3. What are the main areas in which you can perform an audit using the system audit roles in
AIS?
Choose the correct answers.

X A General system

X B Users and authorization

X C Operating system

X D Repository and tables

UNIT 3 User and Authorization
Audit

Lesson 1
Customizing the Role Maintenance Tool 40

Lesson 2
Analyzing and Securing Users 51

Lesson 3
Describing Segregation of Duties and Critical Authorization 63

Lesson 4
Securing the System by Login-Related Parameters 72

Lesson 5
Describing the User Management Engine (UME) in SAP NetWeaver AS for Java 80

UNIT OBJECTIVES

Describe authorizations generated by the role maintenance tool

Verify the authorization default values for the role maintenance tool

Display users and user groups

Analyze user authorizations

Secure user SAP*

Describe segregation of duties and critical authorization

Check login-related parameters

Describe the User Management Engine (UME) and UME groups

Unit 3
Lesson 1
Customizing the Role Maintenance Tool

LESSON OVERVIEW
This lesson provides an overview of the tools that the security administrator uses to
reduce the effort required for role maintenance. In addition, it discusses how to configure the
role maintenance tool (transaction PFCG). Configuring the role maintenance tool saves the
security administrator time and makes roles easier to manage and maintain.

Business Example
Role and authorization maintenance in SAP solutions uses default values shipped by SAP.
These default values affect how the role maintenance tool (transaction PFCG) operates; they
also affect how security is checked at runtime. While creating roles, you realize that the
default values shipped by SAP do not always meet your needs. You find yourself making many
changes to the authorizations that the role maintenance tool (transaction PFCG) generates.
You have determined that the SAP default values do not meet your company requirements,
and you want to change those default values to meet your needs. For this reason, you require
the following knowledge:

An understanding of how to create authorizations using the role maintenance tool

An understanding of how to customize the role maintenance tool in the SAP solutions

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe authorizations generated by the role maintenance tool

Verify the authorization default values for the role maintenance tool

Authorization and Role Maintenance Process


The role maintenance tool (transaction PFCG) is the primary tool that you use to manage and
control security access in all SAP systems.
To access the role maintenance tool, run transaction PFCG or, on the SAP Easy Access screen,
choose Tools → Administration → User Maintenance → Role Administration → Roles.
Security administrators use the role maintenance tool to create and maintain all roles and
security access. An auditor must understand how the tool works, and how to evaluate
whether the tool is being used as effectively as possible.

Note:
This lesson does not focus on how to use the role maintenance tool. This lesson
describes how to evaluate the roles that have been created and how to ensure that
the tool is being used to provide roles that match the security policies of the
organization.

Lesson: Customizing the Role Maintenance Tool

Components of the Role Maintenance Tool

Figure 30: Components of the Role Maintenance Tool

The role maintenance tool comprises the following major components:

Menu
The menu component contains the business view of what a user requires for the role. It
contains transaction codes, reports, web addresses, folders, and menu paths that the user
may need.

Authorizations
The authorizations component contains the actual authorization objects and values that
are required to support the menu. This component also contains the technical
authorization values that are required to support the business purpose of the role, as
described in the menu. In addition, the authorizations component includes the exact
organizational values that a user can access, such as sales organizations, cost centers,
plants, and divisions.

Users
The users component lists everyone who has a particular role. This component includes
SAP user IDs, positions, jobs, and other links from an organizational plan.

Unit 3: User and Authorization Audit

Menu Portion of a Role

Figure 31: Menu Portion of a Role

Use the Menu tab page to build the look and feel of the user menu. You use the Menu tab page
to build your own folders, use folders created by SAP, or create a combination of your folders
and SAP folders.
Organizations vary widely on how they use the menus. You can configure an SAP system so
that when a user logs on to the system, he or she sees the individual user menus that are
defined in the role. Alternatively, you can offer your users the standard menu provided by
SAP.

User Menu

Figure 32: User Menu

The user menu contains only the menu items that originate from the roles that are assigned
to the user. In contrast, the SAP standard menu lists all menu paths, even if the user does not
have access to an area in the menu path.


Note:
When you implement user menus, you can use several strategies, such as using
composite roles and using derived roles when possible.
For more information about the user menu and removing duplicates using table
SSM_CUST, refer to SAP Note 357693 (Redundancy Avoidance in Easy Access).

For example, consider a company with 500 plants. The role for the buyer is similar across all
500 plants. The primary difference between each buyer is which plant the buyer can access.
To implement security for this task, an organization can use derived roles or authorization
roles. If the organization uses authorization roles, every buyer has two roles.
The first role contains everything that is common to all plants, including the required menu
paths. The second role contains only access to authorization objects that include the plant
field. Each buyer has a role with values for a specific plant. If that plant changes, you must
update the role for that buyer.
When you prepare for an audit, it is acceptable for you to implement security without user
menus and with the SAP standard menu. The choice to implement user menus does not
affect the audit.
Authorization values are more useful to a system auditor because authorization values
provide the actual security for what a user executes. It is difficult to mandate that every
company must always implement menu roles. It is also difficult to mandate that all companies
must use user menus.
Because many applications use a user interface other than the traditional SAP GUI, such as a
web-based interface, it makes sense to implement user menus. For example, if a user
accesses SAP through a portal, user menus help to refine and design a web page that grants
access to specific SAP transactions.

Note:
This course focuses on user menus, particularly when performing audit activities.

The AIS is implemented as a series of menu-driven roles. To maximize the use of the AIS, the
auditor needs to use the user menus that are provided with the AIS.


Authorization Default Values for the Role Maintenance Tool

Figure 33: Role Maintenance Tool

When roles are created and the authorizations are generated, the data maintained in
transaction SU24 is read to determine which authorization objects and authorization values
are required for each item in the menu, and the default values for the authorizations are
brought into the role maintenance tool. Behind the scenes, the mapping between authorization
objects and transaction codes is stored in system tables, which the system reads.
The default values for the authorizations are maintained in transaction SU24. The more
complete and accurate the values, the less maintenance is required by the security
administrator.


Usage of SU24

Figure 34: Usage of SU24

Authorization Default Values for the Role Maintenance Tool

Figure 35: Default Authorizations – Many are Yellow

Transaction SU24 helps a security administrator reduce overall maintenance. The
security administrator uses transaction SU24 to ensure that the correct authorization objects
and values are used by default. When you generate a role, many authorizations have yellow
status by default. Yellow status means that there are no default values in the authorizations
and some manual work must be done to fill in the authorization values.


Sometimes, the authorizations that are generated by the role maintenance tool do not include
all the authorizations that you need. When this happens, you must manually add the required
authorization objects and adjust the authorizations.

Manual Addition of Authorizations

Figure 36: Manual Addition of Authorizations

Instead of having a security administrator insert authorizations manually or modify default
SAP authorizations all the time, the administrator can maintain the authorization objects and
values in transaction SU24. From the security administrator's perspective, you want the role
maintenance tool to perform as much work as possible.
If you use the profile generator correctly with the help of the defaults in transaction SU24, you
save time and effort spent on authorization maintenance.

The security administrator uses transaction SU24 in the following situations:

To correct authorization objects that are not linked to the transaction codes correctly.

To correct authorization objects that have unacceptable default values.

To change default values so they are appropriate for all roles that use the transaction. This
means that the fields for which you allow different roles to have different values are left
blank.

You can use transaction SU24 to correct authorization objects that are incorrectly linked to
the transaction codes. Transaction SU24 is helpful in fixing situations in which the default
authorization objects proposed by transaction PFCG are not correct.


Example of When to Use Transaction SU24 (1)

Figure 37: Example of When to Use Transaction SU24 (1)

Suppose transaction CPH1 is in the role menu. The authorization objects that are used by default
for this transaction are S_TCODE, S_PROGRAM, and K_CBPR_SET. In your environment, you
also need authorization object G_800S_GSE. You either add this authorization object manually
or use transaction SU24 to have it proposed by default (with specific values, if desired).
You can use transaction SU24 to correct authorization objects that have unacceptable default
values. For example, QIN is used as the default value in the Object type field for authorization
object B_USERSTAT. This default value is unacceptable; it should be QM1 instead. You either
make the change manually or use transaction SU24 to set QM1 as the default value.


Example of When to Use Transaction SU24 (2)

Figure 38: Example of When to Use Transaction SU24 (2)

You can use transaction SU24 to change default values to values that are always appropriate
for all roles that use the transaction. When you change default values in transaction SU24, you
make a change that affects all roles. You might need to leave some fields blank if there are
different values for each role.

Example of When to Use Transaction SU24 (3)

Figure 39: Example of When to Use Transaction SU24 (3)


Once you decide to use transaction SU24, you can change which authorization objects are
used by default and how default values are used in fields. The figure gives an example of how
to use transaction SU24 to change default field values.

Transaction SU24 Adjustment to Meet Your Needs

Figure 40: SU24 Adjustment to Meet Your Needs

To use transaction SU24 to change the default values for an authorization object in a
specific transaction code, perform the following steps:
1. Run transaction SU24.

2. Enter the transaction code whose default values you want to adjust and choose the Execute button.

3. Choose Change field values.

4. In the Proposal field, update the values for the authorization object you want to change.

To find out who made a change in transaction SU24, perform the following steps:
1. Run transaction SE16.

2. Enter USOBT_C in the Table Name field.

3. Use the values in the Modifier, ModDate, and ModTime fields to determine which changes have
occurred and who made them.

To view the changes made in transaction SU24, perform the following steps:
1. Run transaction SU24.


2. Enter a transaction code or authorization object that you want to research.

3. Choose the SAP Data button. This displays the SAP default values and highlights any rows
that have been changed from the defaults provided by SAP.

4. To see field values that have been changed, choose the Display Field Values button.

LESSON SUMMARY
You should now be able to:

Describe authorizations generated by the role maintenance tool

Verify the authorization default values for the role maintenance tool



Unit 3
Lesson 2
Analyzing and Securing Users

LESSON OVERVIEW
This lesson provides an overview of how to manage security of users and how to review the
available reports and tools to research user authorization issues. In addition, this lesson
explains the separation of duties for security administrators and the segregation of duties for
end users.

Business Example
You need to demonstrate that your user administrators do not compromise system security.
In fact, you have to audit the security of all user data and group-related data in your
production system. For this reason, you require the following knowledge:

An understanding of how to identify problems using the User Information System

An understanding of how to identify insecure combinations of authorizations and analyze


authorization assignments in production systems using the User Information System

An understanding of how to structure security for SAP standard users SAP*, Data
Dictionary (DDIC), and SAP Early Watch

An understanding of how to examine change logs for user and group changes

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Display users and user groups

Analyze user authorizations

Secure user SAP*

The User Information System (SUIM)


The User Information System is a critical tool for debugging security-related problems, and
for quickly identifying how security is set up on any given system. The User Information
System is useful to both security administrators and auditors. The menu path from the SAP
standard menu is Tools → Administration → User Maintenance → Information System.
The menu path from the auditor role is Users and Authorizations Audit → Information System →
Users and Authorizations. This lesson focuses on the menu path from the auditor role. Earlier,
you created an auditor role and included the SAP-provided role
SAP_AUDITOR_SA_BC_CCM_USR. Throughout this lesson, you use the menu path provided
by the SAP_AUDITOR_SA_BC_CCM_USR role.
The User Information System enables you to research by user, role, profile, or authorization
value. There are many ways to get to the same data. The information system allows you to
view the information from the perspective that interests you the most.


You can use the User Information System to obtain an overview of the authorizations and
users in your SAP system at any time using search criteria that you define, based on the
predefined reports. In particular, you can display lists of users to whom authorizations
classified as critical are assigned.

The User Information System reports for the following components:


User
Use this component to find details of users.

Roles
Use this component to find details of roles.

Profiles
Use this component to find details of profiles.

Authorizations
Use this component to find details of a specific authorization.

Authorization objects
Use this component to find details of authorization objects.

Transactions
Use this component to view transactions by users, profiles, or authorizations.

Comparisons
Use this component to compare users in one system or across systems.

Where-Used List
Use this component to find where an authorization object is used.

Change documents
Use this component to display change documents for users, profiles, and authorizations.

Examples of User Reports in SUIM


The following sections give examples of some user reports in SUIM.



Lesson: Analyzing and Securing Users

User Reports

Figure 41: Users with Specific Authorization Values

The User section is the best way to find out exactly which functions a user can access. You
can find users by their address data, the roles they have, specific access to a field, the
transaction codes they have, and how many incorrect logons a user has experienced. There
are many ways you can use User reports in the debugging process.
In this example, you need to know everyone who has access to authorization object
F_BKPF_BUK and everyone who has activity 01 (Create) for company code 1000. For this,
you need the report Users by Authorization Values .

To find users with specific authorization values, perform the following steps:
1. Access the report by choosing User → Users by Authorization Values.

2. Enter the authorization object you want to research.

3. Choose the Entry values pushbutton.

4. For each field in the authorization object, enter the value you want to research.

5. Optionally, use the User ID alias field to limit which users to search.

One unique aspect of user reports is the ability to customize the reports to meet your
business needs. You use the customization of reports to ensure that you are following your
company’s business policies regarding segregation of duties. You look at a few business
scenarios to see how this report can help you research policies about segregation of duties.


Caution:
The lesson describes general examples of how these reports can aid in specific
policies about the segregation of duties that your company might have. Each
company is different, and each company implements SAP differently. Your
business users determine the critical transaction combinations. You must know
which types of reporting are possible and how the security administrator can set
up a report.

Logon Date and Password Change Report

Figure 42: User IDs with Initial Password

This figure provides an example of how to find user IDs that still have their initial password.


Figure 43: Summary or Output of User IDs with Initial Password Report

This report shows the user, the user group to which the user is assigned, who created the
user, when the user was created, and when the user last logged on. In this report, you see
many user IDs that are not used, which means that those users have never logged on. This
information can help you manage your SAP user licenses.
The Overview of Users reports are a fast and effective way to see the number of users, the
users currently active, and the users no longer required.

RSUSR002 Report

Figure 44: RSUSR002 Report

The Users by Complex Selection Criteria report (program RSUSR002) enables you to search for
users based on complex selection criteria. This report enables you to combine your search by
user group, role, profile, transaction code, authorization object, and authorization values. To
access this report from your AIS role, choose Users and Authorizations Audit → Information
System → Users and Authorizations → User → Users by Complex Selection Criteria. From the
AIS role, you can also find different variations of this report under Users Who Are Authorized,
which is in the menu path shown in the figure entitled RSUSR002 Report.


As an example of how you can use this report, view the reports under the audit menu by
choosing Users and Authorizations Audit → Users Who Are Authorized. You see a list of
reports in which each transaction code is linked to the same report, that is, the Users by
Complex Selection Criteria report (program RSUSR002). However, each transaction code
supplies a different input to the report. It is important to notice the different ways in which you
can use this report to assist in your research and debugging of authorization issues.

Role Reports
Role reports enable you to find roles by various criteria, that is, by user assignment,
transaction codes, and authorization values.
As an example of how to use role reports, you have a display role for the financial area.
Additionally, you have roles for the various tasks that financial clerks require. You have a role
for maintaining vendor data and another role for maintaining customer data.
Assume that the accounts payable clerk can normally display most of the financial data (from
the display role), and also that the accounts payable clerk maintains the vendor data. This
clerk has just made an update to a critical customer. The authorizations should not have
allowed this clerk to make that update. Use reports By User Assignment and By Transaction
Assignment to help you determine why this clerk was able to make the update.

Profiles
As roles are created, profiles must be generated to support the roles. If the profile naming
convention is clear, profile reports can help you debug problems by looking directly at the
profiles.

Authorizations
Authorization reports enable you to find information on specific authorizations. For example,
in SAP Human Resources, infotype 0008 is basic pay. You use the reports in Authorizations
to determine all authorizations that enable someone to maintain basic pay data.

Authorization Objects
Authorization object reports enable you to research an authorization object. Perhaps you
need to research how an authorization is used, perhaps you need documentation on an
authorization object, or perhaps you need to know which authorization objects protect a
specific field, such as cost center.

Transactions
Transaction reports enable you to see who has access to which transaction codes. You can
research by user, profile, and authorization.


Comparison Report Across Systems

Figure 45: Comparison Report Across Systems

Comparison reports enable you to compare users, roles, profiles, and authorizations.
Additionally, you can perform comparisons across systems.

Comparison Report

Figure 46: Comparison Report

The figure shows you how to compare two users within the same system, as well as across
systems.

Where-Used List
The Where-Used List reports enable you to research how profiles, authorizations, and
authorization objects are used. For example, you want to research one of the cost center
authorization objects, K_CSKS. With the help of this report, you can see where the object is
used by authorizations, profiles, users, and programs.

Change Documents
Use change documents to research who has changed users and how those users have been
changed.


Options for change documents for users are as follows:


Changes during a time period

Changes made by a specific user

Users created or deleted

Users that have been locked

Users with password changes

Authorization Analysis Tools

Figure 47: Analyzing Authorization Checks

If you encounter authorization errors in your system, or if you do not know which
authorizations are required to run a specific transaction or program, you can use the error
analysis tools shown in the figure Analyzing Authorization Checks to analyze these
authorization related problems:

Authorization error analysis functions (transaction codes SU53 and SU56)

System trace (transaction code STAUTHTRACE or ST01)

Authorization Error Analysis Functions


You can use transaction SU53 to analyze access errors that just occurred in your system. This
tool is typically run by the user or the security administrator. It provides the authorization
data of the user and the last failed authorization check or HR authorization check. This tool
also displays the context in which the check occurred (that is, the transaction, RFC function
module, or service).
By default, transaction SU53 displays a maximum of 100 failed authorization checks for each
work process, and displays records for (at most) the previous three hours. You can change
the number of authorization checks by setting the profile parameter auth/
su53_buffer_entries. If your system has many active users and many failed authorization
checks, the number of checks and the period that is covered may be smaller for any given
user.


Note:
For more information, see SAP Note 1671117 - SU53: Enhanced function and Web
Dynpro suitability.

Figure 48: SU53 Authorization Error Analysis

To see what authorizations are currently in the user buffer, a user can use transaction SU56 to
display all of his or her authorizations (or the authorizations of another user). You can also call
transaction SU53 and choose Goto → Entered Authorization in User Buffer.
System Trace


Figure 49: System Trace for Authorization Checks

System or security administrators can also use the system trace tool (transaction
STAUTHTRACE or ST01) to debug any authorization issues. When the trace is activated, it
records each authorization object that is checked, and also records the fields and values of
the object. From the trace, you can see all checked authorization objects, the values that are
handed over to the check, and a return code. If the return code is 0, the authorization check is
successful; any other return code means the check failed for that user, object, and values.
To use the system trace, you must activate it in transaction STAUTHTRACE or ST01. When the
trace completes, you can analyze the results to see which authorization objects are being
checked and compare them with those assigned to the user.
The transaction code STAUTHTRACE provides an optimized user interface for tracing
authorization checks. It works in the same way as the system trace in transaction code ST01;
however, transaction STAUTHTRACE evaluates authorization checks only.

Note:
System trace increases work load in the system. Activate it only if necessary, and
be selective about who or what you trace. Deactivate system trace when you finish
tracing the activities of your user. As system trace is a system administration task,
we recommend that you restrict access to this transaction.
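The analysis step described above, reading the trace and picking out the checks with a non-zero return code, is easy to automate once the trace is exported. The following is an added example, not part of the course material or of any SAP tool: it parses a constructed, simplified trace export (one check per line, pipe-separated; a real STAUTHTRACE export has a different column layout, so parse_line() must be adapted), lists every failed check, and aggregates per user and authorization object the field values the user was missing. The users, transactions and values in the sample are invented; the return-code meanings follow the documented sy-subrc values of AUTHORITY-CHECK (0 passed, 4 required field values missing, 12 object not assigned at all).

```python
"""List failed authorization checks from a (constructed) STAUTHTRACE-style export.

Added example, not SAP code. The input format is a constructed simplification:
time|user|transaction|object|return code|field=value;field=value
"""
from collections import defaultdict

# Constructed sample trace (invented users, transactions and values).
SAMPLE_TRACE = """\
10:15:02|MILLER|ME21N|S_TCODE|0|TCD=ME21N
10:15:02|MILLER|ME21N|M_BEST_EKO|0|ACTVT=01;EKORG=1000
10:15:03|MILLER|ME21N|M_BEST_BSA|4|ACTVT=01;BSART=NB
10:15:09|MILLER|SE16|S_TCODE|0|TCD=SE16
10:15:10|MILLER|SE16|S_TABU_DIS|12|ACTVT=03;DICBERCLS=SC
10:15:10|MILLER|SE16|S_TABU_NAM|4|ACTVT=03;TABLE=USR02
10:16:30|SMITH|SE16|S_TCODE|0|TCD=SE16
10:16:31|SMITH|SE16|S_TABU_DIS|0|ACTVT=03;DICBERCLS=SC
"""

# Documented sy-subrc values of AUTHORITY-CHECK: 0 = passed, 4 = object held but the
# required field values are missing, 12 = user has no authorization for the object.
RC_MEANING = {0: "passed", 4: "missing field values", 12: "object not assigned"}


def parse_line(line):
    """Turn one constructed trace line into a dict; ValueError on a malformed line."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        raise ValueError(f"unexpected trace line: {line!r}")
    time, user, tcode, obj, rc, fields = parts
    values = {}
    for pair in fields.split(";"):
        if pair:
            name, _, value = pair.partition("=")
            values[name] = value
    return {"time": time, "user": user, "tcode": tcode, "object": obj,
            "rc": int(rc), "fields": values}


def parse_trace(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_checks(records):
    """Every check whose return code is not 0 (0 is the only success code)."""
    return [r for r in records if r["rc"] != 0]


def missing_by_user(records):
    """Aggregate failed checks as {user: {object: {field: [values]}}}.

    This is the shape a role would need to contain to make the checks pass; repeated
    identical failures collapse into one entry.
    """
    need = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for r in failed_checks(records):
        for field, value in r["fields"].items():
            need[r["user"]][r["object"]][field].add(value)
    return {u: {o: {f: sorted(v) for f, v in fl.items()} for o, fl in ob.items()}
            for u, ob in need.items()}


def report(text):
    """Print the failed checks in trace order and return the aggregated view."""
    recs = parse_trace(text)
    for r in failed_checks(recs):
        print(f"{r['time']} {r['user']:<8} {r['tcode']:<6} {r['object']:<12} "
              f"RC={r['rc']:<2} ({RC_MEANING.get(r['rc'], 'other')}) {r['fields']}")
    return missing_by_user(recs)


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Reading the aggregated output against the user's roles (SUIM, Users by Authorization Values) tells you whether the missing authorization should be added to a role, or whether the failed check is the intended outcome and the user simply should not be running that transaction. Only the non-zero checks matter for that decision, which is why the trace should be activated for a single user and switched off again immediately afterwards.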

User SAP*
Securing SAP Standard Users
Clients 000, 001, and 066 are created when your SAP system is installed. Two special users,
SAP* and DDIC, are defined in client 000. Since these users have standard names and well-known
default passwords, you must secure them against unauthorized use by outsiders who know of
their existence.
The SAP system super user, SAP*, is the only user in the SAP system that does not require a
user master record; its properties are defined in the system code. In that form, SAP* has the
password PASS by default and unlimited system access authorizations.
When you install your SAP system, a user master record is defined for SAP*. The presence of
an SAP* user master record deactivates the special properties of SAP*. It then has only the
password and authorizations that are specified for it in the user master record.


To secure SAP* against misuse, SAP recommends that you change its password from the
standard PASS (after every client copy, since a new client starts with the default). For security
reasons, SAP also recommends that you deactivate SAP* and define your own super user
(profile parameter logon/no_automatic_user_sapstar).
DDIC is the maintenance user for the ABAP Dictionary and software logistics. The user master
record for user DDIC is automatically created in client 000 when you install your SAP
system. The system code grants user DDIC special privileges for certain operations, such as
transports.
To secure DDIC against unauthorized use, you must change the password for the user in
client 000 at the end of the installation of your SAP system. Client 066 delivers the Early
Watch user, protected by the default password SUPPORT. SAP Early Watch experts use this
user, so do not delete it, but do change the default password. This user should be used only
for Early Watch functions (that is, monitoring and performance).
Securing User SAP*
The SAP system has a default super user, SAP*, defined in client 000. A user master record is
defined for SAP* when the system is installed. However, SAP* is programmed in the system
kernel and does not require a user master record.

Several characteristics of user SAP* are as follows:


The user is not subject to authorization checks and, therefore, has all the authorizations.

In newly created clients, the user has the password PASS.

If a user master record exists for SAP*, then SAP* behaves like a normal user. It is subject
to authorization checks and its password can be changed.

Note:
If you want to deactivate the special properties of SAP*, set the system profile
parameter logon/no_automatic_user_sapstar to a value greater than zero. This is
the default as of NW Application Server 7.0. If this parameter is set, SAP* has no
special default properties. If there is no SAP* user master record, SAP* cannot be
used to log on. Set the parameter in the global system profile, DEFAULT.PFL, so
that it is effective in all instances of an SAP system.
Ensure that there is a user master record for SAP* even if you set the parameter.
Otherwise, resetting the parameter to the value 0 would once again allow you to
log on with SAP*, the password PASS, and unrestricted system authorizations.

To Deactivate User SAP*


SAP* is a known super user. SAP recommends that you deactivate user SAP* and replace it
with your own super user.

In the SAP* user master data, proceed as follows to deactivate user SAP*:

1. Create a user master record for SAP* in all new clients. Do not assign any roles or profiles
to this user.

2. Assign a new password to SAP* in client 000.


To Define a New Superuser

Perform the following steps to define a new super user:

1. To define a super user to replace SAP*, give the SAP_ALL profile to a user. SAP_ALL
contains all SAP authorizations, including any new authorizations released in the
SAP_NEW profile.

Hint:
SAP_NEW ensures upward compatibility of authorizations. The profile
ensures that users are not inconvenienced when a release or update includes
new authorization checks for functions that were previously unprotected.

LESSON SUMMARY
You should now be able to:

Display users and user groups

Analyze user authorizations

Secure user SAP*



Unit 3
Lesson 3
Describing Segregation of Duties and Critical
Authorization

LESSON OVERVIEW
This lesson explains how to secure critical authorizations and control the program
development and debugging.

Business Example
Your company is reviewing security policies. You need to ensure that your company has
policies on segregation of duties (SoD), and you need to check whether those policies are
correctly implemented. For this reason, you require the following knowledge:

An understanding of SoD and critical authorization

An understanding of how to verify critical authorization

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe segregation of duties and critical authorization

Segregation of Duties and Critical Authorization

Figure 50: Segregation of Duties for Purchasing

In the example shown in the figure, a user who can execute transaction codes ME51N,
ME21N, MIGO, and MIRO can requisition, order, receive, and invoice goods alone. This is an
SoD problem and a violation of the company policy on SoD.


The following transaction codes used in purchasing help you to examine SoD:
ME51N
This transaction is used to create a purchase requisition.

ME21N
This transaction is used to create a purchase order.

MIGO
This transaction is used to create a goods receipt.

MIRO
This transaction is used to create an invoice.

Once your company designates a policy on SoD, you can use the report, List of Users with
Critical Authorizations.
To access the report on the SAP Easy Access screen, choose Users and Authorizations Audit →
Information System → Users and Authorizations → User → With Critical Authorizations.
You can configure this report to include the transaction codes and/or authorization objects
that interest you.

Analyzing Users with Critical Authorizations

Figure 51: List of Users with Critical Authorizations

List of Users with Critical Authorizations (report RSUSR008_009) can be found in SUIM.



Lesson: Describing Segregation of Duties and Critical Authorization

Note:
The User Information System provides the RSUSR008_009_NEW report, which is
a system-dependent option to control SoD violations. SAP_RSUSR009 is a variant
provided by SAP that has some basic relevant critical authorizations.
Business templates for combinations of critical authorizations are not delivered in
SAP. To get these templates, and to control SoD violations across system
boundaries, SAP offers the SAP solutions for Governance Risk and Compliance
(GRC).

Note:
The RSUSR008_009_NEW report replaces the RSUSR008 and RSUSR009
reports.

The improvements offered by the report RSUSR008_009_NEW are as follows:


Differentiation between SAP defaults for critical data for different business
areas (Before these improvements were offered, you could only use and
change defaults collectively.)

Extended combination options for critical authorization data

Improved performance

Filter for the users to be displayed

More analysis options for users in the result list

Improved user-friendliness

You can continue to use the old reports RSUSR008 and RSUSR009 in versions
prior to SAP Web AS 6.40.

As of SAP Web AS 6.20, the RSUSR008_009_NEW report is provided with the


following support packages:
SAP Web AS 6.20, as of SAPKB62039

SAP Web AS 6.40, as of SAPKB64003

SAP Web AS 7.0 (without any support packages)

The List of Users with Critical Authorizations report (RSUSR008_009) can be used to check
which users have critical authorizations, based on the critical authorization and critical
combination variants defined in the system.
The critical authorization variant is made up of the Authorization ID, and the ID contains
authorization data (authorization objects, fields, and values).
SAP delivers a critical authorization variant, SAP_RSUSR009, which contains some basic
critical authorizations. You can configure your own variants as well, based on the transaction
combinations that are critical for your company.


SAP Defaults for Critical Authorization Data

Figure 52: SAP Defaults for Critical Authorization Data

After you get the list of critical transaction code combinations from business users, you can
configure those combinations within the RSUSR008_009_NEW report.
RSUSR008_009_NEW report checks authorization object S_TCODE to see which transaction
codes a user can execute and/or checks for the authorization values. The security
administrator can create the authorization values to check whether the right authorization
values have been assigned. In addition to providing the authorization object, field, and value,
you need to provide an ID, for which you can choose any name.

Creating Critical Authorizations

Figure 53: Creating Critical Authorizations


The figure shows how to define critical authorizations and the associated authorization data.

Variant for Critical Authorizations

Figure 54: Defining Variant for Critical Authorizations

The figure shows how to combine the critical authorizations into a variant and how to perform
the evaluation with the new variant.


Defining Critical Combinations

Figure 55: Defining Critical Combinations

To maintain critical combinations, create a combination, and then assign the IDs of critical
authorizations to the combination. Using the RSUSR008_009_NEW report, then create a
variant for this combination.


Variant for Critical Combinations

Figure 56: Defining Variant for Critical Combinations of Authorizations

The figure shows how to create a variant for a critical combination.

Additional Selection Criteria


Use the Selection Criteria for Users group to define additional properties that the users to be
displayed must fulfill. Restricting the user selection in this way makes the analysis quicker
and more flexible.
The layout of the result list depends on the type of selection variant used. For critical
authorizations, the selected users are grouped by the IDs of the critical authorizations. To
check which critical data an ID represents, choose the name of the ID. To analyze the
authorization data of a user master record, double-click the user. The other fields provide
additional information about the user.
Use the Profiles and Roles buttons to display the profiles and roles assigned to the selected
users. All other functions are standard functions of the ALV Grid Control. Some combinations
of authorization objects can be critical or very sensitive.
For critical combinations, the selected users are grouped by combination. Select a
combination name to display the corresponding critical data. The other functions
correspond to those for critical authorizations.

Example of Critical Authorization: Program Development and Debugging


S_DEVELOP is the general authorization object for ABAP Workbench objects.


You use S_DEVELOP authorization object to grant access authorizations to the following
ABAP Workbench components:

ABAP development tools

ABAP Dictionary and Data Modeler

Screen Painter and Menu Painter

Function Library

Object Navigator and Info System

SAP Smart Forms

Form Builder

ABAP Debugger and Trace Tools

ABAP Dump Analysis

Enhancements

Switch Framework

Table 4: S_DEVELOP Authorization Object

The S_DEVELOP authorization object consists of the following fields:

Field       Description
DEVCLASS    Package
OBJTYPE     Object type
OBJNAME     Object name
P_GROUP     Authorization group for ABAP programs
ACTVT       Activity

From a production perspective, be aware of everyone who has authorization object
S_DEVELOP. Normally, authorization object S_DEVELOP is not required by anyone in
production. In production, pay particular attention to authorizations that have the value
DEBUG in the Development object ID (OBJTYPE) field.

Table 5: Setting up Debug Authorizations in Production

This table lists how you can set up debug authorizations in production:

Development object ID (OBJTYPE)   Activity (ACTVT)   Description
DEBUG                             03                 Display
DEBUG                             02                 Change field contents and Goto statement
DEBUG                             01                 Display in system programs and kernel debugging

Be aware of which users have debug authorization in production. Activity 02 is prohibited.
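The evaluation that this lesson describes for RSUSR008_009_NEW (an ID naming critical authorization data, critical combinations built from IDs, and a variant that selects which of them to evaluate), the Users by Authorization Values report from the previous lesson, and the S_DEVELOP DEBUG case above all reduce to the same matching logic over user authorization data. The following is an added example, not RSUSR008_009_NEW or any SAP code: it re-implements that logic in Python over a constructed in-memory user master. The authorization object and field names are the real ones used in this unit; the users, their assignments, and the ID and combination names are invented. Only the '*' wildcard in a user's values is modelled; ranges and patterns such as ME2* that a real user master may contain are not.

```python
"""Evaluate critical authorizations and critical combinations over user authorization data.

Added example, not SAP code. USERS is a constructed user master; the critical IDs and
combinations are defined the way the lesson describes (object, field, value per ID;
list of IDs per combination).
"""

# Constructed user master: user -> list of (object, {field: set(values)}).
USERS = {
    "AP_CLERK": [
        ("S_TCODE", {"TCD": {"ME51N", "MIRO", "FB03"}}),
        ("F_BKPF_BUK", {"ACTVT": {"03"}, "BUKRS": {"1000"}}),
    ],
    "BUYER": [
        ("S_TCODE", {"TCD": {"ME51N", "ME21N", "MIGO", "MIRO"}}),
        ("M_BEST_EKO", {"ACTVT": {"01", "02"}, "EKORG": {"1000"}}),
    ],
    "DEVELOPER": [
        ("S_TCODE", {"TCD": {"SE38", "SE80"}}),
        ("S_DEVELOP", {"DEVCLASS": {"*"}, "OBJTYPE": {"DEBUG"}, "OBJNAME": {"*"},
                       "P_GROUP": {"*"}, "ACTVT": {"03"}}),
    ],
    "SUPPORT": [
        ("S_TCODE", {"TCD": {"*"}}),
        ("S_DEVELOP", {"DEVCLASS": {"*"}, "OBJTYPE": {"*"}, "OBJNAME": {"*"},
                       "P_GROUP": {"*"}, "ACTVT": {"*"}}),
    ],
}

# Critical authorization IDs (names are ours): ID -> [(object, {field: required value})].
CRITICAL_AUTHS = {
    "PR_CREATE": [("S_TCODE", {"TCD": "ME51N"})],
    "PO_CREATE": [("S_TCODE", {"TCD": "ME21N"})],
    "GR_POST": [("S_TCODE", {"TCD": "MIGO"})],
    "INVOICE_POST": [("S_TCODE", {"TCD": "MIRO"})],
    # Debugging with change of field contents in production (activity 02 is prohibited).
    "DEBUG_CHANGE": [("S_DEVELOP", {"OBJTYPE": "DEBUG", "ACTVT": "02"})],
}

# Critical combinations: a user holding every ID in the list violates SoD.
CRITICAL_COMBOS = {
    "PURCHASE_TO_PAY": ["PR_CREATE", "PO_CREATE", "GR_POST", "INVOICE_POST"],
}


def value_matches(held, required):
    """'*' in the user master covers every value; otherwise an exact match is needed."""
    return "*" in held or required in held


def has_critical_auth(auths, crit):
    """True if, for every (object, fields) entry of the ID, some authorization of the
    user for that object satisfies all required field values at once."""
    for obj, required in crit:
        for held_obj, fields in auths:
            if held_obj == obj and all(value_matches(fields.get(f, set()), v)
                                       for f, v in required.items()):
                break
        else:
            return False
    return True


def users_with_critical_auth(auth_id):
    """Users by authorization values: who holds the data behind one critical ID."""
    crit = CRITICAL_AUTHS[auth_id]
    return sorted(u for u, a in USERS.items() if has_critical_auth(a, crit))


def users_with_critical_combo(combo_id):
    ids = CRITICAL_COMBOS[combo_id]
    return sorted(u for u, a in USERS.items()
                  if all(has_critical_auth(a, CRITICAL_AUTHS[i]) for i in ids))


def evaluate_variant(auth_ids=(), combo_ids=()):
    """Like running the report with a variant: result grouped by ID or combination."""
    result = {i: users_with_critical_auth(i) for i in auth_ids}
    result.update({c: users_with_critical_combo(c) for c in combo_ids})
    return result


if __name__ == "__main__":
    for name, users in evaluate_variant(["DEBUG_CHANGE"], ["PURCHASE_TO_PAY"]).items():
        print(f"{name}: {', '.join(users) or '-'}")
```

Two points the sample is built to show: SUPPORT is reported for every ID and combination because S_TCODE TCD = * and S_DEVELOP ACTVT = * satisfy any check, which is why wide wildcard values must be part of the critical data you look for, not only explicit transaction codes; and DEVELOPER holds DEBUG with activity 03 only, so the prohibited activity 02 check correctly does not flag that user.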


LESSON SUMMARY
You should now be able to:

Describe segregation of duties and critical authorization



Unit 3
Lesson 4
Securing the System by Login-Related
Parameters

LESSON OVERVIEW
This lesson explains how to check and secure the system by login-related parameters. It also
discusses the authorization and security concepts for logon based on the login-related
parameters.

Business Example
Your company is reviewing security policies. You need to keep in mind which policies relate to
password control and other logon rules. You need to check valid authorization for the user ID.
For this reason, you require the following knowledge:

An understanding of how to outline critical logon-related profile parameters, and how to
manage those parameters

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Check login-related parameters

Examination of Logon-Related Parameters

Figure 57: Profile Parameters in RZ11



Lesson: Securing the System by Login-Related Parameters

You can use several logon-related profile parameters to assist you in your security
implementation. These parameters are assigned by default to SAP values, which can be
changed by the system administrator.

Some examples of profile parameters include the following:


Password protection, including length and type of characters required

Enable or disable a user ID to log on more than one time

Automatic time-out for an inactive user

Number of failed logons until a session ends and a user is locked

There are various profile parameters which you can use to set logon rules. To display the
documentation for a parameter, specify the parameter name in the maintenance transaction
for profile parameters using transaction RZ11, and choose the Display button. On the next
screen, choose the Documentation button.

Note:
With every new release, SAP provides new functions in the security environment.
If your company upgrades to a new release, you can search it using the
transaction RZ11 for all the parameters starting with login*. A brand new
parameter may meet your security demand.

Table 6: Profile Parameters Used for Password Checks

Parameter                                    Function
login/min_password_lng                       Minimum length of the password.
login/min_password_digits                    Minimum number of digits in the password.
login/min_password_letters                   Minimum number of letters in the password.
login/min_password_specials                  Minimum number of special characters in the password.
login/min_password_diff                      Number of characters in which a new password must differ from the old one when the user changes the password. This parameter has no effect when new users are created or when passwords are reset.
login/min_password_lowercase                 Minimum number of lowercase characters in the password.
login/min_password_uppercase                 Minimum number of uppercase characters in the password.
login/password_charset                       Characters that a password can consist of, depending on the parameter login/password_downwards_compatibility.
login/password_expiration_time               Validity period of passwords, in days.
login/password_change_waittime               Number of days after the last password change before the user can change the password again.
login/password_compliance_to_current_policy  Checks whether passwords that are already in use comply with the current password rules.
login/password_change_for_SSO                Determines whether a user who logs on with Single Sign-On (SSO) must still change the password.

Table 7: Parameters Used for Multiple Logons

login/disable_multi_gui_login
  This parameter controls the deactivation of multiple dialog logons.

login/disable_multi_rfc_login
  This parameter controls the deactivation of multiple Remote Function Call (RFC) logons.

login/multi_login_users
  This parameter controls the list of users excepted from the multiple-logon restriction.

Table 8: Parameters Used for Incorrect Logons

login/fails_to_session_end
  This parameter defines the number of unsuccessful logon attempts that a user can make
  before the system prohibits any more logon attempts. The default value is 3. You can set it
  to any value between 1 and 99, inclusive.

login/fails_to_user_lock
  This parameter defines the number of unsuccessful logon attempts that a user can make
  before the system locks the user. The default value is 12. You can set it to any value
  between 1 and 99, inclusive.

login/failed_user_auto_unlock
  This parameter defines whether user locks placed due to unsuccessful logon attempts are
  automatically removed at midnight.

Lesson: Securing the System by Login-Related Parameters

Table 9: Parameters Used for Limited Validity of the Initial Password

login/password_max_idle_initial
  This parameter defines the validity period of unused initial passwords.

login/password_max_idle_productive
  This parameter defines the validity period of unused productive passwords.

Table 10: Parameters Used to Turn Off Password Logon

login/disable_password_logon
  This parameter controls the deactivation of password-based logon.

login/password_logon_usergroup
  This parameter controls the deactivation of password-based logon for specific user groups.

Table 11: Other Related Parameters

login/no_automatic_user_sapstar
  This parameter controls the SAP* user.

login/system_client
  This parameter specifies the default client. The default client is automatically filled in on
  the system logon screen. Users can type in a different client.

login/update_logon_timestamp
  This parameter specifies the exactness of the logon time stamp.

rdisp/gui_auto_logout
  This parameter controls the number of seconds until an inactive user is automatically
  logged out by the system.

Note:
Transaction RSPFPAR can also be used to display the profile parameters.


Security Policy and Restricting the User Logon

Figure 58: Security Policy and Restricting the User Logon

Security Policy
Sometimes users require a different logon and password policy than the default values. For
example, powerful users such as administrators should have passwords with a higher level of
protection than standard users: they should be forced to change their passwords more often
or to follow more complex password rules. However, forcing standard users to comply with
such requirements can increase the number of help desk requests.
Use the Security Policy field in the user master record to choose a security policy for the
user. Otherwise, the user uses the standard security policy.

Defining Security Policies

Figure 59: Security Policy Definition (Transaction SECPOL)

With this procedure, you create security policies with attributes for which you explicitly do
not want to use the default value. For example, you create a new security policy called Digits
and change, as described below, the standard value of the MIN_PASSWORD_DIGITS
attribute from 0 to 4. The new security policy Digits then uses the standard values for all
security policy attributes, with the exception of the MIN_PASSWORD_DIGITS attribute.

Note:
You can also create a security policy without defining attributes. This policy then
uses the default values for all security policy attributes.

1. Start the maintenance tool for security policies (transaction SECPOL).

2. In change mode, choose New Entries.

3. Enter a name in the Security Policy field and a description in the Short Text field.

4. Double-click the Attributes node.

5. Select the security policy, and double-click the Attributes node again. The change view for
attributes appears.

6. Choose New Entries.

7. In the Policy Attribute Name field, enter a security policy attribute (for example, using the
input help), and in the Attribute Value field, enter a value.

8. Save your entries.

Assigning Security Policies to Users


You can assign a security policy to a single user with the user maintenance tool (transaction
SU01), or to multiple users with mass user maintenance (transaction SU10). On the Logon
Data tab, enter the security policy in the Security Policy field.
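The checks a security team would apply to these parameters and to a SECPOL override, as an added example in Python (not SAP code): it parses a constructed instance profile fragment, builds the effective policy with and without the Digits policy from the procedure above, validates candidate passwords against it, and range-checks the lockout counters. Only MIN_PASSWORD_DIGITS is an attribute name taken from this lesson; the other attribute names, the profile values and the sample passwords are assumptions.

```python
"""Effective password policy from login/* profile parameters plus a security
policy override, and a password check against it. Added example, not SAP
code. Only MIN_PASSWORD_DIGITS is an attribute name taken from the lesson;
the other attribute names and the profile values are constructed."""

# Profile parameter -> security policy attribute (names other than
# MIN_PASSWORD_DIGITS are assumed, not taken from the lesson).
PARAM_TO_ATTRIBUTE = {
    "login/min_password_lng": "MIN_PASSWORD_LENGTH",
    "login/min_password_digits": "MIN_PASSWORD_DIGITS",
    "login/min_password_letters": "MIN_PASSWORD_LETTERS",
    "login/min_password_specials": "MIN_PASSWORD_SPECIALS",
    "login/min_password_lowercase": "MIN_PASSWORD_LOWERCASE",
    "login/min_password_uppercase": "MIN_PASSWORD_UPPERCASE",
    "login/min_password_diff": "MIN_PASSWORD_DIFFERENCE",
}

# Defaults of the lockout counters as stated in the lesson; allowed range 1..99.
LOCKOUT_DEFAULTS = {"login/fails_to_session_end": 3, "login/fails_to_user_lock": 12}

# Constructed instance profile fragment ("parameter = value", '#' comments).
SAMPLE_PROFILE = """\
# constructed sample, not a real instance profile
login/min_password_lng = 8
login/min_password_digits = 0
login/min_password_letters = 1
login/min_password_specials = 1
login/min_password_diff = 3
login/fails_to_session_end = 3
login/fails_to_user_lock = 12
login/password_expiration_time = 90
"""


def parse_profile(text):
    """Return {parameter: value} from profile text, skipping comments and blanks."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def effective_policy(params, policy_attributes=None):
    """Standard values come from the profile parameters (0 when unset); a
    security policy overrides only the attributes it explicitly defines."""
    policy = {attr: int(params.get(param, 0)) for param, attr in PARAM_TO_ATTRIBUTE.items()}
    policy.update({attr: int(val) for attr, val in (policy_attributes or {}).items()})
    return policy


def check_password(new, policy, old=None):
    """Return the sorted list of policy attributes the new password violates."""
    counts = {
        "MIN_PASSWORD_LENGTH": len(new),
        "MIN_PASSWORD_DIGITS": sum(c.isdigit() for c in new),
        "MIN_PASSWORD_LETTERS": sum(c.isalpha() for c in new),
        "MIN_PASSWORD_SPECIALS": sum(not c.isalnum() for c in new),
        "MIN_PASSWORD_LOWERCASE": sum(c.islower() for c in new),
        "MIN_PASSWORD_UPPERCASE": sum(c.isupper() for c in new),
    }
    # login/min_password_diff applies only when the user changes the password,
    # not to new users or administrator resets, where there is no old password.
    if old is not None:
        # simplified positional comparison of old and new password
        differing = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
        counts["MIN_PASSWORD_DIFFERENCE"] = differing
    return sorted(attr for attr, have in counts.items() if have < policy[attr])


def check_lockout_parameters(params):
    """Return the lockout parameters whose value lies outside 1..99."""
    findings = []
    for name, default in LOCKOUT_DEFAULTS.items():
        value = int(params.get(name, default))
        if not 1 <= value <= 99:
            findings.append(name)
    return findings


if __name__ == "__main__":
    params = parse_profile(SAMPLE_PROFILE)
    standard = effective_policy(params)
    # Policy "Digits": only MIN_PASSWORD_DIGITS is changed, from 0 to 4.
    digits = effective_policy(params, {"MIN_PASSWORD_DIGITS": 4})
    print(check_password("Welcome!", standard))                  # []
    print(check_password("Welcome!", digits))                    # ['MIN_PASSWORD_DIGITS']
    print(check_password("Welcome!", standard, old="Welcome1"))  # ['MIN_PASSWORD_DIFFERENCE']
    print(check_lockout_parameters(params))                      # []
```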

SAP Single Sign-On (SSO)


SAP SSO provides simple, secure access to IT applications for business users. It offers
advanced security capabilities to protect your company data and business applications. SAP
SSO provides the following key features and capabilities:

Simple and secure access


- Single sign-on for native SAP clients and web applications
- Single sign-on for mobile devices
- Support for cloud and on-premise landscapes

Secure data communication


- Encryption of data communication for SAP GUI
- Digital signatures
- FIPS 140-2 certification of security functions

Advanced security capabilities


- Two-factor authentication
- Risk-based authentication using access policies

- RFID-based authentication
- Hardware security module support

In addition to these capabilities, SAP SSO supports multiple authentication modes. The
modes include:

Single sign-on
- Authenticate once to an authentication server (Active Directory, AS ABAP, and so on).
- A security token confirms identity for each subsequent login to business applications.

Multiple sign-on
- User authenticates each time when accessing a business application.
- Authentication is performed against a central authentication server, not the business
application itself.

Multi-factor authentication
- In addition to knowledge of information (password), authentication requires a physical
element (possession of mobile phone, RSA SecurID card, and so on).

These key capabilities and supported authentication modes provide the framework for SAP
SSO to support authentication scenarios with Microsoft Windows and Windows Domain
security, authentication with SAP and third-party applications using X.509 digital certificates,
cross-organization authentication with Identity Federation using Security Assertion Markup
Language (SAML), and SAP SSO for mobile devices using SAP Authenticator. For additional
information on these supported scenarios, go to http://help.sap.com/nwsso.
There are various mechanisms for authenticating users on the SAP NetWeaver platform with
SSO. Examples of these mechanisms include the following:

User ID and password

Logon Tickets

Secure Network Communications (SNC)

Client certificates

Security Assertion Markup Language (SAML)

Java Authentication and Authorization Service (JAAS)

Examples of Login-Related SSO Parameters


login/accept_sso2_ticket
Permits/prevents logon with an SSO ticket.

login/create_sso2_ticket
Permits the generation of SSO tickets.

login/password_change_for_SSO
Mandatory password change when using SSO.


Note:
SAP recommends that customers do not implement new end-user single sign-on
solutions based on SAP Logon Tickets. SAP Logon Tickets are no longer
considered a strategic technology for SAP. They have transitioned into
maintenance mode and will not be extended or enhanced.
Customers should replace SAP Logon Ticket technology with industry and
technology standards such as Kerberos/SPNEGO, X.509 certificates and Security
Assertion Markup Language (SAML) tokens where technically possible.
Customers can use the SAP Single Sign-On solution which supports these
standards.
Refer to SAP Note 2117110 - Recommendation to Replace SAP Logon Tickets with
SAP Single Sign-On Solution
SSO mechanism and configurations are covered in the course ADM960 - SAP
NetWeaver Application Server Security.

Hint:
For a detailed explanation of the parameter settings for each supported scenario,
see the SAP SSO Implementation Guide:
http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf

LESSON SUMMARY
You should now be able to:

Check login-related parameters



Unit 3
Lesson 5
Describing the User Management Engine
(UME) in SAP NetWeaver AS for Java

LESSON OVERVIEW
This lesson describes the fundamentals of the User Management Engine (UME) and explains
the user and UME group concept in the SAP NetWeaver Application Server for Java of a dual
stack SAP system.

Business Example
Your company is running a dual stack system with both ABAP and Java. As a member of the
security team, you have to understand the UME and understand how the user and roles in
SAP NetWeaver AS for ABAP relate to those of SAP NetWeaver AS for Java.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe the User Management Engine (UME) and UME groups

The User Management Engine

Figure 60: User Store And Data Sources

Lesson: Describing the User Management Engine (UME) in SAP NetWeaver AS for Java

In many SAP solutions (for example, SAP Solution Manager 7.1), the SAP NetWeaver
Application Server for Java and the ABAP stack must be used together. If you use both the
ABAP and the Java runtime environment together, the UME of the SAP NetWeaver AS for Java
points to a client of the ABAP system as its default data source.
SAP NetWeaver AS for Java provides an open architecture supported by service providers for
the storage of user and group data.
The SAP NetWeaver AS for Java is supplied with the following service providers (user store):

Database Management System (DBMS) provider


This is used for storage in the system database.

Universal Description, Discovery and Integration (UDDI) provider


This is used for storage using external service providers.

UME provider
This is used to provide connection of the integrated UME.

The DBMS and UDDI providers implement standards and therefore ensure that SAP
NetWeaver AS for Java is Java 2 Enterprise Edition (J2EE)-compliant. When SAP NetWeaver
AS for Java is installed, SAP’s own UME is always set up as the user store and is the preferred
choice for most SAP customers. The UME is the only way to flexibly set up and operate user
and authorization concepts.
Some important features of the UME are as follows:

The UME has its own administration console for administering users. It allows the
administrator to perform routine tasks of user administration, such as creating users and
groups, assigning roles, and other actions.

The UME provides security settings that can be used to define password policies, such as
minimum password length and the number of incorrect logon attempts before a user is
locked.

The UME uses an export or import mechanism by which user data can be exchanged with
other (SAP NetWeaver AS Java or external) systems.

The UME logs important security events, such as a user’s successful logons or incorrect
logon attempts, and changes to user data, groups, and roles.

Hint:
The communication between the UME and the ABAP user management in a dual
stack system is performed with the SAPJSF user. After an installation, the
SAPJSF user has the ABAP role SAP_BC_JSF_COMMUNICATION_RO, which
provides read access from the UME to the ABAP user management. To provide
write access to the user, add the role SAP_BC_JSF_COMMUNICATION.

UME Groups

Figure 61: UME Groups

Users created in ABAP can be seen in the UME and PFCG. If you assign a PFCG role to a user
in the ABAP system, you can see it in the UME group.
Additional information can be found in the SAP NetWeaver Application Server for Java
Security Guide at
https://help.sap.com/saphelp_nw74/helpdata/en/57/d8bfcf38f66f48b95ce1f52b3f5184/frameset.htm

LESSON SUMMARY
You should now be able to:

Describe the User Management Engine (UME) and UME groups



Unit 3

Learning Assessment

1. When no default value is assigned to the authorization field of an authorization object in
SU24, the status of the authorization in the Profile Generator displays in red.
Determine whether this statement is true or false.

X True

X False

2. For which of the following tasks is it appropriate to use transaction SU24?
Choose the correct answers.

X A To correct authorization objects that have unacceptable default values

X B To assign an authorization group to a transaction

X C To change default values so that they are appropriate for all the roles that use the
same transaction

X D To correct authorization objects that are not linked to the transaction codes
correctly

3. Which of the following reports can be found in the User Information System?
Choose the correct answers.

X A User overview

X B Authorizations

X C Audit logs

X D Change documents

4. DDIC is the maintenance user for the ABAP Dictionary and software logistics.
Determine whether this statement is true or false.

X True

X False

Unit 3: Learning Assessment

5. Which of the following are characteristics of the default super user SAP*?
Choose the correct answers.

X A To secure SAP* against unauthorized use, delete the user from transaction SU01.

X B SAP* is not subject to authorization checks.

X C SAP* has the password PASS.

X D SAP* is programmed in the system kernel.



Unit 3

Learning Assessment - Answers

1. When no default value is assigned to the authorization field of an authorization object in
SU24, the status of the authorization in the Profile Generator displays in red.
Determine whether this statement is true or false.

X True

X False

2. For which of the following tasks is it appropriate to use transaction SU24?
Choose the correct answers.

X A To correct authorization objects that have unacceptable default values

X B To assign an authorization group to a transaction

X C To change default values so that they are appropriate for all the roles that use the
same transaction

X D To correct authorization objects that are not linked to the transaction codes
correctly

3. Which of the following reports can be found in the User Information System?
Choose the correct answers.

X A User overview

X B Authorizations

X C Audit logs

X D Change documents

4. DDIC is the maintenance user for the ABAP Dictionary and software logistics.
Determine whether this statement is true or false.

X True

X False

Unit 3: Learning Assessment - Answers

5. Which of the following are characteristics of the default super user SAP*?
Choose the correct answers.

X A To secure SAP* against unauthorized use, delete the user from transaction SU01.

X B SAP* is not subject to authorization checks.

X C SAP* has the password PASS.

X D SAP* is programmed in the system kernel.



UNIT 4 Logs in AS ABAP

Lesson 1
Configuring and Using the Security Audit Log 88

Lesson 2
Monitoring AS ABAP Using Logs 99

UNIT OBJECTIVES

Describe the Security Audit Log

Check the configuration of the Security Audit Log

Monitor applications in AS ABAP

Monitor the WebFlow (or workflow) log

Monitor data changes in tables

Monitor transports in the change and transport system

Monitor changes in user and authorizations

Monitor read access



Unit 4
Lesson 1
Configuring and Using the Security Audit Log

LESSON OVERVIEW
This lesson describes the configuration and usage of the Security Audit Log. It gives examples
of how to use the log and what to look for when reading the log.
In addition, this lesson introduces the options for monitoring security alerts available with
Technical Monitoring via SAP Solution Manager, or from Computer Center Management
System (CCMS). In this class, we will focus on how to use the CCMS monitoring tools using
transaction RZ20 to monitor security-related alerts in one or more SAP systems.

Business Example
While auditing your system, you want to start by discovering the types of actions occurring on
the system. You are interested in logons by users, logons by remote users, and the start of a
specific transaction.
The security audit log can assist you in discovering the activities occurring on your SAP
system.
You can set up Security Auditing in AS ABAP and define filters to monitor specific clients or
individuals and include those system activities that interest you. With security auditing
enabled, auditors can use the AIS tools to investigate specific security problems or events.
You want to monitor the Security Audit Log within the context of your entire landscape and
be alerted if there are problems. Computer Center Management System provides monitors
that, when configured, raise alerts when events occur that indicate security-sensitive activity
or security breaches.
Custom security monitors can watch for such activities across system boundaries and
throughout an entire solution landscape. For this reason, you require the following knowledge:

An understanding of the requirements for configuring the Security Audit Log

An understanding of how to read the security audit log

An understanding of how to use a security alert monitor in CCMS

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe the Security Audit Log

Check the configuration of the Security Audit Log

Introduction to the Security Audit Log


The Security Audit Log is designed for auditors who need to monitor the activities that occur
in the SAP system. By activating the audit log, you keep a record of the activities that you
consider relevant for auditing. You can then access this information for evaluation in an audit
analysis report.

Lesson: Configuring and Using the Security Audit Log

The main objectives of an audit log are as follows:


To record security-related changes to the SAP system environment (for example, changes
to user master records)

To record information that provides a higher level of transparency (for example, successful
and unsuccessful logon attempts)

To record information that enables the reconstruction of a series of events (for example,
successful or unsuccessful transaction starts)

You can record the following information in the Security Audit Log:
Successful and unsuccessful dialog logon attempts

Successful and unsuccessful Remote Function Call (RFC) logon attempts

Remote Function Calls (RFCs) to function modules

Successful or unsuccessful transaction starts

Successful and unsuccessful report starts

Changes to user master records

Changes to audit configuration

Security Audit Log Architecture

Figure 62: Security Audit Logging

The Security Audit Log keeps a record of security-related activities in SAP systems. The SAP
system records this information daily in an audit file on each application server. To determine
what information is written to this file, the audit log uses filters that are stored in memory in a
control block.

Unit 4: Logs in AS ABAP

When an event occurs that matches an active filter (for example, a transaction start), the
audit log generates a corresponding audit message and writes it to the audit file. A
corresponding alert is also sent to the CCMS alert monitor. Details of the events are provided
in the Security Audit Log’s audit analysis report, as shown in the figure.

Caution:
SAP systems maintain their audit logs on a daily basis. The system does not
delete or overwrite audit files from previous days; it keeps the files until you
manually delete them.
Due to the amount of information that can accumulate, you must archive these
files on a regular schedule and delete the originals from the application server.
Use transaction SM18 to archive or delete old audit log files.

Audit File and Audit Record


The audit files are located on the individual application servers. You define the name and
location of the files in the rsau/local/file profile parameter. When an event occurs that should
be audited, the system generates a corresponding audit record or message and writes it to
the file.

The audit record contains the following information (if it is known):


Event identifier (a three-character code)

SAP user ID and client

Terminal name

Transaction code

Report name

Time and date when the event occurred

Process ID

Session number

Miscellaneous information

You define the maximum size of the audit file in the rsau/max_diskspace/local profile
parameter. The default value is 1 megabyte (MB), or 1,000,000 bytes. When the maximum
size is reached, the auditing process stops.

Using the Audit Log and Configuring the Audit Log


The system administrator or the security administrator is responsible for configuring the
audit log. While the auditor can use the log to research logon attempts, transaction starts, and
other activities, the auditor normally cannot configure the Security Audit Log.

Note:
To observe the configuration, use your power user ADM950-##. To look at the log
from the perspective of the auditor, use the audit user GRP##-AUDIT

Users who work on the audit log have the following responsibilities:
The system administrator or the security administrator configures the audit log.

The system auditors and the security administrators use the audit log.

Security Audit Filters Configuration

Figure 63: Security Audit Filters Configuration

The system administrator or the security administrator defines the events you want to audit
in filters. The SAP system stores this information in a control block located in the
application server's shared memory and uses it to determine which audit messages are
written to the audit file.

Security audit filters consist of the following selection criteria:


Client

User

Audit class

Events

The audit classes are as follows:


Dialog logon

RFC/CPIC logon

RFC

Transaction start

Report start

User master change

You can specify the weight of events to audit as follows:


Audit only critical

Audit severe and critical

Audit all events

You specify the information you want to audit in filters that you can either:
Create and save filters permanently in the database

Change filters dynamically on one or more application servers

If you decide to create and save filters permanently in the database by using static filters, all
of the application servers use identical filters to determine which events should be recorded in
the audit log. You have to define the filters only once for all application servers. You can also
define several different profiles that you can activate alternatively.

Note:
When using a static filter, you must restart the instance before the filter is set to
active.

You can dynamically change the filters that are used to select the events to audit. The system
distributes these changes to all active application servers. You do not need to restart the
instance for the filters to be active. Dynamic filters are not saved for reuse after the system
stops or starts.

Maintaining Static Filters

To define static filters, set the following parameters:

Table 12: Profile Parameters for Static Filters

rsau/enable
  This parameter enables the Security Audit Log.

rsau/max_diskspace/local
  This parameter defines the maximum space to allocate for audit files.

rsau/selection_slots
  This parameter defines the number of filters to allow for the Security Audit Log.

Configuring Dynamic Audit Filters

Figure 64: Dynamic Audit Filters Configuration

The figure shows the screen used to configure dynamic security audit filters.
Dynamic filters enable you to respond to real-time events in your system environment, setting
traps that can help you address a security problem. With dynamic filters, you change the
filters used to select the events to audit while the system is running, and the system
distributes these changes to all active application servers.

To define dynamic filters, set the following parameters:

Table 13: Profile Parameters for Dynamic Filters

rsau/max_diskspace/local
  This parameter defines the maximum space to allocate for audit files.

rsau/selection_slots
  This parameter defines the number of filters to allow for the Security Audit Log.

Defining Filters
In filters, you define the events that the security audit log should record.

You can specify the following information in filters:


User and SAP system client

Audit class (for example, dialog logon attempts or changes to user master records)

Event (for example, critical or important)

You can define filters that you can save in static profiles in the database (refer to the
procedure for maintaining static profiles), or you can define them dynamically for one or more
application servers (refer to the procedure for setting dynamic filters).

Audit Analysis Report

Figure 65: Running the Security Audit Report

The Security Audit Log generates an audit analysis report that contains the audited activities.
Use the audit analysis report to analyze the events that have occurred and been recorded on a
local server, a remote server, or all servers in the SAP system.
The audit analysis report generated by the Security Audit Log is similar to the system log. You
can view the contents of the audit files from the audit analysis report. When viewing the audit
log, you can use the Detail Sel. button on the Events tab page to determine which specific
events to record. You can also use the Detail Sel. button to see which events SAP considers
critical, severe, or noncritical.
To read the Security Audit Log, use transaction SM20. The menu path in the AIS is
System Audit → Top 10 Security Reports → Security Audit Log Assessment.

Deleting Old Audit Files


The Security Audit Log saves its audits to a corresponding audit file on a daily basis.
Depending on the size of your SAP system and the filters specified, you may have an
enormous quantity of data within a short period of time.

Note:
SAP recommends that you archive your audit files on a regular basis and delete
the original files as necessary.

You can either delete the files from all application servers or only from the local server where
you are working. If an application server is not currently active, it will be included in the next
reorganization.

Perform the following steps to delete old audit files:


1. To access the Security Audit Log reorganization tool, on the SAP Easy Access screen,
choose Tools → Administration → Monitor → Security Audit Log → Reorganization (or
transaction SM18).

2. Enter the minimum age of the files to delete. The default value is 30 days.

Note:
The default value must be more than 3.

3. Select the To all active instances checkbox to delete the audit files from all application
servers. Do not select the checkbox if you want to delete only the files on the local
application server.

4. Select the Simulation only checkbox if you do not actually want to delete the files. In this
case, the action is only simulated.

5. Choose Program → Execute.

The system deletes the corresponding audit files unless you choose to simulate. You receive a
list that shows how many files were deleted and how many were retained on each application
server.

Caution:
This process deletes only audit log files. It does not perform any other
administrative tasks such as archiving. If archives are necessary for future
references, you must manually archive the files before deleting them. You cannot
delete files that are less than three days old.

The Security Audit Log


The audit analysis report is divided into the following sections:
Introductory information

Audit data

Statistical analysis

Contents

In the introductory information of the report, you find the selection options applied to the
audit file to generate the audit analysis report (for example, from date and time, to date and
time, users, and classes).
After the introductory information in the report, the audit data is shown. The audit data
contains information about each audit event found in the audit file that applies to your
selection criteria depending on your display configuration.

The audit data contains the following information for each audit event found in the audit
file:
Date

Time

Instance

Category (dialog or batch)

Message number

Audit class code (for example, a dialog logon attempt belongs to class number 002)

User

Transaction code

Terminal number

Summary information is included at the end of the audit data (for example, the number of
records read, number of records selected, and audit file names).
If you select the With statistical analysis checkbox in the display options, a statistical analysis
completes the report with more detailed information.

The information included in a statistical analysis is as follows:


Instance statistics (when analyzing all instances)

Client statistics

Report statistics

Transaction statistics

User statistics

Message statistics

A list of contents is provided at the end of the report.
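A toy model of the filter selection described under Security Audit Filters Configuration and of the statistical analysis in the report, as an added example in Python (not SAP code): two constructed filters (client, user, audit class, weight) are applied to constructed audit events, and the recorded events are counted per user, transaction, client and message. The event identifiers (X01 and so on), users, terminals and instance name are constructed placeholders, not SAP message IDs.

```python
"""Toy model of Security Audit Log filtering and the report's statistical
analysis. Added example, not SAP code: the filter criteria follow the lesson
(client, user, audit class, weight); event identifiers, users, terminals and
instance names are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatch

# Event weights in ascending order; a filter records every event whose weight
# is at or above the level its weight setting names.
WEIGHT_RANK = {"noncritical": 0, "severe": 1, "critical": 2}
WEIGHT_SETTING = {
    "only_critical": "critical",       # "Audit only critical"
    "severe_and_critical": "severe",   # "Audit severe and critical"
    "all": "noncritical",              # "Audit all events"
}


@dataclass(frozen=True)
class AuditEvent:
    """One record as it would appear in the audit file."""
    date: str
    time: str
    instance: str
    client: str
    user: str
    audit_class: str   # dialog_logon, rfc_logon, rfc, transaction_start, ...
    weight: str        # critical, severe or noncritical
    message: str       # three-character event identifier (constructed here)
    tcode: str = ""
    terminal: str = ""


@dataclass(frozen=True)
class AuditFilter:
    """One filter slot; client and user accept generic entries with '*'."""
    client: str
    user: str
    audit_classes: frozenset
    weights: str       # key of WEIGHT_SETTING
    active: bool = True

    def matches(self, ev):
        threshold = WEIGHT_RANK[WEIGHT_SETTING[self.weights]]
        return (self.active
                and fnmatch(ev.client, self.client)
                and fnmatch(ev.user, self.user)
                and ev.audit_class in self.audit_classes
                and WEIGHT_RANK[ev.weight] >= threshold)


def record(events, filters):
    """Events selected by at least one active filter, i.e. the audit
    messages the system would write to the audit file."""
    return [ev for ev in events if any(f.matches(ev) for f in filters)]


def statistics(recorded):
    """Counts like the report's user, transaction, client and message statistics."""
    return {
        "users": Counter(ev.user for ev in recorded),
        "transactions": Counter(ev.tcode for ev in recorded if ev.tcode),
        "clients": Counter(ev.client for ev in recorded),
        "messages": Counter(ev.message for ev in recorded),
    }


# Constructed filters: all logon events in client 100, and critical
# transaction starts by ADM* users in any client.
SAMPLE_FILTERS = [
    AuditFilter("100", "*", frozenset({"dialog_logon", "rfc_logon"}), "all"),
    AuditFilter("*", "ADM*", frozenset({"transaction_start"}), "only_critical"),
]

# Constructed audit events (codes X01.. are placeholders, not SAP message IDs).
SAMPLE_EVENTS = [
    AuditEvent("20200401", "080001", "host_D00", "100", "JSMITH", "dialog_logon", "noncritical", "X01", terminal="PC01"),
    AuditEvent("20200401", "080130", "host_D00", "100", "JSMITH", "dialog_logon", "severe", "X02", terminal="PC01"),
    AuditEvent("20200401", "080200", "host_D00", "200", "JSMITH", "dialog_logon", "noncritical", "X01", terminal="PC01"),
    AuditEvent("20200401", "081500", "host_D00", "100", "ADM01", "transaction_start", "critical", "X03", tcode="SU01"),
    AuditEvent("20200401", "081530", "host_D00", "100", "ADM01", "transaction_start", "noncritical", "X04", tcode="SM20"),
    AuditEvent("20200401", "081600", "host_D00", "200", "JSMITH", "transaction_start", "critical", "X03", tcode="SU01"),
    AuditEvent("20200401", "082000", "host_D00", "100", "ADM01", "user_master_change", "severe", "X05"),
]


def sample_report():
    """Apply the constructed filters and return (recorded events, statistics)."""
    recorded = record(SAMPLE_EVENTS, SAMPLE_FILTERS)
    return recorded, statistics(recorded)


if __name__ == "__main__":
    recorded, stats = sample_report()
    for ev in recorded:   # the "audit data" part of the report
        print(ev.date, ev.time, ev.instance, ev.client, ev.user, ev.message, ev.tcode or ev.terminal)
    print(stats["users"], stats["transactions"])   # the "statistical analysis" part
```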

Reading the Security Audit Report – General View

Figure 66: Reading the Security Audit Report – General View

When viewing the audit log, all the tools of the ABAP List Viewer are available. You can sort the
report by user, transaction code, or message, and you can filter to look only at specific data.
You can also change the layout and download the data to Microsoft Excel. The format of
transaction SM20N provides you with all the tools you need to manipulate the report to meet
your needs.

Reading the Security Audit Report – Detailed View

Figure 67: Reading the Security Audit Report – Detailed View

To view details about a specific message, right-click the entry and choose Edit → Details. This
displays a detailed description of the message, including information such as the task name,
class, message documentation, and technical details of the audit record.

To Display the Audit Analysis Report

To display the audit analysis report, perform the following steps:

1. To access the Security Audit Log Analysis screen, choose
Tools → Administration → Monitor → Security Audit Log → Analysis, or run transaction
SM20.
The Security Audit Log: Local Analysis screen appears; local analysis is the default.

2. Enter any restrictions you want to apply to the audit analysis report in the appropriate
fields or by selecting the desired indicators (for example, From date/time, To date/time,
User, Transaction, Audit classes, or Events to select).

Hint:
Events are classified into three categories: critical, important, and noncritical.
Critical events are the most important. You can view only critical events,
critical and severe events, or all events.

3. Include or exclude specific messages from your report.


To include or exclude specific messages from your report, perform the following:

a) Choose Detailed Sel.

b) Choose the Audit events you want to record.

c) Choose Accept changes (the green check mark).

4. To read the security audit log, choose one of the following options:

Choose Security Audit Log → Re-read audit log to initially read or to replace a
previously read log.

Choose Security Audit Log → Re-display to view only the last audit log you read. For
example, you can change the Selection options to modify the audit analysis report
without having to re-read the log.

Choose Security Audit Log → Read audit log to merge new information using different
selection criteria with the current information in the audit analysis report.

The result is the audit analysis report containing the messages that correspond to your
selection criteria. By selecting an individual message, you can view more detailed information.

LESSON SUMMARY
You should now be able to:

Describe the Security Audit Log

Check the configuration of the Security Audit Log



Unit 4
Lesson 2
Monitoring AS ABAP Using Logs

LESSON OVERVIEW
This lesson explains the logs that you can use to monitor various applications running in AS
ABAP. Auditors typically do not themselves use these logs, but you need to ensure that
access to these logs is configured appropriately and assigned to the right person.

Business Example
Many logs are written throughout SAP systems. You need to know which logs to use to ensure
that access is appropriately granted. For this reason, you require the following knowledge:

An understanding of the SAP logs that apply to your implementation

An understanding of how to use SAP logs to support audit controls and monitoring

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Monitor applications in AS ABAP

Monitor the WebFlow (or workflow) log

Monitor data changes in tables

Monitor transports in the change and transport system

Monitor changes in users and authorizations

Monitor read access


Application Log

Figure 68: Application Log

As a security auditor or an administrator, it is not your job to monitor application logs.

However, you must be able to answer the following questions about an application log:
What is an application log?

Who uses an application log?

Where can you find an application log?

An application log includes application messages, just like the system log includes system
messages. Application logs are used heavily in SAP Business Suite and SAP Business
Warehouse Management. The application log traces application events and tasks, and reports
on their activity (for example, transfer of data from SAP ERP Central Component (ECC) to
SAP APO).
The application log traces the user who initiated the transfer, the time when the transfer was
made, and the items that were transferred. The application log provides a detailed error
message for queues with errors.
The developer (or an application expert who has the knowledge) uses the application log for
troubleshooting and to monitor the daily operation. You analyze the application log using
transaction SLG1.
Application logging records the progress of the execution of an application; this allows you to
reconstruct the execution later, if required. The system log records only system events, and
the application log records only application-specific events. Use transaction SLG0 to define
entries for your own applications in the application log, and use transaction SLG1 to analyze
the application log.



Lesson: Monitoring AS ABAP Using Logs

The application log is a table structure consisting of several tables. Applications write their
entries to these tables using SAP function modules. These modules are protected by the SAP
authorization concept. To understand the application log, you first need to understand the
application process that writes data into the log.
For more information about application processing and the application log, see https://help.sap.com/viewer/fe143c646c5510148906c2564726e947/7.02.22/en-US/2afa0216493111d182b70000e829fbfe.html. On the portal, search for BC Extended Applications Functions Library → Create application log.

Note:
You can use transaction SLG2 to delete old application logs.

From a system auditor’s perspective, the application log contains specific messages for an
application. If you are not an expert in the application, you might not understand individual
messages. However, you must ensure that someone in the application is monitoring
messages and responding to them in an appropriate manner.

WebFlow/Workflow Logging

Figure 69: Logging WebFlow/Workflow Execution

As a security auditor or an administrator, it is not your job to monitor the WebFlow logs.
However, you should have a basic knowledge of the logs.

You must be able to answer the following questions about WebFlow logs:
What is a WebFlow log?

Who uses a WebFlow log?

Where can you find a WebFlow log?

The WebFlow log (or workflow log) includes all activities that have occurred due to the
execution of the workflow. It includes each step in the workflow, the user who executed the
step, the action that occurred, and the time frame in which the execution took place.


The workflow administrator who is responsible for the workflow uses the WebFlow log. Each
user who participates in the WebFlow can also look at logs in the Business Workplace. To view
logs, choose Office → Workplace. To analyze the workflow log, use transactions SWI5,
SWI2_FREQ, and SWI1.
You use the WebFlow Engine in SAP Business Workflow to automate business processes.
These processes can be simple release or approval procedures, or more complex business
processes, such as the creation of a material master and the associated coordination of the
departments involved.
The WebFlow Engine is suitable for situations in which work processes run repeatedly, or for
situations in which the business process requires the involvement of many agents in a specific
sequence.
You also use the WebFlow Engine to respond to errors and exceptions in other existing
business processes. You can start a workflow when predefined events occur, for example, an
event can be triggered if an automatic check finds particular errors.
SAP provides several workflows that map predefined business processes. These workflows
do not require much configuration. The WebFlow Engine uses the existing transactions and
functions of the SAP system; it does not change those functions. You can combine the
existing functions of the SAP system to form new business processes with the WebFlow
Engine. The workflow system controls business processes.
The technology and tools required to automate the control and processing of cross-
application processes are included in the SAP Business Workflow functions to provide logging
and analysis functions. These activities are not used in application logging.
The analysis functions in SAP Business Workflow are also protected by the SAP authorization
concept.
As the auditor, your job is to ensure that someone is monitoring the workflow log. You also
ensure that there are no old and incomplete workflows. To completely understand the
workflow log, you need workflow experience; however, you can use the log to observe how
many workflows are executing. You must ensure that someone is monitoring the log.

Hint:
For a more detailed look at SAP Workflow monitoring, see Monitoring, Analysis
and Troubleshooting Workflow at https://help.sap.com/viewer/fe143c646c5510148906c2564726e947/7.02.22/en-US/2afa0216493111d182b70000e829fbfe.html


Change Document Logging

Figure 70: Logging Change Documents

As a security auditor or an administrator, it is not your job to monitor change document
logs.

You must be able to answer the following questions about change documents:
What is a change documents log?

Who uses a change documents log?

Where can you find a change documents log?

Changes are logged as they occur in many applications in the SAP system.

The following applications, among others, log changes:


Logistics

Sales and distribution

Purchasing

Materials management

Users who use the application daily can review the changes in a change documents log.
Change documents are stored on several tables. The header table is CDHDR. Each
application has its own transaction to review change documents, for example, MM04 for
material changes and VD04 for customer changes. Normally, the menu option is Display
Changes.
The data in an SAP system frequently changes. It is often useful, or even necessary, to be able
to trace the changes made. If changes are logged, you can find out what was changed, when it
was changed, and how the change was made at any time. This can sometimes simplify the
analysis of errors. In Financial Accounting, for example, change documents are used to
facilitate auditing.
A change document tracks changes to an SAP object. The change document is created
independently of the actual database change.


The change document structure consists of the following components:

Change document header
The header data of the change to an object ID in a particular object class is stored in the
change document header. The change document number is automatically issued.

Change document item
The change document item contains the old and new values of a field for a particular
change and a change flag.
The change flag can take the following values:
- U(pdate)
  Data was changed by an update. (Log entry for each changed field that was flagged in
  the ABAP Dictionary as change document-relevant.)
- I(nsert)
  Data was inserted.
  Changes: Log entry for the whole table record.
  Planned changes: Log entry for each table record field.
- D(elete)
  Data was deleted. (Log entry for the whole table record.)

Change document number
The change document number is issued when a change is logged, that is, when the change
document header is created by the function module for change document creation
(function group SCDO).

To view change documents for an object, you can also use the transaction SCDO.
For more information about change documents, see https://help.sap.com/viewer/c14d25a8f471453590980dbb47a2aa0e/7.4.15/en-US/48d1c0eff6c96745e10000000a421937.html?q=change%20documents.
What do change documents mean to you, the system auditor? Because change documents
are used so heavily in an SAP ECC system, they can help you to debug authorization errors.
As each change is recorded, you can quickly ascertain who has been making changes to the
data.
This ability can be critical in discovering why a change was made that perhaps should not
have been made. From the AIS role, you can use Repository/Tables Audit → Change
Documents → Display Change Documents to review the changes that have been made.


Table Logging

Figure 71: Table Logging

Your analysis of logged Customizing objects allows you to answer the following questions
about Customizing setting changes:
Who made a change?

What was changed?

When was the change made?

Logs are analyzed by object, which means that the changes can be shown in their
Customizing context, not just technically at the table level. You can delete or archive the
change logs. If you archive the change logs, ensure that the analysis includes the archived
change logs.

Caution:
For performance reasons, production data changes should not be logged.

You should be able to answer the following questions about logging changes to table
data:
What is the table changes log?

Who uses the table changes log?

Where can you find the table changes log?

You can turn on logging for specific tables and use a table changes log to monitor changes to
the data in the table. Power users who are monitoring the changed data can review the table
changes log. The table changes log is available using transaction SCU3.


You use the logging flag to define whether changes to the data records of a table should be
logged. If logging is switched on, each change to an existing data record (with UPDATE or
DELETE) by the user or the application program is recorded in the database in the log table
DBTABPRT.
It is recommended that you activate the logging of changes to table data for those tables that
are critical or susceptible to audits. You must activate this logging explicitly.

To log changes in tables, enable the following:


You must enable table logging in the SAP system with the rec/client parameter. This
parameter specifies whether the SAP system logs changes to table data in all clients or
only in specific clients.
The possible values of rec/client parameter are as follows:
- rec/client = ALL logs all clients
- rec/client = 000 [,....] logs the specified clients
- rec/client = OFF turns logging off

In the technical settings (use transaction SE13), set the Log data changes flag for those
tables that you want to have logged.

Note:
To activate table logging completely, you also have to activate it for changes to
table entries coming within transports. Otherwise, table logging is incomplete. You
can control this setting using the rec_client for tp parameter.
Another option to activate the logging in transport is to make the entry,
r3transoptions = recclient="XXX", in the transport control profile. The XXX entry
can have the same value as the profile parameter rec/client.

Caution:
Logging slows down accesses that change the table. First, a record must be
written in the log table for each change. Second, several users access this log
table in parallel. This can cause lock situations, even though the users are
working with different application tables.

If both of these conditions are met, the database logs table changes in the DBTABPRT table. It
is not sufficient to set only the Log data changes flag for recording table changes. You must
also set the rec/client parameter.

Note:
Although SAP delivers predefined settings, you generally have to modify them to
meet your requirements. Use the RSTBHIST report to obtain a list of those tables
that are currently set to be logged. Use transaction SE13 to change the Log data
changes flag for these or other tables.

What does table logging mean to you, the system auditor? Specific table logging can be
helpful to you during an audit. If you care about high-profile tables, such as critical IMG
configuration tables, use the table log to ascertain how the table is being changed and who is
making the changes. Logging can have a significant impact on performance, so it should be
performed on an as-needed basis.
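The two conditions described above (the rec/client parameter and the table's Log data changes flag), together with the transport-side recclient setting, as an added Python model that is not part of the course material or SAP code. The table names, client numbers, and the rule that an unset transport value means an imported change is not logged are constructed assumptions for the example.

```python
"""Table-logging check (added example, not SAP code).

Models the two conditions this lesson gives for a table change to reach
the log table DBTABPRT: the rec/client profile parameter (ALL, OFF, or a
list of clients) and the table's 'Log data changes' technical setting in
SE13. For changes imported by transport, the transport profile's recclient
value is evaluated instead (assumption: an unset transport value means the
import is not logged). All table names and values below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

RecClient = Union[str, frozenset]  # "ALL", "OFF", or a frozenset of clients


@dataclass(frozen=True)
class TableSettings:
    name: str
    log_data_changes: bool  # the SE13 'Log data changes' flag


def parse_rec_client(value: Optional[str]) -> RecClient:
    """Normalise a rec/client (or transport recclient) value.

    "ALL" and "OFF" are returned as-is; '000, 100' becomes a frozenset of
    three-digit client numbers. None (parameter not set) is treated as OFF.
    """
    if value is None:
        return "OFF"
    text = value.strip().strip('"').upper()
    if text in ("ALL", "OFF"):
        return text
    clients = frozenset(c.strip() for c in text.split(",") if c.strip())
    if not clients or any(not (c.isdigit() and len(c) == 3) for c in clients):
        raise ValueError(f"invalid rec/client value: {value!r}")
    return clients


def client_is_recorded(setting: RecClient, client: str) -> bool:
    """Does this rec/client setting cover the given client?"""
    if setting == "ALL":
        return True
    if setting == "OFF":
        return False
    return client in setting


def change_is_logged(table: TableSettings, rec_client: Optional[str], client: str,
                     via_transport: bool = False,
                     tp_recclient: Optional[str] = None) -> bool:
    """True if an UPDATE/DELETE on `table` in `client` is written to DBTABPRT.

    Both conditions must hold: the table flag alone is not sufficient, and
    neither is the parameter alone.
    """
    if not table.log_data_changes:
        return False
    governing = tp_recclient if via_transport else rec_client
    return client_is_recorded(parse_rec_client(governing), client)


def unlogged_critical_tables(tables: Iterable[TableSettings], critical: Iterable[str],
                             rec_client: Optional[str], client: str,
                             tp_recclient: Optional[str] = None) -> List[str]:
    """One audit finding per critical table whose changes would escape the log,
    checking direct changes first and transport imports second."""
    by_name = {t.name: t for t in tables}
    findings = []
    for name in critical:
        table = by_name.get(name)
        if table is None:
            findings.append(f"{name}: table not found")
        elif not change_is_logged(table, rec_client, client):
            findings.append(f"{name}: direct changes not logged")
        elif not change_is_logged(table, rec_client, client,
                                  via_transport=True, tp_recclient=tp_recclient):
            findings.append(f"{name}: transport imports not logged")
    return findings


# Constructed sample: three customer tables, production client 100.
SAMPLE_TABLES = (
    TableSettings("ZCFG_LIMITS", log_data_changes=True),
    TableSettings("ZCFG_APPROVERS", log_data_changes=False),
    TableSettings("ZLOG_SCRATCH", log_data_changes=False),
)
CRITICAL_TABLES = ("ZCFG_LIMITS", "ZCFG_APPROVERS")

if __name__ == "__main__":
    # rec/client covers client 100, but the transport profile has no recclient.
    for finding in unlogged_critical_tables(SAMPLE_TABLES, CRITICAL_TABLES,
                                            "000,100", "100"):
        print(finding)
```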

Table Logging Setup

To check the table change logging, perform the following steps:

1. Choose Tools → ABAP Workbench → Development → ABAP Dictionary.

2. Enter the name of the table whose log settings you want to check.

3. Choose the Display pushbutton.

4. Choose Goto → Technical Settings.

5. Ensure the Log data changes checkbox is selected.

Hint:
All Customizing tables are automatically recorded by default.

To activate the table log, perform the following steps:


1. Run transaction SE12.

2. Enter the table name.

3. Choose the Change pushbutton.

4. Select the Log data changes checkbox.

5. Save your entries.

In the IMG logging, you can list the tables with automatic change logging. To record table
changes automatically, allow data change logging.

To display the logged tables, perform the following steps:

1. Choose Tools → Customizing → IMG → IMG Logging.

2. Choose List Logged Tables.

3. Choose Evaluate Logs.

For more information about logging changes to tables, see SAP Notes 1916 and 112388. SAP
Note 112388 provides guidelines on which tables to log from an FI perspective.
For more information about the activation of table logging, see https://help.sap.com/viewer/795d2aa039194a87a7eca419d4b950eb/7.3.15/en-US/d36bc334-c9bc-4a52-bb2d-314c7547913d.html?q=table%20change%20logging.

Transport Logs
This section discusses the logs made with the Change and Transport System and it
answers the following questions:
What are transport system logs?

Who uses transport logs?

Where can you find transport logs?


There are several ways to monitor transport activities in an SAP system using the Transport
Management System (TMS). The following list provides a brief overview of each of these
options:

Transport Logs
The transport logs are stored in the subdirectory logs of the transport directory, for
example \usr\sap\trans\logs. You can open the transport logs in the display of transport
requests (transactions SE01 or SE09), in the import queue, or directly in the file system.

TMS Alert Log
TMS Alert Viewer displays information about all imports that were started using the
Transport Management System. This includes alerts as well as additional information
about imports.

Computing Center Management System (CCMS) Alert Monitor and Technical Monitoring
with Solution Manager
CCMS and Technical Monitoring display alerts from different areas of the system,
including the Transport Management System.

Import History
The import history provides an overview of all imports into the SAP system.

Export History
The export history provides an overview of all exports from the SAP system.

Table Change Logging
If the parameter RECCLIENT is set to a client in the system profile and in the transport
profile, the system logs any table changes made in the specified client. To do this, you
must set the transport profile parameter RECCLIENT to <client> on the Transport Tools
tab in the TMS configuration for the system.

A transport system log monitors all the changes that are migrated from development to
production. The user makes the changes and the system administrator monitors these logs.
Users can view the logs using transactions SE09 and SE10. You can also view the logs at the
operating system where they are physically held (/usr/sap/trans).
It is important to keep track of all the changes made to your production system. In addition to
application logging, change documents, and table recording, any changes that you make to
your production system using the Change and Transport System are documented in
transport logs.

Table 14: Logs Created by the Change and Transport System

Log (File or SAP System Table)             Description
<transport directory>/data                 Data files containing the contents of the transport
<transport directory>/cofiles              Status files containing a list of transport steps
<transport directory>/log                  Logs containing the keys of the transported objects
Table E070 in the SAP system               Header information for the transport request
Tables E071 and E071K in the SAP system    Object list and keys from table entries

Note:
Because the transport directory is a central location that contains most of the
transport information, SAP recommends that you regularly archive its contents
and keep the archives for auditing purposes.

In addition, the SAP system version management records a history of changes made to
repository objects (programs and Data Dictionary objects).
What do transport logs mean to you, the system auditor? Transport logs will be most helpful
for specific issues you need to debug. For example, a problem occurs in production. The
problem is related to a change in the IMG configuration. You can use the transport logs to
determine what was recently transported, what changes were made by the transports, and
why the changes were implemented.

Hint:
For more information on monitoring transport activities, see SAP NetWeaver
Application Server for ABAP Security Guide at https://help.sap.com/viewer/864321b9b3dd487d94c70f6a007b0397/7.51.3/en-US/de6b0d9ff34d11d3a6510000e835363f.html?q=monitoring%20transport%20activities.

Logs of User and Authorization Data Changes

Figure 72: Review Change Logs for Users


This section discusses the logs of changes made to user and authorization data, and it
answers the following questions:
What are user and authorization logs?

Who uses user and authorization logs?

Where can you find user and authorization logs?

User and authorization logs record the changes that are made to users, authorizations, and
profiles. The security administrator monitors these logs. All SAP systems log the changes
made by a user administrator. As users and roles are created and maintained, all changes to
users, authorizations, and profiles are logged.
You can view the logs using transaction SUIM or in the Information System under
Tools → Administration → User Maintenance → Information System → Change Documents.
You can also view the logs in the Audit Information System (AIS). For users, you can see the
creation, deletion, locking, and profile changes.
What do user change logs mean to you, the system auditor? You use these change logs often
to detect the users who have been changed and the roles that have been changed. These
change logs are the logs you access most frequently.
As of SAP NetWeaver 7.5, changes in the software architecture of authorization maintenance
have eliminated the limit in the number of profiles that you can assign to a user or to the
number of values a generated PFCG authorization can have.
These changes in profiles and authorization values have changed the tables for these
elements in the following ways:

1. Profile assignments used to be recorded in tables USR04 and UST04. Table USR04 is now
only used for some header information. Change logs are no longer recorded in USH04.

2. Authorization values used to be written in tables USR12 and UST12. Table USR12 is now
only used for some header information. Change logs are no longer recorded in USH12.

Change logs for profiles and authorization values are now recorded in the central change logs
(CDPOS, CDHDR, and related tables).

Read Access Logging


Data privacy is about protecting and restricting access to personal data. In some countries,
data privacy regulations even require that access to certain personal data be reported.
Companies and public institutions may also want to monitor access to classified or other
sensitive data for their own reasons.
Read Access Logging is used to monitor and log read access to sensitive data. This data may
be categorized as sensitive by law, by external company policy, or by internal company policy.
The Read Access Logging framework can thus be used to fulfill legal or other regulations, to
detect fraud or data theft, for auditing purposes, or for any other internal purpose.

Typical Questions
The following questions might be of interest for an application that uses Read Access
Logging:

Who accessed the data of a given business entity (for example, a bank account)?

Who accessed personal data (for example, of a business partner)?

Which employee accessed personal information (for example, a person’s religion)?


Did anyone search, for example, for VIPs who were admitted to hospital?

Which accounts or business partners were accessed by which users?

These questions can be answered using information about who accessed particular data
within a specified time frame.
Technically, this means that all remote API and UI infrastructures (that access the data) must
be enabled for logging. Read Access Logging is currently limited to the following channels.

Channels Available in Read Access Logging

Remote Function Calls (sRFC, aRFC, tRFC, qRFC, bgRFC)

Dynpro

Web Dynpro

Web services

When an application is started, the Read Access Logging configuration is read. It indicates
whether the current remote-enabled function module, Web service operation, or Web Dynpro
UI element is log-relevant, and to what extent.

Note:
The performance of your system depends upon the amount of data you log, as
well as the complexity of the conditions you specify for which data is logged.

Configuration of Read Access Logging

To configure Read Access Logging, you use the Read Access Logging Manager
(transaction SRALMANAGER).
Before you can use the Read Access Logging Manager, you must activate the Read Access
Logging services (SRALMANAGER, SRALMONITOR, SRALCONFIG) in transaction SICF. This is
shown in the figure Activating a Service.


Figure 73: Activating a Service

Figure 74: Read Access Logging Manager

To log read access data, you must define the following:

Logging purpose
A way to classify each log entry: for example, "Finance records."

Logging domain
A way to classify and group each field that appears in a log entry: for example, "Finance -
Sales data".


Configuration
You configure Read Access Logging to determine what read access to data is logged and
under which conditions.

Enabling in client
By default, Read Access Logging is disabled. In each client in which you want to use Read
Access Logging, you have to enable it. You can create configurations for Read Access
logging even if it is not enabled, but the logging will be ignored.

Recordings
Manage recordings of application user interfaces such as Web Dynpro or Dynpro.

User Exclusion List (optional)
Exclude specific users from Read Access Logging.

Administrative log (optional)
Display changes made to the Read Access Logging configuration and evaluate errors and
warnings.

Read Access Logging configurations are the core of the setup and maintenance of Read
Access Logging. You can specify one or more configurations for the objects you want to log.
Logging purposes and logging domains are just ways to classify and organize logs and the
fields in them.
For each Read Access Logging configuration, you specify the following:

A log context
A log context is the key field that other fields are related to within the logging session. For
example, the log context of a configuration for an HR application may be the employee
number.

One or more log groups
A log group is a collection of fields that are displayed in the same log entry (based on the
logging purpose). For example, in Web services, the fields are elements of the underlying
Web service message; in Web Dynpro, the fields are UI elements of Web Dynpro
applications.

One or more conditions (optional)
Conditions are the rules you define for when the fields in the log group are logged.
Conditions contain expressions, which are built using select options. If a log group
contains no conditions, then every read access to the fields in the log group is logged.
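The configuration elements just listed (enabling per client, the user exclusion list, the log context, log groups and optional conditions) as an added Python decision model; this is illustrative code written for this handbook page, not SAP's Read Access Logging implementation. The HR field names, logging purposes, sample access, and the EQ/BT condition options are constructed for the example.

```python
"""Read Access Logging decision model (added example, not SAP code).

Walks the elements this lesson lists -- enabling per client, the user
exclusion list, and a configuration made of a log context, log groups and
optional select-option conditions -- to decide which fields of one read
access end up in a log entry. Field names, logging purposes, the sample
access and the EQ/BT condition options are constructed; the real framework
is configured in SRALMANAGER, not in code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Condition:
    """Select-option rule: sign 'I' (include) or 'E' (exclude);
    option 'EQ' (equals low) or 'BT' (between low and high)."""
    field_name: str
    sign: str
    option: str
    low: str
    high: Optional[str] = None

    def matches(self, record: Dict[str, str]) -> bool:
        value = record.get(self.field_name)
        if value is None:
            return False
        if self.option == "EQ":
            hit = value == self.low
        elif self.option == "BT":
            hit = self.low <= value <= (self.high or self.low)
        else:
            raise ValueError(f"unsupported option {self.option!r}")
        return hit if self.sign == "I" else not hit


@dataclass(frozen=True)
class LogGroup:
    purpose: str                     # logging purpose shown on the entry
    fields: Tuple[str, ...]          # fields displayed in one log entry
    conditions: Tuple[Condition, ...] = ()

    def applies(self, record: Dict[str, str]) -> bool:
        # No conditions: every read access to the group's fields is logged.
        return all(c.matches(record) for c in self.conditions)


@dataclass(frozen=True)
class Configuration:
    channel: str          # "RFC", "Dynpro", "Web Dynpro" or "Web service"
    log_context: str      # key field the other fields relate to
    groups: Tuple[LogGroup, ...]


@dataclass(frozen=True)
class RalClient:
    enabled: bool
    excluded_users: frozenset
    configurations: Tuple[Configuration, ...]


def log_entries(client: RalClient, channel: str, user: str,
                record: Dict[str, str]) -> List[dict]:
    """Return the log entries that one read access produces in this client."""
    if not client.enabled:
        return []  # configurations may exist, but logging is ignored
    if user in client.excluded_users:
        return []  # user exclusion list
    entries = []
    for cfg in client.configurations:
        if cfg.channel != channel:
            continue
        for group in cfg.groups:
            accessed = {f: record[f] for f in group.fields if f in record}
            if not accessed or not group.applies(record):
                continue
            entries.append({"purpose": group.purpose, "user": user,
                            "context": (cfg.log_context, record.get(cfg.log_context)),
                            "fields": accessed})
    return entries


# Constructed sample: an HR Web Dynpro application keyed by employee number.
SAMPLE_CLIENT = RalClient(
    enabled=True,
    excluded_users=frozenset({"BATCH_HR"}),
    configurations=(Configuration(
        channel="Web Dynpro",
        log_context="EMPLOYEE_ID",
        groups=(
            # Religion is logged on every read: no conditions.
            LogGroup("HR - Religion", ("RELIGION",)),
            # Salary reads are logged only for the executive personnel area.
            LogGroup("HR - Salary", ("SALARY",),
                     (Condition("PERSONNEL_AREA", "I", "EQ", "EXEC"),)),
        ),
    ),),
)
SAMPLE_ACCESS = {"EMPLOYEE_ID": "00012345", "RELIGION": "undisclosed",
                 "SALARY": "120000", "PERSONNEL_AREA": "EXEC"}
```

Calling `log_entries(SAMPLE_CLIENT, "Web Dynpro", "ALICE", SAMPLE_ACCESS)` yields two entries, one per log group; the same access by the excluded user, through a channel without a configuration, or in a client where logging is not enabled yields none.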


Figure 75: Read Access Logging Configuration

You use the Read Access Logging Monitor to display the Read Access Log. You can run
transaction code SRALMONITOR to open the Read Access Logging Monitor. Alternatively, you
can go to the Read Access Logging Manager (transaction code SRALMANAGER) and choose
Read Access Log on the Monitor tab page.

Table 15: SAP Roles for Read Access Logging

To work with Read Access Logging, the following roles are delivered by SAP:

Role                                    User / Description
SAP_BC_RAL_ADMIN_BIZ (template)         A template role for business administrators of
                                        Read Access Logging. It contains the authorizations
                                        for all configuration, monitoring, and archiving
                                        tasks.
SAP_BC_RAL_ADMIN_TEC (template)         A template role for technical administrators of
                                        Read Access Logging.
SAP_BC_RAL_ANALYZER (template)          A template role for Read Access Logging analyses.
                                        It contains the authorization for the Read Access
                                        Logging Monitor.
SAP_BC_RAL_CONFIGURATOR (template)      A template role for Read Access Logging
                                        configuration. This role allows users to access and
                                        change the RAL configuration, but it prohibits
                                        access to the read access logs themselves.
SAP_BC_RAL_SUPPORTER (template)         A template role for configurations of Read Access
                                        Logging. It contains the same authorization objects
                                        as SAP_BC_RAL_ADMIN_BIZ, but all activities are
                                        display only.

For more information about Read Access Logging, refer to https://help.sap.com/viewer/6f3ce46d6c4b1014a4a3b2483edb0caf/7.01.22/en-US.

LESSON SUMMARY
You should now be able to:

Monitor applications in AS ABAP

Monitor the WebFlow (or workflow) log

Monitor data changes in tables

Monitor transports in the change and transport system

Monitor changes in users and authorizations

Monitor read access



Unit 4

Learning Assessment

1. What information can be recorded in the security audit log?


Choose the correct answers.

X A Remote Function Calls (RFCs) to function modules

X B Changes to profile parameters

X C Changes in user master records

X D Changes to the audit configuration

2. Which of the following can you specify in the security audit filter selection criteria?
Choose the correct answers.

X A Client

X B User

X C User Group

X D Audit Class

X E Events

3. The application log traces application events and tasks, and reports on the activities. If
there is a failure in the application, the application log provides detailed error messages.
Determine whether this statement is true or false.

X True

X False



Unit 4: Learning Assessment

4. The workflow log includes all activities due to the execution of the workflow. It includes
each step in the workflow, the user who executed the step, the action that occurred, and
the time frame in which the execution took place. The administrator must ensure that
there are no old and incomplete workflows.
Determine whether this statement is true or false.

X True

X False

5. Which of the following do you need to set up if you want to log changes to tables?
Choose the correct answers.

X A Configure the profile parameter rec/client

X B Select the Log Data Changes checkbox for the table you want to log

X C Set up change documents

X D Configure system auditing

6. A change document tracks changes to an SAP object. Which of the following information
can be found in a change document item?
Choose the correct answers.

X A Change flag

X B Old value

X C New value

X D Authorization flag

7. Change documents record the changes that occur to users, authorizations, and profiles.
Determine whether this statement is true or false.

X True

X False


8. Which of the following can be used to monitor and log read access to classified or sensitive
data?
Choose the correct answer.

X A Change documents

X B Audit Information Cockpit

X C Read access logging

X D System audit



Unit 4

Learning Assessment - Answers

1. What information can be recorded in the security audit log?


Choose the correct answers.

X A Remote Function Calls (RFCs) to function modules

X B Changes to profile parameters

X C Changes in user master records

X D Changes to the audit configuration

2. Which of the following can you specify in the security audit filter selection criteria?
Choose the correct answers.

X A Client

X B User

X C User Group

X D Audit Class

X E Events

3. The application log traces application events and tasks, and reports on the activities. If
there is a failure in the application, the application log provides detailed error messages.
Determine whether this statement is true or false.

X True

X False



Unit 4: Learning Assessment - Answers

4. The workflow log includes all activities due to the execution of the workflow. It includes
each step in the workflow, the user who executed the step, the action that occurred, and
the time frame in which the execution took place. The administrator must ensure that
there are no old and incomplete workflows.
Determine whether this statement is true or false.

X True

X False

5. Which of the following do you need to set up if you want to log changes to tables?
Choose the correct answers.

X A Configure the profile parameter rec/client

X B Select the Log Data Changes checkbox for the table you want to log

X C Set up change documents

X D Configure system auditing

6. A change document tracks changes to an SAP object. Which of the following information
can be found in a change document item?
Choose the correct answers.

X A Change flag

X B Old value

X C New value

X D Authorization flag

7. Change documents record the changes that occur to users, authorizations, and profiles.
Determine whether this statement is true or false.

X True

X False


8. Which of the following can be used to monitor and log read access to classified or sensitive
data?
Choose the correct answer.

X A Change documents

X B Audit Information Cockpit

X C Read access logging

X D System audit



UNIT 5 Security in System Administration Tasks

Lesson 1
Securing System Administration Services 123

Lesson 2
Securing External System Access and RFC Communications 141

UNIT OBJECTIVES

Secure background job scheduling

Secure spool and other administration services

Secure Access to Remote Function Modules in your SAP AS ABAP Applications

Secure RFC Communications



Unit 5
Lesson 1
Securing System Administration Services

LESSON OVERVIEW
This lesson explains how to secure system administration tasks in production systems,
including tasks performed by power users or system administrators.
Examples of such tasks include looking at background jobs and spool lists, downloading
data from SAP to spreadsheets, and the system calls that are performed behind the scenes
when data leaves the SAP system, for example when a purchase order is sent to a vendor.

Business Example
Users execute many tasks that have an impact on system administration. All users need
some access to system administration authorization objects and some administration
transaction codes. For security reasons, you need to protect the system’s authorization
objects and the authorizations that can be accessed by users that are logged on to the
system. Only administrators and required persons should have the administrative powers
related to these objects and transaction codes.
As a security administrator or auditor, you need to understand what these tasks are and how
these tasks should be protected. For this reason, you require the following knowledge:

An understanding of how to secure background processing

An understanding of how to secure spool and print processing

An understanding of how to secure access to the operating system

An understanding of how to identify security needs for desktop downloads and program
file input or output

An understanding of how to structure security requirements for communication interfaces

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Secure background job scheduling

Secure spool and other administration services

Secure Background Scheduling


Background jobs can be used for different reasons, such as ERP runs, printing checks or
invoices, reports for users, and processing data from an external system. System
administrators can schedule background jobs, but there are other transaction codes in which
the user may be prompted to execute something in dialog or the background. If the user
chooses the background, the system creates a background job.



Unit 5: Security in System Administration Tasks

Issues to Consider for Background Jobs

Can users only create background jobs, or can they also release them?

Which user’s master records are used to execute a background job?

Which users can monitor background jobs, and what level of access do they have to
background jobs?

The primary transaction used to create background jobs is transaction SM36
(Tools → CCMS → Jobs → Definition). Transaction SM37
(Tools → CCMS → Jobs → Maintenance) is used to monitor background jobs.
However, there are other transactions that give the user a choice to schedule background
jobs. One of these transactions is transaction SA38, which can be accessed from any SAP
screen from the system menu (System → Services → Reporting).

Primary Authorization Objects Used in Background Processing

S_BTCH_JOB

S_BTCH_NAM

S_BTCH_ADM

S_RZL_ADM

Users Creating Background Jobs


Transaction SM36 is the primary transaction code for creating background jobs. There are
several other transaction codes that provide the option for background execution.
For a user to schedule a background job, no special authorizations are required. Sometimes,
an SAP transaction or report includes a menu path or a button, such as the Execute in
Background button. This enables the user to run the report in the background, which creates
a background job.

Hint:
If you want to see a specific example, check the Information Systems menu area.
Almost every transaction code available in the menu area enables the user to
schedule something in the background.
For a specific example, choose Information Systems → Logistics → Purchasing →
Vendor → Purchasing Values. Then, choose Vendor analysis → Execute in
background.

No special authorizations are required to create a background job. Without further
authorizations, however, the job is only scheduled, not released; in other words, it does not
execute until a user with release authorization releases it.



Lesson: Securing System Administration Services

User Scheduling a Report

Figure 76: User Scheduling a Report

To display a list of the people who can release or execute jobs, look for the S_BTCH_JOB
authorization object with the value RELE in the Job Action field.
Some companies give authorization to release background jobs immediately. This means that
a job is created and released for all users who have access through a transaction to execute
something in the background.
Other companies do not allow users to release jobs immediately. A user can schedule a job,
but someone else must review and release it. SAP supports both implementations. Company
policy should dictate who can release background jobs.

Users Running Background Jobs

Figure 77: User ID for Job Steps


When a background job is created, it is scheduled to run under the user ID of the person who
scheduled the job. Thus, if you execute a report as an end user, the scheduled job runs
under your user ID. If you are a power user or an administrator using transaction SM36 to
schedule background jobs, these jobs also run under your user ID by default.
The figure shows a background job with two steps. Each step is executed using a specific user
ID. The user ID can either be the same or different for each step.

Figure 78: Setting Up the User ID for a Job Step

In the figure, the SMITHJO user ID is used to execute the financial report program,
RFDKVF00. Normally, you do not want a user for a job step to be the same user as the person
who created the job. SAP recommends that you define specific users for background
processing and define them as system users (nondialog). The user IDs that are created
should have only the authorizations required for the background jobs they need to run.

Some of the reasons to use specific user IDs for background jobs are as follows:
The user ID is stable; the user never changes jobs or departments.

The password does not need to be reset when using a system user ID.

The user ID is used only for background processing. No one can log on interactively with
this user ID.

The user ID facilitates security administration and maintenance of the background
schedule.

Using specific system users for background jobs is recommended for several reasons. For
example, SMITHJO has scheduled a nightly background job that prints checks. If SMITHJO is
transferred from the accounts payable department to the collections department, SMITHJO
should no longer have access to print checks, and the background job fails under SMITHJO's
new authorizations.
In addition, if SMITHJO leaves the company and the user ID is locked by the security
administrator, the background job fails.


Setting up specific system users for background jobs assists with security administration and
maintenance of the background schedule.

Authorization Object – S_BTCH_NAM

Figure 79: Authorization Object – S_BTCH_NAM

The S_BTCH_NAM authorization object protects the user IDs under which job steps may be
executed. The User field lists the user IDs that can be assigned to job steps. In the
example, the user ID SMITHJO is listed in this field, so SMITHJO can be entered as the
executing user when a background job step is created.

Users Monitoring Background Jobs

Figure 80: Users Monitoring Background Jobs

For users who have access to transaction SM37 to monitor jobs, ensure that security is set up
correctly. Some background jobs have spool requests as part of their output. This could
include invoices that need to be printed and mailed out, checks that need to be mailed,
paystubs, and so on.


If users execute background jobs and go to transaction SM37 to monitor the jobs, they should
be able to see spool requests only from their own jobs and not from other jobs.
The best way to ensure this is to give users access to transaction SM37, but no additional
access, which means they do not have S_BTCH_ADM or S_BTCH_NAM. Users who display their
own spool requests with transaction SP02 and their own background jobs with transaction
SM37 need only the transaction codes SM37 and SP02 in authorization object S_TCODE.
No other authorization objects are required to view their own jobs and the spool output of
those jobs; without further authorizations, a user cannot see the jobs or spool requests of
other users.

Administering Background Jobs

Administering background jobs involves several tasks, including the following:


Defining background jobs

Maintaining the events used for background processing

Monitoring background jobs

Performing analysis of background jobs

Debugging and improving the performance of background jobs

SAP provides the SAP_BC_BATCH_ADMIN role, which gives the access that is required for
background jobs. This role has the transaction codes and authorizations that are required to
administer background jobs.
To support the SAP_BC_BATCH_ADMIN role, authorizations are needed to the authorization
objects, S_BTCH_JOB, S_BTCH_NAM, S_BTCH_ADM, and S_RZL_ADM.

Table 16: Minimum Authorizations Required to Administer a Background Job

Authorization Object | Field | Value
S_BTCH_JOB | Job Operations | DELE, RELE, SHOW, PROT
S_BTCH_JOB | Summary of jobs for a group | *
S_BTCH_NAM | Background user name | All the user IDs that can be used for scheduling background steps
S_BTCH_ADM | Background Administrator | Y
S_RZL_ADM | Activity | 01 (Create), 03 (Display)

Table 17: Functions of Authorization Objects

Authorization Object | Function
S_BTCH_JOB | Protects the actions that can be performed on background jobs. The administrator needs to release jobs, delete jobs, and display job details and job logs.
S_BTCH_NAM | Protects the user names that can be entered when background job steps are created. When a job is created, the user used for execution defaults to the user ID of the person creating the job; this object controls which other user IDs may be entered instead.
S_BTCH_ADM | Declares whether the user is a background administrator. A background administrator can perform operations on all jobs.
S_RZL_ADM | Required if the background job executes an external command or an external program.

Types of Job Steps

Figure 81: Types of Job Steps

Each step of a background job is of one of the following types:

ABAP program

External command
External commands are predefined scripts, commands, or programs at the operating
system level. External commands are protected by authorizations so that end users can
schedule only those commands to which they are assigned. For example, an operator
needs to execute an external command from SAP ERP that tells her how much disk space
is free on a particular drive, while someone who works in purchasing may need to execute
an external command to determine if a file has arrived from a vendor or partner.
You do not need to log on to the operating system to execute the commands.

External program
External programs are unrestricted commands that are neither predefined nor restricted
by authorizations. A user with administrator authorization can enter any operating system
command or program in such a job step.

To include external commands or external programs in a background step, you must have
activity 01 for the S_RZL_ADM authorization object. If the background job uses external
commands, you additionally need the S_LOG_COM authorization object. Because both step
types reach the operating system, they require additional security review.

To Define Users for Background Processing

To define users for background processing, perform the following steps:

1. Define specific users for background processing. Define them as system users (non-
dialog), and give them only the authorizations that are needed for the executed programs.

2. Separate the authorizations needed for job definition and job execution. The end user can
define the job steps, but the administrator executes the job.

Note:
To define the job steps that run under a different user, you need an
authorization for the S_BTCH_NAM authorization object. You should give this
authorization only to the batch administrator.

3. Restrict the batch administrators to run job steps using the previously defined batch
users.

4. Ensure that the job steps cannot be executed using any of the super users (for example,
SAP* and DDIC).

To Use Authorizations in Background Processing

The steps to use authorizations in background processing are as follows:

1. Ensure that the values for the authorization objects are used appropriately.


Table 18: Values for Authorization Objects

Object | Field | Value | Meaning
S_BTCH_JOB | Job operations | RELE | Release your own jobs automatically. If a user has no RELE authorization, the jobs remain in the Scheduled status.
S_BTCH_JOB | Job operations | DELE | Delete other users' jobs. You may delete your own jobs without any special authorization.
S_BTCH_JOB | Job operations | LIST | (not used)
S_BTCH_JOB | Job operations | SHOW | Display other users' job definitions.
S_BTCH_JOB | Job operations | PROT | Display the job logs. A user can either display no logs or all job logs; the system does not differentiate between your own jobs and other users' jobs.
S_BTCH_JOB | Summary of jobs for a group | * | Should always be *.
S_BTCH_NAM | Background user name | <user name that can be used when assigning a job step to a user ID> | Determines the user names that you can assign job steps to. For example, you are creating a background job that runs a financial report, and the job should run under the system user defined for FI reports. You must list that user here so that you can select it when creating the job in transaction SM36.
S_BTCH_ADM | Background administrator ID | Y | The user is the batch administrator and can do anything with jobs in all clients.
S_BTCH_ADM | Background administrator ID | N or blank | The user can work only with jobs in the current client.

2. A user with batch administrator privileges can do anything with the jobs in all clients (the
authorization object S_BTCH_ADM, the Batch administrator field is set to Y). Without this
authorization, users can work only on jobs in the client in which they are logged on.

3. All users can schedule, cancel, delete, or check the status of their own jobs with no
additional special authorizations.
Additional authorization objects are required for the following tasks:

To release one’s own batch jobs (S_BTCH_JOB - Action = RELE)

To show logs of all the jobs (S_BTCH_JOB - Action = PROT)

To assign ABAP programs to a job step (S_PROGRAM)

To assign a different user to a job step (S_BTCH_NAM)

4. Authorizations that allow a user to delete jobs or display information belonging to other
users are as follows:

Delete the jobs belonging to other users (S_BTCH_JOB - Action = DELE).

Display the job definitions and spool lists belonging to other users (S_BTCH_JOB -
Action = SHOW).

5. For the execution of external commands within jobs, the user needs an authorization for
the S_LOG_COM object.

Securing Spool and Print Processing


Spool, print, or fax can be used to print checks, purchase orders, reports, and so on.

When looking at spool and printing, you should check a few things, including the
following:

Ensure that printers are correctly secured.

Ensure that people can only see their spool requests.

Ensure that the management of physical printers and the spool system can be done only
by system administrators.

Define which printers you can print to (authorization object S_SPO_DEV).

Define which action is allowed with the spool requests (authorization object S_SPO_ACT).


Define who is allowed to administer the spool system (authorization object S_ADMI_FCD).

The primary areas that you secure with printing include, who can create printers, who can
manage the spool system, what printers users can use, and what actions users can take with
the spool requests.
From an audit perspective, the process of securing printers is simplified if most users are
given access to transaction SP02 to manage their own spool requests. Users can reach
transaction SP02 from the system menu by choosing System → Own Spool Requests. The only
authorization object required with transaction SP02 is S_SPO_DEV.
S_SPO_DEV protects the printers that a user can access. You must take note of the sensitive
printers and verify which users can access them. Sensitive printers are used for check
printing, invoice printing, payroll checks, financial reports, and employee data.
Transaction SP02 is the safest way to ensure that users can look only at their own spool
requests.
System administrators and spool administrators need additional transaction codes and
access to S_ADMI_FCD and S_SPO_ACT.

Table 19: Authorization Objects Used to Protect Spool and Print Processing

Authorization Object | Field | Value
S_ADMI_FCD | System Administration Function | SP01, SP0R, SPAA, SPAB, SPAC, SPAD, SPAM, SPAR, SPTD, and SPTR
S_SPO_ACT | Spool Actions | ATTR, BASE, DELE, PRNT, REDI, and REPR
S_SPO_ACT | Value for authorization check | __USER__

The S_SPO_ACT authorization object is very powerful. This object is checked only when you
try to access a spool request that does not belong to your user ID. In the Value for
authorization check field, the value __USER__ gives someone access to all users spool
requests.

Caution:
Anyone who has the S_SPO_ACT authorization object with the value LIST in
combination with the S_ADMI_FCD authorization object with the values SP01 or
SP0R can look at the data for every spool request.

SAP provides a role for a spool administrator, named SAP_BC_SPOOL_ADMIN, that is a good
example of what a system administrator needs to have. The minimum transactions required
for spool administration include SP01, SPAD, SP11, SP12, and RZ20. The authorizations in this
role include authorizations for objects S_ADMI_FCD, S_RZL_ADM, S_SPO_ACT, S_SPO_DEV,
and S_SPO_PAGE.
S_SPO_PAGE is an authorization object that enables you to limit the number of pages a user
can print to a specific printer. You do not need to implement this authorization object. There
are no SAP recommended audit criteria for this authorization object.


Securing Access to the Operating System


Access to the operating system must be set up very carefully, as the operating system hosts
your SAP installation. Examples of the operating systems supporting SAP include Windows,
UNIX, AS/400, Linux, and OS/390. Users can reach the operating system from inside the SAP
system by executing external commands.

Examples of external commands:


Use the database backup tools such as brbackup

Access the operating system environment commands

List the directories and space available on the operating system

Execute the saprouter

External commands can include any command that you execute at the operating system.
The maintenance and execution of external commands are protected by SAP authorizations.
External commands can be executed in ABAP programs, in the background job steps, or by
using transaction SM49.

External commands are created and executed with the following transaction codes:
SM69
Maintain (define, change, and delete) external commands.
SM49
Execute external commands.

Caution:
Every user with either programmer or debugging authorizations can execute any
of the operating system commands as user <SID>adm (UNIX) or
SAPService<SID> (Windows).


Definition of External Commands with SM69/SM49

Figure 82: Definition of External Commands with SM69

An external command is an alias defined in the SAP system that represents an operating
system command. For example, you can define the ZPING external command, which
represents the operating system command ping to ping a host name.
You can modify these external commands and set up additional security mechanisms. You
can also extend the range of the predefined commands supplied by SAP with your own
commands and parameters. However, SAP command names in the customer's system
cannot be changed.
To maintain external commands, use transaction SM69. To maintain external commands, you
need the S_RZL_ADM authorization object with the values 01 (create) and 03 (display) in the
Activity field.


Execution of External Commands

Figure 83: Execution of External Commands

To execute external commands, use transaction SM49 or SM69.


SAP systems contain detailed information for each external command, including the
operating system command, the predefined parameters in their full length, and information
about whether additional parameters are permitted.
Before the SAP system executes an external command, the additional parameters are
checked. If parameters that are not allowed are found, the system does not execute the
command and raises the SECURITY_RISK exception.

Users who execute external commands need to have the S_LOG_COM authorization
object in their user master records with the following fields defined:
Command (the name of the external command)

Opsystem (the operating system for the command)

Host (the symbolic host name of the target system)

The Command and Opsystem fields are used to uniquely identify the external command. The
Host field defines the authorizations for executing commands on certain target computers.
Be restrictive when assigning authorizations for external commands. Administrators must
control who has the authorization based on the S_LOG_COM authorization object because
programs can be accessed at the operating system level.
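As an added illustration (not SAP code and not part of the original course material), the following Python model shows the two controls described above: the S_LOG_COM authorization check on the Command, Opsystem and Host fields, and the screening of additional parameters before an external command alias such as ZPING is expanded into an operating system command. The command catalogue, the S_LOG_COM assignments and the set of forbidden characters are all constructed for this example; SAP's actual parameter check is not reproduced here.

```python
"""Model of external command execution controls (constructed example)."""
import shlex
from dataclasses import dataclass


class SecurityRisk(Exception):
    """Stands in for the SECURITY_RISK exception raised by the SAP system."""


@dataclass(frozen=True)
class ExternalCommand:
    name: str                 # alias defined in SM69, for example ZPING
    opsystem: str             # operating system the definition applies to
    os_command: str           # the real operating system command
    parameters: str           # predefined parameters fixed at definition time
    additional_allowed: bool  # may the caller append further parameters?


# Constructed command catalogue (the ZPING example comes from the text).
COMMANDS = {
    ("ZPING", "UNIX"): ExternalCommand("ZPING", "UNIX", "/bin/ping", "-c 3", True),
    ("ZDF", "UNIX"): ExternalCommand("ZDF", "UNIX", "/bin/df", "-h /usr/sap", False),
}

# Constructed S_LOG_COM authorizations: user -> {(COMMAND, OPSYSTEM, HOST)}.
# "*" is the usual SAP wildcard.
S_LOG_COM = {
    "OPERATOR": {("ZDF", "UNIX", "*"), ("ZPING", "UNIX", "appserver01")},
    "PURCHASER": {("ZDF", "UNIX", "appserver02")},
}

# Assumed set of characters that would let an appended parameter reach the
# shell as a second command, substitution, or redirection.
FORBIDDEN = set(";|&`$<>()\\'\"\n\r")


def _matches(value, pattern):
    return pattern == "*" or value == pattern


def authority_check(user, command, opsystem, host):
    """Emulates AUTHORITY-CHECK on S_LOG_COM for one command/OS/host triple."""
    return any(_matches(command, c) and _matches(opsystem, o) and _matches(host, h)
               for c, o, h in S_LOG_COM.get(user, set()))


def screen_additional(cmd, extra):
    """Reject additional parameters the command definition does not permit."""
    if not extra.strip():
        return []
    if not cmd.additional_allowed:
        raise SecurityRisk(f"{cmd.name}: additional parameters not permitted")
    bad = FORBIDDEN.intersection(extra)
    if bad:
        raise SecurityRisk(f"{cmd.name}: forbidden characters {sorted(bad)}")
    return shlex.split(extra)


def build_command(user, name, opsystem, host, extra=""):
    """Return the argv that would be executed on the target host, or raise."""
    cmd = COMMANDS.get((name, opsystem))
    if cmd is None:
        raise KeyError(f"external command {name}/{opsystem} is not defined")
    if not authority_check(user, name, opsystem, host):
        raise PermissionError(f"{user} lacks S_LOG_COM for {name} on {host}")
    return [cmd.os_command, *shlex.split(cmd.parameters), *screen_additional(cmd, extra)]


def try_command(user, name, opsystem, host, extra=""):
    """Convenience wrapper returning (status, detail) instead of raising."""
    try:
        return ("OK", build_command(user, name, opsystem, host, extra))
    except SecurityRisk as exc:
        return ("SECURITY_RISK", str(exc))
    except PermissionError as exc:
        return ("NO_AUTHORITY", str(exc))


if __name__ == "__main__":
    for args in [("OPERATOR", "ZPING", "UNIX", "appserver01", "10.0.0.5"),
                 ("OPERATOR", "ZPING", "UNIX", "appserver01", "10.0.0.5; cat /etc/passwd"),
                 ("OPERATOR", "ZDF", "UNIX", "appserver02", "/tmp"),
                 ("PURCHASER", "ZPING", "UNIX", "appserver01", "10.0.0.5")]:
        print(args[1], try_command(*args))
```

The point of the model is the order of the checks: the alias must exist for that operating system, the caller must hold S_LOG_COM for exactly that command, OS and host, and only then are caller-supplied parameters accepted, and only if the definition allows them and they contain nothing that the shell would interpret. A definition with additional parameters disallowed (ZDF above) is the safer default for any command whose fixed parameters already say everything it should do.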


Secure Desktop Downloads and Program Files Input/Output

Figure 84: Downloading Lists

SAP systems use the following ways to download lists:


The standard list download

Application-specific implementations for downloading

The standard list download is accessed either from the menu path
System → List → Save → Local File or through other implementations of function module
LIST_DOWNLOAD.
Application-specific implementations, such as a download to Microsoft Excel, are mechanisms
that individual applications use to implement their own download methods, which they protect
with their own authorization objects. These implementations use function module DOWNLOAD
or function module WS_DOWNLOAD.
Although you cannot prevent a user from saving data from a displayed list to a file, for
example, by creating a screenshot and saving it in a separate file, the S_GUI authorization
object is used to assist with download security.
S_GUI protects which users can download lists. However, it applies only to the standard
download and not to application-specific implementations. Additionally, if a user can
download lists, they can download all lists.

File Access with S_DATASET


There are times when an ABAP program must access a file on behalf of a user. The access
can be known or unknown to the user. For example, a user creates a purchase order that is
sent to the vendor.
In the example, purchase orders are placed in a file and sent out to the vendor. As a user
creates a purchase order, if the file is written immediately, the user must have authorization
to write files. File access from ABAP is protected by the S_DATASET authorization object, and
SAP recommends that all users have a minimal S_DATASET authorization. The minimum
activities required are 33 (read file) and A6 (read file with filter); writing a file, as in the
purchase order example, additionally requires the corresponding write activities, and the file
name should be restricted to the directories the program actually needs.


Guidelines for Securing System Administration Services in Production


General Guidelines
You must consider the following general guidelines for securing and auditing system
administration services in production:

Be aware of anyone who has debug authorization in production (authorization object
S_DEVELOP with object type DEBUG). Activity 02 (change), which allows field values to be
changed in the debugger, is prohibited.

Most users do not need access to S_BTCH_JOB, S_BTCH_NAM, S_BTCH_ADM,
S_RZL_ADM, and S_ADMI_FCD.

Guard the authorization object S_ADMI_FCD carefully. While administrators need
generous access to this object, most end users need only limited access.

For background jobs that run periodically, set up specific user IDs that are reserved only
for background processing.

SAP provides many roles and templates that can be used as a guideline for what users
need. Use those roles as a general guideline of the system access that a user may require.

Users in RFC destinations should be Communications or System users. Reserve these user
IDs for use in RFC destinations only.

Keep track of all users who can look at the data of spool requests for all users
(S_ADMI_FCD and S_SPO_ACT).

Be aware of who can execute and create external commands (S_RZL_ADM and
S_LOG_COM).
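Most of these guidelines reduce to questions about who holds which authorization values. The following Python script is an added example (not an SAP-delivered report, and not part of the original course) of the checks a security auditor can run over an extract of role authorization values: it implements the Table 18 checks on S_BTCH_JOB, S_BTCH_NAM and S_BTCH_ADM, the spool caution on S_SPO_ACT together with S_ADMI_FCD, the external command objects S_RZL_ADM and S_LOG_COM, and the debug rule above. The rows are constructed; they imitate the layout of tables AGR_1251 (role, object, field, low, high) and AGR_USERS (role, user), but the role names, users and values are invented for this example.

```python
"""Audit of administration authorizations over a constructed role extract."""

# Constructed rows in the layout of AGR_1251: (role, object, field, low, high).
AGR_1251 = [
    ("Z_BATCH_ADMIN", "S_BTCH_ADM", "BTCADMIN", "Y", ""),
    ("Z_BATCH_ADMIN", "S_BTCH_JOB", "JOBACTION", "DELE", ""),
    ("Z_BATCH_ADMIN", "S_BTCH_JOB", "JOBACTION", "RELE", ""),
    ("Z_BATCH_ADMIN", "S_BTCH_NAM", "BTCUNAME", "BATCH_FI", ""),
    ("Z_BATCH_ADMIN", "S_BTCH_NAM", "BTCUNAME", "DDIC", ""),      # job steps as DDIC
    ("Z_FI_CLERK", "S_BTCH_JOB", "JOBACTION", "RELE", ""),
    ("Z_SPOOL_VIEW", "S_SPO_ACT", "SPOACTION", "BASE", ""),
    ("Z_SPOOL_VIEW", "S_SPO_ACT", "SPOAUTH", "__USER__", ""),
    ("Z_SPOOL_VIEW", "S_ADMI_FCD", "S_ADMI_FCD", "SP01", "SP0R"),  # a value range
    ("Z_OS_CMD", "S_RZL_ADM", "ACTVT", "01", ""),
    ("Z_OS_CMD", "S_LOG_COM", "COMMAND", "*", ""),
    ("Z_DEV_PROD", "S_DEVELOP", "OBJTYPE", "DEBUG", ""),
    ("Z_DEV_PROD", "S_DEVELOP", "ACTVT", "02", ""),
]

# Constructed rows in the layout of AGR_USERS: (role, user).
AGR_USERS = [
    ("Z_BATCH_ADMIN", "JONES"),
    ("Z_FI_CLERK", "SMITHJO"),
    ("Z_SPOOL_VIEW", "SMITHJO"),
    ("Z_OS_CMD", "OPER1"),
    ("Z_DEV_PROD", "DEV7"),
]


def matches(low, high, value):
    """Authorization value match: '*' is everything, 'ABC*' a prefix, low..high a range."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def roles_with(rows, obj, field, value):
    """Roles whose authorization for obj/field covers the given value."""
    return {role for role, o, f, low, high in rows
            if o == obj and f == field and matches(low, high, value)}


def roles_with_object(rows, obj):
    """Roles that contain the object at all, whatever the field values."""
    return {role for role, o, *_ in rows if o == obj}


def users_of(assignments, roles):
    return {user for role, user in assignments if role in roles}


def audit(rows=AGR_1251, assignments=AGR_USERS):
    """Return {finding: sorted user list}. Roles are used as the unit of
    combination, which approximates SAP's check of field combinations inside
    one authorization instance and may over-report; it never under-reports."""
    def users(obj, field, value):
        return users_of(assignments, roles_with(rows, obj, field, value))

    findings = {
        "batch_admin": users("S_BTCH_ADM", "BTCADMIN", "Y"),
        "release_jobs": users("S_BTCH_JOB", "JOBACTION", "RELE"),
        "delete_others_jobs": users("S_BTCH_JOB", "JOBACTION", "DELE"),
        # step 4 of the procedure: no job step may run as SAP* or DDIC
        "step_user_superuser": users("S_BTCH_NAM", "BTCUNAME", "DDIC")
                               | users("S_BTCH_NAM", "BTCUNAME", "SAP*"),
        # caution in the spool section: __USER__ together with SP01 or SP0R
        "all_spool_data": users("S_SPO_ACT", "SPOAUTH", "__USER__")
                          & (users("S_ADMI_FCD", "S_ADMI_FCD", "SP01")
                             | users("S_ADMI_FCD", "S_ADMI_FCD", "SP0R")),
        "external_commands": users("S_RZL_ADM", "ACTVT", "01")
                             | users_of(assignments, roles_with_object(rows, "S_LOG_COM")),
        # debugging with change (activity 02) must not exist in production
        "debug_change": users_of(assignments,
                                 roles_with(rows, "S_DEVELOP", "OBJTYPE", "DEBUG")
                                 & roles_with(rows, "S_DEVELOP", "ACTVT", "02")),
    }
    return {name: sorted(found) for name, found in findings.items()}


if __name__ == "__main__":
    for name, found in audit().items():
        print(f"{name:22} {', '.join(found) or '-'}")
```

Each finding name maps to one guideline in the list above, so the output can be reviewed line by line against the policy. On a real system the same questions are answered with transaction SUIM, but an offline extract is what an auditor usually receives, and the matching rules (the `*` wildcard, trailing-`*` prefixes and low/high ranges) are what make the difference between a correct answer and a missed one.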

Authorizations in S_ADMI_FCD Authorization Object

The S_ADMI_FCD authorization object may contain authorization for following different
areas or functions in the system:
- System administration functions
- Spool administration
- SAPscript Font Maintenance
- TemSe Administration
- System monitoring
- liveCache administration

Possible Values for System Administration Functions Field of the S_ADMI_FCD Object
NADM
Network administration (using transactions SM54, SM55, SM58, and SM59)

PADM
Process administration (using transactions SM50, SM51, and SM04), interception of a
background job (debugging function in background job administration, transaction SM37)

SM02
Authorization to create, change, and delete system messages

SPAD
Authorization for spool administration in all clients

T000
Creation of new clients

S_ADMI_FCD is a powerful authorization object. It gives access to many system
administration functions. While system administrators need generous access to this object,
you need to be aware of the access granted by this authorization object. In particular, you
need to know which non-administrators have access to the authorization object. Users
who are not administrators should have little or no access. To check who has this
authorization object, use the User Information System (transaction code SUIM).
Consider using the following SAP role or template when assigning system authorizations to
your users:

SAP_USER_B is a template provided by SAP that includes basic system authorizations for
all users. This template does not include any access to S_ADMI_FCD.

SAP_BC_BASIS_ADMIN is a role provided by SAP for system administrators. It
provides broad access to S_ADMI_FCD.

Basis Authorization Required by Each User


The lesson discusses the administrative services that you need to protect. You have looked at
these services from the perspectives of the end user and the administrator. SAP provides a
role of basis functions for the end user, SAP_BC_ENDUSER, and a role for the system
administrator, SAP_BC_BASIS_ADMIN.
In addition to roles, SAP also provides templates. Templates are sets of authorizations that
can be inserted into any role. The SAP_USER_B template that is provided by SAP includes
basis authorizations that each user requires. From an auditor’s standpoint, the SAP_USER_B
template provides a good starting point to determine the authorizations that all users might
need for system administration tasks.

The SAP_USER_B template contains the following authorization objects, among others:
S_RFC

S_DATASET

S_SPO_DEV

S_PROGRAM

S_TABU_DIS

The SAP_USER_B template might provide a few more or a few less authorization objects or
authorizations than your users need, but it is a good reference point. To evaluate
authorizations inside SAP templates, choose Users and Authorizations Audit → Role
Administration → Authorization Default Values for Profile Generator (Customer Data), or enter
transaction code SU24 and then choose Authorization Template.

LESSON SUMMARY
You should now be able to:

Secure background job scheduling


Secure spool and other administration services



Unit 5
Lesson 2
Securing External System Access and RFC
Communications

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Secure Access to Remote Function Modules in your SAP AS ABAP Applications

Secure RFC Communications

SAP Applications Using RFC Communications Interface

Figure 85: SAP Applications Using RFC Communications Interface

In today's application ecosystem, business scenarios are becoming more and more
integrated across different platforms and software solutions. To be effective, the integration
between these scenarios and their respective business processes needs to be seamless.
Customers, partners, suppliers, and others have become accustomed to certain levels of
access to the data and functions provided by a company's SAP applications. The ability to
provide such access improves customer-to-business and business-to-business
communication. However, the interfaces and communication mechanisms used to provide
end-to-end service capabilities may leave your company at risk of unauthorized access to
company data.
In the SAP environment, SAP applications often use the RFC interface to communicate with
other SAP systems or with external systems. For example, if your company has an SAP
Business Information Warehouse system as well as an SAP ECC system, the SAP ECC system
must use RFCs to send data to the SAP BW system for analytical purposes.


RFC Destinations

Figure 86: RFC Destinations

SAP offers several interfaces that are based on the Remote Function Call (RFC) interface,
such as Application Link Enabling (ALE), Business Application Programming Interfaces
(BAPIs), and RFC function modules. In the SAP ERP system alone, over 38,000
remote-enabled function modules are delivered to support a wide range of business
scenarios and business functions. To provide remote access to these interfaces and function
modules, RFC destinations are created that define where each system is located and how it
can be accessed.
As an administrator, you must ensure that access to all remote enabled function modules is
protected and that the communication between systems is secure.

Securing Access to Remote Function Modules (RFMs) with SAP Unified Connectivity
(UCON)

Figure 87: The SAP Unified Connectivity (UCON)

The traditional approach to securing remote access to function modules is based on securing
access to an RFC destination using authorization checks. This approach is critical and will be
discussed in more detail later. SAP Unified Connectivity (UCON) provides enhanced
protection by adding a layer of access checks that are independent of users, roles, and
traditional authority checks involving the S_RFC authorization object.
The basic strategy employed with UCON is to reduce the total number of Remote Function
Modules (RFMs) in your SAP applications that are exposed to external connectivity. Of the
over 38,000 RFMs provided by SAP ERP solutions, many companies only need to expose a
few hundred RFMs to support their configured business scenarios. UCON provides a
framework to identify which RFMs are being used and to block access to all the others.
Blocking access to unnecessary RFMs can significantly reduce the ability of a potential
attacker to gain access via RFC communications.

Control External Exposure of Remote Function Modules

Figure 88: Control External Exposure of Remote Function Modules

The UCON approach to RFC security is designed to enhance the protection already provided
in the NetWeaver AS ABAP basis layer. UCON adds an additional layer of access checks,
independent of users and roles, to the standard authorizations provided via the S_RFC
authorization object. When an outside user tries to access a remote function module on a
system where UCON is configured, additional access validation is performed to check whether
the RFM in question is included in the default UCON component assembly. The component
assembly is generated after an evaluation of RFM usage to determine which RFMs should be
available for external access.
If the RFM is not contained within the default assembly and exposed, the external access
attempt is terminated. If the RFM is contained in the default assembly and is exposed, access
is granted and the security validation moves to the standard AS ABAP authority checks
against standard authorization objects.
UCON checks do not interfere with internal calls within the same client and system.


UCON Three Phase Configuration Procedure

Figure 89: UCON Three Phase Configuration Procedure

To set up and configure UCON, the following prerequisites are required:

1. Set the UCON/RFC/ACTIVE UCON profile parameter to value 1 to enable UCON runtime
validation checks for RFMs in the final phase.

2. Run the UCON setup to generate a default communication assembly (CA) and other
required entries.

3. Schedule the SAP_UCON_MANAGEMENT batch job, which selects the RFC statistic records
required by the UCON phase tool and persists them in the database.

Once all prerequisites have been completed, UCON provides a three-phase process and tool
set to help you determine which RFMs to expose and which need to be blocked. UCON adds
an additional layer of access checks, independent of the standard authorizations provided via
the S_RFC authorization object.

Phase 1: Logging

Figure 90: Phase 1: Logging

The first phase of the UCON process is to determine which RFMs are accessed from the
outside during a pre-defined period. All RFMs that have been called must be identified and
evaluated. The required timeframe depends on the scenarios and processes in use by the
customer. If all scenarios and processes typically run within a two-month period, then
logging should cover at least that timeframe.


Once logging has completed, transaction /NUCONPHTL can be used to display and filter the
results in order to determine which RFMs have been called. Next, each called RFM must be
evaluated further to determine whether or not the call is legitimate and related to productive
scenarios. SAP recommends that all identified RFMs be assigned to the default component
assembly (CA). Assignment to the default CA exposes the RFMs and makes them available to
be called via RFC from outside the system.

Phase 2: Evaluation

Figure 91: Phase 2: Evaluation

It is critical to ensure that UCON checks do not interfere with productive customer scenarios.
Blocking access to legitimate external access calls would disrupt normal productive
operations. In the UCON evaluation phase, simulation of the UCON runtime checks ensures
that all needed RFMs have been properly exposed and are available to support productive
operations.
The evaluation phase should be long enough to ensure that all required connectivity scenarios
have sufficient time to run once. Include recurring and annual closing scenarios and also
include an adequate safety margin to ensure that all needed RFMs are identified.
At the end of the evaluation phase, the customer reviews all RFM calls to determine whether
all needed RFMs are assigned to the default CA. Any RFMs identified which are not a part of
the default CA can be added, ensuring that no required RFMs are overlooked prior to the
activation phase.

Phase 3: Activation

Figure 92: Phase 3: Activation


After the Evaluation phase, all needed RFMs should be contained in the default CA. In the
Activation phase, runtime checks are activated by changing the phase assignment in the
UCON phase tool. Once active, these checks ensure that only RFMs contained in the default
CA are accessible from outside the system.

Note:
UCON is lifecycle enabled, meaning that it supports the SAP Landscape concept.
UCON is configured in both the DEV and PRD environments. The default CA is
generated and configured initially in the DEV system and transported to PRD. The
PRD system collects the UCON logging and evaluation statistics which are
exported in a .csv file format and uploaded to DEV. Changes and updates to the
default CA are then made in DEV and an updated default CA is transported to
production and activated for real time checks.
Further, since new RFMs will present themselves from time to time, either through
product updates, custom development or third party products, UCON
automatically assigns new RFMs to the logging phase to begin data collection for
ongoing maintenance of the default CA.
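The three-phase flow above (logging, evaluation, activation) together with the lifecycle note, as an added Python simulation that is not part of the course material or of SAP's UCON implementation: it reads a constructed .csv of RFC statistic records, derives the externally called RFMs, applies a reviewer's decision to build the default CA, simulates the evaluation phase, and then applies the final-phase checks. The phase names, CSV columns, system IDs and function module usage are assumptions of this example; the decision rules follow the lesson text, including that calls from the same client and system are never affected.

```python
import csv
import io
from collections import Counter

# Phase names assumed for this simulation: Logging, Evaluation, Final.
LOGGING, EVALUATION, FINAL = "logging", "evaluation", "final"

# Constructed stand-in for the RFC statistics exported from PRD as .csv
# (column names are this example's own, not SAP's export layout).
STATS_CSV = """rfm,caller_sid,caller_client,caller_user,calls
BAPI_SALESORDER_CREATEFROMDAT2,BWP,100,ALEREMOTE,412
RFC_READ_TABLE,EXT,000,WEBSVC,37
Z_SEND_PAYROLL_DATA,PRD,100,BATCHUSER,900
BAPI_USER_CHANGE,PRD,200,ADMIN1,5
BAPI_MATERIAL_GET_DETAIL,SRM,100,RFCSRM,2200
"""


def load_stats(text):
    """Parse the exported statistics into a list of dict records."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["calls"] = int(row["calls"])
    return rows


def is_external(rec, own_sid, own_client):
    """UCON only looks at calls from another system or another client."""
    return rec["caller_sid"] != own_sid or rec["caller_client"] != own_client


def register_new_rfms(phase_of, stats):
    """Lifecycle rule: an RFM seen for the first time starts in Logging."""
    for rec in stats:
        phase_of.setdefault(rec["rfm"], LOGGING)
    return phase_of


def advance_phase(phase_of, src, dst):
    """Move every RFM currently in phase src to phase dst (phase tool step)."""
    for rfm in list(phase_of):
        if phase_of[rfm] == src:
            phase_of[rfm] = dst
    return phase_of


def logging_phase(stats, own_sid, own_client):
    """Phase 1: which RFMs were called from outside, and how often."""
    counts = Counter()
    for rec in stats:
        if is_external(rec, own_sid, own_client):
            counts[rec["rfm"]] += rec["calls"]
    return counts


def build_default_ca(counts, approved):
    """Reviewer step: only externally used RFMs judged legitimate are exposed."""
    return {rfm for rfm in counts if rfm in approved}


def check_call(rec, own_sid, own_client, default_ca, phase_of):
    """Outcome of one call: internal, exposed, blocked or simulated_block."""
    if not is_external(rec, own_sid, own_client):
        return "internal"      # same client and system: UCON does not interfere
    if rec["rfm"] in default_ca:
        return "exposed"       # continues to the standard S_RFC authority check
    if phase_of.get(rec["rfm"], LOGGING) == FINAL:
        return "blocked"       # runtime check active and RFM not in the CA
    return "simulated_block"   # logged only; nothing is stopped before Final


def evaluation_phase(stats, own_sid, own_client, default_ca, phase_of):
    """Phase 2: RFMs the active checks would block; the reviewer adds or confirms each."""
    missing = set()
    for rec in stats:
        if check_call(rec, own_sid, own_client, default_ca, phase_of) == "simulated_block":
            missing.add(rec["rfm"])
    return sorted(missing)


def run_three_phases(own_sid="PRD", own_client="100"):
    """Walk the constructed statistics through Logging, Evaluation and Final."""
    stats = load_stats(STATS_CSV)
    phase_of = register_new_rfms({}, stats)
    counts = logging_phase(stats, own_sid, own_client)
    # Reviewer's decision (constructed): the web service's RFC_READ_TABLE calls
    # and the cross-client BAPI_USER_CHANGE calls belong to no productive scenario.
    approved = {"BAPI_SALESORDER_CREATEFROMDAT2", "BAPI_MATERIAL_GET_DETAIL"}
    default_ca = build_default_ca(counts, approved)
    advance_phase(phase_of, LOGGING, EVALUATION)
    missing = evaluation_phase(stats, own_sid, own_client, default_ca, phase_of)
    advance_phase(phase_of, EVALUATION, FINAL)   # activation: checks now enforced
    decisions = {rec["rfm"]: check_call(rec, own_sid, own_client, default_ca, phase_of)
                 for rec in stats}
    return counts, default_ca, missing, decisions


if __name__ == "__main__":
    for name, value in zip(("external calls", "default CA", "missing", "decisions"),
                           run_three_phases()):
        print(f"{name}: {value}")
```

Note that BAPI_USER_CHANGE, called from client 200 of the same system, counts as an external call and is blocked once the final phase is active, while the same-client batch call is never touched.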

SAP Unified Connectivity (UCON) Summary

Figure 93: SAP Unified Connectivity (UCON) Summary

LESSON SUMMARY
You should now be able to:

Secure Access to Remote Function Modules in your SAP AS ABAP Applications

Secure RFC Communications



Unit 5

Learning Assessment

1. Which of the following authorization objects can be used in background processing?


Choose the correct answers.

X A S_BTCH_JOB

X B S_SPO_DEV

X C S_BTCH_NAM

X D S_ADMI_FCD

2. Which of the following authorization objects is required to execute external commands?


Choose the correct answer.

X A S_BTCH_ADM

X B S_ADMI_FCD

X C S_EXT_ADM

X D S_LOG_COM

3. To properly secure external access to your SAP Applications the system administrator
should understand which of the following? Select all that apply.
Choose the correct answers.

X A Which remote functions are needed for productive operations.

X B Which internal stakeholders are the most important.

X C How to restrict access to remote functions that are not needed.

X D How to secure access to remote functions using the RFC interface.

4. SAP Unified Connectivity incorporates an additional layer of access checks independent
of the standard authorizations provided via the S_RFC authorization object.
Determine whether this statement is true or false.

X True

X False


5. SAP UCON check prohibits internal calls within the same client and system.
Determine whether this statement is true or false.

X True

X False

© Copyright. All rights reserved. 148


Unit 5

Learning Assessment - Answers

1. Which of the following authorization objects can be used in background processing?


Choose the correct answers.

X A S_BTCH_JOB

X B S_SPO_DEV

X C S_BTCH_NAM

X D S_ADMI_FCD

2. Which of the following authorization objects is required to execute external commands?


Choose the correct answer.

X A S_BTCH_ADM

X B S_ADMI_FCD

X C S_EXT_ADM

X D S_LOG_COM

3. To properly secure external access to your SAP Applications the system administrator
should understand which of the following? Select all that apply.
Choose the correct answers.

X A Which remote functions are needed for productive operations.

X B Which internal stakeholders are the most important.

X C How to restrict access to remote functions that are not needed.

X D How to secure access to remote functions using the RFC interface.

The system administrator needs to understand which remote functions are needed for
productive operations, how to restrict access to remote functions that are not needed and
how to secure access to remote functions using the RFC interface.


4. SAP Unified Connectivity incorporates an additional layer of access checks independent
of the standard authorizations provided via the S_RFC authorization object.
Determine whether this statement is true or false.

X True

X False

SAP Unified Connectivity incorporates an additional layer of access checks independent
of the standard authorizations provided via the S_RFC authorization object.

5. SAP UCON check prohibits internal calls within the same client and system.
Determine whether this statement is true or false.

X True

X False

SAP UCON check does not prohibit internal calls within the same client and system.



UNIT 6 Security in Change Management

Lesson 1
Securing Change Management 152

Lesson 2
Understanding Software Security Vulnerabilities 168

UNIT OBJECTIVES

Describe change management

Configure the system and client change settings

Verify security settings in transports and change management

Understand Security Vulnerabilities



Unit 6
Lesson 1
Securing Change Management

LESSON OVERVIEW
This lesson explains change management from a security perspective. It also discusses
controls that should be in place before releasing changes to production.

Business Example
System security encompasses the guarantee that production is safe and continues to remain
safe as changes are moved from a development environment into a production environment.
Configuration and Customizing changes (working with the Implementation Guide) and
programming changes are major parts of any SAP implementation.
A single incorrect language statement in a new program, whether placed there intentionally or
accidentally, can cause irretrievable data loss in a production system. You are responsible for
reporting on system security as it relates to careful change management in your systems. For
this reason, you require the following knowledge:

An understanding of how to describe the change management landscape, procedures, and
tools that protect your production systems from unauthorized or untested change

An understanding of how to identify systems and clients that are secured against
unauthorized or untested change

An understanding of how to outline the benefits of a Quality Assurance (QA) approval
system and of controlling the release of changes into production

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe change management

Configure the system and client change settings

Verify security settings in transports and change management

SAP System Landscape


Figure 94: Recommended Three-Tier System Landscape

To protect your production system from unwanted or incorrect changes, SAP recommends
that you take special care in separating your development system from the production
system. You must define policies and procedures for making changes and transporting them
into your production system. Avoid making changes in your production system.
In regard to your system landscape, SAP recommends a three-tier system landscape that
consists of separate development, quality assurance (QA), and production systems. The
three systems share a common transport directory. With this setup, you can thoroughly make
and test changes without interfering with your production operations. The figure shows the
recommended three-tier system landscape.

The Three-Tier System Landscape


With the three-tier system landscape, you can make various changes to your system,
including Customizing, in a separate development system. You export these changes to a
common transport directory. You then import these changes into a QA system, where you
can thoroughly test them. Once you are satisfied that the changes are safe, you can then
import them from the common transport directory into your production system.

The three-tier system landscape offers the following security advantages:


You ensure that changes take place in only one location, namely, the development system.

Your developers do not have access to production data.

You thoroughly test changes in a separate QA system before they take effect in your
production system.

You control the point in time when changes take effect in the production system.

You reduce accidental or unauthorized changes to production data by controlling when,
from whom, and from which systems transfers take place.

You can keep a record of changes for tracing or auditing purposes.


Note:
If you discover errors in the QA system that result in the need to make further
changes, SAP recommends that you make the changes in the development
system and import them again into the QA system.

Do not forget that in a development environment, users generally have more access. You
must mask sensitive data that is loaded into a development environment, for example,
employee data from your legacy system.

Configuration of the System and Client Change Settings

When setting up your SAP systems, the system administrator must check for the
following important settings:

Does this system allow changes to occur, and if so, what are the types of changes allowed?

Note:
Production systems do not allow changes.

Does the client allow changes to occur within each system, and if so, what types of
changes are allowed?

Where does the configuration and development work get performed, and how does it move
from one system to another, in other words, what is the transport route followed?

Use the Audit Information System (AIS) to verify that each of these settings is set up
appropriately.


System Change Option

Figure 95: System Change Option

System changes should be allowed only in development systems. From an audit perspective,
you want to ensure that all systems except the development system are set to Not modifiable.
On the AIS screen, choose System Audit SAP System Group Tools Set System
Change Option (or transaction SE06). In a non-development system, the Global Setting field
should be set to Not modifiable.
The Not modifiable setting is the first way to ensure that no development or configuration
(Implementation Guide) changes can occur on a non-development system.

Client Change Option

Figure 96: Example of Client Changes on a Development System


If the system change options are set to Modifiable , you need to check the options for the
clients. Not all clients should allow changes to take place. In a development system, you may
have more than one client; however, configuration and development changes normally occur
in one client.
In a development system, you might have three clients, for example, a sandbox client, a
configuration or development client, and a unit test client. You can allow changes in the
sandbox and configuration or development clients, but users should not have the ability to
make configuration or development changes on a test client.

Client Change Options for Configuration in Development Client

Figure 97: Client Change Options for Configuration in Development Client

In a client that is used for development and configuration changes in Customizing, you need
to enable both types of changes to occur by selecting Automatic recording of changes and
Changes to Repository and cross-client Customizing allowed.

Client Change Options for Unit Test Client

Figure 98: Client Change Options for Unit Test Client

For a client in which unit testing is performed, no changes should be allowed for configuration
or development.


To check these settings, choose System Audit SAP System Group Tools Set System
Change Option. Then, choose the Client Setting pushbutton. From there, you can double-click
any client to view client settings (transaction SCC4).
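The checks just described for the system change option (SE06) and the client change options (SCC4), as an added Python compliance check that is not part of the course material: it walks a constructed three-tier landscape and flags a non-development system left Modifiable, a Customizing client that does not record changes, and a test client that still allows changes. The landscape data, the client purposes and the finding codes are assumptions of this example; the option texts are the two the lesson names plus their corresponding "no changes" settings.

```python
# System roles and the SE06 / SCC4 option texts the lesson refers to.
DEV, QAS, PRD = "development", "quality assurance", "production"
AUTO_RECORD = "Automatic recording of changes"
NO_CLIENT_CHANGES = "No changes allowed"
REPO_ALLOWED = "Changes to Repository and cross-client Customizing allowed"
REPO_BLOCKED = "No changes to Repository and cross-client Customizing objs"

# Constructed three-tier landscape with two deliberate misconfigurations:
# DEV client 300 (unit test) still records changes, and PRD is Modifiable.
LANDSCAPE = {
    "DEV": {"role": DEV, "global_setting": "Modifiable", "clients": {
        "100": {"purpose": "customizing", "client_specific": AUTO_RECORD,
                "cross_client": REPO_ALLOWED},
        "200": {"purpose": "sandbox", "client_specific": AUTO_RECORD,
                "cross_client": REPO_ALLOWED},
        "300": {"purpose": "unit test", "client_specific": AUTO_RECORD,
                "cross_client": REPO_BLOCKED},
    }},
    "QAS": {"role": QAS, "global_setting": "Not modifiable", "clients": {
        "100": {"purpose": "test", "client_specific": NO_CLIENT_CHANGES,
                "cross_client": REPO_BLOCKED},
    }},
    "PRD": {"role": PRD, "global_setting": "Modifiable", "clients": {
        "100": {"purpose": "production", "client_specific": NO_CLIENT_CHANGES,
                "cross_client": REPO_BLOCKED},
    }},
}

# Client purposes in which changes are allowed (lesson: sandbox and
# configuration/development clients); every other client must be locked.
CHANGE_CLIENTS = {"customizing", "sandbox"}


def check_system(sid, system):
    """Findings for one system as (sid, client or None, finding code) tuples."""
    findings = []
    # Rule 1: only the development system may be globally Modifiable.
    if system["role"] != DEV and system["global_setting"] != "Not modifiable":
        findings.append((sid, None, "NON_DEV_SYSTEM_MODIFIABLE"))
    # Client settings only matter when the system itself allows changes.
    if system["global_setting"] != "Modifiable":
        return findings
    for client, cfg in sorted(system["clients"].items()):
        if cfg["purpose"] == "customizing":
            # Rule 2: the Customizing/development client records every change
            # and allows Repository and cross-client Customizing changes.
            if cfg["client_specific"] != AUTO_RECORD:
                findings.append((sid, client, "CUSTOMIZING_CLIENT_NOT_RECORDING"))
            if cfg["cross_client"] != REPO_ALLOWED:
                findings.append((sid, client, "CUSTOMIZING_CLIENT_REPO_BLOCKED"))
        elif cfg["purpose"] not in CHANGE_CLIENTS:
            # Rule 3: test and production clients allow no changes at all.
            if cfg["client_specific"] != NO_CLIENT_CHANGES:
                findings.append((sid, client, "TEST_CLIENT_CHANGES_ALLOWED"))
            if cfg["cross_client"] != REPO_BLOCKED:
                findings.append((sid, client, "TEST_CLIENT_REPO_ALLOWED"))
    return findings


def audit_landscape(landscape):
    """Run the checks over every system; returns the flat list of findings."""
    findings = []
    for sid, system in sorted(landscape.items()):
        findings.extend(check_system(sid, system))
    return findings


if __name__ == "__main__":
    for finding in audit_landscape(LANDSCAPE):
        print(finding)
```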

Transports
Transport routes define where changes are made and how the changes migrate through the
system landscape after they have been released.

Checking Transport Routes


From an audit perspective, when you check the transport routes, you want to ensure that
changes are moved somewhere to be tested before being moved into production. SAP
recommends that you have a QA system in which changes are tested.
To verify the transport routes, choose System Audit SAP System Group Transport
Management System (TMS) System Overview Environment Transport routes. You
should see at least three systems, with changes moving from a development environment to a
QA environment, and then to a production environment.

Hint:
You can access the log files using the Workbench Organizer in the request
hierarchy.

The activities and steps involved in SAP transport management are as follows:
1. Release the change request that contains your objects using either transaction SE09 or
SE10.

2. Review the log files to make sure that the export was successful. If any errors occur,
correct them before continuing.

3. Import the change request into the target system.

4. Review the log files created by the transport management system (TMS).

5. Test your imports thoroughly. If errors occur, repair the objects in the source system and
re-export them into the QA system.

Responsibilities and Their Corresponding Authorizations


For your changes and transports to take effect successfully in your production system, you
need to have a well-organized administration team with defined roles and responsibilities. No
single person should be responsible for changes to the production system.
You should define and document the various roles and their corresponding activities. The
communication flow between the individuals in these roles should also be well-defined and
practiced.

Roles and Responsibilities

Individuals involved when working with changes moving from development to production
system are as follows:

1. The person creating the change request, releasing the request, and verifying the logs

2. The person moving the changes into the QA system


3. The person testing the change in the QA system

4. The person who approves the request after testing

5. The person moving the changes into the production system

Companies organize these job roles differently. In some companies, many people get involved
in the path from development to production, while in other companies, there are fewer steps.
From an audit perspective, there should be at least one person creating and releasing the
change request and a different person approving it.

The individuals among whom the possible roles get distributed are as follows:
Team member or developer

Project leader

Transport administrator

QA (Quality Assurance) team

Team members are responsible for releasing their own tasks in the Workbench Organizer.

The project leader is responsible for the following tasks:


Defining and organizing a project using change request management

Verifying the contents of a change request prior to release, for example, ensuring that
syntax checks have been performed for all objects

Confirming the success of the release and export

Verifying that the change request was successfully imported into the target system

Confirming that the imported change request contains the necessary objects and proper
functions

The transport administrator is responsible for the transporting tasks. The transport
administrator uses tp or Transport Management System (TMS) to activate change request
imports and verify their success. The transport administrator is not responsible for testing the
contents of a change request.
The QA team tests the entire functionality and integration of the individual components from
the change request in the QA system.
Many companies do not differentiate between the team leader and the project leader.
However, SAP recommends that you have at least one person performing quality assurance
before moving changes to production.
Many companies have the developer create and release their own change request. In addition
to a QA check of ‘Does this program work correctly?’, you may also want to consider security
checks for development work before it is moved to production.

Authorizations Required for Transports


SAP provides authorizations for users working with transports. The S_TRANSPRT and
S_CTS_ADMI authorization objects protect most functions of working with change
management.
S_TRANSPRT is the authorization object for the Transport Organizer.


An authorization for S_TRANSPRT is required for the following accesses:

ABAP Workbench

Customizing

Transport Organizer

Developers and Customizing developers should have an authorization for this object. The
display authorization is sufficient for administrators. Administration functions in the Change
and Transport System area are checked using the S_CTS_ADMI authorization object.

The authorization object S_TRANSPRT contains the following fields:


Request type (Change and Transport System)

Activity

Table 20: Permitted Field Values for the S_TRANSPRT Authorization Object
Field Value Function
CUST Customizing requests
DTRA Workbench requests
TASK Tasks (repair or correction)
MOVE Relocation transports (all three types)
TRAN Transport of copies
PATC Preliminary corrections and deliveries
PIEC Piece lists
CLCP Client transports

Table 21: Permitted Field Values for the S_TRANSPRT Activity Code
Field Value Function
01 Add or create
02 Change
03 Display
05 Lock
06 Delete
23 Change in object list editor
43 Release
50 Change source client of a request
60 Import
65 Reorganize
75 Release other requests
78 Enter request in transport proposal
90 Change owner

Table 22: Predefined Authorizations in SAP Systems
The following authorizations apply to various roles:
Role S_TRANSPRT Authorization
QA team Not predefined in SAP systems
Administrator (transport super user) S_CTS_ALL
Project leader S_CTS_PROJEC
Team members and developers S_CTS_DEVELO
End users S_CTS_SHOW

These authorizations give some indication as to how SAP recommends the authorizations for
this critical object to be used. The table lists authorizations that exist already in SAP. There is
no preconfigured role or template for transports other than the roles for administrators.
However, these authorizations offer a guideline of what should be included in a role for end
users contrasted with the administrator.
To see the details of these authorizations recommended by SAP, choose User and
Authorizations Audit Information System Users and Authorizations Authorizations
Authorizations by Object. In the Authorization object field, enter S_TRANSPRT. In the
Authorization field, enter S_CTS*. This lists the authorizations in the table given in this
section, along with some additional authorizations. To see the values for any authorization,
double-click that authorization.
S_TRANSPRT is such a critical authorization object that it is also listed in the Users with
Critical Authorizations report. To check this report, choose User and Authorizations
Audit Information System Users and Authorizations User User with critical
authorizations.
S_CTS_ADMI is the authorization object for the administration functions in the Change and
Transport System. This includes the ability to perform QA approvals. This authorization
object has the CTS_ADMFCT field, whose values describe the various administration activities
that can be checked using the authorization object.

Table 23: Some Values for the CTS_ADMFCT Field in S_CTS_ADMI
Field Value Function
TABL Users can maintain transport routes and call certain tools by using this object.
INIT Users can set the system change option by using this object.
IMPA Users can import all transport requests by using this object.
IMPS Users can import individual requests by using this object.
TADD Users can perform an 'addtobuffer' by using this object.
TDEL Users can perform a 'delfrombuffer' by using this object.
TQAS Users can activate or delete requests in an import queue by using this object.
TADM Users can execute tp commands by using this object.
QTEA Users can get authorization for approving transports into the production system by using this object.

To see the authorizations recommended by SAP for S_CTS_ADMI, choose User and
Authorizations Audit Information System Users and Authorizations Authorizations
Authorizations by Object. In the Authorization object field, enter S_CTS_ADMI. In the
Authorization field, enter S_CTS*. This lists the authorizations in the table and some
additional authorizations. To see the values for any authorization, double-click that
authorization.
TMS also uses a special user, TMSADM, for executing transports. TMSADM is a Remote
Function Call (RFC) user with authorizations limited to TMS activities.

System Specific Permissions Configuration

Figure 99: System Specific Permissions Configuration

You can restrict the permissions that a certain user has for a specific system. One scenario
could be that a developer should only export the objects that he created. The import should
be done by someone else. The developer needs to have export permissions for the
development system, but should not be able to start the import.
Another option would be to restrict the import permissions per system. Several
administrators could have the permission to start the import for the QA system, but only a
few should be able to import anything new into the productive system. This might be helpful if
imports require post-import steps that might include a system restart. Restarts have to be
coordinated and agreed on within the company, especially if productive systems are
concerned.
For systems configured for CTS+ functionality, you can use the standard role SAP_CTS_PLUS
to restrict the actions available to developers. Two new authorization objects are delivered
with this role:

S_SYS_RWBO is used to restrict the permissions for creating transport requests. You have
to enter the SIDs of the systems for which the user should be able to create transport
requests.

S_CTS_SADM is used to restrict the permissions for importing.

If you need different settings for different users, you have to create different roles. If the new
authorization objects do not appear in the role (depending on the SPS level), copy the role,
add these objects to the role, and adjust the authorizations according to SAP Note 1003674.
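The segregation of duties described under Roles and Responsibilities, the S_TRANSPRT activity codes and S_CTS_ADMI functions in the tables above, and the rule that a developer may export but not import, as an added Python check that is not part of the course material: it runs over a constructed list of user authorization values (the kind of data the Authorizations by Object report shows) and flags users who can both release and approve, both release and import, or who hold the tp and system change option functions. ACTVT, TTYPE and CTS_ADMFCT are the technical names of the fields shown in the tables; the finding names and the user data are assumptions of this example.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed authorization values per user as (user, object, field, value);
# '*' is the usual full-access value, as granted by S_CTS_ALL.
AUTH_ROWS = [
    ("DEV01",  "S_TRANSPRT", "TTYPE",      "DTRA"),
    ("DEV01",  "S_TRANSPRT", "ACTVT",      "01"),
    ("DEV01",  "S_TRANSPRT", "ACTVT",      "02"),
    ("DEV01",  "S_TRANSPRT", "ACTVT",      "43"),
    ("DEV02",  "S_TRANSPRT", "TTYPE",      "*"),
    ("DEV02",  "S_TRANSPRT", "ACTVT",      "43"),
    ("DEV02",  "S_CTS_ADMI", "CTS_ADMFCT", "IMPS"),   # developer who can import
    ("PLEAD1", "S_TRANSPRT", "TTYPE",      "*"),
    ("PLEAD1", "S_TRANSPRT", "ACTVT",      "75"),
    ("PLEAD1", "S_CTS_ADMI", "CTS_ADMFCT", "QTEA"),   # releases and approves
    ("QA01",   "S_TRANSPRT", "ACTVT",      "03"),
    ("QA01",   "S_CTS_ADMI", "CTS_ADMFCT", "QTEA"),
    ("BASIS1", "S_TRANSPRT", "TTYPE",      "*"),
    ("BASIS1", "S_TRANSPRT", "ACTVT",      "*"),      # transport super user
    ("BASIS1", "S_CTS_ADMI", "CTS_ADMFCT", "*"),
]

# Activity codes from Table 21 and CTS_ADMFCT values from Table 23.
RELEASE_ACTS = {"43", "75"}             # release own / other requests
IMPORT_FUNCS = {"IMPA", "IMPS", "TADD"}  # import all, import single, addtobuffer
APPROVE_FUNCS = {"QTEA"}                # QA approval into production
SYSTEM_FUNCS = {"INIT", "TADM"}         # set change option, run tp commands


def index_values(rows):
    """user -> (object, field) -> set of granted values ('*' kept as a pattern)."""
    idx = defaultdict(lambda: defaultdict(set))
    for user, obj, field, value in rows:
        idx[user][(obj, field)].add(value)
    return idx


def has_value(granted, wanted):
    """True if any granted value (possibly a '*' pattern) covers the wanted value."""
    return any(fnmatchcase(wanted, pattern) for pattern in granted)


def has_any(user_auth, obj, field, wanted_set):
    """True if the user holds at least one of the wanted values for obj/field."""
    granted = user_auth.get((obj, field), set())
    return any(has_value(granted, wanted) for wanted in wanted_set)


def sod_findings(rows):
    """Return {user: [finding, ...]} for the conflicts the lesson warns about."""
    findings = defaultdict(list)
    for user, auth in index_values(rows).items():
        releases = has_any(auth, "S_TRANSPRT", "ACTVT", RELEASE_ACTS)
        imports = (has_any(auth, "S_CTS_ADMI", "CTS_ADMFCT", IMPORT_FUNCS)
                   or has_any(auth, "S_TRANSPRT", "ACTVT", {"60"}))
        approves = has_any(auth, "S_CTS_ADMI", "CTS_ADMFCT", APPROVE_FUNCS)
        sysadmin = has_any(auth, "S_CTS_ADMI", "CTS_ADMFCT", SYSTEM_FUNCS)
        if releases and approves:      # same person releases and QA-approves
            findings[user].append("RELEASE_AND_APPROVE")
        if releases and imports:       # developer who can start the import
            findings[user].append("RELEASE_AND_IMPORT")
        if sysadmin:                   # critical: tp commands / change option
            findings[user].append("CRITICAL_CTS_ADMIN")
    return dict(findings)


if __name__ == "__main__":
    for user, problems in sorted(sod_findings(AUTH_ROWS).items()):
        print(user, ", ".join(problems))
```

The transport super user BASIS1 trips every rule because '*' covers all values, which is exactly why the lesson wants only a few people with that authorization and a separate approver.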


Note:
If you use TMS, be careful with the TMS authorizations (S_TMS_READ,
S_TMS_WRITE, and S_TMS_RFC). If you do not use TMS, protect the program tp
at the operating system level.

Recommendations for Securing ABAP Programs and Tables Before Transport


Include the following security checks before transporting a program from development to
production:

Link custom programs or table access to custom transaction codes.

Include AUTHORITY-CHECK statements for all programs for which the custom transaction
code is not deemed sufficient protection.

Ensure that proper controls are in place if this custom program or function module
accesses critical tables, such as financial documents or employee data.

Assignment of Transaction Codes to Access Tables or Programs (Transaction SE93)

Figure 101: Assignment of Transaction Codes to Access Tables or Programs (SE93)

With the help of transaction SE93, you can assign transaction codes to programs or provide
access to certain tables. By using this technique, you may get rid of transactions SA38 or
SE16.

In transaction SA38, a user can execute a report in the foreground or in the background. In
transaction SE16, a user can access tables depending on the authorization object,
S_TABU_DIS.

Caution:
The problem with transaction SA38 is that the security is dependent upon the
actual program a user is executing. Everyone needs the same authorization to
get to transaction SA38. Once a user is inside transaction SA38, the next
authorization check comes from within the program the user is executing.
If your company continues to use transaction SA38, it is critical that each custom
ABAP report executed has some type of a security check.

The S_TABU_DIS authorization object has the following properties:

S_TABU_DIS is checked anytime someone looks at the data in a table directly with one of
these transactions: SE16, SE16N, SE17, SM30, and SM31; or with the Implementation
Guide.

S_TABU_DIS has two fields, Activity and Authorization Group.

The Authorization Group field is mapped to the tables that a user can access. The mapping
is performed in the TDDAT table. The TDDAT table maps the Authorization Group to a list
of tables.

Recommendations for securing transactions SA38 and SE16 are as follows:


If possible, do not grant general access to transactions SA38 or SE16 on productive
systems.

Instead of transactions SA38 and SE16, associate reports or access to specific tables via
custom transaction codes. Use area menus to group these transaction codes into menu
trees.

If you require general use of transaction SA38, make sure that every custom ABAP report
has some type of security check, for example, using the ABAP syntax AUTHORITY-CHECK
in the program code, or the authorization group set in the attributes of the program.

AUTHORITY-CHECK

Figure 102: ABAP Editor Source Code Review Authority-Check

Use the Find in Source Code function of the ABAP Editor to conduct a source code review to
determine if and how authority check statements have been incorporated into your custom
program.
An example of where you would include AUTHORITY-CHECK statements could be if people
from different divisions execute the same program, but with different results of the report,
like a specific amount. The custom program might need an AUTHORITY-CHECK statement
for division to ensure that division A does not run the report for division B.
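The source code review described above, as an added example that is not part of the course material: a Python script that scans constructed ABAP report sources for AUTHORITY-CHECK statements and flags the two classic defects, no check at all and a check whose sy-subrc result is never evaluated. The three reports, the authorization object Z_DIVISION and its field ZDIV are constructed names.

```python
# Source code review helper for AUTHORITY-CHECK statements in custom ABAP reports.
# Added example, not part of the ADM950 course material: the ABAP reports are
# constructed samples, and authorization object Z_DIVISION / field ZDIV are hypothetical.
from __future__ import annotations

import re
from dataclasses import dataclass

# One AUTHORITY-CHECK statement up to its terminating period (the ID ... FIELD
# pairs may span several lines, hence DOTALL).
AUTH_CHECK_RE = re.compile(
    r"AUTHORITY-CHECK\s+OBJECT\s+'(?P<object>[^']+)'(?P<body>.*?)\.",
    re.IGNORECASE | re.DOTALL,
)
ID_RE = re.compile(r"ID\s+'[^']+'\s+(FIELD\s+\S+|DUMMY)", re.IGNORECASE)
SUBRC_RE = re.compile(r"\bsy-subrc\b", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    program: str
    severity: str  # "high" or "medium"
    message: str

def strip_comments(source: str) -> str:
    """Drop full-line (*) and inline (") ABAP comments, so that a check that only
    appears in a comment is not counted as protection."""
    kept = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        in_literal, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == "'":
                in_literal = not in_literal
            elif ch == '"' and not in_literal:
                cut = i
                break
        kept.append(line[:cut])
    return "\n".join(kept)

def review_report(program: str, source: str) -> list[Finding]:
    """high: no AUTHORITY-CHECK, or sy-subrc not evaluated in the statement right
    after the check (the check then has no effect); medium: every ID is DUMMY."""
    code = strip_comments(source)
    checks = list(AUTH_CHECK_RE.finditer(code))
    if not checks:
        return [Finding(program, "high", "no AUTHORITY-CHECK statement found")]
    findings: list[Finding] = []
    for match in checks:
        obj = match.group("object")
        kinds = [k.upper() for k in ID_RE.findall(match.group("body"))]
        if kinds and all(k == "DUMMY" for k in kinds):
            findings.append(Finding(program, "medium", f"{obj}: all fields are DUMMY"))
        next_statement = code[match.end():].split(".", 1)[0]
        if not SUBRC_RE.search(next_statement):
            findings.append(Finding(program, "high", f"{obj}: sy-subrc not evaluated after check"))
    return findings

def review_all(reports: dict[str, str]) -> list[Finding]:
    """Review every report; high-severity findings first, then by program name."""
    findings = [f for name, src in reports.items() for f in review_report(name, src)]
    return sorted(findings, key=lambda f: (f.severity != "high", f.program))

# Constructed sample reports: one correct, one without any check, one that
# never looks at sy-subrc.
SAMPLE_REPORTS = {
    "ZSALES_BY_DIVISION": """\
REPORT zsales_by_division.
PARAMETERS p_div TYPE c LENGTH 4 OBLIGATORY.
* Division A must not be able to run the report for division B
AUTHORITY-CHECK OBJECT 'Z_DIVISION'
  ID 'ZDIV'  FIELD p_div
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No authorization for this division' TYPE 'E'.
ENDIF.
WRITE: / 'Sales figures for division', p_div.
""",
    "ZSALES_ALL": """\
REPORT zsales_all.
PARAMETERS p_div TYPE c LENGTH 4.
" AUTHORITY-CHECK OBJECT 'Z_DIVISION' ID 'ZDIV' FIELD p_div.  <- only a comment
WRITE: / 'Sales figures for division', p_div.
""",
    "ZSALES_UNCHECKED": """\
REPORT zsales_unchecked.
PARAMETERS p_div TYPE c LENGTH 4.
AUTHORITY-CHECK OBJECT 'Z_DIVISION'
  ID 'ZDIV'  FIELD p_div
  ID 'ACTVT' DUMMY.
WRITE: / 'Sales figures for division', p_div.
""",
}

if __name__ == "__main__":
    for f in review_all(SAMPLE_REPORTS):
        print(f"{f.severity:6} {f.program}: {f.message}")
```

The same review can be run over a directory of source exports in place of the constructed dictionary; the ABAP Test Cockpit discussed in the next lesson performs checks of this kind natively.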

Protection of Security-Critical Objects


There are certain security-critical objects in SAP systems, for example, the system profile
parameter file or the system client table T000, which you should make sure are protected
from unauthorized access.

The measures to be taken to protect security-critical objects are described in the
following topics:

System profile parameter files

Tables for maintaining system clients

Other security-critical objects

Protection of the System Profile Parameter Files


Certain security-relevant configurations are contained in the system profile files (for example,
the profile parameters).

Standard profiles and their path:

Path
usr/sap/<SID>/sys/profile

Instance Profile
<SID>_<Instance> – Parameter profile for the application servers

Start Profile
START_<Instance> – Start script and parameters for the instance

Default Profile
DEFAULT.PFL – Global profile file

You should protect these files from unauthorized access. If an intruder manages to access
and change these files, then that intruder can change the system configuration for the next
time that the system is started. Ensure that only a few people are given access to these files.
Also, regularly ensure that these files are authentic.
Only the system administrator should be able to maintain these files. They are maintained in
transaction RZ10.
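The authenticity check on the profile files, as an added example that is not part of the course or of SAP's tooling: a Python script records a SHA-256 baseline of DEFAULT.PFL, START_<Instance> and <SID>_<Instance>, later verifies the files against it, names the security-relevant parameters that changed, and flags profiles that group or others could write to. The profile directory, SID DEV, instance D00 and all parameter values are constructed in a temporary folder.

```python
# Baseline-and-verify check for the SAP profile files named above.
# Added example, not part of the ADM950 course material: the profile directory,
# SID "DEV", instance "D00" and all parameter values are constructed placeholders.
from __future__ import annotations

import hashlib
import stat
import tempfile
from pathlib import Path

# Parameter families whose change must always be reviewed (constructed selection;
# login/* and snc/* are real SAP parameter families).
SECURITY_PREFIXES = ("login/", "auth/", "snc/", "ssl/", "rdisp/gui_auto_logout")


def profile_files(profile_dir: Path, sid: str) -> list[Path]:
    """The standard profiles: DEFAULT.PFL, START_<Instance> and <SID>_<Instance>."""
    files = [profile_dir / "DEFAULT.PFL"]
    files += sorted(profile_dir.glob("START_*"))
    files += sorted(profile_dir.glob(f"{sid}_*"))
    return [f for f in files if f.is_file()]


def parse_params(text: str) -> dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def take_baseline(profile_dir: Path, sid: str) -> dict[str, dict]:
    """Record the SHA-256 hash and the parsed parameters of every profile file."""
    return {
        f.name: {
            "sha256": hashlib.sha256(f.read_bytes()).hexdigest(),
            "params": parse_params(f.read_text()),
        }
        for f in profile_files(profile_dir, sid)
    }


def verify(profile_dir: Path, sid: str, baseline: dict[str, dict]) -> list[str]:
    """Compare the current profiles with the baseline: changed, missing or new
    files, security-relevant parameter changes, and group/other-writable files."""
    issues: list[str] = []
    current = take_baseline(profile_dir, sid)
    for name, base in baseline.items():
        if name not in current:
            issues.append(f"{name}: missing")
            continue
        cur = current[name]
        if cur["sha256"] == base["sha256"]:
            continue
        issues.append(f"{name}: content changed")
        for p in sorted(set(base["params"]) | set(cur["params"])):
            old, new = base["params"].get(p), cur["params"].get(p)
            if old != new and p.startswith(SECURITY_PREFIXES):
                issues.append(f"{name}: {p} changed from {old!r} to {new!r}")
    issues += [f"{name}: not in baseline" for name in current if name not in baseline]
    for f in profile_files(profile_dir, sid):
        if f.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append(f"{f.name}: writable by group or others")
    return issues


def demo() -> list[str]:
    """Build a constructed profile directory, baseline it, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "DEFAULT.PFL").write_text(
            "SAPSYSTEMNAME = DEV\nlogin/min_password_lng = 8\nlogin/no_automatic_user_sapstar = 1\n"
        )
        (d / "DEV_D00").write_text("SAPSYSTEM = 00\nrdisp/wp_no_dia = 10\n")
        (d / "START_D00").write_text("SAPSYSTEMNAME = DEV\n")
        for f in profile_files(d, "DEV"):
            f.chmod(0o640)
        baseline = take_baseline(d, "DEV")
        # Simulated tampering: a weakened password rule and a world-writable instance profile.
        (d / "DEFAULT.PFL").write_text(
            "SAPSYSTEMNAME = DEV\nlogin/min_password_lng = 3\nlogin/no_automatic_user_sapstar = 1\n"
        )
        (d / "DEV_D00").chmod(0o666)
        return verify(d, "DEV", baseline)


if __name__ == "__main__":
    for issue in demo():
        print(issue)
```

In practice the baseline is stored outside the system it describes, and the verification is scheduled so that a profile change made outside RZ10 is noticed before the next restart activates it.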

Protection of the Table for Maintaining System Clients (Table T000)


Table T000 is a fundamental table in your SAP system. You create and maintain your SAP
system clients in this table. Therefore, you need to protect this table in your production
system from unauthorized access.

To protect the T000 table, take the following precautions:

Give maintenance access to the system administrators only. The corresponding
authorization object is S_ADMI_FCD.

Define a process for creating and maintaining the clients.

Be aware that T000 can be updated through the maintenance transactions, such as
SCC4, SM30, and SM31.

Be aware that setting the S_TABU_CLI authorization object to the value X enables access to
cross-client tables, such as T000.

Anyone with authorization object S_TABU_DIS to the values 02 and 03 for the Activity field
and the value SS for the Authorization group field can maintain T000.
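The S_TABU_DIS and TDDAT mapping described earlier and the T000 conditions in this list, combined in one added example that is not part of the course material: it evaluates constructed user authorizations against a constructed TDDAT excerpt and reports who may display or maintain a table, additionally requiring S_TABU_CLI with the value X for the cross-client table T000. Only T000 in authorization group SS is taken from the course text; the field names ACTVT, DICBERCLS and CLIIDMAINT are the real fields of these two objects, the users and other tables are constructed.

```python
# Who can maintain T000? Evaluating S_TABU_DIS and S_TABU_CLI authorizations.
# Added example, not part of the ADM950 course material. The TDDAT excerpt and
# the user authorizations are constructed; only T000 in group SS is from the course.
from __future__ import annotations

from dataclasses import dataclass

# Constructed TDDAT excerpt: table name -> authorization group.
TDDAT = {
    "T000": "SS",      # client table (course text)
    "USR02": "SC",     # constructed
    "ZSALES": "ZSAL",  # constructed custom table
}
# Constructed list of cross-client tables; maintaining them additionally
# requires S_TABU_CLI with CLIIDMAINT = X.
CROSS_CLIENT_TABLES = {"T000"}

DISPLAY, CHANGE = "03", "02"


@dataclass(frozen=True)
class Authorization:
    """One authorization instance: every field of the object with its values."""
    object: str
    fields: dict[str, tuple[str, ...]]


def value_matches(values: tuple[str, ...], wanted: str) -> bool:
    """'*' matches everything and 'AB*' is a prefix pattern; FROM-TO ranges are
    deliberately not modelled in this example."""
    return any(
        v == "*" or v == wanted or (v.endswith("*") and wanted.startswith(v[:-1]))
        for v in values
    )


def has_authorization(auths: list[Authorization], obj: str, required: dict[str, str]) -> bool:
    """A check succeeds only if one single instance satisfies all required fields."""
    return any(
        a.object == obj and all(value_matches(a.fields.get(f, ()), v) for f, v in required.items())
        for a in auths
    )


def can_access_table(auths: list[Authorization], table: str, activity: str) -> bool:
    """Display (03) or change (02) access to a table via S_TABU_DIS and, for
    cross-client tables being changed, S_TABU_CLI."""
    group = TDDAT.get(table)
    if group is None:
        return False  # no group in TDDAT: S_TABU_DIS cannot grant it (S_TABU_NAM not modelled)
    if not has_authorization(auths, "S_TABU_DIS", {"ACTVT": activity, "DICBERCLS": group}):
        return False
    if activity == CHANGE and table in CROSS_CLIENT_TABLES:
        return has_authorization(auths, "S_TABU_CLI", {"CLIIDMAINT": "X"})
    return True


def t000_maintainers(users: dict[str, list[Authorization]]) -> list[str]:
    """Sorted list of users who can maintain T000; review this list regularly."""
    return sorted(u for u, auths in users.items() if can_access_table(auths, "T000", CHANGE))


# Constructed users with typical authorization patterns.
USERS = {
    "BASIS_ADMIN": [
        Authorization("S_TABU_DIS", {"ACTVT": ("02", "03"), "DICBERCLS": ("*",)}),
        Authorization("S_TABU_CLI", {"CLIIDMAINT": ("X",)}),
    ],
    "AUDITOR": [
        Authorization("S_TABU_DIS", {"ACTVT": ("03",), "DICBERCLS": ("*",)}),
        Authorization("S_TABU_CLI", {"CLIIDMAINT": ("X",)}),
    ],
    "FUNC_CONSULTANT": [  # may change SS tables, but not cross-client ones
        Authorization("S_TABU_DIS", {"ACTVT": ("02", "03"), "DICBERCLS": ("SS",)}),
    ],
    "SALES_CLERK": [
        Authorization("S_TABU_DIS", {"ACTVT": ("02", "03"), "DICBERCLS": ("Z*",)}),
    ],
}

if __name__ == "__main__":
    print("Users able to maintain T000:", t000_maintainers(USERS))
```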

Security-Critical Objects

Figure 103: Security-Critical Objects

To protect certain objects from being changed by imports, you define a set of security-critical
objects in the table TMSTCRI. You are then warned of changes to these objects in transport
requests.

Note:
This table is updated using transaction STMS, by choosing Overview → Imports →
Extras → Critical Transport Objects.

For example, you may have a function module, program, or user exit that should be
transported with caution. When you add them to the list of critical transport objects, the
administrator can check to see if the critical objects are included before executing an import.

Note:
Critical object validation is enhanced when using SAP Solution Manager Change
Request Management to include the ability to check for critical customizing
configuration settings.

LESSON SUMMARY
You should now be able to:

Describe change management

Configure the system and client change settings

Verify security settings in transports and change management

Unit 6
Lesson 2
Understanding Software Security Vulnerabilities

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Understand Security Vulnerabilities

Software Security Vulnerability

Figure 104: Software Security Vulnerability

The security of business applications and software solutions depends upon the security of
their source code. Business applications are complex, having evolved over many years, across
numerous technical platforms, and having been adapted or enhanced for specific customer
needs. Changing business requirements necessitate a continuous review and optimization of
business functions and performance to keep pace with industry change. In short, custom code
can represent one of the greatest sources of risk to an organization's software components,
functions, infrastructure and business data.
To properly secure an application, all of the application's components, functions,
infrastructure and related threats must be understood. This understanding must take into
consideration new and evolving technology, which brings new vulnerabilities and introduces
potential new risks. Firewalls, intrusion detection systems, digital signatures and encryption
are not always sufficient to make an application secure.
Vulnerabilities in the code can lead to negative publicity, damage to a corporate image or
brand, lost revenue, legal repercussions, and regulatory fines and penalties. News stories
abound with examples of companies struggling with security hacks, data breaches, system
outages, and so on. The shift towards mobility and cloud-based solutions can multiply this risk.

SAP software solutions can also be put at risk as most customers have teams of developers
creating custom programs or making modifications or enhancements to SAP objects.

Reactive Approach to Application Security

Figure 105: Reactive Approach to Application Security

Traditional development platforms and approaches can often lead to vulnerabilities in custom
code that are not discovered until after deployment into a company's productive
environment. It is only then, after a security incident occurs, that the risks become apparent.
Companies then go into damage containment mode and are forced to address the scenario
and its risks. The cost to correct code defects and vulnerabilities in a production environment
can be substantially greater, and cause more business disruption, than properly developing
and testing the application before going live.
Custom development must be made secure early in the development cycle, well in advance of
its deployment into production. An effective solution must provide certain functional
capabilities, which include:

The ability to run vulnerability checks on custom code during the development process to
identify gaps and flaws.

Leverage tools that are already integrated into the standard SAP ABAP Development
infrastructure.

Provide developers with extensive documentation to support a rapid response to security
issues and incidents.

Support the compliance and automation requirements of the software quality assurance
team.

Application Security Testing Solutions at SAP

Figure 106: Application Security Testing Solutions at SAP

As the industry leader in enterprise software solutions for the past 20 plus years, SAP has
developed millions and millions of lines of code and has developed tools and strategic
partnerships to aid in validating the security and vulnerability of its delivered solutions. SAP
Development runs security tests on all SAP Applications and code delivered by SAP. Testing
and validation include dynamic application testing to find issues and vulnerabilities in a
running application. Static application security testing is also deployed to scan code to find
security and data access vulnerabilities.

SAP Code Vulnerability Analysis Tools

Figure 107: SAP Code Vulnerability Analysis Tools

The SAP code vulnerability analyzer scans a company's custom code during the development
process and is tightly integrated with the ABAP Development Workbench tool set and the
ABAP Test Cockpit (ATC). Analysis scans are designed to detect security flaws and
security dumps in order to make custom code secure prior to deployment. Integration with
standard ABAP development and change management tools gives developers easy access
to the testing functionality and to extensive documentation for resolving identified issues
or potential coding issues. SAP Code Vulnerability Analysis (CVA) is provided as an add-on to
SAP NetWeaver.
SAP Quality Center by Micro Focus is a partner solution designed to enable comprehensive,
risk-based, testing in order to catch defects early in the development cycle and to improve
testing efficiency and accuracy.

End-to-End Application Security

Figure 108: End-to-End Application Security

Together these solutions provide an end-to-end application security toolset to ensure code
vulnerabilities are detected as early as possible and corrected before they become
productive. SAP Code Vulnerability Analysis (CVA) ensures that development and quality
assurance teams have access to the technical capabilities to:

Automatically detect weaknesses in your ABAP source code.

Reduce false-positive rate through data flow analysis.

Support exemption workflows to ease handling of false-positives.

Integration into standard ABAP development infrastructure (ABAP Test Cockpit).

Support for single object and group object testing.

Capture manual and automated check executions.

Access extensive documentation to avoid and remediate issues in custom code.

For more information, see https://www.sap.com/products/code-vulnerability-analysis.html.

LESSON SUMMARY
You should now be able to:

Understand Security Vulnerabilities

Unit 6

Learning Assessment

1. Which of the following systems are included in a three-tier system landscape?
Choose the correct answers.

X A Development system

X B Quality Assurance (QA) system

X C Customizing system

X D Production system

2. From an audit perspective, you should set the system change options to Not Modifiable in
all systems except the development system.
Determine whether this statement is true or false.

X True

X False

3. Which of the following actions are advisable for ABAP programs and tables before you
transport them into a production system?
Choose the correct answers.

X A Link custom programs or table access using custom transaction codes.

X B Include Authority-Check statements for all ABAP programs for which custom
transactions cannot provide sufficient protection.

X C Restrict general access to transactions SA38 and SE16.

X D Maintain user group to control user access to critical programs and tables.

4. ___________ is the authorization object for the Transport Organizer.
Choose the correct answer.

X A S_TRANSPRT

X B S_CTS_ADMI

X C S_CTS_PROJEC

X D S_TABU_CLI

5. You can protect certain objects from being changed by imports by defining a set of
security-critical objects in the TMSTCRI table.
Determine whether this statement is true or false.

X True

X False

6. The SAP code vulnerability analyzer scans a company's custom code during the
development process but is not integrated with the ABAP Test Cockpit.
Determine whether this statement is true or false.

X True

X False

7. SAP code vulnerability analyzer ensures that development and testing teams have access
to which of the following technical capabilities?
Choose the correct answer.

X A Integration into standard ABAP development infrastructure (ABAP Test Cockpit)

X B Automatically detect weaknesses in your ABAP source code

X C Access extensive documentation to avoid and remediate issues in custom code

X D All of the above.

Unit 6

Learning Assessment - Answers

1. Which of the following systems are included in a three-tier system landscape?
Choose the correct answers.

X A Development system

X B Quality Assurance (QA) system

X C Customizing system

X D Production system

2. From an audit perspective, you should set the system change options to Not Modifiable in
all systems except the development system.
Determine whether this statement is true or false.

X True

X False

3. Which of the following actions are advisable for ABAP programs and tables before you
transport them into a production system?
Choose the correct answers.

X A Link custom programs or table access using custom transaction codes.

X B Include Authority-Check statements for all ABAP programs for which custom
transactions cannot provide sufficient protection.

X C Restrict general access to transactions SA38 and SE16.

X D Maintain user group to control user access to critical programs and tables.

4. ___________ is the authorization object for the Transport Organizer.
Choose the correct answer.

X A S_TRANSPRT

X B S_CTS_ADMI

X C S_CTS_PROJEC

X D S_TABU_CLI

5. You can protect certain objects from being changed by imports by defining a set of
security-critical objects in the TMSTCRI table.
Determine whether this statement is true or false.

X True

X False

6. The SAP code vulnerability analyzer scans a company's custom code during the
development process but is not integrated with the ABAP Test Cockpit.
Determine whether this statement is true or false.

X True

X False

The SAP code vulnerability analyzer scans a company's custom code during the
development process but is integrated with the ABAP Test Cockpit.

7. SAP code vulnerability analyzer ensures that development and testing teams have access
to which of the following technical capabilities?
Choose the correct answer.

X A Integration into standard ABAP development infrastructure (ABAP Test Cockpit)

X B Automatically detect weaknesses in your ABAP source code

X C Access extensive documentation to avoid and remediate issues in custom code

X D All of the above.

All of these capabilities are available.

UNIT 7 SAP Security Notes

Lesson 1
Consulting SAP Security Notes 177

Lesson 2
Appendix: Optimizing Security Using SAP Security Optimization Self-Service 183

Lesson 3
Appendix: Implementing and Checking Technical Security Recommendations 194

UNIT OBJECTIVES

Consult SAP Security Notes

Use the SAP Security Optimization Self-Service

Implement and check technical security recommendations using SAP Solution Manager

Unit 7
Lesson 1
Consulting SAP Security Notes

LESSON OVERVIEW
This lesson explains the security notes provided by SAP and how to use them for security
assessment.

Business Example
Your company is required to upgrade its security measures and enhance the security features
of its SAP servers. You need to know how to secure your SAP system. For this reason, you
require the following knowledge:

An understanding of how to use SAP security notes

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Consult SAP Security Notes

Security Notes

Figure 109: Security Notes

SAP Notes give you instructions on how to remove known errors from the SAP systems. They
include a description of the symptoms, the cause of the error, and the SAP release and
Support Package level in which the error occurs.

Depending on the type of error, an SAP Note may include the following information:
Work-arounds

Descriptions of how to correct repository objects in the ABAP Workbench, known as
correction instructions

Links to Support Packages that solve the problem

You can access SAP Notes from both the SAP Support Portal and SAPNet - NetWeaver AS
Frontend.

Caution:
The Note Assistant can automatically implement those SAP Notes that have
correction instructions. You must read the SAP Note carefully before you use the
Note Assistant to implement it.
The SAP Note can contain prerequisites, interactions, and references to post-
processing activities (for example, making changes to a table) that you must
take into consideration when you implement it.

SAP security notes contain SAP's expert advice regarding important action items and the
patches needed to ensure the security of customers' systems. You can search for SAP
security notes, or you can set up a filter under My Security Notes to customize the products
or versions you are interested in.
You must read SAP Notes before you start configuring the Enterprise Search. SAP Notes
contain the most up-to-date information regarding the configuration and use of Enterprise
Search, as well as corrections to the documentation.
SAP Note 1085845 gives up-to-date information about the security aspects of Enterprise
Search.
All security notes are published on the SAP Support Portal. Different applications show
different selections of security notes.
The complete list of all security notes is at https://support.sap.com/securitynotes.
The System Recommendations application in the SAP Solution Manager shows the security
notes that are relevant for a given system according to the installed software components,
release, Support Package, and patch level, as well as on the basis of whether the note is
already installed using the ABAP Note Assistant.
The Early Watch Alert report checks the usage of the application System Recommendations
in SAP Solution Manager to provide recommendations concerning security, Hot News, and
Other important Notes that are relevant for a given system. For more information, see
https://wiki.scn.sap.com/wiki/display/SM/EWA+-+Security#recommendations
To find more information regarding the security patch process, refer to
http://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq.

System Recommendations in SAP Solution Manager


System recommendations enable you to find relevant SAP Notes for a technical system,
display information for these SAP Notes, and perform the related actions. These functions are
only available in SAP Solution Manager in this form.
To simplify data entry and speed up delta calculation, a background job is scheduled during
the configuration of SAP Solution Manager that automatically collects all the required
information from the managed systems. The next figure shows a simplified view of this
function.

Integration with the Global Support backbone

Figure 110: Integration with the Global Support backbone

In general, all SAP Note types are supported. The SAP Note types shown below should initially
be activated:

Security Notes
Important SAP Notes in the Security category.
HotNews
SAP HotNews, which are SAP Notes with priority 1 (very high). These SAP Notes provide
information to help avoid and/or solve problems that can result in data loss or crashes of
the SAP system.
Performance Notes
SAP Notes from the performance category improve the performance of your system.
Legal Changes
SAP Notes from the Legal Change, Announcement of Legal Change, and Correction of
Legal Function categories respond to changes in legal requirements.
SAP Correction/Patch Notes
All SAP Notes that contain corrections to program source code (ABAP) or contain
patches (JAVA).

System Recommendations provides a convenient repository of information regarding notes
that are relevant for a particular SAP system. The following functions are available in
System Recommendations to help you identify, organize and manage the implementation of
SAP Notes:

Filter and sorting to display results by application, application component, software
component, or as a list.

Assign a status to an entry and display SAP Note information for this status.

Analyze the impact of implementing SAP Notes on the system and the business
processes.

Create a change request or select a Java patch and add it to the download basket.

Display, download, and implement SAP Notes.

Security Note Tool RSECNOTE No Longer Supported

Figure 111: Security Note Tool RSECNOTE No Longer Supported

SAP no longer recommends using security note tool RSECNOTE as it is no longer supported.
See SAP Note 1890782 RSECNOTE no longer supported for further details.

Solution Manager Launchpad

Figure 112: Solution Manager Launchpad

To start System Recommendations, run transaction SM_WORKCENTER in the SAP Solution
Manager to open the SAP Solution Manager Launchpad. Then navigate to the Change
Management area and select System Recommendations to start the application.

System Recommendations 1

Figure 113: System Recommendations 1

To use System Recommendations, each SAP system in your environment needs to be
configured as a managed system of your SAP Solution Manager. After the managed system
setup is complete, you can find your system in the System Overview of System
Recommendations.
When you start the application, the System Overview is displayed. The figure System
Overview shows the available functions. When you choose Display SAP Notes, the SAP Note
Overview screen displays, as shown in the figure SAP Note Overview.

System Recommendations 2

Figure 114: System Recommendations 2

By choosing Display Detail Page, the Show SAP Note Details screen displays, as shown in the
Display SAP Note figure.

System Recommendations 3

Figure 115: System Recommendations 3

With the integrated desktop actions you can, for example, download the SAP Note or create a
Request for Change that can be used to implement the note in the relevant system.
For additional information on System Recommendations, see
https://support.sap.com/en/alm/solution-manager/processes-72/system-recommendations.html.
See also https://wiki.scn.sap.com/wiki/display/SM/Getting+Started+WIKI+for+SAP+Solution+Manager.

LESSON SUMMARY
You should now be able to:

Consult SAP Security Notes

Unit 7
Lesson 2
Appendix: Optimizing Security Using SAP Security Optimization Self-Service

LESSON OVERVIEW
This lesson discusses how to optimize the security and availability of your SAP solutions with
the SAP Security Optimization Service.

Business Example
Enterprise IT landscapes are increasingly vulnerable to security breaches due to open and
complex landscapes. The SAP Security Optimization Service is a remote service to check
your SAP system landscape for critical security settings to minimize your security risk. For
this reason, you require the following knowledge:

An understanding of how the SAP Security Optimization Service benefits you

An understanding of how to execute a Self-Service in the SAP Solution Manager

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Use the SAP Security Optimization Self-Service

SAP Security Optimization

Figure 116: SAP Solution Management Optimization Service Offerings

The SAP Security Optimization Service is part of the SAP Solution Management Optimization
program. This program offers a series of services to keep SAP solutions running optimally.
These services optimize applications and system operations by solving technical issues that
have been identified in safeguarding services as a risk to smooth operations.
The SAP Security Optimization Service is a remote service, comparable to the SAP EarlyWatch
Service.

The following table lists the main difference between the SAP Security Optimization
Service and SAP EarlyWatch:

SAP Security Optimization Service: It proactively analyzes security vulnerabilities within an
enterprise's SAP landscape to ensure optimal protection against intrusions.

SAP EarlyWatch Service: It proactively analyzes your operating system, database, and entire
SAP system to ensure optimal performance and reliability.

Within 1-2 days, the following steps are performed:

The service is primarily automated, but includes some manual checks.

The service checks the SAP systems and SAP middleware components.

The service prioritizes and delivers results with recommendations for how to resolve
identified vulnerabilities.

The service should perform checks at regular intervals for the following reasons:
To verify that actions derived from earlier service runs lead to the desired results

To verify that recent configuration changes did not introduce new security holes

To include the most up-to-date checks

You can use the SAP Security Optimization Service at any time. The best time to use it is
during the going live phase, which means that you have finished installing and implementing
your SAP system; you then perform security optimization in the production phase for your
company.
When everything is done, you can review the security settings to see how your data will be
protected. This service is useful when you prepare for internal and external audits. You can
rerun it to ensure that the applied changes in the system configuration were successful and
that no new vulnerabilities appear.

Process Overview

Figure 117: Process Overview

The SAP Security Optimization Service is designed to verify and improve the security of the
SAP systems of customers by identifying potential security issues and giving
recommendations on how to improve the security of the system.

SAP Security Optimization Service and Self-Service Overview

Figure 118: SAP Security Optimization Service and Self-Service Overview

The underlying concept of the SAP Security Optimization Service is to ensure the smooth
operation of the SAP solution by taking the actions proactively, before severe security
problems occur. This action consists of hundreds of checks based on the SAP security
guidelines and the knowledge of the SAP security consultants.
The SAP Solution Manager offers the possibility to execute SAP services locally.
An important part of the remote SAP Security Optimization Service is available as Self-
Service in the SAP Solution Manager.
With Self-Services from SAP, you have access to the security experience that SAP has gained
through thousands of installations, and you have minute details at your fingertips. You can
perform the same tasks that SAP consultants perform during the delivery of the services.
Self-Services help to identify and optimize the technical issues within an SAP system
landscape. Self-Services are only available in the SAP Solution Manager.

Self-Service Offerings:

It checks the Customizing settings that are relevant to security, such as password policy,
standard users (SAP*, DDIC, and so on), and recommended settings from the SAP
Security Guide.

It checks for the following authorization concepts:


- It checks the access to sensitive data, such as business data, user data, and critical
system settings, for example, RFC connections.
- It checks the access to user management, system management, and change
management functionality.
- It checks for conspicuous users.

Scope of SAP Security Optimization Service


Additional examples of the scope of SAP Security Optimization service are as follows:

Table 24: Checks Performed in the SAP SOS

For SAP NetWeaver Application Server ABAP (SAP NetWeaver AS ABAP):
- ABAP Basis Administration check
- User Management check
- Super users check
- Password check
- Spool and printer authorization check
- SAP GUI Single Sign-On (SSO) check
- Certificate Single Sign-On (SSO) check
- Background authorization check
- Batch input authorization check
- Transport control authorization check
- Role management authorization check
- Profile parameter check
- External authentication check

For SAProuter:
- Saprouttab check
- Operating system access check
- Secure Network Communication (SNC) check

For SAP NetWeaver Application Server Java (SAP NetWeaver AS Java):
- Java Landscape check
- Configuration check
- Secure Socket Layer (SSL) check
- Administration check

Note:
Refer to http://support.sap.com/sos for more information.

Security Optimization with the SAP Solution Manager

The prerequisites to optimize security using the SAP Solution Manager are as follows:
The system to be tested needs to be prepared for Early Watch Alert sessions because the
Early Watch Alert download is also the basis for the Security Optimization Service.

Unit 7: SAP Security Notes

Refer to SAP Notes 837490 and 696478 for important information about the preparation
for the SAP Security Optimization. These notes also list known errors.

A specific authorization must be set up in the target system before you can collect the data
for the Security Optimization Service.

The steps to optimize security using the SAP Solution Manager are as follows:
1. Creation of the Security Optimization Service Session

2. Execution of customer-specific authorization checks

3. Creation of the ST14 download in the analyzed system

4. Completion of the questionnaire for the service session

5. Execution of the customer report

Creation of the Security Optimization Session


You can create an instance of a Security Optimization Session in your solution landscape.

Creation of the Service Session

Figure 119: Creation of the Service Session

The service plan of your solution displays the Security Optimization Services that have been
created. Now, a request is sent to the target system to create an Early Watch Alert download
and send it back to the Solution Manager. This download is used to build up the service
session. Some of the profile parameter data is used for part of the security checks.


Customer-Specific Authorization Checks

Figure 120: Customer-Specific Checks

If you want to add your own authorization checks, check the definition of the customer-
specific authorization checks.

Steps to check the definition of the customer-specific authorization checks are as
follows:
1. In the satellite system, run transaction ST13.

2. Select the SOS_CUSTOMER_DATA tool and choose the Execute pushbutton.


Creation of the ST14 Download in the Analyzed System

Figure 121: ST14 Download

Now, you need to create the ST14 download in the system that needs to be analyzed with the
Security Optimization Service and send it to the Solution Manager.

The prerequisites for the creation of the ST14 download in the system are as follows:

The system needs to be connected to the SAP Solution Manager

The system needs the support Plug-Ins ST-PI and ST-A/PI

Implementation of SAP Note 696478

Implementation of SAP Note 873038, if customer-specific checks should be created (only
for ST-A/PI 01F*)

To create the ST14 download, perform the following steps:


1. Run transaction ST14 and select the application Security Optimization.

2. Complete the input parameters of the selection screen, as described in SAP Note 696478.

3. When the data collection ends, send the analysis to the Solution Manager.


Completion of the Questionnaire for the Service Session

Figure 122: The Questionnaire

The questionnaire is used to influence the content and the look of the resulting service report.

For completing the questionnaire, perform the following steps:


1. Include all known users with special authorizations (such as system administrators, user
administrators, key users, and so on) so that they are excluded from the service report.

2. Choose the clients that should be checked.

3. Decide if the user names should appear on the report.

Task of the questionnaire:


It provides the specification of known users with critical authorizations in the
questionnaire.

It keeps the report readable and helps to perform correct risk analysis.

It customizes the look of the report.

It helps to choose the tested client.


Execution of the Customer Report

Figure 123: The Service Session Action Item List

You need to include the ST14 download in your analysis session and create the service report.

Characteristics of the customer report – action item list:


The action items list gives an overview of the complete system status.

The action items are created automatically, containing all the checks rated with high risk.

All checks have a four-digit identifier, which makes it easy to find the detailed description
in the report.


Customer Report

Figure 124: Customer Report – Check Example

The general characteristics of a customer report are as follows:


It provides an explanation of a specific vulnerability.

It displays the number of unexpected users that have authorization.

It gives a recommendation on how to handle the situation.

It displays all checked authorization objects.

LESSON SUMMARY
You should now be able to:

Use the SAP Security Optimization Self-Service



Unit 7
Lesson 3
Appendix: Implementing and Checking
Technical Security Recommendations

LESSON OVERVIEW
This lesson provides an overview of various features in Solution Manager which we can use to
check whether the systems in our landscape are configured consistently, in particular the
security setup. The features covered in this lesson are Configuration Validation, System
Recommendations and Early Watch Alerts.

Business Example
Your company needs to upgrade its security measures and enhance the security features on
an SAP Server. For this reason, you require the following knowledge:

An understanding of how to use SAP Solution Manager to secure systems

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Implement and check technical security recommendations using SAP Solution Manager

Configuration Validation

Figure 125: Scope of Configuration Validation

Use Cases for Configuration Validation


Security Compliance
In this case, Configuration Validation checks compliance with the customer-defined policy,
such as gateway configuration, authority and users, security-relevant instance
parameters, and so on.

Transports
In this case, Configuration Validation covers sections such as missing or failed transport
requests and the validation of production backlog.


OS/Host
In this case, Configuration Validation compares the configuration of operating system and
host.

Database
In this case, Configuration Validation validates the configuration of the database
parameters and level.

Software
In this case, Configuration Validation validates ABAP or Java software packages.

SAP Kernel
In this case, you deal with the SAP Kernel level compliance.

Customer
In this case, you deal with the customer-defined configuration baselines that are used for
validation.

Reporting
In this case, Configuration Validation performs reporting on the software or SAP Kernel
level and other Config Items without validation.

Configuration Validation enables you to use a reference system containing the baseline for
validation, which is performed against a number of comparison systems. As a reference
system, the data of a managed system can be used to compare the configuration data of an
existing system with the configuration data of other existing systems.
You can also create a target system based on the collected configuration data of an existing
system. You can edit the configuration data of this target system to create a baseline for
validation that is independent of any current system setting.

Landscape Model for Configuration Validation

Figure 126: Landscape Model for Configuration Validation

Configuration Validation enables you to determine whether the systems in your landscape are
configured consistently and in accordance with your requirements. You can check the current
configuration of a system in your landscape using a defined target system or compare it with
an existing system.
Configuration Validation provides a report to understand how homogeneous your system
configuration is. Using centrally stored configuration data in Solution Manager and a subset of
the collected configuration data, you can perform Configuration Validation of many systems.


More Information About Configuration Validation


End-to-End Change Control Management:
https://support.sap.com/solution-manager/processes/change-control-management.html

Configuration Validation at SCN:
https://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Home

End-to-End Diagnostics and SAP Solution Manager

Figure 127: End-to-End Diagnostics and SAP Solution Manager

When an IT-related problem occurs, it can be recorded, categorized, and prioritized in the
SAP Solution Manager Service desk by the end user or an IT employee. This message is sent
to the first-level support, which attempts to solve the problem. In addition, first-level support
performs a search in the customer's solution database or a note search in the SAP Service
Marketplace.
If a solution cannot be found, second-level customer support begins by carrying out a Root
Cause Analysis. If the error cannot be clearly assigned to a customer solution component, the
SAP Solution Manager uses cross-component diagnostics to directly identify the component
that is responsible for the error.
End-to-end diagnostics in SAP Solution Manager systematically narrows down the cause of
the error. This avoids a detailed Root Cause Analysis across multiple components by
component experts, who usually cannot detect the malfunction from within their specific
component alone. That approach is time-consuming and expensive.
The cross-component diagnostics tools in SAP Solution Manager are based on a central
diagnostics database that contains data related to agents on the component systems. These
agents are preconfigured by SAP when they are delivered, such that only the data required for
systematically isolating the problematic component is obtained from the component
systems.
The end-to-end Root Cause Analysis in SAP Solution Manager supports the components
implemented in ABAP, Java, or C++, or those components that run on the Microsoft .NET
framework.
SAP Solution Manager standardizes, aggregates, and correlates the following functions:

Performance and resource metrics


Access to technical configuration

Exceptions (critical logs and dumps)

Traces

Transparency on changes to software (code), configuration, or content

End-to-End Change Analysis

Figure 128: End-to-End Change Analysis

You can perform an end-to-end analysis with the help of the configuration section of Solution
Manager Diagnostics. Using the Solution field, choose the system that you want to analyze.
Choose end-to-end change analysis by selecting the system you want to analyze. If you want
to analyze all systems, choose the All pushbutton. You can customize the duration of the
analysis using the menu option provided within the system.
The Overview tab page shows the change information for a selected duration of time. You can
also select the required server from the included server list, which is available in that
particular scenario.
The system you choose is broken down into its main instances. Each system has one main
instance. The end-to-end changes are always detected on a daily basis. The overview quickly
identifies the main instance of the system for which changes have been detected. The
corresponding changes are saved in the Solution Manager database.
The logs show changes in the instances, mainly the ABAP central instance.
The details provided by end-to-end change analysis are as follows:

Software maintenance
Displays the changes to software components through patch level updates

Parameter
Displays the changes regarding ABAP instance parameters and database parameters

Transport request
Displays the changes applied on transports and SAP Notes


RFC destination
Displays the changes to RFC destinations (creation or updates)

By clicking the screen for a corresponding change analysis, you can see the changes made
during the selected time frame.
For example, if you choose the Parameter data link, you can see the changes in a table. The
additional information indicates the kind of change to the current value: a newly created
initial value, an updated value together with its old value, or a deleted value.

Architecture Overview

Figure 129: Architecture Overview

Change analysis is a part of an end-to-end analysis within Root Cause Analysis. Change
analysis is based on the data from Configuration and Change Database (CCDB) within the
SAP Solution Manager. Any changed figures are stored in SAP NetWeaver Business
Warehouse (BW), and the configuration data itself is stored in the configuration stores of
CCDB.
The configuration stores are part of CCDB and contain all configuration details. Change
analysis uses the change reporting data viewer to display detailed configuration data. The
change analysis application is available in an end-to-end analysis.
The change analysis function provides an overview of the changes applied to the managed
systems. It also displays the number of changes per system, the change category, and the
day when the change was made. You access it from the Root Cause Analysis work center.

Configuration Items – Overview and Baselines

Figure 130: Overview of Configuration Items


The configuration items overview reports changes to the configuration items of a system (for
example, operating system, database, ABAP parameters, Java parameters, transport
requests, and support packages) and serves as a central entry point for Root Cause Analysis.
Change analysis helps you to keep track of the changes in your solution landscape. Your
development system may behave differently compared to your production system. If the
J2EE instances of your production system behave differently, you need to determine the
reason.
Regular snapshots of the configuration settings are taken and stored in CCDB of the SAP
Solution Manager. With this information, the change analysis function enables you to identify
the changes. This function also enables you to know the number of changes made. This
function automatically takes you to the change reporting data viewer for the details and
history of a changed item.

Possible Reference Systems or Configuration Baselines

Figure 131: Possible Reference Systems or Configuration Baselines

The possible reference systems or configuration baselines are as follows:

Reference is an existing system

Reference is a target system

Using a Real System as the Baseline

Figure 132: Using a Real System as the Baseline

Configuration Validation allows you to perform a validation using the Config Items collected
for a managed system as a baseline. In this case, the complete configuration of the real
existing system is compared with the Compared Systems. One of the relevant use cases for
this comparison is the validation after the Roll Out phase.
In this use case, a new release is created from the implementation of software packages and
SAP Notes, Kernel updates, parameter adjustments, custom own transports, and so on. The
system that contains all these changes is used as a reference system after the Roll Out
validation phase is completed. The goal is to check how the Compared Systems match the
reference system.

Using a Target System as the Baseline

Figure 133: Using a Target System as the Baseline

Configuration reporting allows you to use a target system as the baseline for validation. In this
case, you are not interested in the validation of the complete list of possible configuration
items. Depending on the use case, only some of the validation parameters are important.
For example, in case of security compliance, you are interested in the validation of ABAP
parameters, ABAP notes, user authorization, gateway (gw) configuration, and the Kernel level. For
validation of failed transports, you only need the ABAP_TRANSPORTS store. As a result, you
need to restrict the configuration items to be validated. This restricted reference system,
which is adjusted for one or another use case, is called the target system and is not stored in
CCDB. It is stored in a separate database table, and it can be adjusted or extended anytime.


Target System Maintenance

Figure 134: Target System Maintenance

In a target system, you can specify a compliant rule for each Config Item. If the rule applies to
the corresponding Config Item of a comparison system, the Config Item has the compliant
status in the reporting output. Otherwise, it has the non-compliant status.

Drilldown Reporting

Figure 135: Drilldown Reporting

For a validation report, it is necessary to select the following elements:

Reference system

Comparison systems (Comparison List)


Validation Template

Number of rows displayed in a report

The option to run the report with or without showing the BW query pop-up

Cross-System Check for System Recommendations – Integrated Business Warehouse Reporting as of SolMan 7.10 SP3

Figure 136: Integrated Business Warehouse Reporting as of SolMan 7.10 SP3

By using the BW reporting query, you can perform the following tasks:

Display the data range for transports

Validate data for Config Stores

Use the reference system

Use the Compared System

Save selections to the Reporting Directory

The header of the BW query provides information about input data, such as reference and
compared systems, validated Config Stores, and items.
The Report Output displays the report in the following views:

Flat view
This view shows all Config Items at once as a flat table, and the results of compliance
checks are displayed in color for each single item.

Hierarchical view
This view groups Config Items in a hierarchical view, and the compliance results are
aggregated for each hierarchy level.


Solution Manager 7.10 – Rule-Based Operators

Figure 137: Rule-Based Operators

Rule-based operators provide greater flexibility to define a fitting target system.


Some Config Stores are instance-related, and some are client-related. Information about the
instance or client is not displayed initially.

Hint:
To display that information, you need to drill down to the Instance and Cf Item
value info characteristics. Then, expand Navigation Block and view the
characteristics in the Free Characteristics section.

Get the instance information for Config Store ABAP_INSTANCE_PAHI, the notes description
of ABAP_NOTES items, and the client of the AUTH_PROFILE_USER Config Store.
Configuration Validation can be found in the following locations:

In SAP Solution Manager 7.0/7.10, in the related links of the Change Management work
center, through the SAP Easy Access screen.

In SAP Solution Manager 7.10 SP05, in the related links of the Change Management work
center and of the Root Cause Analysis work center, through the SAP Easy Access screen.


Solution Manager 7.10 – Operators and Target Systems in SAP Solution Manager 7.1

Figure 138: Operators and Target Systems in SAP Solution Manager 7.10

In Solution Manager 7.1, all rules are transparent and none of the rules are hardcoded. Also,
the operators are available for all types of Config Stores, such as property, table, text, and
XML. The operators comprise the rules used to validate a Config Item.

ABAP Notes – Online Recommendations from the SAP Security List

Figure 139: ABAP Notes – Online Recommendations from the SAP Security List

The SAP Notes from the SAP security list provide Software and Kernel dependency for a
particular topic (if the corresponding note is available for that topic). Only relevant SAP Notes
from the source system (in other words, the SAP notes that match components and the
Kernel Release from the source system) can be inserted.


ABAP Notes – System Recommendations

Figure 140: ABAP Notes – System Recommendations

System Recommendations collects any required information from the managed systems
using a background job that should be scheduled on a regular basis. A direct refresh of the
information that has already been calculated for a specific system can also be started directly.
Only the calculation of result is done in SAP’s Global Support Backbone, which means that
there is no load being generated on the SAP Solution Manager system or the managed
system.
The SAP Notes relevant to the source system can be restricted using the following elements:

A data range

A note group – for example, only security and HotNews SAP Notes can be inserted

After the recommendation has been calculated, the user can set various statuses for the
recommended notes, such as ‘implemented’, ‘not relevant’, or ‘postponed’. These statuses, in
combination with a filter that displays only notes with a certain status, help you to keep an
overview of all recommendations and to track the tasks assigned to them.
System Recommendations can be used as a source of SAP Notes that are relevant to
Configuration Validation.


User Interface – Security Template

Figure 141: User Interface – Security Template

The features of the new Security Template are as follows:

It enables you to have a head start when starting with Configuration Validation for security.

It contains suggestions for rules and values for a number of Config Stores and can be used
to create a target system.

It enables you to add or remove Config Stores and change rules and values.

It helps in navigation and provides guided procedures with steps for the basic
configuration.

It provides detailed information about each step, such as what needs to be done and what
will happen in the background.

It lists all single activities during each step, along with the documentation for Customizing
activity.

It shows detailed logs for each activity.


End-to-End Alerting

Figure 142: End-to-End Alerting

You can add a target system to end-to-end alerting. As a result, the non-compliant items raise
an alert in the alert inbox.

Solution Manager 7.10 – SP3 Management Dashboard

Figure 143: Solution Manager 7.10 – SP3 Management Dashboard

The MY_DASHBOARD dashboard application shows the validation result of the comparison
between selected systems with a target system.


System Recommendations

Figure 144: System Recommendations – Overview

To keep your SAP systems up to date and secure, you need to apply various types of notes
and patches. System Recommendations shows all the relevant notes and patches for the
selected systems and helps you to keep all your systems up to date.

Advantages of System Recommendations


It provides a detailed recommendation of SAP Notes and non-SAP Notes that should be
implemented, based on the actual status of the system and already implemented notes.

It provides recommendations that comprise the following notes categories:


- Security notes
- Performance-relevant notes
- HotNews
- Legal change notes
- Correction notes or patch notes

It features a powerful calculation method for notes that provides a comprehensive
recommendation for the selected system.

It increases system security by applying up-to-date, security-relevant notes exactly
tailored for the respective system.

It enables integration into Change Request Management to directly create change
requests for the selected notes.

It provides easy-to-use filter settings, allowing an exact selection of a system or solution.


Process Flow

Figure 145: Process Flow

Since System Recommendations provides only those SAP Notes that are missing in the
Compared Systems, it imposes limitations on the usage of the System Recommendations
application for status reporting.
The SAP Notes that were missing on the first day that System Recommendations were
calculated (Q1) can differ from the SAP Notes calculated at a later date (Q2) because some
SAP Notes may be implemented in the system; additionally, new SAP Notes may be released
during this interval.
To use System Recommendations for notes validation, you need to freeze the calculated list
of SAP Notes and save it as a target system (Q1). Then, using the validation process on a later
date, you can receive the compliance results that show how compliant a Compared System is
with the status of the target system.
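As an added illustration (not SAP's code), the following Python model shows the mechanism shared by the Configuration Validation target system described earlier and the frozen System Recommendations note list above: target rules with operators are checked against each comparison system's Config Stores, and the results are produced as a flat view and aggregated per Config Store like the hierarchical view. The store names ABAP_INSTANCE_PAHI and ABAP_NOTES and the note numbers are from this lesson; the system IDs, collected values, note statuses and the login/min_password_lng target are constructed assumptions.

```python
"""Model of Configuration Validation compliance logic (illustration, not SAP code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ConfigStore = Dict[str, str]            # Config Item name -> collected value
SystemConfig = Dict[str, ConfigStore]   # Config Store name -> Config Store


@dataclass(frozen=True)
class Rule:
    """Compliant rule for one Config Item of the target system."""
    store: str
    item: str
    operator: str
    expected: str


# Rule-based operators: the comparison system's actual value vs. the expected value.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "=": lambda actual, expected: actual == expected,
    "<>": lambda actual, expected: actual != expected,
    ">=": lambda actual, expected: float(actual) >= float(expected),
    "<=": lambda actual, expected: float(actual) <= float(expected),
    "in": lambda actual, expected: actual in expected.split("|"),
}


@dataclass(frozen=True)
class Result:
    """One row of the flat view."""
    system: str
    store: str
    item: str
    actual: Optional[str]
    expected: str
    compliant: bool


def validate(target: List[Rule], systems: Dict[str, SystemConfig]) -> List[Result]:
    """Flat view: check every target rule against every comparison system."""
    rows: List[Result] = []
    for system_id, config in systems.items():
        for rule in target:
            actual = config.get(rule.store, {}).get(rule.item)
            if actual is None:
                compliant = False          # item not collected -> non-compliant
            else:
                try:
                    compliant = OPERATORS[rule.operator](actual, rule.expected)
                except ValueError:         # non-numeric value with a numeric operator
                    compliant = False
            rows.append(Result(system_id, rule.store, rule.item, actual,
                               rule.expected, compliant))
    return rows


def hierarchical_view(rows: List[Result]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Aggregate the flat view per (system, store): (compliant items, checked items)."""
    summary: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for row in rows:
        done, total = summary.get((row.system, row.store), (0, 0))
        summary[(row.system, row.store)] = (done + int(row.compliant), total + 1)
    return summary


def freeze_notes_as_target(missing_notes: List[str]) -> List[Rule]:
    """System Recommendations flow: freeze the Q1 list of missing notes as target rules."""
    return [Rule("ABAP_NOTES", note, "=", "implemented") for note in missing_notes]


# Security target system. login/min_password_lng is a real profile parameter; its
# target value here is a constructed example, as is the whole rule set.
SECURITY_TARGET: List[Rule] = [
    Rule("ABAP_INSTANCE_PAHI", "login/no_automatic_user_sapstar", "=", "1"),
    Rule("ABAP_INSTANCE_PAHI", "login/min_password_lng", ">=", "8"),
] + freeze_notes_as_target(["1554475", "1577059"])

# Constructed Config Store snapshots of two comparison systems.
SYSTEMS: Dict[str, SystemConfig] = {
    "DEV": {
        "ABAP_INSTANCE_PAHI": {"login/no_automatic_user_sapstar": "1",
                               "login/min_password_lng": "8"},
        "ABAP_NOTES": {"1554475": "implemented"},   # 1577059 not implemented
    },
    "PRD": {
        "ABAP_INSTANCE_PAHI": {"login/no_automatic_user_sapstar": "0",
                               "login/min_password_lng": "6"},
        "ABAP_NOTES": {"1554475": "implemented", "1577059": "implemented"},
    },
}


def run_example() -> List[Result]:
    """Validate the two sample systems against the security target system."""
    return validate(SECURITY_TARGET, SYSTEMS)


if __name__ == "__main__":
    results = run_example()
    for row in results:
        state = "compliant" if row.compliant else "NON-COMPLIANT"
        print(f"{row.system} {row.store}/{row.item}: actual={row.actual!r} "
              f"expected {row.operator if False else ''}{row.expected} -> {state}")
    for (system_id, store), (done, total) in hierarchical_view(results).items():
        print(f"{system_id} {store}: {done}/{total} compliant")
```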

System Recommendations – Process Flow

Figure 146: System Recommendations – Process Flow

System Recommendations is a new functionality in SAP Solution Manager that focuses on
SAP Notes. It provides a tailored recommendation of notes that should be applied to a
selected managed system. This recommendation is calculated based on the actual notes
status of the system.
The recommendation that System Recommendations makes for a system is based on factors
such as whether a specific note is already implemented in the system, what the version of the
implemented note is, and whether newer versions are available.

AGS Workcenter – Change Management

Figure 147: AGS Workcenter – Change Management

During troubleshooting, check application log AGS_SR to see the configuration and check
logs. In case of any problems, create a customer message under component System
Recommendations for managed systems (SV-SMG-SR).

System Recommendations – Set Up


The following steps must be followed to set up System Recommendations:

1. The SAP-OSS RFC connection must be set up correctly.

2. All managed systems must be connected to SAP Solution Manager and documented in
transaction SMSY. They must be assigned to a product system and to a solution.

3. Authorization object SM_FUNCS controls the access to and visibility of tabs in System
Recommendations.

To collect this data automatically for use in System Recommendations, set up a batch job in
the settings area of System Recommendations.
System Recommendations is a part of the change management work center in SAP Solution
Manager.
For more information about the System Recommendations setup, see
http://help.sap.com/saphelp_sm71_sp01/helpdata/en/83/68fad4952d42a192469fa02586aeff/frameset.htm.


System Recommendations – Key Elements

Figure 148: System Recommendations Key Elements

Key Elements of System Recommendations


You can filter the recommendations by solution, product system, technical system, and
date.

You can filter by application component. This makes the view easier in an application
scenario.

Structured recommendation for system.

You can perform BW reporting as of SolMan 7.20 SP3.

Multiple views are possible.

Status management and filter are possible.

The change request and maintenance optimizer can be integrated.

You can export to MS Excel by choosing the Export button.

Extended Functions in System Recommendations as of SolMan 7.10 SP5

Figure 149: Extended Functions in System Recommendations as of SolMan 7.10 SP5


System Recommendations is delivered with SAP Solution Manager 7.0 SP26. It is also
included in SAP Solution Manager 7.1. This functionality is only available within the change
management work center using transaction SOLMAN_WORKCENTER or transaction
SM_WORKCENTER. Therefore, as a prerequisite, you must have access to the work center.
To ease data collection and speed up the delta calculation, schedule a background job that
automatically collects all the needed information from the managed systems.
To control access to System Recommendations, use authorization object SM_TABS (in SAP
Solution Manager 7.0) or authorization object SM_FUNCS (in SAP Solution Manager 7.1) to
grant or deny access to the different tabs of System Recommendations.
Before using System Recommendations, SAP strongly recommends that you implement SAP
Notes 1554475 and 1577059. SAP also recommends that you configure your Solution
Manager system for the automatic update check.

Cross-System Check for System Recommendations and Solution Manager


The code-exchange project in the SAP Community Network offers the report
ZSYSREC_NOTELIST, which you can use to produce a cross-system report as of SolMan 7.00
SP 26. You can download the source code from the SAP Community Network wiki at
http://wiki.sdn.sap.com/wiki/download/attachments/343933423/ZSYSREC_NOTELIST.txt.
For more information about this program, see the blog post Report ZSYSREC_NOTELIST -
Show results of System Recommendation on the SAP Community Network at
http://scn.sap.com/community/security/blog/2011/07/18/report-zsysrecnotelist--show-results-of-system-recommendation.

Security Topics in Early Watch Alert

Figure 150: Early Watch Alert in the SAP Engagement and Service Delivery Work Center

SAP Early Watch Alert (EWA) is an important part of making sure that your core business
processes work. It is a tool that monitors the essential administrative areas of SAP
components and keeps you up to date on their performance and stability. SAP EWA runs
automatically to keep you informed so that you can proactively resolve issues before they
become critical.


Information in EWA Report


The EWA report includes the following information about critical security observations:

SAP security notes – ABAP and Kernel Software Corrections

Default passwords of standard users

Password policy

Gateway and Message Server Security

For users with critical authorizations, you can find detailed and additional information with
the help of the security self-services.
For more information about SAP EWA, refer to http://service.sap.com/ewa.

SAP Early Watch Alert


In SAP EWA, important service data is extracted on the system for which an EWA check is
processed, and it is transmitted through a remote connection to your Solution Manager,
where the data is processed. For your convenience, data can also be transmitted to SAP
directly and processed in an SAP internal service system.
The data transferred includes only technical data with nonsensitive content, which is
transparent and manageable using transaction SDCCN.
The processing system analyzes this data and provides a clear overview of the results in a
report. Keeping the Total Cost of Ownership (TCO) low and the performance of your SAP
solution high gives tremendous value to your business.

SAP Early Watch Alert Data Transfer

Figure 151: SAP Early Watch Alert Data Transfer

We recommend that you activate EWA when you connect an SAP Satellite system to your
Solution Manager.

Features of SAP EWA


It identifies potential problems at an early stage

It prevents bottlenecks by:

Unit 7: SAP Security Notes

- Reacting to issues before they become critical
- Knowing what affects the performance and stability of your solution

It monitors the following regularly and automatically:

- The performance of SAP systems
- Essential administrative areas of SAP systems

It greatly minimizes the risk of downtime

SAP EWA also helps to reduce the TCO by knowing what affects the performance and stability
of your solution.
The underlying purpose of SAP EWA is to ensure the smooth operation of individual SAP
systems by keeping you informed of their status and allowing you to take the required action
before severe technical problems occur.

SAP Security Notes – Default Passwords of Standard Users

Figure 152: Default Passwords of Standard Users

Standard users such as SAP* or DDIC have default passwords.


We recommend that you use report RSUSR003 to check the usage of default passwords by
standard users.
Ensure that the following conditions are met:

User SAP* exists in all the clients.

Users SAP*, DDIC, SAPCPIC, and Early Watch have non-default passwords in all the
clients.

Profile parameter login/no_automatic_user_sapstar is set to 1.

You must make sure that the standard password for user TMSADM is changed in client 000,
and you should delete this user in any other client. SAP Note 1414256 describes a support tool
for changing the password of user TMSADM in all the systems of the transport domain.
The password status should not be DEFAULT. User SAP* must exist in all clients, and its
password must be changed. The other users need not exist in all clients.

Gateway and Message Server Security

Figure 153: Gateway and Message Server Security

To enable the Gateway and Message Server security functionality, a minimum Kernel patch
level is required. If your system currently misses this requirement, SAP recommends that you
update the kernel of your system to the newest kernel patch level available. You need to update
to a kernel patch level that is at least equal to or higher than the minimal required kernel patch
level shown in the figure. For additional information, refer to SAP Note 1298433.

Note:
SAP recommends that you use the newest kernel patch level, even if the minimum
required patch level (or higher) is already in use.

Gateway Security – Gateway Security Properties

Figure 154: Gateway Security Properties

The gw/reg_no_conn_info parameter shows the Gateway Security properties. This
parameter controls the activation of certain security properties of SAP Gateway. It is defined
as a bit mask with one bit per property. The figure shows the properties identified for your
system.
SAP recommends that you enable the missing properties by adding the respective
recommended values to the current value of gw/reg_no_conn_info. For more information
about this parameter, refer to SAP Note 1444282.

Gateway Security – Enabling an Initial Security Environment

Figure 155: Enabling an Initial Security Environment

The gw/acl_mode parameter is used to enable an initial security environment. SAP
recommends that you set this parameter to 1 to activate more secure default behavior and
establish an additional line of defense in case either of the access control lists defined by
gw/sec_info and gw/reg_info does not exist. For more information about this parameter,
refer to SAP Note 1480644.

Gateway Security – Gateway Access Control Lists

Figure 156: Gateway Access Control Lists

The gw/sec_info and gw/reg_info parameters define the gateway access control lists: they
provide the file names of the corresponding access control list files. These access control
lists are critical for controlling Remote Function Call (RFC) access to your system, including
connections to RFC servers. You should create and maintain both access control lists, which
can be done using transaction SMGW. For more information, refer to SAP Note 1425765.

Message Server Security – Separation of Internal and External Message Server Communication

Figure 157: Separation of Internal and External Message Server Communication

The rdisp/msserv and rdisp/msserv_internal parameters are used to separate internal and
external message server communication.
Communication with the message server should be separated into SAP system internal
communication (TCP/IP port defined by rdisp/msserv_internal) and communication, for
example, from user SAP GUIs to the system (TCP/IP port defined by rdisp/msserv). Network
firewalls should block access to the port given in rdisp/msserv_internal from outside the SAP
system.
You must set parameter rdisp/msserv_internal to a TCP/IP port number different from the
port number given in rdisp/msserv; additionally, you must prevent access to the internal
message server port using appropriate firewalls. For more information, refer to SAP Note
821875.

Message Server Security – Message Server Administration Allowed for External Clients

Figure 158: Message Server Administration Allowed for External Clients

SAP recommends that you block external administration of the message server by setting
both profile parameters ms/monitor and ms/admin_port to the value 0.
To set profile parameter ms/admin_port dynamically, use transaction SMMS, and then choose
Goto → Security Settings.

Message Server Security – Message Server Access Control List

Figure 159: Message Server Access Control List

Profile parameter ms/acl_info provides the file name of the message server’s access control
list. This list controls which application servers are allowed to log on to the message server.
SAP recommends that you define and properly maintain this list to prevent rogue application
servers from joining the system. For more information about this parameter, refer to SAP
Note 821875.
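The parameter recommendations of the preceding sections (gw/acl_mode, the gateway ACL files, the gw/reg_no_conn_info bit mask, the two message server ports, ms/monitor, ms/admin_port, ms/acl_info, and login/no_automatic_user_sapstar from the standard users section) can be checked offline against a profile file. The following Python script is an added example, not an SAP tool and not part of the course material: it parses a constructed instance profile and lists every deviation. The bit values of gw/reg_no_conn_info are defined in SAP Note 1444282 and are not reproduced here, so the required mask is passed in by the caller, which is an assumption of this example.

```python
"""Added example: offline check of the gateway, message server and standard user
profile parameters discussed above. Not an SAP tool; the real checks are done by
the EWA report and Configuration Validation in SAP Solution Manager."""
from __future__ import annotations

# Constructed instance profile with several weak settings (not from a real system).
WEAK_PROFILE = """\
# instance profile (constructed example)
SAPSYSTEMNAME = XYZ
gw/acl_mode = 0
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_no_conn_info = 1
rdisp/msserv = 3600
rdisp/msserv_internal = 3600
ms/monitor = 1
ms/admin_port = 0
login/no_automatic_user_sapstar = 1
"""

# Constructed hardened version of the same profile.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = XYZ
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
gw/reg_no_conn_info = 3
rdisp/msserv = 3600
rdisp/msserv_internal = 3900
ms/monitor = 0
ms/admin_port = 0
ms/acl_info = $(DIR_DATA)/ms_acl_info
login/no_automatic_user_sapstar = 1
"""


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines of an SAP profile; '#' comments and blank lines are skipped.
    Names are stored lower-cased so that lookups are case-insensitive."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip().lower()] = value.strip()
    return params


def check_profile(params: dict[str, str], required_conn_info_bits: int) -> list[str]:
    """Return the list of findings; an empty list means every check passed.

    required_conn_info_bits is the bit mask of gw/reg_no_conn_info properties that must
    be enabled (values per SAP Note 1444282; supplied by the caller in this example)."""
    findings: list[str] = []

    def value(name: str) -> str:
        return params.get(name.lower(), "")

    # Gateway: secure default behavior if an ACL file is missing, and both ACL files named.
    if value("gw/acl_mode") != "1":
        findings.append("gw/acl_mode should be set to 1")
    for acl in ("gw/sec_info", "gw/reg_info"):
        if not value(acl):
            findings.append(f"{acl} is not set: no gateway access control list file")

    # gw/reg_no_conn_info is a bit mask; report the required bits that are not set.
    try:
        current_bits = int(value("gw/reg_no_conn_info") or "0")
    except ValueError:
        current_bits = 0
    missing = required_conn_info_bits & ~current_bits
    if missing:
        findings.append(f"gw/reg_no_conn_info lacks bits {missing:#x} (current value {current_bits:#x})")

    # Message server: internal and external ports must differ so the internal one can be firewalled.
    external, internal = value("rdisp/msserv"), value("rdisp/msserv_internal")
    if not internal:
        findings.append("rdisp/msserv_internal is not set")
    elif external == internal:
        findings.append("rdisp/msserv_internal equals rdisp/msserv: internal traffic is not separated")

    # External message server administration blocked, and an ACL for application servers in place.
    for param in ("ms/monitor", "ms/admin_port"):
        if value(param) != "0":
            findings.append(f"{param} should be set to 0 (current value: {value(param) or 'unset'})")
    if not value("ms/acl_info"):
        findings.append("ms/acl_info is not set: any application server may log on to the message server")

    # Standard users: no automatic SAP* logon.
    if value("login/no_automatic_user_sapstar") != "1":
        findings.append("login/no_automatic_user_sapstar should be set to 1")
    return findings


if __name__ == "__main__":
    for finding in check_profile(parse_profile(WEAK_PROFILE), required_conn_info_bits=0b11):
        print("FINDING:", finding)
```

Run it against the weak sample and six findings are printed; the hardened sample produces none. Keep in mind that a profile file shows the static values only; parameters changed dynamically (for example ms/admin_port through transaction SMMS) have to be read from the running system.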

RFC Hopping – Output with Critical RFC Destinations

Figure 160: RFC Hopping – Output with Critical RFC Destinations

This report shows all the RFC destinations with critical status. You can customize the critical
user authorization using the AUTH_PROFILE_USER store (by default, the users with the
SAP_ALL profile are checked).
For validation details, in the figure, the Comparison Value field helps you to find all the
validation information about the critical RFC destination. In our example, for RFC destination
PMIB4X001, which is created in the B4X system, user PIRWBUSER and the password are
saved in the logon data. This user has the SAP_ALL profile assigned in the B4X system.
If an RFC destination contains the logon data of a user with critical authorizations (for
example, with the SAP_ALL profile), the following risks are involved:

Privilege escalation

User impersonation

Bypass of Network Firewalls

Access to the whole system landscape (for example, enabling a jump to a central system,
such as the Solution Manager)

To avoid these risks, it is necessary to identify critical RFC destinations across systems and
also monitor RFC destinations to critical systems.

RFC Hopping – Finding RFC Destinations Pointing to a Critical System

Figure 161: RFC Hopping – RFC Destinations Pointing to a Critical System

The RFCDES_TYPE_3_CHECK store is filled based on the content of the RFCDES_TYPE_3
store, which contains the definition of all RFC destinations. Config Store RFCDES_TYPE_3 is
read and, according to the RFC destination, it is used to find the target system (host, system
ID) and the technical system ABAP.
After the target system is found, the AUTH_PROFILE_USER store for this system is checked
for the authorizations assigned to the user saved in the RFC destination.
If the destination user is found there, the destination is validated as critical, and the
expression CRITICAL_USER_PROFILE is stored.
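The validation just described (resolve the destination's target system, look the stored logon user up in that system's AUTH_PROFILE_USER store, mark the destination CRITICAL_USER_PROFILE if the critical profile is assigned) is modelled below as an added Python example. It is not Solution Manager code: the RFCDES_TYPE_3 rows, the host-to-technical-system mapping, and the AUTH_PROFILE_USER contents are all constructed, and the two extra comparison values NO_LOGON_DATA and TARGET_UNKNOWN are assumptions of this example that cover destinations without stored credentials and targets that are not managed.

```python
"""Added example: the RFC hopping validation modelled offline. All store contents
are constructed; nothing is read from a Solution Manager system."""
from __future__ import annotations

from dataclasses import dataclass

CRITICAL_PROFILE = "SAP_ALL"  # default critical profile, customizable as in the text


@dataclass(frozen=True)
class RfcDestination:
    """One type-3 (ABAP) RFC destination as recorded in the RFCDES_TYPE_3 store."""
    defined_in: str       # system in which the destination is defined
    name: str
    target_host: str
    target_sysid: str
    user: str | None      # user in the logon data; None for trusted / current-user logon
    password_saved: bool


# Constructed RFCDES_TYPE_3 store content (not from any real landscape).
RFCDES_TYPE_3 = [
    RfcDestination("B4X", "PMIB4X001", "b4xhost", "B4X", "PIRWBUSER", True),
    RfcDestination("SD7", "SD7_TO_SOLMAN", "sm1host", "SM1", "SMADMIN", True),
    RfcDestination("SD7", "SD7_TO_SOLMAN_TRUSTED", "sm1host", "SM1", None, False),
    RfcDestination("SD7", "SD7_TO_LEGACY", "legacyhost", "LG1", "RFCUSER", True),
]

# Constructed mapping (host, system ID) -> technical system ABAP of the managed systems.
TECHNICAL_SYSTEMS = {("b4xhost", "B4X"): "B4X~ABAP", ("sm1host", "SM1"): "SM1~ABAP"}

# Constructed AUTH_PROFILE_USER stores: technical system -> user -> assigned profiles.
AUTH_PROFILE_USER = {
    "B4X~ABAP": {"PIRWBUSER": {"SAP_ALL"}, "ALICE": {"S_A.SYSTEM"}},
    "SM1~ABAP": {"SMADMIN": {"S_A.SYSTEM"}},
}


def validate_destination(dest, technical_systems, auth_profile_user,
                         critical_profile=CRITICAL_PROFILE) -> str:
    """Return the comparison value for one destination.

    CRITICAL_USER_PROFILE: stored logon user holds the critical profile in the target system
    NO_LOGON_DATA:         no user/password stored, so no hop with stored credentials
    TARGET_UNKNOWN:        target not among the managed systems; needs manual review
    OK:                    stored user has no critical profile in the target system
    """
    if dest.user is None or not dest.password_saved:
        return "NO_LOGON_DATA"
    target = technical_systems.get((dest.target_host, dest.target_sysid))
    if target is None:
        return "TARGET_UNKNOWN"
    profiles = auth_profile_user.get(target, {}).get(dest.user, set())
    return "CRITICAL_USER_PROFILE" if critical_profile in profiles else "OK"


def build_rfcdes_type_3_check(destinations, technical_systems, auth_profile_user) -> list[dict]:
    """Fill the RFCDES_TYPE_3_CHECK store: one row per destination with its comparison value."""
    return [
        {
            "system": d.defined_in,
            "destination": d.name,
            "target": technical_systems.get((d.target_host, d.target_sysid)),
            "user": d.user,
            "comparison_value": validate_destination(d, technical_systems, auth_profile_user),
        }
        for d in destinations
    ]


def critical_destinations(check_store) -> set[tuple[str, str]]:
    """(defining system, destination) pairs that allow a hop with a critical user."""
    return {(r["system"], r["destination"]) for r in check_store
            if r["comparison_value"] == "CRITICAL_USER_PROFILE"}


if __name__ == "__main__":
    for row in build_rfcdes_type_3_check(RFCDES_TYPE_3, TECHNICAL_SYSTEMS, AUTH_PROFILE_USER):
        print(row)
```

The TARGET_UNKNOWN rows deserve attention in practice: a destination whose target is not managed cannot be validated by this rule at all, so it neither appears as critical nor as clean.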

Critical RFC Destinations – RFC Output

Figure 162: Critical RFC Destinations – Report Output

The 0TPL_0SMD_VCA2_NCOMPL_CI_REF report shows all RFC destinations with critical
status. You can customize the critical user authorizations using the AUTH_PROFILE_USER
store (by default, users with the SAP_ALL profile are checked).

Users with Critical Authorizations – Config Stores in Configuration and Change Database

Figure 163: Config Store in Configuration and Change Database

Some of the authorization objects are as follows:

AUTH_CHECK_USER – The user authority check store

AUTH_PROFILE_USER – The user profile check store

AUTH_TRANSACTION_USER – The user transaction check store

Critical User Authorizations – Customizing Store Content

Figure 164: Critical User Authorizations – Customizing Store Content

In an SAP system, only the Internet Communication Framework (ICF) services that are actually
needed should be active; some services should not be active at all. For more information, refer
to the Secure Configuration SAP NetWeaver Application Server ABAP white paper
(https://websmp201.sap-ag.de/securitynotes; search under White Papers). The services
mentioned in the white paper are checked by these definitions.
The SICF_SERVICES Config Store of the managed systems contains only records for the
active services. The ICF_NAME of our Config Store is not a unique key. Therefore, we use the
Not exists operator for the URL key and not for the ICF_NAME. The content of the URL field
correlates to the content of the SICF SERVICE column of the white paper, section LIMIT
WEBENABLED CONTENT.
The Config Stores that contain security-related items are secured. The user needs additional
authorizations.
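Why the Not exists operator has to be keyed on the URL rather than on ICF_NAME is easiest to see with a small store in which one ICF_NAME occurs under two paths. The following Python is an added example, not Configuration Validation code: the SICF_SERVICES rows and the deny list are constructed stand-ins, and the real deny list is the SICF SERVICE column of the white paper, which is not reproduced here.

```python
"""Added example: the Configuration Validation 'Not exists' rule for ICF services,
keyed on the URL. Store rows and deny list are constructed for illustration."""
from __future__ import annotations

# Constructed SICF_SERVICES store: only active services are recorded, as (ICF_NAME, URL).
# The name 'ping' occurs twice under different URLs, so ICF_NAME is not a unique key.
SICF_SERVICES = [
    ("ping", "/sap/public/ping"),
    ("ping", "/sap/bc/ping"),
    ("webgui", "/sap/bc/gui/sap/its/webgui"),
    ("rfc", "/sap/bc/soap/rfc"),
]

# Constructed deny list: URLs that must not be active (illustrative, not the white paper's list).
MUST_NOT_EXIST_URLS = ["/sap/bc/soap/rfc", "/sap/bc/ping"]


def not_exists_by_url(store, deny_urls) -> list[tuple[str, str]]:
    """'Not exists' operator on the URL key: the (ICF_NAME, URL) rows that violate the rule.
    Because the store holds active services only, presence of a URL means it is active."""
    active_by_url = {url: name for name, url in store}
    return [(active_by_url[url], url) for url in deny_urls if url in active_by_url]


def not_exists_by_name(store, deny_names) -> list[tuple[str, str]]:
    """The same operator keyed on ICF_NAME, shown only to illustrate the wrong key:
    a non-unique name matches every service that shares it, including allowed ones."""
    return [(name, url) for name, url in store if name in deny_names]


def icf_name_is_unique(store) -> bool:
    """True if ICF_NAME could serve as a key for this store (it cannot for the sample)."""
    names = [name for name, _ in store]
    return len(names) == len(set(names))


if __name__ == "__main__":
    print("violations by URL:", not_exists_by_url(SICF_SERVICES, MUST_NOT_EXIST_URLS))
    print("matches by ICF_NAME 'ping':", not_exists_by_name(SICF_SERVICES, {"ping"}))
```

Keying on the URL flags exactly the two denied services; keying on ICF_NAME "ping" would also flag /sap/public/ping, which the deny list does not mention.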

Critical User Authorizations – Analysis of User Profiles

Figure 165: Critical User Authorizations – Analysis of User Profiles

To perform all Configuration Validation examples, it is most convenient to create a target
system up front. The AUTH_PROFILE_USER profile checks the stores in the target system
(reference) and defines that no user is allowed to have the SAP_ALL profile.

Critical User Authorizations – Analysis of User Authorizations

Figure 166: Critical User Authorizations – Analysis of User Authorizations

In the Critical User Authorization tool, navigate to the Technical Systems tab page. Select
System and display the stores that are relevant to critical user authorizations. Navigate to the
Customizing tab page and create a new Customizing variant. Insert the necessary user
profiles.
AUTH_CHECK_USER defines that only certain administration users are allowed to have debug
authorizations.

Critical User Authorizations – Analysis of User Transactions

Figure 167: Critical User Authorizations – Analysis of User Transactions

The AUTH_TRANSACTION_USER store (user transaction check store) in the target system
(reference) defines that only administration users are allowed to have authorizations for
transaction SM59. As a result, users who are not allowed to have authorizations to configure
RFC in system SD7 (compared system) can be found easily.

Use Case – Predefined Reports About Security Notes

Figure 168: Use Case – Predefined Reports About Security Notes

SAP provides predefined SAP reports. Some examples of predefined reports are as follows:

0SECNOTE – Validation of an SAP Note using online recommendations

0SPLVCHK – Validation of the Support Package level using the latest release

0PRDBLG – Reporting of the Production Backlog

0BADTRAN – Finding a failed transaction

0DEVBLG – Reporting of the development backlog

0LOCTRA – Reporting of the local transport

LESSON SUMMARY
You should now be able to:

Implement and check technical security recommendations using SAP Solution Manager

Unit 7

Learning Assessment

1. Which of the following tools does SAP recommend for use to identify security-related
notes that a customer should implement in their SAP system?
Choose the correct answer.

X A Note Assistant

X B Note Browser

X C RSECNOTE

X D Note Checker

X E None of the above.

2. SAP Solution Manager provides which tool to recommend SAP Notes that should be
considered for implementation in a customer's SAP system?
Choose the correct answer.

X A Configuration validation

X B RSECNOTE

X C Software Update Manager

X D System Recommendations

3. What is a Hot News SAP note?


Choose the correct answer.

X A A critical SAP note related to changes in legal requirements.

X B An important SAP Note in the Security category.

X C An important SAP Note in the performance category.

X D None of the above.

Unit 7: Learning Assessment

4. SAP Notes with priority 1 (Very High) and which can help with avoiding data loss or a
system crash are classified as which type of SAP Note?
Choose the correct answer.

X A Performance

X B Hot News

X C Legal Change

X D Security

Unit 7

Learning Assessment - Answers

1. Which of the following tools does SAP recommend for use to identify security-related
notes that a customer should implement in their SAP system?
Choose the correct answer.

X A Note Assistant

X B Note Browser

X C RSECNOTE

X D Note Checker

X E None of the above.

SAP recommends none of these tools.

2. SAP Solution Manager provides which tool to recommend SAP Notes that should be
considered for implementation in a customer's SAP system?
Choose the correct answer.

X A Configuration validation

X B RSECNOTE

X C Software Update Manager

X D System Recommendations

SAP Solution Manager provides the System Recommendations tool to recommend SAP
Notes.

3. What is a Hot News SAP note?


Choose the correct answer.

X A A critical SAP note related to changes in legal requirements.

X B An important SAP Note in the Security category.

X C An important SAP Note in the performance category.

X D None of the above.

A Hot News SAP note is none of these.

Unit 7: Learning Assessment - Answers

4. SAP Notes with priority 1 (Very High) and which can help with avoiding data loss or a
system crash are classified as which type of SAP Note?
Choose the correct answer.

X A Performance

X B Hot News

X C Legal Change

X D Security

Hot News
