SAP Basis SAP Security

SAP Security
Application layer
An SAP HANA system lives on its applications. When you develop these applications, you should think about securing them early. Using HTTPS instead of HTTP is one of the basics. In addition, ensure secure authentication and implement a Secure Software Development Lifecycle to safeguard your own developments. Start checking your applications for risks early on and repeat this check regularly. You can analyse and restrict access to source code later. Create a risk register and address security vulnerabilities in a risk-based manner. The later you discover a risk, the more expensive the fix will be. Further information on SAP Security in addition to the article can be found here. Do you have any further questions or suggestions concerning this topic? Would you like us to go further on the subject? I look forward to your feedback!

Customers with such a case regularly contact us. Creating an authorisation concept from the ground up is often a time-consuming task. Furthermore, the know-how is often lacking: which aspects an authorisation concept should cover, and how the corresponding processes can be made practical and at the same time audit-proof.

Our solution: tool-based generation of an individual, written authorisation concept

In this situation, we have recommended to our customers the tool-based generation of a written authorisation concept directly from the SAP system. We use the XAMS Security Architect tool, with which we have had good experiences. This includes a template for a revision-proof and comprehensible, written authorisation concept. It includes established best practices for role and entitlement management. The template covers all relevant areas of an authorisation concept. The included text of the authorisation concept is completely customisable, so that the concept can be tailored to your situation without creating an authorisation concept from scratch.

Dynamically update the written authorisation concept

One of the biggest challenges after the development of an authorisation concept is to keep it up to date in the long term and to measure its sustained implementation in the system. This is achieved by integrating live data such as configuration settings and defined rules directly from the connected system. For example, lists of existing roles or user groups and tables are read from the system each time the document is generated and updated in the authorisation concept. The following screenshot shows an example of what the appearance in the concept document might look like.

Automatically check and monitor compliance with the concept

To check compliance with the concept, the XAMS Security Architect includes extensive inspection tools. These cover the rules formulated in the concept and are suitable for measuring the extent to which the reality in the system meets the requirements formulated in the concept.

SAP PI(XI)
If regulations for the standardisation of SAP systems or tasks and procedures are in place, they must also be consistently complied with and their compliance must also be verified. In case of non-compliance, for example due to project influences or technological problems, the exception must be returned to the standard in a timely manner. Resources must be made available for this.

Examples of names are: SAP Cross-Application, SAP Innovation & Technology, SAP Services & Innovation, SAP Operations & Innovation or SAP Service Provider & Business Innovator.

DESCRIPTION OF OWN PERFORMANCE AND SERVICE PORTFOLIO

In order to be consulted by upstream or downstream entities, it is necessary to provide a detailed and understandable description of your service portfolio. This means that it can be explicitly stated in which cases the SAP Basis needs to be contacted and involved in order to make the necessary decisions and not jeopardise the success of a project or of the company. In addition to the range of tasks covered by the SAP Basis, it is also necessary to specify for which tasks and topics the SAP Basis is not responsible. This recommendation is to be considered universal and applies to all IT departments, so that they can be clearly distinguished from one another and the performance of their own IT organisation is documented.

DESIGN AND ESTABLISH INTERNAL MARKETING

Building on the recommendation [A3], it is recommended to design and establish internal marketing. The aim is to provide a transparent picture of the activities that are carried out for the company's success and that are not visible to everyone.



Use Transaction OSSordering the desired support packages in the SAPNet - R/3 frontend.