SAP Basis Use of Secure Network Communication

Use of Secure Network Communication
Highest availability & performance
In this article on SAP Security Automation I would like to take a look at the future of automated processes in the SAP security area. For many companies, security automation still offers a lot of potential for saving time and optimising processes. Our daily work includes numerous tasks that could be handled very well automatically. For this reason, I present two of the possibilities that already exist in the broad area of security automation.

Security Automation via SAP Security Check

The first option for security automation that I want to introduce here is the automatic verification of existing permissions. Have you ever wondered who has critical permissions in your SAP system? And have you ever tried to find out by hand? Depending on the expertise and experience of the permission administrator, this is time-consuming work. If an audit is also announced and the SAP system is to be checked for critical permissions and segregation of duties, it is very difficult to meet all requirements and secure the authorization landscape in this respect.

For this reason, various vendors provide tools that automate the check of the permission system for critical permissions and segregation of duties. This allows permission administrators to spend their valuable time correcting errors rather than just looking for them. For example, we use a tool that runs through the verification of over 250 rules. We then get an evaluation of which rules are violated and which points are correct.

A simple example of such a rule is the use of the SAP_ALL profile. Another is granting the jump permission in debugging (authorization object S_DEVELOP with field ACTVT = 02). These are two relatively simple examples from the rulebook of security check tools. In addition, queries from the field of segregation of duties are also run.
Using this tool allowed us to move from manual validation of critical permissions to an automatic process.
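The two rules named above can be evaluated over an exported authorization extract roughly as follows. This is an added example, not the code of the tool the article mentions; the rule IDs, user names and the data layout are constructed assumptions. It goes slightly beyond the text by also matching wildcard and range values, which a literal comparison against "02" would miss.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str        # hypothetical id, not taken from any product
    profile: str = ""   # flag users who hold this profile ...
    obj: str = ""       # ... or this authorization object,
    field: str = ""     # field
    value: str = ""     # and critical value

RULES = [
    Rule("R001", profile="SAP_ALL"),
    Rule("R002", obj="S_DEVELOP", field="ACTVT", value="02"),
]

# Constructed sample extract: profiles per user, and stored field values per
# (user, object, field) as (low, high) pairs; high is empty for single values.
PROFILES = {"U_ADMIN": ["SAP_ALL"], "U_DEV": ["Z_DEV"], "U_VIEW": ["Z_DISPLAY"]}
AUTHS = {
    ("U_DEV", "S_DEVELOP", "ACTVT"): [("02", ""), ("03", "")],  # explicit value
    ("U_VIEW", "S_DEVELOP", "ACTVT"): [("03", "")],             # display only
    ("U_WILD", "S_DEVELOP", "ACTVT"): [("*", "")],              # full wildcard
    ("U_RANGE", "S_DEVELOP", "ACTVT"): [("01", "03")],          # range 01..03
}

def covers(low, high, wanted):
    """True if one stored value (single, '*' pattern or range) grants wanted."""
    if high:                                  # range: low <= wanted <= high
        return low <= wanted <= high
    if low.endswith("*"):                     # pattern: prefix match
        return wanted.startswith(low[:-1])
    return low == wanted

def violates(rule, user, profiles, auths):
    if rule.profile:
        return rule.profile in profiles.get(user, [])
    stored = auths.get((user, rule.obj, rule.field), [])
    return any(covers(lo, hi, rule.value) for lo, hi in stored)

def run_checks(rules, profiles, auths):
    """Return {rule_id: sorted list of users violating the rule}."""
    users = set(profiles) | {u for u, _, _ in auths}
    return {r.rule_id: sorted(u for u in users if violates(r, u, profiles, auths))
            for r in rules}

if __name__ == "__main__":
    for rule_id, hits in run_checks(RULES, PROFILES, AUTHS).items():
        print(rule_id, hits)
```

U_ADMIN is reported only under the SAP_ALL rule because the constructed extract lists explicit field values only; the profile rule is what catches that user.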

He has already gathered a lot of helpful information from the day-to-day business in his department: Johannes knows the RFC interfaces and the corresponding technical RFC users from his work with the applications. He also quickly got the password for various RFC users via the radio ("As long as passwords are only communicated by phone and never exchanged in writing, we are clean!"). And it is no longer a secret that the RFC users are generously authorized even in productive systems ("Better to have more permissions than too few; the RFC connections have to run, otherwise there is trouble from the specialist areas!"). Since Johannes has access to transaction SE37 as a developer, it is not a problem for him to get the necessary access using the function module BAPI_USER_CHANGE, disguised as an RFC user. In short, he changes the user type of a technical RFC user in a production system from to by calling the function module.

You implement - we support!
The application layer is the central component of the SAP R/3 system. This layer is therefore also referred to by SAP as the actual basis system. Within the layer there are application servers and a message server.

With the function module SWNC_COLLECTOR_GET_AGGREGATES one can determine the most important SAP Basis transactions. After all, each SAP Basis expert sees different transactions as important.


Which miner is right now? The solution is to divide the consensus into time blocks, in which a miner is randomly selected, and then determine which transaction it has selected as the consensus during this block.



They have the opportunity to clarify individual issues and to determine the focus of the security check.