High Availability ( HA/DR ) concepts
SARE Archive Explorer
In this article on SAP Security Automation I would like to take a look at the future of automated processes in the SAP Security area. For many companies, the topic of security automation still offers a lot of potential in terms of time savings and process optimisation. Our daily work environment offers numerous tasks that could be handled excellently automatically. For this reason, in this article I present two of the possibilities that already exist in the broad area of security automation. Security Automation via SAP Security Check The first option of Security Automation, which I want to introduce here, is the automatic verification of the existing permissions. Have you ever wondered who has critical permissions in your SAP system? And have you ever tried to do this by hand? Depending on the level of expertise and experience of the privilege administrator, this is a time-consuming work. If an audit is also announced and the SAP system is to be checked for critical permissions and segregation of duties, then it is very difficult to meet all requirements and secure the eligibility landscape in this respect. For this reason, various vendors provide solutions to automate the verification of the permission system with regard to critical permissions and segregation of duties using tool support. This allows permission administrators to use their valuable time to correct the errors rather than just looking for them. For example, we use a tool that runs through the verification of over 250 rules. We then get an evaluation of which rules are violated and which points are correct. A simple example of such rules is the use of the SAP_ALL profile. Another would be to grant the jump permission in debugging (S_DEVELOP permission object with the ACTVT = 02 field). These are two relatively simple examples of Security Check tools' rulebook. In addition, queries are also made, which are located in the field of Segregation of Duties. Using this tool allowed us to move from manual validation of critical permissions to an automatic process.
The SAP Basis & Technology department deals intensively with SAP technologies and their application. The possibilities and limits are investigated and corresponding specifications and tools are developed in order to use the technologies profitably. The results and findings are made available to the other alogis areas and implemented in real-life customer projects.
Analysis and reflection of the existing system configuration
This makes the technical user the dialogue user and a login in the SAP system is unrestricted. So Johannes logs in with the known password of the RFC user in the production system. Thanks to very extensive permissions, it now has access to all sorts of critical tables, transactions, and programmes in production. With the identity of the RFC user Johannes starts with the technical compromise of the production system... RFC Security: All invented - or everyday threat? Whether a simple trim, altered biometric properties or an encapsulated technical user in the SAP system: the basis of the compromise is the same. A person uses a different identity to gain access and permissions to protected areas. Moreover, the evil in all three stories could have been prevented by pro-activity. When was the last time you thought about the security of your RFC interfaces? Can you say with certainty that all your technical RFC users only have the permissions they actually need? And do you know who exactly knows the passwords of these users? Can you 100% rule out that not now in this moment an SAP user with a false identity infiltrates your production systems? Change now: It's about pro activity! But before you start now and start looking for the "identity converter" (which I really do not recommend!), I suggest that you take root of evil and proactively strengthen your RFC security. So if you want to find out more, I have the following 3 tips for you: 1) Our e-book about SAP RFC interfaces 2) Clean up our free webinar about RFC interfaces 3) Blog post about our approach to optimising RFC interfaces As always, I look forward to your feedback and comments directly below these lines!
Parameters in the SAP create a high degree of flexibility. Profiles can be used to configure the system for almost any purpose. But with such a large number of parameters one quickly loses an overview of the influence of each parameter. For storage management alone, there are 20 different parameters that can be changed at different points in the SAP system. This article brings order to the mess and explains the most important parameters. There are three types of memory in the SAP system for a work process: ・ Roll Area - Local Memory Area for a Work Process ・ Extended Memory - Global Memory Area for All Work Processes ・ Private Storage /Dynamic Memory (Private Memory/Heap Memory) - Private Memory Overview of SAP System Memory Regions Parameters for the Rolling Range When a user starts a programme, a role area is created for that programme instance through a workprocess. The user context is stored in this memory area. The size of the roll area for a work process is determined by the ztta/roll_first parameter. If the storage area is not sufficient, a portion of the Advanced Memory will be allocated for the user context, the size of which will be determined by ztta/roll_extension, ztta/roll_extension_dia, and ztta/roll_extension_nondia. The latter two override ztta/roll_extension if used and offer the possibility to set different quotas for dialogue and non-dialogue work processes.
With "Shortcut for SAP Systems" a tool is available that greatly facilitates some tasks in the SAP basis.
Check Tool.
In this case, attention should be paid to an individual authorisation.