
SAP Note

Header Data

Number: 696478 - SAP Security Optimization: Preparation & additional info

Version: 34

Validity: 20.12.2012 - active

Language: English

Released On: 21.12.2012 02:08:16

Release Status: Released for Customer

Component: SV-SMG-SER SAP Support Services

Other Components: SV-SMG-SDD Service Data Download

Priority: Recommendations / Additional Info

Category: Installation information

Symptom

- You want to carry out preparatory work for executing the SAP Security Optimization service on a customer system. For this, you require one of the latest versions of the ST-A/PI plug-in and a special authorization.

- In transaction ST14, you are unable to start the download modules for the SAP Security Optimization service, or the only result you receive is a single check entitled "Not authorized!", check ID 0000, with the result line "User XXXX is not authorized to run SAP Security Optimization".

- You want to use transaction ST14 to view the data determined for the SAP Security Optimization locally on your system in order to gain an overview of your system settings.

Other Terms

Security Optimization, CQC Security Optimization, Guided Self Service, Self Service, SEC, SEC_SELF

Reason and Prerequisites

You want to use the SAP Security Optimization service to check the security of your SAP system.

Solution

Installing the current ST-A/PI plug-in

To fully execute the SAP Security Optimization service, you require the plug-in ST-A/PI. Release prerequisite:

- Version 01N* in combination with SAP Notes 1608969 and 1793404, or

- Version 01N* with Support Package 1 and SAP Notes 1664250 and 1793404, or

- Version 01P in combination with SAP Note 1793404, or higher.

(The asterisk stands for the letter identifying the SAP application; since there is only ever one ST-A/PI per SAP system, the version is unambiguous.) The plug-in is available on SAP Service Marketplace at http://service.sap.com/supporttools

Setting up and granting the required authorization

To start the Security Optimization data collector in transaction ST14, you require the following authorizations:

- S_TCODE with the value ST14, and S_ADMI_FCD with the values ST0R and AUDD.

- S_PTCH_ADM with the value SECURITY-CHECK for the field COMPONENT and 02 for the field ACTVT. An authorization for this object with the value * in both fields is not sufficient. The field TABLE is not checked and can therefore contain any value.

- S_RZL_ADM with the value 03 for the field ACTVT; this is required during the data collection.

- S_BTCH_JOB with the value RELE for the field JOBACTION, to schedule the data collector job in the background. To display the scheduled job, the values PROT and SHOW are also required for the field JOBACTION. Alternatively, the background job can be authorized by a sufficiently authorized user.

ST-PI 2008_1 Support Package 08 delivers an updated role SAP_SECURITY_OPTIMIZATION. The attachment to this SAP Note contains a pre-release of this role as Z_SECURITY_OPTIMIZATION_3 in the customer namespace. You can use transaction PFCG to import this Z role. To do so, proceed in three steps:

- Import the role

- Define values for the profile (assign job group) and generate

- Assign users

The attachment also contains examples and detailed descriptions.
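As an added example (not code from SAP Note 696478, the ST-A/PI plug-in or the attached role), the following ABAP report checks, for the current user, each authorization object and value the note lists above, so that a missing authorization is named explicitly instead of ST14 only reporting "Not authorized!" (check ID 0000). The report name, the record_check macro and the lookup of explicit role values in AGR_1251 via AGR_USERS are assumptions of this example; it does not reproduce ST14's own check logic.

```abap
*&---------------------------------------------------------------------*
*& Report ZSECOPT_AUTH_PRECHECK (added example; name is an assumption)
*& Verifies the authorizations SAP Note 696478 lists for starting the
*& Security Optimization data collector in ST14 and for scheduling and
*& displaying its background job. Not part of the note or of ST-A/PI.
*&---------------------------------------------------------------------*
REPORT zsecopt_auth_precheck.

TYPES: BEGIN OF ty_result,
         object TYPE xuobject,
         detail TYPE c LENGTH 80,
         ok     TYPE abap_bool,
       END OF ty_result.

DATA: lt_results TYPE STANDARD TABLE OF ty_result,
      ls_result  TYPE ty_result,
      lv_rows    TYPE i.

* Records the outcome of the preceding AUTHORITY-CHECK (sy-subrc = 0: granted)
DEFINE record_check.
  CLEAR ls_result.
  ls_result-object = &1.
  ls_result-detail = &2.
  ls_result-ok     = boolc( sy-subrc = 0 ).
  APPEND ls_result TO lt_results.
END-OF-DEFINITION.

* 1. Transaction start: S_TCODE, field TCD = ST14
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'ST14'.
record_check 'S_TCODE' 'TCD = ST14'.

* 2. S_ADMI_FCD with ST0R and AUDD (each value must be granted)
AUTHORITY-CHECK OBJECT 'S_ADMI_FCD' ID 'S_ADMI_FCD' FIELD 'ST0R'.
record_check 'S_ADMI_FCD' 'S_ADMI_FCD = ST0R'.
AUTHORITY-CHECK OBJECT 'S_ADMI_FCD' ID 'S_ADMI_FCD' FIELD 'AUDD'.
record_check 'S_ADMI_FCD' 'S_ADMI_FCD = AUDD'.

* 3. S_PTCH_ADM: COMPONENT = SECURITY-CHECK, ACTVT = 02; TABLE is not checked
AUTHORITY-CHECK OBJECT 'S_PTCH_ADM'
  ID 'COMPONENT' FIELD 'SECURITY-CHECK'
  ID 'ACTVT'     FIELD '02'
  ID 'TABLE'     DUMMY.
record_check 'S_PTCH_ADM' 'COMPONENT = SECURITY-CHECK, ACTVT = 02'.

* 4. S_RZL_ADM, ACTVT = 03 (needed during data collection)
AUTHORITY-CHECK OBJECT 'S_RZL_ADM' ID 'ACTVT' FIELD '03'.
record_check 'S_RZL_ADM' 'ACTVT = 03'.

* 5. S_BTCH_JOB: RELE to schedule the job, PROT and SHOW to display it.
*    JOBGROUP is left to the role's own value (DUMMY); the job group is
*    assigned when the role profile is generated (second PFCG step above).
AUTHORITY-CHECK OBJECT 'S_BTCH_JOB' ID 'JOBACTION' FIELD 'RELE' ID 'JOBGROUP' DUMMY.
record_check 'S_BTCH_JOB' 'JOBACTION = RELE'.
AUTHORITY-CHECK OBJECT 'S_BTCH_JOB' ID 'JOBACTION' FIELD 'PROT' ID 'JOBGROUP' DUMMY.
record_check 'S_BTCH_JOB' 'JOBACTION = PROT'.
AUTHORITY-CHECK OBJECT 'S_BTCH_JOB' ID 'JOBACTION' FIELD 'SHOW' ID 'JOBGROUP' DUMMY.
record_check 'S_BTCH_JOB' 'JOBACTION = SHOW'.

* Caveat: AUTHORITY-CHECK also succeeds when the user's S_PTCH_ADM
* authorization carries '*' in COMPONENT and ACTVT, which ST14 rejects.
* To catch that case, look for an explicit SECURITY-CHECK value in the
* role data of the user's assigned roles (assumption: roles, not directly
* assigned profiles, carry the authorization).
SELECT COUNT( * ) FROM agr_1251 AS a
  INNER JOIN agr_users AS u ON u~agr_name = a~agr_name
  INTO lv_rows
  WHERE u~uname   = sy-uname
    AND a~object  = 'S_PTCH_ADM'
    AND a~field   = 'COMPONENT'
    AND a~low     = 'SECURITY-CHECK'
    AND a~deleted = space.
IF lv_rows = 0.
  CLEAR ls_result.
  ls_result-object = 'S_PTCH_ADM'.
  ls_result-detail = 'no explicit COMPONENT = SECURITY-CHECK in assigned roles'.
  ls_result-ok     = abap_false.
  APPEND ls_result TO lt_results.
ENDIF.

* One line per check, naming the object and value that is missing
LOOP AT lt_results INTO ls_result.
  IF ls_result-ok = abap_true.
    WRITE: / 'OK     ', ls_result-object, ls_result-detail.
  ELSE.
    WRITE: / 'MISSING', ls_result-object, ls_result-detail.
  ENDIF.
ENDLOOP.
```

Run the report as the user who will schedule the collector; every line marked MISSING corresponds to a value to add to the role before the ST14 job is released. The AGR_1251 lookup only covers role-based assignments, so a user authorized through a directly assigned profile will show a MISSING line for the explicit-value check even though ST14 may accept the authorization.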

Scheduling the data collection

Call transaction ST14 and select the Security Optimization area. Choose Schedule Job to access the Schedule Analysis dialog box. First assign a name and then select a client even though the data is basically collected for all existing clients. The specification for the period is irrelevant for carrying out the Security Optimization service since this service carries out a key date evaluation for the current period. The proposed time interval does not have to be changed. The data area contains the following parameters for controlling the data collection:

- BS List personal data (N/Y)

- BS List profiles (N/Y)

- BS User for SAPNet R/3 Frontend [Default: current user]

- BS Skip Address Check 0006 (N/Y)

- BS Threshold percentage [Default: 80]

Of these parameters, only BS User for SAPNet R/3 Frontend requires an entry, and only if Checks for SAP WebAS System is selected in the Analysis scope described below. In that case the attribute is prefixed by a symbol, and the required entry is checked (where necessary, a dialog box reminds you of this). For the other parameters, the value N is preset up to Release 01L*, and 80 is preset for BS Threshold percentage. You select the parameter in the Choose doc/obj type column and enter the value in the Document no./object column. The + button offers eight entry lines instead of two and then becomes the - button. After the parameters are entered, the Next Page and Previous Page buttons are displayed to aid navigation in the list.

The parameters have the following effect:

BS List personal data = Y adds the complete names of the listed users to the output lists.

BS List profiles = Y adds the profiles that contain the critical authorizations of the relevant users to the output lists.

BS User for SAPNet R/3 Frontend holds the user who can open the connection to SAPNet; this parameter is assigned multiple times.

BS Skip Address Check 0006 = Y skips the check performed in check 0006 for fully maintained address data of all users, which can multiply the data collection runtime in large systems.

BS Threshold percentage = 70 (for example) displays in check 0023 all users who have * authorization for at least 70% of all authorization objects. 80% is the default setting, as mentioned above.

The following changes have been introduced with regard to the parameters in Release 01M* SP00:

- BS List personal data (N/Y) [Default: Y]: The default value of this parameter has been set to Y. The complete names of the listed users are added to the output lists without this having to be set separately.

- BS List profiles (N/Y) [Default: Y]: The default value of this parameter has been set to Y. The profiles that contain the critical authorizations of the respective users are added to the output lists without this having to be set separately.

- BS Skip Address Check 0006 (N/Y) [Default: Y]: Unless this parameter is changed explicitly, the check for fully maintained address data of all users is omitted.

As Analysis scope, you can select the following components for the Security & Basis checks in releases up to Release 01L*:

- Checks for SAP WebAS System

- Checks for ITS Backend System

- Checks for ITS Monitoring System

- Checks for J2EE Backend System

Checks for SAP WebAS System contains all checks that are carried out in the ABAP stack. This also applies to Basis releases lower than 6.10 (for example, Release 4.6C); in this case, Checks for ITS Backend System checks the authorizations in the system accessed via the external ITS. Checks for ITS Monitoring System only delivers results if CCMS monitoring is set up in the system in question (transaction RZ20); the setup is described in Notes 418285, 390549 and 371023, which are attached to this note. Selecting Checks for J2EE Backend System is only worthwhile if you access the ABAP stack of a WebAS from a J2EE engine.

As of Release 01M* SP00, there are only two components for the analysis scope of the Security Optimization:

- SAP NetWeaver Application Server - ABAP corresponds to "Checks for SAP WebAS System"

- J2EE Backend System (Remote Service) corresponds to "Checks for J2EE Backend System"

Lastly, the Schedule job button starts the data collection job, either immediately or at the start time entered.

Local viewing of data collected

After the data is collected, which may take several hours (depending on the information required and the size of the system), you can also view the collected information in transaction ST14 under the menu option Utilities -> Analysis browser. Unlike the final report that is output, these lists contain all users (except the SAP_ALL users) who have critical authorizations in the relevant checks. After you select an analysis, you can use the View data button to access the hierarchy display. The node ABS - GENERIC_KF contains the check numbers that appear in parentheses in the final report; behind each of them you can expand the complete list.

Including customer-specific authorization checks in the R/3 area

As of the ST-A/PI 01F* plug-in, you can also include customer-specific authorization checks in the Security Optimization Service (executed remotely). These must be defined before starting the ST14 analysis. The exact procedure is described in Note 837490.

Validity

This document is not restricted to a software component or software component version

References

This document refers to:

SAP Notes

1016166   SAP Security Optimization: Error in ST14 data collection
1453653   Security Optimization Service: Display of all users
1489613   EWA: "Default Passwords of Standard Users" is unrated
1522373   ST-PI role SAP_SECURITY_OPTIMIZATION
1663259   New Procedure: SAP Security Optimization Self Service
1800234   Activate protected RFC usage of /SDF/EWA_GET_PARAMETER_DATA
371023    OS07/ST06: Monitoring operating system data
418285    Installation of the ITS-Plugin for the CCMS Agent
837490    Execution of the security optimization self-service
967938    Security Optimization Self-Service: SDCC download

This document is referenced by:

SAP Notes (11)

1800234   Activate protected RFC usage of /SDF/EWA_GET_PARAMETER_DATA
1663259   New Procedure: SAP Security Optimization Self Service
967938    Security Optimization Self-Service: SDCC download
1489613   EWA: "Default Passwords of Standard Users" is unrated
1484124   Guided Security Optimization Self Service - Prerequisites
837490    Execution of the security optimization self-service
1016166   SAP Security Optimization: Error in ST14 data collection
1522373   ST-PI role SAP_SECURITY_OPTIMIZATION
1453653   Security Optimization Service: Display of all users
418285    Installation of the ITS-Plugin for the CCMS Agent
371023    OS07/ST06: Monitoring operating system data

Attachments

File Name                       File Size (KB)   Mime Type
Z_SECURITY_OPTIMIZATION_3.zip   130              application/x-zip-compressed