SAP Note 696478 - SAP Security Optimization: Preparation & additional info

Header Data
Version 34  Validity: 20.12.2012 - active  Language: English
Released On: 21.12.2012 02:08:16
Release Status: Released for Customer
Component: SV-SMG-SER SAP Support Services
Other Components: SV-SMG-SDD Service Data Download
Priority: Recommendations / Additional Info
Category: Installation information

Symptom
- You want to carry out preparatory work for executing the SAP Security Optimization service on a customer system. For this, you require one of the latest versions of the ST-A/PI plug-in and a special authorization.
- In transaction ST14, you cannot start the download modules for the SAP Security Optimization service, or the only result you receive is a single check entitled "Not authorized!" with check ID 0000 and the result line "User XXXX is not authorized to run SAP Security Optimization".
- You want to use transaction ST14 to view the data determined for the SAP Security Optimization locally on your system, to gain an overview of your system settings.

Other Terms
Security Optimization, CQC Security Optimization, Guided Self Service, Self Service, SEC, SEC_SELF

Reason and Prerequisites
You want to use the SAP Security Optimization service to check the security of your SAP system.

Solution

Installing the current ST-A/PI plug-in
To execute the SAP Security Optimization service in full, you require the ST-A/PI plug-in. Release prerequisite: one of
- Version 01N* together with SAP Notes 1608969 and 1793404, or
- Version 01N* with Support Package 1 together with SAP Notes 1664250 and 1793404, or
- Version 01P together with SAP Note 1793404,
- or a higher version.
(The asterisk stands for the suffix that identifies the SAP application the plug-in version belongs to. There is only ever one ST-A/PI per SAP system, so the suffix is unambiguous.) The plug-in is available on SAP Service Marketplace at http://service.sap.com/supporttools

Setting up and granting the required authorization
To start the Security Optimization data collector in transaction ST14, you require, in addition to authorization object S_TCODE with value ST14 and S_ADMI_FCD with values ST0R and AUDD, an authorization for object S_PTCH_ADM with value SECURITY-CHECK in field COMPONENT and 02 in field ACTVT. An authorization for this object with * in both fields is not sufficient; a profile such as SAP_ALL, which grants * in these fields, therefore does not pass this check on its own. The TABLE field is not checked and can contain any value. During the data collection, authorization object S_RZL_ADM with value 03 in field ACTVT is also required.

To schedule the data collector job in the background, you require authorization object S_BTCH_JOB with value RELE in field JOBACTION. To display the scheduled job, the values PROT and SHOW are also required in field JOBACTION. Alternatively, the background job can be released by a sufficiently authorized user.

ST-PI 2008_1 Support Package 08 delivers an updated role SAP_SECURITY_OPTIMIZATION. The attachment to this SAP Note contains a pre-release of that SAP role as role Z_SECURITY_OPTIMIZATION_3 in the customer namespace. You can import this Z role with transaction PFCG in three steps:
- Import the role
- Define values for the profile (assign the job group) and generate it
- Assign users
The attachment also contains examples and detailed descriptions.
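The authorization list above can be checked offline before anyone opens ST14. The following script is an added example, not code from SAP or from this note: it encodes the checks the note lists (one entry per implied AUTHORITY-CHECK, with the note's rule that * does not satisfy S_PTCH_ADM) and evaluates them against a user's authorization values. The data shape (one dict per authorization instance, each field holding (LOW, HIGH) pairs, as you might export from AGR_1251 or SUIM) and the two sample users are constructed assumptions.

```python
"""Offline pre-flight check of the ST14 Security Optimization authorizations.

Added example; not code from SAP or from SAP Note 696478. The export format
(dict per authorization instance, fields as (LOW, HIGH) pairs) and the sample
users are constructed assumptions.
"""

# One entry per AUTHORITY-CHECK the note implies:
# (object, {field: required value}, exact_only).
# exact_only=True models the note's rule for S_PTCH_ADM: only the literal
# values count and '*' is not sufficient. TABLE is not checked, so it is omitted.
CHECKS_TO_START = [
    ("S_TCODE", {"TCD": "ST14"}, False),
    ("S_ADMI_FCD", {"S_ADMI_FCD": "ST0R"}, False),
    ("S_ADMI_FCD", {"S_ADMI_FCD": "AUDD"}, False),
    ("S_PTCH_ADM", {"COMPONENT": "SECURITY-CHECK", "ACTVT": "02"}, True),
    ("S_RZL_ADM", {"ACTVT": "03"}, False),
]
CHECKS_TO_SCHEDULE = [("S_BTCH_JOB", {"JOBACTION": "RELE"}, False)]
CHECKS_TO_DISPLAY_JOB = [
    ("S_BTCH_JOB", {"JOBACTION": "PROT"}, False),
    ("S_BTCH_JOB", {"JOBACTION": "SHOW"}, False),
]


def value_granted(low, high, needed, exact_only=False):
    """Does one authorization value (LOW, HIGH) grant `needed`?

    Normal SAP semantics: '*' grants everything, a trailing '*' is a prefix
    wildcard, a non-empty HIGH makes LOW..HIGH a range, otherwise LOW must
    match exactly. With exact_only only the literal single value counts.
    """
    if exact_only:
        return low == needed and not high
    if high:
        return low <= needed <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return needed.startswith(low[:-1])
    return low == needed


def check_passes(auths, obj, needed_fields, exact_only=False):
    """Like AUTHORITY-CHECK: a single authorization instance of `obj` must grant
    every required field at once; values spread over two instances do not count."""
    for inst in auths:
        if inst["object"] != obj:
            continue
        if all(
            any(value_granted(low, high, needed, exact_only)
                for low, high in inst["fields"].get(field, []))
            for field, needed in needed_fields.items()
        ):
            return True
    return False


def failed_checks(auths, checks):
    """Return the (object, required fields) pairs the user does not satisfy."""
    return [(obj, needed) for obj, needed, exact in checks
            if not check_passes(auths, obj, needed, exact)]


def st14_preflight(auths):
    """Summarise what the user can do in ST14 for Security Optimization."""
    return {
        "start_collector": failed_checks(auths, CHECKS_TO_START),
        "schedule_job": failed_checks(auths, CHECKS_TO_SCHEDULE),
        "display_job": failed_checks(auths, CHECKS_TO_DISPLAY_JOB),
    }


# Constructed sample: a SAP_ALL-style administrator with '*' everywhere.
WILDCARD_ADMIN = [
    {"object": "S_TCODE", "fields": {"TCD": [("*", "")]}},
    {"object": "S_ADMI_FCD", "fields": {"S_ADMI_FCD": [("*", "")]}},
    {"object": "S_PTCH_ADM", "fields": {"COMPONENT": [("*", "")],
                                        "ACTVT": [("*", "")], "TABLE": [("*", "")]}},
    {"object": "S_RZL_ADM", "fields": {"ACTVT": [("*", "")]}},
    {"object": "S_BTCH_JOB", "fields": {"JOBACTION": [("*", "")], "JOBGROUP": [("*", "")]}},
]

# Constructed sample: a user with only the values the note names plus a
# hypothetical job group SECOPT (the real role content is in the attachment).
SECOPT_USER = [
    {"object": "S_TCODE", "fields": {"TCD": [("ST14", "")]}},
    {"object": "S_ADMI_FCD", "fields": {"S_ADMI_FCD": [("AUDD", ""), ("ST0R", "")]}},
    {"object": "S_PTCH_ADM", "fields": {"COMPONENT": [("SECURITY-CHECK", "")],
                                        "ACTVT": [("02", "")], "TABLE": [("*", "")]}},
    {"object": "S_RZL_ADM", "fields": {"ACTVT": [("03", "")]}},
    {"object": "S_BTCH_JOB", "fields": {"JOBACTION": [("RELE", "")], "JOBGROUP": [("SECOPT", "")]}},
]

if __name__ == "__main__":
    for name, auths in (("WILDCARD_ADMIN", WILDCARD_ADMIN), ("SECOPT_USER", SECOPT_USER)):
        print(name, st14_preflight(auths))
```

The wildcard administrator fails only the S_PTCH_ADM check, which is exactly the "Not authorized!" symptom described above; the minimal user can start and schedule the collector but, lacking PROT and SHOW, cannot display the job afterwards.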
Scheduling the data collection
Call transaction ST14 and select the Security Optimization area. Choose Schedule Job to open the Schedule Analysis dialog box. First assign a name and then select a client, even though the data is collected for all existing clients. The period specification is irrelevant for the Security Optimization service, because the service performs a key-date evaluation for the current period; the proposed time interval does not have to be changed. The data area contains the following parameters for controlling the data collection:
- BS List personal data (N/Y)
- BS List profiles (N/Y)
- BS User for SAPNet R/3 Frontend [Default: current user]
- BS Skip Address Check 0006 (N/Y)
- BS Threshold percentage [Default: 80]
Of these parameters, only BS User for SAPNet R/3 Frontend requires an entry, and only if Checks for SAP WebAS System is selected in the Analysis scope described below. For Checks for SAP WebAS System, this attribute is marked with a symbol; the required entry is then checked (where necessary, a dialog box reminds you of it). For the other parameters, the value N is preset up to Release 01L*, and BS Threshold percentage is preset to 80. You select the parameter in the Choose doc/obj type column and enter the value in the Document no./object column. The + button expands the list from two to eight entry lines and then becomes the - button. After the parameters are entered, the Next Page and Previous Page buttons are displayed to aid navigation in the list.

The parameters have the following effect:
- BS List personal data = Y adds the complete names of the listed users to the output lists.
- BS List profiles = Y adds the profiles that contain the critical authorizations of the relevant users to the output lists.
- BS User for SAPNet R/3 Frontend holds the user who can open the connection to SAPNet; this parameter is assigned multiple times.
- BS Skip Address Check 0006 = Y skips the check for fully maintained address data of all users performed in check 0006, which can multiply the data collection runtime in large systems.
- BS Threshold percentage = 70 (for example) displays in check 0023 all users who have * authorization for at least 70% of all authorization objects. As mentioned above, 80% is the default.

As of Release 01M* SP00, the following changes have been introduced with regard to the parameters:
- BS List personal data (N/Y) [Default: Y]: the default value of this parameter has been set to Y. The complete names of the listed users are added to the output lists without this having to be set separately.
- BS List profiles (N/Y) [Default: Y]: the default value of this parameter has been set to Y. The profiles that contain the critical authorizations of the respective users are added to the output lists without this having to be set separately.
- BS Skip Address Check 0006 (N/Y) [Default: Y]: unless you explicitly change this parameter, the check for fully maintained address data of all users is omitted.
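To see what BS Threshold percentage actually selects, the following added example (not SAP code, and not a reproduction of the real check 0023 logic) applies the rule as the note states it: a user is listed when an authorization instance with * in every field exists for at least the threshold percentage of all authorization objects. The authorization data shape, the ten-object universe standing in for the system's object list, and the three users are constructed.

```python
"""Apply the BS Threshold percentage rule of check 0023 offline.

Added example, not SAP code. Rule as stated in SAP Note 696478: list every
user holding '*' authorization for at least the threshold percentage of all
authorization objects (default 80). Data shape, object universe and users
are constructed assumptions.
"""


def fully_starred_objects(auths):
    """Objects for which the user has an instance whose every field is '*'."""
    starred = set()
    for inst in auths:
        fields = inst["fields"]
        if fields and all(any(low == "*" for low, _ in vals) for vals in fields.values()):
            starred.add(inst["object"])
    return starred


def star_percentage(auths, all_objects):
    """Share of `all_objects` (the system's authorization objects) fully starred."""
    starred = fully_starred_objects(auths) & set(all_objects)
    return 100.0 * len(starred) / len(all_objects)


def users_over_threshold(users, all_objects, threshold=80):
    """The users check 0023 would list for the given BS Threshold percentage."""
    return sorted(u for u, a in users.items()
                  if star_percentage(a, all_objects) >= threshold)


def star_instance(obj, *fields):
    """Build an authorization instance with '*' in every named field."""
    return {"object": obj, "fields": {f: [("*", "")] for f in fields}}


# Constructed: a ten-object universe standing in for the system's object list.
ALL_OBJECTS = ["S_TCODE", "S_ADMI_FCD", "S_PTCH_ADM", "S_RZL_ADM", "S_BTCH_JOB",
               "S_TABU_DIS", "S_DEVELOP", "S_RFC", "S_USER_GRP", "S_DATASET"]

_STAR_SET = [
    star_instance("S_TCODE", "TCD"),
    star_instance("S_ADMI_FCD", "S_ADMI_FCD"),
    star_instance("S_RZL_ADM", "ACTVT"),
    star_instance("S_BTCH_JOB", "JOBACTION", "JOBGROUP"),
    star_instance("S_TABU_DIS", "ACTVT", "DICBERCLS"),
    star_instance("S_RFC", "ACTVT", "RFC_NAME", "RFC_TYPE"),
    star_instance("S_USER_GRP", "ACTVT", "CLASS"),
    star_instance("S_DATASET", "ACTVT", "FILENAME", "PROGRAM"),
]

USERS = {
    # 8 of 10 objects starred; S_PTCH_ADM and S_DEVELOP are restricted -> 80 %
    "BASISADM": _STAR_SET + [
        {"object": "S_PTCH_ADM", "fields": {"COMPONENT": [("SECURITY-CHECK", "")],
                                            "ACTVT": [("02", "")], "TABLE": [("*", "")]}},
        {"object": "S_DEVELOP", "fields": {"DEVCLASS": [("Z*", "")], "OBJTYPE": [("*", "")],
                                           "OBJNAME": [("*", "")], "P_GROUP": [("*", "")],
                                           "ACTVT": [("*", "")]}},
    ],
    # every object starred -> 100 %
    "WIDEOPEN": _STAR_SET + [
        star_instance("S_PTCH_ADM", "COMPONENT", "ACTVT", "TABLE"),
        star_instance("S_DEVELOP", "DEVCLASS", "OBJTYPE", "OBJNAME", "P_GROUP", "ACTVT"),
    ],
    # only S_RZL_ADM starred -> 10 %
    "SECOPT": [{"object": "S_TCODE", "fields": {"TCD": [("ST14", "")]}},
               star_instance("S_RZL_ADM", "ACTVT")],
}

if __name__ == "__main__":
    for threshold in (80, 70, 90):
        print(threshold, users_over_threshold(USERS, ALL_OBJECTS, threshold))
```

Note that the comparison is "at least", so a user sitting exactly on the threshold (BASISADM at 80%) is listed with the default, and a prefix wildcard such as DEVCLASS = Z* does not count as a * authorization for the object.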
As Analysis scope, you can select the following components for the Security & Basis checks in releases up to Release 01L*:
- Checks for SAP WebAS System
- Checks for ITS Backend System
- Checks for ITS Monitoring System
- Checks for J2EE Backend System
Checks for SAP WebAS System contains all checks that are carried out in the ABAP stack. This also applies to Basis releases lower than 6.10 (for example, Release 4.6C); in this case, Checks for ITS Backend System checks the authorizations in the system accessed via the external ITS. Checks for ITS Monitoring System only delivers results if CCMS monitoring is set up in the system in question (transaction RZ20); the setup is described in Notes 418285, 390549 and 371023 attached to this note. Selecting Checks for J2EE Backend System is only worthwhile if you access the ABAP stack of a WebAS from a J2EE engine. As of Release 01M* SP00, there are only two components in the analysis scope of Security Optimization:
- SAP NetWeaver Application Server - ABAP, corresponding to "Checks for SAP WebAS System"
- J2EE Backend System (Remote Service), corresponding to "Checks for J2EE Backend System"
Lastly, the Schedule job button starts the data collection job, either immediately or at the start time entered.
Local viewing of data collected
After the data is collected, which may take several hours (depending on the information required and the size of the system), you can also view the collected information in transaction ST14 under the menu option Utilities -> Analysis Browser. Unlike the final report, these lists contain all users (except SAP_ALL users) who have critical authorizations in the relevant checks. After you select an analysis, choose View data to access the hierarchy display. The node ABS - GENERIC_KF contains the check numbers that appear in parentheses in the final report; under each of them you can expand the complete lists.
Including customer-specific authorization checks in the R/3 area
As of the ST-A/PI 01F* plug-in, you can also include customer-specific authorization checks in the Security Optimization Service (executed remotely). These must be defined before starting the ST14 analysis. The exact procedure is described in Note 837490.
Validity
This document is not restricted to a software component or software component version
References
This document refers to:
SAP Notes
1016166 SAP Security Optimization: Error in ST14 data collection
1453653 Security Optimization Service: Display of all users
1489613 EWA: "Default Passwords of Standard Users" is unrated
1522373 ST-PI role SAP_SECURITY_OPTIMIZATION
1663259 New Procedure: SAP Security Optimization Self Service
1800234 Activate protected RFC usage of /SDF/EWA_GET_PARAMETER_DATA
371023 OS07/ST06: Monitoring operating system data
418285 Installation of the ITS-Plugin for the CCMS Agent
837490 Execution of the security optimization self-service
967938 Security Optimization Self-Service: SDCC download

This document is referenced by:
SAP Notes (11)
1800234 Activate protected RFC usage of /SDF/EWA_GET_PARAMETER_DATA
1663259 New Procedure: SAP Security Optimization Self Service
967938 Security Optimization Self-Service: SDCC download
1489613 EWA: "Default Passwords of Standard Users" is unrated
1484124 Guided Security Optimization Self Service - Prerequisites
837490 Execution of the security optimization self-service
1016166 SAP Security Optimization: Error in ST14 data collection
1522373 ST-PI role SAP_SECURITY_OPTIMIZATION
1453653 Security Optimization Service: Display of all users
418285 Installation of the ITS-Plugin for the CCMS Agent
371023 OS07/ST06: Monitoring operating system data

Attachments
File Name                       File Size (KB)  Mime Type
Z_SECURITY_OPTIMIZATION_3.zip   130             application/x-zip-compressed