STANDARDISATION AND VIRTUALISATION
The typical tasks of system support and administration of an SAP landscape, regardless of whether it is 2-tier or multi-level, include the following
If you want to evaluate for which tables a logging takes place, the table DD09L is suitable for this. The column "Log" shows you for which tables changes are logged.
In order to drive innovation in the company, it is necessary to establish a team or a few experts whose recognised role is to promote research projects and PoCs, to continuously train themselves in this regard, to develop innovation proposals and to bring them into the committees. They are therefore largely excluded from operational operations. CONSTRUCTION OF A TEST LABORATORY In addition to resources, it is also necessary to create the framework conditions for the implementation of the research and pilot projects. To this end, it is recommended to set up a test laboratory with as few restrictions as possible on company standards. These are often so massive that a quick and effective implementation of pilot projects is severely hindered or completely prevented.
In this article on SAP Security Automation I would like to take a look at the future of automated processes in the SAP Security area. For many companies, the topic of security automation still offers a lot of potential in terms of time savings and process optimisation. Our daily work environment offers numerous tasks that could be handled excellently automatically. For this reason, in this article I present two of the possibilities that already exist in the broad area of security automation. Security Automation via SAP Security Check The first option of Security Automation, which I want to introduce here, is the automatic verification of the existing permissions. Have you ever wondered who has critical permissions in your SAP system? And have you ever tried to do this by hand? Depending on the level of expertise and experience of the privilege administrator, this is a time-consuming work. If an audit is also announced and the SAP system is to be checked for critical permissions and segregation of duties, then it is very difficult to meet all requirements and secure the eligibility landscape in this respect. For this reason, various vendors provide solutions to automate the verification of the permission system with regard to critical permissions and segregation of duties using tool support. This allows permission administrators to use their valuable time to correct the errors rather than just looking for them. For example, we use a tool that runs through the verification of over 250 rules. We then get an evaluation of which rules are violated and which points are correct. A simple example of such rules is the use of the SAP_ALL profile. Another would be to grant the jump permission in debugging (S_DEVELOP permission object with the ACTVT = 02 field). These are two relatively simple examples of Security Check tools' rulebook. In addition, queries are also made, which are located in the field of Segregation of Duties. Using this tool allowed us to move from manual validation of critical permissions to an automatic process.
To facilitate communication within IT departments, it is necessary to identify clear communication channels and contact persons and also to use uniform tools for communication. It would also be possible to designate contact points (contact points) for upstream and downstream IT departments and external service providers and suppliers.
Some missing SAP basic functions in the standard are supplied by the PC application "Shortcut for SAP Systems".
The implementing user also needs some permissions to perform the necessary manual pre- and post-processing of the note on the system: Authentication for the transaction SLG1 Read permission for the S_APPL_LOG permission to write and delete data from the application directory Upgrade the SAPCAR version on your system to version 7.20 or higher SAP basis version 700 or higher, for older versions the notice must be inserted manually If you have met these requirements, you can use the implementation of note 24080 Start 73.
In practice, it is quite possible that the target specifications defined in the security concept do not match the current actual status.