Technical implementation and typical tools in the SAP Basis environment
Creating a basis for the SAP landscape
The database layer is used to store all company data and consists of the database management system (DBMS) and the data itself. In every NetWeaver system there is a database server on which the SAP database is located. It provides all other applications with the necessary data. The data is not only data tables, but also applications, system control tables and user data. All basic components ensure that the user has fast and reliable access to this data.
In addition to scanning and identifying the respective security vulnerabilities of a program, it is also possible to stop tasks that are to be transported to other SAP systems with security vulnerabilities in the further transport process This applies, for example, to the CHARM process based on SAP Solution Manager. This forces a programmer to securely check the programs he or she is responsible for according to the same security criteria. If a program then still has security problems, it can either be released via the dual control principle or returned for further processing. Do you know of any other solutions for improving ABAP code security or have you already gained experience with the products mentioned above? I look forward to your comments!
Technical changes
In transaction PFUD (see image above), you can perform the user match manually for all roles (or selected roles). You can choose between the matchup types Profile Matchup, Matchup of Indirect Assignments from Composite Roles, and Matchup HR Organizational Management. According to SAP documentation, the matchups differ as follows: Profile Matchup: "The program compares the currently valid user assignments of the selected single roles with the assignments of the associated generated profiles and makes any necessary adjustments to the profile assignments. Matching indirect assignments from composite roles: User assignments to composite roles result in indirect assignments for the single roles contained in the composite role. This match type matches the indirect assignments of the selected single roles to the user assignments of all composite roles that contain the single roles. If the selection set contains composite roles, the comparison takes place for all single roles contained in it. HR Organizational Management comparison: This comparison type updates the indirect assignments of all selected single and composite roles that are linked to elements of HR Organizational Management. The HR adjustment is inactive and cannot be selected if no active plan version exists or if a global deactivation has been made by setting the Customizing switch HR_ORG_ACTIVE = NO in table PRGN_CUST. Furthermore, the option "Perform cleanup" is interesting, which can be selected independently of the three adjustment types and does not refer to the role selection. The Perform Cleanup function can be used to remove residual data that resulted from incomplete deletion of roles and the associated generated profiles.
Especially after security incidents it may be necessary to find out which (technical) users have logged in at which time. The USR02 table provides a first entry point. In the TRDAT column you can find the last login date for the user you want. However, a history of previous applications is not found in this table. In such cases, the Security Auditlog or SAL helps. Preparation In order to access the desired data, it must also have been saved previously. In the Security Auditlog, you can use various filters to determine which users are logged on which client and which information. The Security Auditlog stores, depending on configuration, logins, RFC calls, and other actions for specific users. You can make these settings in the SM19 transaction. Note: Logging user activity must be aware of the users concerned! Configure the SAL only for technical users or in consultation with users / works council / etc. It can be seen there among other things when the SAL was activated and last edited (1). You can also select the various filters (2), activate the filters individually (3), specify clients and users (4) and specify which activities are logged (5). Static configuration in the SM19 Under the Dynamic Configuration you can also see if SAL is currently active for the system. Determine the status of the SAL Evaluation of the SAL If the Security Audit Log is active, switch to the SM20 evaluation of the Security Audit Log. Select the desired user and client and the appropriate time window. The option Dialogues login is sufficient for the login. Then, restart the AuditLog analysis. Start evaluation You will get an overview of the user's login to the selected client of the system.
"Shortcut for SAP Systems" simplifies tasks in the area of the SAP basis and complements missing functions of the standard.
It is necessary to participate regularly in information events organised by SAP, DSAG and also by third parties and to obtain their information media in order to stay up to date on the changes in the SAP product portfolio and the associated technological developments.
The website www.sap-corner.de offers many useful information about SAP basis.
Instead of data maintenance and application development, SAP Basis is more about providing and maintaining the software environment on which the data resides and is processed.