SAP S/4HANA migration
A secure SAP system does not only include a good role concept. It is also necessary to check whether a user should (still) have a specific role. Regular verification of role assignment is called recertification. In this blog post, I'd like to introduce you to the need for recertifications and our own tool, EasyReCert.

The need for recertification - scenarios:

Example 1: The "apprentice problem"

Imagine the following scenario: A new employee (e.g. an apprentice or trainee) goes through various departments as part of his or her training and works on various projects. Of course, an SAP user equipped with appropriate roles is made available to this employee right at the beginning. With each project and department, the employee repeatedly needs new permissions to meet the requirements. After the employee has successfully completed the induction and is now in a permanent position, he or she still has permissions that are not necessary to perform his or her duties. This violates the principle of "least privilege" and represents a potential security risk for your company.

Example 2: The change of department

The change of department is a scenario that probably occurs in every company. If a change of department does not automatically involve a complete reallocation of roles and the employee simply takes his old permissions with him, critical combinations of permissions can occur very quickly. For example, an employee who has permissions in both accounts payable and accounts receivable violates the SoD ("Segregation of Duties") principle and poses a potential security risk to your company.

Recertification as part of a revision:

The two examples above show that a regular review of role allocation identifies potential security risks for your business so that they can be addressed.
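The two scenarios above are exactly what an automated recertification pass looks for: role assignments that have not been reviewed within the review period, and users whose combined roles create a critical (SoD) combination. The following Python script is an added example of such a check and is not code from the blog post or from EasyReCert; the role names, the mapping of roles to business functions, the SoD rule set and the user assignments are all constructed sample data.

```python
"""Recertification helper (added example, not the page's own tool).

Two checks over a list of user/role assignments:
  1. Segregation-of-Duties: does any user hold two conflicting business functions?
  2. Review age: which assignments were last recertified longer than N days ago?
All data below is constructed for illustration.
"""
from datetime import date
from typing import Dict, FrozenSet, List, Set, Tuple

# Hypothetical roles and the business function each one grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"ACCOUNTS_PAYABLE"},
    "Z_AR_CLERK": {"ACCOUNTS_RECEIVABLE"},
    "Z_VENDOR_MASTER": {"VENDOR_MAINTENANCE"},
    "Z_DISPLAY_ONLY": set(),  # display-only role, no critical function
}

# Constructed SoD rule set: pairs of functions one person must never hold together.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"ACCOUNTS_PAYABLE", "ACCOUNTS_RECEIVABLE"}),
    frozenset({"ACCOUNTS_PAYABLE", "VENDOR_MAINTENANCE"}),
}

# Constructed assignments: (user, role, date of last recertification).
# TRAINEE01 collected roles while rotating through departments ("apprentice problem").
ASSIGNMENTS: List[Tuple[str, str, date]] = [
    ("TRAINEE01", "Z_AP_CLERK", date(2023, 1, 10)),
    ("TRAINEE01", "Z_AR_CLERK", date(2023, 6, 1)),
    ("TRAINEE01", "Z_DISPLAY_ONLY", date(2024, 3, 1)),
    ("CLERK02", "Z_AR_CLERK", date(2024, 2, 15)),
]


def functions_per_user(assignments: List[Tuple[str, str, date]]) -> Dict[str, Set[str]]:
    """Collect the union of business functions each user holds across all roles."""
    result: Dict[str, Set[str]] = {}
    for user, role, _ in assignments:
        result.setdefault(user, set()).update(ROLE_FUNCTIONS.get(role, set()))
    return result


def sod_violations(assignments: List[Tuple[str, str, date]]) -> Dict[str, List[Tuple[str, str]]]:
    """Return, per user, the sorted list of conflicting function pairs they hold."""
    violations: Dict[str, List[Tuple[str, str]]] = {}
    for user, functions in functions_per_user(assignments).items():
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= functions]
        if hits:
            violations[user] = sorted(hits)
    return violations


def overdue_assignments(assignments: List[Tuple[str, str, date]], today: date,
                        max_age_days: int = 365) -> List[Tuple[str, str]]:
    """Assignments whose last recertification is older than max_age_days."""
    return [(user, role) for user, role, reviewed in assignments
            if (today - reviewed).days > max_age_days]


if __name__ == "__main__":
    today = date(2024, 7, 1)  # constructed "run date"
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    for user, role in overdue_assignments(ASSIGNMENTS, today):
        print(f"Recertification overdue: {user} / {role}")
```

In a real landscape the assignment list would come from the user-to-role data of the system being reviewed and the conflict set from the company's SoD matrix; the point of the example is that both checks are simple set operations once the role-to-function mapping is explicit.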
The Extended Memory thus contains mainly user contexts of different work processes, if these cannot be loaded completely into the roll area. Since this storage area is accessible to all work processes, a work process can also access the contexts of other users that lie here. In addition, the Extended Memory contains a global area where data can be stored independently of user contexts. The extended memory size is determined by the values of em/initial_size_MB and em/global_area_MB. The first parameter determines the size of the storage area in which user contexts can be stored, and the second determines the size of the global area.

Parameters for Private Storage

Last but not least, there is the private storage, which is only used when the user context of a work process has used up all the other storage areas available to it, i.e. its share of the extended memory and its roll area. In this case, the work process goes into PRIV mode. A work process in private mode is bound to its current user context and will not become free for other tasks until the current request is completed. If it has used up all the private memory allocated to it, the work process is then restarted and the memory released. This behaviour is controlled with the abap/heaplimit parameter. At times, the user context may exceed the value of abap/heaplimit. The parameters abap/heap_area_total, abap/heap_area_dia and abap/heap_area_nondia define an upper limit for private storage. The abap/heap_area_total parameter defines how much private storage all work processes can use in total. The parameters abap/heap_area_dia and abap/heap_area_nondia, on the other hand, determine how much private storage a single (non-)dialog work process can use.
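The relationships between these parameters are easy to get wrong when a profile is edited by hand, so a small consistency check is useful. The script below is an added example, not code from the page: it parses a constructed instance-profile fragment in the usual "key = value" form and reports where the per-process heap limits are inconsistent with the total, and where abap/heaplimit is not below the per-process hard limits. The parameter values are illustrative only, not recommendations.

```python
"""Consistency check for SAP private-storage (heap) profile parameters.
Added example; SAMPLE_PROFILE is a constructed fragment, not a real instance profile.
"""
from typing import Dict, List

SAMPLE_PROFILE = """\
# constructed instance profile fragment (values illustrative only)
em/initial_size_MB = 4096
em/global_area_MB = 256
abap/heaplimit = 40000000
abap/heap_area_dia = 2000000000
abap/heap_area_nondia = 2000000000
abap/heap_area_total = 1500000000
"""


def parse_profile(text: str) -> Dict[str, int]:
    """Parse 'key = value' lines into a dict of integers; '#' starts a comment."""
    params: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = int(value)
    return params


def check_heap_parameters(params: Dict[str, int]) -> List[str]:
    """Return a list of findings; an empty list means the heap parameters are consistent."""
    findings: List[str] = []
    required = ("abap/heaplimit", "abap/heap_area_dia",
                "abap/heap_area_nondia", "abap/heap_area_total")
    missing = [p for p in required if p not in params]
    if missing:
        return [f"missing parameter(s): {', '.join(missing)}"]

    limit = params["abap/heaplimit"]
    dia = params["abap/heap_area_dia"]
    nondia = params["abap/heap_area_nondia"]
    total = params["abap/heap_area_total"]

    # A single work process must not be allowed more than all work processes together.
    if dia > total:
        findings.append("abap/heap_area_dia exceeds abap/heap_area_total")
    if nondia > total:
        findings.append("abap/heap_area_nondia exceeds abap/heap_area_total")

    # abap/heaplimit triggers the restart of a PRIV-mode work process; if it is not
    # below the hard per-process limits, the hard limit is hit before the restart.
    if limit >= min(dia, nondia):
        findings.append("abap/heaplimit is not below abap/heap_area_dia / abap/heap_area_nondia")
    return findings


if __name__ == "__main__":
    for finding in check_heap_parameters(parse_profile(SAMPLE_PROFILE)):
        print("finding:", finding)
```

The sample fragment deliberately sets both per-process limits above the total, so the script reports two findings; correcting abap/heap_area_total (or lowering the per-process values) makes the list empty.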
Knowledge or experience in the administration of server hardware and storage technologies
An important area of SAP Security is the analysis of the customer's own SAP programs, which are classically written in the proprietary SAP language ABAP. Here, too, as in all programming languages, security vulnerabilities can be programmed, whether consciously or unconsciously. However, the patterns of security vulnerabilities in ABAP code differ from those in Java stacks or Windows programs. An attack on such conventional programs usually aims either to crash the program (buffer overflow) or to make it execute attacker-supplied code (code injection). Neither is possible in ABAP, since a crash of a process causes nothing other than the creation of an entry in the log database (dump, transaction ST22) and a subsequent termination of the report with a return to the menu starting point. So direct manipulation as in other high-level languages or servers is not possible. However, there are other manipulation possibilities.
SAP Basis refers to the administration of an SAP system, which includes activities such as installation and configuration, load balancing, and the performance of SAP applications running on the Java stack and SAP ABAP. This includes the maintenance of the different services related to the database, operating system, application and web servers in an SAP system landscape, as well as stopping and starting the system. Here you can find some useful information about SAP Basis: www.sap-corner.de.
Introducing secinfo and reginfo files into an existing system landscape is associated with risk and effort. As already indicated in the two options, the workload increases greatly as the system landscape grows.
However, since the transactions can also be assigned to the user via different roles, this would not be useful.
Protect: CodeProfiler for ABAP protects the SAP system from internal and external attacks from the first day of deployment.