SWPM - the Software Provisioning Manager integrates the classical tools like sapinst, ehpup, etc. for the maintenance/installation of SAP systems.
In this article on SAP Security Automation I would like to take a look at the future of automated processes in the SAP security area. For many companies, security automation still offers a lot of potential for time savings and process optimisation. Our daily work includes numerous tasks that are excellent candidates for automation. For this reason, I present two of the possibilities that already exist in the broad area of security automation.
Security Automation via SAP Security Check
The first option of security automation that I want to introduce here is the automatic verification of existing permissions. Have you ever wondered who has critical permissions in your SAP system? And have you ever tried to find out by hand? Depending on the expertise and experience of the authorization administrator, this is time-consuming work. If an audit is also announced and the SAP system is to be checked for critical permissions and segregation of duties, it is very difficult to meet all requirements and secure the authorization landscape in this respect.
For this reason, various vendors provide tool-supported solutions that automate the verification of the authorization system with regard to critical permissions and segregation of duties. This allows authorization administrators to spend their valuable time correcting errors rather than just looking for them. For example, we use a tool that runs through the verification of over 250 rules. We then get an evaluation of which rules are violated and which points are correct.
A simple example of such a rule is the use of the SAP_ALL profile. Another would be granting the jump permission in debugging (authorization object S_DEVELOP with the field ACTVT = 02). These are two relatively simple examples from the rulebook of security check tools. In addition, the tools run queries in the area of segregation of duties.
Using this tool allowed us to move from manual validation of critical permissions to an automatic process.
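The two rules named above can be sketched as a small offline check. This is an added example, not the tool mentioned in the article: the CSV layout, column names and users are constructed assumptions, and only the single field ACTVT is evaluated, as in the article's rule. It shows why such a check must handle wildcard and range values rather than only the literal value 02.

```python
import csv
import io

# Constructed sample export (not real data). The column layout is an assumption:
# one row per user and authorization field value, with low/high for ranges.
SAMPLE = """user,profile,object,field,low,high
ALICE,SAP_ALL,,,,
BOB,Z_DEV,S_DEVELOP,ACTVT,03,
CAROL,Z_DEV2,S_DEVELOP,ACTVT,01,03
DAVE,Z_ADM,S_DEVELOP,ACTVT,*,
ERIN,Z_FI,F_BKPF_BUK,ACTVT,02,
"""

# Rule set: the two examples named in the article.
CRITICAL_PROFILES = {"SAP_ALL"}
CRITICAL_AUTHS = [("S_DEVELOP", "ACTVT", "02")]


def value_matches(low, high, wanted):
    """True if an authorization value (single, range or wildcard) covers `wanted`."""
    low, high = low.strip(), high.strip()
    if low.endswith("*"):  # full wildcard "*" or a prefix pattern such as "0*"
        return wanted.startswith(low[:-1])
    if high:  # range, e.g. 01 to 03
        return low <= wanted <= high
    return low == wanted


def check(export_text):
    """Return sorted (user, rule) findings for the rules above."""
    findings = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["profile"] in CRITICAL_PROFILES:
            findings.add((row["user"], "profile " + row["profile"]))
        for obj, field, wanted in CRITICAL_AUTHS:
            same_field = (row["object"], row["field"]) == (obj, field)
            if same_field and value_matches(row["low"], row["high"], wanted):
                findings.add((row["user"], f"{obj} {field}={wanted}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, rule in check(SAMPLE):
        print(f"{user}: {rule}")
```

CAROL and DAVE are reported although neither row contains the literal value 02; a comparison on the exact string would miss both.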
System changeability and client settings
The Security Audit Log (SAL) is one of the most important elements when it comes to security in your SAP landscape. With SAL, critical and security-relevant activities in SAP systems can be recorded and evaluated. The settings in SAL are relevant for secure continuous operation.
In the area of SAP Basis administration there are many tasks that occur at long but irregular intervals, such as adjusting the system modifiability. As a result, the know-how is often lacking and people quickly turn to the nearest search engine, where long and partially incomplete forum entries make finding the right approach even more difficult. For this reason, I will regularly record recurring tasks from SAP Basis administration for you in simple tutorials. This blog post starts with the topic of system modifiability and client control. If you want to jump directly to a step-by-step guide, just scroll down to the bottom, where I have summarised everything.
System Modifiability - What Is It?
The system modifiability lets you set which objects of the repository and of the client-independent customising are modifiable or not. For repository objects, the setting can be refined further by software component and namespace. You can choose whether an object should be modifiable, restricted modifiable, or non-modifiable. In this context, restricted modifiable means that repository objects can only be created as non-originals (a small note: for packages, the settings "restricted modifiable" and "modifiable" behave identically). Let us now turn to how to change the system modifiability.
Change system modifiability
As preparation, you should clarify how long the system should remain modifiable. I have learned from my clients that it is often desired to set the system to "changeable" only temporarily, for certain tasks from the specialist areas. Once this is settled, call transaction SE06 in client 000 and click the "System Modification" button. If you do not have permissions for this transaction, you can try either transaction SE03 -> System Modifiability or transaction SE09 -> Jump -> Transport Organiser Tools -> System Modifiability (under "Administration").
The following screenshot shows the path via SE03. Here you can change the desired namespaces and software components depending on your request.
Some missing SAP basic functions in the standard are supplied by the PC application "Shortcut for SAP Systems".
The status light should be green.
SAP Basis Administration Batch Control Job Control A large proportion of batch jobs run at night, while IT systems are available for dialog and online applications during the day.