


Introducing a Free New Self-Service Tool That Runs Comprehensive Security Checks in Minutes, Not Days

by Frank Buchholz | SAPinsider

April 1, 2006

by Frank Buchholz, SAP AG, Larry Justice, SAP America, and Matthias Buehl, SAP AG SAPinsider - 2006 (Volume 7), April (Issue 2)

With the onset of Web services, IT systems that were formerly accessible only from within a company can now be accessed externally by employees and business partners. System access even extends to customers, with the prevalence of online shops and Web-based customer service interfaces. This openness, combined with the growing imminence of corporate regulations, requires companies to have an accurate picture of who has access to what system data, and whether that data is both valid and confidential.

As a result, regular security checks are essential to maintaining secure, compliant IT systems. Companies need a clear snapshot — at any point in time — of all potential security vulnerabilities that may be putting critical business information at risk.

So why haven't more SAP customers made security checks a regularly scheduled event for their IT organization? A few factors have prevented routine security checks from becoming the norm:

  • While IT teams have been able to use standard SAP functionality — including transactions like SUIM, reports like RSCSAUTH, and the Audit Information System — to conduct security checks on their own, they needed senior analyst-level expertise to really drill down, interpret, and apply the results.

  • Communication gaps can make it challenging for the technical security team and functional users of mySAP ERP applications like FI, SD, and MM to collectively determine which transactions or combinations of transactions are the most crucial to monitor. This becomes even more complicated when functional users are trying to determine authorizations associated with critical transactions.

To help companies overcome these challenges, SAP has introduced the Security Optimization Self-Service, a new diagnostic tool that comes with the latest release of SAP Solution Manager (see sidebar) at no additional charge. The self-service enables IT teams to perform regular system checks, diagnose security weak points, and follow specific recommendations to overcome any potential vulnerabilities.

This article provides an overview of the prerequisites and steps necessary to begin using the Security Optimization Self-Service. We'll demonstrate how a small upfront time investment can ensure that reliable, repeatable security checks become part of your company's administrative routine. We'll also provide information about the full SAP Security Optimization Service, of which the self-service is a subset (see sidebar at the end of the article), and explain when customers should use this service to extend the capabilities of the new self-service tool.

Why Sound Security Depends on SAP Solution Manager

SAP Solution Manager, SAP's application management platform, offers you a complete view and central command of all management activities associated with your SAP solutions. We strongly encourage all customers to implement SAP Solution Manager, as it is a prerequisite for the Security Optimization Self-Service. SAP Solution Manager is also helpful for synchronizing production support between existing and new release landscapes through the use of customizing distribution, project issue management, and help desk functionality. It further serves as a repository for project-related documentation.

For more information about SAP Solution Manager, see "Looking for Ways Your IT Organization Can Contain Costs Without Sacrificing Services? An Introduction to SAP Solution Manager Tools" by Cay Rademann in the January-March 2005 issue of SAP Insider (

Regulate Security Checks with the SAP Security Optimization Self-Service

The SAP Security Optimization Self-Service is available for free with release 3.1 of SAP Solution Manager. With the self-service offering, security checks that used to take several days can be carried out in less than an hour.

The SAP Security Optimization Self-Service enables you to regularly run the most up-to-date checks, verify the effectiveness of implemented security measures from earlier service runs, and ensure that recent configuration changes have not introduced new security holes. The tool:

  • Analyzes the technical configuration of your SAP system and indicates where the security risks are

  • Generates a ranking of the most crucial security vulnerabilities

  • Provides a summary of the currently implemented security levels

  • Gives recommendations for mitigating identified security risks

After running the service, you'll get an easy-to-understand and very helpful final report (see Figure 1) that not only details what checks were executed down to the current authorization object field values, but also explains what to do to remediate the findings. The report primarily focuses on authorizations, but it also delivers important information on the fundamental configuration of your SAP system to increase security in areas like handling super users and maintaining security policies (see sidebar below).

Figure 1

The Security Optimization Self-Service Final Report Details All Potential Problems in the Security Landscape

Getting Started: Check Customer-Specific Authorizations

Once you have all system prerequisites in place (see Figure 2), you're ready to begin customizing the self-service tool to check for the specific users and authorizations in your landscape. At the start of any security check session, you must fill out a questionnaire to indicate the specific authorizations you want the security check to monitor and whether you'd like certain users to be excluded from the report. This upfront work makes the resulting report more readable and ensures that its recommendations are relevant.

Central System: the system where the self-service tool resides
  • SAP Solution Manager (release 3.1 or higher), with a system landscape definition that includes the target system to be checked
  • ST-SER plug-in, release 2005 1
  • ST-A/PI plug-in, release 01F*, in order to collect the data in the system to be checked

Target System: the CRM, ERP, SCM, or other system where you are running the security check
  • Must be connected to SAP Solution Manager
  • Current ST-PI plug-in
  • Current ST-A/PI plug-in
  • Implementation of SAP Note 696478, namely creating a special authorization for the user who performs the ST14 data collection, and installing the ST-A/PI plug-in, version 01D*

The asterisks next to 01F and 01D represent the relevant SAP application. Because there is only one ST-A/PI plug-in for each system, you must be careful to install the correct version.

Figure 2

System Prerequisites for Executing the Security Optimization Self-Service

The SAP Security Optimization Self-Service has over 100 built-in checks for critical authorizations, which it will perform automatically. These checks, however, pertain only to the system administration area. To search for critical authorizations in mySAP ERP applications or other SAP solutions, you have to define these checks yourself.

To maintain your own critical authorizations and include them in the final service report, select the SOS_CUSTOMER_DATA tool in transaction ST13. For every critical authorization, you can enter up to four different authorization objects, including relevant authorization values (see Figure 3). In addition, you can add any number of transactions to a critical authorization. This means that for every critical authorization, you can select all users that either have all of the authorizations specified or that are authorized for at least one of the transactions specified.

Figure 3

Transaction ST13 to Maintain Specific Critical Authorizations

For example, if a user were authorized to maintain any table, you would enter the following critical authorizations:

  • Transactions: SE16, SE16N, SE17, SM30, SM31

  • Authorization object: S_TABU_DIS with field ACTVT value "02" and field DICBERCLASS value "*"
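
The selection rule just described, modelled offline as an added example; this is not SAP's code and not part of the original article. It assumes transaction start rights are held as object S_TCODE with field TCD, that a held "*" covers any required value, and that known users are excluded as the questionnaire allows; all user names and authorization data are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class CriticalAuth:
    name: str
    transactions: set                              # any one of these is enough
    objects: dict = field(default_factory=dict)    # object -> {field: required value}

    def __post_init__(self):
        if len(self.objects) > 4:                  # the article allows up to four objects
            raise ValueError("at most four authorization objects per check")

def holds(user_auths, obj, required):
    """True if a single authorization of `obj` covers every required field value.
    Assumption: a held "*" covers anything; a required "*" needs a held "*"."""
    for auth in user_auths.get(obj, []):
        if all("*" in auth.get(f, set()) or v in auth.get(f, set())
               for f, v in required.items()):
            return True
    return False

def flagged_users(check, users, known_users=()):
    """Users holding all listed authorizations OR at least one listed
    transaction (the rule as the article states it), minus known users."""
    hits = []
    for name, auths in sorted(users.items()):
        if name in known_users:
            continue
        has_objects = bool(check.objects) and all(
            holds(auths, obj, req) for obj, req in check.objects.items())
        has_tcode = any(holds(auths, "S_TCODE", {"TCD": t})
                        for t in check.transactions)
        if has_objects or has_tcode:
            hits.append(name)
    return hits

# The article's "maintain any table" definition.
TABLE_MAINT = CriticalAuth(
    name="Maintain any table",
    transactions={"SE16", "SE16N", "SE17", "SM30", "SM31"},
    objects={"S_TABU_DIS": {"ACTVT": "02", "DICBERCLASS": "*"}},
)

# Constructed sample data: user -> object -> list of {field: held values}
USERS = {
    "BASIS_ADM": {"S_TCODE": [{"TCD": {"*"}}],
                  "S_TABU_DIS": [{"ACTVT": {"*"}, "DICBERCLASS": {"*"}}]},
    "FI_CLERK":  {"S_TCODE": [{"TCD": {"FB01", "SM30"}}],
                  "S_TABU_DIS": [{"ACTVT": {"02"}, "DICBERCLASS": {"FC01"}}]},
    "AUDITOR":   {"S_TCODE": [{"TCD": {"SUIM"}}],
                  "S_TABU_DIS": [{"ACTVT": {"03"}, "DICBERCLASS": {"*"}}]},
    "BATCH_JOB": {"S_TABU_DIS": [{"ACTVT": {"02", "03"}, "DICBERCLASS": {"*"}}]},
}

if __name__ == "__main__":
    print(flagged_users(TABLE_MAINT, USERS))
    print(flagged_users(TABLE_MAINT, USERS, known_users={"BASIS_ADM"}))
```

In this sample, FI_CLERK is flagged through transaction SM30 alone even though its table authorization is limited to one class, which shows how the "at least one transaction" branch widens the result set.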

The key challenge here is determining which critical authorizations in mySAP ERP are most important for your system. To help, we recommend using the SAP Compliance Calibrator by Virsa Systems in addition to the full Security Optimization Service (see sidebar) to analyze your complete authorization concept. The Compliance Calibrator is sold by SAP, comes with an extensive database of predefined critical authorization combinations, and extends the abilities of mySAP ERP to meet Sarbanes-Oxley compliance standards.

What Exactly Does the Self-Service Check For?

The SAP Security Optimization Self-Service performs security checks to ensure that these requirements are met:

  • Availability: Systems are operational and functional at any given moment. When the target system is up and running, the self-service checks for critical authorizations that might influence the availability of the system.

  • Integrity: Data is valid and cannot be compromised. The self-service checks for critical authorizations that might be misused to compromise data (using the developer or debugging authorization, for example).

  • Authenticity: Users are who they claim to be. The self-service checks the secure handling of super users and the quality of the password policy to ensure that every person can only use his personal logon.

  • Confidentiality: Only authorized users access information. The self-service checks for critical authorizations to ensure that direct table access is extremely limited. (To ensure confidentiality of application data, however, the customer has to run additional tests.)

  • Compliance: The system security setup is in accordance with established guidelines. The Security Optimization Self-Service can be used as part of the checks and balances needed to ensure that regulatory compliance requirements are and continue to be met. [1]

Common "Gotcha": Specify Known Users with Critical Authorizations

When defining critical authorizations in your questionnaire, you must be careful that system administrators and other power users with critical authorizations do not skew the report. Enter these known users with critical authorizations into the questionnaire to exclude them from the report and simplify the results (see Figure 4).

Figure 4

Configure the Questionnaire So That Known Users with Critical Authorizations Do Not Skew Your Results

Once you've configured the self-service to the authorizations and users in your system, schedule the security scan. For a complete HOWTO paper on running the scan, visit the SAP Service Marketplace at and navigate to the Media Library.

Each questionnaire is paired to a specific self-service run and is deleted when the run ends. If you plan to reuse a particular questionnaire, download it and save it as a Word document just before you execute the service. You can then upload the questionnaire for use in future sessions.

Carefully Implement the Report's Recommendations

In addition to the list of detected security issues shown back in Figure 1, the report generated by the Security Optimization Self-Service also provides recommendations for how to eliminate or reduce these vulnerabilities (see Figure 5). We strongly advise you to implement each of the measures proposed in the report.

Figure 5

Sample Recommendations Report

Before implementing the recommendations, however, be sure to perform the following tasks:

  1. Confirm that the identified risks actually apply to your system, and then prioritize applicable risks according to your system's needs. Evaluate the expected amount of effort needed to execute these measures, and perform a cost-benefit analysis.

  2. Investigate the impact of the recommended measures before applying them to your system, and plan your actions carefully to avoid confusion among users. Simply implementing a stronger password policy, for example, might be confusing to end users if you have not notified them about the new policy.

  3. Once you have prioritized the appropriate recommendations and prepared your users for any system changes, apply the measures.

Additional live technical support from SAP consultants is also available through the SAP Security Optimization Service from SAP Active Global Support.

When to Consider SAP's Complete Security Optimization Service

While running the self-service security check is easy, some customers may want additional technical support to guide them through the process of implementing the recommended security measures. For these customers, we recommend the SAP Security Optimization Service. This complete service is especially applicable for customers running one or more of SAP's middleware components, and is also able to check a J2EE installation.

Launched in 2004 as part of SAP Active Global Support's portfolio of customer services, the SAP Security Optimization Service is designed to help customers ensure the security of their SAP systems and keep SAP solutions running optimally, thereby improving return on investment and reducing the cost of operations.

The fee-based service is a comprehensive one- to two-day automated evaluation of a customer's critical security settings across their system landscape, performed remotely and actively monitored by a technical support team at SAP. This evaluation helps identify and eliminate potential vulnerabilities — including applications, middleware, Internet gateways and interfaces, third-party systems, and user authorizations — and minimizes the risk of unauthorized intrusions.

Following the evaluation, customers receive a detailed analysis of security gaps and vulnerabilities — prioritized according to severity and probability — and action plans for how to resolve them. The recommended security measures can be carried out by the customer, SAP Consulting, or certified SAP partners.

For more information on the SAP Security Optimization Service, visit and --> SAP NetWeaver Platform --> Security.

"With the dynamic development of enterprise IT landscapes and their increasing openness to customers and business partners, companies are continually presented with new challenges in terms of security," says Sachar Paulus, chief security officer, SAP AG. "Knowing that our customers run business-critical information on SAP systems, we have always taken IT security very seriously. SAP Security Optimization will help our customers fortify their system landscapes and safeguard the sensitive data and processes that are essential to their business success."


Regularly using the SAP Security Optimization Self-Service — available at no additional cost within SAP Solution Manager — will give you a clear picture of any potential security vulnerabilities in your system landscape. The self-service will help you keep a close watch on critical authorizations, which is essential for maintaining compliant systems. Where you once had to be a senior-level security analyst to drill down and use security check functionality, the Security Optimization Self-Service brings the ability to conduct security checks to the everyday user. And with the service's user-friendly results and recommendations report, you have a guided roadmap you can follow to ensure the security of your system landscape.

For more information on the SAP Security Optimization Self-Service, please consult the resources listed in the "References" sidebar or email your queries to And for further on-site support from experienced SAP technicians, you can also participate in the full Security Optimization Service from SAP Active Global Support.


For more information, please visit these sites:

Security Optimization Service at the SAP Service Marketplace

SAP Education
Course ADM960: Security in SAP System Environments
( --> User Education)

SAP TechEd '05 session AGS250: Self-Service Security Optimization with SAP Solution Manager

SAP Developer Network Blog: Security Services @ SAP

SAP Security Guides at the SAP Service Marketplace

SAP Security Consulting Services

SAP Notes
696478: SAP Security Optimization: Preparation & additional info
837490: Execution of the security optimization self-service

[1] A complete check for corporate governance and compliance — determining, for example, if a system is Sarbanes-Oxley compliant — is not within the scope of the self-service, as topics outside the security area would also need to be checked to guarantee full compliance to these requirements.

Frank Buchholz joined SAP in 1994. With a strong focus on security, he worked in HR quality management before participating in the development of Secure Network Communications and the Audit Information System. After assuming the development lead role for maintaining and improving user and authorization management functions (ABAP), Frank joined the SAP NetWeaver Product Management Security team as a Security Architect in the fall of 2003.
Larry Justice joined SAP in 1996. He is a Platinum Technical Consultant with a Basis systems background and 10 years of experience with SAP America. He is currently working in the areas of user access, security strategy development, security audit, SSO, LDAP, and other SAP NetWeaver Portal technical areas — including upgrade support and other related issues. Larry also works as a technical lead on implementations, and his expertise covers virtually all SAP products, including component SAP R/3 systems, mySAP Business Suite, SAP NetWeaver Portal, SAP BW, and many others. In addition, Larry is currently the Regional Group Lead, North America, for the Security Focus Group.
Matthias Buehl joined SAP in 1999. He worked in HR development for the Swiss country version before participating in the development of the SAP Security Optimization Service. Beginning in June 2004, Matthias was responsible for this service in the SAP Global Active Support organization. He now is part of the architecture team of the SAP Application Platform.
