Adm900 en Col10 Vlc Fv Part a4

ADM900

.

PARTICIPANT HANDBOOK VIRTUAL LIVE CLASSROOM

. Course Version: 10 Course Duration: 2 Day(s) Material Number: 50117500

Duplication is prohibited.


SAP System Security Fundamentals

SAP Copyrights and Trademarks

© 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. ●

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

●

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

●

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

●

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or

●

Oracle is a registered trademark of Oracle Corporation

●

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

●

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

●

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

●

●

Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

●

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

●

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

●

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.



other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.



© Copyright . All rights reserved.

iii



iv


VLC About This Handbook About This Handbook This handbook provides you with basic information for attending your virtual live classroom session. Adobe Connect Support Information Web and audio support is available by: ●

Pressing *0 from within the audio-conferencing

●

Calling the support hotline numbers listed below

●

Emailing the PGI support hotline below

Global PGI Support Hotline for SAP Education (24/7) Tel: +1 800-368-1945 Tel: +1 719-234-7915 Note: After dialing in, press option 2 for technical support. You will then be presented with two options – press 1 for Audio support, or press 2 for Web support. Email: [email protected]

Ideally you want to be in a private room when participating in a synchronous (live) event. In reality, you ³N¤õ,ÿKâ4ÑŁ0/XHWWÐ]ıµÎí³¸±Òo‹@/¹YÌ*)UµÉ•p|ð‘iØüÖs+AË· èØV0`˙ÝÊ²ˆØe³'=Ëk˜H1XT)*õ\DQ~·7Dë=ËŁÏÒÒó¹só@łÝI¿-¢.c¶RŒ:2¾J†G~oÙnZıÞƒ‹„Áár[¨§òRTÅà&¸MmåîG�j@ñ:ÁJ†‰v o
Create an inspirational office/studio to work in

●

Use a comfortable chair

●

Use well designed and functional computer peripherals

●

³N¤Ó,ÿW²4�Ł>/ H˙WÝ]ŸµÎí½¸ýÒ`‹]@.¹DÌX*)U«ÉÒprð⁄i�÷Ö<+AËº úØ0/˙fiÊžˆše¨'<Ë.˜H1XPTp*é\^QX~±7ë'ËÜÏ ÒÒóüsµIłÀIí-ï.d¶_Œ˘:*¾Q†X~HoÄnXı“ƒ‡„ÇáhG¨ôòž

Before your online class: ● Tell co-workers you will be in class (send e-mail) ●

Post a sign indicating when you will be free again (when class is over)

●

Use a headset instead of your computer speakers to minimize disruption of others

●

Ignore people who try to get your attention

●

Turn off the ringers / alerts on telephone, pager, and cell phone

●

Turn off e-mail and instant message alerts

●

Remove other distractions lying on your desktop

●

Keep a glass of water at your desk

Teleconferencing ground rules: Use the mute button or press *6

●

●

Do not place call on hold


v



Setting up your Learning Environment

●

Use the "Raise hand" icon in the Attendee List: My Status to indicate you want to ask a question

●

Identify yourself before speaking, when not called on

●

Charge the batteries for your cordless handset

●

If possible use a land line instead of your cell phone

Minimum Hardware Requirements ●

●

●

PC with 1 GHz processor or higher. Minimum 1 GHz processor recommended for screen sharing. You may be asked to share their screen during hands-on exercise portion of virtual class. 17 inch or larger monitor is recommended, set at 1024 X 768. Larger monitor and 1024 X 768 setting will make presentation and system screens easier to read. Phone with Headset/Microphone or Speakerphone feature – to maximize student listening and comfort during presentation and demonstration portions of the course.

Software Requirement A complete list of supported Operating Systems, browsers and additional requirements for Adobe® Acrobat® Connect™ can be found at: www.adobe.com/products/acrobatconnectpro/systemreqs Sample Email to Notify Others You Are in a Virtual Class

%ÿ�û¨g<7Bó“˙⁄»l%ªx”Ÿ£Õ¢C~Ł-Û3îÉ]A}4Î Today I will be participating in an online class from my desk. I will be online from approximately 9:30 a.m. to 5:30 p.m. EST. I would appreciate it if you would not disturb me during this time. If you have an %ÿ�Öö<;Bä“_⁄±l+ª`”‚£’¢S~⁄-Ë3øÎ]}{[¥ßäÉÊ±¹Kzfl¦"C˙¡ð−‚Oo„ºÿ×ƒ{E©Ö';!wvqü‡9üÎLïpA"<²µ™˛÷Á-Âä´bíiTþqÙ‹¹ôMã.¹:q'„F ŠÏgÆËJ)U .íáfiNwÀšþS:"†fàð‰QŽfíh¨#-®Ý@�˝³à^î¥"îuáÙÏ”Ó(ñŒı⁄yÑ”#·‡º] Best regards, Getting the Most Out of Your Session Session Guidelines ●

●

Participate and prepare to be called on by name.

●

Use the “Raise Hand” icon if you have an immediate question or comment.

●

Be patient waiting for a response to your chat messages.

●

vi

Turn off email, phones, instant messaging tools, and clear other distractions away from your training area.

If you leave the program, please use the “Step Away” status icon in the Attendee List pod to let your instructor know when you leave and remember to clear it when you return.




This is a sample of an email you can send to your colleagues and manager when you are taking an online %ÿ�Ü¨m<#Bó“H⁄½ldª4”T£’¢‡

About This Handbook This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study. Typographic Conventions American English is the standard used in this handbook. The following typographic conventions are also used.

This information is displayed in the instructor’s presentation

Demonstration

Procedure

Hint

Related or Additional Information

Facilitated Discussion

User interface control

Example text

Window title

Example text


vii



Warning or Caution



viii


Contents xi

Course Overview

1

Unit 1:

2 19

Lesson: Review Security Fundamentals Unit 2:

20 27 35 42 63 77

Unit 3:


Infrastructure Security Lesson: Review Network Topology Lesson: Enable Secure Network Communication (SNC) Lesson: Enable Secure Socket Layer (SSL)

Unit 5:

210 233 235

242


Unit 4:

162 174 189

241

Advanced User Administration Topics Lesson: Implement Central User Administration (CUA) Exercise 4: Distribute User Data with CUA Lesson: Work with Directory Services Lesson: Describe SAP Governance, Risk, and Compliance (GRC) 10.0 Exercise 5: Run Reports and View Dashboards Lesson: Work with Identity Management

137 143

209

Basic User Administration AS ABAP and AS Java Lesson: Implementing Basic User Administration AS ABAP Exercise 1: Create Users in AS ABAP Exercise 2: Work with Roles Lesson: Implementing Basic User Administration AS Java Exercise 3: Implement User and Group Administration

78 95 100 107

161

Security Fundamentals

Single Sign on in SAP Systems Lesson: Implementing Single Sign-On (SSO) in SAP Systems Exercise 6: Check Logon Procedure of ICF Service Exercise 7: Activate HTTP Security Sessions

Unit 6:

Security Monitoring with SAP Solution Manager Lesson: Monitoring and Analyzing Security with SAP Solution Manager


ix



x


Course Overview TARGET AUDIENCE This course is intended for the following audiences: ●

Technology Consultant

●

Executive




xi



xii


UNIT 1

Security Fundamentals

Lesson 1 Review Security Fundamentals

2

UNIT OBJECTIVES ●

Ensure computer security




1

Unit 1 Lesson 1 Review Security Fundamentals

LESSON OVERVIEW This lesson describes the security threats to a system and its security safeguards. It also explains how to categorize the security measures to secure the system environment. Business Example You need to have a basic understanding of the security threats to a system and the security measures that should be implemented. For this reason, you require the following knowledge: ●

An understanding of computer security

●

An understanding of security policies An understanding of security measures and the necessary steps to establish a secure system environment

LESSON OBJECTIVES After completing this lesson, you will be able to: ●


Introductions Instructor Introduction Student Introduction ●

Your name and company name

●

Part of business and project you represent

●

SAP release currently implemented or implementing

●

Status of project

●

What products or services your company provides

●

Class expectations

Session Best Practices ●

-

●

2

Phones Place your phone on mute except when talking to the instructor to eliminate background noise for other participants Access email and web sites only during breaks and after completion of exercises




●

Lesson: Review Security Fundamentals

●

●

Managing Questions: -

Use the Q and A pod to ask questions electronically

-

Review the Ask a Question icon in My Status

-

Ask for verbal questions at different points in lecture and demonstrations

-

Some questions will be parked until later

Discussions on the Phone: -

Instructor will act as a moderator

-

Speak clearly and loud enough so everyone can hear

-

Only one conversation at a time

More Session Best Practices ●

Be prompt returning from breaks and lunch -

Be considerate of and respect your fellow students -

Remember every person learns at a different speed

-

Remember each student in class has a different SAP experience level

Additional Information Documentation Website: http://help.sap.com PGI Support Contact Information: Press *0 from within the audio conference Mail to: [email protected] PGI Support hotline numbers: 1-800-368-1945 OR 1-800-234-7915 Note: Press option 2 for technical support and then press 1 for audio support or 2 for web support

Computer Security Concepts Safeguards, threats, and goals are closely related. Threats compromise certain security goals, whereas safeguards protect your system against certain threats. As a result, when implementing security, you need to consider the safeguards with reference to the goals and the threats. Security requirements for sensitive business data arise due to the following reasons: ●

Protection of intellectual property

●

Legal issues and contracts

●

Trust relationship with business partners


3



●

Restart times will be posted in meeting room

Unit 1: Security Fundamentals

●

Continuous business operations

●

Protection of image

●

Correctness of data

Security can optimize administration processes in the following ways: Reduce the number of password resets when using Single Sign-On (SSO)

●

●

Use digital signatures for approval processes

Some interesting facts from the 2010/2011 Computer Crime and Security Survey conducted by the Computer Security Institute (CSI): ●

●

●

●

●

Respondents reported markedly fewer financial fraud incidents than in previous years, with only 8.7 percent of respondents saying they had seen this type of incident during the covered period. Of the approximately half of respondents who experienced at least one security incident last year, fully 45.6 percent of them reported they’d been the subject of at least one targeted attack. Respondents said that regulatory compliance efforts have had a positive effect on their security programs. By and large, respondents did not believe that the activities of malicious insiders accounted for much of their losses due to cybercrime. 59.1 percent believe that no such losses were due to malicious insiders. Only 39.5 percent could say that none of their losses were due to non-malicious insider actions. Slightly over half (51.1 percent) of the group said that their organizations do not use cloud computing. Ten percent, however, say their organizations not only use cloud computing, but have deployed cloud-specific security tools.

The source of the data is CSI (http://www.gocsi.com). The aim of this survey is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States. System Security Goals The following goals are achieved through security measures: ●

Availability

●

Authentication

●

Authorizations

●

Confidentiality

●

Integrity

●

Non-repudiation

In detail, these goals entail:

4




●

Malware infection continued to be the most commonly seen attack, with 67.1 percent of respondents reporting it.


●

Availability Availability ensures that the users can access their resources whenever they need them. When determining your requirements with reference to the availability of resources, you should consider the costs that result from unplanned downtime, for example, loss of customers, costs for unproductive employees, and overtime. Some damage cannot fully be factored in terms of money, for example, loss of reputation.

●

Authentication Authentication determines the real identity of the user. You can use the following authentication mechanisms in a system environment:

●

-

Authentication using user ID and password

-

Authentication using smart card

-

Authentication using a smart card and PIN

Authorization Authorization defines the rights and privileges of the identified user. It also determines the functions that a user can access. The application must be programmed to check whether or not a user is authorized before that user can access a particular function. Confidentiality Confidentiality ensures that the user’s history and communication is kept confidential. Information and services need to be protected from unauthorized access. The authorizations to read, change, or add information or services must be granted explicitly to only a few users and other users must be denied access. If you post something on the Internet, the confidentiality of information is at risk.

●

Integrity Integrity ensures that the user information, which has been transmitted or stored, has not been altered. Programs and services should execute successfully and provide accurate information. As a result, people, programs, or hardware components should not modify programs and services.

●

Nonrepudiation Repudiation is the process of denying that you have done something, whereas nonrepudiation ensures that people cannot deny their actions.


5



●


Security Threats and Goals

The threats shown in the figure are only a set of commonly known threats. A major security threat is social engineering where sensitive information is exposed casually or picked up without going through the correct channels. Case Study – Social Engineering Threats The case study is a good example, which shows the proper procedures that should be maintained for a secure environment. A security consultant was asked to visit a large company and evaluate the security lapses in the company. The man with whom the consultant was supposed to work was quite busy and left the consultant alone, saying he would be back soon. After an hour, the consultant walked down to the computer room but could not get in because it was a secure room. When another employee arrived and swiped his own access card, the consultant was let into the computer ™z,”Ùš!{ñ`†8d While inside the secure room, the consultant saw a note card next to the terminal with the administrator password written on it; he logged on to the server. The consultant worked on the computer for about 45 minutes. Then, an employee said that he and his coworkers were going out to lunch. The consultant was left alone in the computer room for another hour. The security consultant finished his work and returned to the desk of the man with whom he was supposed to work. The man was apologetic and asked the consultant to return the next day. The security consultant replied that he was already finished working and that the company had numerous security lapses. When considering security, do not think only of system attacks. Any untrained employee could also be a risk by performing unexpected or inappropriate system activities.

6




Figure 1: Security Threats and Goals


Examples of security threats: ● Accidents Unexpected system activities may occur if the system is handled by an inexperienced employee. ●

Environmental threats Environmental threats, such as earthquakes, might compromise the availability of the system.

●

System penetration Systems are penetrated when an unauthorized person gains access to them by guessing accounts and passwords.

●

Authorization violation A person can violate authorizations and penetrate a system by misusing the current authorizations that were allocated or stolen. With some authorizations, the hacker is allowed to access the operating system, which allows transport of information and access to other operating system functions.

●

Planting of programs

●

Tampering of data This occurs when a hacker grabs a connection and communicates with both the client and the server. After the hacker has grabbed the connection, the hacker can change the data.

●

Code injection The dynamic nature of websites causes security holes which can be used to gain elevated access privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser. Cross Site Scripting (XSS) attacks are a special form of code injection. Another code injection technique is a Structured Query Language (SQL) injection. An SQL injection attack consists of insertion or injection of a SQL query through the input data from the client to the application.

●

Denial of service A denial of service attack brings down the server and makes the server unavailable. There are several ways to make the server unavailable, such as cutting the network cable, physically destroying the server, or unplugging the server from the network.

●

Repudiation A buyer could repudiate the fact that he or she purchased an item from an online store.

●

Message flooding A hacker can deny service by flooding the system with messages so that the system cannot respond.

●

Masquerading


7



A hacker may gain access to a system and plant a program to access the computer. For example, a hacker might use the program source code to create a new user to break into the system, or a hacker might eavesdrop without being detected.


A person can masquerade as another user. ●

Spoofing Programs can be written to modify the Internet Protocol (IP) address of the source of the Transmission Control Protocol/Internet Protocol (TCP/IP) packet and trick the network because the true IP identity is concealed or disguised and looks like the packet is coming from within the network. This process is known as spoofing.

●

Buffer overflow An application can receive data that the application is not expecting or not prepared to receive. As a result, unpredictable results occur. This is known as buffer overflow and can lead to vulnerability within the server.

●

Phishing Acquiring sensitive information such as usernames, passwords, or credit card details by masquerading as a trustworthy entity is known as phishing.



Threats in Client-Server Communication

Figure 2: Threats in Client-Server Communication

Due to the open and exposed communication architecture, client-server communication is vulnerable to attacks. The client communicates with the server across the network, where attackers can eavesdrop, capture, and manipulate data. At the back-end system, applications and the operating system may contain security holes where attackers can take advantage. The threats shown in the figure also apply to the client. In most cases, clients are more difficult to control than servers.

8



Communication in Open Networks

Figure 3: Communication in Open Networks



On the Internet, there are several threats to consider because there are various components over which you have no control. The threats on the Internet are as follows: Network components of Internet Service Provider (ISP)

●

●

Domain Name System (DNS) servers

●

Landscape of the communication partner

Threats in the digital world are similar to threats in the real world and are dangerous. Threats in the digital world are dangerous due to the following reasons: ● The attacks can be automated. ●

The attacks can be executed remotely.

●

The attacks can be performed by people with little knowledge of technology.


9


Security Safeguards

Figure 4: Safeguards

The figure shows a list of security safeguards. Types of Security Safeguards



Figure 5: Types of Security Safeguards

Security safeguards can be categorized as follows: ● Technical safeguards, such as firewalls, cryptographic algorithms, and certificates ●

Organizational safeguards, such as rules or guidelines

●

Physical safeguards, such as fire detection, secured rooms, and buildings

To prevent physical damage, you should establish the following measures:

10



●

Secure the buildings

●

Secure the server rooms

●

Lock the servers

●

Use underground wires

●

Install security cameras around the building

●

Define policies to lock doors

Figure 6: Technical Safeguards

There are measures available for most of the threats that have been described earlier. The figure does not represent all the possible threats and measures. It shows an example of how you can use security measures against various potential threats. An important aspect of technical security is to regularly install security patches for applications and operating systems that are provided by vendors. Even though many security lapses can be fixed, customers and users still need to update their systems regularly.


11



Technical Safeguards


Security Policies

A company or an organization needs to define a general security policy. From this general security policy, a detailed IT security policy is derived. The documents that describe the security configuration of specific components in the system landscape are then created. Security Implementation Cycle

Figure 8: Security Implementation Cycle

The figure shows how you can implement security. Analyze the risks to determine the security requirements and then look at the threats that are relevant. Determine the vulnerability to those threats and the appropriate safeguards for the threats.

12




Figure 7: Security Policies


As part of the risk analysis, conduct the following activities: ● Determine your security requirements with reference to availability, confidentiality, and integrity of data. ●

Identify the threats that could compromise your security.

●

Determine the relevance of a threat to your company (vulnerability).

●

Determine the measures or safeguards to protect your system (after you know the risks).

●

Measure the associated risk of a threat and the cost of securing your system against the risk. As a result, you can make a cost-benefit analysis.

The risk analysis process leads to creating Standard Operation Procedures (SOPs) and implementing safeguards. Prioritize the safeguards, if there are constraints against implementing all of the safeguards at one time. The security implementation cycle leads to monitoring, implementation, and education. This is not a linear process but a circular process with continuous enhancements. System upgrades and landscape changes mean that you must adapt your security measures accordingly and continuously.



Note: Security is an on-going process. You need to reassess your security policy regularly.

INTERACTIVE ELEMENT: Breakout Rooms 1. List the security measures implemented in your system environment. . . . . . . . . . .

LESSON SUMMARY You should now be able to: ●



13




14


Unit 1 Learning Assessment

1. Employee X works in ABC Company and meets employee Y who works in PQR Company. They discuss some internal issues of ABC Company. Which threat does employee X pose to ABC Company? Choose the correct answer. X

A Spoofing

X

B Code injection

X

C Social engineering

X

D Authorization misuse

Choose the correct answer. X

A Structured Query Language (SQL) injection

X

B Cross Site Scripting (XSS)

X

C Spoofing

X

D Message flooding



2. _________ is a process to modify the Internet Protocol (IP) address of the source of the Transmission Control Protocol/Internet Protocol (TCP/IP) packet.

3. What are the various reasons for implementing security?

4. List the measures that you can take to prevent physical damage to systems.

5. Identify five threats to system security.


15

Unit 1: Learning Assessment

6. List the categories of security safeguards. Give examples for each category.



16


Unit 1 Learning Assessment - Answers

1. Employee X works in ABC Company and meets employee Y who works in PQR Company. They discuss some internal issues of ABC Company. Which threat does employee X pose to ABC Company? Choose the correct answer. X

A Spoofing

X

B Code injection

X

C Social engineering

X

D Authorization misuse

Choose the correct answer. X

A Structured Query Language (SQL) injection

X

B Cross Site Scripting (XSS)

X

C Spoofing

X

D Message flooding

3. What are the various reasons for implementing security? Some reasons to implement security are: protection of intellectual property, legal issues and contracts, trust relationship with business partners, continuous business operations, protection of company image, and correctness of data. 4. List the measures that you can take to prevent physical damage to systems. Some measures that you can take to prevent physical damage to systems are: secure the buildings, secure the server rooms, lock the servers, use underground wires, install security cameras around the building, and define policies to lock doors.


17



2. _________ is a process to modify the Internet Protocol (IP) address of the source of the Transmission Control Protocol/Internet Protocol (TCP/IP) packet.

Unit 1: Learning Assessment - Answers

5. Identify five threats to system security. Some threats to system security are: penetration, authorization violation, planting, denial of service, and repudiation. 6. List the categories of security safeguards. Give examples for each category. Categories of security safeguards are: technical safeguards such as firewalls, organizational safeguards such as rules or guidelines, and environmental safeguards such as fire detection.



18


UNIT 2

Basic User Administration AS ABAP and AS Java

Lesson 1 Implementing Basic User Administration AS ABAP Exercise 1: Create Users in AS ABAP Exercise 2: Work with Roles

20 27 35

Lesson 2 Implementing Basic User Administration AS Java Exercise 3: Implement User and Group Administration

42 63

●

Implement user administration concept

●

Describe the authorization concept

●

Change login parameters and user information

●

Configure the User Management Engine (UME)

●

Describe user and group administration

●

Explain Java authorization concept




UNIT OBJECTIVES

19

Unit 2 Lesson 1 Implementing Basic User Administration AS ABAP

LESSON OVERVIEW This lesson explains the implementation of user administration in Application Server ABAP (AS ABAP). Business Example

20

●

An understanding of user administration

●

An understanding of user types and user groups

●

An understanding of authorization objects and authorization checks

●

An understanding of menus and authorizations in role maintenance

●

An understanding of users and roles

●

An understanding of login parameters



●


●





The users of the SAP system require user IDs with the appropriate authorizations to log on to the system. As an administrator, you need to set up user IDs for each user in the system. For this reason, you require the following knowledge:

Lesson: Implementing Basic User Administration AS ABAP

Basics of User Administration

Figure 9: Users in the SAP Environment

In an SAP environment, the term user usually means user ID. People log on to operating systems, database, or the SAP system using a user/password combination. Operating systems, database, and SAP systems usually have different authorization concepts. If a user name and password combination is created in an SAP system for a user, this does not mean that it is possible to log on to the operating system of a host with the same user name and password combination. However, it is possible that identical user name and password combinations are created for SAP systems and operating systems.

Note: SAP work processes process the user requests. All these work processes use a common user to access the database. This lesson deals exclusively with SAP users that are used to log on to a client of an ABAPbased SAP system. Users and authorization data are client dependent. Access to the operating system level of the application server and database server must be protected. Otherwise, it might not be possible to use the SAP systems or the data could be damaged.


21



The concepts of user master record and authorization are important to obtain a better understanding of SAP systems.

Unit 2: Basic User Administration AS ABAP and AS Java

Users and Authorizations

22

You can log on to a client of an SAP system if you know the user name and password of a user master record, and if the user type is authorized for the logon type. For example, it is not possible to log on with a communication or system user in the dialog process. In an SAP system, there is an authorization check every time a transaction is called. If you attempt to start a transaction for which you are not authorized, the system rejects the logon and displays an appropriate error message. If you start a transaction for which you have authorization, the system displays the initial screen of this transaction. Depending on the transaction called, you enter data and perform actions on this screen. There may be additional authorization checks to protect the data and actions.




Figure 10: Users and Authorizations


User Master Record

User authorizations are assigned using roles (and sometimes through manual profiles, for example, SAP_NEW). The authorizations are combined in roles and the roles are entered in the user master record.

User Type

Figure 12: User Types

The user type is an important property of a user. The following user types are available for different purposes: Dialog

●


23



Figure 11: User Master Record


The Dialog user type is used for all logon types by just one person. During a dialog logon, the system checks for expired or initial passwords, and the user has the opportunity to change his or her password. Multiple dialog logons are checked and logged in the system. ●

System The System user type is used for dialog-free communication within a system, for background processing within a system, or for Remote Function Call (RFC) users for various applications. The applications accessed using RFC include Application Link Enabling (ALE), Workflow, Transport Management System, and Central User Administration. It is not possible to use this type of user for a dialog logon. Users of this type are exempt from the usual settings for the validity period of a password. Only user administrators can change the password.

Note: For more information about the incorrect user type for the UME communication user, see SAP Note 622464.

●

Communications Data The Communications Data user type is used for dialog-free communication between systems. It is not possible to use this type of user for a dialog logon. The usual settings for the validity period of a password apply to users of this type. Service The Service user type is a dialog user that is available to a larger, anonymous group of users. In general, you should assign only highly restricted authorizations to users of this type. Service users are used, for example, for anonymous system access using an Internet Transaction Server (ITS) or Internet Communication Framework (ICF) service. The system does not check for expired or initial passwords during logon. Only the user administrator can change the password. Multiple logons are permitted.

●

Reference The Reference user type is a general user and is not specific to a particular person. It is similar to the service user. You cannot use a reference user to log on. A reference user is used only to assign additional authorizations. You can assign a reference user to a dialog user using the Roles tab page.

User Group User groups are used to distribute user maintenance among several user administrators or for mass maintenance of user data. A user group for authorization checks is required if you want to divide user maintenance among several user administrators. Only the administrator who has the authorization for this group can maintain users of this group. If you leave the field empty, the user is not assigned to any group. This means that any user administrator allowed to maintain any group can maintain the user. This assignment is part of the logon data in the user master record. For mass maintenance of user data (transaction SU10), users could be assigned to a user group on the Groups tab page. Assignments that you make on the Groups tab page are not

24




●


used for the authorization checks that are specified on the Logon Data tab page using the User Group field. This is purely a grouping that is suitable for mass maintenance. User groups can be created in transaction Maintain User Groups (SUGR).

INTERACTIVE ELEMENT: Chat 1. Take 5 minutes and write some responses to the following question in your Participant Handbook: What are the different user types available in the SAP system and for what purpose are they used? . . . . . . . .

.

User Maintenance To start user maintenance (transaction SU01), choose Tools
Logon data This tab page contains details such as password, validity period of the user, and user type. For further information about the password rules for special users, see SAP Note 622464.

●

Secure Network Communications (SNC) This tab page contains the security functions (external product) that are not directly available, but have been prepared in SAP systems. Note the usage regulations for the country in which you want to use this function.


25



.


Hint: The SNC tab page is not automatically displayed in every version of transaction SU01. This depends on the product/system/release and the Support Package (SP) level. This tab page becomes visible when you are using SNC and have activated the profile parameter snc/enable. For more information about using network security products, see SAP Note 66687.

●

Defaults This tab page displays the default values, such as the default printer and the logon language.

●

Parameters This tab page displays the user-specific values for standard fields in SAP systems.

●

Roles and Profiles This tab page displays the roles and profiles assigned to the user.

●

Groups This tab page is used for grouping users for mass maintenance. Personalization This tab page is used for applying personal settings. Some transactions require personal settings that affect the appearance of a particular transaction code. These settings can be stored (prepopulated) using personalization objects on this tab page.

Note: The SAP application developer decides whether and when the personalization functions are available. There is no special Customizing switch that the customer has to activate. For SAP programs, any subsequent programming of this function is always a modification. As a result, subsequent programming of this function is rarely implemented in practice.

●

License Data This tab page is used to specify the contractual user type of the user. The license data is required for system measurement.

When creating a user, you must maintain at least the following input fields: Last name on the Address tab page

●

●

26

Initial password and identical repetition of password on the Logon Data tab page




●

Unit 2 Exercise 1 Create Users in AS ABAP

Business Example You need to create new users. Create a user in client 100 with the name ADMIN<##>, where <##> is your group number. 1. Log on to client 100 in your SAP system, and create a user (master record) with the name ADMIN<##>. 2. Maintain the first and last names of the user. 3. Assign the user an initial password. Make sure that you use the correct upper and lower case. Assign the password to User Group for Authorization Check SUPER. 4. Enter a default value for the logon language for the user (for example, EN or DE). 5. Save the user master record.




27

Unit 2 Solution 1 Create Users in AS ABAP

Business Example You need to create new users. Create a user in client 100 with the name ADMIN<##>, where <##> is your group number. 1. Log on to client 100 in your SAP system, and create a user (master record) with the name ADMIN<##>. a) Run transaction SU01. b) On the User Maintenance: Initial Screen, enter the name ADMIN<##> in the User field, and choose the Create pushbutton.

28

a) On the Address tab page, enter the names in the Last name and First name fields. 3. Assign the user an initial password. Make sure that you use the correct upper and lower case. Assign the password to User Group for Authorization Check SUPER. a) On the Logon Data tab page, enter the password in the Initial password field. b) Enter the password again in the Repeat password field. c) Enter SUPER in the User group field. 4. Enter a default value for the logon language for the user (for example, EN or DE). a) On the Defaults tab page, enter EN for English or DE for German in the Logon Language field. 5. Save the user master record. a) Save the changes.




2. Maintain the first and last names of the user.


Authorization Objects and Authorization Checks

Figure 13: Authorization Object

In an ABAP-based SAP system, authorization objects protect actions and access to data. The authorization objects are delivered by SAP and are in SAP systems. To provide a better overview, authorization objects are divided into various object classes. Authorization objects allow complex checks that involve multiple conditions. The conditions allow a user to perform an action. The conditions are specified in authorization fields for the authorization objects and are AND linked for the check. Authorization objects and their fields have descriptive and technical names. In the example shown in the figure, the authorization object User Master Maintenance: User Groups (technical name: S_USER_GRP) contains two fields, Activity (technical name: ACTVT) and User Group in User Master Record (technical name: CLASS). The authorization object S_USER_GRP protects the user master record. An authorization object can include up to 10 authorization fields. An authorization is always associated with exactly one authorization object and contains the value for the fields for the authorization object. An authorization is a permission to perform a certain action in the SAP system. The action is defined on the basis of the values for the individual fields of an authorization object. For example, Authorization B in the figure for the authorization object S_USER_GRP allows the display of all user master records that are not assigned to the user group SUPER. Authorization A, however, allows the display of records for this user group. There can be multiple authorizations for one authorization object. SAP delivers some authorizations, but most authorizations are created specifically for the customer’s requirements.


29



To understand the ABAP authorization concept, you must have some knowledge of roles and authorization profiles in the user master record. You also need to understand how to create your own roles and authorizations.


Authorization Check

Figure 14: Authorization Check

When the user calls a transaction, the system checks whether the user has an authorization in the user context that allows him or her to call the selected transaction. Authorization checks use the authorizations in the user context. If you assign new authorizations to the user, it may be necessary for this user to log on to the SAP system again to be able to use these new authorizations. (For more information, see SAP Note 452904 and the documentation for the parameter auth/new_buffering.) If the authorization check for calling a transaction was successful, the system displays the initial screen of the transaction. Depending on the transaction, the user can create data or select actions. When the user completes his or her dialog step, the data is sent to the dispatcher, which passes it to a dialog work process for processing. Authority checks (AUTHORITY-CHECK) that are checked during runtime in the work process are built into the coding by the ABAP developers for the data and actions that are to be protected. If the user context contains all required authorizations for the checks (return code = 0), the data and actions are processed and the next screen is displayed. Even if one authorization is missing, the data and actions are not processed and the user receives a message that his or her authorizations are insufficient. The value of the return code controls this step. In this case, the value of the return code is not equal to 0. All authorizations are permissions. There are no authorizations for prohibiting. Everything that is not explicitly allowed is forbidden. You can call this a positive authorization concept.

30




When a user logs on to a client of an SAP system, his or her authorizations are loaded in the user context. The user context is in the user buffer (in the main memory, query using transaction SU56) of the application server.


Role Maintenance – Menus and Authorizations

Role maintenance (transaction PFCG, previously also called Profile Generator) simplifies the creation of authorizations and their assignment to users. In role maintenance, transactions that belong to the company’s point of view are selected. Role maintenance creates authorizations with the required field values for the authorization objects that are checked in the selected transactions. A role can be assigned to various users. Changes to a role, therefore, have an effect on multiple users. Users can be assigned various roles. Menu Layout

Figure 16: Menu Layout


31



Figure 15: Role Maintenance


The user menu comprises role menu(s) and contains entries that are assigned to the user through the roles. Examples of such entries include transactions, URLs, and reports. You can access role maintenance with transaction PFCG or by choosing Tools[Ìj?ûBTAdministration[Ìj?ûBTUser Maintenance[Ìj?ûBTRole Administration[Ìj?ûBTRoles. Enter the name of the role, and choose Create or Change. Choose the Menu tab page. Select and change functions by adjusting the menu tree for the individual roles, as required. You can also insert or delete transactions into or from the tree structure. By choosing the function Report in the dropdown menu of the Insert pushbutton, you can integrate reports. In this case, role maintenance creates transaction codes (if they do not already exist) with which the reports can be called. By choosing the function Web address or file in the dropdown menu of the Insert pushbutton you can add Internet addresses or links to files (such as tables or text files). When integrating files, you must use storage paths instead of URLs. You can also specify Business Warehouse (BW) Web Reports and links to external mail systems and the Knowledge Warehouse (KW). In the change menus, you can create, move, delete, and rename directories and subdirectories, as required. You can use the function Drag & Drop in role maintenance. Authorization Profiles Generation



Figure 17: Generating Authorization Profiles

Role maintenance automatically creates the authorizations associated with the transactions specified in the menu tree. However, all authorization values must be manually checked and adjusted, if required, in accordance with the actual requirements and authorities. The system administrator is responsible for this task, together with the appropriate user department. When using organizational levels, you do not carry out maintenance directly in the field but by means of the Organizational Levels pushbutton (CTRL+F8). Choose the Authorizations tab page and then choose Display Authorization Data or Change Authorization Data pushbutton depending on the maintenance mode. Check the scope and contents of the authorizations.

32



If the system has proposed these authorizations, a green traffic light in the authorization overview indicates that role maintenance has supplied at least one proposal for each authorization field. A yellow traffic light indicates that the authorization must be manually maintained after it has been created. Role maintenance does not provide a default value for the authorization. While accessing files, role maintenance cannot determine whether data access should only be read access or read and write access. Some fields appear in many authorizations. A number of important fields, are therefore, combined into organizational levels, such as the company code. If you maintain an entry for the organizational level using the Organizational Levels pushbutton, you can then maintain all the fields that appear there in one go. A red traffic light indicates an unmaintained organizational level. When all authorizations are maintained as required, the authorization profile can be generated by choosing Generate. After creation, this name cannot be changed. The authorizations are combined into profiles.

Note: The second character of the profile name must not be an underscore (_) (see SAP Note 16466).



The profiles must be entered in the user master record (by the role maintenance) for the authorizations to take effect for the user. This is called user master record comparison.

Users and Roles

Figure 18: Assigning Roles to Users

The assignment of users to roles is performed in the role maintenance transaction (transaction PFCG) or in the user maintenance transaction (transaction SU01). Choose the User tab page and the user IDs to be maintained. When selecting user IDs, the system uses the current date as the start of the validity period of the assignment and sets 31.12.9999 as the end date. You can change both values.


33


Users can be linked to more than one role. This can be useful if some activities, such as printing, are to be permissible across roles. The assignment of roles to users does not automatically grant the corresponding authorizations to the users. To assign the authorizations, you must perform a user master record comparison, during which the profiles assigned to the roles are entered in the user master record. User Master Record Comparison

34

A user master record comparison determines whether authorization profiles should be added or removed from the current user based on his or her role assignment. During comparison, profiles are added to a user master record due to roles that have been added. If role assignments are manually or time-dependently removed, the corresponding authorization profiles are deleted from the user master record. The comparison can be individually performed for every role. Select the role in role maintenance. Choose the User tab page, and choose User comparison. In the dialog box that the system displays, choose Complete comparison. If multiple role assignments are to be updated, you can perform a corresponding comparison in role maintenance by choosing Utilities”ß0w §óÛMass comparison (transaction PFUD). You can individually specify the desired roles or update all assignments by entering the asterisk (*) character. You can also activate the periodic user master record comparison in role maintenance by choosing Utilities”ß0w §óÛMass comparison. Select the Schedule or check job for full reconciliation option. The system then displays a search window for the background job PFCG_TIME_DEPENDENCY. If it does not find a corresponding job, you can create a new one. The default value is that the comparison of all user master records takes place once every day.




Figure 19: User Master Record Comparison

Unit 2 Exercise 2 Work with Roles

Business Example Authorizations for users are created using roles and profiles. Administrators create the roles, and the system supports them by creating the associated authorizations. Task 1 Copy a role template and assign it to a user. 1. Choose the single role SAP_BC_ENDUSER that was delivered. Copy this completely to your role BC_ENDUSER<##>. 2. Check the transactions assigned for the user menu with this role. 3. Check the authorizations for the role and maintain open authorizations, if necessary. 4. Assign the role to user ADMIN<##>, and save your settings.

Task 2 Check the user ADMIN<##>. 1. Log on to the SAP system with the user ADMIN<##> and your chosen password. Check whether the user can execute the transactions you assigned.


35



5. Perform a user comparison.

Unit 2 Solution 2 Work with Roles

Business Example Authorizations for users are created using roles and profiles. Administrators create the roles, and the system supports them by creating the associated authorizations. Task 1 Copy a role template and assign it to a user. 1. Choose the single role SAP_BC_ENDUSER that was delivered. Copy this completely to your role BC_ENDUSER<##>. a) Run transaction PFCG.

c) Choose the Copy Role pushbutton. d) Enter BC_ENDUSER<##> in the to role field in the Query dialog box that appears. e) Choose the Copy all pushbutton. 2. Check the transactions assigned for the user menu with this role. a) On the initial screen of transaction PFCG, choose the Change pushbutton. Alternatively, choose Role»T{$½tÖÃChange for the role BC_ENDUSER<##>. b) On the Menu tab page, choose the Search pushbutton. c) Expand Basis Functions. 3. Check the authorizations for the role and maintain open authorizations, if necessary. a) On the Authorizations tab page, choose the Change Authorization Data pushbutton. b) Check the authorizations for the role and maintain open authorizations, if necessary. For example, choose the yellow traffic light pushbutton and confirm the system query (whether full authorization should be assigned with Execute). c) On the Change Roles: Authorizations screen, choose the Generate pushbutton and save the profile settings. d) Accept the proposed profile name in the process. Confirm the message and exit from the Change Roles: Authorizations screen. Note: You do not need to save again because this was already performed with the Generate function. 4. Assign the role to user ADMIN<##>, and save your settings.

36




b) On the Role Maintenance screen, enter SAP_BC_ENDUSER in the Role field.


a) On the User tab page, enter ADMIN<##> in the User ID field. b) Save your settings. A user master comparison has not yet been performed, however, (next subtask). If the user ADMIN<##> does not exist, create a user with this name in transaction SU01 in a new session. 5. Perform a user comparison. a) Choose the User Comparison pushbutton and then choose the Complete comparison pushbutton. b) Exit and go back to the initial screen for PFCG, and save the data. Task 2 Check the user ADMIN<##>. 1. Log on to the SAP system with the user ADMIN<##> and your chosen password. Check whether the user can execute the transactions you assigned. a) Log on to the SAP system with the user ADMIN<##>. b) Switch to the user menu, and execute some of the assigned transactions.




37


Login Parameters

Figure 20: System Parameters for User Logons 1

The following questions are considered when dealing with login parameters: ● Which system settings can be used to influence logon behavior? ●

How can errors and problems be analyzed?

You can set the minimum length for passwords with the parameter login/min_password_lng. The parameters login/min_password_digits, login/min_password_letters, login/ min_password_lowercase, login/min_password_ uppercase, and login/ min_password_specials specify the minimum number of digits, letters (number of upper and lower case), or special characters that a password must contain. The parameter login/password_expiration_time specifies the number of days after which ëÒj*d®²Ð|Ù¹¡çyë?<‹Ž½T¬©íÇwÃq,ï‹ûšûä˚‚àhrÛ¯tÇe?)Š%s‰?š„ß²,›f˚þ>1¥5¿ló™>‡EéògiÛ‘¢D9Jâ…¨‘ ˇ…ø˙q)�-½þÛ…›-ö%^ý÷Š„g£¡·Wc0, the user does not need to change his or her password. The general rules for a password that cannot be deactivated are as follows: A password must not begin with “?” or “!”.

●

●

A password must not be the keyword pass.

Hint: The setting that determines that users must create a new password that differs from the previous five passwords they have entered is no longer mandatory. You can use the parameter login/password_history_size to set the history from between 1 and 100. The proposed standard value remains 5. You can define additional password restrictions in the table USR40. SAP Web Application Server 6.20 and 6.40 offered the parameters login/password_max_new_valid and login/ password_max_reset_valid. They specified how long an initial password for a newly created

38




This section deals with authorizations in the SAP system from an operational point of view.


user or a password that was reset by an administrator was valid. With SAP NetWeaver AS 7.0, they have been replaced by parameter login/password_max_idle_initial.

Hint: The parameter login/password_max_idle_initial indicates the maximum length of time during which an initial password (a password that the user administrator selects) remains valid if it is not used. Once this period expires, the password can no longer be used for authentication. The user administrator can reactivate the password logon by assigning a new initial password.

Caution: If you are using a Basis release prior to 6.20, the system may behave in a manner you do not expect with the parameters login/password_max_reset_valid and login/password_max_new_valid. Check SAP Note 450452 beforehand to see which settings are possible for your particular release level.

With the parameter login/min_password_diff, the administrator can determine the number of different characters a new password must possess in comparison with the old one when users change their passwords. This parameter does not take effect when a new user is created or passwords are reset (initial password). System Parameters for User Logons 2/2

Figure 21: System Parameters for User Logons 2


39



Another new parameter in SAP NetWeaver AS 7.0 is login/password_ max_idle_productive. This indicates the maximum length of time a productive password (a password that the user chooses) remains valid when it is not used. Once this period expires, the password can no longer be used for authentication. The user administrator can reactivate the password logon by assigning a new initial password.


You can set the number of failed logon attempts after which the SAP GUI is terminated using the parameter login/fails_to_session_end. If the user wants to try again, he or she must restart the SAP GUI. You can set the number of failed logon attempts after which a user is locked in the SAP system using the parameter login/fails_to_user_lock. The failed logon counter is reset after a successful logon attempt.

Hint: At midnight (server time), the users that were locked as result of incorrect logon attempts, are no longer automatically unlocked by the system (default value since SAP NetWeaver 7.0). You reactivate this automatic unlocking with the parameter login/failed_user_auto_unlock = 1. The administrator can unlock, lock, or assign a new password to users in user maintenance (transaction SU01). If the parameter login/disable_multi_gui_login is set to 1, a user cannot log on to a client more than once. This can be desirable for system security reasons. If the parameter is set to 1 and the user logs on again then the user has the option to continue with this logon and end any other logons in the system or terminate this logon. Users to whom this should not apply should be specified in the parameter login/multi_login_users. The insertion in the parameters should be separated with commas and with no spaces.



40





●


●





41

Unit 2 Lesson 2 Implementing Basic User Administration AS Java

LESSON OVERVIEW This lesson provides an overview about the User Management Engine (UME) and UME configuration. This lesson also presents the tools for the administration of users and groups. In addition, the lesson describes how authorizations control which functions are permitted for a user and the assignment of these authorizations to a user. Business Example

●

An understanding of UME data source(s) and parameters

●

An understanding of user and group administration

●

An understanding of UME roles and JEE security roles



You use Application Server ABAP (AS ABAP) and Application Server Java (AS Java)-based systems. You want to ensure consistent user master data within a heterogeneous system landscape. For this reason, you require the following knowledge:



●


●


Basics AS Java provides an open architecture supported by service providers for the storage of user and group data. The AS Java is supplied with the following service providers (user store): ● Database Management System (DBMS) provider This is used for storage in the system database. ●

Universal Description, Discovery and Integration (UDDI) provider This is used for storage using external service providers.

●

UME provider qÉ–d,•ÍýžP S57¨Ã|®úöu”›úeV®Y+−Cä,ÌUÈ±fÞ“š−5Up<˙ý¦þ
The DBMS and UDDI providers implement standards and, therefore, ensure that AS Java is Java 2 Enterprise Edition (J2EE)-compliant. When AS Java is installed, SAP’s own UME is

42


Lesson: Implementing Basic User Administration AS Java

always set up as the user store and is the preferred choice for most SAP customers. The UME is the only way to flexibly set up and operate user and authorization concepts. Important features of the UME: ● The UME has its own administration console for administering users. It allows the administrator to perform routine tasks of user administration, such as creating users and groups, role assignment, and other actions. ●

●

●

●

The UME provides security settings that can be used to define password policies, such as minimum password length and the number of incorrect logon attempts before a user is locked. The UME provides different self-service scenarios that applications can use. For example, a user can change his or her data or register as a new user. Newly created users can be approved using a workflow. The UME uses an export or import mechanism by which user data can be exchanged with other (AS Java or external) systems. The UME logs important security events, such as a user’s successful logons or incorrect logon attempts, and changes to user data, groups, and roles.



User Store and Data Sources

Figure 22: User Store and Data Sources

The UME supports the following data sources where user data can be stored: ● System database ●

Directory service (Lightweight Directory Access Protocol (LDAP) server)

●

ABAP-based SAP system (as of SAP Web AS 6.20)


43


Architecture of the UME

The figure shows the architecture of the UME. The UME is a Java application that runs on AS Java. The UME covers the following functional areas: UME core layer

●

The UME core layer provides persistence managers between the application programming interface (API) and the user management data sources. The persistence managers control where the user data such as users, user accounts, groups, roles, and their assignments are read from or written to. Therefore, the applications that use the API do not have to know where the user management data is stored. ●

UME API layer The UME API layer provides APIs not just for UME developers but also for customers and partners. This means that you can access the UME functions with the Java programs that you develop yourself.

●

UME services The UME provides the following services to higher-level software layers: -

●

44

Logon procedure and Single Sign-On (SSO) (logon to AS Java is taken over for other systems and vice versa)

-

Provisioning processes through user master data

-

Authorization concept

UME UI




Figure 23: Architecture of the UME


The UME is responsible for UI, which appears in the web browser in some logon procedures. The UME is also responsible for the UI of the UME administration console. The SAP NetWeaver usage types that are based on AS Java, such as SAP NetWeaver Portal, are based on the UME and perform a number of specific functions on this basis. Examples of tW*ú^Ìõ¦LÊÐ–ıþkI˚q\“5ÆPŒÏÑÇ?G˛ÊÖè}„!ÃmÒ“‡ ìÒç´¦˘`‰pªÇˇ”þD±l
Figure 24: Data Partitioning

The UME persistence manager offers the option of storing user data in different data sources. The UME persistence manager also supports data partitioning. This means, for example, user data for different user types can be stored in different data sources. In practice, you often work with a combination of the data sources, such as database and directory service or database and ABAP user management. Working with a combination of tW-úFÌõ¦ÊÝ–šþvI˝q\“ ÆJ“ÏÀÇ?GÊflè.„öÃ(ÒÄ‡ìÐç¶¦M`œpªÇI”ìD¦a<~RŽú˚—Y¨µ¬3(j-ÏLô¡ƒNä¯+ˆ−îÓ| ÿ qhnÃ@PgD¨èðr'~]NŁaJïÌ˝C§pÞ˜Iłˇ1×ò¬çX^fi˝>×å®';n&.1cºŠ°KõUm[»Ð1k¹1kÊ˙Æ˜ı"AôšíåbÐ users by their categories (internal or self-registered users). The different types of data partitioning are as follows: Attribute-based data partitioning

●

With attribute-based data partitioning, a user in the UME has certain attributes, some of which are classified as global attributes (such as user ID and telephone number) and others are application specific. The system mostly stores the global information in a directory service and application-specific information in the database. ●

User-based data partitioning With user-based data partitioning, the data source in which users are stored is dependent on the category of the user (self-registered or internal users). For example, users who register by self-service can be stored in the database and internal users can be stored in the directory service.

●

Type-based data partitioning


45



Data Partitioning


With type-based data partitioning, different object types can be distributed to different data sources. Examples of object types are users, groups, roles, and user accounts. For example, users can be stored in the directory service and roles in the database. SAP delivers preconfigured data source combinations, which you should change only in special cases. For example, if you are using a directory service as a data source, you may need to perform attribute mapping. You generally use the delivered preconfigured data source combinations without additional changes.

46

Figure 25: Data Source(s) After Installation

The data source(s) stored in the AS Java database are configured in the form of configuration files (in the XML format). In most cases, the installation option is retained or the configuration of data sources is done immediately after AS Java installation. The data source that is set up during AS Java installation depends on the following SAP NetWeaver usage types: Usage Type

Data Source

Configuration File

AS Java (without ABAP)

System database

dataSourceConfiguration_dat abase_only.xml

AS ABAP + Java

ABAP system

dataSourceConfiguration_ab ap.xml




Data Source(s)


Supported Change Options

Modifying data sources after installation can result in inconsistencies. Therefore, certain restrictions apply to the modification of UME data sources. The figure explains the supported modification options.

Hint: Please make sure that you observe SAP Note 718383.

The following changes are supported in UME data sources: System database (dataSourceConfiguration_database_only.xml)

●

You can switch to any required LDAP configuration file (dataSource- Configuration_[ldap description]_db.xml) or an ABAP system (dataSourceConfiguration_abap.xml). In this case, you must make sure that the new data source does not contain any users and groups with the same unique attributes as in the database. For example, the new data source must not contain any users or groups with the same unique name or ID as the users or groups in the database. ●

ABAP system (dataSourceConfiguration_abap.xml) No change is possible.

●

Directory service (dataSourceConfiguration_[ldap description]_db.xml) If you have selected an LDAP directory as the user data source, you can modify the structure of the LDAP directory or switch to a different LDAP, if this does not modify any unique user IDs.


47



Figure 26: Supported Change Options


Example of a Heterogeneous System Landscape

48

The figure shows a complex system landscape with AS ABAP, AS Java, and non-SAP systems. In this type of heterogeneous system landscape with SAP and non-SAP systems, it is useful to use a directory service as the primary storage location for user data. As shown in the figure, the ABAP systems are administered with Central User Administration (CUA). CUA synchronizes user data with the directory service. In case of AS Java systems, the directory service is configured as the data source. Non-SAP systems also have access to user data through the directory service.




Figure 27: Example of a Heterogeneous System Landscape


SAP NetWeaver Identity Management

In SAP NetWeaver Identity Management, SAP provides integrated, business process-driven Identity Management functions for a heterogeneous system landscape. SAP NetWeaver Identity Management uses a central identity store to consolidate and save data from various source systems (for example, SAP ERP Human Capital Management (SAP ERP HCM)). This information is distributed to connected target systems. User accounts and role assignments for SAP and non-SAP applications are distributed. Role assignments can be automated using rule definitions. An important function of SAP NetWeaver Identity Management is the option of making authorization assignment workflow-controlled. Integration with SAP ERP HCM as one of the possible source systems for identity information is a key function for business process-driven Identity Management.

Note: For more information about SAP NetWeaver Identity Management, see the SAP Developer Network (https://www.sdn.sap.com/irj/sdn/nwidentitymanagement).


49



Figure 28: SAP NetWeaver Identity Management


Tools for UME Configuration (Viewing and Modifying)

The figure lists the tools with which you can display and change the UME configuration.

Note: For more information about global settings for UME properties, see SAP Note 948654. The tools to view and modify the UME configuration are as follows: ● UME administration console You can use the UME administration console running in the web browser to modify selected settings even without knowing the technical parameter names (path: http(s):// : /useradmin ¶·úœ•å˚Configuration).

Hint: Many settings do not require a restart. If a restart is necessary, you are notified accordingly after you save the properties.

Hint: As of 7.20, an Expert mode is available in the configuration area, which enables you to maintain most of the UME properties.

●

50

Configuration tool (Configuration Editor mode)




Figure 29: Tools for UME Configuration (Viewing and Modifying)


You are able to access all the UME settings only in the Configuration Editor mode (path: cluster_configÉRë}ÁÑ�systemÉRë}ÁÑ�custom_globalÉRë}ÁÑ�cfgÉRë}ÁÑ�servicesÉRë}ÁÑ�com.sap.security.core.ume .serviceÉRë}ÁÑ�Propertysheet properties). ●

SAP NetWeaver Administrator, Java Configuration Browser You can use the SAP NetWeaver Administrator running in the web browser to view all the UME parameters (including tooltip with descriptive text). Choose Configuration InfrastructureÉRë}ÁÑ�Java Configuration Browser and then ÉRë}ÁÑ�cluster_configÉRë}ÁÑ�systemÉRë}ÁÑ�custom_globalÉRë}ÁÑ�cfgÉRë}ÁÑ�servicesÉRë}ÁÑ�com.sap.sec urity.core.ume.serviceÉRë}ÁÑ�properties.

Note: In the SAP NetWeaver Administrator, you can also view the UME parameters (choose ConfigurationÉRë}ÁÑ�InfrastructureÉRë}ÁÑ�Java System PropertiesÉRë}ÁÑ�Overview). Select a template or an instance there. Then, select service User Management Engine on Services tab page. The UME parameters are now selected. Do not change any values here; just use the global change options. SAP NetWeaver Administrator, Authentication As of SAP NetWeaver AS 7.11, some UME parameters regarding logon can be changed online in the SAP NetWeaver Administrator by choosing ConfigurationÉRë}ÁÑ�SecurityÉRë}ÁÑ�Authentication and Single Sign-OnÉRë}ÁÑ�Properties. ●

UME Configuration iView If usage type EP Core has been installed in your SAP NetWeaver system, you can use the portal interface to access an iView for UME configuration. This offers setting options similar to the UME administration console (portal path: System AdministrationÉRë}ÁÑ�System ConfigurationÉRë}ÁÑ�UME Configuration).

Caution: Before you make any changes to the UME configuration, you should first back up the current configuration. You can do this using a function in the UME administration console (User Management ConfigurationÉRë}ÁÑ�SupportÉRë}ÁÑ�Download Configuration ZIP File), which saves the current configuration data in a ZIP file. This file allows you to record and trace the changes. However, they are not intended to be reimported in AS Java.

The steps to perform various advanced settings in Configuration Editor mode are as follows: 1. Stop all the Java instances in your system. 2. Start the Configuration Tool. 3. Switch to the Configuration Editor mode. 4. Switch to change mode.


51



●


5. Choose cluster_config;,A€‡ž°system;,A€‡ž°custom_global;,A€‡ž°cfg;,A€‡ž°services;,A€‡ž°com.sap.security.core.um e.service;,A€‡ž°Propertysheet properties and double-click Propertysheet properties. 6. Make the required changes (Apply Custom). 7. Start the Java instances on the system.

52

Figure 30: Displaying the Active Data Source

The figure shows how you can find out the current active data source in the Offline Configuration Editor mode.




Displaying the Active Data Source


UME Parameters

After you have selected and configured a data source, there are many other parameters with which you can influence the behavior of the UME. The figure provides an overview of the relevant areas. The important UME parameters are as follows: Date source(s)

●

●

Security policy

●

E-mail notification

●

Logging on and off

●

SAP logon ticket

●

Groups

●

Administration

The following table shows the data source(s) parameter: Date Source(s) Parameter

Description

ume.persistence.data_source_configuration

Name of the UME configuration file (depending on the data source, other parameters may be relevant for connecting the data source)

The following table shows the various security policy parameters:


53



Figure 31: Functions of the UME Parameters


Security Policy Parameter

Description

ume.logon.security_policy.auto_unlock_time

Specifies number of minutes after which a ¸KÛJO–çqº�±Dñ] }7•»nQoafl:1±3À)¡O&æ°†Åä:ÜuAÃ«ÀIÌB˛$ºÑû÷Tìgü[¶› Ÿö˚®k–}•j attempts is unlocked again (if the value is 0, then the user remains locked)

ume.logon.security_policy.lock_after_invalid_ ¸KÛ{O–ˇçfºÿ±Eñ[ p7”»xQ+aÚ:&±;À(¡K&æã†Ïä|Ü:AÌ«”IÓM˛>ºÙûÿT%g¸[z›Efiö˚®b attempts attempts after which a user is locked (automatically set to 0 in an AS ABAP+Java) ume.logon.security_policy.password_special_ Determines the minimum number of special char_required characters that the password must contain

ume.logon.security_policy.password_expire_ days

Determines number of days before the password expires

ume.logon.security_policy.password_max_le ngth or ume.logon.security_ policy.password_min_length

Specifies maximum or minimum length of the password

ume.logon.security_policy.useridmaxlength Determines maximum or minimum length of or ume.logon.security_policy.useridminlength the user ID There are different security policy profiles, for example, Default and Technical User. The properties for the profile Technical User are hard coded and cannot be changed. The properties can be viewed by selecting the profile in useradmin¸KÛ�nâ–ÍConfiguration¸KÛ�nâ–ÍSecurity Policy. Changes to the Default security profile properties affect the properties mentioned in the security policy parameters table and vice-versa. You can create your own security policy profiles where you can maintain property settings that are different to the Default security policy profile. You can view these settings and maintain them only in the simple mode. These settings are not accessible through the Expert mode or the Configuration Editor mode of the Configuration Tool. In the UME administration console, you can maintain users and assign them security policy profiles. Therefore, you can have users with different values of the security policy properties. By default, the Default security policy profile is assigned to a user. E-mail Notification You can configure the UME in such a way that in certain situations (for example, after locking a user), you can send e-mails through an external Simple Mail Transfer Protocol (SMTP) server. For this to be possible, you need to store valid e-mail addresses in the user master records. The following table shows the various e-mail notification parameters:

54

E-mail Notification Parameter

Description

ume.notification.mail_host

This is the name of the SMTP server for the e-mail notification




ume.logon.security_policy.password_alpha_n Specifies the minimum number of numeric umeric_required and alphabetical characters that the password must contain (for example, if the number is three, then the password must contain at least three numbers and three letters)


E-mail Notification Parameter

Description

ume.notification.create_performed or ume.notification.delete_performed

The user receives an e-mail as soon as the administrator creates or deletes a user

ume.notification.create_approval or ume.notification.create_denied

The user receives an e-mail as soon as the administrator approves or rejects the creation of a user account

ume.notification.lock_performed bzw. ume.notification.unlock_performed

The user receives an e-mail when the administrator locks or unlocks the user

ume.notification.pswd_reset_request

The user sends an e-mail to the administrator when the password is to be reset

ume.notification.unlock_request

The user sends an e-mail to the administrator when the account is to be unlocked

ume.notification.system_email

The sender’s e-mail address is sent with a dummy name (the address does not have to exist)

Logging On and Off Parameter

Description

ume.logon.branding_image

Path to the image is displayed on the logon screen

ume.logoff.redirect.url

The address that is called following logoff (only for the SAP NetWeaver portal)

The following table shows various SAP logon ticket parameters: SAP Logon Ticket Parameter

Description

logon.ticket_lifetime

Lifetime of the SAP logon ticket (Format: :)

logon.ticket_client

Dummy client written to the SAP logon ticket (default 000, in the case of AS ABAP with Java must be set to a client (value) which is not used in the ABAP system)

ume.logon.security.relax_domain.level

Number of subdomains to be removed (for example, a value of 2 means that the SAP logon tickets issued by a system on the host twdf1234.wdf.sap.corp are sent to servers in the domain sap.corp).

The following table shows various groups parameters:


55



The following table shows the various logging on and off parameters:


Groups Parameter

Description

ume.supergroups.anonymous_group.display name

ID of the group of anonymous users (default Anonymous Users)

ume.supergroups.authenticated_group.displa ID of the group of logged on users (default yname Authenticated Users) ume.supergroups.everyone.displayname

ID of the group of all users (default Everyone)

ume.virtual_groups.names

IDs of virtual groups (formed on the basis of certain user properties)

Administration Parameter

Description

ume.admin.addattrs

Makes it possible to add customer-specific attributes to the user master record

ume.admin.search_maxhits

Maximum number of search hits displayed in the administration console (default 1,000)

ume.admin.search_maxhits_warninglevel

Number of hits as of which a warning is issued in the administration console (default 200)

ume.admin.wd.url.help

URL to the online documentation (for example, it may point to the customer’s local help system)

ume.admin.wd.table.size.

Specifies the number of rows for output in the administration console (for , there are small, medium, and large.)

Link between Users, Groups and Roles In the UME environment, the term principle designates central objects mentioned in the following table: Principle

Meaning

User

General properties of a user (such as name, e-mail, telephone number, and so on)

User account

Logon-related properties of a user (such as password, validity, lock indicator and so on)

Group

Set of user and/or groups

Role

Set of (Java) authorizations

Users and user accounts are different principles, which are typically associated with each other. When the term user is employed, it is intended for the associated principles user and user account.

56




The following table shows various administration parameters:


Note: Depending on the SAP NetWeaver usage type, the principles have an additional meaning. Therefore, in an SAP NetWeaver portal, there are portal roles that are also handled in the same way as a UME principle.

Figure 32: Assigning Principles

The figure shows how you can assign principles. Users are usually assigned to groups to which roles are then assigned. However, it is also possible to directly assign roles to users. The principle group supports the hierarchies of groups. A group may also possess higher and lower-level groups. Users possess the following roles: Roles that are directly assigned to users.

●

●

Roles that are assigned to the groups to which users belong.

●

Roles that are assigned to the higher-level groups of the groups to which they belong.

When performing a search in the UME administration console, you must always check the field Search Recursively if you want to see indirectly assigned principles.


57



Assigning Principles


Special Features of the ABAP System Data Source

If you use a client of an ABAP system (and, consequently the configuration file dataSourceConfiguration_abap.xml) as the data source, UME behaves in a certain manner. The UME behavior is as follows: ● The ABAP users are visible in AS Java and can logon to AS Java with their ABAP passwords. ●

●

The ABAP roles are depicted in AS Java as UME groups of the same name. In AS Java, the assignment of ABAP users to ABAP (composite) roles appears as the assignment of UME users to UME groups.

The reason for this group administration concept is the shared authorization administration for applications that have both ABAP and Java components. Applications such as Process Integration (PI), for example, possesses both ABAP and Java components. The ABAP authorizations are mapped with PFCG roles. The JEE authorizations are mapped with UME roles. A user must be assigned a PFCG role in the ABAP system and a UME role on the Java side for the user to have both ABAP and Java authorizations. To avoid the double effort of role assignments, the PFCG roles are visible as groups in the UME. The PFCG role (a group) can be assigned a UME role in the UME. If a user is assigned the PFCG role in the ABAP system, he or she automatically receives the authorizations from the UME role. Assigning authorizations, therefore, becomes simpler. The connection between the UME in an AS Java and user management in an AS ABAP is established through the Java Connector (JCo). For this purpose, a communication user existing in ABAP is stored as a UME parameter (this usually has SAPJSF in its name). This communication user’s ABAP authorization determines whether it is possible to modify ABAP user master records using UME resources.

58




Figure 33: Special Features of the ABAP System Data Source


The access provided is as follows: The role SAP_BC_JSF_COMMUNICATION_RO gives the UME read access to the user data in the AS ABAP.

●

●

The role SAP_BC_JSF_COMMUNICATION gives the UME write access to the user data in the AS ABAP.

Hint: Even if the communication user gets write access to the user data in the AS ABAP, assigning users to PFCG roles in the UME is not possible.

Note: If an ABAP system is used as the data source, certain restrictions apply. These are listed in the online documentation.

For more information about companies and the delegated user administration of the AS Java, see the online documentation for SAP NetWeaver 7.3x, path SAP NetWeaver Library: Function-Oriented Viewr'ãåh�HSecurityr'ãåh�HIdentity Managementr'ãåh�HUser Management of the Application Server Javar'ãåh�HConfiguring User Managementr'ãåh�HConfiguring Delegated User Administration Using Companies.


59



When configuring the ABAP data source, the ABAP user groups appear as Companies in the UME; this was introduced in Release 7.10. The assignment of the user group for authorization check in the user master record of the user in AS ABAP (transaction SU01) is represented in the UME as an assignment to the company. The delegated user administration can then be immediately used even after the installation in the AS Java.


Administration Tools

The figures, in this section, explain the tools that you, as an administrator, can use to maintain users and groups. The most important tool for a user administrator in an AS Java system is the UME administration console. This tool functions independent of the configured data source and is implemented as an application running in a web browser (based on Web Dynpro Java). You can start the user-friendly UME administration console in one of the following ways: ● Using the URL http(s)://.:/useradmin ●

●

Using the SAP NetWeaver Administrator (URL …/nwa) by choosing the path Configuration×ˇ†øÖ�RþSecurity×ˇ†øÖ�RþIdentity Management Using the Portal by choosing User Administration×ˇ†øÖ�RþIdentity-Management

Hint: The function scope available in the administration console depends on the current user’s Java authorizations.

60




Figure 34: UME Administration Console


ABAP User Administration

If you have used the UME configuration file dataSourceConfiguration_abap.xml to connect an ABAP system client, then the usual AS ABAP tools (such as transaction SU01) are available for user administration.

INTERACTIVE ELEMENT: Breakout Rooms 1. Which tools are used for administration purposes? . . . . . . . . . .

User Types Similar to AS ABAP, the UME distinguishes between different user types (also called security policy profiles). The security policy profiles are as follows:


61



Figure 35: ABAP User Administration


User Type or Security Logon to AS Java Policy

Password Change Forced

Mapped ABAP User Types (with ABAP system as data source)

Default

Possible

Yes

Dialog

Technical users

Possible

No

System

Internal service user

Not possible

-

-

Unknown

Depends on AS ABAP Depends on AS ABAP Communication, user type user type Service and Reference

Self-created

Possible

Yes

-

62

Note: The last column in the table is relevant only if you are operating a UME with an ABAP system as the data source. Changes to the user type of an ABAP user are mapped to the corresponding UME user master record (and vice versa if the UME has write access to the ABAP system).

Hint: You can define your own user types (also called security policy profiles) in the UME configuration to provide you own set of password rules. For example, you can create a user type with very strong password rules for your super users or emergency users.




You specify the user type when you create a user through the UME administration console (you may not create the type, Unknown). In the case of existing users, subsequent changes to the user type are possible only with restrictions.

Unit 2 Exercise 3 Implement User and Group Administration

Business Example You are using AS Java and are responsible for user administration. You need to provide new users access to selected applications. Task 1 Perform user maintenance. Copy and modify a user using the UME administration console. 1. Log on to the UME administration console with your user. 2. Copy the template user TEMPLATE to a user JAVA-<##> (## corresponds to your group number). 3. Analyze the UME roles that your user JAVA-<##> is assigned.

Perform group maintenance. Create and modify UME groups using the UME administration console. 1. Attempt to start SAP NetWeaver Administrator as user JAVA-##. 2. Log on to the UME administration console with your course user ID. 3. Create a UME group GROUP<##> and assign the user JAVA<##> and the UME role NWA_READONLY to it. 4. Attempt to start SAP NetWeaver Administrator as user JAVA<##> again.


63



Task 2

Unit 2 Solution 3 Implement User and Group Administration

Business Example You are using AS Java and are responsible for user administration. You need to provide new users access to selected applications. Task 1 Perform user maintenance. Copy and modify a user using the UME administration console. 1. Log on to the UME administration console with your user. a) Start a web browser.

Note: Alternatively, you can call the UME administration console using SAP NetWeaver Administrator. c) Logon with your user ID. 2. Copy the template user TEMPLATE to a user JAVA-<##> (## corresponds to your group number). a) Run a search in the Identity Management area of the UME administration console for the TEMPLATE user. b) Choose the TEMPLATE user and choose Copy to New User. c) On the General Information tab page, enter the Login ID…oïE± ˇÌ⁄Ôì:ç÷æ[má fi!hPïml·}nˆôE)Žf°¡JPassword…oïE and Last Name…oïE± ˇÞ⁄ßì7çþæ d) Do not change the other fields and save the data. 3. Analyze the UME roles that your user JAVA-<##> is assigned. a) In the UME administration console, view the details for the user JAVA-<##> in Display mode. b) Choose the Assigned Roles tab page. Select the Search Recursively checkbox and choose Go. You should see that the copied user has the same roles and groups as the copy template. You can manage users in the UME administration console. Task 2

64




b) Enter the URL http://.wdf.sap.corp:500/useradmin (for example, http://twdf1234.wdf.sap.corp:50000/useradmin).


Perform group maintenance. Create and modify UME groups using the UME administration console. 1. Attempt to start SAP NetWeaver Administrator as user JAVA-##. a) Close all the previously opened browser windows. b) Enter the URL http://.wdf.sap.corp:500/nwa (for example, http://twdf1234.wdf.sap.corp:50000/nwa). c) Enter the logon data for the user JAVA-## (and change the password). You will see a message informing you that you do not have the necessary authorizations. 2. Log on to the UME administration console with your course user ID. a) Enter the URL http://.wdf.sap.corp:500/useradmin (for example, http://twdf1234.wdf.sap.corp:50000/useradmin). Note: Alternatively, you can call the UME administration console through the SAP NetWeaver Administrator. b) Logon with your course user ID.

a) In the Identity Management area of the UME administration console, switch to the Groups view. b) Choose the Create Group pushbutton. c) In the General Information tab page, enter GROUP-## in the Unique Name field. d) Choose the Assigned Users tab page. Under Available Users, search for the user JAVA<##>. Select this entry and choose Add. e) Choose the Assigned Roles tab page. Under Available Roles, search for the role NWA_READONLY. Select this entry and choose Add. f) Save the group. 4. Attempt to start SAP NetWeaver Administrator as user JAVA<##> again. a) Close all the previously opened browser windows. b) Enter the URL http://.wdf.sap.corp:500/nwa (for example, http://twdf1234.wdf.sap.corp:50000/nwa). c) Enter the logon data for the user JAVA<##>. You can work with the SAP NetWeaver Administrator (for viewing). You can use the UME administration console to manage groups.


65



3. Create a UME group GROUP<##> and assign the user JAVA<##> and the UME role NWA_READONLY to it.


Users and Authorizations in AS Java

You can use authorizations to control which users can access a Java application and which actions are permitted for a user. Authorizations are combined as roles and then assigned to a user or a user group by an administrator. The UME administration console (also integrated in the SAP NetWeaver Administrator) is used to assign authorizations. Authorization checks are built into a Java application where you can control what kind of ˇ=8ZÎ>Ófi?c−WövÚ2JÒDžŒWŁXÅ¥û•,â$8€V:4úè¥Èiô ¹ŠÁÊ±íFŁË[³Ï"-[yT˛ŁÞüœù?a»sî®ò„ƒˆáDU5ŁÎoðï@ł˛`¯Ëmê:¬éÌłOÇ$"hÝ —_önåQò¼spˆ‚™¼xéc �Ø˘¶†³«%.âŠ4ÿ³$žIÖlÞ¥w1TZÃÝø1ë«Vs activities, or by object instances. Access to an application is only allowed when the appropriate JEE security role is assigned to the requesting user. If the user does not have the required security role, an error message is displayed and access is denied. Users already have access to the application when they request access to individual activities. When requesting a special activity, for example, Delete, the system checks whether the required JEE security role or UME permission is assigned (by means of UME action and UME role). In addition, you have the option of managing the protection of access to object instances (for example, to folders or documents) using the access control list (ACL). With all the types of authorization checks specified, the developer needs to define the authorizations query in the application. The developer decides which type of authorization check is to be used. In practice, this means that the application determines the JEE security roles, UME permissions, or UME ACLs that are to be used. JEE security roles are a part of the JEE standard. UME permissions are an SAP-specific concept. You can define the same authorization checks with JEE security roles and UME permissions. However, certain programming techniques for SAP applications that enhance the JEE standard require the use of UME permissions. Therefore, an administrator should be familiar with both the concepts.

66




Figure 36: Authorization Concept in the AS Java


UME Roles In the UME, there is a role concept with which authorizations, users, or groups are assigned. These authorizations relate to authorization checks that are defined in the coding of the SAP Java application. The authorization concept in the UME uses permissions, actions, and roles. Permissions are defined in the Java coding. Permissions are used to provide access control. Permissions cannot be assigned directly to a user. An action is a collection of permissions. The developer of an SAP Java application defines his or her own actions and specifies the authorizations in the XML file actions.xml. Actions are displayed in the UME administration console. You can use the UME administration console to combine these actions into roles. UME roles group actions of one or more applications. You can assign UME roles to users in the UME administration console. Many Java applications from SAP work with UME roles.

Figure 37: Structure of UME Roles

The figure shows the Purchase Order application as an example. This application consists of multiple objects, such as Create order and Approve order, into which a developer has built the corresponding authorization check directly in the coding. With UME roles, the developers define permissions (authorization objects) directly in the coding and then bundle them into actions. The administrator can then combine these actions into roles and assign them to a user or a user group. Developers can define very detailed authorizations on the basis of this concept, but the complexity is hidden behind a small number of actions. The developers predefine the actions, which are delivered to the customers together with the application and are available as an XML file. This allows a simple, clear, and cross-application authorization concept for large Java applications.


67



Structure of UME Roles


JEE Security Roles

Figure 38: Structure of JEE Security Roles

A JEE security role (or security role) is an abstract logical definition that protects access to an application, a service, or another resource. The security role consists of only a name and a description. The security role relates only to the application for which it was defined. Security roles allow an access check for JEE applications. The authorizations are usually defined declaratively. A developer creates a security role for each application object requiring protection. The protected application, its protected modules, classes, or methods can be used by a user only if the administrator has assigned users or groups to the security role. The figure shows the Purchase Order application as an example. For this application, a developer creates objects such as Create order and Approve order, and so on. If you are using JEE security roles, a security role must be created for each object. The security role is defined either in the deployment descriptor (XML file) or directly in the application coding. In addition to the security roles specified by the developer, the UME generates more security roles that are valid for the entire application. The advantage here is that these roles can be combined into one application-wide security role for several security roles with the same œ¶)QõłŁw“ÀL±å ¤9=‚ë�0JÝ ÕR—Â'·fi>œÆXK×ı©r}Bø„b¾íÈGM#ÆO'‘łl• f={å²X1œ<É 6)A‹àÉXO]r ÐœÀìofl¯slw“»êÈ²àGS ß¦é~]+Š¤ã2~ª¦ ©�É0\}Łï!
68




JEE security roles are a part of the JEE standard.


There are some special actions you can use for segregation of duties (SoD). These are Manage_Role_Assignments_SoD and Manage_Roles_SoD. A user with the activity Manage_Role_Assignments_SoD is able to assign roles to any user but himself. A user with the Manage_Roles_SoD activity is able to create roles. The user is able to maintain all roles (assign actions) except roles that are assigned to himself. The following actions should not be combined in SoD: ● Manage_Users ●

Manage_Groups

●

Manage_Roles

●

Manage_all_Companies

●

Manage_Role_Assignments_SoD

●

Manage_Roles_SoD

UME Role Creation and Assignment



Figure 39: Maintaining UME Roles (UME Administration Console)

You can use the UME administration console to maintain UME roles. You perform both the assignment of actions to UME roles and the assignment of roles to UME users or groups there. JEE security roles are also displayed as actions in UME administration console. After logging on with an administrator user, select the appropriate role, display the assigned actions, and change the role, if necessary. Then assign the role to a user or a group. It is important for the administration of authorizations that the Java application UME provides a large number of actions. These UME actions permit the precise definition of the rights that users have as principles (for example, display all users or maintain all groups). The online documentation for SAP NetWeaver 7.3x describes the actions supplied by SAP for the UME (path SAP NetWeaver Library: Function-Oriented ViewÿX?À|Š²³SecurityÿX?À|Š²³Identity


69


Managementñ³˛"¢t´/User Management of the Application Server Javañ³˛"¢t´/Reference Documentation for User Managementñ³˛"¢t´/Standard UME Actions).

ACL Maintenance You have an option of managing the protection of access to object instances (for example, to folders or documents) using an ACL. The developer uses the ACL API of the UME for this purpose. However, as the UME does not provide a UI for ACL maintenance, the developer must develop an individual UI for ACL maintenance. Therefore, there are differences in the UI and also in the authorizations to be assigned in concrete ACL maintenance depending on the application. There are details about ACL maintenance in the security and administration guide of the corresponding applications. In particular, ACL maintenance is used in addition to UME administration in the SAP NetWeaver Portal.



70





●


●





71




72



1. Identify the user type that enables dialog-free data transfer between systems. Choose the correct answers. X

A Reference

X

B Service

X

C Communications data

X

D System

2. An authorization is always associated with exactly one authorization object and contains value for the fields in the authorization object.

X

True

X

False

3. You can set the number of failed logon attempts after which the SAP GUI is terminated using the login/fails_to_user_lock parameter. Determine whether this statement is true or false. X

True

X

False

4. Which of the following are the service providers in an open architecture of Application Server Java (AS Java)? Choose the correct answers. X

A Database Management System (DBMS) provider

X

B Access control list (ACL)

X

C Universal Description, Discovery and Integration (UDDI) provider

X

D User Management Engine (UME) provider


73



Determine whether this statement is true or false.


5. Which of the following are the functions of the User Management Engine (UME) parameter? Choose the correct answers. X

A Date source(s)

X

B Security policy

X

C Mobile notification

X

D E-mail notification

X

E SAP logon ticket

6. The user can define the same authorization checks with JEE security roles as with User Management Engine (UME) permission. Determine whether this statement is true or false. True

X

False



X

74



1. Identify the user type that enables dialog-free data transfer between systems. Choose the correct answers. X

A Reference

X

B Service

X

C Communications data

X

D System

2. An authorization is always associated with exactly one authorization object and contains value for the fields in the authorization object.

X

True

X

False

3. You can set the number of failed logon attempts after which the SAP GUI is terminated using the login/fails_to_user_lock parameter. Determine whether this statement is true or false. X

True

X

False

4. Which of the following are the service providers in an open architecture of Application Server Java (AS Java)? Choose the correct answers. X

A Database Management System (DBMS) provider

X

B Access control list (ACL)

X

C Universal Description, Discovery and Integration (UDDI) provider

X

D User Management Engine (UME) provider


75





5. Which of the following are the functions of the User Management Engine (UME) parameter? Choose the correct answers. X

A Date source(s)

X

B Security policy

X

C Mobile notification

X

D E-mail notification

X

E SAP logon ticket

6. The user can define the same authorization checks with JEE security roles as with User Management Engine (UME) permission. Determine whether this statement is true or false. True

X

False



X

76


UNIT 3

Advanced User Administration Topics

Lesson 1 Implement Central User Administration (CUA) Exercise 4: Distribute User Data with CUA

78 95

Lesson 2 Work with Directory Services

100

Lesson 3 Describe SAP Governance, Risk, and Compliance (GRC) 10.0 Exercise 5: Run Reports and View Dashboards

107 137

Work with Identity Management

143

UNIT OBJECTIVES ●

Explain Central User Administration (CUA)

●

Set up Central User Administration (CUA)

●

Explain directory services

●

Explain SAP Governance, Risk, and Compliance (GRC) 10.0

●

Understand the purpose of Identity Management

●

Explain Identity Management

●

Explain the history of SAP NetWeaver Identity Management


77



Lesson 4

Unit 3 Lesson 1 Implement Central User Administration (CUA)

LESSON OVERVIEW This lesson introduces the principles of Central User Administration (CUA) and provides decision-making aids. The lesson also covers the required steps to set up CUA. Business Example

●

An understanding of the fundamentals of CUA

●

An understanding of the usefulness of CUA for your company

●

An understanding of how to set up CUA

●

An understanding of how to distribute user data with CUA



●


Fundamentals of CUA User information is stored in a client-specific manner in SAP systems. This means that every client in a system has its own, independent group of permitted users. If you have a complex system landscape in your company, you might have more than one of the three standard system types (Development (DEV), Quality Assurance (QAS), and Production (PRD)). Hint: For example, there are three SAP production systems: an SAP Supply Chain Management (SAP SCM) application for production planning, an SAP ERP Central Component (SAP ECC) as an ERP production system, and an SAP Customer Relationship Management (SAP CRM) system. These systems are regarded as PRD systems. The users are maintained in the respective system and client. If, for example, a developer retires from your company, you must ensure that the relevant user record is removed from all affected clients. You must ensure that the relevant user is locked. If you do not know exactly in which areas your colleague worked as a developer, you need to log on to every single client that he or she may have used, and manually search for and remove the user (colleague). In

78




In your landscape of SAP systems, the same users exist in a number of systems and clients. You want to reduce the costs of maintaining users in the different SAP systems. In addition, you want the user administration of the SAP systems in your company to be organized more efficiently and clearly. To do this, you need to implement CUA. For this reason, you require the following knowledge:

Lesson: Implement Central User Administration (CUA)

complex landscapes, this task becomes confusing. This may lead to potential security gaps in your user administration and can result in significant costs for consistent user maintenance.

Note: Users that are no longer to be used for logging on to the SAP system should be locked and not deleted.

Figure 40: Classic User Administration

The figure shows the structure of user administration in a classic scenario with multiple SAP systems. As you can see from the figure, the number of interesting clients (that is, clients other than 000, 001, and 066) to be administrated is 17, even in this simple example. The clients shown are used for different purposes. For example, client 200 is not required in the production system of the SAP ECC system, because it is a test client.

Central User Administration (CUA) The aim of CUA is to reduce the cost of user administration and to make user administration more secure by centralizing the work. CUA envisions only a single client for maintaining user data. Therefore, to administer user data using CUA, you need to determine where you will be maintaining your users in your system landscape. To determine user data using CUA, the following points need to be defined: ●

Which user master records exist in which clients?

●

Which roles and profiles are assigned to these master records?

●

What are the initial passwords?

●

Is the user locked or not?


79



Classic User Administration

Unit 3: Advanced User Administration Topics

Prerequisites for Efficient CUA Implementation The prerequisites for the efficient implementation of CUA are as follows: ● There are a large number of identical users in multiple clients. ●

●

There is a complex system landscape with a large number of clients to be managed. You want to reduce the cost of complex, distributed user administration by implementing CUA.

These prerequisites should exist in your system landscape before the implementation of CUA, otherwise, the work reduction due to the implementation of CUA will not be optimal. However, these prerequisites are not entirely self-explanatory. For example, if you have a standard three-system landscape in which each user primarily works in one client, and the user groups in the different clients are entirely different, the cost saving due to the implementation of CUA is not particularly large. The situation is similar if you use identical users in multiple clients, but your system landscape contains only a few clients or the number of administered users is not high.



Hint: CUA can also simplify user administration in small system landscapes. This is because the user master records are then only administered in one client of your system landscape, which is clearly laid out. This increases the security of the systems that you administer. User Administration Using CUA

Figure 41: User Administration Using CUA – An Example

The figure shows all the work you can perform related to user master records from one central client when you implement CUA. In this example, two CUA landscapes are used to administer users in production and test systems, and the development systems are not managed as part of CUA.

80



CUA resides in a dedicated system. Using CUA, you can distribute the following information from the central system to the child systems by using the ALE technology. The information is about which users exist in which system, in which client, with which roles, and profile assignments. You can also distribute the initial password. You can also distribute the initial password.

Hint: ALE is a powerful tool. Only a small portion of its many possibilities can be explained in the context of CUA. Notes on Implementing CUA The following list contains important notes for implementing CUA: ●

●

CUA can be used cross-release, although a linked system must have at least SAP Basis 4.5B (and should also have as current a Support Package status as possible). CUA can also be used, for example, for user administration in SAP NetWeaver Business ˙·ŁÎrÞH[ERe•T_Cê:CzAcÅB×¬±(›ç§&ãŸÖŠ& 3ÚÀÜpðð®¥Y›Òõ¶b˚É‰@l7åÉÃÝáàð/bÉ¡;^bÍèà2Ä!^JbèÊ']ëü$C4õ fiÎÃÃè†’ù~Ãn'ØÄ˙Â>ËŠ¢ÕÀóNZÎ
˙·ŁÐrÑH EVeÏTkC>êˆCzcøB2×Ž±V9(“ç§ãŽÖÖ&%3ÆÀÝp¤ð›¥c›eOù¶˚Û‰@˝7¤ÉîÝ×“ðmbƒ¡4^!ÍßàSÄ"ûJAè'}ëý$V4è „Î−Ãà†…ùtÃ…nUØ ÄÂ:Ë⁄¢œÀèN[š^ each other. The systems linked to each other are called logical systems. The logical systems in the context of CUA are actually the clients where users need to be maintained. A single SAP system can house multiple logical systems in terms of ALE (and CUA). Data exchange in an ALE-integrated system is performed by exchanging intermediate documents (IDocs) by Remote Function Call (RFC).

Caution: Ensure that if CUA is in use and role definitions are transported (by means of transport requests from one system to another), the user assignments to the roles should not be transported. If CUA is in use and role definitions, including user assignments, are transported at the same time, discrepancies may arise in the user assignment to roles. You can avoid these problems as described in SAP Note 571276: PFCG: Transporting roles using transaction SM30 by setting the entry USER_REL_IMPORT in table PRGN_CUST to NO in all the child systems in CUA.


81



●

CUA can be implemented using a system running at least SAP Basis 4.6C and above. Your system should be as up to date as possible, with the latest Support Packages and kernel patches.


CUA – Step by Step

The figure shows the steps to set up CUA.

Note: The term "technical users, refers to technical users in terms of user classification for system measurement. In this case, the class of technical users represents users for whom no license fees are charged. The technical users that are used for CUA are of the type System (created in transaction SU01), although the documentation and SAP Notes sometimes refer to users of the type CommunicationfiöücfáGž$»*,˘;łN‘Ût/ˆÓwQÞó‹*ˆ˚fl9�Ô>S”ôt—−¯ÒŁW…´VýÃ¼âQ˝ÿƒvÊ®æ,½®ÙÔÑ¼:Wc«ÙÍs5Õ…‘2˘xÝ because users of the type Communication, unlike users of the type System, are subject to password change rules.

Specify and Assign Logical Systems

Caution: In this section, only the terms “central system” and “child system” are used. These terms refer specifically to clients (logical systems). Therefore, if your company runs the central CUA and child CUA on the same SAP system (in different clients), the terms “central system” and “child system” refer to different clients in the same SAP system.

82




Figure 42: Roadmap for Setting Up CUA


You can specify and assign the logical systems as follows: 1. Log on to your central system with an administration user ID. 2. In the Implementation Guide (transaction SALE), choose Basic Settings •ˇ"⁄"Aí] Logical Systems •ˇ"⁄"Aí] Define Logical System or run transaction BD54. Alternatively, you can maintain table view V_TBDLS using transaction SM30. 3. Choose Edit •ˇ"⁄"Aí] New Entries. 4. In the Log.System column, create a new logical name in uppercase letters so that you can easily identify systems by their names later. The naming convention for the logical system names is CLNT###, where you replace with the relevant system ID and ### with the relevant client number, for example, DEVCLNT100. Enter the name of the logical system, such as central system or child system. 5. Save your entries. These entries are then included in a transport request. 6. Create the logical system name of the central system and relevant child name in all the child systems. For this step, you have the following options:

●

Send the transport request generated in step 5 (which contains the names of all logical systems) to all other systems in CUA. Perform steps 1 to 4 in all the child systems of CUA. Create the logical system name of the central system and relevant child system in each case.

Hint: The data for the logical systems is created cross-client. If there are multiple logical systems of CUA in one SAP system, you need to perform steps 1 to 5 (or import the transport request) only once. You can also use transaction SALE to assign the logical systems. To do so, choose Basic Settings •ˇ"⁄"Aí] Logical Systems •ˇ"⁄"Aí] Assign Logical System to Client or run transaction SCC4 directly. Alternatively, you can edit table T000 using transaction SM30. After you switch to the change mode, you can assign an appropriate entry to the field Logical system in the detail view of the client attributes. When doing so, use the input help (F4 help) to avoid input errors. Select the appropriate entry, such as DEVCLNT100, if you want to assign this logical system to client 100 in the DEV system. Make this assignment of logical systems for all the clients involved in CUA (in all of the involved systems). Technical Users and RFC Connections RFC connections are used to exchange data by ALE in the context of CUA. RFC connections are used to distribute user data from the central system to child systems, to send changes to this data in the child systems, and to send status reports back to the central system. In the context of CUA, the central system is treated like another child system in some respects. In the simplest case of CUA (two logical systems linked to each other, one central system and one child system, within the same SAP system), two RFC connections are


83



●


required. If the central system and child system are in different SAP systems, three RFC connections are required. The RFC connections required are as follows: ●

RFC connections from the central system to itself (loopback)

●

RFC connections from the central system to the child systems

●

RFC connections from the child systems to the central system

RFC Connections from the Central System to Itself (Loopback) A separate, additional RFC connection is required to connect the central system to itself. Special users are used for these RFC connections. These technical users are of the type System and their authorizations are clearly delimited using predefined roles.

RFC Connections from the Central System to the Child Systems RFC connections are required from the central system to all the child systems. These RFC connections use the users in the child systems. The naming convention recommended for these users is CUA__###, where is replaced with the system ID of the child system and ### with the number of the client being addressed in the child system. TÅłª¢•/a_>˙'ƒùÿ(C!&ÇXÉ®R¬»Ž�V²µXeÌ©+1Ñ·J#7¤‹w7m˜¸,Â N7Ìj+€‰—‚n ¦flOžÁJi>¹MûöñGtÏfš@h³?_+%ã˚¬‹Vý#�ÐL‰×™rmZm±˜ {wÝC´ó~9qNÉG¨TËÜÌ™Ã›Ł° SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT. However, you should not assign the delivered SAP roles to the technical users, but rather copies of these roles for which you have created authorization profiles with role maintenance (transaction PFCG). For simplicity, name the copies of the SAP roles by adding Z_ to the start of the name, that is, Z_SAP_BC_USR_CUA_SETUP_CLIENT and Z_SAP_BC_USR_CUA_CLIENT.

Hint: Note that the technical user in the child system requires the role Z_SAP_BC_USR_CUA_SETUP_CLIENT only while you are setting up CUA. You can then remove this role from the technical user.

84




Note: For more information about CUA minimum authorizations for communication users, see SAP Note 492589. The composite role SAP_BC_USR_CUA groups together the various roles for service users of CUA. The composite role is used only for documentation purposes. The single roles that it contains are assigned directly to the service users.


Hint: To increase the security and performance of your system, you can use the role Z_SAP_BC_USR_CUA_CLIENTŽÇœœ˜bæ„ØiÖÇ˝â}ÕŁ×3(y˙á…b‰;¬�-ûª¸UrłP²ò‡3mì3“Ÿ−ñÉÞ]Šc¿ìÝÃ÷Zk²¡wÍòj¬kê‰ authorizations required to receive the IDocs of CUA and update them. However, the subrole Z_SAP_BC_USR_CUA_CLIENT_RFC (create this in the same way as the roles described earlier) contains only authorization to receive the IDocs. Furthermore, the role Z_SAP_BC_USR_CUA_CLIENT_BATCH contains the update authorization for the inbound IDocs. Assign the first role Z_SAP_BC_USR_CUA_CLIENT to the technical user. However, you assign the role Z_SAP_BC_USR_CUA_CLIENT_BATCH to a system user to allow the user to change user master records. This user is used (in the child systems) to schedule a periodic background job that implements the CUA changes in the child systems (periodically).

RFC Connections from the Child Systems to the Central System

Hint: Because RFC connections can be used cross-client (all clients of a system can use a shared RFC connection), you need to create only one RFC connection to the central system if there are multiple child systems in one SAP system. The connection from the child system to the central system uses a technical user of the type System that must be known in the central system. This user should have the ID CUA_. In this case, stands for the system ID of the child system that communicates with the central system using this user. This user requires authorizations for the roles Z_SAP_BC_USR_CUA_SETUP_CENTRAL, Z_SAP_BC_USR_CUA_CENTRAL, and Z_SAP_BC_USR_CUA_CENTRAL_BDIST. Create the roles by copying the template roles (the template names have the same names as the specified roles, but without Z_ at the start of the name) and generating the profiles for them using transaction PFCG. The first role listed, Z_SAP_BC_USR_CUA_SETUP_CENTRAL, is required only while setting up CUA.

Caution: The role Z_SAP_BC_USR_CUA_CENTRAL_BDIST is required by the user in the RFC connection if the attributes in transaction SCUM are set to Redistribution.


85



RFC connections are also required from the child systems to the central system. Every child system must be able to open an RFC connection to the central system.


Caution: In addition to the RFC connections from the child systems to the central system, you also require an RFC connection from the central system to itself (loopback). This connection also uses the user with ID CUA_, where is the ID of the central system. The required authorizations are contained in the roles Z_SAP_BC_USR_CUA_SETUP_CENTRAL, Z_SAP_BC_USR_CUA_CENTRAL, and Z_SAP_BC_USR_CUA_CENTRAL_BDIST.

Figure 43: Required RFC Connections and Technical Users for CUA

The figure shows the required RFC connections and technical users as well as the roles they require in a very simple CUA scenario.

Hint: For background information about the required authorizations and roles 2§÷0¢‚}é~“ÜÐoçaÂÅ¹à$÷rÚÃÓß00ñQ^íÐD£%íœåßT•/¶TÜÕXõ7Ô¢w°y˝ÿ'ÀÓ9tI¡úÕ·¢5½s½w+m jD²žfi„:»Üg,ŁnÞ�™1Ziäëú.)ÚEtèV#?.BÝ Wè,⁄ ®9 Minimum authorizations for communication users.. After you create the users (as shown in the figure) with the appropriate role assignments in all of the clients involved, you need to define only the RFC connections in transaction SM59. You can do so by performing the following steps: 1. In transaction SALE in the central system, choose Communication 2§3U‚± Create RFC Connections (transaction SM59). 2. Choose the Create pushbutton.

86




Required RFC Connections and Technical Users for CUA


3. Enter the following data in the respective fields: Field Name

Value

RFC Destination

For example, QASCLNT200 or DEVCLNT200 (this entry must be in uppercase letters)

Connection Type

3

Description

Connection to child system

Caution: The RFC destination name must be identical to the logical system that you want to address with the RFC connection. The RFC connection must be specified in uppercase letters. 4. Press the Return key. On the Technical Settings tab page, make the following settings: ●

If you do not want to use load distribution, specify the name of the host on which the central instance of your target system is running as Target Host and specify the instance number of the central instance.

5. On the Logon & Security tab page, specify the client of the required logical system and the technical user CUA__### (for example, CUA_QAS_200 or CUA_DEV_200) and password (in your training course, this password is specified by the instructor before the start of the course). 6. Save this connection. 7. Choose Utilities w)&]n£ Test w)&]n£ Connection Test (CTRL + F3) and Utilities w)&]n£ Test w)&]n£ Authorization Test (CTRL + F4) to test the connection using the functions. To set up the required RFC connection from the child system to the central system, log on to the child system and perform steps 1 to 7 again. Use the user CUA_, where is the system ID of your child system. You should also set up the RFC connection from the central system to itself.

Note: You can also use trusted RFC connections for the CUA communication. This increases the security of your CUA communication further. For information about configuring CUA using trusted RFC connections, see the online documentation. CUA Activation After you successfully activate CUA, you will no longer be able to create users in the linked child systems using transaction SU01. Before you activate CUA, it is still possible to create new users using transaction SU01 in a child system.


87



●

If you want to restrict the function of CUA to a particular server group, you can specify the logon group after selecting the Load Balance: Yes radio button and choosing the Return pushbutton.


The activation of CUA has been significantly simplified and a number of necessary configuration steps are performed automatically by the system. To perform the CUA activation, follow the steps below: 1. Log on to the central system. 2. Access the Implementation Guide (transaction SALE), choose Modelling and Implementing Business Processes a×Xhz š, Configure Predefined ALE Business Processes a×Xhz š, CrossApplication Business Processes a×Xhz š, Central User Administration a×Xhz š, Select Model View for Central Administration (transaction SCUA). 3. Enter the name of your distribution model, such as CUA. 4. Choose Create. 5. Enter the names of all the child systems to be connected in the Recipient column. 6. Save your entries. 7. The result screen Display logs appears. If you expand the nodes for the individual systems, you see the following message for each system:

Note: If problem messages are displayed here, follow the procedure in SAP Note 333441 – CUA: Tips for problem analysis. CUA Configuration When CUA is activated, the system carries out the following configuration steps automatically: 1. The corresponding ALE model is created or adjusted to match the new CUA model if changes have been made. 2. Partner profiles are created in the system. 3. Text comparison with the child systems is carried out for roles (and profiles). The ALE distribution model defines which applications communicate with each other in the distributed systems and which data types are distributed. You require a separate ALE distribution model for CUA. In the central system, you define the structure of your CUA in the model view, which you then distribute to the child systems. In the ALE distribution model to be defined for CUA, the following types of data are distributed: ● User master data (including assigned roles and profiles) ●

Company addresses

In the distribution model, two methods are required to distribute user data and company addresses. To implement these methods, the distribution model uses the Clone method from

88




ALE distribution model was saved Central User Administration activated Text comparison was started


the Business Application Programming Interfaces (BAPIs) of the USER and User Company Business Objects. You can view the partner model in transaction BD64. Partner profiles define the conditions for electronic data exchange through the IDoc interface. If a partner profile does not exist, you cannot communicate with the partner through the IDoc interface. You can display these partner profiles in transaction WE20. The check tables and texts for roles, profiles, and license data in the individual child systems are saved temporarily in the central system. This means that they can be displayed quickly. If they have been changed, you have to run the text comparison. If you run the text comparison in the central system, you can select the child systems from which the data is to be read. If you run the text comparison in a child system, the current data is sent to the CUA central system.

Hint: The functions of transaction SCUA have been improved through Support Packages. For more information, see SAP Note 952349.

Parameters for Field Distribution For each field of transaction SU01, you can use transaction SCUM to determine the system in which the field content can be administered. The parameters to maintain for field distribution are as follows: ● Global You can maintain only data in the central system. The data is then automatically distributed to the child systems. The values for the corresponding fields cannot be changed there; the values can only be displayed. ●

Local You can maintain only data in the child system. Changes are not distributed to other systems.

●

Proposal You have maintained a default value in the central system that is automatically distributed to the child systems when you create a user. After distribution, the data is maintained only locally and is no longer distributed if you change it in the central or child system.

●

Redistribution (Redist) You can maintain the data both centrally and locally. Every time the data is changed, the change is distributed back to the central system and is then forwarded from there to the other child systems.

●

Everywhere (Evrywhr)


89



Caution: Even if users can no longer be created in the child systems, CUA is fully operational only after the steps have been carried out.


You can find this option only on the Lock tab page and for initial passwords (the Logon Data tab page). You can maintain initial passwords and lock data both centrally and locally. However, only the changes made to the data in the central system are distributed to the other systems. Local changes in child systems are not distributed.

Caution: If you subsequently change the distribution from Local or Proposal to Global or Redistribution, inconsistent data can be created. The only exception is that you can reset the indicators on the Lock tab page any time without danger. Ensure that you take into account SAP Note 611972 – SCUM: Change to field distribution parameters.

Hint: The settings of the distribution parameters are automatically forwarded to the child systems. Recommendations for Transaction SCUM

Field

Setting

Print parameters (under Defaults)

Proposal

Parameters

Proposal

User group (under Logon Data)

Proposal

Fields for data that the users maintain themselves

Redistribution or Local

The recommendation for a Global setting applies to all the fields that are not listed (with the exception of locks).

Caution: For information about lock management for your users (for example, due to too many failed logon attempts), see the online documentation. Configuration of IDoc Processing Changes to company addresses and users that affect a child system are transferred to the child system(s) as an IDoc using the RFC connection. To optimize the ALE distribution of CUA, you can execute (separately) the outbound processing and inbound processing of the IDoc in the background.

90




The following table lists the recommendations for the configuration of the parameter distribution for a number of fields:


Note: You can find more information about this in the online documentation under the Activated Background Processing keyword. IDoc Inbound Processing in the Child System In standard systems, the activation of CUA (using transaction SCUA) generates partner profiles in the child systems that allow immediate (synchronous) processing (online).

Note: To check partner profiles, run transaction WE20 in the child system. Navigate to the partner profile by choosing Partner Profiles FEM:JaÊ Partner Type LS FEM:JaÊ . On the first tab page, double-click inbound parameters for message types CCLONE and USERCLONE. Take note of the Processing by Function Module setting on the Inbound Options tab page.

Note: Scheduling of the background job is controlled by the entries in the table TEDEF. In the standard systems, this table (for the current clients) contains an entry with values EVENTT = TRFC-IDOC and ROUTID = BATCHJOB. If you change the table entry to EVENTT = TRFC-IDOC and ROUTID = SYNCHRON, the system updates all IDocs from the dialog work process that are currently used for the RFC communication. Across all applications, the table TEDEF controls the processing of all IDocs that are sent to the current clients. You can use the report RSESYNMESTYP to convert IDoc processing to synchronous processing, depending on the sent message type, IDoc type, or extension. The message types CCLONE and USERCLONE are relevant to CUA.

Note: The report RSESYNMESTYP sets the field ACTFLAG in the table EDIMSG for the selected objects. Synchronization of the Company Addresses As company address data has already been maintained in all systems of the future CUA, you must first ensure that at least the central system contains all valid company addresses. Then, distribute this complete company address set to all the child systems so that a consistent status exists for the company addresses in the entire CUA.


91



In standard systems, the receipt of the IDoc is separated from the IDoc processing (see SAP Note 555229). The dialog work process reserved for the RFC communication does not process the transferred IDocs itself. If an IDoc cannot be processed immediately because no dialog work processes are available, the system schedules a background job (with the step RBDAPP01) for this IDoc with an immediate start. The user that is used for the RFC communication requires additional authorizations for this scenario (see SAP Note 492589).


You can use transaction SUCOMP to administrate company address data. You can use transaction SCUG in the central system to perform the synchronization activities between the central system and child systems. This synchronization is done by selecting your child system on the initial screen of transaction SCUG and then choosing Synchronize Company Addresses in the Central System. For more information, see the online documentation.

Note: For more information about this, see the online documentation. Alternatively, you can compare company addresses using transaction SCUC. You cannot transfer user data in this transaction. Synchronization of User Groups To be able to transfer users from a child system to the central system or distribute them from the central system to a child system, the user group to which the user is assigned must exist in all the systems in which the user exists. Transfer of Users to Central Administration

The user transfer options are as follows: ● New users These users are not yet contained in CUA. By choosing Transfer users, you can transfer the selected users to the central system. All user parameters (such as address, logon data, and so on), profiles, and roles are transferred. The user is maintained centrally in the future. ●

Identical users There are users with identical user IDs (the user ID or ID is the string that you enter in the User field on the SAP Logon screen). For example, these could be user IDs with identical first and last names. You can transfer the roles and profile data of this user to the central system. The user is then distributed as it exists in the central system. Local data is overwritten. In such cases, it is assumed that, for example, the ID MOOREJ that exists in multiple logical systems, with the last name Moore and the first name Jane, always belongs to the same person. In large companies, this assumption is not always correct. For this reason, you should use unique character strings, such as the personnel number as the user ID.

●

Different users These user IDs exist both in the central and child systems, but the user has a different first and/or last name. If, in an individual case, these IDs actually refer to the same user, you can transfer the roles and profile data pertaining to the user to the central system. The user is then distributed as it exists in the central system. If the IDs do not refer to the same user, use CUA to create a new user ID in the child system for one of the users and delete the old ID in the child system.

92




After you synchronize the company addresses, you can transfer the users from the newly connected child systems to central administration. You can do so using transaction SCUG in the central system. On the initial screen of transaction SCUG, select your child system and then choose Copy Users to the Central System.


Alternatively, you can assign a new ID to the user in the child system (if different employees have an identical ID in different clients). For this purpose, you can start transaction SU01 in the child system and choose Users ¹Àu2¢ã¹ Rename. If the user transfer is restarted, the user is listed as a New User rather than a Different User. ●

Already central user These users already exist in CUA and are only administered centrally.

Hint: A function is available for copying users. You can access this function using pushbuttons in transaction SCUG if the Already central user tab page is selected. Using these pushbuttons, you can transfer role assignments, profile assignments, and the license classification of users from the child systems, particularly in cases in which (despite CUA being in use) the corresponding administration was carried out until now in the child systems (in line with the settings in transaction SCUM).

Hint: Until the user transfer is completed, the child systems affected still contain (unexpected) processing options for users who have not been transferred, such as the delete function for users in transaction SU01. Distribution Status Check You use the log display (transaction SCUL) primarily to check the status of IDoc distribution when changing company addresses or users. If you change a company address in the central ¹ÀuÖIãj+3w¥ïâ°ÌJ×D{ã˛q_S`ˇSê¤ìö´rpòÇÕ¡1iºœ7$Łnî¤ØÞ©ÌŸîð0®Œ4ÍâÎ6%− º?ÿ=ý „�˚ECCLONE IDoc is sent to each child system of CUA. If you change a user in the CUA central system, the user data is also distributed to the child systems assigned to this user. At most, three USERCLONExx IDocs are sent for each user: user attributes (USER), profile assignment (PROFILE), and role assignment (ACTGRP). You can then see in the results list of the log display whether the user or company address was replicated successfully to the child systems.

Hint: It may not be possible to completely process IDocs with user changes in the child system (status Unconfirmed in transaction SCUL) because not enough dialog work processes are available (in the child system or contacted instance). In this case, you can start post-processing of the IDocs in the child system using transaction BD87 or opt for inbound processing of the IDocs in background processing. For more information about IDocs, see SAP Note 399271 – CUA: Tips for optimizing ALE distribution performance.


93



Note: For more information, see SAP Note 704412 – CUA support for license data maintenance.




94


Unit 3 Exercise 4 Distribute User Data with CUA

Business Example You need to maintain user profiles in the database and provide authorization to users from a central system. You need to use CUA. Task 1 Create a new role in the child system. 1. In your CUA child system, copy SAP role template SAP_BC_ENDUSER to Z_SAP_BC_ENDUSER. Also create an authorization profile for the new role. 2. Within your CUA child system, trigger a text comparison. You continue to work in your CUA child system. Make sure you are on the start screen of transaction PFCG.

Create a new user for the child system using CUA. 1. In your CUA central system, create a new user, CHILD##. Make sure that this user gets the Z_SAP_BC_ENDUSER role in your CUA child system (but no master record in the central system). Also, maintain additional data, such as the telephone number, fax number, and so on. 2. In your CUA central system, check the distribution log for your new user, CHILD##. You continue to work in your CUA central system. Make sure you are on the start screen of transaction SU01 and user ID CHILD## is selected for the User field. 3. In your CUA child system, check the user master record of your new user, CHILD##. 4. Log on to your CUA child system as user CHILD## and maintain your own (user) data. 5. Log on to your CUA central system as user CHILD## and maintain your own (user) data. 6. In your CUA central system, use transaction SUIM to check which roles are assigned to the user you just created in all the systems connected to CUA.


95



Task 2

Unit 3 Solution 4 Distribute User Data with CUA

Business Example You need to maintain user profiles in the database and provide authorization to users from a central system. You need to use CUA. Task 1 Create a new role in the child system. 1. In your CUA child system, copy SAP role template SAP_BC_ENDUSER to Z_SAP_BC_ENDUSER. Also create an authorization profile for the new role. a) Log on to your CUA child system as administration user ID CHILD_OF_.

c) On the Role Maintenance screen, choose Views and then choose Single Roles. d) Choose the SAP_BC_ENDUSER single role. e) Choose Copy . f) Enter Z_SAP_BC_ENDUSER, in the to role field. g) Choose the Copy all pushbutton. h) Open the new role, Z_SAP_BC_ENDUSER, in Change mode. i) Open the Authorizations tab page and then choose the Change Authorization Data pushbutton. j) Choose the yellow traffic light at the top and confirm the popup regarding full (*) authorizations that will be assigned to the Z_SAP_BC_ENDUSER role. k) Choose the Generate pushbutton and confirm the proposed profile name and text. Go back to the previous screen. l) Note: You cannot assign users on the User tab page. 2. Within your CUA child system, trigger a text comparison. You continue to work in your CUA child system. Make sure you are on the start screen of transaction PFCG. a) Choose Environment ”ýüà‹4sR Text Comparison for CUA Central System. Hint: This will trigger the text comparison for the name and description of all ”ýü2©Ésž®÷ò™½ÈŒk"…0ObU(Qß…2zìË˝çr91 ùÕP=n{ifN¥ÓZ{ß ßQ

96




b) Run transaction PFCG.


Task 2 Create a new user for the child system using CUA. 1. In your CUA central system, create a new user, CHILD##. Make sure that this user gets the Z_SAP_BC_ENDUSER role in your CUA child system (but no master record in the central system). Also, maintain additional data, such as the telephone number, fax number, and so on. a) Log on to your CUA central system as administration user ID -##. b) Run transaction SU01. c) On the User Maintenance: Initial Screen, enter CHILD## in the User field and then choose the Create pushbutton. d) On the Address tab page, enter some data (in particular, for the Last Name field). e) On the Logon data tab page, enter any password in the Initial password field. Enter the same password in the Repeat password field. f) On the Parameters tab page, provide some Parameter ID (for example, BUK = 42).

h) Press ENTER. You will see a notification that a new (logical) system is assigned to this user. You can verify this by opening the Systems tab page. i) Save the new user record. 2. In your CUA central system, check the distribution log for your new user, CHILD##. You continue to work in your CUA central system. Make sure you are on the start screen of transaction SU01 and user ID CHILD## is selected for the User field. a) Choose Environment ÒØ VÊÚ¾⁄ Distribution log. b) Keep all the default values, but select Successful on the Users tab page. c) Choose Execute pushbutton. Green indicators imply successful distribution. 3. In your CUA child system, check the user master record of your new user, CHILD##. a) Log on to your CUA child system as administration user ID CHILD_OF_. b) Run transaction SU01. c) Enter CHILD## in the User field and then choose the Display pushbutton. d) Note the data on all the tab pages. Note the Last Changed On field. Note the changeability when you enter the change mode: Only some fields that are ready for input (these should be the fields that you did not set to Global in transaction SCUM for maintaining field distribution parameters). e) Close the user master record. 4. Log on to your CUA child system as user CHILD## and maintain your own (user) data.


97



g) On the Roles tab page, use the F4 help for a blank line to select the (logical) system of your CUA child system. In the same line, use the F4 help to select your new role, Z_SAP_BC_ENDUSER (for this, you may need to search for roles Z_SAP*).


a) Log on to your CUA child system as new user CHILD##. You have to enter the initial password and a new password (twice). b) To maintain your own user data, you may do the following: ●

On the SAP Easy Access screen, choose Menu Â…&m!·- User Menu Â…&m!·- Basis Functions Â…&m!·- Maintain Own User Data (Address, Default Values, Parameters).

●

Choose System Â…&m!·- User Profile Â…&m!·- Own Data.

●

Run transaction SU3.

c) Note the restricted changeability of the fields. Change some data. d) Save your data. 5. Log on to your CUA central system as user CHILD## and maintain your own (user) data. a) Log on to your CUA central system as new user CHILD##. You will see a status message that you cannot log on to the CUA central system because of a missing CUA system assignment. 6. In your CUA central system, use transaction SUIM to check which roles are assigned to the user you just created in all the systems connected to CUA. a) Log on to your CUA central system as administration user ID -##.

98

c) On the User Information System screen, choose User Information System Â…&m!·- User Â…&m!·Cross-System Information (Central User Administration) -> Users by Roles. d) Run the Users by Roles report. e) On the Report Cross-System Information/Role screen, enter CHILD## in the User Name field. f) Choose the Execute pushbutton.




b) Run transaction SUIM (User Information System).




●





99

Unit 3 Lesson 2 Work with Directory Services

LESSON OVERVIEW This lesson describes how to work with directory services. Business Example Your company uses a directory service to centrally store personnel data. As a member of the user administration team for SAP systems, you need to get an overview of directory services and find out how you can connect your SAP system to this directory service. For this reason, you require the following knowledge: ●

An understanding of directory services

●



LESSON OBJECTIVES After completing this lesson, you will be able to: Explain directory services

Directory Services

Figure 44: Properties of Directory Services

On the Internet, as well as in company networks, there is a danger that information can be lost because it is made available in an unstructured way, it may become obsolete, or no one knows that it exists. Therefore, a modern information system such as a directory server is needed. A directory server is an information system for particular information.

100


Lesson: Work with Directory Services

Directory services act as a central repository for data that is used by various applications. Directory services are typically used to store information about users, documents, or hardware resources, but can also be used to store other types of object. Directory services help us in answering questions such as “What is the project leader’s e-mail address?” or “Where is the nearest color printer?” Directory services are similar to the yellow pages that help in finding a lawyer or the nearest florist. Unlike a relational database management system (RDBMS) where information is stored in two-dimensional tables, directory services use a hierarchical (tree) structure to organize data. Another difference is the relationship of write to read accesses. Directory services are designed so that multiple users can have read access at the same time. However, unlike relational databases, directory services do not support transaction lock concepts, or expensive queries such as joins.

Figure 45: Example Scenario with a Directory Service

Directory services can fully demonstrate their strengths in heterogeneous system landscapes (where products from different vendors are used). In the figure, the example shows a scenario in which a company hires a new employee. The details of this employee are first entered in the HR system (which can be an SAP system or come from a different vendor). Some of the employee details, such as name, personnel number, telephone number, e-mail address, department, and group assignment, are transferred to the corporate directory server. On the other hand, details, such as date of employment, manager, and salary, are deliberately held only in the HR system. Connecting different applications to the directory service offers the following advantages: ● The new employee can immediately log on to the corporate domain at the operating system level. ●

The employee has a functioning e-mail account immediately.


101



Example Scenario with a Directory Service


●

The telephone and fax numbers are assigned to the user centrally.

●

The employee can log on to SAP NetWeaver Portal.

●

●

The employee can access certain SAP systems such as SAP Supplier Relationship Management (SAP SRM) to place orders. Other external systems can be easily integrated.

Conversely, if an employee leaves the company, information about the employee is deleted from the HR system and, therefore, also from the directory. Consequently, the system deletes or locks all accounts of the employee, which is not an easy task if it has to be performed manually. Lightweight Directory Access Protocol (LDAP) LDAP describes how operations are to be formulated for a directory service. The most common operation is querying entries, however, it is also possible to create, change, or delete entries.

LDAPv2 was implemented in 1995 by Yeong, Howes, and Kille at the University of Michigan. This was implemented to minimize the complexity of clients to help facilitate widespread deployment of applications capable of utilizing the directory. LDAP uses a Transmission Control Protocol/Internet Protocol (TCP/IP) stack and simplifies access to X.500 servers. The current version of LDAP is LDAPv3.

Note: For more information about the technical details of LDAP protocol, see Request for Comments (RFC) 2251 and for RFCs, see www.ietf.org. An X.500 server is no longer required; various vendors offer standalone servers that can be addressed using LDAP. In addition to commercial products (such as, eDirectory from Novell, Java System Directory Server from Sun and now Oracle, DirX from Siemens, and Active Directory from Microsoft), there is also an Open Source development.

Note: For more information about Open Source development, see www.openldap.org.

The Data Model There are a number of models for LDAP. In addition to the access protocol, these define how information is stored and identified, and how access is protected. A directory contains entries that consist of one or more attributes. An attribute consists of a type (frequently abbreviated strings, such as cn for common name, c for country, or mail for e-mail address) and one or more values. Certain attributes are required, while others are optional; this is controlled with LDAP using a special attribute, object class. Object classes have an inheritance hierarchy. The information about object classes and attribute types is stored in schemas, which are provided by Internet organizations and vendors of directory servers (which can be customized by the user).

102




LDAP follows the client/server model. In this model, one or more servers hold the information that the client(s) access. Originally, LDAP implemented only communication with an X.500 server, as described by the International Organization for Standardization (ISO).


Hierarchy of Object Classes

Figure 46: Hierarchy of Object Classes



The figure shows the hierarchy of object classes. Entry in a Directory

Figure 47: Entry in a Directory

The entries in a directory are organized in a hierarchical tree structure. Each entry contains a name that is unique across the directory and is also known as Distinguished Name (DN). The DN is created by describing the path from the entry to the root of the tree in the form of a comma-separated list, for example, cn=LHeepmann, ou=instructors, o=sap_lgd, c=de. An individual component of the DN is called the Relative Distinguished Name (RDN), which always identifies the node uniquely, relative to the superordinate node in the tree. Two nodes under the same superordinate node, therefore, cannot have the same RDN.


103


Directory Information Tree (DIT)

The figure shows the DIT structure. The entire tree of entries (which can be stored physically across multiple hosts) is called the DIT. SAP and Directory Services SAP has provided ways to connect SAP systems to directory services for a number of years. In 1997, the LDAP Gateway, a program that runs independent of the application server, was delivered in Java with SAP Basis 4.0A (supported up to SAP Basis 4.6B). Integration into the application server came with the LDAP Connector, which has been available since SAP Basis 4.6A. With Application Server ABAP (AS ABAP) 6.10, user-friendly functions for user master synchronization (mapping, delta management, and synchronization) were added in the SAP systems. The SAP partner directory (http://www.sap.com/partners/customers/directories/ SearchSolution.epx, ) contains a list of partners certified by SAP for the directory server interface . SAP NetWeaver Portals also require storage for user data such as master data and group assignment (user persistence store). SAP Enterprise Portal 5.0 (first delivered at the end of 2001) uses one or more directory servers for this purpose. The system checks the user data against these directory servers when the users log on to the portal. As of Application Server Java (AS Java) 6.20, the User Management Engine (UME) offers different options to store the user data (called data sources). Directory servers are used for most portal implementations.

104




Figure 48: DIT


Central User Administration (CUA) and Directory Services

Both CUA and directory services allow you to maintain user data at one location and to synchronize user data in multiple systems. Both concepts can be implemented independently and you can also connect them with each other. In this way, you can use CUA to connect SAP systems with SAP Basis 4.5 or 4.6, while other SAP systems based on AS ABAP 6.10 or above can also be connected directly to the directory service. In a scenario of this type, LDAP synchronization works as a remote control for CUA, which means that all prerequisites and restrictions of CUA continue to apply.

INTERACTIVE ELEMENT: Breakout Rooms 1. What are the advantages of connecting different applications to the directory server? . . . . . . . . . .


105



Figure 49: CUA and Directory Services


LESSON SUMMARY You should now be able to: Explain directory services



●

106


Unit 3 Lesson 3 Describe SAP Governance, Risk, and Compliance (GRC) 10.0

LESSON OVERVIEW This lesson explains SAP governance, risk, and compliance (GRC) and how this solution helps companies proactively balance risk and opportunity. The lesson also explains compliance initiatives from various regions of the world and the benefits of an integrated solution. Business Example You are managing an ERP system and you need to detect any potential risks and compliance violations in your environment. You also have to come up with a strategy how to integrate SAP GRC into your landscape.

●

An understanding of SAP GRC solutions

●

An understanding of SAP GRC convergence

●

An understanding of the key features and benefits of SAP GRC

●

An understanding of SAP GRC integration

●

An understanding of GRC apps

●

An understanding of how to run reports and view dashboards



For this reason, you require the following knowledge:


Explain SAP Governance, Risk, and Compliance (GRC) 10.0


107


Introduction to SAP Governance, Risk, and Compliance (GRC) 10.0

Figure 50: Risk – Overview

Companies with an advanced perspective of risk and mature management practices recognize that risk is present throughout their business.



Companies need to realize that risks can have a detrimental impact on performance. They should understand the link between risk and performance and also understand how to optimize their business in light of risks to which they are exposed. The GRC solutions help companies to prevent, manage, and respond to risks. GRC Initiatives

Figure 51: GRC initiatives

GRC requirements are pervasive. Knowledge of their business, related risks, compliance, and policy requirements is critical for everyone, everywhere. Regardless of your industry, regardless of where you sit in the organization, there is a set of questions that you need to ask yourself.

108


Lesson: Describe SAP Governance, Risk, and Compliance (GRC) 10.0

The Cost of Not Knowing the Different Risks

Figure 52: The Cost of Not Knowing the Different Risks

The operational cost can be significant in the following instances: ● If you are not able to answer important questions about your business. ●

If you cannot link your investments in GRC programs to performance.



●

If you cannot confidently address complex and constantly changing regulatory requirements.

Balance of Risk and Opportunity

Figure 53: Proactively Balance Risk and Opportunity

SAP GRC solutions help companies to proactively balance risk and opportunity through the following objectives: The objectives of GRC solutions ● Customers can better manage risk, compliance, and other GRC initiatives.


109


●

Customers can better protect their value.

●

Organizations can perform better.

The goal of SAP GRC solutions is to enable organizations to see all risks and compliance issues so that they can make optimal decisions in light of both the opportunity ahead and the related risks. SAP GRC Solutions Capability Model

110

The model illustrates the broad range of capabilities incorporated with SAP GRC solutions.

Note: This capability model is not meant to represent the technical architecture in any way. SAP GRC solutions consist of the following main areas of capabilities: Analyze

●

●

Manage

●

Monitor




Figure 54: SAP GRC Solutions Capability Model


SAP GRC Solutions

Figure 55: SAP GRC Solutions

SAP GRC solutions are delivered through four primary solutions as shown in the figure. These solutions help customers automate risk and compliance, protect their value, and optimize their performance. Enterprise GRC – Risk-Intelligent Management



Figure 56: Enterprise GRC – Risk-Intelligent Management

If companies focus on the three core capabilities listed in the figure, they are able to build a level of risk intelligence and leverage this risk intelligence to increase performance. The core capabilities of Enterprise GRC are as follows: ● Companies are able to automate the key risk and compliance management activities that are often manual, time consuming, resource intensive, and costly. Automation allows companies to be much more efficient and effective in how they manage these activities, which helps improve performance.


111


●

●

Companies are able to leverage real-time monitoring capabilities to monitor KRIs and compliance effectiveness. This is done to enable the companies to proactively identify and respond to any increased risk exposure or compliance violation before the business is negatively impacted. The companies are able to minimize the impact and duration of, if not prevent altogether, risk events and compliance violations. Companies are able to incorporate risk and compliance into the strategic planning and operations processes so that core business processes are executed in a risk-intelligent manner.

Access Risk Management

The business challenge today is that companies continue to struggle to effectively manage access risk, with segregation of duties (SoD) and excessive access rights being the top contributors to fraud and audit findings. Regulatory requirements increase, often resulting in multiple compliance teams across departments and reliance on manual compliance processes. With thousands of users, roles, and processes to test and with multiple compliance applications taxing the IT resources, excessive time is spent documenting processes for auditors instead of focusing on business operations. This fragmented and costly approach for managing access risk leads to reactive – rather than proactive – access risk prevention, inefficient compliance processes, and a lack of real-time visibility into access risk. The solution is SAP Access Control, which addresses these challenges by enabling businesses to confidently manage and reduce access risk across the enterprise. It helps prevent unauthorized access including SoD and critical access, while providing real-time monitoring of access risk and minimizing the time and cost of access risk management. The SAP Access Control application unifies access risk analysis and remediation, business role management, compliant identity management, and emergency privilege management. As a result, this application provides a holistic, enterprise-wide view in real time. It can help ensure day-to-day compliance, provide a comprehensive overview to management, and perform effective and complete audits. The result is an improved ability to protect information and prevent fraud while minimizing the time and cost of access risk management.

112




Figure 57: Access Risk Management


Global Trade Services

Figure 58: Global Trade Services

The Global Trade Services application helps companies automate trade compliance and accomplish the following goals: ● Global Trade Services enables better management of global trade operations by automating many critical trade processes and also integrating directly with supply chain systems. The result of this action is the ongoing trade compliance at a reduced effort, time, and cost. ●

●

Global Trade Services helps companies to ensure ongoing compliance by providing one comprehensive and integrated global trade compliance solution. Critical capabilities are built in, such as sanctioned-party list screening (to avoid inappropriate and illegal trade) and the ability to manage multiple global trade compliance programs cohesively. Global Trade Services allows companies to optimize the cross-border supply chain by automating and optimizing trade activities to speed transactions and consistently meet customer commitments.


113



The global environment today is increasingly dynamic and unpredictable – making international trade risky, volatile, and costly. These realities include complex trade compliance demands, fluctuating transportation costs, and increasing cross-border regulations and drive the need for advanced global trade solutions.


Continuous Transaction Monitoring

Figure 59: Continuous Transaction Monitoring

The SAP Continuous Transaction Monitoring solution allows you to identify and correct errors, waste, abuse, policy violations, and potential fraud. These issues can be revealed only through the in-depth analysis of transactions that are recorded as completed business activities. The key benefits of Continuous Transaction Montoring are as follows: Customers can identify potential problems and, therefore, speed up and improve the quality of business processes. This allows customers to decrease the effort and cost of inspection and increase both throughput and accuracy. This also reduces the operational cost of business processes. Many customers are able to correct problems as they occur. A few customers go on to identify and eliminate systemic problems that lead to repeated occurrences.

114

●

●

Customers are able to increase insight into their business activities, which allows them to know and understand what is really happening and to identify individual occurrences of potential policy or procedure violations. This ensures greater transparency and allows customers to drive a change in behavior. Customers are able to increase margin contribution. For example, by reviewing all purchase transactions, customers are able to make better purchase decisions. Similarly, by reviewing sales orders, they are able to make better sales decisions. Thus, optimizing the discounts, costs, and revenues can help reduce the selling price of the goods sold by the company.




●


Key Benefits of the SAP GRC Solutions

Figure 60: Key Benefits of the SAP GRC Solutions

Some key benefits of the GRC solutions are as follows: The GRC solutions provide the most comprehensive set of capabilities. As illustrated in the solution architecture capability model, SAP has the most comprehensive set of capabilities available. SAP delivers the broadest capabilities to analyze, manage, and monitor activities across risk and compliance management, internal audit, and policy management activities that help SAP customers to perform better across both SAP and non-SAP systems

●

The GRC solutions ensure proactive monitoring across KRIs and compliance effectiveness. SAP combines proactive montoring with comprehensive management capabilities across the governance, risk, and compliance KRIs. Proactive monitoring actually allows customers to prevent a risk or violation from occurring. SAP customers are leveraging this ability to proactively monitor risk and compliance effectiveness. This allows SAP customers to focus their time, resources, and investments on executing and managing their core business activities, rather than reacting to a risk, compliance violation, or loss event

●

The GRC solutions offer industry-specific risk, compliance, and process content. SAP solutions are delivered with industry-specific risk, compliance, and process content so that customers can quickly realize the value in their GRC investments and can manage risks and regulatory requirements specific to them

●

The GRC solutions are proven. SAP GRC solutions are enabling global customers to know their business and optimize performance across virtually every industry. This is made possible by helping customers to better manage their governance, risk, and compliance programs, to better protect against risk events, and, ultimately, to link risk to performance in order to achieve remarkable results

Governance, Risk, and Compliance Key Processes in GRC 10.0 SAP GRC solutions are designed to support companies in managing their Governance, Risk and Compliance (GRC) initiatives. SAP GRC offers several solutions that will help companies


115



●


to comply with legal compliance regulations and internal company policies . Key processes are described here to show how they work in the GRC solutions. Products in GRC Solutions include the following: ●

Access Control - Manage Segregation of Duties , security role, user access, and emergency access

●

Process Control - Review, monitor and document processes and remediation of issues

●

Risk Management – Review, monitor and document Key Risk Indicators (KRI)

●

●

Global Trade Services – Manage and document trade information globally; produce documentation for Customs officials for cross-border shipments Electronic Invoicing for Brazil (Nota Fiscal Eletronica) – Brazilian Electronic Invoice requirement

116

Figure 61: Key Processes - Risk Management

The Risk Management process allows a company to identify, mitigate, and monitor critical business risks that may have a negative impact on the performance, goals, and objectives of the company. The Enterprise Risk Management (ERM) process often allows management to prioritize scarce resources to mitigate the highest-risk areas of the company.




Key Processes - Risk Management


Key Processes – Compliance Management

Figure 62: Key Processes – Compliance Management

Compliance evaluation includes self-assessments and management assessments (using user-definable surveys), manual testing (using test plans), and automated testing and monitoring (using business rules). If the system identifies exceptions during the evaluation process, it creates issues and assigns them for remediation. When the issues are identified, users need to review and determine how these issues are processed. Key Processes – Audit Management

Figure 63: Key Processes – Audit Management


117



The Compliance Management process provides you with documentation on compliance structures and related compliance initiatives. A risk-based approach to scoping helps a company to focus on compliance evaluation for those control activities that are most likely to fail with a potentially negative impact on the company.


The Audit Management process involves risk-based audit planning, preparation, fieldwork, execution, and reporting. This involves the use of the SAP NetWeaver Audit Management application. Key Processes – Policy Management

The Policy Management process enables end-to-end management of corporate policies aligned with risk and compliance management, including creation, localization, distribution, and acknowledgement of policies. Key Processes – Access Risk Management

Figure 65: Key Processes – Access Risk Management

The Access Risk Management process provides the ability to manage and monitor user privileges while ensuring compliance with security policies related to SoD and restriction of critical permissions. You can prevent, monitor, and manage access conflicts present at the system, infrastructure, and application levels.

118




Figure 64: Key Processes – Policy Management


Key Processes – Trade Management

The Trade Management process involves controlling the risk and cost of international trade by ensuring compliance with global regulations, accelerating trade activities, and minimizing duties. For example, SAP Electronic Invoicing for Brazil (Nota Fiscal Eletronica) supports companies in complying with the requirements of the Brazilian authorities for electronic invoicing.

SAP GRC Convergence

Figure 67: GRC Convergence Survey Response

In terms of governance, risk, and compliance, SAP and executives from across the world believe strongly in convergence. In February 2010, KPMG released a global survey on GRC. Working with the Economist Intelligence Unit (EIU), KPMG surveyed 542 executives from a wide range of industries and regions, with approximately a third from each major region of the world. One of the very consistent themes that arose in this survey was that almost two-thirds of the respondents (64%) said GRC convergence was a priority for their organizations. As per the report and many SAP customers, GRC is a topic that has become too unwieldy in most organizations. As the users try to manage GRC, they find that it is too costly, requires too many resources, and leaves them exposed to undue risk. Customers believe that GRC


119



Figure 66: Key Processes – Trade Management


convergence will help them address these issues by reducing their costs and risk exposure and improving the overall performance of their businesses. Importance of GRC Convergence

120

Business Example: Leadership sets a strategy to increase penetration in some of the markets that the company serves. In this example, a variety of related operational initiatives are put into place by different lines of business. Sales and marketing analyzes the demand to establish and accept a target for the expanded penetration. The analysis is communicated to the production planning and they plan to increase production. The manufacturing team works with strategic sourcing to establish the amount of increase in supply of raw materials. They decide on two suppliers for a critical component based upon known performance and other factors that can meet the demand. Manufacturing ramps up additional capacity and pushes more product off the line. Distribution works to get the product into the targeted markets. Sales and marketing work to get the product into customers’ hands and, ultimately, achieve success.




Figure 68: Example Depicting the Importance of GRC Convergence


Disconnection Between Risks, Policies, and Compliance

Figure 69: Disconnection Between Risks, Policies, and Compliance

Add to this the complex composition of most modern companies – a multitude of business processes spanning organizations across several regions, coupled with differing compliance requirements – and the answer is that, unfortunately, you cannot close the performance loop. There is a lot of duplication of effort as organizations try to solve this problem and often there are duplicate activities and technologies in addressing this issue. But even more important is the fact that without getting a clear view into these elements and understanding them, most companies face undue or even catastrophic risks that they are unable to identify or remediate. SAP believes that GRC convergence can help address this problem and is uniquely qualified to deliver solutions to support this movement.


121



The core issue is how do you close the performance loop when there is a clear disconnect between risks, policies, and compliance.


Comprehensive Approach in GRC

122

Enterprise GRC refers to a platform that enables organizations to gain visibility into and efficiently manage all of their risk and compliance activities across the disciplines of Risk Management, Compliance Management, Audit Management, Policy Management, and Access Management. SAP is committed to enabling customers to realize GRC convergence, a key aspect of which is to ensure that GRC is optimized for SAP but not tethered to SAP. Many customers maintain hybrid environments or have chosen a different business process platform. The SAP GRC 10.0 solution is designed to tightly integrate with SAP and also to leverage adapters from technology partners and open APIs, such as web services, to loosely work with other platforms as well. While the application process stack is important, partnership with vendors such as CA, Novell, and Sensage extends the GRC platform across the IT stack, including IT infrastructure and applications, together with categories such as Identity Management integration. The content framework of the GRC solution allows close work with both system integrators and technology service providers to provide out-of-the-box content. This content provides a starting point for customers with specific business scenarios. Through integration with SAP Performance Management, GRC is truly able to close the performance loop by ensuring that risks are tied closely to KPIs in the strategic management process, that risk influences the planning or supply chain process, and that the controls can be tied to consolidation processes to ensure a compliant close.




Figure 70: Comprehensive Approach in GRC


Key Features in SAP GRC 10.0

Figure 71: Purpose and Value of a Common Technical Platform

SAP GRC 10.0 reduces the total cost of ownership (TCO) due to lower overall implementation, administrative, and maintenance costs because the GRC solutions leverage a common technology (ABAP) platform and appropriately shared Implementation Guide (IMG). Enhancements and Benefits of a Common Technical Platform

Figure 72: Enhancements and Benefits of a Common Technical Platform


123



The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions. Sharing is optional because some customers prefer a silo approach whereas others seek to consolidate and integrate their GRC activities.


Enhanced Visualization and Streamlined Navigation

Figure 73: Purpose and Value of Enhanced Visualization and Streamlined Navigation

Streamlined user navigation with shared work centers emphasizes function rather than component. This significantly reduces duplication of menu items (for example, one inbox and not three) and facilitates sharing of data and functions.

Enhancements and Key Benefits of Visualization and Streamlined Navigation

Figure 74: Enhancements and Key Benefits of Visualization and Streamlined Navigation

124




The menu items that the individual user sees within each work center are controlled by the GRC roles of that user. This also enables data shared across components to be viewed differently by different users.


Configurable User Interface

The configurable user interface allows the configuration to determine the field status by application components. For example, the organization field Average Cost per Control can be shown for the users authorized for SAP Process Control and hidden from the users unauthorized for Access Control. Field statuses (the Required field, the Optional field, the Displayed field, or the Hidden field) can be selected by field, component, or even regulation, if applicable. Changes to the field status are reflected on the user interface without requiring programming. Enhancements and Benefits of the Configurable User Interface

Figure 76: Enhancements and Benefits of the Configurable User Interface


125



Figure 75: Purpose and Value of the Configurable User Interface


Improved Reporting

Figure 77: Purpose and Value of Improved Reporting

GRC reporting leverages the SAP BusinessSuite ABAP List Viewer (ALV)-crystal integration framework to present and personalize ABAP (WebDynpro) reports and convert the reports into SAP Crystal Reports. This lowers TCO and extends the benefits and functionality of Crystal Reports without the need for a separate SAP BusinessObjects Enterprise Server. Enhancements and Benefits of Reporting



Figure 78: Enhancements and Benefits of Reporting

Existing reports are refined on the basis of customer feedback to make them more usable and to facilitate exception management for continuous control monitoring. Dashboard technology enables reporting across all continuous monitoring results and exceptions for better visibility and to facilitate remediation for continuous monitoring. The SAP BusinessObjects Enterprise Server is optional for using the Crystal Reports framework.

126



Enhanced Policy Management

Figure 79: Purpose and Value of Enhanced Policy Management

Policy Management provides complete lifecycle management for corporate policies, and it aligns policies with risk and compliance management activities. Effective policy management reduces enterprise risk and improves corporate governance with management guidance for the behavior, actions, and decision-making processes of an organization. Enhancements and Benefits of Policy Management



Figure 80: Enhancements and Benefits of Policy Management

As a common function, Policy Management is available to customers who purchase Process Control or Risk Management. In a compliance scenario, a policy is related to organizations, processes, risks, and controls. As part of enterprise risk management, a policy is used as a risk response and can also be related to organizational activities. In general, the user measures the adherence to policies with acknowledgements, surveys, or quizzes.


127


Enhanced Business Rule Framework

Figure 81: Purpose and Value of the Enhanced Business Rule Framework

The enhanced, user-configurable rule engine gives customers maximum flexibility in defining their automated rules for automated testing and monitoring. You can monitor a much wider range of back-end systems, consume data from non-SAP systems without needing thirdparty tools, process asynchronous events, and automatically analyze SAP Basis change logs. Enhancements and Benefits of the Business Rule Framework



Figure 82: Enhancements and Benefits of the Business Rule Framework

The enhanced Business Rule Framework empowers business users by reducing dependency on IT resources.The load on expensive IT resources are also lessened.

128



Content Lifecycle Management (CLM)

Figure 83: Purpose and Value of CLM

CLM supports check-in, version control, comparisons, and deployment of packaged content. CLM also formalizes the ability to export structured content to Microsoft Excel and check changes back in the system. This is an enormous productivity boost for making initial implementations, getting content into GRC from legacy or reference systems, making periodic updates, and expanding implementations. Enhancements and Benefits of CLM



Figure 84: Enhancements and Benefits of CLM

SAP GRC Integration The SAP GRC 10.0 solution integrates with several other systems and applications, both across the solution and for specific solution components. The following integrations are applicable across the SAP GRC 10.0 solution:


129


Figure 85: .GRC 10.0 Solution Integration Overview

Access Control Integration

●

HR Triggers integration

●

Identity Management (IdM) integration



Access Control 10.0 includes capabilities for the following integrations: ● Process Control and Risk Management integration for shared Master Data

Access Control Integration - Shared Master Data

Figure 86: Access Control Integration for Shared Master Data

Access Control Integration – HR Triggers The HR Triggers functionality of Access Control 10.0 allows the creation of automatic access requests, corresponding to changes in the master data in SAP or non-SAP HR systems. When an event is triggered in the SAP HR system, such as hiring a new employee, rules are applied and a corresponding action to create a workflow request is initiated in the Access Control

130



solution. The workflow processes the request and provisions to the back-end system by direct assignment or indirect assignment. The configuration of HR Triggers in Access Control 10.0 includes the configuration of actions, rules, and field mapping.

Note: Users do not need to complete an access request form.

Figure 87: HR Integration Process Flow

Access Control and Identity Management Integration Overview Identity Management solutions provide the key infrastructure to manage user accounts in multiple back-end systems. Access Control currently provides integration with Identity Management solutions for enterprise-wide compliant provisioning. This integration enables customers to deploy an automated business and risk-driven Access Control solution enterprise-wide. With this solution, business owners can control access, security posture, and risk on the basis of business-relevant values without requiring domain-specific knowledge of each IT system. SAP Access Control provides robust integration with Identity Management solutions and continues to focus on its own core competencies of risk, SoD, and remediation. To support this strategy, Access Control integrates with market-leading Identity Management vendors, such as Oracle, SUN, and Novell, and integrates and optimizes with SAP NetWeaver Identity Management.


131



HR Integration Process Flow


User Provisioning Scenarios with Identity Management Integration

Figure 88: Access Control - Identity Management Supported Scenarios

GRC-driven provisioning is initiated in the GRC solutions, provisioned by the GRC solutions for SAP systems, and provisioned in Identity Management for non-SAP solutions.



Identity Management-driven provisioning is initiated in Identity Management, submitted to the GRC solutions through web services, provisioned by the GRC solutions for SAP systems, and provisioned in Identity Management for non-SAP systems. GRC-Driven Provisioning Process Flow

Figure 89: GRC-Driven Provisioning Process Flow

GRC-driven provisioning process flow: 1. The user logs on to the Access Control application and creates an access request. 2. The request follows the approval process.

132



3. Access risk analysis and remediation is carried out in the GRC application for requested roles. 4. The approver either approves or rejects the request. If the request is approved, access to SAP systems is provisioned by the GRC application and non-SAP requests are sent to Identity Management for provisioning.

Figure 90: Identity Management-Driven Provisioning

Identity Management-driven provisioning process flow: 1. The user logs on to the Identity Management application, creates an access request, and submits it to the GRC application. 2. The request follows the approval process in the GRC application. 3. Access risk analysis and remediation is carried out in the GRC application for requested roles. 4. The approver either approves or rejects the request. If the request is approved, access to SAP systems is provisioned by the GRC application and non-SAP requests are sent to Identity Management for provisioning. Process Control Integration Integrations for Process Control 10.0 include the following types of integration: Process Integration

●

●

SoD Integration


133



Identity Management-Driven Provisioning


Process Integration

Figure 91: Process Integration

Process Control – SoD Integration



The Process Integration proxy is used to monitor another system, so only Outbound Proxy is supported. Process Integration allows you to monitor deficiencies in other systems. The Process Integration proxy must be complete before you proceed on the portal.

Figure 92: SoD Integration

SoD Integration allows you to perform the following tasks: ● Use SoD analysis results from the Access Control’s solution to mitigate a risk identified in the Process Control applications. The frequency of the AC SoD analysis can be automatically, weekly, or monthly. ●

View job step results for SoD Integration in the Job Monitor.

If you identify a risk in the Process Control application, you can use SoD analysis results of Access Control to mitigate that risk. The monitor allows you to see all job results without receiving a task.

134



Risk Management Integration

Figure 93: Risk Management Integration Overview

Risk Management integrates with several other systems to help users identify and manage risk from one location. The risk manager is responsible to check the current status of the scenarios.




135




136


Unit 3 Exercise 5 Run Reports and View Dashboards

Business Example You want to review information about access risks and other risks for your company and its compliance status. With the Harmonized Reporting Framework, you can view reports and dashboards for all of these areas from one work center, Reports and Analytics. System Data System: ZMC Client: 800 User ID: XX-CUSTOM (where XX is your user ID) Password: Password was changed by participant upon initial logon Task 1

1. Launch SAP NetWeaver Business Client or log on to the SAP GUI in system ZMC using the user xx-CUSTOM with password ‘initial’. 2. Choose the Reports and Analytics work center. 3. Under the Management work set, you will find dashboards for Risk Management. Choose Heatmap. 4. Choose a currency and then choose the OK pushbutton. 5. Explore the Risk Heatmap. 6. Close the Risk Heatmap when finished.

Task 2 View Compliance Dashboards for Process Control from the Reports and Analytics work center. 1. Choose the Risk-based Compliance Management Status dashboard under the Compliance work set.

Task 3 View Access Management Dashboards for Access Control in the Reports and Analytics work center. 1. Under the Access Management work set, choose User Authorization Analysis.


137



View Management dashboards for Risk Management.


2. Select Year for Period, current year for Year, and SOX for Regulation. Then choose the Go pushbutton.



138


Unit 3 Solution 5 Run Reports and View Dashboards

Business Example You want to review information about access risks and other risks for your company and its compliance status. With the Harmonized Reporting Framework, you can view reports and dashboards for all of these areas from one work center, Reports and Analytics. System Data System: ZMC Client: 800 User ID: XX-CUSTOM (where XX is your user ID) Password: Password was changed by participant upon initial logon Task 1

1. Launch SAP NetWeaver Business Client or log on to the SAP GUI in system ZMC using the user xx-CUSTOM with password ‘initial’. a) From the ABAP client, enter /nnwbc and then choose /nwbc in the NWBC window. 2. Choose the Reports and Analytics work center. 3. Under the Management work set, you will find dashboards for Risk Management. Choose Heatmap. a) Choose Reports and Analytics þœ‰˛ÿÆ Management þœ‰˛ÿÆ Heatmap. 4. Choose a currency and then choose the OK pushbutton. 5. Explore the Risk Heatmap. 6. Close the Risk Heatmap when finished.

Task 2 View Compliance Dashboards for Process Control from the Reports and Analytics work center. 1. Choose the Risk-based Compliance Management Status dashboard under the Compliance work set. a) Select Year for Period, current year for Year, and SOX for Regulation. Then choose the Go pushbutton.

Task 3


139



View Management dashboards for Risk Management.


View Access Management Dashboards for Access Control in the Reports and Analytics work center. 1. Under the Access Management work set, choose User Authorization Analysis. a) Choose Reports and Analytics ”ùÇn í¾ Access Management ”ùÇn í¾ User Risk Violation. 2. Select Year for Period, current year for Year, and SOX for Regulation. Then choose the Go pushbutton.



140



GRC Apps The SAP GRC applications are available as apps for smartphones. The GRC apps enable users, such as managers, to perform the following: ● Review and approve time-sensitive and operational-critical access requests. ●

Allow only authorized employees to gain access to systems.

●

Access systems using smartphones.

●

Attend their work in a timely manner.

●

Display lists of user and firefighter access requests.

●

Review user and firefighter access requests, with access details.

●

Review risks associated with a request (if risk analysis has already been performed).

●

Call or e-mail users to request additional information.

●

Add comments before approving or rejecting requests. Forward requests to people in your contacts list in case further analysis and simulation is needed.

Using the apps, users, such as managers, can review any risks associated with the access request and add comments before approving or rejecting the request, as appropriate. Integration with the built-in contacts application makes it quick and easy to contact users for additional information or to forward requests to colleagues for further analysis.


141



●


LESSON SUMMARY You should now be able to: Explain SAP Governance, Risk, and Compliance (GRC) 10.0



●

142


Unit 3 Lesson 4 Work with Identity Management

LESSON OVERVIEW This lesson provides an overview of Identity Management and how to work with it. Business Example You need to manage authorizations for systems within the company and execute the business processes efficiently. For this reason, you require the following knowledge: ●

An understanding of the Identity Management issues in heterogeneous system landscapes

●

An understanding of the SAP NetWeaver Identity Management architecture

●

An understanding of the Identity Center database

●


●


●




LESSON OBJECTIVES After completing this lesson, you will be able to:

What Is the Purpose of Identity Management?

Figure 94: What Is the Purpose of Identity Management?


143


SAP NetWeaver Identity Management Overview

Figure 95: SAP NetWeaver Identity Management Overview

The figure shows an overview of SAP NetWeaver Identity Management. User Life Cycle



Figure 96: User Life cycle

The figure shows how an identity develops throughout its life cycle and demonstrates the potential risks associated with the ineffective management of identities. In the example shown, as Chuck Brown progresses through the company, his permissions and access set increases. He still has some of the permissions that are no longer aligned with his job role and function. Even when he resigns, his permissions are in effect. This scenario has the following issues:

144


Lesson: Work with Identity Management

●

The user takes a long time to become productive.

●

The user needs to follow manual steps to get access.

●

The user still has authorizations for the systems because there is no de-provisioning of authorizations.

Partial User Management Centralization Before SAP offered the SAP NetWeaver Identity Management component, companies used Central User Administration (CUA) to centralize their user management processes. However, CUA is only supported for ABAP-based systems. For interoperability with Java systems that use a Lightweight Directory Access Protocol (LDAP) directory as a user store and for integration with non-SAP applications, users can be synchronized with an LDAP directory using the ABAP LDAP connector. For the central management of a heterogeneous system landscape, companies still need a third-party Identity Management product.

Figure 97: Holistic Identity Management Approach

With SAP NetWeaver Identity Management, SAP offers integrated Identity Management capabilities for heterogeneous system landscapes (SAP and non-SAP software), driven by business processes. The key components of SAP NetWeaver Identity Management are as follows: ● Central identity store The central identity store consolidates identity data from different source systems (for example, SAP ERP HCM) and then distributes this information to the target systems. ●

Approval workflows Workflows distribute the responsibility for authorization assignments to business process owners and managers.

●

Identity virtualization or identity as a service


145



Holistic Identity Management Approach


Identity virtualization provides access to the data within SAP NetWeaver Identity Management using services and standard protocols such as LDAP. ●

SAP Business Suite integration The integration of SAP ERP HCM as one of the possible source systems for identity information is a key functionality for enabling business-driven Identity Management.

●

Compliance checks for GRC The integration of heterogeneous systems with Compliant User Provisioning offers extensive functions for assuring compliance and segregation of duties in the role and authorization assignment process.

●

Definition and rule-based assignment of business roles Definition and rule-based assignment of business roles enables you to define different rule sets to assign roles to users. This means that the assignment can be performed automatically, based on the attributes of the identity.

●

Monitoring and audit Monitoring and audit provides auditors with one central place to check authorizations of employees in all systems. This information is also available for former employees.

●

Password management

●

Distribution of users and role assignments Distribution of users and role assignments handles user accounts and role assignments of SAP and non-SAP applications.

SAP NetWeaver Identity Management within the Technology Platform

Figure 98: SAP NetWeaver Identity Management within the Technology Platform

Identity Management is an integral part of the SAP NetWeaver technology platform. Some of the functions of Identity Management are as follows: It enables efficient and secure management of identity information.

●

146

●

It supports both SAP-only and heterogeneous system landscapes.

●

It integrates with the SAP NetWeaver platform and business applications.

●

It complements integrated SAP NetWeaver security frameworks.




A centralized password management system reduces calls to the help desk for password resets and enables password provisioning across a heterogeneous landscape.


Identity Management Components - Applications and Repositories

Figure 99: Applications and Repositories



Data Services

Figure 100: Data Services


147


Identity Store

Figure 101: Identity Store

The identity store is a relational database and not a directory server. The LDAP directory server is designed for returning small amounts of data. Extracting information about all employees from a directory server is not optimal, compared to extracting information from a relational database.

The LDAP filter is useful in searching for specific identities but cannot perform combined searches, such as INNER JOINS, which you can do in Structured Query Language (SQL). There are also cases where the Identity Management (and meta directory) suppliers want the customers to use the Identity Management supplier’s directory server only. The identity store has the following features: ● Dynamic storage of identity data ●

Meeting point for all identities

Identity Services

Figure 102: Identity Services

148




Traditionally, the LDAP servers are slow for updating data.


Identity Applications

Figure 103: Identity Applications

Figure 104: SAP NetWeaver Identity Management Architecture

The SAP NetWeaver Identity Management architecture consists of the following components: ● Virtual Directory Server (VDS) ●

Identity Center (IC)

VDS The VDS acts as a single access point for clients retrieving or updating data in multiple data repositories. VDS provides a unified view of the data in real time. You can use it, for example, to consolidate multiple repositories and then as a data source for the IC. You then use the IC for provisioning and performing Identity Management function


149



SAP NetWeaver Identity Management Architecture


Identity Center (IC) The IC is the primary component used for Identity Management It includes functions for identity provisioning, workflow, password management, logging, and reporting. The IC uses a database to store information about identities as well as configuration information. The workflow UI allows end users to access tasks such as requests or approvals. The monitoring UI is based on the same technology as the workflow UI. The monitoring UI enables administrators to access the audit and monitoring functionality as well as the status of the provisioning tasks. The management console is an add-on for the Microsoft management console. The management console is used to configure the processing logic of the Identity Center (that is, connect target systems, define workflow processes, and so on). The dispatcher is based on the runtime engine. The runtime engine is responsible for provisioning. The Identity Center retrieves data from the repositories, consolidates the data, transforms the data into the necessary formats, and publishes the data back to the various decentralized repositories.



Management Console

Figure 105: Management Console

The management console serves the following purposes: Administration

●

●

150

Development



Identity Management UI

Figure 106: Identity Management UI

The Identity Management UI is based on WebDynpro Java.



The Identity Management UI provides the main workflow interface for users and managers. This interface provides a web interface for registration and approvals, self-service interface, and password reset. The interface also provides monitoring and audit interfaces, such as logs and queues, for administrators.

Figure 107: Administration User Interface


151


Dispatcher

Figure 108: Dispatcher

The purpose of the dispatcher is to evaluate container tasks and start the runtime engine when tasks and jobs are to be executed.

152

The dispatcher runtime engine has the following features: Responsible for executing jobs

●

●

An advanced version of the runtime engine

●

Same basics as of the other runtime engines.

It is based on Microsoft Windows and Java. Event Agent The purpose of an event agent is to reduce data transfer latency. The event agent detects changes in repositories by using database triggers, LDAP change logs, and Java objects. The event agent schedules jobs for execution.




The dispatcher runs as a service on each machine executing jobs.


IC Database

Figure 109: Identity Center Database

The IC database is the core of the IC product. It contains tables, stored procedures, and triggers. The IC database holds the following information: Jobs ●

Logs

●

Audit data

●

Delta information

●

Status

●

Scheduling



●

The IC database works as an identity store.


153


Database Centric

Figure 110: Database Centric

Everything, including customer data availability and consistency, is based on the database. High availability is possible by maintaining a copy of the database.

The databases supported by SAP NetWeaver Identity Management are as follows: ● Microsoft SQL Server ●

Oracle

●

IBM DB2

Publishing Identity Data An LDAP directory server is used to publish the identity data. The identity data is published in the following ways: ● On the wire standard Based on LDAP or Services Provisioning Markup Language (SPML) and published by combining all the data together. ●

Inheritance The policy applied at the higher level is inherited down the hierarchy.

It is recommended to use SAP virtual directory to provide LDAP or SPML access to the IC database.

154




Database consistency assures continued processing, even if the system crashes.


A Little History



Figure 111: A Little History (1)





●


●



155




156



1. Identify the key benefits of using Central User Administration (CUA). Choose the correct answers. X

A You can maintain roles in one place.

X

B You can reduce the cost of user administration.

X

C You can create user data from multiple places.

X

D You can provide secure user administration by centralizing the work.

2. For which of the following purposes are Remote Function Call (RFC) connections used in the CUA scenario?

X

A To distribute user data from the central system to child systems

X

B To distribute user data from one child system to another

X

C To send changes to the data in the central system to the child systems

X

D To send status reports back to the central system

3. A path from an entry to the root of the tree is automatically defined when a Distinguished Name (DN) is created for an entry. Determine whether this statement is true or false. X

True

X

False


157



Choose the correct answers.


4. For Identity Management, which of the following scenarios does the SAP Governance, Risk, and Compliance (GRC) Access Control solution support? Choose the correct answers. X

A GRC solution-driven provisioning

X

B Segregation of duties (SoD) integration

X

C Identity Management-driven provisioning

X

D Enhancement Health and Security Risk Assessment

5. Which component of the SAP Governance, Risk, and Compliance (GRC) solution provides the ability to manage and monitor user privileges?

158

X

A Risk Management

X

B SAP Access Control

X

C SAP Process Control

X

D Global Trade Services

6. Which of the following are features of SAP Identity Management (IdM)? Choose the correct answers. X

A Integration of the different databases of SAP and non-SAP systems

X

B Compatible with integrated SAP NetWeaver security frameworks

X

C Performs as a Lightweight Directory Access Protocol (LDAP) connector

X

D Integration with SAP NetWeaver platform and business applications




Choose the correct answer.


1. Identify the key benefits of using Central User Administration (CUA). Choose the correct answers. X

A You can maintain roles in one place.

X

B You can reduce the cost of user administration.

X

C You can create user data from multiple places.

X

D You can provide secure user administration by centralizing the work.

2. For which of the following purposes are Remote Function Call (RFC) connections used in the CUA scenario?

X

A To distribute user data from the central system to child systems

X

B To distribute user data from one child system to another

X

C To send changes to the data in the central system to the child systems

X

D To send status reports back to the central system

3. A path from an entry to the root of the tree is automatically defined when a Distinguished Name (DN) is created for an entry. Determine whether this statement is true or false. X

True

X

False


159



Choose the correct answers.


4. For Identity Management, which of the following scenarios does the SAP Governance, Risk, and Compliance (GRC) Access Control solution support? Choose the correct answers. X

A GRC solution-driven provisioning

X

B Segregation of duties (SoD) integration

X

C Identity Management-driven provisioning

X

D Enhancement Health and Security Risk Assessment

5. Which component of the SAP Governance, Risk, and Compliance (GRC) solution provides the ability to manage and monitor user privileges?

160

X

A Risk Management

X

B SAP Access Control

X

C SAP Process Control

X

D Global Trade Services

6. Which of the following are features of SAP Identity Management (IdM)? Choose the correct answers. X

A Integration of the different databases of SAP and non-SAP systems

X

B Compatible with integrated SAP NetWeaver security frameworks

X

C Performs as a Lightweight Directory Access Protocol (LDAP) connector

X

D Integration with SAP NetWeaver platform and business applications





UNIT 4

Infrastructure Security

Lesson 1 Review Network Topology

162

Lesson 2 Enable Secure Network Communication (SNC)

174

Lesson 3 189

UNIT OBJECTIVES ●

Explain networking concepts

●

Explain Secure Network Communication (SNC)

●

Explain Secure Socket Layer (SSL)




Enable Secure Socket Layer (SSL)

161

Unit 4 Lesson 1 Review Network Topology

LESSON OVERVIEW This lesson explains the basics of networks and the network communication in the SAP environment. Business Example

●

An understanding of the network protocols

●

An understanding of the Open Systems Interconnection (OSI) model

●

An understanding of the Transmission Control Protocol/Internet Protocol (TCP/IP)

●

An understanding of the default ports and firewalls

●

An understanding of load balancing



You need to understand the basic network terms and concepts. For this reason, you require the following knowledge:



Network Protocols

Figure 114: Network Protocols

The figure shows the communication protocols and the firewall in a network.

162


Lesson: Review Network Topology

Protocols

Figure 115: Protocols

A protocol is a set of rules that define how communication takes place between communication partners. Different protocols are used when telephoning compared to broadcasting. In computer communication, different issues are handled at different levels.

●

How many volts pulse is a 0 and 1?

●

How to determine the end of a message?

●

How to handle lost messages?

●

How to identify computers?

●

How to connect to a computer?

●

How do applications communicate on a network?




Protocols deal with the following issues:

163

Unit 4: Infrastructure Security

OSI Model

Figure 116: Networking - Why do you need a Standard?

Due to the heterogeneous systems and communication media, there is a need to have a standard to enable communication between different partners.

Open system means that a system can communicate with any other system, which follows the specified standards, formats, and semantics. ISO-OSI Model

Figure 117: ISO-OSI Model

The OSI reference model describes how information from a software application in one computer moves through a network medium to a software application in another computer.

164




The International Organization for Standardization (ISO) has developed a standard model for communication called the OSI model.


The OSI reference model is a conceptual model composed of seven layers, each specifying particular network functions.

Layer

Name

Function

7

Application

Enables program-to-program communication

6

Presentation

Manages data representation and conversion, for example, the presentation layer converts data from EBCDIC to ASCII

5

Session

Establishes and maintains communication channels – in practice, this layer is often combined with the transport layer

4

Transport

Ensures end-to-end integrity of data transmission

3

Network

Routes data from one node to another

2

Data link

Passes data from one node to another, including error detection

1

Physical

Places data on the network media and takes the data off the network

TCP/IP – An Overview

Figure 118: TCP/IP Terms


165



The seven layers of the OSI model and their functions are described in the following table:


The data to be transmitted is passed down the stack from one layer to the next, until the data is transmitted across the network by the network access layer protocols. The four layers in this reference model (as shown in the figure) are designed to distinguish between the different ways that the data is handled as it passes down the protocol stack from the application layer to the underlying physical network. At the remote end, the data is passed up the stack to the receiving application. The individual layers do not know how the layers above or below them function; the layer knows only how to pass data to the other layers. Each layer in the stack adds control information, such as destination address, routing controls, and checksum, to ensure the proper delivery of data. This control information is called a header and/or a trailer because it is placed at the beginning or end of the data to be transmitted. Each layer treats all the information received from the layer above it as data and places its own header and/or trailer around that information. These wrapped messages are then passed to the layer below with additional control information, some of which may be forwarded or derived from the higher layer. When a message exits the system on a physical link, such as a wire, the original message is enveloped in multiple nested wrappers, one for each layer of the protocol through which the data passes. When a protocol uses headers or trailers to package the data from another protocol, the process is called encapsulation.



Default Ports

Figure 119: Default TCP Ports

Information sent across a network is not intended only for a computer but for a program on the computer. Every application that receives data from a TCP/IP network acquires a TCP port. These programs are distinguished by their ports. The TCP port is a 16-bit number (0-65535), which uniquely belongs to that application on that particular host. The application listens on that port for incoming messages. Some ports have numbers that are pre-assigned to services or programs by the Internet Assigned Numbers Authority (IANA). Port numbers can range from 0 through 65536, but port numbers from 0 through 1023 are reserved for privileged services and designated as wellknown ports. This list of well-known port numbers specifies the port used by the server process as its contact port. By default, these well-known ports are defined in the file etc/services.

166



Command netstat -a displays all the connections and ports listening on your computer.

Firewalls

A firewall is a system or a combination of systems that protects a networked system from unauthorized access. Firewalls can be implemented in hardware or software, or a combination of both. There are several types of firewall techniques that filter the traffic at different levels. Different Types of Firewalls

Figure 121: Different Types of Firewalls

The common types of firewalls are as follows: ● Packet filter Packet filters can filter the network traffic up to the TCP layer by looking at IP addresses, port numbers, and the type of protocol used. ●

Application level gateway


167



Figure 120: Firewalls


Application level gateways can analyze and control commands of the application protocol. IP Packet Filtering

Figure 122: IP Packet Filtering

168

The routers can filter IP packets for the following fields: Source IP address

●

●

Destination IP address

●

TCP source port

●

TCP destination port

Packet filters cannot filter information sent at the application level, so an application level gateway is used.




s„äR˝)ÕŸÕ}>Æ·Æ¥®˚ÎXêîÅflÝ,âž·gk[‡Ë%�ªcR˜D;łÛÃX�‚*›§YI[ML8V†þé@PÜœ…,_0ãã±”iæ…6‰u>/Ômt’88-PHÆav¸r-:“ú¼É§Ú–’AP»³€<î6Ä¡qè æ:~Ô?&ó.éŸàMô¹SžÉFáY“úGc!W·ÀfìÉUé4Kz’La§,ïÜ0õ‡>; "%.@™Pé!‹* interfaces of the router.


Application Level Gateway

Application level gateways do not allow any direct network connections between computers from one network to the other. Instead, all the connections from the external network must be made to the gateway, which interprets the protocol traffic and makes connections to the internal network on behalf of the outside requestor. The application level gateway consists of two TCP/IP stacks and application level proxies for each protocol. An application level proxy analyzes and controls the commands for its specific protocol, for example, HTTP. It may also provide additional authentication functionality. Firewall Architecture

Figure 124: Firewall Architecture and Demilitarized Zone (DMZ)


169



Figure 123: Application Level Gateway


You should not connect the servers that are accessible from the Internet directly to the internal network. You should use a two-layer firewall solution that provides additional security for internal networks, even if servers connected to the Internet are compromised. The network zone in between the two firewalls is often called the demilitarized zone (DMZ). If a server located in the DMZ is hacked, the hacker is still not able to access internal systems as the inner firewall limits the access. The DMZ protects valuable resources (for example, application systems) from direct exposure to an untrusted environment. Sometimes, it is also called a perimeter network. Services such as web servers, e-mail servers, and proxies are located in the DMZ.

Hint: The DMZ concept can also be applied to the internal network architecture.

Figure 125: IDS

An IDS is a product that automatically identifies attacks to networks or hosts. In case of an important event, security administrators can be notified about the intrusion. The basic types of IDS are as follows: ● Network-based IDS A network-based IDS monitors and analyzes the traffic for a whole network. ●

Host-based IDS A host-based IDS monitors and analyzes the network traffic, operation system, and file system of a single host.

If the two types of IDS are combined and their data is sent to a central server, it is called a distributed IDS.

Note: Bear in mind that no system automatically provides full security.

170




Intrusion Detection System (IDS)


Intrusion Prevention System (IPS)

Figure 126: IPS

An IPS is an extension of an IDS. Compared to IDS, the IPS is placed inline to actively prevent and block detected intrusions. The system is able to identify attacks and differences in the bit pattern of data traffic using signatures, abnormal algorithms, and advanced patterns. IPS can then take actions by sending an alarm, dropping the malicious packets, resetting the connection, or blocking the traffic from the offending IP address.

Load Balancing



Figure 127: Load Balancing Mechanisms

However, do not confuse load balancing with High Availability (HA). The various load balancing mechanisms are as follows: ● Redirections This mechanism is simple in terms of balancing load but has drawbacks with regard to user experience and maintenance (if there is a single load balancer, the application is not accessible while the load balancer is being maintained). ●

DNS-based methods


171


This mechanism is suitable for an intranet scenario and global load balancing. However, it is not suitable for server load balancing. ●

Load balancing device This mechanism is transparent for the client. It always uses the same URL. It has one official IP address for all application servers and has one server certificate for all servers. Even though it is technically challenging, it is still usually preferable.

Figure 128: Stateful User Sessions

Stateful applications impose special requirements on the load balancing mechanisms. HTTP is a stateless protocol, which means that the network connection does not last for the duration of a user session. The protocol provides no options to return a subsequent request to an already established session. While processing a request, the load balancer directs the user to a particular application server. If the load balancer directs the user to a different server for subsequent requests, the second server would not know what had already occurred on the first server. As a result, session context information is lost. For example, if the first context holds any locks on the data, the second session cannot access these locked items. There is a conflict between the application that uses stateful information and the stateless protocol. As a result, the load balancing device must ensure that all requests from an application session are always directed to the same application server.

172




Stateful User Sessions


Stateful User Sessions – Options

Figure 129: Stateful User Sessions – Options

To make sure that the client is always directed to the correct server, the application server can use a session ID. The application server either saves the session ID in a web browser cookie or inserts it in the URL of the user. In this case, the load balancer does not have to maintain the session information. The server information is contained in the cookie or the URL. As a result, you need access to the plain text information in the request. You cannot use Secure Socket Layer (SSL) for encryption. ●

IP address of the client To make sure that the client is always directed to a particular server, the load balancer uses the IP address of the client. This method works when using encrypted traffic, but there are a few problems. Proxies ÊA⁄-Š‰ç²>}ıÝÈ ÚŒµV$± 8@J)§’½ß~ªûÏœ j6½²Þˇ0ÙIwÛ°.¬…®UNxŠ“àžÂÜŁ*ıµNKÈ«£#Ö‘oÒ8ý¤P«k»Tu`ZúÊU_.üü8Úº<„Š Ò†K#AHƒçž`k˘¸ßºxˆ#`º¤˜9‹¼*Oi—h”²^[L»û‹¥õ=5AæÂB˚Õ‚˘ kmýfwí;‹OÏù1÷º all users who access the IP address of a client through a specific proxy are directed to the same server.




173



The following options are used to maintain stateful user sessions: ● Session ID

Unit 4 Lesson 2 Enable Secure Network Communication (SNC)

LESSON OVERVIEW This lesson explains how to set up and maintain Secure Network Communication (SNC) for the SAP NetWeaver Application Server (SAP NetWeaver AS). Business Example You need to set up SNC to secure Dynamic Information and Action Gateway (DIAG) and Remote Function Call (RFC) communication. For this reason, you require the following knowledge: ●

174

●

An understanding of enabling SNC on SAP NetWeaver Application Server ABAP (SAP NetWeaver AS ABAP) An understanding of enabling SNC on SAP NetWeaver Application Server Java (SAP NetWeaver AS Java)






●

An understanding of SNC

Lesson: Enable Secure Network Communication (SNC)

Work with SNC

This figure shows the possible connection protocols that can be secured by SNC: RFC and DIAG. Providing Privacy – SNC

Figure 131: Providing Privacy – SNC

For connections that use SAP protocols (for example, RFC and DIAG), SNC is used primarily for encryption. SNC can be applied to secure connections between the following SAP components:


175



Figure 130: Product Overview – SNC


●

Two SAP NetWeaver AS ABAP systems

●

SAP NetWeaver AS ABAP and SAP NetWeaver AS Java

●

SAP GUI and SAP NetWeaver AS ABAP

●

SAP routers

SNC must be configured and security libraries must be installed on each of the SAP NetWeaver components that become a communication partner. SNC can also be used with an external security product. SNC provides the following features: ● Authentication between SAP components ●

Integrity protection

●

Privacy protection

Figure 132: SNC on Various SAP NetWeaver AS

When using SNC, the two servers that communicate with each other (for example, SAP NetWeaver AS ABAP and SAP NetWeaver AS Java) have to be able to identify each other in the SNC layer. To establish communication between servers, you have the following options: Either create a single key pair and personal security environment (PSE) that is used by both servers.

●

●

Create individual PSE and exchange public key certificates.

The single PSE is easier to install and establish because the trust relationship is automatic. The single PSE specifies the SNC identity, therefore, all servers that use the same PSE have the same identity. A single identity automatically trusts itself. The individual PSE option is more transparent because each server possesses its own identity. However, in this case, you must manually establish the trust relationship between the žÉ,ƒ’D é^å7ˆÃ¹çM3'ÛÔò2»ñF€ˇüd!öc»± 4]2f�àÞ™É ÿ¾⁄pŠŒıáŒP¨Ò¢“ô.fäI˛4ïf‰¢ì~˘³ðúQ¢fiƒÝuAúJ<Àpvðò¥rú\ëµ−w�˛f˘ÓÒˆ›Ú\\ü˙‹

176




SNC on Various SAP NetWeaver AS


Establishing Trust When Using SNC

Figure 133: Establishing Trust When Using SNC

The options to establish the trust relationship for server-to-server communication are as follows: ● Use the same PSE for all components In this case, all the communicating servers or components share the same identity, which means that the components share the public and private key pair and the associated Distinguished Name (DN). All components use the same identity, therefore, the trust relationships between the components are automatically established. The advantage of this option is that it is easy to set up. The disadvantage of this option is that it is less transparent because all the components have the same identity and name. ●

Use individual PSEs and exchange public key certificates In this case, each server possesses its own identity, which means that each server has its own key pair and DN. The trust relationships are established among communication partners by exchange of the public key certificates belonging to each component to be trusted. For example, the two participating SAP NetWeaver AS ABAP systems must exchange certificates to trust each other and, similarly, SAP NetWeaver AS ABAP and SAP NetWeaver AS Java can also exchange certificates to trust each other. The advantage of this option is that it is transparent because each component has its own identity. The disadvantage of this option is that more configurations are required.


177



When using SNC, the components must identify and trust each other.


Enable SNC Between SAP NetWeaver AS ABAP Systems

Figure 134: SNC between SAP NetWeaver AS ABAP Systems

This figure shows the establishment of SNC between the SAP NetWeaver AS ABAP systems. Roadmap to Enabling SNC on SAP AS ABAP



Figure 135: Roadmap – Enabling SNC on SAP AS ABAP

The figure shows the roadmap for enabling SNC on SAP AS ABAP.

178



¸8Va*åô„¡ -CÒV�/ärÖÃšÞÍè¿�0ÛÑì⁄P®;A™ß´À6G°UoÔq)kŽ3ÄXMÎI¡;„¹;ŸŠm¯&r]{q–U¿}ã“ł*Ýø’ã™8]óö œq£´X§«6SV$m�2»fl/7ÆŽÞíqFGàÇê°¬çPƒ<5r#G]zº0ˆKäJó¾Çêª¼fi›=œ@*wÀ

The SAP Cryptographic Library contains the library file, a license ticket, and a configuration tool, sapgenpse.exe. The configuration tool is for SAP NetWeaver AS version 6.20 or for non-ABAP servers. To use the SAP Cryptographic Library, proceed as follows: ● The library and SAPGENPSE should be in directory $(DIR_EXECUTABLE). If not, move them to the correct location. ●

●

●

The license ticket should be in the directory where the environment variable SECUDIR points to, for example, directory $(DIR_INSTANCE)\sec. If not, move it to the correct location. For example, in the case of Microsoft Windows, use the following files: -

Library -D:\usr\sap\\SYS\exe\uc\\sapcrypto.dll

-

Ticket -D:\usr\sap\\\sec\ticket

Set the environment variable SECUDIR to the location of the license ticket.

For encryption, you must replace the default SAP Security Library, SAPSECULIB, with the SAP Cryptographic Library.


179



Figure 136: SAP Cryptographic Library and SLL


Note: With SAP NetWeaver Single Sign-On (SSO) Secure Login, the SLL can also be integrated to support SNC. SLL is a component from the SAP NetWeaver SSO solution; it is a crypto library for the SAP NetWeaver ABAP system. The SLL supports X.509 and Kerberos technology in parallel.

SLL Setup The steps to install and set up SLL are as follows: 1. Create a new directory named SLL in your application server instance directory. 2. Download and extract the SLL (SECURELOGINLIB.SAR) into the SLL directory. 3. Create PSE. To create PSE, use the SLL command: snccrtpse -x password. 4. Verify the PSE using the SLL command: snc status -v.

180



Step 1 – Create PSE for SLL

Figure 137: Create PSE for SLL

This figure shows the creation of PSE for SLL.



Step 2 – Set Trust Manager Profile Parameters

Figure 138: Set Trust Manager Profile Parameters

The Trust Manager uses the security library SAPSECULIB, by default. This library is delivered and installed in the SAP system.

The parameters sec/libsapsecu and ssf/ssfapi_lib require the location of the SAPCryptolib. The parameter ssf/name must be set to security library SAPSECULIB.

Note: In Secure Store and Forward (SSF), digital signatures and document encryption are used and security library SAPSECULIB supports the security functions. The security functions have the following possibilities: ● You can have more than one security product supporting SSF for different applications in SAP. In this case, you can install multiple security libraries to support digital signatures and document encryption. ●

Each of these products will have a different library and name in the SSF parameters. For example, ssf/ssfapi_lib and ssf/name, ssf2/ssfapi_lib and ssf2/name, ssf3/ssfapi_lib and ssf3/name, and so on.

Use the transaction RZ10 to maintain the profile parameters in the instance profile and restart the various application servers.


181



To use a SAPCryptolib security library, profile parameters need to be set up to inform the Trust Manager. SAPCryptolib can perform all the functions that security library SAPSECULIB can perform, with the addition of encryption, which is restricted by the export regulations.


Steps 3 and 4 – Create SNC PSE and Credentials

Figure 139: Maintaining the SNC PSE and Credential – Trust Manager

You have the following options to create PSE: ● Create a new PSE using trust manager on the SAP NetWeaver AS. ●

Create a PSE on a different server, for example, on the other communication partner SAP NetWeaver AS, and import using Trust Manager.

Note: The SAP Cryptographic Library must be installed to use Trust Manager.

●

In the transaction STRUST, select the SNC PSE node and in the context menu, choose the Create pushbutton. Fill the necessary fields and save the PSE.

Note: If you assign the DN using the profile parameter snc/identity/as, it is displayed when you create the PSE.

●

●

To use SNC, assign a password to the PSE. To create the credential, choose Assign Password. If you do not assign the password for the PSE, Trust Manager will have a problem later. If you want to use an existing PSE instead, which was created from another SAP NetWeaver AS, you can copy the SAPSNCS.pse from your SECUDIR to the target system SECUDIR and choose PSE ¿>@SV[˙b Import from the transaction STRUST.

The various sections on the trust manager screen are as follows:

182




From SAP NetWeaver AS version 6.20 onward, you can use trust manager and transaction STRUST to maintain a PSE.


●

●

●

The left frame shows the available PSEs that you can maintain. The upper section is used for PSE maintenance. You can create the certificate requests, import the corresponding response from the certification authority (CA), import trusted certificates into the certificate list of the PSE, or export the owner of the public key certificate of the PSE into the clipboard. The lower section is used as a clipboard for certificates. For example, you can view and export a certificate from one PSE and import it into the certificate list for a different PSE.

Note: For more information, see the application help under Help ÎÌ%]'YŽÃ Application Help or in the online documentation under http://help.sap.com, choose Security Guide ÎÌ%]'YŽÃ Network and Transport Layer Security. For versions earlier than SAP NetWeaver AS system 6.20, you have the command tool SAPGENPSE to do the following tasks: ● Create a PSE using SAPGENPSE. ●

Create credentials using SAPGENPSE.

To create a PSE using the command tool SAPGENPSE, proceed as follows: Set the environment variable SECUDIR to $(DIR_INSTANCE)/sec.

●

●

Use the following command: sapgenpse get_pse –p .pse –noreq –x .

Create credentials for the user of the SAP NetWeaver AS QAS using the command tool SAPGENPSE as follows: ● SAPGENPSE seclogin -p .pse -x -O . Step 5 – Establish Trust Relationships

Figure 140: Establish Trust Relationships


183



You can also create a PSE on a different system with the transaction STRUST and then move it to a version earlier than SAP NetWeaver AS 6.20.


You can use the same PSE for both systems. In this case, both servers share the same identity and automatically trust each other. Alternately, you can use individual PSEs and exchange public key certificates with each other. On both application server systems, for SAP NetWeaver AS version 6.20 and higher, use the Trust Manager to export the SAP NetWeaver AS certificate and to import it to the other system. To export in transaction STRUST, select SNC PSE and the certificate of the server. Choose Export Certificate and save it to a destination as a local file. To import in transaction STRUST, select SNC PSE and the certificate from its source (for example, the file system) and choose Add to certificate list. For earlier versions of SAP NetWeaver AS, use the command tool SAPGENPSE as follows: To export the SAP NetWeaver AS certificate, use the command sapgenpse export_own_cert –o -p .pse –x .

●

●

To import the SAP NetWeaver AS certificate, the certificate must exist as a file, and then you enter the command sapgenpse maintain_pk –a -p .pse –x .

If SLL is used, import SNC certificates from your ABAP system and all trusted ABAP systems into the SLL PSE using the command snc trust -a .



Step 6 – Set SNC Profile Parameters

Figure 141: Set SNC Profile Parameters

Set snc/enable to 1. If SLL is used, set snc/gssapi_lib to secgss.dll in the SLL directory. If not, set snc/gssapi_lib to $(DIR_EXECUTABLE)\sapcrypto.dll.

Caution: For production systems, deactivate non-SNC access for most SAP GUI users (snc/accept_insecure_gui=U). Only a small number of emergency accounts should be able to access the system with the password login. Set this in the transaction SU01, on the SNC tab page, with the option Unsecure communication permitted (user specific).

184



Step 7 - Set Up Access Control List (ACL) Entries

In addition to identifying the communication partner using the trust relationship, AS ABAP also checks the ACLs. These lists explicitly specify which other systems are allowed to connect to this system using SNC.

Note: The SNC name is the DN given in the server certificate prefixed with p. The two types of ACL are as follows: ● System ACL Enter the SNC name of the remote system and activate the types of communication that are allowed for this system to connect. For example, RFC, DIAG, Common Programming Interface-Communications (CPI-C), user authentication using certificates, or user authentication using other external authentication mechanisms such as pluggable authentication services (PAS). To maintain the access control list, use the transaction SNC0 or the table maintenance transaction SM30 on the table SNCSYSACL or on the view VSNCSYSACL, type = E. ●

Extended user ACL An entry for SAP NetWeaver AS is required if Web RFC is used, for example, with PAS. The entry specifies which users from the system can log on using the SNC connection. To maintain the extended user ACL, use the table maintenance transaction SM30.


185



Figure 142: Set Up ACL Entries


Enable SNC on SAP NetWeaver AS Java

Figure 143: SNC on SAP NetWeaver AS Java

This figure shows the SNC between SAP NetWeaver AS ABAP. Roadmap - Enabling SNC on SAP NetWeaver AS Java



Figure 144: Roadmap – Enabling SNC on SAP AS Java

In dual-stack environments, enabling SNC on SAP NetWeaver AS Java involves almost the same steps as in SNC on SAP NetWeaver AS ABAP. In fact, SAP NetWeaver AS Java can use the same PSE that was created for AS ABAP. The SNC SAP NetWeaver AS Java parameters are set differently and are based on the Java applications. As for the PSE, you can create one PSE and distribute that to all AS systems. Alternatively, you can use the command tool SAPGENPSE to create the PSEs at the operating system level for the AS Java system. Do not mix the maintenance approach. If you use the command tool SAPGENPSE, always use the command tool SAPGENPSE.

186



To install the SAP Cryptographic Library on a standalone AS Java system, proceed as follows: ● Copy the library to . ●

Copy the license ticket to /sec.

●

Copy the sapgenpse.exe to .

Set the environment variable SECUDIR to the sec subdirectory. This is the same directory where the PSE and credentials of the AS Java system are located(Step 1). Steps 2 and 3: Create (or import) a PSE and assign credentials using the sapgenpse.exe tool. PSE can be created using the command tool SAPGENPSE. Use this command to create a new certificate: sapgenpse get_pse –p .pse –noreq –x . Use this command to open the server’s PSE and create credentials: sapgenpse seclogin –p .pse -x -O . Use this command to import the certificate: sapgenpse maintain_pk –a -p .pse -x .



Step 4 - Establish Trust Relationships

Figure 145: Establish Trust Relationships

To exchange the public key certificates, proceed as follows: ● Export the public key certificate of AS Java using the command tool SAPGENPSE: sapgenpse export_own_cert –o -p .pse –x . ●

Export the public key certificate of AS ABAP using the transaction STRUST.

●

Import the PSE of AS Java into ABAP, and vice versa.

To maintain the system access control list on AS ABAP, use the transaction SM30 (table SNCSYSACL or the view VSNCSYSACL and type = E). Enter the SNC name of AS Java and activate the entry for RFC. Save the data.


187


Step 5 - Set the SNC Parameter for AS Java AS Java uses the Java Connector (JCo) to communicate with AS ABAP. The JCo needs the following information to use the SNC connection: SNC library path

●

This can be defined using the SNC_LIB system environment variable of the user who starts AS Java (usually SAPService). ●

Level of protection This is the level of protection to use in the connection; possible values are 1, 2, and 3.

●

My SNC name This optional parameter ensures that the SNC name is used for the connection.

●

Partner’s SNC name

188

Note: The setting of these SNC parameters for the JCo depends on various applications. Each of these applications has its own way of setting up the parameters. Refer to the documentation of the specific application to determine how to set these up correctly. For example, the SAP User Management Engine (UME) sets the SNC parameters in the UME properties. In the scenario of Java iViews in SAP Enterprise Portal, you set the SNC parameters in the system object associated with that Java iView. Other applications might use the destination service in NetWeaver Administrator or Visual Administrator.






This parameter is required and is used to identify the partner AS ABAP. You can find the SNC name of the AS in the profile parameter snc/identity/as.

Unit 4 Lesson 3 Enable Secure Socket Layer (SSL)

LESSON OVERVIEW This lesson explains how to configure Secure Socket Layer (SSL) for SAP NetWeaver Application Server ABAP (SAP NetWeaver ASABAP) and SAP NetWeaver Application Server Java (SAP NetWeaver AS Java). Business Example You need to configure SSL to secure HTTP communication in SAP NetWeaver AS. For this reason, you require the following knowledge: ●

An understanding of how SSL is used on SAP NetWeaver AS

●

An understanding of how SSL is enabled on the SAP NetWeaver AS ABAP

●

An understanding of how SSL is enabled on the SAP NetWeaver AS Java

●



LESSON OBJECTIVES After completing this lesson, you will be able to: Explain Secure Socket Layer (SSL)

SSL on SAP NetWeaver AS

Figure 146: Product Overview


189


The figure illustrates the product overview of SSL on SAP NetWeaver AS. Encryption Using SSL

Figure 147: Encryption Using SSL

To secure HTTP connections in the SAP NetWeaver AS, you can use SSL for encryption. The SAP NetWeaver AS can be either the server or the client component for the connection.

●

SAP NetWeaver AS connects to another SAP NetWeaver AS

●

SAP NetWeaver AS connects to another web server

Secure Configuration of SAP System Configuration of SAP systems can be secured by taking care of the following points: Usage of HTTPS is strongly recommended at least for all browser access from end users to SAP systems. End users should not use HTTP to access SAP systems.

●

●

●

●

●

HTTPS should be implemented for communication between SAP systems, if the network traffic is susceptible to sniffing by end users. ·fi!ß˝1¢|Ñn]µíµË’=âdŠ€æ/ÓÃ*s{ñd®G1¯¢Û`˝xÿ²fi+Ð°tG…ÃÁ>L.–¹Ó–%œ bTÅã'.¾¿¶ì˙wDÈä²SŽKłùãóÑÂ 'GÛôˆëÚÂžàë&s±ÑŽð3m=z-äNÓ*õ\våÄ−Ý{˙ -€lIÐô¢]‹æÝau•_[−�k8ÍÑX½Ú¿õ÷ønK±ûÕ8¾`ï³E·7JY network should be configured to implement HTTPS connections. Alternatively, SAP systems should be configured to directly support HTTPS or SSL server. Restrict access to the table SSF_PSE_D by assigning the table to a dedicated table authorization group. End users should not have access to this new table authorization group. For details, see SAP Note 1485029 – Protect read access to key tables. Restrict file system access to Personal Security Environment (PSE) files from ABAP programs. For details, see SAP Note 1497104 - Protect access to PSE files by additional AUTHORITY-CHECK.

Similar to Secure Network Communication (SNC), SSL in the SAP NetWeaver AS ABAP also uses the SAP Cryptographic Library to perform the cryptographic functions. However, for SNC, you can also use a partner product. For SSL, you must use the SAP Cryptographic Library.

190




SAP NetWeaver AS can be either the client or the server component in the following ways: ● Users connect to SAP NetWeaver AS using their web browsers

Lesson: Enable Secure Socket Layer (SSL)

Note: The SAP Cryptographic Library is available for download from SAP Service Marketplace. SAP Cryptographic Library

The SAP NetWeaver AS Java, up to release 7.02, uses the SAP Java Cryptographic tool kit. This is already installed during the system installation. In later releases, for example, SAP NetWeaver AS Java 7.10, the Java Dispatcher is replaced by the Internet Communication Manager (ICM) and the SAP Cryptographic Library is used.

Note: Wherever an AS ABAP+Java is depicted and SAP Cryptographic Library is used, or terms like PSE and ICM are used, the information is valid only for AS Java 7.1 and higher.


191



Figure 148: SAP Cryptographic Library


SAP Cryptographic Library – Installation Example

Figure 149: SAP Cryptographic Library – Installation Example

ICM or SSL Profile Parameters



Install the library in the $(DIR_EXECUTABLE) directory and install the license ticket in the $ (DIR_INSTANCE)/sec directory.

Figure 150: ICM or SSL Profile Parameters

The icm/server_port_ parameters specify which protocol uses which port. The sequence numbers and protocols for these two parameter listings (as shown in the figure) must correspond and there should be no gaps. In case of HTTPS, you can additionally specify the parameter VCLIENT = 0 to tell the server that no SSL client verification is required. Other possible values for VCLIENT are as follows:

192



●

●

The server asks the client to transfer a certificate. If the client does not send a certificate, authentication is carried out by another method, for example, basic authentication (default setting). The client must transfer a valid certificate to the server, otherwise access is denied.

Note: This server-specific value overrides the value set with the parameter icm/HTTPS/ verify_client. If you specify the SSL configuration with SSLCONFIG, the parameter VCLIENT should not be set here. The parameters sec/libsapsecu and ssf* are necessary for the Trust Manager. The parameter ssl/ssl_lib specifies where the SAP Cryptographic Library is located.

Figure 151: Identities or PSE

SAP NetWeaver AS can be either the server component or the client component for connections. Depending on the role in these connections, the SAP NetWeaver AS has a different identity. For each of these identities, SAP NetWeaver AS has a separate PSE. For example, there is the SSL server PSE and the SSL client PSE. For SNC, there is a PSE as well.


193



Identities or PSE


Server’s Distinguished Name

Figure 152: Server’s Distinguished Name

For example, when using the SSL server PSE, the common name (CN) part of the server’s DN must correspond to the fully qualified host name used to access the server. As a result, different hosts within the same system may need to have different names and different SSL server PSEs. When using the SSL client PSE, the server functions as a client and not as a server and uses the as the CN part. SSL Server PSE

Figure 153: SSL Server PSE

The SSL server PSE is used when the SAP NetWeaver AS is the server component for connections.

194




For each of the different identities, the SAP NetWeaver AS uses a different Distinguished Name (DN) due to restrictions on the corresponding name.


The three types of SSL server PSEs that individual hosts can use are as follows: Standard

●

●

Individual

●

Shared

The standard SSL server PSE is used primarily to create individual SSL server PSEs for each host to use. However, a host may also use this standard PSE for its SSL server PSE. The CN part of the DN must correspond to the fully qualified host name that is used to access the server. As a result, servers that are accessed using the same host name alias can share PSEs.

Figure 154: Standard Server PSE – Example 1

The standard SSL server PSE contains a wildcard as the host name in the DN. The servers that share the SSL server PSE have the same key pair and identity, which saves costs when obtaining the corresponding SSL server certificates. For example, when the user contacts the server using the URL, https:// host123.mydomain.com:8444, the server’s CN is *.mydomain.com. In this case, the user receives a warning in the Web browser indicating that the names do not match. As a result, it is not convenient to use the standard SSL server PSE for individual servers. Use this scenario only when users can access the server, regardless of the mismatched names.


195



Standard Server PSE – Example 1


Individual Server PSEs – Example 2

Figure 155: Individual Server PSEs – Example 2

To avoid warnings or error messages, you can use individual PSEs for the individual servers where you use the server’s host name as the CN part of the DN. In this case, users must be able to access SAP NetWeaver AS, which is not very useful when you need to manage your SAP NetWeaver AS systems using load balancing or network zones. Servers That Share a PSE – Example 3



Figure 156: Servers That Share a PSE – Example 3

For cases where you have a load balancer or other device in front of the SAP NetWeaver AS, you can have the servers sharing one PSE. When setting up this PSE, use the host name of the device as the CN part of the DN for the application server.

196



SSL Client PSE (1)

Figure 157: SSL Client PSE (1)

The three types of SSL client PSEs are as follows: Standard SSL client PSE

●

The standard SSL client PSE is the default type used by the server. Note that this PSE must exist for SSL to work. When using this PSE, the SAP NetWeaver AS will be authenticated using the identity associated with this PSE. ●

Anonymous SSL client PSE The anonymous SSL client PSE is available for use with connections where only serverside authentication and data encryption are necessary. When using this PSE, no client authentication takes place. The anonymous SSL client PSE is used only as a container for the list of certification authorities (CAs) that the server trusts when accessing the other server.

●

Individual SSL client PSE The individual SSL client PSEs are created for additional identities. Use these PSEs if you want the SAP NetWeaver AS to function as an individual identity. For example, you may want your SAP NetWeaver AS to function as an individual identity when accessing a specific application such as a banking application. Contrary to the SSL server PSE, the SSL client PSE is used by all application server instances in the system.


197



For connections where the SAP NetWeaver AS is the client component, it uses a different PSE called the SSL client PSE. You can use different types of SSL client PSEs, depending on the scenario.


SSL Client PSE (2)

You specify which connections use which identity and PSE when you set up the HTTP destination using transaction SM59. For each connection, you can specify a different PSE as shown in the figure.

Enable SSL on the SAP NetWeaver AS ABAP

Figure 159: Roadmap to Create SSL Server PSE

The steps to create the SSL Server PSE are as follows: 1. Create the standard SSL server PSE.

198




Figure 158: SSL Client PSE (2)


2. Specify the PSE for each application server to use. 3. For each unique PSE: ●

Generate a certificate request.

●

Send the request to a CA.

●

Import the certificate request response.

4. Establish the necessary trust relationships.

Figure 160: Creating the SSL Server PSE

Use the Trust Manager transaction STRUST to maintain the SSL server PSE. Creating the SSL server PSE involves the following steps: 1. Create the standard SSL server PSE. The DN for the standard PSE serves as a pattern for the DNs used for each host. 2. Select the type of SSL server PSE (standard, individual, or shared) that each application Bÿ¶&Ðr>ìªkZ;”÷ãºt*ûâ)M‹i)s'Œ´T‰Sã·�À+¥‰µ²®æãè¼S¡™Öô⁄cŽ~¿•%•»Eˇt]rÚ‰SÜõ÷`ÿëçÒŁ˚_�»Ïb�îøQW€ùıU ™ýióÂÚ¾CT«5ÆÓ¯⁄_žvÝ1™¶Ëûï²¸Ÿúqıüü˚B>ÎÃY¹–ÖÏ¿ªÎ4\µ’ygBÀ§º+G assigned the standard PSE.


199



Creating the SSL Server PSE


Generate the Certificate Requests

Figure 161: Generate the Certificate Requests

You generate a certificate request for each SSL server PSE determined by a unique DN.

200

●

Generate an individual request for each individual PSE.

●

Generate one request for a shared PSE.

Send each request to your CA according to the CA’s policy.

Note: For the SAP CA, see the SAP trust center service at http://service.sap.com/tcs.




The certificate requests for different SSL server PSE are as follows: ● Generate one request for the standard PSE, if used.


Import the Certificate Request Responses

Figure 162: Import the Certificate Request Responses

Import the response into the corresponding PSE. You have to import the response only once for a shared PSE. Shared PSEs are distributed to all the application servers.

Caution: Make sure you import the response into the PSE where the corresponding request was created. Establish Trust Relationships (1)

Figure 163: Establish Trust Relationships (1)


201



After you send the requests to the CA, you receive a response from the CA. This response is the certificate signed by the server.


The next step is to establish the trust relationships. Remember that to verify the server’s certificate when using SSL, the user must trust the CA that issued a certificate to the server. As a result, the user must import the CA root certificate into his or her web browser.

Note: Many CA root certificates are stored by default in the most commonly used web browsers.

Figure 164: Establish Trust Relationships (2)

If you also use SSL to authenticate your users by mutual authentication, then the SAP NetWeaver AS must trust the CA that has issued certificates to the users. As a result, you need to import the trusted CA root certificates into the SSL server PSE. In this case, you have to import the certificates into only one SSL server PSE. The list of trusted CAs is distributed to the entire SSL server PSEs, regardless of their type. Some CA root certificates are delivered with the SAP NetWeaver AS in the Trust Manager’s certificate database. The SAP NetWeaver AS is now ready to use SSL for connections where the NetWeaver AS is the server component.

202




Establish Trust Relationships (2)


Roadmap to Create SSL Client PSE

Figure 165: Roadmap to Create SSL Client PSE

Creating the Standard SSL Client PSE



The figure illustrates the roadmap to create SSL client PSE.

Figure 166: Creating the Standard SSL Client PSE

In addition, use the Trust Manager transaction STRUST to maintain the SSL client PSEs. Use the as the CN part of the DN. If the server functions as a client component for connections where SSL is used, create a certificate request and send it to your CA. Import the corresponding response into the standard SSL client PSE.


203


Establish trust relationships by importing the CA root certificates from CAs that you trust into the PSE‘s certificate list. Create the Anonymous SSL Client PSE

Figure 167: Create the Anonymous SSL Client PSE

The anonymous SSL client PSE is optional. You need this PSE only for connections where the SAP NetWeaver AS is not to be authenticated for the connection.

Because the SAP NetWeaver AS is not authenticated when using this PSE, you do not need to use a certificate signed by a CA, so you can skip the certificate request handling steps. However, you need to establish the trust relationships. Import the trusted CA root certificates into this PSE’s certificate list. Create an Individual SSL Client PSE

Figure 168: Create an Individual SSL Client PSE

204




The CN part of the DN is automatically determined by the system as CN = anonymous.


To create an individual SSL client PSE, perform the following steps: 1. Make an entry in the SSL client identity table by choosing Environmentz ¥>IVÂGSSL Client Identities in the Trust Manager menu to access the table. 2. z ¥Ëh·Â‡tø"$tÖ˛œ½é-+ÇÊä•÷•˚5ö¢¡L*n»…1¤uê ´†ÿÒâRpÌ¹*PP9À1Co PÀ¬räŸà®azùÑflÐt'©cåÂ‚½ÇÜ)�‰�w,ÎÚ¦�Ë¥×˙ì2Ð=Ł5=⁄s½k‡_©R}RaXl‚äpv‡ª@Bbn(÷Š}m⁄òÇž{±~pBß�‹u)Ä¹ÓaVï0³â entry. There are no restrictions on the DNs for individual SSL client PSEs. 3. After creating the SSL client PSE(s), restart the ICM.

Figure 169: Assign Connection with SSL client PSE

Create the HTTP connection using transaction SM59. The types of HTTP connection are as follows: ● Type G – To a different web server ●

Type H – To another SAP NetWeaver AS

Under Technical Settings, specify the host, URL, and HTTPS port to use for the target system. The steps that specify the authentication method to use for the login under Logon/ Security options are as follows: 1. Specify the logon method for SAP NetWeaver AS connections of the type H: ●

If SSL client authentication is to be used, select Basic Authentication.

●

Otherwise, select SAP Standard or SAP Trusted System.

2. Activate SSL and specify the SSL identity to use for the connection. 3. Specify the language or target client, if these values are different from the default values. 4. Maintain user mapping in the target system using table USREXTID if you want Single SignOn (SSO) to another SAP NetWeaver AS. This table maps the DN of the client SAP NetWeaver AS to the user ID used for the connection. 5. Test the connection.


205



Assign Connection with SSL client PSE


Enable SSL on the SAP NetWeaver AS Java

206

The figure provides an overview of how to enable SSL for SAP NetWeaver AS Java up to release 7.02. LESSON SUMMARY You should now be able to: ●

Explain Secure Socket Layer (SSL)




Figure 170: Roadmap for Configuring SSL for AS Java


1. Which of the following is often combined with the transport layer and is known for êášKGàÞ#%f" ⁄g«íX,1X}ƒXüt!œ “¯^ˇJå¬qø§•l−P´˜|€àh@b+b+^î€Ðã¿òj*»õ¸w ÌLF"ÛùC4k+S÷Ù7&fi"õûìLùLP£\Zð˛% Choose the correct answer. X

A Application layer

X

B Presentation layer

X

C Network layer

X

D Session layer

2. When you enable Secure Network Communication (SNC) on SAP NetWeaver AS, the environment variable SECUDIR should be set to the location of the license ticket.

X

True

X

False

3. Which of the following types of Secure Socket Layer (SSL) server Personal Security Environments (PSE) can be used by hosts? Choose the correct answers. X

A Standard

X

B Anonymous

X

C Individual

X

D Shared


207





1. Which of the following is often combined with the transport layer and is known for žŒaáÌeSÐæéFxoÿIðBIùo ˘•NÂö{¥Ì˛|jÔ._¹á qÛ÷®òá‚oæ¼¹,Öòàþ¬L9ÁâÎž'd¼êÓÿaÓ;•mfisj«piÛ1¼:Vzí ½ö$®À¤é

208

X

A Application layer

X

B Presentation layer

X

C Network layer

X

D Session layer

2. When you enable Secure Network Communication (SNC) on SAP NetWeaver AS, the environment variable SECUDIR should be set to the location of the license ticket. Determine whether this statement is true or false. X

True

X

False

3. Which of the following types of Secure Socket Layer (SSL) server Personal Security Environments (PSE) can be used by hosts? Choose the correct answers. X

A Standard

X

B Anonymous

X

C Individual

X

D Shared





UNIT 5

Single Sign on in SAP Systems

Lesson 1 Implementing Single Sign-On (SSO) in SAP Systems Exercise 6: Check Logon Procedure of ICF Service Exercise 7: Activate HTTP Security Sessions

210 233 235

UNIT OBJECTIVES ●

Explain Single Sign-On (SSO) in SAP systems




209

Unit 5 Lesson 1 Implementing Single Sign-On (SSO) in SAP Systems

LESSON OVERVIEW This lesson explains the configuration of Single Sign-On (SSO) for SAP NetWeaver Application Server (SAP NetWeaver AS)-based systems. The lesson also explains how to secure SAP NetWeaver AS. Business Example

210

●

An understanding of SSO

●

An understanding of user authentication works and SSO

●

An understanding of Security Assertion Markup Language (SAML) 2.0

●

An understanding of session handling

●

●

An understanding of how to check the logon procedure of the Internet Communication Framework (ICF) service An understanding of how to activate HTTP security sessions






You need to configure SSO for SAP NetWeaver AS-based systems. For this reason, you require the following knowledge:

Lesson: Implementing Single Sign-On (SSO) in SAP Systems

SSO Overview

Users access multiple systems, including SAP and non-SAP systems. Some systems reside in a dedicated network zone in the intranet, but many systems reside on different networks or on the Internet. Users need to have different IDs and passwords to access these systems. Each of these systems also enforces its own password policy. For example, in the SAP HR system, the user needs to change his or her password every 30 days. In another system, the user might need to change his or her password every 90 days. In yet another system, the user might not need to regularly change his or her password at all. As a result of this, users often forget their passwords, which means that the administrator constantly has to reset passwords. Situations like these lead to password frenzy.


211



Figure 171: Password Frenzy

Unit 5: Single Sign on in SAP Systems

Solution to Password Frenzy - SSO

Figure 172: Solution to Password Frenzy- SSO

User Authentication and SSO The Application Server ABAP (AS ABAP) and the Application Server Java (AS Java) are the underlying technologies for authenticating users with SAP NetWeaver. The following table provides an overview of the mechanisms available for each application server and indicates whether the mechanism is used directly for user authentication or for SSO: Mechanism

User SSO Authenticatio n

AS ABAP

AS Java

User ID and password

x

x

x

x

Secure Network Communicati ons (SNC); for example with SAP NetWeaver SSO

x

x

x

x

x

SAP Logon Tickets

212

x




The solution to the problem of password frenzy is SSO. SSO allows users to access multiple systems based on single authentication.


Mechanism

User SSO Authenticatio n

AS ABAP

AS Java

Secure Socket Layer (SSL) and X. 509 client certificates

x

x

x

SAML

Java Authenticatio n and Authorization Service (JAAS)

x

SAML 1.x

x

SAML 2.0

x x

x As of release 7.02

x

As of release 7.20 x

For authentication on an SAP NetWeaver AS that allows SSO for other systems, you can have the system issue logon tickets to the users. The user can then access other systems using the logon ticket as the authentication token instead of having to repeatedly enter his or her user ID and password. SAML is a standard that defines a language to exchange security information between partners. The SAML standard is driven by the Organization for the Advancement of Structured Information Standards (OASIS). SAML uses assertions that contain statements about subjects, authentications, authorizations, and attributes. SAML Token Profile is developed by the OASIS Web Services Security (WS Security) Technical Committee as a standard to integrate and use SAML for WS Security. Although both the SAML token profile and the SAML browser artifact use the SAML standard flo:Mx¶µB(£Š›á4ïùh:zëˇK>ävfløš%#kj~Y#Ã*¦d…ÔNùÕŠøwà\NéÜP5 –F‡‰‡¬–�wÎ˝“×Þr@3Z`Ł!³é:0Zû•:ê"lD 9µ8\ðjCxqÏdy½±k#áò¦Á³°ÊÖ·ƒflû@ƒ<ò ±ıJ*7�3{ÿkš–sˆ·Iø1áýÖCn‹fiZÈ`œiÄ‡âsCø¯‰ÐÀœ6a”ï‰¬ SAML token profiles are used for WS access authentication at the Simple Object Access Protocol (SOAP) message level. SAML browser artifacts are used to authenticate web-based access from a web browser. The AS Java implements the JAAS standard to support various authentication methods. This enables you to choose the required authentication mechanisms for your applications. Applications running on the AS Java can use either declarative or programmatic authentication. Both types of authentication rely on the same underlying technology, login modules, and login module stacks. Additionally, programmatic authentication uses authentication schemes. SAP ships login modules and authentication schemes to support various authentication mechanisms.

Hint: Please note that since version 3.0, SSL is also called TLS (Transport Layer Security).


213



SNC can be used for encryption as well as for authentication and SSO.


Logon Ticket

In the standard delivery, the AS Java uses logon tickets in the logon procedure. The procedure to log on to a system is as follows: 1. The authentication stack ticket used checks for a valid logon ticket (EvaluateTicketLoginModule). 2. If there is no valid logon ticket, the user must enter his or her user ID and password (BasicPasswordLoginModule). 3. A logon ticket is issued if the entries are correct (CreateTicketLoginModule). 4. The logon ticket is sent from the browser in the standard system for each request. This logon ticket goes to the domain of the issuing system and can therefore be used to log on ²Vw⁄Ê& €èG=�VÕºJëÅÑ5jŽ¢kŁYT˘lÖ%¿e−†¯]TnOód©�VE›

Caution: If logon tickets are used as a logon procedure or for SSO, you must make sure that the logon ticket cannot be traced or forwarded. Therefore, encryption is strongly recommended for such cases. Technically, the logon ticket is a session cookie. This means that the cookie is not saved; rather, it is only held in the working memory. It is deleted when the browser session finishes. Logon Ticket Content A logon ticket contains the following data: ● User ID

214




Figure 173: Logon Ticket


●

Mapped user ID

●

Time of issue

●

Validity period

●

Highest authentication scheme

●

Issuing system

●

Digital signature

The prerequisite for SSO with the logon ticket is an identical user ID in the issuing and accepting system. You must configure the accepting system in such a way that the logon ticket of the issuing system is accepted. Using the digital signature, the issuing system can be uniquely identified and the integrity of the logon ticket can be verified.

Figure 174: SSO to Non-SAP Components Using Logon Tickets

You can use one of the following options to perform SSO to non-SAP components when using logon tickets: ● Use Application Programming Interface (API) An API is provided if the non-SAP application does not rely on the web server filter. The API verifies the logon ticket and extracts the application user ID. ●

Use Java Ticket Verification Library The Java Ticket Verification Library provides functions that allow non-SAP applications to verify SAP logon tickets and extract the user ID from the logon ticket. This library is coded in Java and can run on all platforms with a Java Runtime Environment (JRE).

Note: It is recommended to use Java Ticket Verification Library in preference to other libraries, such as C Ticket Verification Library and Dynamic Link Library SAPSSOEXT.


215



SSO to Non-SAP Components Using Logon Tickets


●

Use a web server filter SAP offers a web server filter that can be used to verify the logon tickets for web-based applications that support authentication with an HTTP header variable. After verification, the web server filter writes the application user ID into an HTTP header field. This option is easy to use because the non-SAP components do not need to verify any tickets. Currently, a web server filter is available for Microsoft Internet Information Server (IIS), Apache Web Server, and Oracle iPlanet Web Server.

Note: For more information about web server filters for SSO, refer to SAP Note 442401 Web server filter for SSO to third-party systems. Assertion Ticket An assertion ticket is issued when a connection to a remote system is established. Assertion tickets are an extension of logon tickets. The main differences between an assertion ticket and logon ticket are as follows: Assertion tickets are not stored temporarily, like logon tickets.

216

●

Assertion tickets are only valid for two minutes.

●

Assertion tickets are issued directly for the respective target system.

Older systems interpret the assertion ticket as a logon ticket. The configuration for SSO is performed in a similar way as the configuration for logon tickets. The application area of assertion tickets is used for system-to-system communication through Remote Function Call (RFC) or HTTP. For example, in AS Java, destinations can use the assertion ticket as a logon method. In AS Java, you can use the CreateAssertionTicketLoginModule and EvaluateAssertionTicketLoginModule login modules, as well as the evaluate_assertion_ticketpolicy configuration, to issue and verify assertion tickets.




●


Logon Tickets and AS ABAP

To configure the system for issuing and accepting logon tickets on the SAP NetWeaver AS, proceed as follows: ● Profile the parameters login/create_sso2_ticket and login/accept_sso2_ticket on the application server. For best results, set login/create_sso2_ticket = 1, if the application public key of the server has been signed by a Certification Authority (CA). Use the value 2, if the certificate is self-signed. ●

●

The SAP NetWeaver AS uses the system Personal Security Environment (PSE) to digitally sign logon tickets or to verify logon tickets that have been issued from other servers. Use transactions SSO2 and STRUSTSSO2 to maintain and check the configuration.

To configure the system to accept logon tickets from another AS ABAP, proceed as follows: ● Use transaction SSO2 and enter the RFC destination or the and for the issuing server in the appropriate fields. ●

The wizard enters the information about the issuing system in the access control list (ACL) of the accepting system, which makes the SSO PSE available to the accepting system.

To configure the system to accept logon tickets from AS Java, proceed as follows: ● On the AS ABAP, set the profile parameters. ●

●

Add the public key certificate of AS Java to the corresponding list. For Release 6.10 and higher, use transaction STRUSTSSO2 À^º„•"»“–í#$ˆ…‰"çúa·°(DT4ì¬s‡¬í©>™M•yVN½c�í/"Ñ¯+±AY¬�6 ¡bÞ¯u$ ŠeZš\¦ê^j+ ,ôuõ]6ŽÂA„4¸ýlDP<(˘š†NDÑØ‚€ for the logon ticket (default is the system PSE). Use transaction SSO2 to add the information about AS Java, such as system ID and its Distinguished Name (DN) to the ACL.

AS ABAP Parameters for the Logon Ticket The following table shows the AS ABAP parameters for the logon ticket:


217



Figure 175: Configuring Logon Tickets on SAP NetWeaver AS for ABAP

Parameter

Description

Default Value

Example Value

login/ accept_sso2_ticket

Controls whether logon tickets and assertion tickets are accepted as logon procedures. This parameter must be set to 1 for SSO.

0

1

login/ create_sso2_ticket

Controls whether the 0 AS ABAP issues (1/2) a logon ticket or not (0).

2

login/ ticket_expiration_tim e

Controls the validity period of the logon ticket in hh:mm.

22:34

login/ ticket_only_by_https

If the parameter is set 0 to 1, the logon ticket is only sent if SSL is used from the Web browser to the AS ABAP (or to the load balancer).

1

login/ ticket_only_to_host

If the parameter is set 0 to 1, the logon ticket is sent from the browser to the issuing system only and not to all hosts in the domain (0).

1

8:00

Logon Tickets and AS Java The various SAP NetWeaver AS Java login modules and templates are as follows: ●

CreateTicketLoginModule This is a login module for issuing logon tickets.

●

EvaluateTicketLoginModule This is a login module for accepting logon tickets.

●

Authentication template ticket This is a template ticket that contains both the issuing logon ticket module and the accepting logon ticket module.

The following steps are performed when SAP NetWeaver AS Java acts as the logon ticket issuing system: 1. The user authenticates himself or herself on the AS Java.

218






2. The user is logged on to the server after successful authentication. The server issues a logon ticket to the user. 3. The user browser stores the ticket, which can be used to access other systems. The following steps are performed when SAP NetWeaver AS Java acts as the logon ticket accepting system: 1. When user accesses the Java AS from the browser, the browser sends the logon ticket with the access request. 2. Java AS verifies the digital signatures of the issuing server and, with the entries in its ACL, &ÄÐÖ_“1õ¯W‚B¢›I½ÃU^;—˜6öÎ_PŸílòNˆX²Ój±ªGa*ò%5…ÞQwó3q‘¶1˝‘)â˚mé¯bm»qÇæn−¬¸umWøKKÁ˛}u´<˙[ðîpB3Ú³?Âr;X|þ¬° ¿g+üw®)áÐ5*Tûž¥_‹h¤BNXäK‚Û‘ �fiÏ[9vœBŒ⁄ˇêØkÒ0kk’ácÚ «KtMêÿã°¾Ò ˜H"K³‰„ïł also checked. 3. After the validation is successful, the user is granted access to the requested resources. User Management Engine (UME) Parameters for the Logon Ticket

Parameter

Description

Default Value

Example Value

login.ticket_lifetime

Specifies the validity period of the logon ticket in hh:mm.

8

23:35

login.ticket_client

Specifies the client ID 000 that is sent in the logon ticket. An AS Java does not have clients; an AS ABAP does. For SSO from the AS Java to the AS ABAP, the client ID must also be entered in the ACL (transaction code STRUSTSSO2).

ume.logon.security.re Specifies the number 1 lax_domain.level of subdomains to be removed from the domain of the system. The logon ticket is sent from the browser to the result. If the system is installed on host twdf1234.wdf.sap.cor p, the logon ticket is sent to all hosts in wdf.sap.corp for value 1; it is sent to all hosts in sap.corp for value 2.


697



The following table shows the UME parameters for the logon ticket:

0

219


Parameter

Description

Default Value

ume.login.mdc.hosts

Using this parameter, Not applicable the logon ticket can be sent to other domains. You then enter the hosts here. For more information about this, see SAP Note 654982.

ume.logon.security.e If the parameter is set false nforce_secure_cookie to true, the logon ticket is only sent if SSL is used from the web browser to the AS Java (or to the load balancer).

Example Value http://host.sap.com

true

Configuration of Login Modules If SAP NetWeaver AS Java is used to issue or accept the logon ticket, the corresponding login modules, which are provided by SAP, should be configured.

●

BasicPasswordLoginModule This login module is used to perform user authentication with user name and password, for example, in JSP forms.

●

ClientCertificateLoginModule This login module performs a certificate logon to J2EE Engine.

●

CreateTicketLoginModule This login module is used to create the logon tickets.

●

EvaluateTicketLoginModule This login module is used to verify the logon tickets issued by other servers.

●

SPNegoLoginModule This login module is used for SSO with Kerberos authentication. It implements the Simple and Protected Generic Security Services (GSS) API Negotiation Mechanism (SPNEGO) on SAP NetWeaver AS Java.

Note: To find a list of other login modules in the online documentation, visit http:// service.sap.com/security. Various login modules are bundled to form login module stacks. The template ticket can be used to configure the login modules by choosing Security Provide ServiceÙ©ÍŁ]º�Policy Configuration.

220




The login modules available in AS Java are as follows:


The following table shows a sample configuration using the security provider services: Login Module

Flag

EvaluateTicketLoginModule

SUFFICIENT

BasicPasswordLoginModule

REQUISITE

CreateTicketLoginModule

OPTIONAL

The login modules are configured to perform the following tasks: AS Java checks to see whether the user presents a valid logon ticket. If so, the logon ticket is accepted and no further processing is done.

●

●

If no logon ticket exists, AS Java authenticates the user using basic authentication.

●

After the successful authentication, the user is issued a logon ticket.



X.509 Client Authentication

Figure 176: X.509 Client Certificates

Mutual authentication takes place using SSL. X.509 client certificates can be used to access the following SAP systems: ● SAP NetWeaver AS ABAP, Web Applications ●

SAP NetWeaver AS ABAP, SAP GUI for Windows (with partner product)

●

SAP NetWeaver AS Java

●

SAP Internet Transaction Server (ITS)

X.509 client certificates can also be used to access non-SAP systems that support SSL. Moreover, it can be used for the Internet or Intranet. Authentication is performed with every request. No user intervention is required for multiple logon.


221


SAML 2.0

Figure 177: SAML 2.0

SAML version 2.0 is a standard for communication of assertions about principals, typically users. The assertion can include the means by which a subject was authenticated, the attributes associated with the subject, and an authorization decision for a given resource.

The service provider is a system entity that provides a set of web applications for common session management, identity management, and trust management. The service providers outsource the job of authenticating the user to the identity provider. ●

Identity provider The identity provider is a system entity that manages identity information for principals and provides authentication services to other trusted service providers. The identity provider maintains the list of service providers where the user is logged in and passes on logout requests to those service providers. The client that is trying to access the resource must be HTTP-compliant.

The benefits of SAML 2.0 are as follows: ●

SSO SAML provides a standard for cross-domain SSO. Other methods also exist for enabling cross- domain SSO, but they require proprietary solutions to pass authentication information across domains. SAML 2.0 supports identity provider-initiated SSO, like in SAML 1.x. SAML 2.0 also supports service provider-initiated SSO.

●

Single Log-Out (SLO) SLO enables users to close all their sessions in a SAML landscape simultaneously, even across domains. SLO not only saves system resources that would otherwise remain reserved until the sessions time out, but it also mitigates the risk of the hijacking of unattended sessions.

●

222

Identity federation




The main components of a SAML 2.0 landscape are as follows: ● Service provider


Identity federation provides the means to share identity information between partners. To share information about a user, partners must be able to identify the user, even though they may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as a means to establish a common identifier. When the name ID is established, the user is said to have a federated identity. SSO with SAML 2.0 SAML 2.0 supports identity provider-initiated SSO, like in SAML 1.x. SAML 2.0 also supports service provider-initiated SSO. When the identity provider initiates SSO, you must maintain links on the identity provider system to the protected resources on the service providers. When you protect resources with SAML on a service provider, the service provider is configured to request authentication from the identity provider. SAML provides the following options to pass SAML messages back and forth between the identity provider and the service provider: ● Front channel In front channel, SAML messages are passed back and forth over the user agent with HTTP redirect or HTTP POST methods. You can protect front-channel communication with encryption and digital signatures. Back channel In back channel, the identity provider and service provider only exchange SAML artifacts over the user agent. When a provider receives an artifact, it queries the other provider directly over SOAP. Back-channel communication provides additional security by ensuring that potential eavesdroppers of the user agent only access SAML artifacts. However, back channel communication requires additional round trips to resolve an authentication request. You can also mix communication options, if necessary. Process Flow for Front-Channel SSO with SAML 2.0

Figure 178: Process Flow for Front-Channel SSO with SAML 2.0

The figure illustrates service-provider-initiated SSO with front-channel communication.


223



●


The following steps explain the process flow of the front-channel SSO: 1. A user attempts to access a resource protected by SAML 2.0. 2. The service provider redirects the user to an identity provider for authentication. 3. The identity provider queries the user for authentication credentials. 4. The user or user agent presents the requested credentials. 5. The identity provider returns the user to the service providers with an authentication response. 6. The service provider presents the requested resource to the user.

Figure 179: Process Flow for Back-Channel SSO with SAML 2.0

The figure illustrates service-provider-initiated SSO with back-channel communication. The following steps explain the process flow of the back-channel SSO: 1. A user attempts to access a resource protected by SAML 2.0. 2. The service provider redirects the user to an identity provider and includes a SAML artifact referring to the authentication request. 3. The identity provider gets the authentication request from the service provider over a SOAP channel. 4. The identity provider queries the user for authentication credentials. 5. The user or user agent presents the requested credentials. 6. The identity provider returns the user to the service providers with a SAML artifact referring to the authentication response. 7. The service provider gets the authentication response from the identity provider over a SOAP channel. 8. The service provider presents the requested resource to the user.

224




Process Flow for Back-Channel SSO with SAML 2.0


SLO with SAML 2.0

Single Log-Out (SLO) enables users to close all their sessions in a SAML landscape cleanly, even across domains. Not only does this save system resources that would otherwise remain reserved until the sessions time out, but it also mitigates the risk of the hijacking of unattended sessions. The figure illustrates that SLO is initiated at the service provider over a front channel binding, such as HTTP redirect. The figure also shows SLO between the identity provider and the other service providers over a back-channel binding, such as SOAP over HTTP. The following steps explain the process flow for SLO with SAML 2.0: 1. The user initiates a logout request at a service provider. 2. The service provider forwards this request to an identity provider. 3. After the identity provider validates the request, it sends new logout requests to all other service providers with which the user has a security session that the identity provider is aware of. 4. The service providers validate the request, destroy any session information for the user, and send a logout response to the identity provider. 5. The identity provider destroys the user’s sessions and sends a response to the original service provider. 6. The original service provider informs the user that he or she has been logged out. Identity Federation Identity federation provides the means to share identity information between partners. To "C=¢E⁄7àÎÎ˚˚óHþ“klÕ5/4)yÛµl{z‚rîÞt+³L½nÜúçx=™½€|Qƒï˜§k9’!7Ç¼ &Äž›zìƒ'Ë_)wKÁPfi½−ëoŠ×•Þ¡�pø”ßìÉ}fl¬óí¡ ’A÷,4è,©¬T³3'µâžÖ:èH¶ßc§r�˚ˇ*u!Üš§yâÃS=à˘¸ ‰qV¼mzfi(Ž³’ ƒ•Ì2Éþ–Dèƒ%FyŽıaQ»½Óîˆ� may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as the means to establish a common identifier. Once the name ID has


225



Figure 180: Process Flow for SLO with SAML 2.0


been established, the user has a federated identity. The SAML 2.0 standard defines a number of name ID formats. SAML describes the following types of federation: ● Out-of-band account linking The identities of a user in system A and system B are identified and agreed upon ahead of time between the administrators of the two systems. This kind of agreement is also supported by SAML 1.x. The administrator of the identity provider and the service provider agree how the name ID used for the user in the identity provider maps to the user in the service provider. Use this kind of federation to support most scenarios where you need to map user identities across domains. ●

Transient pseudonym identifiers Federation with transient name IDs creates a federation with a temporary user in the service provider and a permanent user in the identity provider. This federation exists only as long as the security session with the service provider exists. The service provider does not persist data about the visiting user. User attributes and access rights are generated based on rules applied to attributes sent in SAML messages. Use this kind of federation when the service provider does not need to record information about users or do not need local user accounts.

226

Persistent pseudonym identifiers Federation with persistent name IDs establishes a permanent relationship between a user on an identity provider and a user on a service provider or users on an affiliation of service providers. The persistent name ID is used by an identity provider and a service provider as a common name for a user. If this name ID for a user is the same for multiple service providers, the service providers are said to be affiliated or to belong to an affiliation group. Use this kind of federation to link accounts out-of-band, but without using identifiers that can be traced back to a specific user. This increases the security of your systems by preventing eavesdroppers from determining identities on the basis of name ID formats that pass logon IDs or e-mail addresses. It requires you to establish the pseudonym on both providers ahead of time.




●


Account Linking with Persistent Name ID

The figure illustrates an example of the accounts of Laurent Becker, which have an attribute for a persistent name ID and named opaque ID. The value to use here can be agreed upon in advance by the two system administrators or generated by the identity provider and distributed to the service provider. When Laurent Becker is authenticated on the identity provider, the service provider receives the SAML assertion with the opaque ID as the subject. The service provider searches for the user based on the opaque ID and allows the user to log in. You can ensure that sensitive data is encrypted when two systems share such information. The use of the pseudonym name ID formats (transient and persistent) ensures privacy and anonymity between two partners (identity provider and service provider). The partners need not be aware of the local account name used by the other partner, therefore protecting the user’s privacy.


227



Figure 181: Account Linking with Persistent Name ID – An Example


SAML 2.0 with SAP Components

The figure shows the role of SAP components in a SAML 2.0 scenario.

INTERACTIVE ELEMENT: Breakout Rooms 1. What are the advantages of SAML 2.0? . . . . . . . . . .

Session Handling Stateful web applications store the application state on the application server. During communication, only the key to this state, also called session identifier or short session ID, is included with each request. In general, the session ID can be transferred as a cookie, through URL parameter, or as a hidden form field.

228




Figure 182: SAML 2.0 with SAP Components


Besides the application state, a security state (or a security session) may exist. A security session starts with the logon to the system and ends with the logoff from the system. SAP security session IDs are only transmitted using non-persistent cookies. An attacker who can obtain a victim’s valid session ID can attack the victim’s system using the full set of the victim’s authorizations. The following types of attacks can exploit session-handling vulnerabilities: ●

Session hijacking In a session hijacking attack, the attacker steals the victim’s valid session ID and sends a request with this session ID to the server. The attacker can steal the ID, for example, by sniffing the network traffic. In some scenarios, the session ID is a part of the URL. The URL can be hijacked if the victim stores it in his or her bookmarks or sends it through e-mail. Assuming that the session ID is still valid, the attacker can act with the full set of the victim’s authorizations.

●

Session fixation In a session fixation attack, the attacker sets the session ID for a certain user before the user authenticates with the application. This can be done by manipulating the URL that is used by the user to access the web application. As a result, after user authentication, both the attacker and the victim know the session ID and can work on the system under the victim’s user ID. Session riding In a session riding attack, the attacker makes the user agent of the victim issue requests to an application server, resulting in undesired and potentially harmful actions.

It is strongly recommended that you implement the following settings on productive systems to improve session security: Product Version

Measure

AS ABAP 6.10 and higher

login/ticket_only_by_https = 1; refer to SAP Note 1531399.

AS ABAP 7.02, 7.20 and higher

HTTP Security Session Management; refer to SAP Note 1322944.

AS ABAP 7.01, 7.10, 7.11

Enable Reauthentication; refer to SAP Note 1277022.

AS ABAP 6.40, 7.00

Enable Reauthentication; refer to SAP Note 1266780.

AS Java 6.40 and higher

SessionIdRegenerationEnabled = true; refer to SAP Note 1310561. SystemCookiesHTTPSProtection = true; refer to SAP Note 1449940.

An ABAP-based application server uses the cookie sap-contextid for identifying both, the application session and the security session. To prevent session fixation and session hijacking attacks, apply the session security measures.


229



●


Reauthentication is done with SAP NetWeaver 6.40, 7.00, 7.01, 7.10, and 7.11. With active reauthentication, the cookie sap-contextid is not enough to enter a session. Authentication credentials are checked every roundtrip. The SAP Notes for various SAP NetWeaver versions are as follows: ● For releases 6.40 and 7.00 of SAP NetWeaver, see SAP Note 1266780. ●

For releases 7.01 and higher of SAP NetWeaver, refer to SAP Notes 1277022 or 1322944.

●

For releases 7.01, 7.10, and 7.11 of SAP NetWeaver, refer to SAP Note 1277022.

●

For releases 7.02, 7.20, and higher of SAP NetWeaver, refer to SAP Note 1322944.

Though the method provided with SAP Note 1277022 still works with the releases SAP NetWeaver 7.02, 7.20, and higher, SAP Note 1322944 describes a new protection mechanism developed for newer releases of SAP NetWeaver. Cookies to Improve Session Security

AS Java uses the session cookie JSESSIONID to identify application and security sessions. A specific protection mechanism adds an additional session identifier named JSESSIONMARKID. If this security mechanism is activated, the security session is identified using the additional non-persistent cookie named JSESSIONMARKID. JSESSIONMARKID changes after authentication and programmatic reauthentication, which counters session fixation and hijacking attacks. SAP NetWeaver 6.40 provides Java parameter SessionIdRegenerationEnabled. This parameter requires a certain support package level. This may require updating your systems as mentioned in SAP Note 1310561. Some applications require additional configurations, such as operating an interaction center with the SAP Customer Relationship Management (CRM) application. Refer to SAP Notes 1420203 and 1532777. It is strongly recommended to use HTTPS for all browser access from end users to SAP software systems to avoid the risk of session cookies being hijacked in the network. To prevent a browser transmitting a session cookie over an unencrypted HTTP communication channel, the secure cookie attribute should be set for session cookies. For more information about how to set the SystemCookiesHTTPSProtection attribute for Java, refer to SAP Note 1449940 and SAP NetWeaver OLibrary. These settings are available starting with version 6.40 of SAP NetWeaver and require a À2š©¿ÌS´LHÔ«f�ÜŁ•ÿšJþ6‹Î*rVÏHØIõòCÊÙ’ô0˙ƒ˝ïØœð'ôÖ†R #pNŠ$k 8b°° q©ËÏ{ß'ÌŸ^R²*Ñ⁄Ł<�/w0]õ;−¿¡°ÿƒycÑõ7ÂÌòbñ«à¨ˇ"û_ê¾wd8çÅS .N·Õ‰×Ç˝öÝıæ¾‰çêUÞ÷�²uçV ×5ðºè� version level. For ABAP systems, set parameter login/ticket_only_by_https = 1. This parameter is available starting with version 6.10 of SAP NetWeaver AS. After enabling this attribute, plain HTTP connections will no longer work, if system cookies are required to make the application work. Refer to SAP Note 1531399 for best practices on how to activate the recommended secure session handling. After applying session security and HTTPS protection measures, careful regression tests have to be performed for modified SAP programs and custom applications.

230




HTTP security session management uses a new separate cookie to identify the security session (SAP_SESSIONID__). A security session ID and the value of the cookie SAP_SESSIONID__ change upon authentication and programmatic reauthentication. For more information, refer to SAP Note 1322944 and SAP NetWeaver À2šƒ¿ÀS¤LHÔ«}�Ëł• š˜þ‹Û*{VÒHšI–òCÊÙ’ë0ƒ ïÜœ$'ñÖ−R˘#5N‘bkH8˙°Š P©¿ÏFßfÌ™˙_²:Ñ’Ł1�{w=]º;Ù¿±°ü‚ykÑî7ÉÌòvÿ«û¨ "¼_ü¾wr8ýÅB I.R·ł‰…Çöfiı²Š‰9çêUòÐ�šQçRV-×:ð¬è¬˘U system accessed from the SAP NetWeaver Portal, you must apply SAP Note 1471069 to the portal.


The SSO experience is provided by using logon tickets with the following known drawbacks: ● Security issues -

-

●

●

URLs containing the cookie sap-contextid allow access to protected resources (session hijacking). A stolen logon ticket (the cookie named MYSAPSSO2) allows an attacker to create a new session - even after the legitimate user has successfully logged off.

Functional aspects -

No automatic logoff (inactivity timeout) is possible.

-

Validity of logon tickets is fixed (defined by ticket issuer; the default time is 8 hours).

-

Sessions cannot be terminated on the server side (for example, by an administrator).

-

Logoff option is provided only by SAP NetWeaver Portal (DSM Terminator).

Robustness -

Conflicts with other systems and in setting the cookie MYSAPSSO2 (cookie is set domain-wide with the same name).

HTTP Security Sessions



Figure 183: HTTP Security Sessions

The purpose of HTTP security sessions is to separate security sessions from application sessions. Application sessions are only required for stateful operations (server-sided state). Security sessions are created during logon and deleted during logoff. In addition, the session identifier is separated from the session context. The session context is kept at the server side (security state). The session identifier is just a reference to the session context, transmitted through cookie.


231


You activate HTTP security sessions using the following procedure: 1. Start HTTP session management (transaction SICF_SESSIONS). A list of all of the clients that exist in the system appears. 2. Select the relevant line and choose Activate. 3. Monitor sessions in transaction SM05.

Hint: The Security Audit Log records this activation or deactivation of HTTP security session management.

HTTP security sessions have the following impact: ● URLs containing the cookie named sap-contextid are no longer sufficient to gain access to protected resources. Instead, the cookie named SAP_SESSIONID__ is required to be transmitted with the same HTTP request. ●

●

●

Public services and services with configured identity will never evaluate or create security sessions (no mixed mode). Security session ID cookie is host specific. Thus, a load balancer is required.

With HTTP security sessions, a session inactivity time-out is introduced in the following way: ● Absence of HTTP communication is treated as inactivity. ●

●

●

●

●

●

232

For outbound HTTP communication, you must modify the default settings of a destination (transaction SM59) to accept cookies.

Processing incoming HTTP requests will update a Least Recently Used (LRU) timestamp. For performance reasons, the LRU timestamp is implemented using a server-specific cache. After every 60 seconds, the cache will be scanned for inactive and expired sessions (by server). Inactive and expired sessions and all associated application contexts (including the allocated server resources) are terminated. Other server nodes are notified of this event. However, in case of associated SAML sessions, no notification is sent to the SAML identity provider. In situations where the cache is full, the system creates security sessions with a fixed validity period. This is an emergency response by the system and results in system log entries. During start-up and controlled shutdown, each server instance deletes its own security contexts (table SEC_CONTEXT_COPY); the last server triggers the system-wide termination of the security context (table SECURITY_CONTEXT).




●

Some browser plug-ins and applets may experience problems; refer to SAP Note 1317545 for details.

Unit 5 Exercise 6 Check Logon Procedure of ICF Service

Business Example [Úý˙ÆI‚–7ŒY²ÜÀ—§É=ÄáªÌÝcÿy¥|™¤3±»×â¯ƒyãÙÒ"ÅÍÿ¡*î�2›‹Z¹$+¾>rÄáž$øTîâTW£²˜ _œäåO³·g¢à ˘> U7v T:EžÙr6ù"n bTn>÷Óã¡è‘&_X‰~ß1‹ï/9Äž2ıïåADò˙Ì˙‹ö«×øL¾ð¬ƒ³�ž Check the logon procedure of the ICF service. In transaction SICF, display any ICF service and check the logon procedure that is configured. 1. Log on to your AS ABAP system using SAP GUI for Windows. Use transaction SICF to check the logon procedure for any ICF service. For example, you can check the service DemoDynamic at path /default_host/sap/bc/webdynpro/sap/. Hint: Please note that the service settings are inherited.




233

Unit 5 Solution 6 Check Logon Procedure of ICF Service

Business Example ÖôÉ‹«g+åìibX”ìzÿL<ö0„2ï&Kà −m6”î H‹»ë�x`¹⁄=gßÅŽ3´ÈÝ⁄¼/¡’¬ßÆO®Ö,y^^\g*ÎÓŁÌ];×#ÙhÝr7mgÐ5Üý™?$¹Tð…³$îïäÇeÃ¡!2ƒU€\ÊZ¶¦UÑÌfïæ[ÏjOÃ9¬�õ6µãúˆÉ=vh;Ï¡˚´©¼”@vÊ™^€Ž Check the logon procedure of the ICF service. In transaction SICF, display any ICF service and check the logon procedure that is configured. 1. Log on to your AS ABAP system using SAP GUI for Windows. Use transaction SICF to check the logon procedure for any ICF service. For example, you can check the service DemoDynamic at path /default_host/sap/bc/webdynpro/sap/.

a) Use SAP GUI for Microsoft Windows to log on to your AS ABAP system and run transaction SICF. b) Choose the Execute pushbutton. c) In the service hierarchy, choose a service. For example, choose default_hostÖôÉq−ı+0sapÖôÉq−ı+0bcÖôÉq−ı+0webdynproÖôÉq−ı+0sap. d) Select any service. For example, in the context menu of DemoDynamic, choose Display Service. e) Check whether the Do Not Include Inherited Settings checkbox on the Service Data tab page is selected. This is important because service settings are inherited. f) Choose the Logon Data tab page and observe the value present in the Procedure field. For example, a possible value is Standard. If the Do Not Include Inherited Settings checkbox is selected, then this is the configured logon procedure for ICF service. If the checkbox is not selected and the Standard setting is the value in the Procedure field, choose ServiceÖôÉq−ı+0Display Inheritance to see the logon procedure that is inherited to this service.

234




Hint: Please note that the service settings are inherited.

Unit 5 Exercise 7 Activate HTTP Security Sessions

Business Example To increase security of your AS ABAP-based SAP system, you need to activate HTTP security sessions. Task 1 Activate HTTP security sessions for client 100 of your AS ABAP-based SAP system. 1. Log on with SAP GUI for Windows to your AS ABAP-based SAP system. In transaction SICF_SESSIONS, check if HTTP security sessions for client 100 are active. If not, activate them. Task 2 Use transaction SM05 to monitor the active HTTP security sessions. 1. Run transaction SM05 to display the active HTTP security sessions. You may need to log on using a web browser to see at least one session.




235

Unit 5 Solution 7 Activate HTTP Security Sessions

Business Example To increase security of your AS ABAP-based SAP system, you need to activate HTTP security sessions. Task 1 Activate HTTP security sessions for client 100 of your AS ABAP-based SAP system. 1. Log on with SAP GUI for Windows to your AS ABAP-based SAP system. In transaction SICF_SESSIONS, check if HTTP security sessions for client 100 are active. If not, activate them.

236

b) Check whether the entry for client 100 is green in the State column of the table. If not, select the row and choose the Activate pushbutton or double-click on the row to make it green. Task 2 Use transaction SM05 to monitor the active HTTP security sessions. 1. Run transaction SM05 to display the active HTTP security sessions. You may need to log on using a web browser to see at least one session. a) Run transaction SM05. If you do not see any active session, log on to the system using a web browser. For example, you can call the Test-BSP it00 (http:// :/sap/bc/bsp/sap/it00).




a) Log on with SAP GUI for Windows and run transaction SICF_SESSIONS.







237




238



1. Which of the following Application Server Java (AS Java) login modules is used for Single Sign-On (SSO) with Kerberos authentication? Choose the correct answer. X

A BasicPasswordLoginModule

X

B CreateTicketLoginModule

X

C SPNegoLoginModule

X

D ClientCertificateLoginModule




239


1. Which of the following Application Server Java (AS Java) login modules is used for Single Sign-On (SSO) with Kerberos authentication? Choose the correct answer. A BasicPasswordLoginModule

X

B CreateTicketLoginModule

X

C SPNegoLoginModule

X

D ClientCertificateLoginModule



X

240


UNIT 6

Security Monitoring with SAP Solution Manager

Lesson 1 Monitoring and Analyzing Security with SAP Solution Manager

242

UNIT OBJECTIVES ●

Monitor security with SAP Solution Manager

●

Analyze security with SAP Solution Manager




241

Unit 6 Lesson 1 Monitoring and Analyzing Security with SAP Solution Manager

LESSON OVERVIEW This lesson explains how to use the security monitoring capabilities of SAP Solution Manager to obtain a landscape-wide overview of the security configuration of your systems. Business Example

●

An understanding of how to use SAP Solution Manager to monitor security

●

An understanding of the SAP Security Optimization Service (SOS)

●

An understanding of SAP EarlyWatch Alert (EWA)

●

An understanding of system recommendations

●

An understanding of the configuration validation of SAP Solution Manager



●


Use SAP Solution Manager to Monitor Security Monitoring the security of a system landscape is an important and complex task for every company that operates one or more SAP systems. The complexity of this task increases with each additional system, component, or extension. The SAP Solution Manager service and support platform from SAP helps you to implement, monitor, and operate SAP security-relevant parameters efficiently throughout your entire SAP system landscape. SAP provides fine-grained monitoring capabilities and recommendations for security improvements by offering several methods, tools, and services. The Computing Center Management System (CCMS) monitoring architecture is used as a basis for information collection from the SAP system in the landscape. It offers a flexible framework to which extensive monitoring and administration functions can be added easily. The elements of the monitoring architecture largely function independent of each other, and they can be further developed and adjusted independently of each other. Based on the

242




You are responsible for security configurations and deal with several SAP systems for parameter validations. This is a time-consuming task. You want to use reports at a central location in an SAP landscape to gain a quick insight into various security-relevant configurations. For this reason, you require the following knowledge:

Lesson: Monitoring and Analyzing Security with SAP Solution Manager

architecture, the CCMS in the SAP Solution Manager ensures central and efficient monitoring of the SAP systems. The various functions provided by SAP Solution Manager are as follows: SAP Security Optimization Service (SAP SOS)

●

SAP SOS is designed to check the security of SAP systems. This service comprises a system analysis and the resulting recommendations for system settings. It addresses system and Customizing settings that impact system security. It focuses on internal and external system security. To improve internal security, SAP SOS checks many critical authorization combinations. SAP SOS improves external security by checking the access possibilities to your system and the authentication methods used. This service checks the configuration of an SAP system on predefined security topics. For more information, refer to SAP Service Marketplace, quick link /sos. ●

SAP EarlyWatch Alert (EWA) SAP EWA monitors the essential administrative areas of SAP components and keeps customers up-to-date on their performance and stability. As a part of SAP EWA, SAP also provides selected checks on security-relevant configuration (including the implementation status of relevant SAP Security Notes). For more information, refer to SAP Note 863362 – Security checks in the SAP EarlyWatch Alert and SAP Service Marketplace, quick link / ewa. System recommendations System recommendations search for SAP Notes in the SAP Support Portal for the selected technical system, and then send the information to SAP Solution Manager. System recommendations are integrated into change management. For example, you can create a change request directly after selecting the relevant notes. For non-ABAP notes, you can confirm loadable Java patches in the maintenance optimizer. For more information, refer to SAP Service Marketplace, quick link /sysrec.

●

Configuration validation Configuration validation reporting delivers a generic framework to verify configurations of connected managed SAP systems. This framework can be used to define expected system configurations according to policies and guidelines, and to compare those expected configurations against the actual configuration of managed SAP systems. For more information on configuration validation, refer to SAP Service Marketplace, quick link / changecontrol.

SAP SOS The SAP SOS is designed to verify and improve the security of SAP systems. It identifies potential security issues and recommends mitigation strategies. If you need to prepare a session to implement SAP SOS, you need to fill a questionnaire. The results of the check on various system components are used to produce recommendations to optimize the configuration of the system or component being analyzed.


243



●

Unit 6: Security Monitoring with SAP Solution Manager

SAP SOS Offerings

244

Hint: The SAP SOS can be used at any time. The best time to use it is during the end of the Go-Live phase. The service is also useful while preparing for internal and external audits. The SAP SOS can be rerun to make sure that the applied changes in the system configuration are successful and that no new vulnerabilities appear. The underlying concept of SAP SOS is to ensure smooth operation of the SAP solution by taking action before severe security problems occur. This check consists of hundreds of checks based on the SAP Security guidelines and the knowledge of the SAP Security consultants. The checks to ensure smooth operation of the SAP solution include the following activities: SAP NetWeaver Application Server:

●

ABAP Basis administration check

●

r-7ÿNš}´ÆãA6KÎŸ0ûîy>R`Ÿ fiÂ!Öš²x¬]‹žZ

●

r-7ùH‹}´flã "KÓŸ4ûûy(R-Ÿ ŁÂ0Ö@š˙ú½

●

r-7ú\‰}´‚ãC%KÄŸqûêy3RhŸ ŒÂuÖ…

●

r-7ùMŠ}´−ã qK•Ÿ!ûûy2RcŸˇ ŸÂ'Öš¯i¬Y‹Vžfi£®"™:Łs¢Qš?©Å€ð²ÛùÞ˙ÜS:ÂŸ]2ê

●

r-7ù|¨}D´¡ãy˚K•Ÿûày5RjŸ ŸÂuÖpšˇ½sJ¬y‹JžÚ£ü"€:²s—QÛ?çÅãð¹ÛôÞ˛Ü[:›ŸÝ

●

r-7éX−}´‘ãJ>KÃŸ0ûýy>R-Ÿ> flÂ;ÖDš˝¿=4¬_‹Cžfl£ù"¼:‘sëQÚ?flÅÓðžÛ¸Þ^ÜS:ÁŸ˘2)%ªFŸ

●

r-7è\ł}´†ã^8KÕŸ?ûíy{RlŸ˘ ›Â=ÖLš³g¬B‹MžŁ£º"Ó:‡s£QŠ?¤ÅëðñÛ1




Figure 184: SAP SOS Offerings


SAP router:

SAP NetWeaver Application Server:

●

îé˘†îi#PR×ŸSe˜�Íþæ ü˝ÿzÜı}q×EÎPŒIæüù8¯H,ðªô¿bUª¸H–nÅûÜ%¿•)éµq*ö

●

îé†ýi6P_ÌÈSc˜…Íú³7üSÿuÜł}w×BÎSŒ˙æôù7¯],ìªò¿�U�¸–lÅçÜ)¿„)ìµq*5ÿłqÛœdLð£…®

●

îé†ài;PT�ÕSm˜�Íïô1üQÿ~Ü†}q× Î^ŒNæáù*¯F,öªô¿wU¥¸˝–dÅüÜ.¿Ã)áµ9*3ÿ’qÕœ'L;

●

îé †ýi8PWÖÔSi˜ÑÍþò&ü]ÿvÜ−}q×HÎMŒ˙æöù*¯L,çªö¿-Ud

●

External authentication check

●

Saprouttab check

●

Operating system access check

●

SNC check

●

Java landscape check

●

Configuration check

●

SSL check

●

Administration check

●

●

SAP Note 696478 – SAP Security Optimization: Preparation and Additional Info SAP Note 837490 – Execution of the Security Optimization Self Service


245



Hint: For more information, refer to the following SAP Notes:


SAP SOS Process Flow

Perform the following steps to run the Security Optimization Self Service: 1. Schedule an automated data collection and transfer by creating an SAP SOS session in SAP Solution Manager. 2. Generate an ST14 SOS download as a secondary data source and send it to SAP Solution Manager. 3. Fill the SAP SOS questionnaire to focus the report on real findings. For example, you can exempt known super users from the report. 4. Run the session that automatically generates all the results. 5. Generate the SAP SOS report. 6. Evaluate the findings and recommendations and take corrective measures for the analyzed system. 7. Derive input for your general SAP security policy and initiate proper security monitoring. For example, as supported by the configuration validation.

SAP EWA SAP EWA is a special service in SAP Solution Manager that offers a regular proactive system diagnosis. SAP EWA makes it possible to identify standard problems before they turn into acute problems. SAP EWA recommends some suitable countermeasures in the resulting reports. The SAP EWA family includes the following types: ● SAP EWA on each of the production systems

246




Figure 185: SAP SOS Process Flow


●

SAP EWA on SAP Solution Manager as a remote service

SAP EWA is a diagnosis that monitors the most important business processes and systems. It helps to identify potential problems at an early stage, avoid bottlenecks, and monitor the performance of your systems. Using this mechanism, you can validate the security status on a weekly basis for a predefined set of parameters. The SAP EWA report also displays an alert when security-critical SAP Notes are missing or are not applied on the analyzed system. SAP EWA is included in the maintenance agreement with SAP at no extra cost. By running and monitoring SAP EWA, you can increase stability, performance, and security for your entire solution landscape. SAP EWA monitors solutions in SAP and non-SAP systems in SAP Solution Manager. SAP Solution Manager processes the downloaded data from SAP or non-SAP systems. You can display the EarlyWatch report as an HTML document. You can also create the report as a Microsoft Word document. You can use these documents as status reports to analyze and avoid potential problems.

Caution: SAP strongly recommends that you activate SAP EWA for all productive systems. EarlyWatch Report The EarlyWatch report analyzes system security in terms of authorization and therefore covers the following topics: ●

SAP Security Notes about ABAP and Kernel Software Corrections

●

Default Passwords of Standard Users

●

Password Policy

●

Gateway and Message Server Security

●

Users with Critical Authorizations

For these topics, refer to SAP Note 863362 – Security Checks in SAP EWA. The data collection and transfer for all remote sessions can be performed automatically. SAP EWA informs the customer about the problems with data collection. For processing and evaluation, relevant data is sent from the satellite systems to the central SAP Solution Manager system. SAP EWA for satellite systems also forms the basis for further analysis. If the overall rating of SAP EWA is red, the service results are automatically sent to SAP Support. If all the sections rated yellow or green, the results are sent to SAP Support once every four weeks. The transferred data includes only the technical data with nonsensitive content, which is transparent and manageable in transaction SDCCN.


247



If SAP EWA displays red flags, it triggers further services. Depending on the status of your system, the triggered services can include the SAP EarlyWatch Check. The SAP EarlyWatch Check is performed over a remote connection by a technical service engineer. During the service, the service engineer analyzes the system, diagnoses particularly complex problems, and develops solutions for these problems. Each productive system is entitled to a maximum of two SAP EarlyWatch checks per year within the maintenance agreement with SAP (valid for SAP customers with Standard Support agreement).


The Service Data Control Center, which can be entered by transaction SDCC, is a service tool that provides an overview of the planned service sessions. It carries out data collection in the SAP system. The collected data is then transferred to either the user’s own SAP Solution Manager system or SAP. The results of SAP EWA are the prerequisites for other SAP services. The examples of SAP services that use the results of SAP EWA as prerequisites are as follows: ● SAP GoingLive Check ●

SAP GoingLive Functional Upgrade Check

●

SAP EarlyWatch Check

The main prerequisites for using SAP EWA are as follows: You have made the settings required in SAP Solution Manager Customizing for SDCCN and SAP EWA.

●

●

You have set up your systems in a solution landscape in SAP Solution Manager.

●

You have set up the SDCCN in the solution landscape systems.

●

●

●

Your SAP system must be of minimum release, that is, any SAP NetWeaver or SAP Web AS in case of ABAP stack, J2EE Engine 6.40 in case of Java stack, or release 3.0D for SAP R/3. ABAP stack requires monitoring jobs to be configured correctly. Check this configuration by implementing SAP Note 69455, running report RTCCTOOL, and following the instructions. Java stack requires that you set up Solution Manager Diagnostics and implement SAP Note 976054.

You can set up the SAP EWA using the following steps: 1. Run transaction SOLMAN_WORKCENTER and choose the System Monitoring tab page. 2. In the left pane, choose Setup. 3. Choose Setup EarlyWatch Alert by choosing the EarlyWatch Alert Administration tab page. 4. You can set up SAP EWA monitoring data collection per system or solution. 5. Select fields according to your requirements.

Hint: For more information, refer to the following SAP Notes:

248

●

SAP Note 1257308 – FAQ: Using EarlyWatch Alert

●

SAP Note 976054 – Availability of EWA for Non-ABAP components

●

SAP Note 1040343 – EarlyWatch Alert (EWA) for Solutions

●

SAP Note 207223 – SAP EarlyWatch Alert processed at SAP




●

You have put the systems in a solution, and there is a remote connection between the SAP component and SAP Solution Manager.


SAP EWA – Example

Figure 186: SAP EWA – Example

INTERACTIVE ELEMENT: Chat 1.



The figure shows an example of SAP EWA.

What is an EarlyWatch report? . . . . . . . . . .


249


System Recommendations

System recommendation is a functionality in SAP Solution Manager that focuses on SAP Notes. It provides a tailored recommendation of Notes that should be applied to a selected managed system. This recommendation is calculated based on the actual Notes status of the system. Questions such as, “Is a specific SAP Note already implemented in the system?”, “Which version do the implemented Notes have?”, or “Are more recent versions available?” are taken into account when calculating the recommendation for a system. System recommendation collects necessary information from the managed systems through a background job that must be scheduled on a regular basis. A refresh of the previously calculated information for a specific system can also be started directly. The calculation is carried out in SAP’s Global Support Backbone, which means that no load is generated on the SAP Solution Manager system or on the managed system. System recommendations are divided into the following categories: ● Security-relevant Notes ●

Performance Notes

●

HotNews

●

Legal change Notes

●

Correction Notes (for ABAP and Java)

Based on the calculated recommendations, you can set various statuses for the recommended Notes. You can specify the statuses for the Notes, such as to be implemented, not relevant, or postponed. This, in combination with a filter displaying only Notes with a certain status, provides an overview of all the recommendations and helps you to keep track of tasks assigned based on the recommendations. System Recommendation Scenario To show a detailed example of how to work with system recommendations, assume this situation: a system and security engineer who is responsible for several SAP systems wants

250




Figure 187: System Recommendations Architecture


to ascertain which patches that SAP released on the monthly patch day are relevant to the security of his system(s). The following steps show how system recommendations help in accomplishing this task: 1. The engineer enters the Change Management work center in the company's SAP Solution Manager system and opens the System Recommendations functionality. 2. To obtain the exact recommendation, the engineer first selects the company’s solution. This shows a list of product systems that are a part of this solution. 3. The engineer then selects the relevant product system. This results in a list of technical systems (ABAP and Java) for this product system. 4. As the recommendations are based on technical systems, the engineer now selects a technical system. 5. The engineer is able to select a filter on the applications component(s) to further limit the amount of recommended SAP Notes. In this example, no filter on application components is set. To start the calculation of the recommendation, the administrator chooses Apply filter.

7. If the background job has not yet run or is not scheduled, the engineer either chooses Refresh to directly start the collection of information or uses the Settings menu to start the background job for data collection. The recommendation is then displayed in the lower part of the window. The list of recommended Notes can be ordered by application component (this is the default setting) or by software component. To change the view, use the View dropdown menu directly above the list of recommended Notes. When using the software component view, one of the following characteristics is displayed for every Note: ● SP relevant SP relevant means that this Note is relevant for the system because the SP level exactly matches the support patches of the SAP system. ●

SP independent SP independent means that this Note can be relevant for the system because the software component and the release match, but the exact SP level cannot be checked.


251



6. If the background job for collecting information from the managed systems has already collected some data, this data is transferred to SAP. In SAP, the actual calculation takes place and is sent back to the customer’s SAP Solution Manager.


System Recommendations – Security Notes

The security engineer finds all the security-relevant SAP Notes on the Security Notes tab page. To get more information on the recommended SAP Notes, the engineer searches each }w3xá«–s-Ñe ò„n�%ŒU|Ñ˜.7š˘™ö8üç¬ÉüöÝRBfim òâÃ‚¥¯syÙŸsgÛî−"C:b·ßó˚ç4]Ñ1Gj‹ÚíˇoÑ,1•ržŁŠG¶Ñ"uø—÷qa½â€¿{L(£}˙˛t—‹ú6 œ%ª}�KA·Þ¤RNl*ø+˛ìA6€–žXÌh£Hö×û¾‚*¥4Rr$Ñv7‰½º‚”0(:ùÖØ%êÝE{Ïæ¹š for every Note. After tracking all security-relevant Notes that need to be implemented, the engineer can filter for a specific status to keep the list view clean. For example, the filter can be for the status To be implemented, which gives a list of all SAP Notes that the engineer has flagged for implementation. With this list, the engineer can start implementing the Notes with transaction SNOTE. System Recommendations and Java Patches System recommendations can also be used for Java systems. The procedure is exactly the same as the procedure described for security Notes. The only difference is that the Java patch Notes are displayed only on the Correction Notes tab page. With the Add to download basket pushbutton, you can directly add the Java patches containing the selected Notes to the download basket in SAP Service Marketplace. Integration with Maintenance Optimizer to approve the download basket is also available. Integration of SAP Notes with Change Request Management For customers using the Change Request Management functionality in SAP Solution Manager, system recommendations provide integration with Change Request Management. This functionality enables you to trigger a Request for Change for the SAP Notes selected for implementation. Integration of SAP Notes into Change Request Management - Prerequisites System recommendation is delivered as of SAP Solution Manager 7.0 SPS26. This functionality is available within the Change Management work center (transaction codes SOLMAN_WORKCENTER or SM_WORKCENTER). Therefore, access to the work centers is a prerequisite.

252




Figure 188: System Recommendations – Security Notes


To ease data collection and to speed up delta calculation, a background job can be scheduled, which automatically collects all the needed information from the managed systems. To control access to system recommendations, the authorization object SM_TABS (in SAP Solution Manager 7.0) or SM_FUNCS (in SAP Solution Manager 7.1) can be used to grant or deny access to different tab pages of system recommendations. Before using system recommendations, SAP strongly recommends that you implement SAP Notes 1554475 and 1577059. SAP also recommends that you configure SAP Solution Manager for automatic update checks. For troubleshooting, check the application log AGS_SR to see the configuration and check logs. In case of any problem, create a customer message under component SV-SMG-SR (System Recommendations for Managed Systems).

Configuration Validation With configuration validation within SAP Solution Manager, SAP offers a tool to validate various kinds of software configuration items. This tool uses a single configuration item repository within SAP Solution Manager to help standardize and harmonize configuration items within the ABAP and Java systems. Configuration validation uses the centrally stored configuration data to validate a large number of systems by using a subset of the collected configuration data for each system. Typical questions to consider while performing configuration validation: ●

●

Have any template configurations for SAP applications or database parameters been applied to all systems? Has it been validated that no kernel release older than six months is present on all the systems?

●

Have the security policies been applied?

●

Are the security default settings in place?

To answer these questions, a target system is defined as a reference system for comparing values. This system can either be a real system or a virtual set of manually maintained configuration items. Based on this reference, the settings are compared in a consistency check. Additional predefined checks, which are not only consistency based, are performed for some settings. Examples of such settings include STANDARD_USERS and the Gateway configuration. The checks that are a part of the standard configuration stores are as follows: ● Whether failed transports can be identified (ABAP_TRANSPORTS). ●

●

●

●

Whether rules for profile parameters can be defined using number ranges and comparison operators. Whether regular expressions can be used for checks of the SAP Gateway configuration files. Whether checks for the status of STANDARD_USERS can be performed. Whether the configuration store ABAP_NOTES allows you to check for software dependencies of SAP Notes. Previously applied SNOTE Notes are included in the ABAP_NOTES configuration store.


253



●

Are all systems on a certain operating system patch level or database patch level?


Online recommendations from the EWA/RSECNOTE are directly imported. Note that dependencies are defined towards component, release, and Support Package, respective to the Kernel patch. If a Note has not been applied, a hint, such as “note should be applied” or “not relevant”, is shown.

Hint: The prerequisites for configuration validation are as follows: ●

SAP Solution Manager with SPS18 in place

●

BI Content 704 with batch level 1

●

SAP Solution Manager with EHP 1

To access the configuration validation in SAP Solution Manager, choose one of the following path: ● Through direct URL – http:////sap/bc/webdynpro/sap/ags_workcenter/ ●

ìûEÍh“ıU£É•«öŠuÖÖ¦‘`èØoı¨ÇDW8£[x²⁄JChange Management Configuration Validation Maintenance/Reporting

The advantages of the configuration validation are as follows: ● Validation of content deliverables

254

●

Easy implementation The configuration validation tool provides predefined reports and templates to ease implementation and minimize efforts for setup and customization.

●

Flexible reference configurations The configuration validation tool provides flexible reference configurations based on existing system configurations, customer-defined configurations or baselines, and Customizing functionalities.

●

Wide range of reporting functionalities The configuration validation tool provides a wide range of reporting functionalities that are accessible from a central entry point and are executed in the browser. The tool also provides interactive drill-down and filter functions, as well as rating, broadcasting, and export functionalities.




The configuration validation tool validates the content deliverables at the platform, database, and application levels.


Configuration Validation – Result

Figure 189: Configuration Validation – Result



●





The figure shows the result of configuration validation.

255




256



1. Which of the following tools enable you to uncover missing security configurations? Choose the correct answer. X

A System recommendations

X

B EarlyWatch Alert

X

C Configuration validation

X

D SAP Security Optimization Service

2. In SAP Security Optimization Services (SAP SOS), the previously implemented SAP Notes can be viewed in the ___________ data store.

X

A ABAP_NOTES

X

B SNOTE

X

C Performance Notes

X

D Correction Notes





257


1. Which of the following tools enable you to uncover missing security configurations?

258

X

A System recommendations

X

B EarlyWatch Alert

X

C Configuration validation

X

D SAP Security Optimization Service

2. In SAP Security Optimization Services (SAP SOS), the previously implemented SAP Notes can be viewed in the ___________ data store. Choose the correct answer. X

A ABAP_NOTES

X

B SNOTE

X

C Performance Notes

X

D Correction Notes





Adm900 en Col10 Vlc Fv Part a4

Recommend Documents