SAP Basis Two ways to use Security Automation - SAP Corner

Two ways to use Security Automation
IT Security
By correctly assessing your own applications for suitability for operation with an external service provider or in the cloud, the enterprise risk of the chosen service form is minimised. Possible weak points, or aspects that require special attention, are also known in advance and can be dealt with proactively. Negative consequences during operation can be largely ruled out.

This advanced SAP administration training course provides confidence in in-depth administration tasks on your SAP system. For example, SAP administration with WebAS with ABAP and Java, system configuration and system updates, importing patches and corrections, and updating users and authorizations. Furthermore, the program includes the setup of printers, knowledge of system security and system monitoring as well as transport functions. Not to forget the help system and data backup in your SAP systems.
INSTALLATION
In the SAP Business Objects environment, you can extend the control of permissions using the CMC tab configuration. The tab configuration allows you to easily show or hide specific tabs for users or groups.

Enable CMC Tab Configuration

By default, the CMC Tab Configuration feature is set to "Don't Limit" and is disabled. To use the tab configuration at all, you first need to enable it.

Note: If you enable the tab configuration, all users who are not in the default Administrators group will initially not see any tabs. This is because access is denied by default through the CMC tab configuration. Once it is enabled, you must therefore maintain tabs for all existing groups. Make sure you have an account associated with the Administrators group!

To enable it, go to Applications, right-click Central Management Console, and select Configure Access to the CMC tab. Now enable the configuration by selecting the Restrict option.

Hide/show tabs

If you now log in with a user that is not in the default Administrators group, you will not see any applications/tabs on the CMC home page. To display the desired tabs for a group again, switch to Users and Groups with your administrator account, right-click the desired group, and select CMC tab configuration. In the dialogue that appears, you see that access to all tabs is denied by default.

It is possible to specify a trace level for each rule in the ACL file to monitor each communication channel individually. It can be used with SNC without any further configuration. The use of the file is controlled by the gw/acl_file parameter, which you simply set to the appropriate file name.

Use of external programmes

If an external programme wants to communicate with your SAP system, it must first register at the gateway. Which programmes are permitted to do so is controlled by the reginfo ACL file. It defines rules that allow or prohibit certain programmes. The syntax of the file allows you to define not only the name of the programme, but also the host on which the programme runs and the hosts that can use and exit the programme. The gw/reg_info parameter must be set to use this file.

In addition, there is the ACL file secinfo, which lets you configure which users can start an external programme. It defines rules that allow certain usernames from the SAP system to use certain external programmes. You can also define the hosts on which these programmes will run. For example, it is possible to allow a user to run the programme "BSP" on the host "XYZ", but not on the host "ABC". This file is controlled by the gw/sec_info parameter.

Using the gateway as a proxy

Since the gateway of your SAP system can also serve as a proxy server, the prxyinfo ACL file should also be activated via the gw/prxy_info parameter. Suppose you have 3 SAP systems in your network: SRC, TRG and PRX. If SRC cannot communicate directly with TRG, but both can communicate with PRX, it would be possible to use the gateway of the PRX system as a proxy server, i.e. to communicate via it. To prevent this from being open to everyone, this property should urgently be restricted. As with the other ACL files, rules define which hosts can communicate with which hosts via the gateway.

The syntax of the different ACL files may vary depending on the release level. It is therefore advisable to read up on them in the appropriate SAP documentation before activating the ACL files. You can also find more support for using ACL files in the SAP Community Wiki.
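The secinfo case described above (a user may run "BSP" on host "XYZ" but not on "ABC") can be checked before a file is activated. The following is an added example, not code from this page or from SAP: it assumes the `#VERSION=2` rule syntax with the keywords USER, USER-HOST, HOST and TP, top-down first-match evaluation and an implicit deny, all of which should be confirmed against the documentation for your release; the user names and rules are constructed.

```python
# Constructed secinfo content (assumed #VERSION=2 syntax; verify for your release).
SECINFO = """\
#VERSION=2
P USER=ALICE USER-HOST=* HOST=XYZ TP=BSP
D USER=* USER-HOST=* HOST=ABC TP=BSP
P USER=* USER-HOST=* HOST=* TP=*
"""

def parse_acl(text):
    """Return a list of (line_no, action, {KEY: value}) for each P/D rule."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines, comments and the version header
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {no}: unknown action {action!r}")
        fields = dict(p.split("=", 1) for p in pairs)
        rules.append((no, action, {k.upper(): v for k, v in fields.items()}))
    return rules

def matches(pattern, value):
    # Simplification: comma-separated list of exact names, or a lone "*".
    return any(p == "*" or p.lower() == value.lower() for p in pattern.split(","))

def decide(rules, request):
    """First matching rule wins; if nothing matches, the request is denied."""
    for no, action, fields in rules:
        if all(matches(fields.get(k, "*"), v) for k, v in request.items()):
            return action == "P", no
    return False, None

def permissive(rules):
    """Line numbers of permit rules in which every field is a wildcard."""
    return [no for no, action, fields in rules
            if action == "P" and all(v == "*" for v in fields.values())]

if __name__ == "__main__":
    rules = parse_acl(SECINFO)
    for user, host in [("ALICE", "XYZ"), ("ALICE", "ABC"), ("BOB", "XYZ")]:
        allowed, line = decide(rules, {"USER": user, "HOST": host, "TP": "BSP"})
        print(f"{user} -> BSP on {host}: {'permit' if allowed else 'deny'} (line {line})")
    print("catch-all permit rules on lines:", permissive(rules))
```

The third request shows why the catch-all rule on the last line should be flagged: it permits a user who was never explicitly granted access to "BSP".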

For administrators, a useful product - "Shortcut for SAP Systems" - is available in the SAP basis area.

Ideally, for the period in which an emergency user is in use, a separate log of the activities performed is written, which can then be evaluated.

The website www.sap-corner.de offers a lot of useful information about SAP basis.


It defines requirements for the implementation and operation, which it aligns with the operator or with the necessary expression of the Subject Matter Expert.