This page describes the use of Configuration Validation with focus on ABAP security within the management dashboard using the delivered security apps.
As a prerequisite please read ABAP security.
The user must have the authorization to read the data of the config stores including security related config stores for which the following authorization is needed:
Authorization-Object AI_CCDB_SC "CCDB Store Content
SECURITY or *
Authorization object is included in Role SAP_CV_ALL. However, it is necessary to activate auth-obj AI_CCDB_SC first (it's shipped inactive).
The security applications (apps) are designed to use a target system based on the template 0SEC_NEW, which delivers the corresponding config stores. Config stores added to the target systems are only validated if they are also used the security apps queries.
Your management would like to have an overview over the compliance / non compliance of your productive SAP ABAP systems related to certain security related settings.
The security apps can help to identify systems that are not compliant related to selected items.
The dashboard apps are supposed to deliver aggregated data only. For the detailed information about the single items and their validation use the Configuration Validation.
Delivered security apps and the used BW queries
With SP03 three security apps are delivered:
In SP08 the following apps are provided:
The Security Overview app counts the Non Compliant, Undefined, and Compliant systems. The Security Details app validates the systems for the categories Software, Configuration and User and builds the sum. The Security List app displays the systems by extended SID with their validation result for the categories.
A system or a category of a system is validated as Non Compliant (NC) as soon as one configuration item (software level, setting, parameter or service) is rated as non compliant. Compliant (C) is the result, if all investigated items had been validated as compliant. Undefined means that no non compliant item had been found and not all items had been validated as compliant.
The Earliest timestamp is related to the config store which validity has the earliest time stamp: No Data means that at least one config store did not deliver such a time stamp, the config store was empty.
The names of the security apps and their BW queries are:
The categories and the assigned config stores are defined in the queries as:
Config stores assigned
If you run the dashboard the first time it will be empty. You can add and save apps to your personal dashboard then.
Where can I find the security apps and run the dashboard ?
Run the "Personal Dashboard" application (WebDynpro application MY_DASHBOARD).
URL: https://<host>:<port>/sap/bc/webdynpro/sap/my_dashboard?sap-language=EN (replace <host> and <port> by the corresponding values)
Press the ‘Configure’ and then ‘Add New App’ get the available apps. Select ‘Cross application’:
Select the app and press ‘OK’
The configuration screen will be shown
- Adjust the Header description
- Select a Target System
- Select the Comparison Systems which you would like to validate
- Add the Comparison Systems
- After that, press ‘Apply Selection’ and
- Finally the ‘Apply’.
This will run the application with your settings.
After that you can add another or the same application and configure it. A Target System is defined in the Configuration Validation – Target System Maintenance.
Don’t forget to press ‘Save Dashboard’:
Which dashboad app shall I use?
Dashboard app Security Overview has no content dependendcies. All other dashbaord apps expect a target system which is derived from the 0SEC_NEW template and expects at least one config store per category.
You are most flexible if you use target systems with one config store and then based on those target systems you could use app Security Overview to create a dashboard which shows the different check areas as single dashboard like the example below: