Adm900 en Col10 Vlc Fv Part a4

March 20, 2017 | Author: Pablo Jorge Berganza Carvallo | Category: N/A



ADM900
SAP System Security Fundamentals

PARTICIPANT HANDBOOK, VIRTUAL LIVE CLASSROOM

Course Version: 10
Course Duration: 2 Day(s)
Material Number: 50117500

Duplication is prohibited.

SAP Copyrights and Trademarks

© 2013 SAP AG. All rights reserved.


© Copyright . All rights reserved.


About This Handbook

This handbook provides you with basic information for attending your virtual live classroom session.

Adobe Connect Support Information

Web and audio support is available by:

● Pressing *0 from within the audio-conferencing
● Calling the support hotline numbers listed below
● Emailing the PGI support hotline below

Global PGI Support Hotline for SAP Education (24/7)
Tel: +1 800-368-1945
Tel: +1 719-234-7915
Note: After dialing in, press option 2 for technical support. You will then be presented with two options: press 1 for Audio support, or press 2 for Web support.
Email: [email protected]

Ideally you want to be in a private room when participating in a synchronous (live) event. In reality, you

The technical user in the child system requires the roles SAP_BC_USR_CUA_SETUP_CLIENT and SAP_BC_USR_CUA_CLIENT. However, you should not assign the delivered SAP roles to the technical users, but rather copies of these roles for which you have created authorization profiles with role maintenance (transaction PFCG). For simplicity, name the copies of the SAP roles by adding Z_ to the start of the name, that is, Z_SAP_BC_USR_CUA_SETUP_CLIENT and Z_SAP_BC_USR_CUA_CLIENT.

Hint: Note that the technical user in the child system requires the role Z_SAP_BC_USR_CUA_SETUP_CLIENT only while you are setting up CUA. You can then remove this role from the technical user.


Note: For more information about CUA minimum authorizations for communication users, see SAP Note 492589. The composite role SAP_BC_USR_CUA groups together the various roles for service users of CUA. The composite role is used only for documentation purposes. The single roles that it contains are assigned directly to the service users.

Lesson: Implement Central User Administration (CUA)

Hint: To increase the security and performance of your system, you can split the authorizations of the role Z_SAP_BC_USR_CUA_CLIENT across two subroles. The role Z_SAP_BC_USR_CUA_CLIENT itself contains all authorizations required to receive the IDocs of CUA and update them. The subrole Z_SAP_BC_USR_CUA_CLIENT_RFC (create it in the same way as the roles described earlier) contains only the authorization to receive the IDocs, and the role Z_SAP_BC_USR_CUA_CLIENT_BATCH contains the update authorization for the inbound IDocs. Assign the first role, Z_SAP_BC_USR_CUA_CLIENT, to the technical user, and assign the role Z_SAP_BC_USR_CUA_CLIENT_BATCH to a system user that is allowed to change user master records. This system user is used in the child systems to schedule a periodic background job that applies the CUA changes there.

RFC Connections from the Child Systems to the Central System

Hint: Because RFC connections can be used cross-client (all clients of a system can use a shared RFC connection), you need to create only one RFC connection to the central system if there are multiple child systems in one SAP system.

The connection from the child system to the central system uses a technical user of the type System that must be known in the central system. This user should have the ID CUA_<SID>, where <SID> stands for the system ID of the child system that communicates with the central system using this user. This user requires the authorizations of the roles Z_SAP_BC_USR_CUA_SETUP_CENTRAL, Z_SAP_BC_USR_CUA_CENTRAL, and Z_SAP_BC_USR_CUA_CENTRAL_BDIST. Create the roles by copying the template roles (the templates have the same names as the specified roles, but without Z_ at the start of the name) and generating the profiles for them using transaction PFCG. The first role listed, Z_SAP_BC_USR_CUA_SETUP_CENTRAL, is required only while setting up CUA.

Caution: The role Z_SAP_BC_USR_CUA_CENTRAL_BDIST is required by the user in the RFC connection if the attributes in transaction SCUM are set to Redistribution.


RFC connections are also required from the child systems to the central system. Every child system must be able to open an RFC connection to the central system.

Unit 3: Advanced User Administration Topics

Caution: In addition to the RFC connections from the child systems to the central system, you also require an RFC connection from the central system to itself (loopback). This connection also uses the user with ID CUA_<SID>, where <SID> is the ID of the central system. The required authorizations are contained in the roles Z_SAP_BC_USR_CUA_SETUP_CENTRAL, Z_SAP_BC_USR_CUA_CENTRAL, and Z_SAP_BC_USR_CUA_CENTRAL_BDIST.

Figure 43: Required RFC Connections and Technical Users for CUA

The figure shows the required RFC connections and technical users as well as the roles they require in a very simple CUA scenario.

Hint: For background information about the required authorizations and roles, see SAP Note 492589 – Minimum authorizations for communication users.

After you create the users (as shown in the figure) with the appropriate role assignments in all of the clients involved, you need to define only the RFC connections in transaction SM59. You can do so by performing the following steps:

1. In transaction SALE in the central system, choose Communication → Create RFC Connections (transaction SM59).
2. Choose the Create pushbutton.


3. Enter the following data in the respective fields:

Field Name        Value
RFC Destination   For example, QASCLNT200 or DEVCLNT200 (this entry must be in uppercase letters)
Connection Type   3
Description       Connection to child system

Caution: The RFC destination name must be identical to the logical system that you want to address with the RFC connection. The RFC destination name must be specified in uppercase letters.

4. Press the Return key. On the Technical Settings tab page, make the following settings:

● If you do not want to use load distribution, specify the name of the host on which the central instance of your target system is running as Target Host and specify the instance number of the central instance.
● If you want to restrict the function of CUA to a particular server group, you can specify the logon group after selecting the Load Balance: Yes radio button and choosing the Return pushbutton.

5. On the Logon & Security tab page, specify the client of the required logical system and the technical user CUA_<SID>_### (for example, CUA_QAS_200 or CUA_DEV_200) and its password (in your training course, this password is specified by the instructor before the start of the course).
6. Save this connection.
7. Choose Utilities → Test → Connection Test (CTRL + F3) and Utilities → Test → Authorization Test (CTRL + F4) to test the connection using these functions.

To set up the required RFC connection from the child system to the central system, log on to the child system and perform steps 1 to 7 again. Use the user CUA_<SID>, where <SID> is the system ID of your child system. You should also set up the RFC connection from the central system to itself.

Note: You can also use trusted RFC connections for the CUA communication. This increases the security of your CUA communication further. For information about configuring CUA using trusted RFC connections, see the online documentation.

CUA Activation

After you successfully activate CUA, you will no longer be able to create users in the linked child systems using transaction SU01. Before you activate CUA, it is still possible to create new users using transaction SU01 in a child system.
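As an added example (not part of the handbook), a small Python check of the SM59 settings that steps 3 to 5 prescribe for a CUA destination: an uppercase name identical to the logical system, connection type 3, a System-type technical user named CUA_<SID>_<client>, and either a target host plus instance number or a logon group. The dataclass fields are hypothetical, and the <SID>CLNT<client> naming of logical systems is an assumption taken from the lesson's own examples (QASCLNT200, CUA_QAS_200).

```python
import re
from dataclasses import dataclass


@dataclass
class RfcDestination:
    """Constructed model of the SM59 fields the lesson fills in for a CUA
    connection (hypothetical field names, not an SAP API)."""
    name: str               # RFC Destination
    connection_type: str    # "3" for an ABAP connection
    logical_system: str     # logical system this destination is meant to address
    client: str             # client entered on the Logon & Security tab
    user: str               # technical user on the Logon & Security tab
    user_type: str          # SU01 user type; "System" for the CUA user
    target_host: str = ""   # Technical Settings tab, without load balancing
    instance_number: str = ""
    load_balance: bool = False
    logon_group: str = ""


# Assumption: logical systems follow the <SID>CLNT<client> convention that the
# lesson's examples use (QASCLNT200 is served by the technical user CUA_QAS_200).
LOGICAL_SYSTEM = re.compile(r"^([A-Z][A-Z0-9]{2})CLNT(\d{3})$")


def check_cua_destination(d: RfcDestination) -> list[str]:
    """Return the lesson's rules that this destination violates (empty list = OK)."""
    findings = []
    if d.name != d.name.upper():
        findings.append("destination name must be in uppercase letters")
    if d.name != d.logical_system:
        findings.append("destination name must be identical to the logical system it addresses")
    if d.connection_type != "3":
        findings.append("connection type must be 3")
    if d.user_type != "System":
        findings.append("technical user must be of type System")

    match = LOGICAL_SYSTEM.match(d.logical_system)
    if match is None:
        findings.append("logical system does not follow the <SID>CLNT<client> convention")
    else:
        sid, client = match.groups()
        if d.client != client:
            findings.append(f"logon client {d.client} differs from logical system client {client}")
        expected_user = f"CUA_{sid}_{client}"
        if d.user != expected_user:
            findings.append(f"technical user should be {expected_user}, found {d.user}")

    # Technical Settings: either target host plus instance number, or a logon group.
    if d.load_balance:
        if not d.logon_group:
            findings.append("load balancing selected but no logon group specified")
    elif not (d.target_host and d.instance_number):
        findings.append("without load balancing, target host and instance number are required")
    return findings


if __name__ == "__main__":
    # Constructed destinations: one that follows the lesson, one with several mistakes.
    good = RfcDestination("DEVCLNT200", "3", "DEVCLNT200", "200", "CUA_DEV_200",
                          "System", target_host="devhost", instance_number="00")
    bad = RfcDestination("devclnt200", "3", "DEVCLNT200", "100", "CUA_DEV",
                         "Dialog", target_host="devhost", instance_number="00")
    print(check_cua_destination(good))
    for finding in check_cua_destination(bad):
        print("-", finding)
```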


The activation of CUA has been significantly simplified, and a number of necessary configuration steps are performed automatically by the system. To perform the CUA activation, follow the steps below:

1. Log on to the central system.
2. Access the Implementation Guide (transaction SALE) and choose Modelling and Implementing Business Processes → Configure Predefined ALE Business Processes → Cross-Application Business Processes → Central User Administration → Select Model View for Central Administration (transaction SCUA).
3. Enter the name of your distribution model, such as CUA.
4. Choose Create.
5. Enter the names of all the child systems to be connected in the Recipient column.
6. Save your entries.
7. The result screen Display logs appears. If you expand the nodes for the individual systems, you see the following messages for each system:

ALE distribution model was saved
Central User Administration activated
Text comparison was started

Note: If problem messages are displayed here, follow the procedure in SAP Note 333441 – CUA: Tips for problem analysis.

CUA Configuration

When CUA is activated, the system carries out the following configuration steps automatically:

1. The corresponding ALE model is created or adjusted to match the new CUA model if changes have been made.
2. Partner profiles are created in the system.
3. Text comparison with the child systems is carried out for roles (and profiles).

The ALE distribution model defines which applications communicate with each other in the distributed systems and which data types are distributed. You require a separate ALE distribution model for CUA. In the central system, you define the structure of your CUA in the model view, which you then distribute to the child systems. In the ALE distribution model to be defined for CUA, the following types of data are distributed:

● User master data (including assigned roles and profiles)
● Company addresses

In the distribution model, two methods are required to distribute user data and company addresses. To implement these methods, the distribution model uses the Clone method from the Business Application Programming Interfaces (BAPIs) of the USER and User Company Business Objects. You can view the partner model in transaction BD64.

Partner profiles define the conditions for electronic data exchange through the IDoc interface. If a partner profile does not exist, you cannot communicate with the partner through the IDoc interface. You can display these partner profiles in transaction WE20.

The check tables and texts for roles, profiles, and license data in the individual child systems are saved temporarily in the central system so that they can be displayed quickly. If they have been changed, you have to run the text comparison. If you run the text comparison in the central system, you can select the child systems from which the data is to be read. If you run the text comparison in a child system, the current data is sent to the CUA central system.

Hint: The functions of transaction SCUA have been improved through Support Packages. For more information, see SAP Note 952349.

Caution: Even if users can no longer be created in the child systems, CUA is fully operational only after the steps described above have been carried out.

Parameters for Field Distribution

For each field of transaction SU01, you can use transaction SCUM to determine the system in which the field content can be administered. The parameters to maintain for field distribution are as follows:

● Global: You can maintain the data only in the central system. The data is then automatically distributed to the child systems. The values for the corresponding fields cannot be changed there; they can only be displayed.
● Local: You can maintain the data only in the child system. Changes are not distributed to other systems.
● Proposal: You maintain a default value in the central system that is automatically distributed to the child systems when you create a user. After distribution, the data is maintained only locally and is no longer distributed if you change it in the central or child system.
● Redistribution (Redist): You can maintain the data both centrally and locally. Every time the data is changed, the change is distributed back to the central system and is then forwarded from there to the other child systems.
● Everywhere (Evrywhr): You can find this option only on the Lock tab page and for initial passwords (the Logon Data tab page). You can maintain initial passwords and lock data both centrally and locally. However, only the changes made to the data in the central system are distributed to the other systems. Local changes in child systems are not distributed.

Caution: If you subsequently change the distribution from Local or Proposal to Global or Redistribution, inconsistent data can be created. The only exception is that you can reset the indicators on the Lock tab page any time without danger. Ensure that you take into account SAP Note 611972 – SCUM: Change to field distribution parameters.

Hint: The settings of the distribution parameters are automatically forwarded to the child systems.

Recommendations for Transaction SCUM

The following table lists the recommendations for the configuration of the parameter distribution for a number of fields:

Field                                               Setting
Print parameters (under Defaults)                   Proposal
Parameters                                          Proposal
User group (under Logon Data)                       Proposal
Fields for data that the users maintain themselves  Redistribution or Local

The recommendation for a Global setting applies to all the fields that are not listed (with the exception of locks).

Caution: For information about lock management for your users (for example, due to too many failed logon attempts), see the online documentation.

Configuration of IDoc Processing

Changes to company addresses and users that affect a child system are transferred to the child system(s) as an IDoc using the RFC connection. To optimize the ALE distribution of CUA, you can execute (separately) the outbound processing and inbound processing of the IDoc in the background.
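As an added example (not the handbook's own material), the following Python models the five SCUM distribution parameters and the recommendations described above: where a change made in the central system or in a child system ends up, whether a proposed change of a field's parameter is one of the risky transitions named in the Caution on SAP Note 611972, and whether a field's setting matches the recommendation table. The system and field names are constructed; CENTRAL is an assumed label for the central system.

```python
from enum import Enum


class Dist(Enum):
    """Field distribution parameters of transaction SCUM, as the lesson lists them."""
    GLOBAL = "Global"
    LOCAL = "Local"
    PROPOSAL = "Proposal"
    REDIST = "Redistribution"
    EVERYWHERE = "Everywhere"


CENTRAL = "CENTRAL"  # constructed label for the CUA central system


def propagate(setting, origin, children, on_create=False):
    """Where a field change made in `origin` (CENTRAL or a child system) ends up.

    Returns (accepted, receivers): whether the field may be changed in `origin`
    at all, and the set of systems that receive the change, following the SCUM
    definitions in the lesson."""
    children = set(children)
    if setting is Dist.GLOBAL:
        # Maintainable only centrally; child systems hold display-only copies.
        return (True, children) if origin == CENTRAL else (False, set())
    if setting is Dist.LOCAL:
        # Maintainable only in the child system; never distributed.
        return (True, set()) if origin != CENTRAL else (False, set())
    if setting is Dist.PROPOSAL:
        # The central default travels once, when the user is created; afterwards
        # the field is local and a change anywhere stays where it was made.
        if origin == CENTRAL and on_create:
            return True, children
        return True, set()
    if setting is Dist.REDIST:
        # Changeable anywhere; a child change goes back to central and on to the others.
        if origin == CENTRAL:
            return True, children
        return True, {CENTRAL} | (children - {origin})
    if setting is Dist.EVERYWHERE:
        # Lock data and initial passwords: changeable anywhere, but only the
        # central change is distributed.
        return (True, children) if origin == CENTRAL else (True, set())
    raise ValueError(setting)


RISKY_FROM = {Dist.LOCAL, Dist.PROPOSAL}
RISKY_TO = {Dist.GLOBAL, Dist.REDIST}


def review_scum_change(old, new, lock_indicator=False):
    """Classify a later change of a field's distribution parameter: moving from
    Local or Proposal to Global or Redistribution can create inconsistent data,
    except for the lock indicators, which may be reset at any time."""
    if old is new:
        return "unchanged"
    if lock_indicator:
        return "safe: lock indicators can be reset at any time"
    if old in RISKY_FROM and new in RISKY_TO:
        return "risky: may create inconsistent data (see SAP Note 611972)"
    return "ok"


# Recommendation table from the lesson; every unlisted field should be Global,
# with the exception of locks.
RECOMMENDED = {
    "Print parameters": {Dist.PROPOSAL},
    "Parameters": {Dist.PROPOSAL},
    "User group": {Dist.PROPOSAL},
}


def matches_recommendation(field_name, setting, user_maintained=False, lock_indicator=False):
    """True if `setting` is what the lesson recommends for this field."""
    if lock_indicator:
        return True  # explicitly excluded from the Global recommendation
    if field_name in RECOMMENDED:
        return setting in RECOMMENDED[field_name]
    if user_maintained:
        return setting in {Dist.REDIST, Dist.LOCAL}
    return setting is Dist.GLOBAL


if __name__ == "__main__":
    systems = ["QAS", "DEV"]  # constructed child system names
    print(propagate(Dist.GLOBAL, "QAS", systems))        # (False, set())
    print(propagate(Dist.REDIST, "QAS", systems))        # (True, {'CENTRAL', 'DEV'})
    print(review_scum_change(Dist.PROPOSAL, Dist.GLOBAL))
    print(matches_recommendation("Department", Dist.LOCAL))
```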


Note: You can find more information about this in the online documentation under the Activated Background Processing keyword.

IDoc Inbound Processing in the Child System

In standard systems, the activation of CUA (using transaction SCUA) generates partner profiles in the child systems that allow immediate (synchronous) processing (online).

In standard systems, the receipt of the IDoc is separated from the IDoc processing (see SAP Note 555229). The dialog work process reserved for the RFC communication does not process the transferred IDocs itself. If an IDoc cannot be processed immediately because no dialog work processes are available, the system schedules a background job (with the step RBDAPP01) for this IDoc with an immediate start. The user that is used for the RFC communication requires additional authorizations for this scenario (see SAP Note 492589).

Note: To check partner profiles, run transaction WE20 in the child system. Navigate to the partner profile by choosing Partner Profiles → Partner Type LS. On the first tab page, double-click the inbound parameters for message types CCLONE and USERCLONE. Take note of the Processing by Function Module setting on the Inbound Options tab page.

Note: Scheduling of the background job is controlled by the entries in the table TEDEF. In the standard systems, this table (for the current clients) contains an entry with values EVENTT = TRFC-IDOC and ROUTID = BATCHJOB. If you change the table entry to EVENTT = TRFC-IDOC and ROUTID = SYNCHRON, the system updates all IDocs from the dialog work process that is currently used for the RFC communication. Across all applications, the table TEDEF controls the processing of all IDocs that are sent to the current clients. You can use the report RSESYNMESTYP to convert IDoc processing to synchronous processing, depending on the sent message type, IDoc type, or extension. The message types CCLONE and USERCLONE are relevant to CUA.

Note: The report RSESYNMESTYP sets the field ACTFLAG in the table EDIMSG for the selected objects.

Synchronization of the Company Addresses

As company address data has already been maintained in all systems of the future CUA, you must first ensure that at least the central system contains all valid company addresses. Then, distribute this complete company address set to all the child systems so that a consistent status exists for the company addresses in the entire CUA.

You can use transaction SUCOMP to administer company address data. You can use transaction SCUG in the central system to perform the synchronization activities between the central system and child systems. To do so, select your child system on the initial screen of transaction SCUG and then choose Synchronize Company Addresses in the Central System. For more information, see the online documentation.

Note: For more information about this, see the online documentation. Alternatively, you can compare company addresses using transaction SCUC. You cannot transfer user data in this transaction.

Synchronization of User Groups

To be able to transfer users from a child system to the central system or distribute them from the central system to a child system, the user group to which the user is assigned must exist in all the systems in which the user exists.

Transfer of Users to Central Administration

After you synchronize the company addresses, you can transfer the users from the newly connected child systems to central administration. You can do so using transaction SCUG in the central system. On the initial screen of transaction SCUG, select your child system and then choose Copy Users to the Central System.

The user transfer options are as follows:

● New users: These users are not yet contained in CUA. By choosing Transfer users, you can transfer the selected users to the central system. All user parameters (such as address, logon data, and so on), profiles, and roles are transferred. The user is maintained centrally in the future.
● Identical users: There are users with identical user IDs (the user ID is the string that you enter in the User field on the SAP Logon screen) and, for example, identical first and last names. You can transfer the roles and profile data of such a user to the central system. The user is then distributed as it exists in the central system, and local data is overwritten. In such cases, it is assumed that, for example, the ID MOOREJ that exists in multiple logical systems, with the last name Moore and the first name Jane, always belongs to the same person. In large companies, this assumption is not always correct. For this reason, you should use unique character strings, such as the personnel number, as the user ID.
● Different users: These user IDs exist both in the central and child systems, but the user has a different first and/or last name. If, in an individual case, these IDs actually refer to the same user, you can transfer the roles and profile data pertaining to the user to the central system. The user is then distributed as it exists in the central system. If the IDs do not refer to the same user, use CUA to create a new user ID in the child system for one of the users and delete the old ID in the child system. Alternatively, you can assign a new ID to the user in the child system (if different employees have an identical ID in different clients). For this purpose, start transaction SU01 in the child system and choose Users → Rename. If the user transfer is restarted, the user is listed as a New User rather than a Different User.
● Already central user: These users already exist in CUA and are only administered centrally.

Hint: A function is available for copying users. You can access this function using pushbuttons in transaction SCUG if the Already central user tab page is selected. Using these pushbuttons, you can transfer role assignments, profile assignments, and the license classification of users from the child systems, particularly in cases in which (despite CUA being in use) the corresponding administration was carried out until now in the child systems (in line with the settings in transaction SCUM).

Hint: Until the user transfer is completed, the child systems affected still contain (unexpected) processing options for users who have not been transferred, such as the delete function for users in transaction SU01.

Distribution Status Check

You use the log display (transaction SCUL) primarily to check the status of IDoc distribution when changing company addresses or users. If you change a company address in the central system, a CCLONE IDoc is sent to each child system of CUA. If you change a user in the CUA central system, the user data is also distributed to the child systems assigned to this user. At most, three USERCLONExx IDocs are sent for each user: user attributes (USER), profile assignment (PROFILE), and role assignment (ACTGRP). You can then see in the results list of the log display whether the user or company address was replicated successfully to the child systems.

Hint: It may not be possible to completely process IDocs with user changes in the child system (status Unconfirmed in transaction SCUL) because not enough dialog work processes are available (in the child system or contacted instance). In this case, you can start post-processing of the IDocs in the child system using transaction BD87 or opt for inbound processing of the IDocs in background processing. For more information about IDocs, see SAP Note 399271 – CUA: Tips for optimizing ALE distribution performance.


Note: For more information, see SAP Note 704412 – CUA support for license data maintenance.


Unit 3 Exercise 4 Distribute User Data with CUA

Business Example

You need to maintain user profiles in the database and provide authorization to users from a central system. You need to use CUA.

Task 1

Create a new role in the child system.

1. In your CUA child system, copy SAP role template SAP_BC_ENDUSER to Z_SAP_BC_ENDUSER. Also create an authorization profile for the new role.
2. Within your CUA child system, trigger a text comparison. You continue to work in your CUA child system. Make sure you are on the start screen of transaction PFCG.

Task 2

Create a new user for the child system using CUA.

1. In your CUA central system, create a new user, CHILD##. Make sure that this user gets the Z_SAP_BC_ENDUSER role in your CUA child system (but no master record in the central system). Also, maintain additional data, such as the telephone number, fax number, and so on.
2. In your CUA central system, check the distribution log for your new user, CHILD##. You continue to work in your CUA central system. Make sure you are on the start screen of transaction SU01 and user ID CHILD## is selected for the User field.
3. In your CUA child system, check the user master record of your new user, CHILD##.
4. Log on to your CUA child system as user CHILD## and maintain your own (user) data.
5. Log on to your CUA central system as user CHILD## and maintain your own (user) data.
6. In your CUA central system, use transaction SUIM to check which roles are assigned to the user you just created in all the systems connected to CUA.

Unit 3 Solution 4 Distribute User Data with CUA

Business Example

You need to maintain user profiles in the database and provide authorization to users from a central system. You need to use CUA.

Task 1

Create a new role in the child system.

1. In your CUA child system, copy SAP role template SAP_BC_ENDUSER to Z_SAP_BC_ENDUSER. Also create an authorization profile for the new role.
   a) Log on to your CUA child system as administration user ID CHILD_OF_.
   b) Run transaction PFCG.
   c) On the Role Maintenance screen, choose Views and then choose Single Roles.
   d) Choose the SAP_BC_ENDUSER single role.
   e) Choose Copy.
   f) Enter Z_SAP_BC_ENDUSER in the to role field.
   g) Choose the Copy all pushbutton.
   h) Open the new role, Z_SAP_BC_ENDUSER, in Change mode.
   i) Open the Authorizations tab page and then choose the Change Authorization Data pushbutton.
   j) Choose the yellow traffic light at the top and confirm the popup regarding the full (*) authorizations that will be assigned to the Z_SAP_BC_ENDUSER role.
   k) Choose the Generate pushbutton and confirm the proposed profile name and text. Go back to the previous screen.
   l) Note: You cannot assign users on the User tab page.
2. Within your CUA child system, trigger a text comparison. You continue to work in your CUA child system. Make sure you are on the start screen of transaction PFCG.
   a) Choose Environment → Text Comparison for CUA Central System.
   Hint: This will trigger the text comparison for the name and description of all


Unit 3: Advanced User Administration Topics

Task 2
Create a new user for the child system using CUA.

1. In your CUA central system, create a new user, CHILD##. Make sure that this user gets the Z_SAP_BC_ENDUSER role in your CUA child system (but no master record in the central system). Also, maintain additional data, such as the telephone number, fax number, and so on.
a) Log on to your CUA central system as administration user ID -##.
b) Run transaction SU01.
c) On the User Maintenance: Initial Screen, enter CHILD## in the User field and then choose the Create pushbutton.
d) On the Address tab page, enter some data (in particular, for the Last Name field).
e) On the Logon data tab page, enter any password in the Initial password field. Enter the same password in the Repeat password field.
f) On the Parameters tab page, provide some Parameter ID (for example, BUK = 42).
g) On the Roles tab page, use the F4 help for a blank line to select the (logical) system of your CUA child system. In the same line, use the F4 help to select your new role, Z_SAP_BC_ENDUSER (for this, you may need to search for roles Z_SAP*).
h) Press ENTER. You will see a notification that a new (logical) system is assigned to this user. You can verify this by opening the Systems tab page.
i) Save the new user record.

2. In your CUA central system, check the distribution log for your new user, CHILD##. You continue to work in your CUA central system. Make sure you are on the start screen of transaction SU01 and that user ID CHILD## is selected in the User field.
a) Choose Environment → Distribution log.
b) Keep all the default values, but select Successful on the Users tab page.
c) Choose the Execute pushbutton. Green indicators imply successful distribution.

3. In your CUA child system, check the user master record of your new user, CHILD##.
a) Log on to your CUA child system as administration user ID CHILD_OF_.
b) Run transaction SU01.
c) Enter CHILD## in the User field and then choose the Display pushbutton.
d) Note the data on all the tab pages. Note the Last Changed On field. Note the changeability when you enter the change mode: only some fields are ready for input (these should be the fields that you did not set to Global in transaction SCUM for maintaining field distribution parameters).
e) Close the user master record.

4. Log on to your CUA child system as user CHILD## and maintain your own (user) data.

a) Log on to your CUA child system as new user CHILD##. You have to enter the initial password and a new password (twice).
b) To maintain your own user data, you may do one of the following:
● On the SAP Easy Access screen, choose Menu → User Menu → Basis Functions → Maintain Own User Data (Address, Default Values, Parameters).
● Choose System → User Profile → Own Data.
● Run transaction SU3.
c) Note the restricted changeability of the fields. Change some data.
d) Save your data.

5. Log on to your CUA central system as user CHILD## and maintain your own (user) data.
a) Log on to your CUA central system as new user CHILD##. You will see a status message that you cannot log on to the CUA central system because of a missing CUA system assignment.

6. In your CUA central system, use transaction SUIM to check which roles are assigned to the user you just created in all the systems connected to CUA.
a) Log on to your CUA central system as administration user ID -##.
b) Run transaction SUIM (User Information System).
c) On the User Information System screen, choose User Information System → User → Cross-System Information (Central User Administration) → Users by Roles.
d) Run the Users by Roles report.
e) On the Report Cross-System Information/Role screen, enter CHILD## in the User Name field.
f) Choose the Execute pushbutton.

Lesson: Implement Central User Administration (CUA)

LESSON SUMMARY
You should now be able to:
● Explain Central User Administration (CUA)
● Set up Central User Administration (CUA)


Unit 3 Lesson 2 Work with Directory Services

LESSON OVERVIEW
This lesson describes how to work with directory services.

Business Example
Your company uses a directory service to centrally store personnel data. As a member of the user administration team for SAP systems, you need to get an overview of directory services and find out how you can connect your SAP system to this directory service. For this reason, you require the following knowledge:
● An understanding of directory services

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Explain directory services

Directory Services

Figure 44: Properties of Directory Services

On the Internet, as well as in company networks, there is a danger that information is lost because it is made available in an unstructured way, becomes obsolete, or no one knows that it exists. Therefore, a modern information system such as a directory server is needed. A directory server is an information system specialized for particular kinds of information.


Lesson: Work with Directory Services

Directory services act as a central repository for data that is used by various applications. Directory services are typically used to store information about users, documents, or hardware resources, but can also be used to store other types of objects. Directory services help answer questions such as “What is the project leader’s e-mail address?” or “Where is the nearest color printer?” In this respect, directory services are similar to the yellow pages that help in finding a lawyer or the nearest florist. Unlike a relational database management system (RDBMS), where information is stored in two-dimensional tables, directory services use a hierarchical (tree) structure to organize data. Another difference is the ratio of write to read accesses. Directory services are designed so that multiple users can have read access at the same time. However, unlike relational databases, directory services do not support transaction lock concepts or expensive queries such as joins.

Example Scenario with a Directory Service

Figure 45: Example Scenario with a Directory Service

Directory services can fully demonstrate their strengths in heterogeneous system landscapes (where products from different vendors are used). In the figure, the example shows a scenario in which a company hires a new employee. The details of this employee are first entered in the HR system (which can be an SAP system or come from a different vendor). Some of the employee details, such as name, personnel number, telephone number, e-mail address, department, and group assignment, are transferred to the corporate directory server. On the other hand, details such as date of employment, manager, and salary are deliberately held only in the HR system. Connecting different applications to the directory service offers the following advantages:
● The new employee can immediately log on to the corporate domain at the operating system level.
● The employee has a functioning e-mail account immediately.
● The telephone and fax numbers are assigned to the user centrally.
● The employee can log on to SAP NetWeaver Portal.
● The employee can access certain SAP systems such as SAP Supplier Relationship Management (SAP SRM) to place orders.
● Other external systems can be easily integrated.

Conversely, if an employee leaves the company, information about the employee is deleted from the HR system and, therefore, also from the directory. Consequently, the system deletes or locks all accounts of the employee, which is not an easy task if it has to be performed manually.

Lightweight Directory Access Protocol (LDAP)

LDAP describes how operations are to be formulated for a directory service. The most common operation is querying entries; however, it is also possible to create, change, or delete entries.

LDAP follows the client/server model. In this model, one or more servers hold the information that the client(s) access. Originally, LDAP implemented only communication with an X.500 server, as described by the International Organization for Standardization (ISO).

LDAPv2 was implemented in 1995 by Yeong, Howes, and Kille at the University of Michigan. It was designed to minimize the complexity of clients and so facilitate widespread deployment of applications capable of using the directory. LDAP uses a Transmission Control Protocol/Internet Protocol (TCP/IP) stack and simplifies access to X.500 servers. The current version of LDAP is LDAPv3.

Note: For more information about the technical details of the LDAP protocol, see Request for Comments (RFC) 2251; for RFCs in general, see www.ietf.org.

An X.500 server is no longer required; various vendors offer standalone servers that can be addressed using LDAP. In addition to commercial products (such as eDirectory from Novell, Java System Directory Server from Sun and now Oracle, DirX from Siemens, and Active Directory from Microsoft), there is also an Open Source development.

Note: For more information about the Open Source development, see www.openldap.org.

The Data Model

There are a number of models for LDAP. In addition to the access protocol, these define how information is stored and identified, and how access is protected. A directory contains entries that consist of one or more attributes. An attribute consists of a type (frequently abbreviated strings, such as cn for common name, c for country, or mail for e-mail address) and one or more values. Certain attributes are required, while others are optional; in LDAP this is controlled using a special attribute, object class. Object classes have an inheritance hierarchy. The information about object classes and attribute types is stored in schemas, which are provided by Internet organizations and vendors of directory servers (and which can be customized by the user).


Hierarchy of Object Classes

Figure 46: Hierarchy of Object Classes

The figure shows the hierarchy of object classes.

Entry in a Directory

Figure 47: Entry in a Directory

The entries in a directory are organized in a hierarchical tree structure. Each entry has a name that is unique across the directory, known as the Distinguished Name (DN). The DN is created by describing the path from the entry to the root of the tree in the form of a comma-separated list, for example, cn=LHeepmann, ou=instructors, o=sap_lgd, c=de. An individual component of the DN is called the Relative Distinguished Name (RDN), which always identifies the node uniquely relative to the superordinate node in the tree. Two nodes under the same superordinate node, therefore, cannot have the same RDN.


Directory Information Tree (DIT)

Figure 48: DIT

The figure shows the DIT structure. The entire tree of entries (which can be stored physically across multiple hosts) is called the DIT.

SAP and Directory Services

SAP has provided ways to connect SAP systems to directory services for a number of years. In 1997, the LDAP Gateway, a program that runs independently of the application server, was delivered in Java with SAP Basis 4.0A (supported up to SAP Basis 4.6B). Integration into the application server came with the LDAP Connector, which has been available since SAP Basis 4.6A. With Application Server ABAP (AS ABAP) 6.10, user-friendly functions for user master synchronization (mapping, delta management, and synchronization) were added to the SAP systems. The SAP partner directory (http://www.sap.com/partners/customers/directories/SearchSolution.epx) contains a list of partners certified by SAP for the directory server interface.

SAP NetWeaver Portals also require storage for user data such as master data and group assignment (user persistence store). SAP Enterprise Portal 5.0 (first delivered at the end of 2001) uses one or more directory servers for this purpose. The system checks the user data against these directory servers when the users log on to the portal. As of Application Server Java (AS Java) 6.20, the User Management Engine (UME) offers different options to store the user data (called data sources). Directory servers are used for most portal implementations.
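The DN, RDN, object-class and DIT concepts from this lesson, worked through as an added Python example (not part of the course material): it parses a DN such as cn=LHeepmann, ou=instructors, o=sap_lgd, c=de into its RDNs, builds the corresponding tree, and enforces the two constraints the text states, that two entries under the same parent cannot share an RDN and that an entry must carry every attribute its object classes (including inherited ones) require. The object-class subset follows RFC 4519 and RFC 2798; the function and class names and the sample entry contents are assumptions.

```python
"""Toy LDAP directory: DN parsing, a DIT, sibling RDN uniqueness and object-class MUSTs.
Added example, not ADM900 material; the schema subset follows RFC 4519 / RFC 2798."""
from __future__ import annotations
from dataclasses import dataclass, field

# Object class -> (superior class, attribute types it requires). "top" is the root.
SCHEMA = {
    "top": (None, {"objectClass"}), "country": ("top", {"c"}),
    "organization": ("top", {"o"}), "organizationalUnit": ("top", {"ou"}),
    "person": ("top", {"sn", "cn"}), "organizationalPerson": ("person", set()),
    "inetOrgPerson": ("organizationalPerson", set()),
}

def required_attributes(object_class: str) -> set[str]:
    """Walk the inheritance chain: a class also requires what its superiors require."""
    required, cls = set(), object_class
    while cls is not None:
        superior, must = SCHEMA[cls]            # KeyError for an unknown object class
        required |= must
        cls = superior
    return required

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDNs, leaf first. A backslash escapes the next
    character, so 'cn=Doe\\, John, ou=x' yields [('cn', 'Doe, John'), ('ou', 'x')]."""
    parts, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            current, i = current + dn[i + 1], i + 2
        elif dn[i] == ",":                      # unescaped comma ends the current RDN
            parts.append(current)
            current, i = "", i + 1
        else:
            current, i = current + dn[i], i + 1
    parts.append(current)
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append(tuple(s.strip() for s in part.split("=", 1)))
    return rdns

def _key(rdn: tuple[str, str]) -> tuple[str, str]:
    """Comparison key: types are case-insensitive; cn/ou/o/c values use a case-ignoring syntax."""
    return rdn[0].lower(), " ".join(rdn[1].split()).lower()

@dataclass
class Entry:
    rdn: tuple[str, str]
    attributes: dict[str, list[str]]
    children: dict = field(default_factory=dict)   # normalised RDN -> child Entry

class Directory:
    """An in-memory DIT: entries are added by DN, and the parent must already exist."""
    def __init__(self) -> None:
        self.root = Entry(("", ""), {})             # nameless root of the tree

    def find(self, rdns: list[tuple[str, str]]):
        node = self.root
        for rdn in reversed(rdns):                  # descend from the root to the leaf
            node = node.children.get(_key(rdn))
            if node is None:
                return None
        return node

    def add(self, dn: str, attributes: dict[str, list[str]]) -> Entry:
        rdns = parse_dn(dn)
        parent = self.find(rdns[1:])
        if parent is None:
            raise LookupError(f"parent of {dn!r} does not exist")
        leaf = rdns[0]
        if _key(leaf) in parent.children:           # siblings may never share an RDN
            raise ValueError(f"{dn!r}: RDN already used under the same parent")
        present = {k.lower() for k in attributes}   # attribute types are case-insensitive
        for oc in attributes.get("objectClass", []):
            missing = {a for a in required_attributes(oc) if a.lower() not in present}
            if missing:
                raise ValueError(f"{dn!r}: objectClass {oc} requires {sorted(missing)}")
        entry = Entry(leaf, attributes)
        parent.children[_key(leaf)] = entry
        return entry

def try_add(directory: Directory, dn: str, attributes: dict[str, list[str]]) -> str:
    # 'ok', or the name of the exception the add raised, so rejections can be checked.
    try:
        directory.add(dn, attributes)
        return "ok"
    except (ValueError, LookupError) as exc:
        return type(exc).__name__

def build_course_example() -> Directory:
    """Tree for the lesson's DN cn=LHeepmann, ou=instructors, o=sap_lgd, c=de."""
    d = Directory()
    d.add("c=de", {"objectClass": ["top", "country"], "c": ["de"]})
    d.add("o=sap_lgd, c=de", {"objectClass": ["top", "organization"], "o": ["sap_lgd"]})
    d.add("ou=instructors, o=sap_lgd, c=de",
          {"objectClass": ["top", "organizationalUnit"], "ou": ["instructors"]})
    d.add("cn=LHeepmann, ou=instructors, o=sap_lgd, c=de",   # constructed sample entry
          {"objectClass": ["top", "inetOrgPerson"], "cn": ["LHeepmann"], "sn": ["Heepmann"]})
    return d
```

Matching of attribute types and of cn/ou/o/c values is case-insensitive here, which is why a second cn=lheepmann under ou=instructors is rejected as a duplicate RDN.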


Central User Administration (CUA) and Directory Services

Figure 49: CUA and Directory Services

Both CUA and directory services allow you to maintain user data at one location and to synchronize user data in multiple systems. Both concepts can be implemented independently, and you can also connect them with each other. In this way, you can use CUA to connect SAP systems with SAP Basis 4.5 or 4.6, while other SAP systems based on AS ABAP 6.10 or above can also be connected directly to the directory service. In a scenario of this type, LDAP synchronization works as a remote control for CUA, which means that all prerequisites and restrictions of CUA continue to apply.

INTERACTIVE ELEMENT: Breakout Rooms
1. What are the advantages of connecting different applications to the directory server?


LESSON SUMMARY
You should now be able to:
● Explain directory services

Unit 3 Lesson 3 Describe SAP Governance, Risk, and Compliance (GRC) 10.0

LESSON OVERVIEW
This lesson explains SAP governance, risk, and compliance (GRC) and how this solution helps companies proactively balance risk and opportunity. The lesson also explains compliance initiatives from various regions of the world and the benefits of an integrated solution.

Business Example
You are managing an ERP system and you need to detect any potential risks and compliance violations in your environment. You also have to come up with a strategy for how to integrate SAP GRC into your landscape. For this reason, you require the following knowledge:
● An understanding of SAP GRC solutions
● An understanding of SAP GRC convergence
● An understanding of the key features and benefits of SAP GRC
● An understanding of SAP GRC integration
● An understanding of GRC apps
● An understanding of how to run reports and view dashboards

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Explain SAP Governance, Risk, and Compliance (GRC) 10.0


Introduction to SAP Governance, Risk, and Compliance (GRC) 10.0

Figure 50: Risk – Overview

Companies with an advanced perspective of risk and mature management practices recognize that risk is present throughout their business.


Companies need to realize that risks can have a detrimental impact on performance. They should understand the link between risk and performance and also understand how to optimize their business in light of the risks to which they are exposed. The GRC solutions help companies to prevent, manage, and respond to risks.

GRC Initiatives

Figure 51: GRC initiatives

GRC requirements are pervasive. Knowledge of their business, related risks, compliance, and policy requirements is critical for everyone, everywhere. Regardless of your industry, regardless of where you sit in the organization, there is a set of questions that you need to ask yourself.


Lesson: Describe SAP Governance, Risk, and Compliance (GRC) 10.0

The Cost of Not Knowing the Different Risks

Figure 52: The Cost of Not Knowing the Different Risks

The operational cost can be significant in the following instances:
● If you are not able to answer important questions about your business.
● If you cannot link your investments in GRC programs to performance.
● If you cannot confidently address complex and constantly changing regulatory requirements.

Balance of Risk and Opportunity

Figure 53: Proactively Balance Risk and Opportunity

SAP GRC solutions help companies to proactively balance risk and opportunity through the following objectives:
● Customers can better manage risk, compliance, and other GRC initiatives.
● Customers can better protect their value.
● Organizations can perform better.

The goal of SAP GRC solutions is to enable organizations to see all risks and compliance issues so that they can make optimal decisions in light of both the opportunity ahead and the related risks.

SAP GRC Solutions Capability Model

Figure 54: SAP GRC Solutions Capability Model

The model illustrates the broad range of capabilities incorporated with SAP GRC solutions.

Note: This capability model is not meant to represent the technical architecture in any way.

SAP GRC solutions consist of the following main areas of capabilities:
● Analyze
● Manage
● Monitor


SAP GRC Solutions

Figure 55: SAP GRC Solutions

SAP GRC solutions are delivered through four primary solutions, as shown in the figure. These solutions help customers automate risk and compliance, protect their value, and optimize their performance.

Enterprise GRC – Risk-Intelligent Management

Figure 56: Enterprise GRC – Risk-Intelligent Management

If companies focus on the three core capabilities listed in the figure, they are able to build a level of risk intelligence and leverage this risk intelligence to increase performance. The core capabilities of Enterprise GRC are as follows:
● Companies are able to automate the key risk and compliance management activities that are often manual, time consuming, resource intensive, and costly. Automation allows companies to be much more efficient and effective in how they manage these activities, which helps improve performance.
● Companies are able to leverage real-time monitoring capabilities to monitor key risk indicators (KRIs) and compliance effectiveness. This enables the companies to proactively identify and respond to any increased risk exposure or compliance violation before the business is negatively impacted. The companies are able to minimize the impact and duration of, if not prevent altogether, risk events and compliance violations.
● Companies are able to incorporate risk and compliance into the strategic planning and operations processes so that core business processes are executed in a risk-intelligent manner.

Access Risk Management

Figure 57: Access Risk Management

The business challenge today is that companies continue to struggle to effectively manage access risk, with segregation of duties (SoD) and excessive access rights being the top contributors to fraud and audit findings. Regulatory requirements increase, often resulting in multiple compliance teams across departments and reliance on manual compliance processes. With thousands of users, roles, and processes to test and with multiple compliance applications taxing the IT resources, excessive time is spent documenting processes for auditors instead of focusing on business operations. This fragmented and costly approach for managing access risk leads to reactive – rather than proactive – access risk prevention, inefficient compliance processes, and a lack of real-time visibility into access risk.

The solution is SAP Access Control, which addresses these challenges by enabling businesses to confidently manage and reduce access risk across the enterprise. It helps prevent unauthorized access, including SoD and critical access, while providing real-time monitoring of access risk and minimizing the time and cost of access risk management.

The SAP Access Control application unifies access risk analysis and remediation, business role management, compliant identity management, and emergency privilege management. As a result, this application provides a holistic, enterprise-wide view in real time. It can help ensure day-to-day compliance, provide a comprehensive overview to management, and perform effective and complete audits. The result is an improved ability to protect information and prevent fraud while minimizing the time and cost of access risk management.


Global Trade Services

Figure 58: Global Trade Services

The global environment today is increasingly dynamic and unpredictable – making international trade risky, volatile, and costly. These realities include complex trade compliance demands, fluctuating transportation costs, and increasing cross-border regulations, and they drive the need for advanced global trade solutions.

The Global Trade Services application helps companies automate trade compliance and accomplish the following goals:
● Global Trade Services enables better management of global trade operations by automating many critical trade processes and also integrating directly with supply chain systems. The result is ongoing trade compliance at reduced effort, time, and cost.
● Global Trade Services helps companies to ensure ongoing compliance by providing one comprehensive and integrated global trade compliance solution. Critical capabilities are built in, such as sanctioned-party list screening (to avoid inappropriate and illegal trade) and the ability to manage multiple global trade compliance programs cohesively.
● Global Trade Services allows companies to optimize the cross-border supply chain by automating and optimizing trade activities to speed transactions and consistently meet customer commitments.


Continuous Transaction Monitoring

Figure 59: Continuous Transaction Monitoring

The SAP Continuous Transaction Monitoring solution allows you to identify and correct errors, waste, abuse, policy violations, and potential fraud. These issues can be revealed only through the in-depth analysis of transactions that are recorded as completed business activities. The key benefits of Continuous Transaction Monitoring are as follows:
● Customers can identify potential problems and, therefore, speed up and improve the quality of business processes. This allows customers to decrease the effort and cost of inspection and increase both throughput and accuracy. This also reduces the operational cost of business processes. Many customers are able to correct problems as they occur. A few customers go on to identify and eliminate systemic problems that lead to repeated occurrences.
● Customers are able to increase insight into their business activities, which allows them to know and understand what is really happening and to identify individual occurrences of potential policy or procedure violations. This ensures greater transparency and allows customers to drive a change in behavior.
● Customers are able to increase margin contribution. For example, by reviewing all purchase transactions, customers are able to make better purchase decisions. Similarly, by reviewing sales orders, they are able to make better sales decisions. Thus, optimizing the discounts, costs, and revenues can help reduce the selling price of the goods sold by the company.


Key Benefits of the SAP GRC Solutions

Figure 60: Key Benefits of the SAP GRC Solutions

Some key benefits of the GRC solutions are as follows:
● The GRC solutions provide the most comprehensive set of capabilities. As illustrated in the solution architecture capability model, SAP has the most comprehensive set of capabilities available. SAP delivers the broadest capabilities to analyze, manage, and monitor activities across risk and compliance management, internal audit, and policy management activities that help SAP customers to perform better across both SAP and non-SAP systems.
● The GRC solutions ensure proactive monitoring across KRIs and compliance effectiveness. SAP combines proactive monitoring with comprehensive management capabilities across the governance, risk, and compliance KRIs. Proactive monitoring actually allows customers to prevent a risk or violation from occurring. SAP customers are leveraging this ability to proactively monitor risk and compliance effectiveness. This allows SAP customers to focus their time, resources, and investments on executing and managing their core business activities, rather than reacting to a risk, compliance violation, or loss event.
● The GRC solutions offer industry-specific risk, compliance, and process content. SAP solutions are delivered with industry-specific risk, compliance, and process content so that customers can quickly realize the value in their GRC investments and can manage risks and regulatory requirements specific to them.
● The GRC solutions are proven. SAP GRC solutions are enabling global customers to know their business and optimize performance across virtually every industry. This is made possible by helping customers to better manage their governance, risk, and compliance programs, to better protect against risk events, and, ultimately, to link risk to performance in order to achieve remarkable results.

Governance, Risk, and Compliance Key Processes in GRC 10.0

SAP GRC solutions are designed to support companies in managing their Governance, Risk and Compliance (GRC) initiatives. SAP GRC offers several solutions that will help companies to comply with legal compliance regulations and internal company policies. Key processes are described here to show how they work in the GRC solutions. Products in GRC Solutions include the following:
● Access Control - Manage Segregation of Duties, security role, user access, and emergency access
● Process Control - Review, monitor and document processes and remediation of issues
● Risk Management – Review, monitor and document Key Risk Indicators (KRI)
● Global Trade Services – Manage and document trade information globally; produce documentation for Customs officials for cross-border shipments
● Electronic Invoicing for Brazil (Nota Fiscal Eletronica) – Brazilian Electronic Invoice requirement

Key Processes - Risk Management

Figure 61: Key Processes - Risk Management

The Risk Management process allows a company to identify, mitigate, and monitor critical business risks that may have a negative impact on the performance, goals, and objectives of the company. The Enterprise Risk Management (ERM) process often allows management to prioritize scarce resources to mitigate the highest-risk areas of the company.


Key Processes – Compliance Management

Figure 62: Key Processes – Compliance Management

The Compliance Management process provides you with documentation on compliance structures and related compliance initiatives. A risk-based approach to scoping helps a company to focus on compliance evaluation for those control activities that are most likely to fail with a potentially negative impact on the company.

Compliance evaluation includes self-assessments and management assessments (using user-definable surveys), manual testing (using test plans), and automated testing and monitoring (using business rules). If the system identifies exceptions during the evaluation process, it creates issues and assigns them for remediation. When the issues are identified, users need to review and determine how these issues are processed.

Key Processes – Audit Management

Figure 63: Key Processes – Audit Management

The Audit Management process involves risk-based audit planning, preparation, fieldwork, execution, and reporting. This involves the use of the SAP NetWeaver Audit Management application.

Key Processes – Policy Management

Figure 64: Key Processes – Policy Management

The Policy Management process enables end-to-end management of corporate policies aligned with risk and compliance management, including creation, localization, distribution, and acknowledgement of policies.

Key Processes – Access Risk Management

Figure 65: Key Processes – Access Risk Management

The Access Risk Management process provides the ability to manage and monitor user privileges while ensuring compliance with security policies related to SoD and restriction of critical permissions. You can prevent, monitor, and manage access conflicts present at the system, infrastructure, and application levels.


Key Processes – Trade Management

Figure 66: Key Processes – Trade Management

The Trade Management process involves controlling the risk and cost of international trade by ensuring compliance with global regulations, accelerating trade activities, and minimizing duties. For example, SAP Electronic Invoicing for Brazil (Nota Fiscal Eletronica) supports companies in complying with the requirements of the Brazilian authorities for electronic invoicing.

SAP GRC Convergence

Figure 67: GRC Convergence Survey Response

In terms of governance, risk, and compliance, SAP and executives from across the world believe strongly in convergence. In February 2010, KPMG released a global survey on GRC. Working with the Economist Intelligence Unit (EIU), KPMG surveyed 542 executives from a wide range of industries and regions, with approximately a third from each major region of the world. One of the very consistent themes that arose in this survey was that almost two-thirds of the respondents (64%) said GRC convergence was a priority for their organizations. According to the report, and to many SAP customers, GRC is a topic that has become too unwieldy in most organizations. As the users try to manage GRC, they find that it is too costly, requires too many resources, and leaves them exposed to undue risk. Customers believe that GRC convergence will help them address these issues by reducing their costs and risk exposure and improving the overall performance of their businesses.

Importance of GRC Convergence

Figure 68: Example Depicting the Importance of GRC Convergence

Business Example: Leadership sets a strategy to increase penetration in some of the markets that the company serves. In this example, a variety of related operational initiatives are put into place by different lines of business. Sales and marketing analyzes the demand to establish and accept a target for the expanded penetration. The analysis is communicated to production planning, which plans to increase production. The manufacturing team works with strategic sourcing to establish the amount of increase in the supply of raw materials. They decide on two suppliers for a critical component, based upon known performance and other factors, that can meet the demand. Manufacturing ramps up additional capacity and pushes more product off the line. Distribution works to get the product into the targeted markets. Sales and marketing work to get the product into customers’ hands and, ultimately, achieve success.


Disconnection Between Risks, Policies, and Compliance

Figure 69: Disconnection Between Risks, Policies, and Compliance

The core issue is how you close the performance loop when there is a clear disconnect between risks, policies, and compliance. Add to this the complex composition of most modern companies – a multitude of business processes spanning organizations across several regions, coupled with differing compliance requirements – and the answer is that, unfortunately, you cannot close the performance loop. There is a lot of duplication of effort as organizations try to solve this problem, and often there are duplicate activities and technologies in addressing this issue. But even more important is the fact that without getting a clear view into these elements and understanding them, most companies face undue or even catastrophic risks that they are unable to identify or remediate. SAP believes that GRC convergence can help address this problem and is uniquely qualified to deliver solutions to support this movement.

Unit 3: Advanced User Administration Topics

Comprehensive Approach in GRC

Figure 70: Comprehensive Approach in GRC

Enterprise GRC refers to a platform that enables organizations to gain visibility into and efficiently manage all of their risk and compliance activities across the disciplines of Risk Management, Compliance Management, Audit Management, Policy Management, and Access Management. SAP is committed to enabling customers to realize GRC convergence, a key aspect of which is to ensure that GRC is optimized for SAP but not tethered to SAP. Many customers maintain hybrid environments or have chosen a different business process platform. The SAP GRC 10.0 solution is designed to integrate tightly with SAP and also to leverage adapters from technology partners and open APIs, such as web services, to work loosely with other platforms as well.

While the application process stack is important, partnership with vendors such as CA, Novell, and Sensage extends the GRC platform across the IT stack, including IT infrastructure and applications, together with categories such as Identity Management integration. The content framework of the GRC solution allows close work with both system integrators and technology service providers to provide out-of-the-box content. This content provides a starting point for customers with specific business scenarios. Through integration with SAP Performance Management, GRC is truly able to close the performance loop by ensuring that risks are tied closely to KPIs in the strategic management process, that risk influences the planning or supply chain process, and that controls can be tied to consolidation processes to ensure a compliant close.


Key Features in SAP GRC 10.0

Figure 71: Purpose and Value of a Common Technical Platform

SAP GRC 10.0 reduces the total cost of ownership (TCO) through lower overall implementation, administrative, and maintenance costs, because the GRC solutions leverage a common technology (ABAP) platform and a shared Implementation Guide (IMG).

Enhancements and Benefits of a Common Technical Platform

Figure 72: Enhancements and Benefits of a Common Technical Platform


The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions. Sharing is optional because some customers prefer a silo approach whereas others seek to consolidate and integrate their GRC activities.


Enhanced Visualization and Streamlined Navigation

Figure 73: Purpose and Value of Enhanced Visualization and Streamlined Navigation

Streamlined user navigation with shared work centers emphasizes function rather than component. This significantly reduces duplication of menu items (for example, one inbox and not three) and facilitates sharing of data and functions.

Enhancements and Key Benefits of Visualization and Streamlined Navigation

Figure 74: Enhancements and Key Benefits of Visualization and Streamlined Navigation


The menu items that the individual user sees within each work center are controlled by the GRC roles of that user. This also enables data shared across components to be viewed differently by different users.


Configurable User Interface

Figure 75: Purpose and Value of the Configurable User Interface

The configurable user interface lets the configuration determine the field status per application component. For example, the organization field Average Cost per Control can be shown to users authorized for SAP Process Control and hidden from users who are not authorized for Access Control. A field status (Required, Optional, Displayed, or Hidden) can be selected per field, per component, or, where applicable, per regulation. Changes to the field status are reflected on the user interface without programming.

Enhancements and Benefits of the Configurable User Interface

Figure 76: Enhancements and Benefits of the Configurable User Interface


Improved Reporting

Figure 77: Purpose and Value of Improved Reporting

GRC reporting leverages the SAP Business Suite ABAP List Viewer (ALV) and Crystal Reports integration framework to present and personalize ABAP (Web Dynpro) reports and convert them into SAP Crystal Reports. This lowers TCO and extends the benefits and functionality of Crystal Reports without requiring a separate SAP BusinessObjects Enterprise Server.

Enhancements and Benefits of Reporting


Figure 78: Enhancements and Benefits of Reporting

Existing reports are refined on the basis of customer feedback to make them more usable and to facilitate exception management for continuous control monitoring. Dashboard technology enables reporting across all continuous monitoring results and exceptions for better visibility and to facilitate remediation for continuous monitoring. The SAP BusinessObjects Enterprise Server is optional for using the Crystal Reports framework.


Enhanced Policy Management

Figure 79: Purpose and Value of Enhanced Policy Management

Policy Management provides complete lifecycle management for corporate policies and aligns policies with risk and compliance management activities. Effective policy management reduces enterprise risk and improves corporate governance by giving management guidance for the behavior, actions, and decision-making processes of an organization.

Enhancements and Benefits of Policy Management


Figure 80: Enhancements and Benefits of Policy Management

As a common function, Policy Management is available to customers who purchase Process Control or Risk Management. In a compliance scenario, a policy is related to organizations, processes, risks, and controls. As part of enterprise risk management, a policy is used as a risk response and can also be related to organizational activities. In general, the user measures the adherence to policies with acknowledgements, surveys, or quizzes.


Enhanced Business Rule Framework

Figure 81: Purpose and Value of the Enhanced Business Rule Framework

The enhanced, user-configurable rule engine gives customers maximum flexibility in defining their rules for automated testing and monitoring. You can monitor a much wider range of back-end systems, consume data from non-SAP systems without needing third-party tools, process asynchronous events, and automatically analyze SAP Basis change logs.

Enhancements and Benefits of the Business Rule Framework


Figure 82: Enhancements and Benefits of the Business Rule Framework

The enhanced Business Rule Framework empowers business users by reducing their dependency on IT resources, which also lessens the load on expensive IT resources.


Content Lifecycle Management (CLM)

Figure 83: Purpose and Value of CLM

CLM supports check-in, version control, comparison, and deployment of packaged content. CLM also formalizes the ability to export structured content to Microsoft Excel and check the changes back into the system. This is an enormous productivity boost for initial implementations, for getting content into GRC from legacy or reference systems, for periodic updates, and for expanding implementations.

Enhancements and Benefits of CLM


Figure 84: Enhancements and Benefits of CLM

SAP GRC Integration

The SAP GRC 10.0 solution integrates with several other systems and applications, both across the solution and for specific solution components. The following integrations are applicable across the SAP GRC 10.0 solution:


Figure 85: GRC 10.0 Solution Integration Overview

Access Control Integration

Access Control 10.0 includes capabilities for the following integrations:
● Process Control and Risk Management integration for shared Master Data
● HR Triggers integration
● Identity Management (IdM) integration

Access Control Integration - Shared Master Data

Figure 86: Access Control Integration for Shared Master Data

Access Control Integration – HR Triggers

The HR Triggers functionality of Access Control 10.0 allows the creation of automatic access requests corresponding to changes in the master data of SAP or non-SAP HR systems. When an event is triggered in the SAP HR system, such as hiring a new employee, rules are applied and a corresponding action to create a workflow request is initiated in the Access Control solution. The workflow processes the request and provisions to the back-end system by direct or indirect assignment. The configuration of HR Triggers in Access Control 10.0 includes the configuration of actions, rules, and field mapping.

Note: Users do not need to complete an access request form.

HR Integration Process Flow

Figure 87: HR Integration Process Flow

Access Control and Identity Management Integration Overview

Identity Management solutions provide the key infrastructure to manage user accounts in multiple back-end systems. Access Control currently integrates with Identity Management solutions for enterprise-wide compliant provisioning. This integration enables customers to deploy an automated, business- and risk-driven Access Control solution enterprise-wide. With this solution, business owners can control access, security posture, and risk on the basis of business-relevant values without requiring domain-specific knowledge of each IT system. SAP Access Control provides robust integration with Identity Management solutions and continues to focus on its own core competencies of risk, SoD, and remediation. To support this strategy, Access Control integrates with market-leading Identity Management vendors, such as Oracle, Sun, and Novell, and integrates and optimizes with SAP NetWeaver Identity Management.


User Provisioning Scenarios with Identity Management Integration

Figure 88: Access Control - Identity Management Supported Scenarios

GRC-driven provisioning is initiated in the GRC solutions, provisioned by the GRC solutions for SAP systems, and provisioned in Identity Management for non-SAP solutions.


Identity Management-driven provisioning is initiated in Identity Management, submitted to the GRC solutions through web services, provisioned by the GRC solutions for SAP systems, and provisioned in Identity Management for non-SAP systems.

GRC-Driven Provisioning Process Flow

Figure 89: GRC-Driven Provisioning Process Flow

GRC-driven provisioning process flow:
1. The user logs on to the Access Control application and creates an access request.
2. The request follows the approval process.
3. Access risk analysis and remediation is carried out in the GRC application for the requested roles.
4. The approver either approves or rejects the request. If the request is approved, access to SAP systems is provisioned by the GRC application and non-SAP requests are sent to Identity Management for provisioning.

Identity Management-Driven Provisioning

Figure 90: Identity Management-Driven Provisioning

Identity Management-driven provisioning process flow:
1. The user logs on to the Identity Management application, creates an access request, and submits it to the GRC application.
2. The request follows the approval process in the GRC application.
3. Access risk analysis and remediation is carried out in the GRC application for the requested roles.
4. The approver either approves or rejects the request. If the request is approved, access to SAP systems is provisioned by the GRC application and non-SAP requests are sent to Identity Management for provisioning.

Process Control Integration

Integrations for Process Control 10.0 include the following types of integration:
● Process Integration
● SoD Integration
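The GRC-driven and Identity Management-driven provisioning flows above share the approval, risk analysis and routing steps and differ only in where the request originates. The following Python model of that flow is an added example, not code from the course or from SAP Access Control; the system names, role names and SoD rule set are constructed, and holding a request with an unmitigated risk for remediation instead of approving it is an assumption about how step 3 and step 4 interact.

```python
from dataclasses import dataclass, field

# Constructed landscape: the GRC application provisions SAP systems itself,
# non-SAP targets are handed to Identity Management.
SAP_SYSTEMS = {"ERP_PROD", "BW_PROD"}
NON_SAP_SYSTEMS = {"AD_CORP", "SALESFORCE"}

# Constructed SoD rule set: role pairs one user must not hold at the same time.
SOD_RULES = {
    "SOD_P2P_01": frozenset({"Z_VENDOR_MAINTAIN", "Z_VENDOR_PAYMENT"}),
    "SOD_O2C_01": frozenset({"Z_SALES_ORDER", "Z_CUSTOMER_CREDIT"}),
}


@dataclass
class AccessRequest:
    origin: str            # "GRC": created in Access Control; "IDM": submitted by IdM via web services
    user: str
    requested: dict        # role -> target system
    existing: set = field(default_factory=set)       # roles the user already holds
    mitigations: set = field(default_factory=set)    # SoD rule ids covered by a mitigating control
    risks: list = field(default_factory=list)
    status: str = "submitted"
    grc_provisioned: dict = field(default_factory=dict)   # step 4: SAP targets
    idm_provisioned: dict = field(default_factory=dict)   # step 4: non-SAP targets


def submit(origin, user, requested, existing=(), mitigations=()):
    """Step 1: the request enters the GRC application from either origin."""
    if origin not in ("GRC", "IDM"):
        raise ValueError("request must originate in Access Control (GRC) or Identity Management (IDM)")
    return AccessRequest(origin, user, dict(requested), set(existing), set(mitigations))


def risk_analysis(req):
    """Step 3: check the requested roles together with the existing ones against the SoD rules."""
    held = req.existing | set(req.requested)
    req.risks = [{"rule": rule_id, "roles": sorted(conflict), "mitigated": rule_id in req.mitigations}
                 for rule_id, conflict in SOD_RULES.items() if conflict <= held]
    req.status = "analysed"
    return req.risks


def open_risks(req):
    """Violations without a mitigating control; these need remediation before approval."""
    return [r for r in req.risks if not r["mitigated"]]


def remediate(req, drop_role):
    """Remediation: take the conflicting role out of the request and re-run the analysis."""
    req.requested.pop(drop_role)
    return risk_analysis(req)


def decide(req, approve):
    """Steps 2 and 4: the approver decides after the analysis. An approved request is routed
    by target system; a request with an open risk is held for remediation (assumption)."""
    if req.status != "analysed":
        raise RuntimeError("risk analysis must run before the approver decides")
    if not approve:
        req.status = "rejected"
        return req
    if open_risks(req):
        req.status = "pending_remediation"
        return req
    for role, system in req.requested.items():
        if system in SAP_SYSTEMS:
            req.grc_provisioned[role] = system      # provisioned by the GRC application
        elif system in NON_SAP_SYSTEMS:
            req.idm_provisioned[role] = system      # handed to Identity Management
        else:
            raise ValueError(f"unknown target system {system}")
    req.status = "approved"
    return req
```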


Process Integration

Figure 91: Process Integration

The Process Integration proxy is used to monitor another system, so only the Outbound Proxy is supported. Process Integration allows you to monitor deficiencies in other systems. The Process Integration proxy must be complete before you proceed on the portal.

Process Control – SoD Integration

Figure 92: SoD Integration

SoD Integration allows you to perform the following tasks:
● Use SoD analysis results from the Access Control solution to mitigate a risk identified in the Process Control application. The frequency of the Access Control SoD analysis can be automatic, weekly, or monthly.
● View job step results for SoD Integration in the Job Monitor.

If you identify a risk in the Process Control application, you can use the SoD analysis results of Access Control to mitigate that risk. The Job Monitor allows you to see all job results without receiving a task.


Risk Management Integration

Figure 93: Risk Management Integration Overview

Risk Management integrates with several other systems to help users identify and manage risk from one location. The risk manager is responsible for checking the current status of the scenarios.


Unit 3 Exercise 5 Run Reports and View Dashboards

Business Example

You want to review information about access risks and other risks for your company and its compliance status. With the Harmonized Reporting Framework, you can view reports and dashboards for all of these areas from one work center, Reports and Analytics.

System Data
System: ZMC
Client: 800
User ID: XX-CUSTOM (where XX is your user ID)
Password: Password was changed by participant upon initial logon

Task 1
View Management dashboards for Risk Management.
1. Launch SAP NetWeaver Business Client or log on to the SAP GUI in system ZMC using the user xx-CUSTOM with password ‘initial’.
2. Choose the Reports and Analytics work center.
3. Under the Management work set, you will find dashboards for Risk Management. Choose Heatmap.
4. Choose a currency and then choose the OK pushbutton.
5. Explore the Risk Heatmap.
6. Close the Risk Heatmap when finished.

Task 2
View Compliance Dashboards for Process Control from the Reports and Analytics work center.
1. Choose the Risk-based Compliance Management Status dashboard under the Compliance work set.

Task 3
View Access Management Dashboards for Access Control in the Reports and Analytics work center.
1. Under the Access Management work set, choose User Authorization Analysis.
2. Select Year for Period, current year for Year, and SOX for Regulation. Then choose the Go pushbutton.


Unit 3 Solution 5 Run Reports and View Dashboards

Business Example

You want to review information about access risks and other risks for your company and its compliance status. With the Harmonized Reporting Framework, you can view reports and dashboards for all of these areas from one work center, Reports and Analytics.

System Data
System: ZMC
Client: 800
User ID: XX-CUSTOM (where XX is your user ID)
Password: Password was changed by participant upon initial logon

Task 1
View Management dashboards for Risk Management.
1. Launch SAP NetWeaver Business Client or log on to the SAP GUI in system ZMC using the user xx-CUSTOM with password ‘initial’.
a) From the ABAP client, enter /nnwbc and then choose /nwbc in the NWBC window.
2. Choose the Reports and Analytics work center.
3. Under the Management work set, you will find dashboards for Risk Management. Choose Heatmap.
a) Choose Reports and Analytics → Management → Heatmap.
4. Choose a currency and then choose the OK pushbutton.
5. Explore the Risk Heatmap.
6. Close the Risk Heatmap when finished.

Task 2
View Compliance Dashboards for Process Control from the Reports and Analytics work center.
1. Choose the Risk-based Compliance Management Status dashboard under the Compliance work set.
a) Select Year for Period, current year for Year, and SOX for Regulation. Then choose the Go pushbutton.

Task 3
View Access Management Dashboards for Access Control in the Reports and Analytics work center.
1. Under the Access Management work set, choose User Authorization Analysis.
a) Choose Reports and Analytics → Access Management → User Risk Violation.
2. Select Year for Period, current year for Year, and SOX for Regulation. Then choose the Go pushbutton.


GRC Apps

The SAP GRC applications are available as apps for smartphones. The GRC apps enable users, such as managers, to do the following:
● Review and approve time-sensitive and operationally critical access requests.
● Allow only authorized employees to gain access to systems.
● Access systems using smartphones.
● Attend to their work in a timely manner.
● Display lists of user and firefighter access requests.
● Review user and firefighter access requests, with access details.
● Review risks associated with a request (if risk analysis has already been performed).
● Call or e-mail users to request additional information.
● Add comments before approving or rejecting requests.
● Forward requests to people in your contacts list in case further analysis and simulation is needed.

Using the apps, users, such as managers, can review any risks associated with the access request and add comments before approving or rejecting the request, as appropriate. Integration with the built-in contacts application makes it quick and easy to contact users for additional information or to forward requests to colleagues for further analysis.


LESSON SUMMARY

You should now be able to:
● Explain SAP Governance, Risk, and Compliance (GRC) 10.0


Unit 3 Lesson 4 Work with Identity Management

LESSON OVERVIEW

This lesson provides an overview of Identity Management and how to work with it.

Business Example

You need to manage authorizations for systems within the company and execute the business processes efficiently. For this reason, you require the following knowledge:
● An understanding of the Identity Management issues in heterogeneous system landscapes
● An understanding of the SAP NetWeaver Identity Management architecture
● An understanding of the Identity Center database

LESSON OBJECTIVES

After completing this lesson, you will be able to:
● Understand the purpose of Identity Management
● Explain Identity Management
● Explain the history of SAP NetWeaver Identity Management

What Is the Purpose of Identity Management?

Figure 94: What Is the Purpose of Identity Management?


SAP NetWeaver Identity Management Overview

Figure 95: SAP NetWeaver Identity Management Overview

The figure shows an overview of SAP NetWeaver Identity Management.

User Life Cycle


Figure 96: User Life Cycle

The figure shows how an identity develops throughout its life cycle and illustrates the risks of ineffective identity management. In the example shown, as Chuck Brown progresses through the company, his set of permissions and access grows. He retains permissions that are no longer aligned with his job role and function. Even after he resigns, his permissions remain in effect. This scenario has the following issues:
● The user takes a long time to become productive.
● The user needs to follow manual steps to get access.
● The user still has authorizations for the systems because there is no de-provisioning of authorizations.

Partial User Management Centralization

Before SAP offered the SAP NetWeaver Identity Management component, companies used Central User Administration (CUA) to centralize their user management processes. However, CUA is only supported for ABAP-based systems. For interoperability with Java systems that use a Lightweight Directory Access Protocol (LDAP) directory as a user store, and for integration with non-SAP applications, users can be synchronized with an LDAP directory using the ABAP LDAP connector. For the central management of a heterogeneous system landscape, companies still need a third-party Identity Management product.

Holistic Identity Management Approach

Figure 97: Holistic Identity Management Approach

With SAP NetWeaver Identity Management, SAP offers integrated Identity Management capabilities for heterogeneous system landscapes (SAP and non-SAP software), driven by business processes. The key components of SAP NetWeaver Identity Management are as follows:
● Central identity store: The central identity store consolidates identity data from different source systems (for example, SAP ERP HCM) and then distributes this information to the target systems.
● Approval workflows: Workflows distribute the responsibility for authorization assignments to business process owners and managers.
● Identity virtualization or identity as a service: Identity virtualization provides access to the data within SAP NetWeaver Identity Management using services and standard protocols such as LDAP.
● SAP Business Suite integration: The integration of SAP ERP HCM as one of the possible source systems for identity information is a key function for enabling business-driven Identity Management.
● Compliance checks for GRC: The integration of heterogeneous systems with Compliant User Provisioning offers extensive functions for assuring compliance and segregation of duties in the role and authorization assignment process.
● Definition and rule-based assignment of business roles: Rule-based assignment of business roles enables you to define different rule sets to assign roles to users. This means that the assignment can be performed automatically, based on the attributes of the identity.
● Monitoring and audit: Monitoring and audit provides auditors with one central place to check the authorizations of employees in all systems. This information is also available for former employees.
● Password management: A centralized password management system reduces calls to the help desk for password resets and enables password provisioning across a heterogeneous landscape.
● Distribution of users and role assignments: Distribution of users and role assignments handles user accounts and role assignments of SAP and non-SAP applications.

SAP NetWeaver Identity Management within the Technology Platform

Figure 98: SAP NetWeaver Identity Management within the Technology Platform

Identity Management is an integral part of the SAP NetWeaver technology platform. Some of the functions of Identity Management are as follows:
● It enables efficient and secure management of identity information.
● It supports both SAP-only and heterogeneous system landscapes.
● It integrates with the SAP NetWeaver platform and business applications.
● It complements integrated SAP NetWeaver security frameworks.
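The user life cycle shown earlier (access that only ever accumulates and survives a resignation) and the rule-based assignment of business roles are two sides of one mechanism: derive the target assignments from the identity's current attributes and treat the difference from what the target systems currently hold as provisioning and de-provisioning work. The following Python sketch is an added example, not code from the course or from SAP NetWeaver Identity Management; the rule set, business roles, target systems and Chuck Brown's career events are constructed.

```python
# Business role -> technical roles per target system (constructed mapping).
BUSINESS_ROLES = {
    "BR_EMPLOYEE":   {("AD_CORP", "Domain Users"), ("ERP_PROD", "Z_ESS_USER")},
    "BR_ACCOUNTANT": {("ERP_PROD", "Z_FI_ACCOUNTANT"), ("BW_PROD", "Z_FI_REPORTING")},
    "BR_BUYER":      {("ERP_PROD", "Z_MM_BUYER")},
}

# Rule set (constructed): an identity receives a business role when the predicate
# matches its attributes. A terminated identity matches no rule at all.
RULES = [
    ("BR_EMPLOYEE",   lambda a: a["status"] == "active"),
    ("BR_ACCOUNTANT", lambda a: a["status"] == "active" and a["department"] == "Finance"),
    ("BR_BUYER",      lambda a: a["status"] == "active" and a["department"] == "Purchasing"),
]


def target_assignments(attributes):
    """Technical roles the identity should hold, derived only from its current attributes."""
    wanted = set()
    for business_role, predicate in RULES:
        if predicate(attributes):
            wanted |= BUSINESS_ROLES[business_role]
    return wanted


def reconcile(attributes, current):
    """Return (to_add, to_remove): the provisioning and de-provisioning actions that bring
    the accounts in the target systems in line with the identity's attributes."""
    wanted = target_assignments(attributes)
    return wanted - current, current - wanted


def accumulate_only(attributes, current):
    """The failure mode from the life-cycle figure: access is only ever added, never removed."""
    return current | target_assignments(attributes)


def run_life_cycle(events, apply_deprovisioning=True):
    """Replay a sequence of attribute changes and return the final technical assignments."""
    current = set()
    for attributes in events:
        if apply_deprovisioning:
            add, remove = reconcile(attributes, current)
            current = (current | add) - remove
        else:
            current = accumulate_only(attributes, current)
    return current


# Constructed career: hired into Finance, moved to Purchasing, then resigned.
CHUCK_BROWN = [
    {"status": "active", "department": "Finance"},
    {"status": "active", "department": "Purchasing"},
    {"status": "terminated", "department": "Purchasing"},
]
```

With de-provisioning the final assignment set is empty; without it the Finance and Purchasing roles both survive the resignation, which is exactly the leftover access the figure warns about.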


Identity Management Components - Applications and Repositories

Figure 99: Applications and Repositories


Data Services

Figure 100: Data Services


Identity Store

Figure 101: Identity Store

The identity store is a relational database and not a directory server. An LDAP directory server is designed for returning small amounts of data, so extracting information about all employees from a directory server is not optimal compared to extracting it from a relational database.

An LDAP filter is useful for searching for specific identities but cannot perform combined searches, such as INNER JOINs, which you can do in Structured Query Language (SQL). There are also cases where Identity Management (and meta directory) suppliers want customers to use only the supplier’s own directory server. The identity store has the following features:
● Dynamic storage of identity data
● Meeting point for all identities
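To make the INNER JOIN point concrete: the audit question from this lesson, which former employees still hold authorizations in any connected system, is one join across identities, assignments and repositories. The following Python/SQLite snippet is an added example with a constructed, simplified schema; it is not the SAP NetWeaver Identity Management identity store schema.

```python
import sqlite3

# Constructed, simplified identity-store schema (not the SAP NetWeaver Identity
# Management schema): identities, connected repositories, accounts and role assignments.
SCHEMA = """
CREATE TABLE identity   (id INTEGER PRIMARY KEY, display_name TEXT, status TEXT);
CREATE TABLE repository (id INTEGER PRIMARY KEY, name TEXT, kind TEXT);
CREATE TABLE account    (identity_id INTEGER, repository_id INTEGER, login TEXT,
                         PRIMARY KEY (identity_id, repository_id));
CREATE TABLE assignment (identity_id INTEGER, repository_id INTEGER, role TEXT,
                         PRIMARY KEY (identity_id, repository_id, role));
"""

# Constructed sample data: one leaver still holding roles, one leaver with a bare login left.
SAMPLE = {
    "identity": [(1, "Chuck Brown", "terminated"), (2, "Ann Lee", "active"),
                 (3, "Raj Patel", "terminated")],
    "repository": [(10, "ERP_PROD", "SAP"), (20, "AD_CORP", "LDAP"), (30, "SALESFORCE", "SaaS")],
    "account": [(1, 10, "CBROWN"), (1, 20, "cbrown"), (2, 10, "ALEE"), (2, 30, "ann.lee"),
                (3, 20, "rpatel")],
    "assignment": [(1, 10, "Z_FI_ACCOUNTANT"), (1, 10, "Z_MM_BUYER"), (1, 20, "Domain Users"),
                   (2, 10, "Z_FI_ACCOUNTANT"), (2, 30, "Sales User")],
}


def open_store():
    """Create the in-memory identity store and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO identity VALUES (?, ?, ?)", SAMPLE["identity"])
    con.executemany("INSERT INTO repository VALUES (?, ?, ?)", SAMPLE["repository"])
    con.executemany("INSERT INTO account VALUES (?, ?, ?)", SAMPLE["account"])
    con.executemany("INSERT INTO assignment VALUES (?, ?, ?)", SAMPLE["assignment"])
    return con


def stale_authorizations(con):
    """Former employees that still hold a role in any repository: the de-provisioning gap
    from the user life-cycle figure, answered with two INNER JOINs."""
    return con.execute("""
        SELECT i.display_name, r.name, a.role
        FROM identity i
        INNER JOIN assignment a ON a.identity_id = i.id
        INNER JOIN repository r ON r.id = a.repository_id
        WHERE i.status = 'terminated'
        ORDER BY i.display_name, r.name, a.role""").fetchall()


def orphan_accounts(con):
    """Former employees whose login still exists although no role remains on it."""
    return con.execute("""
        SELECT i.display_name, r.name, ac.login
        FROM identity i
        INNER JOIN account ac ON ac.identity_id = i.id
        INNER JOIN repository r ON r.id = ac.repository_id
        LEFT JOIN assignment a ON a.identity_id = ac.identity_id
                               AND a.repository_id = ac.repository_id
        WHERE i.status = 'terminated' AND a.role IS NULL
        ORDER BY i.display_name, r.name""").fetchall()


def authorizations_for(con, display_name):
    """One central place to check an employee's authorizations in all systems; it also works
    for former employees because the store keeps their identity row."""
    return con.execute("""
        SELECT r.name, a.role
        FROM identity i
        INNER JOIN assignment a ON a.identity_id = i.id
        INNER JOIN repository r ON r.id = a.repository_id
        WHERE i.display_name = ?
        ORDER BY r.name, a.role""", (display_name,)).fetchall()
```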

Traditionally, LDAP servers are slow at updating data.

Identity Services

Figure 102: Identity Services


Identity Applications

Figure 103: Identity Applications

SAP NetWeaver Identity Management Architecture

Figure 104: SAP NetWeaver Identity Management Architecture

The SAP NetWeaver Identity Management architecture consists of the following components:
● Virtual Directory Server (VDS)
● Identity Center (IC)

VDS

The VDS acts as a single access point for clients retrieving or updating data in multiple data repositories. The VDS provides a unified view of the data in real time. You can use it, for example, to consolidate multiple repositories and then as a data source for the IC. You then use the IC for provisioning and performing Identity Management functions.


Identity Center (IC)

The IC is the primary component used for Identity Management. It includes functions for identity provisioning, workflow, password management, logging, and reporting. The IC uses a database to store information about identities as well as configuration information.

The workflow UI allows end users to access tasks such as requests or approvals. The monitoring UI is based on the same technology as the workflow UI and enables administrators to access the audit and monitoring functionality as well as the status of the provisioning tasks. The management console is an add-on for the Microsoft Management Console and is used to configure the processing logic of the Identity Center (that is, connect target systems, define workflow processes, and so on). The dispatcher is based on the runtime engine, which is responsible for provisioning. The Identity Center retrieves data from the repositories, consolidates the data, transforms it into the necessary formats, and publishes it back to the various decentralized repositories.


Management Console

Figure 105: Management Console

The management console serves the following purposes:
● Administration
● Development


Identity Management UI

Figure 106: Identity Management UI

The Identity Management UI is based on WebDynpro Java.


The Identity Management UI provides the main workflow interface for users and managers. This interface provides a web interface for registration and approvals, self-service interface, and password reset. The interface also provides monitoring and audit interfaces, such as logs and queues, for administrators.

Figure 107: Administration User Interface


Dispatcher

Figure 108: Dispatcher

The purpose of the dispatcher is to evaluate container tasks and start the runtime engine when tasks and jobs are to be executed.


The dispatcher runtime engine has the following features:
● Responsible for executing jobs
● An advanced version of the runtime engine
● Same basics as the other runtime engines

It is based on Microsoft Windows and Java. The dispatcher runs as a service on each machine executing jobs.

Event Agent

The purpose of an event agent is to reduce data transfer latency. The event agent detects changes in repositories by using database triggers, LDAP change logs, and Java objects. The event agent schedules jobs for execution.


IC Database

Figure 109: Identity Center Database

The IC database is the core of the IC product. It contains tables, stored procedures, and triggers. The IC database holds the following information:
● Jobs
● Logs
● Audit data
● Delta information
● Status
● Scheduling

The IC database works as an identity store.


Database Centric

Figure 110: Database Centric

Everything, including customer data availability and consistency, is based on the database. High availability is possible by maintaining a copy of the database. Database consistency assures continued processing, even if the system crashes.

The databases supported by SAP NetWeaver Identity Management are as follows:
● Microsoft SQL Server
● Oracle
● IBM DB2

Publishing Identity Data

An LDAP directory server is used to publish the identity data. The identity data is published in the following ways:
● On-the-wire standard: Based on LDAP or Service Provisioning Markup Language (SPML) and published by combining all the data together.
● Inheritance: The policy applied at the higher level is inherited down the hierarchy.

It is recommended to use the SAP Virtual Directory Server to provide LDAP or SPML access to the IC database.

A Little History

Figure 111: A Little History (1)

Figure 112: A Little History (2)

Figure 113: A Little History (3)

LESSON SUMMARY
You should now be able to:
● Understand the purpose of Identity Management
● Explain Identity Management
● Explain the history of SAP NetWeaver Identity Management

Unit 3 Learning Assessment

1. Identify the key benefits of using Central User Administration (CUA). Choose the correct answers.
A You can maintain roles in one place.
B You can reduce the cost of user administration.
C You can create user data from multiple places.
D You can provide secure user administration by centralizing the work.

2. For which of the following purposes are Remote Function Call (RFC) connections used in the CUA scenario? Choose the correct answers.
A To distribute user data from the central system to child systems
B To distribute user data from one child system to another
C To send changes to the data in the central system to the child systems
D To send status reports back to the central system

3. A path from an entry to the root of the tree is automatically defined when a Distinguished Name (DN) is created for an entry. Determine whether this statement is true or false.
True
False

4. For Identity Management, which of the following scenarios does the SAP Governance, Risk, and Compliance (GRC) Access Control solution support? Choose the correct answers.
A GRC solution-driven provisioning
B Segregation of duties (SoD) integration
C Identity Management-driven provisioning
D Enhancement Health and Security Risk Assessment

5. Which component of the SAP Governance, Risk, and Compliance (GRC) solution provides the ability to manage and monitor user privileges? Choose the correct answer.
A Risk Management
B SAP Access Control
C SAP Process Control
D Global Trade Services

6. Which of the following are features of SAP Identity Management (IdM)? Choose the correct answers.
A Integration of the different databases of SAP and non-SAP systems
B Compatible with integrated SAP NetWeaver security frameworks
C Performs as a Lightweight Directory Access Protocol (LDAP) connector
D Integration with SAP NetWeaver platform and business applications

Unit 3 Learning Assessment - Answers

1. Identify the key benefits of using Central User Administration (CUA). Choose the correct answers.
A You can maintain roles in one place.
B You can reduce the cost of user administration.
C You can create user data from multiple places.
D You can provide secure user administration by centralizing the work.

2. For which of the following purposes are Remote Function Call (RFC) connections used in the CUA scenario? Choose the correct answers.
A To distribute user data from the central system to child systems
B To distribute user data from one child system to another
C To send changes to the data in the central system to the child systems
D To send status reports back to the central system

3. A path from an entry to the root of the tree is automatically defined when a Distinguished Name (DN) is created for an entry. Determine whether this statement is true or false.
True
False

4. For Identity Management, which of the following scenarios does the SAP Governance, Risk, and Compliance (GRC) Access Control solution support? Choose the correct answers.
A GRC solution-driven provisioning
B Segregation of duties (SoD) integration
C Identity Management-driven provisioning
D Enhancement Health and Security Risk Assessment

5. Which component of the SAP Governance, Risk, and Compliance (GRC) solution provides the ability to manage and monitor user privileges? Choose the correct answer.
A Risk Management
B SAP Access Control
C SAP Process Control
D Global Trade Services

6. Which of the following are features of SAP Identity Management (IdM)? Choose the correct answers.
A Integration of the different databases of SAP and non-SAP systems
B Compatible with integrated SAP NetWeaver security frameworks
C Performs as a Lightweight Directory Access Protocol (LDAP) connector
D Integration with SAP NetWeaver platform and business applications

UNIT 4
Infrastructure Security

Lesson 1 Review Network Topology
Lesson 2 Enable Secure Network Communication (SNC)
Lesson 3 Enable Secure Socket Layer (SSL)

UNIT OBJECTIVES
● Explain networking concepts
● Explain Secure Network Communication (SNC)
● Explain Secure Socket Layer (SSL)

Unit 4 Lesson 1 Review Network Topology

LESSON OVERVIEW
This lesson explains the basics of networks and the network communication in the SAP environment.

Business Example
You need to understand the basic network terms and concepts. For this reason, you require the following knowledge:
● An understanding of the network protocols
● An understanding of the Open Systems Interconnection (OSI) model
● An understanding of the Transmission Control Protocol/Internet Protocol (TCP/IP)
● An understanding of the default ports and firewalls
● An understanding of load balancing

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Explain networking concepts

Network Protocols

Figure 114: Network Protocols

The figure shows the communication protocols and the firewall in a network.

Lesson: Review Network Topology

Protocols

Figure 115: Protocols

A protocol is a set of rules that defines how communication takes place between communication partners. Different protocols are used for telephoning than for broadcasting. In computer communication, different issues are handled at different levels.

Protocols deal with the following issues:
● How many volts does a pulse carry to represent a 0 or a 1?
● How is the end of a message determined?
● How are lost messages handled?
● How are computers identified?
● How is a connection to a computer made?
● How do applications communicate on a network?

Unit 4: Infrastructure Security

OSI Model

Figure 116: Networking - Why do you need a Standard?

Due to the heterogeneous systems and communication media, there is a need for a standard that enables communication between different partners.

Open system means that a system can communicate with any other system that follows the specified standards, formats, and semantics.

ISO-OSI Model

Figure 117: ISO-OSI Model

The International Organization for Standardization (ISO) has developed a standard model for communication called the OSI model. The OSI reference model describes how information from a software application in one computer moves through a network medium to a software application in another computer.

The OSI reference model is a conceptual model composed of seven layers, each specifying particular network functions. The seven layers of the OSI model and their functions are described in the following table:

Layer | Name         | Function
7     | Application  | Enables program-to-program communication
6     | Presentation | Manages data representation and conversion, for example, the presentation layer converts data from EBCDIC to ASCII
5     | Session      | Establishes and maintains communication channels – in practice, this layer is often combined with the transport layer
4     | Transport    | Ensures end-to-end integrity of data transmission
3     | Network      | Routes data from one node to another
2     | Data link    | Passes data from one node to another, including error detection
1     | Physical     | Places data on the network media and takes the data off the network

TCP/IP – An Overview

Figure 118: TCP/IP Terms

The data to be transmitted is passed down the stack from one layer to the next, until it is transmitted across the network by the network access layer protocols. The four layers in this reference model (as shown in the figure) are designed to distinguish between the different ways that the data is handled as it passes down the protocol stack from the application layer to the underlying physical network. At the remote end, the data is passed up the stack to the receiving application. The individual layers do not know how the layers above or below them function; each layer knows only how to pass data to the adjacent layers. Each layer in the stack adds control information, such as the destination address, routing controls, and a checksum, to ensure the proper delivery of the data. This control information is called a header or a trailer, because it is placed at the beginning or the end of the data to be transmitted. Each layer treats all the information received from the layer above it as data and places its own header and/or trailer around that information. These wrapped messages are then passed to the layer below with additional control information, some of which may be forwarded or derived from the higher layer. When a message exits the system on a physical link, such as a wire, the original message is enveloped in multiple nested wrappers, one for each layer of the protocol stack through which the data passed. When a protocol uses headers or trailers to package the data from another protocol, the process is called encapsulation.
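The encapsulation described above, as an added example that is not part of the handbook: a toy four-layer stack in Python. The header and trailer formats are constructed for illustration only (they are not the real TCP, IP or Ethernet formats), as are the addresses. Each layer treats what it receives from the layer above as opaque data and wraps it; the receiver strips the wrappers in reverse order and drops any frame whose link-layer checksum trailer does not verify.

```python
import struct
import zlib

# Constructed link-layer addresses for the sample (locally administered MACs)
SRC_MAC = bytes.fromhex("020000000005")
DST_MAC = bytes.fromhex("02000000000a")


def wrap_transport(payload, src_port, dst_port):
    """Transport layer: ports and payload length in a header in front of the application data."""
    return struct.pack("!HHH", src_port, dst_port, len(payload)) + payload


def wrap_network(segment, src_ip, dst_ip):
    """Network layer: source and destination addresses for routing; the segment is opaque data here."""
    def addr(ip):
        return bytes(int(octet) for octet in ip.split("."))
    return addr(src_ip) + addr(dst_ip) + segment


def wrap_link(packet, src_mac, dst_mac):
    """Link layer: addresses in a header, CRC-32 error detection in a trailer."""
    return dst_mac + src_mac + packet + struct.pack("!I", zlib.crc32(packet))


def send(app_data, ports, ips, macs=(SRC_MAC, DST_MAC)):
    """Pass data down the stack: each layer wraps what it got from the layer above."""
    return wrap_link(wrap_network(wrap_transport(app_data, *ports), *ips), *macs)


def receive(frame):
    """Pass the frame up the stack: each layer checks and removes only its own wrapper."""
    body, trailer = frame[12:-4], frame[-4:]          # 12-byte link header, 4-byte trailer
    if struct.unpack("!I", trailer)[0] != zlib.crc32(body):
        raise ValueError("link layer: checksum mismatch, frame dropped")
    src_ip = ".".join(str(b) for b in body[:4])
    dst_ip = ".".join(str(b) for b in body[4:8])
    segment = body[8:]
    src_port, dst_port, length = struct.unpack("!HHH", segment[:6])
    return {"src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port,
            "data": segment[6:6 + length]}


def overhead(frame, app_data):
    """Bytes added by all headers and trailers around the application data."""
    return len(frame) - len(app_data)


if __name__ == "__main__":
    frame = send(b"GET / HTTP/1.1", (51000, 443), ("10.0.0.5", "192.0.2.10"))
    print(receive(frame), overhead(frame, b"GET / HTTP/1.1"))
```

For a 14-byte request the three headers and the trailer add 30 bytes; flipping any byte of the payload makes `receive` reject the frame at the link layer, before the higher layers ever see it.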

Default Ports

Figure 119: Default TCP Ports

Information sent across a network is intended not only for a computer but for a program on that computer. Every application that receives data from a TCP/IP network acquires a TCP port, and these programs are distinguished by their ports. The TCP port is a 16-bit number (0-65535) that uniquely belongs to that application on that particular host. The application listens on that port for incoming messages. Some port numbers are pre-assigned to services or programs by the Internet Assigned Numbers Authority (IANA). Port numbers can range from 0 through 65535, but port numbers from 0 through 1023 are reserved for privileged services and designated as well-known ports. This list of well-known port numbers specifies the port used by the server process as its contact port. By default, these well-known ports are defined in the file /etc/services.

The command netstat -a displays all the connections and listening ports on your computer.
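As an added example (not from the handbook), the following Python code reads a services file in the /etc/services format and a netstat -a listing, inventories the listening TCP ports, classifies them by IANA range, and flags listeners bound to all interfaces that have no known service name. Both inputs are constructed samples; the service names and the Linux netstat layout are assumptions made for the sample.

```python
import re

# Constructed sample in the /etc/services format: name  port/protocol  [aliases]  # comment
SERVICES_TEXT = """
# Network services, Internet style (constructed sample)
ssh             22/tcp
http            80/tcp          www
https           443/tcp
ldap            389/tcp
ldaps           636/tcp
sapdp00         3200/tcp        # SAP dispatcher, instance 00
sapgw00         3300/tcp        # SAP gateway, instance 00
sapmsPRD        3600/tcp        # SAP message server
"""

# Constructed sample of `netstat -a` output (Linux layout)
NETSTAT_TEXT = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3200            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:50000           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:3200           10.0.0.77:51234         ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
"""


def parse_services(text):
    """Map (port, protocol) -> service name from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        table[(int(port), proto)] = fields[0]
    return table


def port_class(port):
    """IANA ranges: well-known (privileged) 0-1023, registered 1024-49151, dynamic above."""
    if not 0 <= port <= 65535:
        raise ValueError("TCP port must be a 16-bit number")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


# Proto, Recv-Q, Send-Q, local addr:port, foreign addr, LISTEN state
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def listening_ports(netstat_text, services):
    """Return (port, bind address, IANA class, service name) for every LISTEN socket."""
    rows = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group(2), int(m.group(3))
        rows.append((port, addr, port_class(port), services.get((port, "tcp"), "unknown")))
    return sorted(rows)


def exposed_unknown(rows):
    """Listeners on all interfaces whose port has no entry in the services file."""
    return [port for port, addr, _, name in rows
            if name == "unknown" and addr not in ("127.0.0.1", "::1")]


if __name__ == "__main__":
    rows = listening_ports(NETSTAT_TEXT, parse_services(SERVICES_TEXT))
    for row in rows:
        print(*row)
    print("unexplained exposed listeners:", exposed_unknown(rows))
```

In the sample, port 631 is only on the loopback address and is not reported, while the unknown listener on 50000 bound to 0.0.0.0 is; comparing such an inventory against the expected service list is the routine check behind the firewall rules discussed next.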

Firewalls

Figure 120: Firewalls

A firewall is a system or a combination of systems that protects a networked system from unauthorized access. Firewalls can be implemented in hardware or software, or a combination of both. There are several types of firewall techniques that filter the traffic at different levels.

Different Types of Firewalls

Figure 121: Different Types of Firewalls

The common types of firewalls are as follows:
● Packet filter: packet filters can filter the network traffic up to the TCP layer by looking at IP addresses, port numbers, and the type of protocol used.
● Application level gateway: application level gateways can analyze and control the commands of the application protocol.

IP Packet Filtering

Figure 122: IP Packet Filtering

The routers can filter IP packets on the following fields:
● Source IP address
● Destination IP address
● TCP source port
● TCP destination port

Packet filters cannot filter information sent at the application level, so an application level gateway is used for that purpose.

Application Level Gateway

Figure 123: Application Level Gateway

Application level gateways do not allow any direct network connections between computers from one network to the other. Instead, all the connections from the external network must be made to the gateway, which interprets the protocol traffic and makes connections to the internal network on behalf of the outside requestor. The application level gateway consists of two TCP/IP stacks and application level proxies for each protocol. An application level proxy analyzes and controls the commands for its specific protocol, for example, HTTP. It may also provide additional authentication functionality.

Firewall Architecture

Figure 124: Firewall Architecture and Demilitarized Zone (DMZ)

You should not connect servers that are accessible from the Internet directly to the internal network. Use a two-layer firewall solution, which provides additional security for internal networks even if servers connected to the Internet are compromised. The network zone between the two firewalls is often called the demilitarized zone (DMZ). If a server located in the DMZ is hacked, the hacker is still not able to access internal systems, because the inner firewall limits the access. The DMZ protects valuable resources (for example, application systems) from direct exposure to an untrusted environment. It is sometimes also called a perimeter network. Services such as web servers, e-mail servers, and proxies are located in the DMZ.

Hint: The DMZ concept can also be applied to the internal network architecture.
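Added example (not from the handbook) contrasting what the two firewall types above can decide: a stateless packet filter acting only on the source and destination addresses and ports, configured as the outer firewall of a DMZ, beside an application-level check that parses the HTTP request line the way a proxy would. The rule set, addresses, and the allowed-method policy are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str               # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes = b""     # the packet filter never looks at this


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dst_ports: tuple = ()    # empty tuple = any destination port

    def matches(self, pkt):
        """Only the header fields a router can see: addresses, protocol, ports."""
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (not self.dst_ports or pkt.dst_port in self.dst_ports))


def packet_filter(rules, pkt):
    """First matching rule wins; anything not explicitly permitted is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed outer-firewall rule set: the Internet may reach the DMZ web server
# 192.0.2.10 on HTTPS only, and nothing goes straight into the internal 10.0.0.0/8.
RULES = [
    Rule("deny",   src="0.0.0.0/0", dst="10.0.0.0/8"),
    Rule("permit", src="0.0.0.0/0", dst="192.0.2.10/32", proto="tcp", dst_ports=(443,)),
]

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # constructed proxy policy


def http_proxy_check(payload):
    """What an application-level proxy can decide and a packet filter cannot:
    parse the request line and refuse malformed requests or disallowed methods."""
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"                          # not well-formed HTTP
    if not version.startswith("HTTP/") or not target.startswith("/"):
        return "deny"
    return "permit" if method in ALLOWED_METHODS else "deny"


def firewall_decision(rules, pkt):
    """Packet filter first; the application gateway only sees what the filter let through."""
    verdict = packet_filter(rules, pkt)
    if verdict != "permit":
        return ("packet filter", verdict)
    return ("application gateway", http_proxy_check(pkt.payload))


if __name__ == "__main__":
    req = Packet("198.51.100.7", "192.0.2.10", "tcp", 51000, 443,
                 b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    print(firewall_decision(RULES, req))
```

Two packets with identical header fields but different request lines get the same answer from `packet_filter` and different answers from `http_proxy_check`, which is exactly the gap the application level gateway closes.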

Intrusion Detection System (IDS)

Figure 125: IDS

An IDS is a product that automatically identifies attacks on networks or hosts. In case of an important event, security administrators can be notified about the intrusion. The basic types of IDS are as follows:
● Network-based IDS: a network-based IDS monitors and analyzes the traffic for a whole network.
● Host-based IDS: a host-based IDS monitors and analyzes the network traffic, operating system, and file system of a single host.

If the two types of IDS are combined and their data is sent to a central server, it is called a distributed IDS.

Note: Bear in mind that no system automatically provides full security.

Intrusion Prevention System (IPS)

Figure 126: IPS

An IPS is an extension of an IDS. Compared to an IDS, the IPS is placed inline to actively prevent and block detected intrusions. The system identifies attacks and deviations in the bit pattern of data traffic using signatures, anomaly-detection algorithms, and advanced patterns. The IPS can then take action by sending an alarm, dropping the malicious packets, resetting the connection, or blocking the traffic from the offending IP address.

Load Balancing

Figure 127: Load Balancing Mechanisms

Do not confuse load balancing with High Availability (HA). The various load balancing mechanisms are as follows:
● Redirections: this mechanism is simple in terms of balancing load but has drawbacks with regard to user experience and maintenance (if there is a single load balancer, the application is not accessible while the load balancer is being maintained).
● DNS-based methods: this mechanism is suitable for an intranet scenario and for global load balancing. However, it is not suitable for server load balancing.
● Load balancing device: this mechanism is transparent for the client, which always uses the same URL. It has one official IP address for all application servers and one server certificate for all servers. Even though it is technically challenging, it is usually preferable.

Stateful User Sessions

Figure 128: Stateful User Sessions

Stateful applications impose special requirements on the load balancing mechanisms. HTTP is a stateless protocol, which means that the network connection does not last for the duration of a user session. The protocol provides no option to return a subsequent request to an already established session. While processing a request, the load balancer directs the user to a particular application server. If the load balancer directs the user to a different server for subsequent requests, the second server does not know what has already occurred on the first server. As a result, the session context information is lost. For example, if the first context holds locks on data, the second session cannot access these locked items. There is a conflict between the application, which uses stateful information, and the stateless protocol. As a result, the load balancing device must ensure that all requests from an application session are always directed to the same application server.

Stateful User Sessions – Options

Figure 129: Stateful User Sessions – Options

● Session ID: to make sure that the client is always directed to the correct server, the application server can use a session ID. The application server either saves the session ID in a web browser cookie or inserts it in the URL of the user. In this case, the load balancer does not have to maintain the session information, because the server information is contained in the cookie or the URL. As a result, the load balancer needs access to the plain text information in the request, and you cannot use Secure Socket Layer (SSL) for encryption.
● IP address of the client: to make sure that the client is always directed to a particular server, the load balancer uses the IP address of the client. This method works when using encrypted traffic, but there are a few problems, such as proxies.
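The session affinity options above, as an added Python example that is not from the handbook: plain round robin, a cookie that names the server which created the session, and hashing of the client IP address, each run over a constructed request trace in which every user sits behind the same proxy address. The server names, the trace, and the hashing scheme are assumptions made for the simulation.

```python
import hashlib
from itertools import cycle

SERVERS = ["app1", "app2", "app3"]   # constructed application server pool


class RoundRobin:
    """Plain round robin: good load distribution, no session affinity at all."""

    def __init__(self):
        self._next = cycle(SERVERS)

    def pick(self, req):
        return next(self._next)


class CookieAffinity:
    """The application server stores the session ID (here simply its own name)
    in a cookie; the balancer only reads it, so it needs the request in plain text."""

    def __init__(self):
        self._first = RoundRobin()

    def pick(self, req):
        if req.get("cookie") in SERVERS:
            return req["cookie"]
        return self._first.pick(req)        # first request of a session: place it anywhere


class ClientIpAffinity:
    """Hash of the client IP address. Works on encrypted traffic, but every user
    behind the same proxy presents the same address and lands on one server."""

    def pick(self, req):
        digest = hashlib.sha256(req["client_ip"].encode()).digest()
        return SERVERS[int.from_bytes(digest[:4], "big") % len(SERVERS)]


def simulate(policy, trace):
    """Replay the trace; return servers visited per session and hits per server."""
    visited = {}
    load = {s: 0 for s in SERVERS}
    jar = {}                                 # cookie currently held by each client session
    for req in trace:
        req = dict(req, cookie=jar.get(req["session"]))   # the client sends the cookie it holds
        server = policy.pick(req)
        jar[req["session"]] = server         # the chosen server sets the affinity cookie
        visited.setdefault(req["session"], []).append(server)
        load[server] += 1
    return visited, load


def sessions_kept_together(visited):
    """Session context survives only if every request of a session hit the same server."""
    return all(len(set(servers)) == 1 for servers in visited.values())


def make_trace(users=("alice", "bob", "carol", "dave"), rounds=4, proxy_ip="203.0.113.9"):
    """Constructed trace: interleaved requests from several users, all behind one proxy."""
    return [{"session": user, "client_ip": proxy_ip}
            for _ in range(rounds) for user in users]


if __name__ == "__main__":
    for policy in (RoundRobin(), CookieAffinity(), ClientIpAffinity()):
        visited, load = simulate(policy, make_trace())
        print(type(policy).__name__, sessions_kept_together(visited), load)
```

Round robin spreads the load but splits every session across servers; the cookie keeps sessions together at the price of plain-text access to the request; the client-IP hash keeps them together even over SSL, but with one proxy in front of all users the whole trace lands on a single server.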

Creating the SSL Server PSE

Generate the Certificate Requests

Figure 161: Generate the Certificate Requests

You generate a certificate request for each SSL server PSE, determined by its unique DN. The certificate requests for the different SSL server PSEs are as follows:
● Generate one request for the standard PSE, if used.
● Generate an individual request for each individual PSE.
● Generate one request for a shared PSE.

Send each request to your CA according to the CA's policy.

Note: For the SAP CA, see the SAP trust center service at http://service.sap.com/tcs.

Lesson: Enable Secure Socket Layer (SSL)

Import the Certificate Request Responses

Figure 162: Import the Certificate Request Responses

After you send the requests to the CA, you receive a response from the CA. This response is the signed server certificate. Import the response into the corresponding PSE. You have to import the response only once for a shared PSE. Shared PSEs are distributed to all the application servers.

Caution: Make sure you import the response into the PSE where the corresponding request was created.

Establish Trust Relationships (1)

Figure 163: Establish Trust Relationships (1)

The next step is to establish the trust relationships. Remember that to verify the server's certificate when using SSL, the user must trust the CA that issued the certificate to the server. As a result, the user must import the CA root certificate into his or her web browser.

Note: Many CA root certificates are stored by default in the most commonly used web browsers.

Establish Trust Relationships (2)

Figure 164: Establish Trust Relationships (2)

If you also use SSL to authenticate your users by mutual authentication, the SAP NetWeaver AS must trust the CA that has issued certificates to the users. As a result, you need to import the trusted CA root certificates into the SSL server PSE. In this case, you have to import the certificates into only one SSL server PSE; the list of trusted CAs is distributed to all SSL server PSEs, regardless of their type. Some CA root certificates are delivered with the SAP NetWeaver AS in the Trust Manager's certificate database. The SAP NetWeaver AS is now ready to use SSL for connections where the SAP NetWeaver AS is the server component.

Roadmap to Create SSL Client PSE

Figure 165: Roadmap to Create SSL Client PSE

The figure illustrates the roadmap to create the SSL client PSEs.

Creating the Standard SSL Client PSE

Figure 166: Creating the Standard SSL Client PSE

In addition, use the Trust Manager transaction STRUST to maintain the SSL client PSEs. Use the as the CN part of the DN. If the server functions as a client component for connections where SSL is used, create a certificate request and send it to your CA. Import the corresponding response into the standard SSL client PSE. Establish trust relationships by importing the CA root certificates from CAs that you trust into the PSE's certificate list.

Create the Anonymous SSL Client PSE

Figure 167: Create the Anonymous SSL Client PSE

The anonymous SSL client PSE is optional. You need this PSE only for connections where the SAP NetWeaver AS is not to be authenticated. The CN part of the DN is automatically determined by the system as CN = anonymous.

Because the SAP NetWeaver AS is not authenticated when using this PSE, you do not need a certificate signed by a CA, so you can skip the certificate request handling steps. However, you still need to establish the trust relationships: import the trusted CA root certificates into this PSE's certificate list.

Create an Individual SSL Client PSE

Figure 168: Create an Individual SSL Client PSE

To create an individual SSL client PSE, perform the following steps:
1. Make an entry in the SSL client identity table by choosing Environment → SSL Client Identities in the Trust Manager menu to access the table.
2. Create the SSL client PSE for the new entry. There are no restrictions on the DNs for individual SSL client PSEs.
3. After creating the SSL client PSE(s), restart the ICM.

Assign Connection with SSL Client PSE

Figure 169: Assign Connection with SSL client PSE

Create the HTTP connection using transaction SM59. The types of HTTP connection are as follows:
● Type G – To a different web server
● Type H – To another SAP NetWeaver AS

Under Technical Settings, specify the host, URL, and HTTPS port to use for the target system. Under Logon/Security, specify the authentication method to use for the logon as follows:
1. Specify the logon method for SAP NetWeaver AS connections of type H:
   ● If SSL client authentication is to be used, select Basic Authentication.
   ● Otherwise, select SAP Standard or SAP Trusted System.
2. Activate SSL and specify the SSL identity to use for the connection.
3. Specify the language or target client, if these values differ from the default values.
4. Maintain the user mapping in the target system using table USREXTID if you want Single Sign-On (SSO) to another SAP NetWeaver AS. This table maps the DN of the client SAP NetWeaver AS to the user ID used for the connection.
5. Test the connection.

Enable SSL on the SAP NetWeaver AS Java

Figure 170: Roadmap for Configuring SSL for AS Java

The figure provides an overview of how to enable SSL for SAP NetWeaver AS Java up to release 7.02.

LESSON SUMMARY
You should now be able to:
● Explain Secure Socket Layer (SSL)

Unit 4 Learning Assessment

1. Which of the following layers is often combined with the transport layer and is known for establishing and maintaining communication channels? Choose the correct answer.
A Application layer
B Presentation layer
C Network layer
D Session layer

2. When you enable Secure Network Communication (SNC) on SAP NetWeaver AS, the environment variable SECUDIR should be set to the location of the license ticket. Determine whether this statement is true or false.
True
False

3. Which of the following types of Secure Socket Layer (SSL) server Personal Security Environments (PSE) can be used by hosts? Choose the correct answers.
A Standard
B Anonymous
C Individual
D Shared

Unit 4 Learning Assessment - Answers

1. Which of the following layers is often combined with the transport layer and is known for establishing and maintaining communication channels? Choose the correct answer.
A Application layer
B Presentation layer
C Network layer
D Session layer

2. When you enable Secure Network Communication (SNC) on SAP NetWeaver AS, the environment variable SECUDIR should be set to the location of the license ticket. Determine whether this statement is true or false.
True
False

3. Which of the following types of Secure Socket Layer (SSL) server Personal Security Environments (PSE) can be used by hosts? Choose the correct answers.
A Standard
B Anonymous
C Individual
D Shared

UNIT 5
Single Sign-On in SAP Systems

Lesson 1 Implementing Single Sign-On (SSO) in SAP Systems
Exercise 6: Check Logon Procedure of ICF Service
Exercise 7: Activate HTTP Security Sessions

UNIT OBJECTIVES
● Explain Single Sign-On (SSO) in SAP systems

Unit 5 Lesson 1 Implementing Single Sign-On (SSO) in SAP Systems

LESSON OVERVIEW
This lesson explains the configuration of Single Sign-On (SSO) for SAP NetWeaver Application Server (SAP NetWeaver AS)-based systems. The lesson also explains how to secure SAP NetWeaver AS.

Business Example
You need to configure SSO for SAP NetWeaver AS-based systems. For this reason, you require the following knowledge:
● An understanding of SSO
● An understanding of how user authentication and SSO work
● An understanding of Security Assertion Markup Language (SAML) 2.0
● An understanding of session handling
● An understanding of how to check the logon procedure of the Internet Communication Framework (ICF) service
● An understanding of how to activate HTTP security sessions

LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Explain Single Sign-On (SSO) in SAP systems

Lesson: Implementing Single Sign-On (SSO) in SAP Systems

SSO Overview

Figure 171: Password Frenzy

Users access multiple systems, including SAP and non-SAP systems. Some systems reside in a dedicated network zone in the intranet, but many systems reside on different networks or on the Internet. Users need different IDs and passwords to access these systems, and each of these systems also enforces its own password policy. For example, in the SAP HR system, the user needs to change his or her password every 30 days. In another system, the user might need to change his or her password every 90 days. In yet another system, the user might not need to change his or her password regularly at all. As a result, users often forget their passwords, which means that the administrator constantly has to reset passwords. Situations like these lead to password frenzy.

Unit 5: Single Sign-On in SAP Systems

Solution to Password Frenzy - SSO

Figure 172: Solution to Password Frenzy - SSO

The solution to the problem of password frenzy is SSO. SSO allows users to access multiple systems based on a single authentication.

User Authentication and SSO

The Application Server ABAP (AS ABAP) and the Application Server Java (AS Java) are the underlying technologies for authenticating users with SAP NetWeaver. The following table provides an overview of the mechanisms available for each application server and indicates whether the mechanism is used directly for user authentication or for SSO:

Mechanism | User Authentication | SSO | AS ABAP | AS Java
User ID and password | x | – | x | x
Secure Network Communications (SNC); for example with SAP NetWeaver SSO | x | x | x | x
SAP Logon Tickets | – | x | x | x
Secure Socket Layer (SSL) and X.509 client certificates | x | x | x | x
SAML 1.x | – | x | x | x
SAML 2.0 | x | x | As of release 7.02 | As of release 7.20
Java Authentication and Authorization Service (JAAS) | x | x | – | x

For authentication on an SAP NetWeaver AS that allows SSO for other systems, you can have the system issue logon tickets to the users. The user can then access other systems using the logon ticket as the authentication token instead of having to repeatedly enter his or her user ID and password. SAML is a standard that defines a language to exchange security information between partners. The SAML standard is driven by the Organization for the Advancement of Structured Information Standards (OASIS). SAML uses assertions that contain statements about subjects, authentications, authorizations, and attributes. The SAML Token Profile is developed by the OASIS Web Services Security (WS-Security) Technical Committee as a standard to integrate and use SAML for WS-Security. Although both the SAML token profile and the SAML browser artifact use the SAML standard

Unit 5 Exercise 6 Check Logon Procedure of ICF Service

Check the logon procedure of the ICF service. In transaction SICF, display any ICF service and check the logon procedure that is configured.

1. Log on to your AS ABAP system using SAP GUI for Windows. Use transaction SICF to check the logon procedure for any ICF service. For example, you can check the service DemoDynamic at path /default_host/sap/bc/webdynpro/sap/.

Hint: Please note that the service settings are inherited.
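Added example (not from the handbook) of the checks a relying party runs on a SAML 2.0 assertion, as described in the SSO section above, before accepting it as an SSO token: trusted issuer, signature present, validity window with clock skew, audience restriction, and one-time use of the assertion ID. The assertion, the issuer and the audience URLs are constructed; the signature is only checked for presence, because verifying an XML signature requires an XML-DSig library that this example does not assume.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder; a real assertion carries the issuer's XML-DSig signature here
SIGNATURE_XML = "<ds:Signature><ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue></ds:Signature>"

# Constructed sample assertion (issuer, audience, subject and times are made up)
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1b2c3" Version="2.0" IssueInstant="2017-03-20T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  {SIGNATURE_XML}
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-03-20T10:00:00Z" NotOnOrAfter="2017-03-20T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/sap/bc</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2017-03-20T09:59:58Z"/>
</saml:Assertion>"""


def parse_time(value):
    """SAML timestamps are UTC in xsd:dateTime form; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    def __init__(self, trusted_issuer, audience, skew=timedelta(seconds=60)):
        self.trusted_issuer = trusted_issuer
        self.audience = audience          # this service provider's own entity ID
        self.skew = skew                  # tolerated clock difference to the IdP
        self.seen_ids = set()             # replay cache: each assertion ID is accepted once

    def validate(self, xml_text, now):
        """Return (ok, reason, subject); the first failing check decides."""
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return False, "malformed XML", None
        if root.tag != f"{{{NS['saml']}}}Assertion" or root.get("Version") != "2.0":
            return False, "not a SAML 2.0 assertion", None
        if root.find("ds:Signature", NS) is None:
            return False, "unsigned assertion", None
        issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
        if issuer != self.trusted_issuer:
            return False, f"untrusted issuer {issuer!r}", None
        cond = root.find("saml:Conditions", NS)
        if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
            return False, "missing validity window", None
        if now + self.skew < parse_time(cond.get("NotBefore")):
            return False, "assertion not yet valid", None
        if now - self.skew >= parse_time(cond.get("NotOnOrAfter")):
            return False, "assertion expired", None
        audiences = [(a.text or "").strip() for a in cond.iterfind(".//saml:Audience", NS)]
        if self.audience not in audiences:
            return False, "audience mismatch", None
        assertion_id = root.get("ID")
        if not assertion_id or assertion_id in self.seen_ids:
            return False, "replayed or unidentified assertion", None
        self.seen_ids.add(assertion_id)
        subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
        return True, "ok", subject


if __name__ == "__main__":
    v = AssertionValidator("https://idp.example.com/saml2", "https://sp.example.com/sap/bc")
    print(v.validate(ASSERTION_XML, parse_time("2017-03-20T10:01:00Z")))
    print(v.validate(ASSERTION_XML, parse_time("2017-03-20T10:01:00Z")))   # second use is rejected
```

The order of the checks matters: the signature must be verified before any content is trusted, and the audience check is what stops an assertion issued for one service provider from being presented to another.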

© Copyright . All rights reserved.

Unit 5 Solution 6 Check Logon Procedure of ICF Service

Business Example


Figure 184: SAP SOS Offerings

Lesson: Monitoring and Analyzing Security with SAP Solution Manager

SAP router:
● Saprouttab check

SAP NetWeaver Application Server:
● External authentication check
● Operating system access check
● SNC check
● Java landscape check
● Configuration check
● SSL check
● Administration check





Hint: For more information, refer to the following SAP Notes:
● SAP Note 696478 – SAP Security Optimization: Preparation and Additional Info
● SAP Note 837490 – Execution of the Security Optimization Self Service

Unit 6: Security Monitoring with SAP Solution Manager

SAP SOS Process Flow

Perform the following steps to run the Security Optimization Self Service:
1. Schedule an automated data collection and transfer by creating an SAP SOS session in SAP Solution Manager.
2. Generate an ST14 SOS download as a secondary data source and send it to SAP Solution Manager.
3. Fill in the SAP SOS questionnaire to focus the report on real findings. For example, you can exempt known super users from the report.
4. Run the session that automatically generates all the results.
5. Generate the SAP SOS report.
6. Evaluate the findings and recommendations and take corrective measures for the analyzed system.
7. Derive input for your general SAP security policy and initiate proper security monitoring, for example, as supported by configuration validation.

Figure 185: SAP SOS Process Flow

SAP EWA

SAP EWA is a special service in SAP Solution Manager that offers a regular proactive system diagnosis. SAP EWA makes it possible to identify standard problems before they turn into acute problems. SAP EWA recommends suitable countermeasures in the resulting reports. The SAP EWA family includes the following types:
● SAP EWA on each of the production systems
● SAP EWA on SAP Solution Manager as a remote service

SAP EWA is a diagnosis that monitors the most important business processes and systems. It helps to identify potential problems at an early stage, avoid bottlenecks, and monitor the performance of your systems. Using this mechanism, you can validate the security status on a weekly basis for a predefined set of parameters. The SAP EWA report also displays an alert when security-critical SAP Notes are missing or are not applied on the analyzed system. SAP EWA is included in the maintenance agreement with SAP at no extra cost. By running and monitoring SAP EWA, you can increase stability, performance, and security for your entire solution landscape. SAP EWA monitors solutions in SAP and non-SAP systems in SAP Solution Manager. SAP Solution Manager processes the downloaded data from SAP or non-SAP systems. You can display the EarlyWatch report as an HTML document. You can also create the report as a Microsoft Word document. You can use these documents as status reports to analyze and avoid potential problems.

Caution: SAP strongly recommends that you activate SAP EWA for all productive systems.

EarlyWatch Report

The EarlyWatch report analyzes system security in terms of authorization and therefore covers the following topics:
● SAP Security Notes about ABAP and Kernel Software Corrections
● Default Passwords of Standard Users
● Password Policy
● Gateway and Message Server Security
● Users with Critical Authorizations

For these topics, refer to SAP Note 863362 – Security Checks in SAP EWA. The data collection and transfer for all remote sessions can be performed automatically. SAP EWA informs the customer about any problems with data collection. For processing and evaluation, relevant data is sent from the satellite systems to the central SAP Solution Manager system. SAP EWA for satellite systems also forms the basis for further analysis. If the overall rating of SAP EWA is red, the service results are automatically sent to SAP Support. If all sections are rated yellow or green, the results are sent to SAP Support once every four weeks. The transferred data includes only technical data with nonsensitive content, which is transparent and manageable in transaction SDCCN.


If SAP EWA displays red flags, it triggers further services. Depending on the status of your system, the triggered services can include the SAP EarlyWatch Check. The SAP EarlyWatch Check is performed over a remote connection by a technical service engineer. During the service, the service engineer analyzes the system, diagnoses particularly complex problems, and develops solutions for these problems. Each productive system is entitled to a maximum of two SAP EarlyWatch checks per year within the maintenance agreement with SAP (valid for SAP customers with Standard Support agreement).

The Service Data Control Center, which can be entered by transaction SDCC, is a service tool that provides an overview of the planned service sessions. It carries out data collection in the SAP system. The collected data is then transferred to either the user’s own SAP Solution Manager system or SAP. The results of SAP EWA are the prerequisites for other SAP services. Examples of SAP services that use the results of SAP EWA as prerequisites are as follows:
● SAP GoingLive Check
● SAP GoingLive Functional Upgrade Check
● SAP EarlyWatch Check

The main prerequisites for using SAP EWA are as follows:
● You have made the settings required in SAP Solution Manager Customizing for SDCCN and SAP EWA.
● You have set up your systems in a solution landscape in SAP Solution Manager.
● You have set up the SDCCN in the solution landscape systems.
● You have put the systems in a solution, and there is a remote connection between the SAP component and SAP Solution Manager.
● Your SAP system is at least on the minimum release: any SAP NetWeaver or SAP Web AS release for the ABAP stack, J2EE Engine 6.40 for the Java stack, or release 3.0D for SAP R/3.

The ABAP stack requires the monitoring jobs to be configured correctly. Check this configuration by implementing SAP Note 69455, running report RTCCTOOL, and following the instructions. The Java stack requires that you set up Solution Manager Diagnostics and implement SAP Note 976054.

You can set up SAP EWA using the following steps:
1. Run transaction SOLMAN_WORKCENTER and choose the System Monitoring tab page.
2. In the left pane, choose Setup.
3. Choose Setup EarlyWatch Alert on the EarlyWatch Alert Administration tab page.
4. Set up SAP EWA monitoring data collection per system or per solution.
5. Select fields according to your requirements.

Hint: For more information, refer to the following SAP Notes:
● SAP Note 1257308 – FAQ: Using EarlyWatch Alert
● SAP Note 976054 – Availability of EWA for Non-ABAP components
● SAP Note 1040343 – EarlyWatch Alert (EWA) for Solutions
● SAP Note 207223 – SAP EarlyWatch Alert processed at SAP

SAP EWA – Example

Figure 186: SAP EWA – Example

The figure shows an example of SAP EWA.

INTERACTIVE ELEMENT: Chat 1. What is an EarlyWatch report?

System Recommendations

System recommendation is a functionality in SAP Solution Manager that focuses on SAP Notes. It provides a tailored recommendation of Notes that should be applied to a selected managed system. This recommendation is calculated based on the actual Notes status of the system. Questions such as, “Is a specific SAP Note already implemented in the system?”, “Which version do the implemented Notes have?”, or “Are more recent versions available?” are taken into account when calculating the recommendation for a system. System recommendation collects the necessary information from the managed systems through a background job that must be scheduled on a regular basis. A refresh of the previously calculated information for a specific system can also be started directly. The calculation is carried out in SAP’s Global Support Backbone, which means that no load is generated on the SAP Solution Manager system or on the managed system. System recommendations are divided into the following categories:
● Security-relevant Notes
● Performance Notes
● HotNews
● Legal change Notes
● Correction Notes (for ABAP and Java)

Based on the calculated recommendations, you can set various statuses for the recommended Notes. You can specify the statuses for the Notes, such as to be implemented, not relevant, or postponed. This, in combination with a filter displaying only Notes with a certain status, provides an overview of all the recommendations and helps you to keep track of tasks assigned based on the recommendations.

Figure 187: System Recommendations Architecture

System Recommendation Scenario

To show a detailed example of how to work with system recommendations, assume this situation: a system and security engineer who is responsible for several SAP systems wants to ascertain which patches that SAP released on the monthly patch day are relevant to the security of his system(s). The following steps show how system recommendations help in accomplishing this task:
1. The engineer enters the Change Management work center in the company's SAP Solution Manager system and opens the System Recommendations functionality.
2. To obtain the exact recommendation, the engineer first selects the company’s solution. This shows a list of product systems that are a part of this solution.
3. The engineer then selects the relevant product system. This results in a list of technical systems (ABAP and Java) for this product system.
4. As the recommendations are based on technical systems, the engineer now selects a technical system.
5. The engineer is able to select a filter on the application component(s) to further limit the number of recommended SAP Notes. In this example, no filter on application components is set. To start the calculation of the recommendation, the administrator chooses Apply filter.
6. If the background job for collecting information from the managed systems has already collected some data, this data is transferred to SAP. At SAP, the actual calculation takes place, and the result is sent back to the customer’s SAP Solution Manager.
7. If the background job has not yet run or is not scheduled, the engineer either chooses Refresh to directly start the collection of information or uses the Settings menu to start the background job for data collection.

The recommendation is then displayed in the lower part of the window. The list of recommended Notes can be ordered by application component (this is the default setting) or by software component. To change the view, use the View dropdown menu directly above the list of recommended Notes. When using the software component view, one of the following characteristics is displayed for every Note:
● SP relevant: this Note is relevant for the system because the Note's SP level exactly matches the Support Package level of the SAP system.
● SP independent: this Note can be relevant for the system because the software component and the release match, but the exact SP level cannot be checked.

System Recommendations – Security Notes

The security engineer finds all the security-relevant SAP Notes on the Security Notes tab page. To get more information on the recommended SAP Notes, the engineer searches each for every Note. After tracking all security-relevant Notes that need to be implemented, the engineer can filter for a specific status to keep the list view clean. For example, the filter can be for the status To be implemented, which gives a list of all SAP Notes that the engineer has flagged for implementation. With this list, the engineer can start implementing the Notes with transaction SNOTE.

Figure 188: System Recommendations – Security Notes

System Recommendations and Java Patches

System recommendations can also be used for Java systems. The procedure is exactly the same as the procedure described for security Notes. The only difference is that the Java patch Notes are displayed only on the Correction Notes tab page. With the Add to download basket pushbutton, you can directly add the Java patches containing the selected Notes to the download basket in SAP Service Marketplace. Integration with Maintenance Optimizer to approve the download basket is also available.

Integration of SAP Notes with Change Request Management

For customers using the Change Request Management functionality in SAP Solution Manager, system recommendations provide integration with Change Request Management. This functionality enables you to trigger a Request for Change for the SAP Notes selected for implementation.

Integration of SAP Notes into Change Request Management – Prerequisites

System recommendation is delivered as of SAP Solution Manager 7.0 SPS26. This functionality is available within the Change Management work center (transaction codes SOLMAN_WORKCENTER or SM_WORKCENTER). Therefore, access to the work centers is a prerequisite. To ease data collection and to speed up delta calculation, a background job can be scheduled, which automatically collects all the needed information from the managed systems. To control access to system recommendations, the authorization object SM_TABS (in SAP Solution Manager 7.0) or SM_FUNCS (in SAP Solution Manager 7.1) can be used to grant or deny access to different tab pages of system recommendations. Before using system recommendations, SAP strongly recommends that you implement SAP Notes 1554475 and 1577059. SAP also recommends that you configure SAP Solution Manager for automatic update checks. For troubleshooting, check the application log AGS_SR to see the configuration and check logs. In case of any problem, create a customer message under component SV-SMG-SR (System Recommendations for Managed Systems).

Configuration Validation

With configuration validation within SAP Solution Manager, SAP offers a tool to validate various kinds of software configuration items. This tool uses a single configuration item repository within SAP Solution Manager to help standardize and harmonize configuration items within the ABAP and Java systems. Configuration validation uses the centrally stored configuration data to validate a large number of systems by using a subset of the collected configuration data for each system. Typical questions to consider while performing configuration validation:
● Have any template configurations for SAP applications or database parameters been applied to all systems?
● Has it been validated that no kernel release older than six months is present on any of the systems?
● Have the security policies been applied?
● Are the security default settings in place?
● Are all systems on a certain operating system patch level or database patch level?

To answer these questions, a target system is defined as a reference system for comparing values. This system can either be a real system or a virtual set of manually maintained configuration items. Based on this reference, the settings are compared in a consistency check. Additional predefined checks, which are not only consistency based, are performed for some settings. Examples of such settings include STANDARD_USERS and the Gateway configuration. The checks that are part of the standard configuration stores are as follows:
● Whether failed transports can be identified (ABAP_TRANSPORTS).
● Whether rules for profile parameters can be defined using number ranges and comparison operators.
● Whether regular expressions can be used for checks of the SAP Gateway configuration files.
● Whether checks for the status of STANDARD_USERS can be performed.
● Whether the configuration store ABAP_NOTES allows you to check for software dependencies of SAP Notes. Previously applied SNOTE Notes are included in the ABAP_NOTES configuration store.

Online recommendations from the EWA/RSECNOTE are directly imported. Note that dependencies are defined towards component, release, and Support Package, respective to the Kernel patch. If a Note has not been applied, a hint, such as “note should be applied” or “not relevant”, is shown.
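The reference-system comparison described above, as an added illustration in Python (not SAP's configuration validation tool): a reference rule set plays the "target system", profile parameters are checked with comparison operators and number ranges, gateway secinfo lines are checked with regular expressions, standard users with default passwords are flagged, and each managed system gets a rating. The parameter names are real SAP profile parameters; the thresholds, system IDs and values are constructed sample data.

```python
import operator
import re

# Reference ("target system") rules for profile parameters: a comparison operator
# or an inclusive number range. Thresholds are constructed for this example.
REFERENCE_RULES = {
    "login/min_password_lng": (">=", 8),
    "login/fails_to_user_lock": ("range", (3, 5)),
    "login/password_expiration_time": ("range", (1, 90)),
    "gw/acl_mode": ("==", 1),
}
OPERATORS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, "!=": operator.ne}

# Every gateway secinfo line must match one of these regular expressions; a
# permit line with a wildcard user or host matches none and becomes a finding.
SECINFO_ALLOWED = [
    re.compile(r"^#"),    # comments and the #VERSION line
    re.compile(r"^D\s"),  # explicit deny lines
    re.compile(r"^P\s+TP=\S+\s+USER=[^*\s]+\s+HOST=[^*\s]+(\s+USER-HOST=\S+)?$"),
]

def check_parameter(name, actual, rule):
    """Return a finding string, or None if the value satisfies the rule."""
    op, expected = rule
    if op == "range":
        low, high = expected
        return None if low <= actual <= high else f"{name}={actual} outside {low}..{high}"
    return None if OPERATORS[op](actual, expected) else f"{name}={actual!r} violates {op} {expected!r}"

def check_secinfo(lines):
    """Return the secinfo lines that match no allowed pattern."""
    return [ln for ln in lines if not any(p.match(ln) for p in SECINFO_ALLOWED)]

def validate(system):
    """Rate one system: default passwords and open gateway rules red, parameter deviations yellow."""
    findings = []
    for name, rule in REFERENCE_RULES.items():
        if name not in system["parameters"]:
            findings.append(("yellow", f"{name} not set"))
        else:
            f = check_parameter(name, system["parameters"][name], rule)
            if f:
                findings.append(("yellow", f))
    for line in check_secinfo(system["secinfo"]):
        findings.append(("red", f"gateway secinfo permits too much: {line}"))
    for user in system["standard_users_default_pw"]:
        findings.append(("red", f"standard user {user} still has its default password"))
    order = ["green", "yellow", "red"]
    rating = max((sev for sev, _ in findings), key=order.index, default="green")
    return rating, [text for _, text in findings]

SYSTEMS = {  # constructed sample data for three managed systems, not real systems
    "DEV": {"parameters": {"login/min_password_lng": 8, "login/fails_to_user_lock": 5,
                           "login/password_expiration_time": 60, "gw/acl_mode": 1},
            "secinfo": ["#VERSION=2", "P TP=rfcexec USER=batchuser HOST=apphost1"],
            "standard_users_default_pw": []},
    "QAS": {"parameters": {"login/min_password_lng": 6, "login/fails_to_user_lock": 5,
                           "login/password_expiration_time": 0, "gw/acl_mode": 1},
            "secinfo": ["#VERSION=2", "P TP=rfcexec USER=batchuser HOST=apphost1"],
            "standard_users_default_pw": []},
    "PRD": {"parameters": {"login/min_password_lng": 8, "login/fails_to_user_lock": 5,
                           "login/password_expiration_time": 90},
            "secinfo": ["#VERSION=2", "P TP=* USER=* HOST=*"],
            "standard_users_default_pw": ["SAP*"]},
}

def validate_all(systems=SYSTEMS):
    """Rate every managed system against the reference; returns {SID: rating}."""
    return {sid: validate(s)[0] for sid, s in systems.items()}
```

In the sample data DEV rates green, QAS yellow (short minimum password length, no password expiration) and PRD red (gw/acl_mode not set, wildcard secinfo rule, SAP* with default password).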

Hint: The prerequisites for configuration validation are as follows:
● SAP Solution Manager with SPS18 in place
● BI Content 704 with batch level 1
● SAP Solution Manager with EHP 1

To access configuration validation in SAP Solution Manager, choose one of the following paths:
● Through direct URL – http:////sap/bc/webdynpro/sap/ags_workcenter/
● Change Management → Configuration Validation → Maintenance/Reporting

The advantages of configuration validation are as follows:
● Validation of content deliverables: The configuration validation tool validates the content deliverables at the platform, database, and application levels.
● Easy implementation: The configuration validation tool provides predefined reports and templates to ease implementation and minimize efforts for setup and customization.
● Flexible reference configurations: The configuration validation tool provides flexible reference configurations based on existing system configurations, customer-defined configurations or baselines, and Customizing functionalities.
● Wide range of reporting functionalities: The configuration validation tool provides a wide range of reporting functionalities that are accessible from a central entry point and are executed in the browser. The tool also provides interactive drill-down and filter functions, as well as rating, broadcasting, and export functionalities.

Configuration Validation – Result

Figure 189: Configuration Validation – Result

The figure shows the result of configuration validation.

LESSON SUMMARY
You should now be able to:
● Monitor security with SAP Solution Manager
● Analyze security with SAP Solution Manager


Unit 6 Learning Assessment

1. Which of the following tools enable you to uncover missing security configurations?
Choose the correct answer.
A System recommendations
B EarlyWatch Alert
C Configuration validation
D SAP Security Optimization Service

2. In SAP Security Optimization Services (SAP SOS), the previously implemented SAP Notes can be viewed in the ___________ data store.
Choose the correct answer.
A ABAP_NOTES
B SNOTE
C Performance Notes
D Correction Notes

Unit 6 Learning Assessment - Answers

1. Which of the following tools enable you to uncover missing security configurations?
Choose the correct answer.
A System recommendations
B EarlyWatch Alert
C Configuration validation
D SAP Security Optimization Service

2. In SAP Security Optimization Services (SAP SOS), the previously implemented SAP Notes can be viewed in the ___________ data store.
Choose the correct answer.
A ABAP_NOTES
B SNOTE
C Performance Notes
D Correction Notes
