Security-relevant innovations in NetWeaver
A new Security Audit Log (SAL) was delivered with NetWeaver 7.50, SP3. SAP Note 2191612 describes the new features of the audit log.
The previous audit log has many weaknesses, such as the limited number of filters, the lack of tamper detection, the lack of archiving capabilities, and the insufficient options for specifying users to be monitored.
The new Security Audit Log (transactions RSAU_*) now offers several new functionalities:
- The logs can be stored and managed partially or completely in the database.
- The maximum number of filters per profile has been increased from 10 to 90.
- User groups can also be specified for logging or explicitly excluded.
- Integrity protection can be implemented to detect tampering with the log files.
- Audit log configurations can be exported and imported to share between different systems.
The old transactions (SM18, SM19, SM20, SM20N) will no longer be developed further. For a transitional period they remain available with their previous scope of functions; however, SAP recommends switching to the new audit log.
Another new functionality provides protection against role manipulation in production systems. Previously, role maintenance could only be restricted by not assigning the corresponding authorizations for it.
Using the switch CLIENT_SET_FOR_ROLES in table PRGN_CUST, role maintenance can now be linked to the Customizing lock that can be set for individual clients using table T000 (SAP Note 1723881).
User assignments can then still be maintained, but authorization values can no longer be changed. There are also some new features for role maintenance: mass changes are possible with transaction PFCGMASSVAL or report PFCG_MASS_VAL (SAP Note 2177996).
This includes changing organizational levels as well as field values in an authorization object or an authorization field (for different objects).
A long-term trace is also available for determining required authorizations (SAP Note 2220030, transaction STUSERTRACE). In contrast to the conventional authorization trace, the log is condensed: an authorization check that has been logged once is not recorded a second time for the user in question.
This recording is also suitable for logging the authorization checks of interface and background users. These can be recorded over a longer period of time and then automatically transferred to a role using transaction PFCG.
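The condensing rule described above, modelled in Python as an added illustration (this is not SAP code and does not reflect the internal STUSERTRACE record format). The trace events, the user names and the field values are a constructed sample; the authorization objects and field names are the standard SAP ones.

```python
from collections import OrderedDict

# Constructed sample of raw authorization-check events as a conventional
# trace would record them: one entry per check, repeats included.
# Each entry: (user, authorization object, ((field, value), ...), return code)
RAW_EVENTS = [
    ("RFC_INTF", "S_RFC", (("RFC_TYPE", "FUGR"), ("RFC_NAME", "SYST"), ("ACTVT", "16")), 0),
    ("RFC_INTF", "S_RFC", (("RFC_TYPE", "FUGR"), ("RFC_NAME", "SYST"), ("ACTVT", "16")), 0),
    ("RFC_INTF", "S_RFC", (("RFC_TYPE", "FUGR"), ("RFC_NAME", "RFC1"), ("ACTVT", "16")), 0),
    ("BATCH_01", "S_BTCH_JOB", (("JOBACTION", "RELE"), ("JOBGROUP", "*")), 0),
    ("BATCH_01", "S_BTCH_JOB", (("JOBACTION", "RELE"), ("JOBGROUP", "*")), 0),
    ("BATCH_01", "S_TABU_DIS", (("DICBERCLS", "SS"), ("ACTVT", "03")), 4),
    ("RFC_INTF", "S_RFC", (("RFC_TYPE", "FUGR"), ("RFC_NAME", "SYST"), ("ACTVT", "16")), 0),
]


def condense(events):
    """Long-term trace rule: keep each (user, object, values, rc) check once.

    A repeated identical check for the same user is dropped, which is what
    keeps a months-long trace of an interface or background user small.
    Checks with different field values or a different return code are
    different checks and are all kept, in first-seen order.
    """
    seen = OrderedDict()
    for event in events:
        seen.setdefault(event, True)
    return list(seen)


def required_authorizations(condensed, user):
    """Collapse one user's condensed checks into PFCG-style authorizations.

    Result: {object: {field: sorted values}}. Merging values per field mirrors
    how an authorization in a role is shaped; note that this is broader than
    the exact value combinations that were observed, so review it before
    transferring the trace into a role.
    """
    auths = {}
    for usr, obj, fields, _rc in condensed:
        if usr != user:
            continue
        per_field = auths.setdefault(obj, {})
        for field, value in fields:
            per_field.setdefault(field, set()).add(value)
    return {obj: {f: sorted(v) for f, v in flds.items()} for obj, flds in auths.items()}
```

Failed checks (return code other than 0) are kept in the condensed trace on purpose: for an interface user they are usually the missing authorizations the trace was started to find.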
New as of NetWeaver 7.50, SP3, is the ability to lock transactions on a client-specific basis (SAP Note 2234192). Previously, transaction locks were always valid system-wide. With transaction SM01_CUS, transactions can now also be locked for individual clients. New authorization checks are also added regularly.
For example, authorizations in the transport system can now be assigned on a system-specific basis (authorization objects S_CTS_SADM and S_SYS_RWBO). For the so-called law-critical authorizations, note the authorization objects S_RFCRAIAR (authorization for function module RFC_ABAP_INSTALL_AND_RUN) and S_SCD0_OBJ (authorization for change document objects).
The examples show the need to integrate the respective NetWeaver innovations into the existing security concepts. In addition, the security patches published every second Tuesday of the month as part of the SAP Security Patchday (support.sap.com/securitynotes) must be observed. Security notes for components in productive use must be applied promptly.