
Security-relevant innovations in NetWeaver

SAP regularly expands the functional scope of its products, also with regard to security components. Staying "up to date" is essential here, as the fundamental security of SAP systems depends on it.
Thomas Tiede, IBS
May 4, 2017
It Security
This text has been automatically translated from German to English.

A new Security Audit Log (SAL) was delivered with NetWeaver 7.50, SP3. SAP Note 2191612 describes the new features of the audit log.

The previous audit log has many weaknesses, such as the limited number of filters, the lack of tamper detection, the lack of archiving capabilities, and the insufficient options for specifying users to be monitored.

The new Security Audit Log (transactions RSAU_*) now offers several new functionalities:

  • The logs can be stored and managed partially or completely in the database.
  • The maximum number of filters per profile has been increased from 10 to 90.
  • User groups can also be specified for logging or explicitly excluded.
  • Integrity protection can be implemented to detect tampering with the log files.
  • Audit log configurations can be exported and imported to share between different systems.

The old functionality (transactions SM18, SM19, SM20, SM20N) will no longer be developed further. For a transitional period, these transactions will remain available with their previous scope of functions. However, SAP recommends switching to the new audit log.
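As an added illustration of what the tamper detection mentioned above has to provide, and not SAP's own mechanism (the article does not describe the internals of the new SAL's integrity protection): a keyed hash chain over constructed audit-style records, with the tail digest kept out of band so that deleted and truncated entries are caught as well as edited ones. Field names, key and events are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed audit-style records; the layout is illustrative, not the SAL format.
SAMPLE_EVENTS = [
    {"client": "100", "user": "ADMIN", "terminal": "WS01", "event": "logon successful"},
    {"client": "100", "user": "RFC_BATCH", "terminal": "RFC", "event": "role maintenance started"},
    {"client": "100", "user": "ADMIN", "terminal": "WS01", "event": "transaction SM01_CUS started"},
]
DEMO_KEY = b"constructed-demo-key"  # in practice kept outside the log's own storage


def _digest(key, seq, prev, record):
    # Canonical JSON so that key order or whitespace cannot change the digest.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, f"{seq}|{prev}|".encode() + body, hashlib.sha256).hexdigest()


def seal_log(key, events):
    """Chain the events; returns the entries and the tail digest to store out of band."""
    entries, prev = [], "0" * 64
    for seq, record in enumerate(events):
        mac = _digest(key, seq, prev, record)
        entries.append({"seq": seq, "prev": prev, "record": dict(record), "mac": mac})
        prev = mac
    return entries, prev


def verify_log(key, entries, expected_tail):
    """Return (True, None) if intact, else (False, index of the first broken entry)."""
    prev = "0" * 64
    for expected_seq, entry in enumerate(entries):
        if entry["seq"] != expected_seq or entry["prev"] != prev:
            return False, expected_seq  # entry deleted, inserted or reordered
        if not hmac.compare_digest(entry["mac"], _digest(key, entry["seq"], prev, entry["record"])):
            return False, expected_seq  # record contents or its MAC altered in place
        prev = entry["mac"]
    if prev != expected_tail:
        return False, len(entries)  # entries dropped from the end of the log
    return True, None


def demo_checks():
    """Seal the sample, then verify an intact, an edited, a shortened and a truncated copy."""
    entries, tail = seal_log(DEMO_KEY, SAMPLE_EVENTS)
    edited = json.loads(json.dumps(entries))
    edited[1]["record"]["user"] = "SOMEONE_ELSE"
    deleted = [e for e in entries if e["seq"] != 1]
    truncated = entries[:2]
    return (verify_log(DEMO_KEY, entries, tail), verify_log(DEMO_KEY, edited, tail),
            verify_log(DEMO_KEY, deleted, tail), verify_log(DEMO_KEY, truncated, tail))
```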

Another new functionality provides protection against role manipulation in production systems. Previously, role maintenance was restricted by not assigning the corresponding authorizations for it.

Using the switch CLIENT_SET_FOR_ROLES in table PRGN_CUST, role maintenance can now be linked to the Customizing lock that can be set for individual clients using table T000 (SAP Note 1723881).

The maintenance of user assignments is then still possible, but the maintenance of authorization values is no longer possible. There are also some new features for the maintenance of roles. Mass changes are possible with the transaction PFCGMASSVAL or the report PFCG_MASS_VAL (note 2177996).

This includes changing organizational levels as well as field values in an authorization object or an authorization field (for different objects).

A long-term trace is also available for determining required authorizations (note 2220030: transaction STUSERTRACE). In contrast to the conventional authorization trace, the logs are condensed, which means that an authorization check logged once is not recorded a second time for the user in question.

This recording is also suitable for logging the authorization checks of interface and background users. These can be recorded over a longer period of time and then automatically transferred to a role using transaction PFCG.

New as of NetWeaver 7.50, SP3, is the ability to lock transactions on a client-specific basis (note 2234192). Previously, transaction locks were always valid system-wide. With transaction SM01_CUS, transactions can now also be locked for individual clients. New authorization checks are also implemented on a regular basis.

For example, authorizations in the transport system can also be assigned on a system-specific basis (authorization objects S_CTS_SADM and S_SYS_RWBO). For the so-called law-critical authorizations, note the authorization objects S_RFCRAIAR (authorization for function module RFC_ABAP_INSTALL_AND_RUN) and S_SCD0_OBJ (authorization for change document objects).

The examples show the need to integrate the respective NetWeaver innovations into the existing security concepts. In addition, the security patches published every second Tuesday of the month as part of the SAP Security Patchday (support.sap.com/securitynotes) must be observed. Security notes for components in productive use must be applied promptly.

Thomas Tiede, IBS

Thomas Tiede is managing director of IBS Schreiber.

