Security Optimization Service

Security optimization session

In SAP solution manager there is a free out-of-the-box tool available to quickly scan for security items in your system: the Security Optimization Service.

Questions that will be answered in this blog are:

  • How to run the Security Optimization Service?
  • How does the questionnaire work?
  • How does a sample result look like?

How to run Security Optimization Service

In solution manager 7.2 goto the tile Active Sessions for Service Delivery:

Service delivery Sessions

You now arrive in the sessions overview screen:

Sessions overview

If you are first time using: hit the button Content Update to fetch the latest content from SAP. When done, you are ready to run.

Select the button create to make a new service. From the list choose the option SAP Security Optimization:

New security optimization service

Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:

Select system

Finish the roadmap. After the final step the detailed roadmap will appear:

Security optimization session roadmap

In the first step select the logon and test the connection:

Select system logon

In the next step you need to assign a questionaire:

Create and assign questionaire

If you run the SOS before you can re-use or change the template. The first time you need to create the questionaire:

Questionaire maintenance

In the questionaire you can maintain whitelist. In the example above user from the basis team is added to the list of system administrators. These users will no longer appear in the report as exceptions.

More background information on the questionaire and the impact can be found in OSS note 2036188 - How questionnaire influences results of Security Optimization Service.

Save the questionaire and return to the roadmap.

Next step is to start the data collection:

Data collection

If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Pending on your system size and speed the run will take between 5 and 60 minutes. If the run is finished select the run and complete the roadmap.

The SOS session is now scheduled.

Results

Usually the run is done overnight and you can fetch the results next day. Goto the active services tile, select your run and goto the column Documents. Click on the document to get the results.

Example of an SOS report can be found at this URL.

Follow up

If you find issues: solve them and rerun the report.

If you find many users with too many rights: start to revoke the rights and rerun the report.

If you find basis and authorization staff in the list with rights they should have, add their user ID’s to the corresponding section in the questionaire, and rerun the report.

In general it will take a few runs to come to a more cleaned up system.

Referring OSS notes

Relevant OSS notes:

2687176 – SOS: Check “Users are authorized to access tables with user data (0013)” does not take table authorization group SPWD into consideration

 

2 thoughts on “Security Optimization Service”

  1. Hello SAPTechnicalGuru,

    thanks for the greate step-by-step guide on how to execute the SOS on a SAP Solution Manager that already has the Fiori tiles!
    We could only find guides that showed it in older versions of the SolMan (which are quite different in some areas).

    We ran into one problem however:
    After executing the data collection in the backend system and transferring the results into the SolMan SOS-Session, the Word-Report document is not getting created.

    In your guide you state
    “Usually the run is done overnight and you can fetch the results next day.”
    are you refering to the data collection in the backend here, or do we have to run a specific job in the SolMan to create the Report file somehow ?

    We have run numerous SOS sessions, but the SolMan just will not create the Report document.

    Thanks in advance!

    1. Unfortunately when the report does not come out, the only thing you can do is to raise an OSS support message.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.