Security Optimization Service

In SAP solution manager there is a free out-of-the-box tool available to quickly scan for security items in your system: the Security Optimization Service.

Questions that will be answered in this blog are:

  • How to run the Security Optimization Service?
  • How does the questionnaire work?
  • What does a sample result look like?

How to run Security Optimization Service

In Solution Manager 7.2 go to the tile Active Sessions for Service Delivery:

Service delivery Sessions

You now arrive in the sessions overview screen:

Sessions overview

If you are using the tool for the first time, hit the button Content Update to fetch the latest content from SAP. When that is done, you are ready to run.

Select the Create button to make a new service. From the list choose the option SAP Security Optimization:

New security optimization service

Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:

Select system

Finish the roadmap. After the final step the detailed roadmap will appear:

Security optimization session roadmap

In the first step select the logon and test the connection:

Select system logon

In the next step you need to assign a questionnaire:

Create and assign questionnaire

If you have run the SOS before, you can re-use or change the template. The first time you need to create the questionnaire:

Questionnaire maintenance

In the questionnaire you can maintain whitelists. In the example above a user from the basis team is added to the list of system administrators. These users will no longer appear in the report as exceptions.

More background information on the questionnaire and its impact on the results can be found in OSS note 2036188 - How questionnaire influences results of Security Optimization Service.

Save the questionnaire and return to the roadmap.
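To make the whitelist effect concrete, here is a small model of what the questionnaire does to a list of findings. This is an added illustration, not SAP's code or the logic of the SOS itself: the findings, the check IDs ADM1/ADM2, the section names and the mapping from checks to questionnaire sections are all constructed assumptions (the real assignment is described in OSS note 2036188). The point it shows is that a user whitelisted in one section stays reported by checks that belong to other sections, and that whitelist entries for users who no longer show up anywhere are worth pruning.

```python
"""Model of how a questionnaire whitelist changes SOS exceptions.

Constructed illustration, not SAP's code: the findings, the check IDs and the
section-to-check mapping below are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str  # SOS check id; "0013" is named on the page, ADM1/ADM2 are constructed
    user: str   # SAP user ID reported by the check


# Which questionnaire section whitelists which checks. Assumed mapping for the
# example only; the real assignment is documented in OSS note 2036188.
SECTION_FOR_CHECK = {
    "ADM1": "system_administrators",   # constructed check id
    "ADM2": "system_administrators",   # constructed check id
    "0013": "user_data_table_access",  # check named on the page
}


def apply_questionnaire(findings, questionnaire):
    """Return (exceptions, suppressed).

    A finding is suppressed only when its check belongs to a questionnaire
    section and the user is whitelisted in that same section. A user listed
    as system administrator is therefore still reported by checks that
    belong to other sections.
    """
    exceptions, suppressed = [], []
    for finding in findings:
        section = SECTION_FOR_CHECK.get(finding.check)
        if section and finding.user in questionnaire.get(section, set()):
            suppressed.append(finding)
        else:
            exceptions.append(finding)
    return exceptions, suppressed


def stale_whitelist_entries(findings, questionnaire):
    """Whitelisted users that no check reported at all.

    These are candidates to remove from the questionnaire, so a whitelist
    entry does not outlive the role that justified it.
    """
    seen = {finding.user for finding in findings}
    return {
        section: sorted(users - seen)
        for section, users in questionnaire.items()
        if users - seen
    }


# Constructed sample run: three checks, four users.
SAMPLE_FINDINGS = [
    Finding("ADM1", "BASIS01"),
    Finding("ADM2", "BASIS01"),
    Finding("ADM1", "DEVUSER7"),
    Finding("0013", "BASIS01"),
    Finding("0013", "HRCLERK"),
]

# Constructed questionnaire: BASIS01 and BASIS02 are declared system
# administrators; nobody is whitelisted for user-data table access.
SAMPLE_QUESTIONNAIRE = {
    "system_administrators": {"BASIS01", "BASIS02"},
    "user_data_table_access": set(),
}


if __name__ == "__main__":
    remaining, hidden = apply_questionnaire(SAMPLE_FINDINGS, SAMPLE_QUESTIONNAIRE)
    print("Exceptions still reported:")
    for finding in remaining:
        print(f"  check {finding.check}: {finding.user}")
    print("Suppressed by questionnaire:")
    for finding in hidden:
        print(f"  check {finding.check}: {finding.user}")
    print("Stale whitelist entries:", stale_whitelist_entries(SAMPLE_FINDINGS, SAMPLE_QUESTIONNAIRE))
```

Running the block shows BASIS01 dropped from the administrator checks but still listed under check 0013, and BASIS02 flagged as a whitelist entry that no check used.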

The next step is to start the data collection:

Data collection

If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Depending on your system size and speed the run will take between 5 and 60 minutes. When the run is finished, select the run and complete the roadmap.

The SOS session is now scheduled.

Results

Usually the run is done overnight and you can fetch the results the next day. Go to the active services tile, select your run and go to the column Documents. Click on the document to get the results.

An example of an SOS report can be found at this URL.

Follow up

If you find issues: solve them and rerun the report.

If you find many users with too many rights: start revoking the rights and rerun the report.

If you find basis and authorization staff in the list with rights they should have, add their user IDs to the corresponding section in the questionnaire, and rerun the report.

In general it will take a few runs to arrive at a cleaner system.

Related OSS notes

Relevant OSS notes:

2036188 – How questionnaire influences results of Security Optimization Service

2687176 – SOS: Check “Users are authorized to access tables with user data (0013)” does not take table authorization group SPWD into consideration

2743813 – SOS: “System Profiles Are Not Consistent (0153)” might get false positives

2813809 – SOS: Release dependent changes of the data collector

2860015 – Incomplete check in EWA/SOS for Message Server Access Control List