Blog for SAP technical guru's: SAP basis, SAP security and authorization, SAP ABAP, SAP Focused Run
security
On the SU01 user maintenance screen there is a nice tab to capture documentation for that user. But how to list all documentation for all users?
To get the user documentation listing program, apply OSS note 3113345 – SUIM | Reporting for User Documentation. This will deliver program SUIM_SHOW_USDOCU:
Run the program for your selection to get the result list:
Click on a documentation line to see all the history.
CVA is a licensed SAP tool to scan custom code for potential security issues.
CVA is built in code inspector and analysis is run via the ATC tool.
Questions that will be answered in this blog are:
SAP CVA Code Vulnerability Analysis is a licensed tool. You need to activate it before you can use it. To activate run program RSLIN_SEC_LICENSE_SETUP:
The activation refers to OSS note 1855773 – Security checks for customer-specific ABAP programs which explains the license, restrictions, etc.
Call to SAP: if you really think security is important for your customers and their custom programs, don't ask money for CVA tool, but allow free usage!
Check the bug fix OSS notes below. Apply them before your first run.
The SAP CVA checks can be seen in SCI variant SLIN_SEC:
And then open the variant and click the information button for details:
A full list of checks can also be found on this SAP blog.
And per netweaver version the checks are listed in OSS note 1921820 – SAP Code Vulnerability Analyzer – support package planning.
Start transaction ATC and press Schedule Run:
First create a new variant and refer to SCI variant SLIN_SEC:
Now schedule the run for your Z code:
The run can take a few hours.
More on ATC set up and running can be found in this blog.
Start transaction ATC and go to the results part:
Select your run:
The ATC result screen will show, but list can be very long:
Both Z programs and user exits will be shown (starting with S or X).
Press the Statistics View button top right to get a better overview:
The result list is now sorted per security item:
Don't let yourself be impressed by high numbers of the first run. Most issues are in old code: consider clean up. Focus on the priority 1 and priority 2 first. Finetune result set for priority 3 to lower the numbers.
Now you can zoom in to the issue per item by clicking on the line:
The details show the issue: hard coded user name. Clicking on the underlined code name in column Object Name will zoom into the code point to fix:
In this case hard coded break for a user. Fix is easy: delete the line of code.
It is possible to use ATC remote analysis (see blog) for CVA. The full setup is explained in this SAP online help link. See also OSS note 2232083 – ATC/CI: SAP NetWeaver Application Server add-on for code vulnerability analysis – remote check runs – installation.
Run program RSLIN_SEC_LICENSE_SETUP to check license usage:
Or run this from transaction SLIN_ADMIN.
Generic presentation on SAP CVA can be found on this link.
CVA FAQ: follow this link.
CVA full list of checks: follow this link.
CVA as part of CI/CD development pipeline: follow this link.
ABAP code security issues explained: follow this link.
Bug fix and improvement OSS notes:
Via ST04 SQL commands, an administrator, or hacker can fire any SQL statement provided he has the authorizations.
Once the authorizations on S_DBCON are there, any SQL can be used to read and update any table.
Start transaction ST04 and open the SQL editor in the Diagnostics section:
Now enter your SQL statement and press execute.
Result is shown:
If you don’t want people to use this function, withdraw the rights to do so. Authorization object S_DBCON is used to protect this.
Note that the SQL is fired using the SAP user of the system, not the ABAP user logged on.
The SAP password hash can be deciphered. See for example this blog. By increasing the complexity of the hash, you can slow down this process.
Questions that will be answered in this blog are:
Main blog for SAP password hash algorithm is 1458262 – ABAP: recommended settings for password hash algorithms. Note 2140269 – ABAP password hash: supporting salt sizes up to 256 bits describes the actual parameter value.
In RZ11 you need to set parameter login/password_hash_algorithm to exactly this value: encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256.
Make sure you follow the correct syntax. The syntax is listed in OSS note 991968 - List of values for "login/password_hash_algorithm". If you don't do it properly, you might get the issue reported in OSS note 3043774 - Iterated salted hash is empty after having assigned or changed a password.
Example for a test user. Before the setting the PWDSALTEDHASH field has this value:
After change of the parameter we reset the password of the user and the hash now looks like this:
Really more complex, hence more complex to decipher: the hashes are far stronger now. It can still be cracked, but it takes far more time on either single password or large group of passwords.
The parameter only effects new passwords. Not the existing ones.
If you use CUA, the password can be distributed from CUA. If you CUA system and connected systems are modern enough there is no issue at all. See the CUA section of OSS note 1458262 – ABAP: recommended settings for password hash algorithms.
When you run a system for longer time, you might see that users have roles assigned that are obsolete (end validity date in the past), or having a role assigned multiple times.
With the role user assignment compression program you can clean up.
Questions that will be answered in this blog are:
Start program PRGN_COMPRESS_TIMES:
Select the Delete Expired Assignments to delete role assignments with validity date in the past as well.
If you want you can first run with the simulation option to see what the program will do, and run without the simulation option to perform the actual clean up.
For issues, do check notes:
If you run a CUA system, the compression program needs to run on the CUA system and not on the local system. See OSS note 1692243 – Report PRGN_COMPRESS_TIMES cannot be used in CUA.
SAP support portal is used in your company for many items: EWA’s, reporting issues, downloading software.
Protection of the accounts on SAP support portal for your company is required.
This blog will explain the setup of the security feature for mail filtering.
If you don’t set this up, your user overview will continuously show this warning:
Go to the support page for mail filtering:
Use the Add Domain button to add a new domain.
Domains to add:
Background of this feature can be found in OSS note 3025172 – How to add or remove email domains for my customer number – SAP ONE Support Launchpad.
If you convert your ECC system to S4HANA or upgrade a S4HANA system to a higher version, you should check the security parameters. A lot of parameters have a different recommendation in S4HANA.
Questions that are answered in this blog are:
OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM is the master note. This note contains an important excel attachment that is listing all the changes and recommendations per S4HANA target version.
This note is also referring to OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM, in which more details are explained on the background.
After your upgrade to S4HANA, you can run program RSPFRECOMMENDED to check how well the security parameters are implemented:
As company you are relying on SAP to provide support and services. But how do you know if SAP is doing a good job on this part?
If an internal auditor or external auditor asks you to show or explain the elements of SAP delivered support, where do you get the information?
SAP has a good site to start with this information: the SAP trust center.
Here you can find:
Not all reports are public. For some you must be customer of the product or service. Some parts require acknowledgement of non-disclosure agreement before you can get the report.
Another good document is the SAP security white paper.
Tables are protected for data access by the S_TABU_DIS object. An important input here is the authorization group. The relationship between tables and authorization group is stored in table TDDAT. STDDAT has functions to mass maintain and check the authorization group to table relationships.
Questions that will be answered in this blog are:
When you start transaction STDDAT, hit the button Consistency in the first screen:
Wait for the results:
Select the entries and delete with or without transport.
In the Authorisation group there are two types of entries to check:
Select these on the first screen as input for field Authorization Group and press execute:
Select the entries you want to change and press the Assign button:
Save the result in transport.
For versions 7.40 and 7.50 you need to apply OSS note 2577419 – STDDAT | consistency check for table TDDAT to get the consistency check button.
Generic FAQ on table access: 1434284 – FAQ | Authorization concept for generic table access.
For emergency cases you might need to edit table data directly. This blog will describe the emergency edit mode of SE16N.
Questions that will be answered are:
The SE16N emergency edit mode is standard installed as of S4HANA 2020. For older versions, you need to apply OSS note 2911103 – SE16N: Alternative edit mode.
The SE16N emergency mode is started via transaction SE16N_EMERGENCY. This transaction is locked by default:
Please consult your security team before unlocking this powerful transaction.
Use transaction SM01_CUS to unlock the SE16N_EMERGENCY transaction. Read this blog on the use of SM01_CUS.
Use of the emergency mode is pretty simple. Start transaction SE16N_EMERGENCY enter the table and you are launched into edit mode immediately. Example is here for table T001:
For more different ways of direct table hacking, read this blog.
Checking SE16N usage is explained in this blog.
Or configure audit log after applying/checking this OSS note: 3140539 – SAL | New event definition for change access in SE16N.
Bug fix note:
