SAP Solution Manager includes a free, out-of-the-box tool to quickly scan your system for security issues: the Security Optimization Service (SOS).
Questions that will be answered in this blog are:
- How to run the Security Optimization Service?
- How does the questionnaire work?
- What does a sample result look like?
How to run the Security Optimization Service
In Solution Manager 7.2 go to the tile Active Sessions for Service Delivery:
You now arrive in the sessions overview screen:
If you are using the tool for the first time, hit the Content Update button to fetch the latest content from SAP. When that is done, you are ready to run.
Select the Create button to make a new service. From the list choose the option SAP Security Optimization:
There might be multiple entries. In that case select this one (the others won’t work):
Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:
Finish the roadmap. After the final step the detailed roadmap will appear:
In the first step select the logon and test the connection:
In the next step you need to assign a questionnaire:
If you have run the SOS before, you can re-use or change the template. The first time, you need to create the questionnaire:
In the questionnaire you can maintain whitelists. In the example above, a user from the basis team is added to the list of system administrators. Users on these lists will no longer appear in the report as exceptions.
More background information on the questionnaire and the impact can be found in OSS note 2036188 - How questionnaire influences results of Security Optimization Service.
Save the questionnaire and return to the roadmap.
Next step is to start the data collection:
If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Depending on your system size and speed, the run will take between 5 and 60 minutes. When the run is finished, select it and complete the roadmap.
The SOS session is now scheduled.
Authorizations
You need authorizations in the backend system for ST14. If these are missing, you get this message:
This refers to OSS note 696478 – SAP Security Optimization: Preparation, additions.
Results
Usually the run is done overnight and you can fetch the results the next day. Go to the active services tile, select your run and go to the column Documents. Click on the document to get the results.
An example of an SOS report can be found at this URL.
Follow up
If you find issues: solve them and rerun the report.
If you find many users with too many rights: start to revoke the rights and rerun the report.
If you find basis and authorization staff in the list with rights they should have, add their user IDs to the corresponding section in the questionnaire, and rerun the report.
In general it will take a few runs to arrive at a cleaner system.
Referring OSS notes
Relevant OSS notes:
- 2036188 – How questionnaire influences results of Security Optimization Service
- 2687176 – SOS: Check “Users are authorized to access tables with user data (0013)” does not take table authorization group SPWD into consideration
- 2743813 – SOS: “System Profiles Are Not Consistent (0153)” might get false positives
- 2813809 – SOS: Release dependent changes of the data collector
- 2860015 – Incomplete check in EWA/SOS for Message Server Access Control List
- 2918586 – SOS: ST14 data collection job issue (Runtime error catched in /SSA/EXC)
- 2927167 – EWA/SOS: Data collection issue (runtime error SAPSQL_SELECT_TAB_TOO_SMALL in GRAC_GET_ROLENAME)
- 3015620 – Security Optimization Service (SOS) Session Does Not List All Critical Users
- 3053829 – SOS: No or wrong check results about profile parameters for combined ABAP/HANADB systems
- 3228325 – EWA|SOS: “Users Authorized to Administer RFC Connections” – Too many users found
- 3261919 – Security Optimization Service (SOS) Report Missing Human Resources Section
Hello SAPTechnicalGuru,
Thanks for the great step-by-step guide on how to execute the SOS on an SAP Solution Manager that already has the Fiori tiles!
We could only find guides that showed it in older versions of the SolMan (which are quite different in some areas).
We ran into one problem however:
After executing the data collection in the backend system and transferring the results into the SolMan SOS-Session, the Word-Report document is not getting created.
In your guide you state
“Usually the run is done overnight and you can fetch the results next day.”
Are you referring to the data collection in the backend here, or do we have to run a specific job in the SolMan to create the Report file somehow?
We have run numerous SOS sessions, but the SolMan just will not create the Report document.
Thanks in advance!
Unfortunately when the report does not come out, the only thing you can do is to raise an OSS support message.
Hi, we are trying to create the SOS report and are unable to generate it even after multiple runs. Could you please let me know if you were able to fix the issue?
Hi Manoj,
You can check OSS note 1484124 – Guided Security Optimization Self Service – Prerequisites.
Also check authorizations.
If both are ok, raise a message to SAP with component SV-SMG-SER.
Hi, if I use the Security Optimization Self Service, what are the benefits for my organization?
Thanks,
Edy
Hi Edy,
If you run the SOS you get a quick overview of the main security points for your SAP system. This can help you to secure your system better and to prepare yourself in case your system is audited by either an internal or an external auditor. You can count on the fact that any decent auditor will check most of the points of the SOS.