SAP Basis USE OF THE SECURITY AUDIT LOG - SAP Basis

USE OF THE SECURITY AUDIT LOG
Introduction/training of the in-memory database
A secure SAP system requires more than a good role concept. It is also necessary to check whether a user should (still) have a specific role. Regular verification of role assignments is called recertification. In this blog post, I'd like to introduce you to the need for recertifications and our own tool, EasyReCert.

The need for recertification - scenarios:

Example 1: The "apprentice problem"
Imagine the following scenario: A new employee (e.g. an apprentice or trainee) goes through various departments as part of his or her training and works on various projects. Of course, an SAP user equipped with appropriate roles is made available to the employee right at the beginning. With each project and department, the employee needs new permissions to meet the requirements. After the employee has successfully completed his or her induction and is now in a permanent position, he or she still has permissions that are not necessary to perform his or her duties. This violates the principle of "least privilege" and represents a potential security risk for your company.

Example 2: The change of department
The change of department is a scenario that probably occurs in every company. If a change of department does not automatically involve a complete reallocation of roles and the employee simply takes his or her old permissions along, critical combinations of permissions can occur very quickly. For example, an employee who has permissions in both accounts payable and accounts receivable violates the SoD ("Segregation of Duties") principle and poses a potential security risk to your company.

Recertification as part of a revision:
The two examples above show that a regular review of role allocation identifies potential security risks for your business so that they can be addressed.
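The two scenarios above, expressed as a check over an exported list of role assignments. This is an added example, not code from the original post and not how EasyReCert works; the role names, the 365-day recertification interval and the sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample data: (user, role, date the assignment was last confirmed).
# Role names are hypothetical and not taken from a real system.
ASSIGNMENTS = [
    ("TRAINEE01", "Z_AP_CLERK", date(2023, 1, 10)),
    ("TRAINEE01", "Z_AR_CLERK", date(2023, 6, 1)),
    ("TRAINEE01", "Z_HR_DISPLAY", date(2024, 11, 5)),
    ("MILLER", "Z_AP_CLERK", date(2024, 10, 1)),
    ("MILLER", "Z_MM_BUYER", date(2024, 9, 15)),
]

# Role pairs one user must not hold together (SoD); hypothetical rule set
# modelling the accounts payable / accounts receivable conflict.
SOD_CONFLICTS = [frozenset({"Z_AP_CLERK", "Z_AR_CLERK"})]


def overdue_assignments(assignments, today, max_age_days=365):
    """Return (user, role, age_days) for assignments not confirmed in time."""
    findings = []
    for user, role, confirmed in assignments:
        age = (today - confirmed).days
        if age > max_age_days:
            findings.append((user, role, age))
    return sorted(findings)


def sod_violations(assignments, conflicts):
    """Return (user, role pair) for each conflicting combination a user holds."""
    roles_by_user = {}
    for user, role, _ in assignments:
        roles_by_user.setdefault(user, set()).add(role)
    findings = []
    for user, roles in sorted(roles_by_user.items()):
        for pair in conflicts:
            if pair <= roles:  # user holds every role of the conflicting pair
                findings.append((user, tuple(sorted(pair))))
    return findings


if __name__ == "__main__":
    today = date(2025, 1, 1)
    for user, role, age in overdue_assignments(ASSIGNMENTS, today):
        print(f"RECERTIFY {user}: {role} last confirmed {age} days ago")
    for user, pair in sod_violations(ASSIGNMENTS, SOD_CONFLICTS):
        print(f"SOD {user}: holds both {pair[0]} and {pair[1]}")
```
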

Using profile parameters, we can configure everything in the SAP system. Some parameters are dynamically modifiable, which means that they can be changed without restarting the system. However, these changes are not permanent, i.e. after a system restart, the pre-set profile parameters are used again. Other parameters are static: they can only be changed permanently, and only with a restart. Most profile parameters for memory allocation are actually static. However, it is possible to adapt them dynamically with the report RSMEMORY. Read how to find out if a parameter is static or dynamic and how to use the RSMEMORY report to dynamically adjust the memory allocation parameters.

RZ11 - Maintenance of profile parameters
The transaction RZ10 gives us information about profiles, which in turn contain different profile parameters. In the transaction RZ11, however, it is possible to view information about individual parameters, provided that you know their name. As you can read in our Memory Parameter Post, the following 5 parameters are particularly important for memory management:

abap/heap_area_total
abap/heap_area_dia
abap/heap_area_nondia
ztta/roll_extension_dia
ztta/roll_extension_nondia

If you don't know exactly what a parameter might be called, it's worth using the F4 help here. For example, for the parameter abap/heap_area_dia, RZ11 outputs:

[Figure: Description of the parameter abap/heap_area_dia in RZ11]

As you can see here, it is not a dynamic parameter. It is rather tedious to restart the system again and again just to test whether enough memory is available. For this purpose, there is the RSMEMORY report.

RSMEMORY - Test your memory allocation strategy

[Figure: Report RSMEMORY, report view]

No documentation or value help is available in the report itself, but the SAP documentation tells you how to use it. The report first distinguishes between dialog and non-dialog work processes. That is, in the first area you can set Extended Memory (Storage Class 1) and Heap Memory (Storage Class 2) for dialog work processes, and in the second area you can set them for non-dialog work processes.
Transaction Code Description
Each SAP Basis system must be controlled and managed by an administrator. This person is responsible for the smooth operation of the system. This can be an internal administrator or it can be handed over to external service providers.

SAP Basis refers to the administration of SAP systems, which includes activities such as installation and configuration, load balancing, and the performance of SAP applications running on the Java stack and SAP ABAP. It also includes the maintenance of different services related to the database, operating system, application and web servers in the SAP system landscape, as well as stopping and starting the system. Here you can find some useful information about SAP Basis: www.sap-corner.de.

ABAP is therefore the tool of the trade for SAP developers. ABAP programs are executed on an SAP NetWeaver application server, which in turn is operated by SAP Basis employees.

Tools such as "Shortcut for SAP Systems" are extremely useful in basic administration.

Note 97660 when capturing the problem message.

Several empirical studies were also carried out in the course of the work.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.