SAP security baseline template

This blog will explain the use of SAP security baseline template.

Questions that will be answered in this blog are:

  • Where to find the SAP security baseline template?
  • What does the SAP security baseline template cover?
  • How can I use the SAP security baseline template?

The SAP security baseline template

Background information and the current download link to the SAP security baseline template can be found in OSS note 2253549 – The SAP Security Baseline Template. Or using following path: https://support.sap.com/sos → Media Library → SAP Security Baseline Template.

Current version is 2.5 from April 2024.

The content

The security baseline template contains a large 150 page word document from SAP covering all the topics of the SAP secure operations road map:

security baseline template overview

For each topic SAP will give must do actions, recommendations, tips and best practices.

This makes the SAP security baseline document a good document for:

  1. Starting security set up for a new greenfield implementation
  2. As as check list for existing implementations

Security baseline validation

SAP Focused run has a tool called security and baseline validation. Read more in this blog.

Security baseline updates

S4HANA has a special program to check for newly updated security baseline parameters after an upgrade. Read more on this topic in this blog.

Data archiving improvement notes 2018

In 2018 SAP ran an improvement project which resulted into a set of OSS notes that will make data archiving more robust and easy.

All of these notes come with manual work. Select the ones really useful.

Archiving write process improvements

Write variant maintenance has been made easier by allowing copying of variants (useful if you have many plants and company codes and want to store each one in different archive file): 2520093 – Archive administration: Enhanced variant maintenance (writing, preprocessing, and postprocessing).

To be able to detail the written file name of the archive file implement this oss note: 2637105 – Print list for archiving write jobs: Placeholders for session numbers, archive file key in title.

Archiving storage process improvements

Archiving system technical check button is available in OAC0, but not in SARA. After applying this note you can also check it in the technical settings in SARA: 2599263 – Connection test for storage systems for archiving object.

Deletion process improvements

To be able to quickly continue with interrupted archiving sessions apply this note 2520094 – Continue: Information on existence of interrupted or incomplete archiving sessions.

This note will implement checks to warn you about uncompleted previous store and delete runs: 2586921 – Run selection for deletion: Information about the existence of unstored archive files.

Some archiving object use the AIS (archiving information system) to enable the end user a quick retrieval of archiving information. This note will give warning before start of deletion if the AIS is note active for the object: 2624077 – Starting delete jobs: Check for active info structures.

Archiving overview and logging improvement

To get a better overall overview of all logs apply OSS note 2433546 – Archive administration logs: Information about errors in hierarchy display. Showing only success message is possible after applying OSS note 2855641 – Logs: New option “Success Messages Only” for detail log.

Direct navigation to Archive File Browser: apply OSS note 2544517 – Archive administration: Direct navigation to ArchiveFileBrowser. This note only gives you a link. You can already start the archive file browser using transaction AS_AFB:

Archive file browser

Note 2823924 – Archive File Browser: Messages that do not belong to the Archive File Browser are output solves a bug in the Archive File Browser.

ANST for webapplications and FIORI

In the blog on ANST we focused on searching notes for ABAP GUI applications. This blog will focus on web application that run ABAP code in the backend (such as FIORI, BSP, webdynpro for ABAP).

Questions that will be answered in this blog are:

  • How do I use ANST for web applications?
  • What do I need to do to prepare my system for this?
  • What do I need to do for using ANST for FIORI back end recording?

System preparation for ANST for web applications

First you need to follow the instructions in OSS note 2286869 – ANST: Trace On/Off error “Dynamic Start and Stop cancelled by user” to get rid of the trace error. Unfortunately this note is not really clear. The short instruction on what to do follows now. Go to transaction FILE and search for the ANST_TRACES_GLOBAL. It should look like this:

ANST delete assignment of paths

Then select the logical file definition and delete the line for Physical path. Should look like this:

Now we are good to go for the web part recording, but not yet for FIORI.

ANST for FIORI

To use ANST for FIORI you first need to install OSS note
2605555 – ANST: Enahcement to support Fiori applications
. Please follow also the manual steps in the note very carefully.

Tip: this note contains a very good PDF attachment as manual for ANST.

Run ANST for web application

Running ANST for web applications is not very much different from running on SAP GUI. Upon start of the ANST tool select your web application (which is bit different per application):

ANST FIORI

After you now start with Execute you get a popup screen to confirm recording start:

ASNT FIORI start

After pressing start your web browser will start and you can perform the actions you want to trace. To stop go back to the ABAP screen and press the Stop Recording button:

ANST FIORI stop

The rest of the ANST processing is the same as usual.

Reference OSS notes

Reference and bug fix notes:


TAANA improvement to count dynamic subfields

SAP has done an improvement on TAANA to count dynamic subfields. This blog will explain how. More generic information on TAANA can be found in this blog.

Questions that will be answered in this blog are:

  • How to get the new TAANA function for dynamic subfields?
  • How to run TAANA dynamic subfields?

How to get the new TAANA function for dynamic subfields?

Simply apply improvement OSS note 2614476 – TAANA: Several dynamic subfields with reference to same reference field.

How to run dynamic subfields in TAANA?

We will use table JEST as example. This table as a pretty annoying setup. The main field OBJNR is in fact 2 fields: the first 2 characters are object identification, and the second part is a number for the object. But if you want to analyze how many objects type you have this is problematic with SE16.

JEST table content

In TAANA we can use the dynamic subfields. Start transaction TAANA and create an Ad Hoc Anlysis for table JEST. First hit Execute to start, enter table JEST and in this screen hit the Ad Hoc Variant button:

TAANA JEST Create Ad Hoc Variant

Now select the OBJNR field:

Ad hoc analysis with offset and subfield length

In the Offset field fill 0. And in Subfield length 2. This means take first 2 characters of field OBJNR. Press ok and start the run in the background.

The end result is a cross section with counts on the types of the first 2 characters in JEST-OBJNR:

TAANA JEST results

SE16S and SE16H

For some searches, also have a look at SE16S and SE16H.