On the SU01 user maintenance screen there is a nice tab to capture documentation for that user. But how to list all documentation for all users?
List of all user documentation
To get the user documentation listing program, apply OSS note
3113345 – SUIM | Reporting for User Documentation. This will deliver program SUIM_SHOW_USDOCU:
Run the program for your selection to get the result list:
Click on a documentation line to see all the history.
CVA is a licensed SAP tool to scan custom code for potential security issues.
CVA is built in code inspector and analysis is run via the ATC tool.
Questions that will be answered in this blog are:
What checks does CVA perform? How to activate CVA? Is CVA licensed? Where to find more information on CVA? Activating CVA
SAP CVA Code Vulnerability Analysis is a licensed tool. You need to activate it before you can use it. To activate run program RSLIN_SEC_LICENSE_SETUP:
The activation refers to OSS note
1855773 – Security checks for customer-specific ABAP programs which explains the license, restrictions, etc. Call to SAP: if you really think security is important for your customers and their custom programs, don't ask money for CVA tool, but allow free usage!
Check the bug fix OSS notes below. Apply them before your first run.
Checks in detail
The SAP CVA checks can be seen in SCI variant SLIN_SEC:
And then open the variant and click the information button for details:
A full list of checks can also be found on this
And per netweaver version the checks are listed in OSS note
1921820 – SAP Code Vulnerability Analyzer – support package planning. Setting up ATC variant and run
Start transaction ATC and press Schedule Run:
First create a new variant and refer to SCI variant SLIN_SEC:
Now schedule the run for your Z code:
The run can take a few hours.
More on ATC set up and running can be found in this
blog. Run results
Start transaction ATC and go to the results part:
Select your run:
The ATC result screen will show, but list can be very long:
Both Z programs and user exits will be shown (starting with S or X).
Press the Statistics View button top right to get a better overview:
The result list is now sorted per security item:
Don't let yourself be impressed by high numbers of the first run. Most issues are in old code: consider clean up. Focus on the priority 1 and priority 2 first. Finetune result set for priority 3 to lower the numbers.
Now you can zoom in to the issue per item by clicking on the line:
The details show the issue: hard coded user name. Clicking on the underlined code name in column Object Name will zoom into the code point to fix:
In this case hard coded break for a user. Fix is easy: delete the line of code.
It is possible to use ATC remote analysis (see
blog) for CVA. The full setup is explained in this SAP online help link. See also OSS note 2232083 – ATC/CI: SAP NetWeaver Application Server add-on for code vulnerability analysis – remote check runs – installation. Checking license usage
Run program RSLIN_SEC_LICENSE_SETUP to check license usage:
Or run this from transaction SLIN_ADMIN.
SAP reference material
Generic presentation on SAP CVA can be found on this
CVA FAQ: follow this
CVA full list of checks: follow this
CVA as part of CI/CD development pipeline: follow this
ABAP code security issues explained: follow this
link. Bug fix and improvement notes
Bug fix and improvement OSS notes:
Via ST04 SQL commands, an administrator, or hacker can fire any SQL statement provided he has the authorizations.
Once the authorizations on S_DBCON are there, any SQL can be used to read and update any table.
Firing SQL command via ST04
Start transaction ST04 and open the SQL editor in the Diagnostics section:
Now enter your SQL statement and press execute.
Result is shown:
How to avoid this?
If you don’t want people to use this function, withdraw the rights to do so. Authorization object S_DBCON is used to protect this.
Note that the SQL is fired using the SAP user of the system, not the ABAP user logged on.
The SAP password hash can be deciphered. See for example this
blog. By increasing the complexity of the hash, you can slow down this process.
Questions that will be answered in this blog are:
How can I strengthen my SAP password hash? Does it also work when I use CUA? Password hash algorithm strength
Main blog for SAP password hash algorithm is
1458262 – ABAP: recommended settings for password hash algorithms. Note 2140269 – ABAP password hash: supporting salt sizes up to 256 bits describes the actual parameter value.
In RZ11 you need to set parameter login/password_hash_algorithm to exactly this value: encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256.
Make sure you follow the correct syntax. The syntax is listed in OSS note 991968 - List of values for "login/password_hash_algorithm". If you don't do it properly, you might get the issue reported in OSS note 3043774 - Iterated salted hash is empty after having assigned or changed a password. End result
Example for a test user. Before the setting the PWDSALTEDHASH field has this value:
After change of the parameter we reset the password of the user and the hash now looks like this:
Really more complex, hence more complex to decipher: the hashes are far stronger now. It can still be cracked, but it takes far more time on either single password or large group of passwords.
The parameter only effects new passwords. Not the existing ones.
If you use
CUA, the password can be distributed from CUA. If you CUA system and connected systems are modern enough there is no issue at all. See the CUA section of OSS note 1458262 – ABAP: recommended settings for password hash algorithms.
When you run a system for longer time, you might see that users have roles assigned that are obsolete (end validity date in the past), or having a role assigned multiple times.
With the role user assignment compression program you can clean up.
Role user assignment compression program
Start program PRGN_COMPRESS_TIMES:
Select the Delete Expired Assignments to delete role assignments with validity date in the past as well.
If you want you can first run with the simulation option to see what the program will do, and run without the simulation option to perform the actual clean up.
For issues, do check notes:
Clean up on a CUA managed landscape
If you run a
CUA system, the compression program needs to run on the CUA system and not on the local system. See OSS note 1692243 – Report PRGN_COMPRESS_TIMES cannot be used in CUA.
SAP support portal is used in your company for many items: EWA’s, reporting issues, downloading software.
Protection of the accounts on SAP support portal for your company is required.
This blog will explain the setup of the security feature for mail filtering.
If you don’t set this up, your user overview will continuously show this warning:
Setting up mail filtering
Go to the
support page for mail filtering:
Use the Add Domain button to add a new domain.
Domains to add:
Your company mail domain(s) sap.com domain (for support from SAP) Domain of your supplier maintaining your SAP system, in case they use their own mail ID Background
Background of this feature can be found in OSS note
3025172 – How to add or remove email domains for my customer number – SAP ONE Support Launchpad.
If you convert your ECC system to S4HANA or upgrade a S4HANA system to a higher version, you should check the security parameters. A lot of parameters have a different recommendation in S4HANA.
Questions that are answered in this blog are:
Where can I find information on security parameter changes after S4HANA conversion or upgrade? How can I check if the changed security parameter are properly implemented in my S4HANA system? Security parameter changes S4HANA
2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM is the master note. This note contains an important excel attachment that is listing all the changes and recommendations per S4HANA target version.
This note is also referring to OSS note
2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM, in which more details are explained on the background. Checking implementation of security parameter changes in the system itself
After your upgrade to S4HANA, you can run program RSPFRECOMMENDED to check how well the security parameters are implemented:
As company you are relying on SAP to provide support and services. But how do you know if SAP is doing a good job on this part?
If an internal auditor or external auditor asks you to show or explain the elements of SAP delivered support, where do you get the information?
SAP trust center
SAP has a good site to start with this information: the
SAP trust center.
Here you can find:
Security policies Security frameworks List of sub-processors employed by SAP to provide services (sub-processor can be on infrastructure level like AWS, Azure, etc, but also manpower like Accenture, TCS, etc.) Compliance documents like SOC1, SOC2, ISO 27001, ISO 9001, etc reports (or go directly to the compliance finder)
Not all reports are public. For some you must be customer of the product or service. Some parts require acknowledgement of non-disclosure agreement before you can get the report.
Security white paper
Another good document is the
SAP security white paper.
Tables are protected for data access by the S_TABU_DIS object. An important input here is the authorization group. The relationship between tables and authorization group is stored in table TDDAT. STDDAT has functions to mass maintain and check the authorization group to table relationships.
Questions that will be answered in this blog are:
How do I find and remove inconsistent entries in TDDAT table? How do I find dangerous items in TDDAT table? Consistency check
When you start transaction STDDAT, hit the button Consistency in the first screen:
Wait for the results:
Select the entries and delete with or without transport.
Finding dangerous entries in TDDAT
In the Authorisation group there are two types of entries to check:
Space: what will happen?? Vague! &NC&: everybody can access
Select these on the first screen as input for field Authorization Group and press execute:
Select the entries you want to change and press the Assign button:
Save the result in transport.
For versions 7.40 and 7.50 you need to apply OSS note
2577419 – STDDAT | consistency check for table TDDAT to get the consistency check button.
Generic FAQ on table access:
1434284 – FAQ | Authorization concept for generic table access.
For emergency cases you might need to edit table data directly. This blog will describe the emergency edit mode of SE16N.
Questions that will be answered are:
How to get the SE16N emergency edit mode? How to enable the SE16N emergency edit mode? How to use the SE16N emergency edit mode? Getting the SE16N emergency edit mode
The SE16N emergency edit mode is standard installed as of S4HANA 2020. For older versions, you need to apply OSS note
2911103 – SE16N: Alternative edit mode. Enabling SE16N emergency mode
The SE16N emergency mode is started via transaction SE16N_EMERGENCY. This transaction is locked by default:
Please consult your security team before unlocking this powerful transaction.
Use transaction SM01_CUS to unlock the SE16N_EMERGENCY transaction. Read this blog on the use of
SM01_CUS. Use of the SE16N emergency mode
Use of the emergency mode is pretty simple. Start transaction SE16N_EMERGENCY enter the table and you are launched into edit mode immediately. Example is here for table T001:
For more different ways of direct table hacking, read this
blog. Checking usage
Checking SE16N usage is explained in this
Or configure audit log after applying/checking this OSS note:
3140539 – SAL | New event definition for change access in SE16N. Bug fix OSS notes
Bug fix note: