Security Optimization Service

Security optimization session

In SAP solution manager there is a free out-of-the-box tool available to quickly scan for security items in your system: the Security Optimization Service.

Questions that will be answered in this blog are:

  • How to run the Security Optimization Service?
  • How does the questionnaire work?
  • How does a sample result look like?

How to run Security Optimization Service

In solution manager 7.2 go to the tile Active Sessions for Service Delivery:

Service delivery Sessions

You now arrive in the sessions overview screen:

Sessions overview

If you are first time using: hit the button Content Update to fetch the latest content from SAP. When done, you are ready to run.

Select the button create to make a new service. From the list choose the option SAP Security Optimization:

New security optimization service

There might be multiple. In that case select this one (the others won’t work):

Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:

Select system

Finish the roadmap. After the final step the detailed roadmap will appear:

Security optimization session roadmap

In the first step select the logon and test the connection:

Select system logon

In the next step you need to assign a questionnaire:

Create and assign questionaire

If you run the SOS before you can re-use or change the template. The first time you need to create the questionnaire:

Questionaire maintenance

In the questionnaire you can maintain whitelist. In the example above user from the basis team is added to the list of system administrators. These users will no longer appear in the report as exceptions.

More background information on the questionnaire and the impact can be found in OSS note 2036188 - How questionnaire influences results of Security Optimization Service.

Save the questionnaire and return to the roadmap.

Next step is to start the data collection:

Data collection

If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Pending on your system size and speed the run will take between 5 and 60 minutes. If the run is finished select the run and complete the roadmap.

The SOS session is now scheduled.

Authorizations

You need authorizations in the backend system for ST14. If that is missing you get this message:

This refers to OSS note 696478 – SAP Security Optimization: Preparation, additions.

Results

Usually the run is done overnight and you can fetch the results next day. Go to the active services tile, select your run and go to the column Documents. Click on the document to get the results.

Example of an SOS report can be found at this URL.

Follow up

If you find issues: solve them and rerun the report.

If you find many users with too many rights: start to revoke the rights and rerun the report.

If you find basis and authorization staff in the list with rights they should have, add their user ID’s to the corresponding section in the questionnaire, and rerun the report.

In general it will take a few runs to come to a more cleaned up system.

Referring OSS notes

Relevant OSS notes:

6 thoughts on “Security Optimization Service”

  1. Hello SAPTechnicalGuru,

    thanks for the greate step-by-step guide on how to execute the SOS on a SAP Solution Manager that already has the Fiori tiles!
    We could only find guides that showed it in older versions of the SolMan (which are quite different in some areas).

    We ran into one problem however:
    After executing the data collection in the backend system and transferring the results into the SolMan SOS-Session, the Word-Report document is not getting created.

    In your guide you state
    “Usually the run is done overnight and you can fetch the results next day.”
    are you refering to the data collection in the backend here, or do we have to run a specific job in the SolMan to create the Report file somehow ?

    We have run numerous SOS sessions, but the SolMan just will not create the Report document.

    Thanks in advance!

    1. Unfortunately when the report does not come out, the only thing you can do is to raise an OSS support message.

    2. Hi, We are trying to create the SOS report and unable to generate even after multiple runs. Could you please let me know if you are able to fix the issue?

      1. Hi Manoj,

        You can check OSS note 1484124 – Guided Security Optimization Self Service – Prerequisites.
        Also check authorizations.

        If both are ok, raise a message to SAP with component SV-SMG-SER.

    1. Hi Edy,

      If you run the SOS you get a quick overview of the main security points for your SAP system. This can help you to secure your system better and to prepare yourself in case you system is audited by either an internal or an external auditor. You can count on the fact that any decent auditor will check most of the points of the SOS.

Leave a Reply to Edy Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.