In SAP solution manager there is a free out-of-the-box tool available to quickly scan for security items in your system: the Security Optimization Service.
Questions that will be answered in this blog are:
- How to run the Security Optimization Service?
- How does the questionnaire work?
- How does a sample result look like?
How to run Security Optimization Service
In solution manager 7.2 go to the tile Active Sessions for Service Delivery:
You now arrive in the sessions overview screen:
If you are first time using: hit the button Content Update to fetch the latest content from SAP. When done, you are ready to run.
Select the button create to make a new service. From the list choose the option SAP Security Optimization:
There might be multiple. In that case select this one (the others won’t work):
Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:
Finish the roadmap. After the final step the detailed roadmap will appear:
In the first step select the logon and test the connection:
In the next step you need to assign a questionnaire:
If you run the SOS before you can re-use or change the template. The first time you need to create the questionnaire:
In the questionnaire you can maintain whitelist. In the example above user from the basis team is added to the list of system administrators. These users will no longer appear in the report as exceptions.
More background information on the questionnaire and the impact can be found in OSS note 2036188 - How questionnaire influences results of Security Optimization Service.
Save the questionnaire and return to the roadmap.
Next step is to start the data collection:
If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Pending on your system size and speed the run will take between 5 and 60 minutes. If the run is finished select the run and complete the roadmap.
The SOS session is now scheduled.
You need authorizations in the backend system for ST14. If that is missing you get this message:
This refers to OSS note 696478 – SAP Security Optimization: Preparation, additions.
Usually the run is done overnight and you can fetch the results next day. Go to the active services tile, select your run and go to the column Documents. Click on the document to get the results.
Example of an SOS report can be found at this URL.
If you find issues: solve them and rerun the report.
If you find many users with too many rights: start to revoke the rights and rerun the report.
If you find basis and authorization staff in the list with rights they should have, add their user ID’s to the corresponding section in the questionnaire, and rerun the report.
In general it will take a few runs to come to a more cleaned up system.
Referring OSS notes
Relevant OSS notes:
- 2036188 – How questionnaire influences results of Security Optimization Service
- 2687176 – SOS: Check “Users are authorized to access tables with user data (0013)” does not take table authorization group SPWD into consideration
- 2743813 – SOS: “System Profiles Are Not Consistent (0153)” might get false positives
- 2813809 – SOS: Release dependent changes of the data collector
- 2860015 – Incomplete check in EWA/SOS for Message Server Access Control List
- 2918586 – SOS: ST14 data collection job issue (Runtime error catched in /SSA/EXC)
- 2927167 – EWA/SOS: Data collection issue (runtime error SAPSQL_SELECT_TAB_TOO_SMALL in GRAC_GET_ROLENAME)
- 3015620 – Security Optimization Service (SOS) Session Does Not List All Critical Users
- 3053829 – SOS: No or wrong check results about profile parameters for combined ABAP/HANADB systems
- 3228325 – EWA|SOS: “Users Authorized to Administer RFC Connections” – Too many users found
- 3261919 – Security Optimization Service (SOS) Report Missing Human Resources Section