The SAP Security Optimization Self-Service performs security checks to ensure that these requirements are met:
Systems are operational and functional at any given moment. When the target system is up and running, the self-service checks for critical authorizations that might influence the availability of the system.
Data is valid and cannot be compromised. The self-service checks for critical authorizations that might be misused to compromise data (using the developer or debugging authorization, for example).
Users are who they claim to be. The self-service checks the secure handling of super users and the quality of the password policy to ensure that every person can only use his personal logon.
Only authorized users access information. The self-service checks for critical authorizations to ensure that direct table access is extremely limited. (To ensure confidentiality of application data, however, the customer has to run additional tests.)
The system security setup is in accordance with established guidelines. The Security Optimization Self-Service can be used as part of the checks and balances needed to ensure that regulatory compliance requirements are and continue to be met.
A complete check for corporate governance and compliance — determining, for example, if a system is Sarbanes-Oxley compliant — is not within the scope of the self-service, as topics outside the security area would also need to be checked to guarantee full compliance with these requirements.
What Exactly Does the Self-Service Check For?
System Prerequisites for Executing the Security Optimization Self-Service

The system where the self-service tool resides:
- SAP Solution Manager (release 3.1 or higher), with a system landscape definition that includes the target system to be checked
- ST-SER plug-in, release 2005_1
- ST-A/PI plug-in, release 01F*, in order to collect the data in the system to be checked

The CRM, ERP, SCM, or other system where you are running the security check:
- Must be connected to SAP Solution Manager
- Current ST-PI plug-in
- Current ST-A/PI plug-in
- Implementation of SAP Note 696478, namely creating a special authorization for the user who performs the ST14 data collection, and installing the ST-A/PI plug-in, version 01D*

The asterisks next to 01F and 01D represent the relevant SAP application. Because there is only one ST-A/PI plug-in for each system, you must be careful to install the correct version.

Transaction ST13 to Maintain Specific Critical Authorizations

transaction ST13. For every critical authorization, you can enter up to four different authorization objects, including relevant authorization values (see figure). In addition, you can add any number of transactions to a critical authorization. This means that for every critical authorization, you can select all users that either have all of the authorizations specified or that are authorized for at least one of the transactions specified. For example, if a user were authorized to maintain any table, you would enter the following critical authorizations:

Authorization object: S_TABU_DIS with field ACTVT value “02” and field DICBERCLASS value “*”

The key challenge here is determining which critical authorizations in mySAP ERP are most important for your system. To help, we recommend using the SAP Compliance Calibrator by Virsa Systems in addition to the full Security Optimization Service (see sidebar on the next page) to analyze your complete authorization concept. The Compliance Calibrator is sold by SAP, comes with an extensive database of predefined critical
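The selection rule described above for a critical authorization (a user is reported if he holds all of the listed authorization objects with their values, or is authorized for at least one of the listed transactions) can be made concrete in code. The following Python is an added example, not SAP code and not part of the self-service or of transaction ST13. It uses the S_TABU_DIS definition from the text; the sample user authorizations, the transaction list (SM30, SM31) and the simplified wildcard semantics (a held `*` covers everything, a trailing `*` is a prefix pattern, value ranges are ignored) are assumptions made for illustration.

```python
"""Evaluate critical-authorization definitions against user authorization data.

Added example, not SAP's own code. A user is reported for a critical
authorization if ONE authorization instance covers every field value of
EVERY listed object, OR the user may start at least ONE listed transaction
(checked through object S_TCODE, field TCD). All user data below is
constructed sample data, not output of any SAP system.
"""
from dataclasses import dataclass, field


@dataclass
class CriticalAuthorization:
    """One critical authorization as maintained in ST13: up to four
    authorization objects with required field values, plus any number of
    transactions."""
    name: str
    objects: dict = field(default_factory=dict)       # obj -> {field: required value}
    transactions: list = field(default_factory=list)  # transaction codes

    def __post_init__(self):
        if len(self.objects) > 4:
            raise ValueError("at most four authorization objects per critical authorization")


def value_covers(held: str, required: str) -> bool:
    """Does a held authorization value cover a required value?
    Simplified SAP semantics (assumption): '*' covers everything, a trailing
    '*' is a prefix pattern, anything else must match exactly. A required '*'
    is therefore only covered by a held '*'. Value ranges are ignored."""
    if held == "*":
        return True
    if held.endswith("*"):
        return required.startswith(held[:-1])
    return held == required


def has_object(user_auths, obj, required_fields):
    """True if a single authorization instance of `obj` covers every required
    field value. Fields spread over two instances do not count, as in a real
    SAP authorization check."""
    for held_obj, held_fields in user_auths:
        if held_obj != obj:
            continue
        if all(any(value_covers(h, req) for h in held_fields.get(fld, ()))
               for fld, req in required_fields.items()):
            return True
    return False


def has_transaction(user_auths, tcode):
    """Transaction start authority is granted by S_TCODE, field TCD."""
    return has_object(user_auths, "S_TCODE", {"TCD": tcode})


def is_critical(user_auths, crit):
    """The rule from the text: all objects specified OR at least one transaction specified."""
    all_objects = bool(crit.objects) and all(
        has_object(user_auths, obj, flds) for obj, flds in crit.objects.items())
    any_tcode = any(has_transaction(user_auths, t) for t in crit.transactions)
    return all_objects or any_tcode


def find_critical_users(users, crit):
    """Sorted list of user IDs that match the critical authorization."""
    return sorted(u for u, auths in users.items() if is_critical(auths, crit))


# The example from the text: maintain any table. Transactions are assumed.
TABLE_MAINTENANCE = CriticalAuthorization(
    name="Maintain any table",
    objects={"S_TABU_DIS": {"ACTVT": "02", "DICBERCLASS": "*"}},
    transactions=["SM30", "SM31"],
)

# Constructed sample users: (object, {field: [held values]}) per authorization instance.
SAMPLE_USERS = {
    "BASIS_ADM": [("S_TABU_DIS", {"ACTVT": ["*"], "DICBERCLASS": ["*"]})],
    "DISPLAY_ONLY": [("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLASS": ["*"]}),
                     ("S_TCODE", {"TCD": ["SE16"]})],
    "CUSTOM_TABLES": [("S_TABU_DIS", {"ACTVT": ["02", "03"], "DICBERCLASS": ["ZCUS"]})],
    "SPLIT_AUTHS": [("S_TABU_DIS", {"ACTVT": ["02"], "DICBERCLASS": ["ZCUS"]}),
                    ("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLASS": ["*"]})],
    "TCODE_ONLY": [("S_TCODE", {"TCD": ["SM3*"]})],
}

if __name__ == "__main__":
    for user in find_critical_users(SAMPLE_USERS, TABLE_MAINTENANCE):
        print(f"{user}: {TABLE_MAINTENANCE.name}")
```

Running the block reports BASIS_ADM (full S_TABU_DIS values) and TCODE_ONLY (a wildcard S_TCODE value that covers SM30), while DISPLAY_ONLY, CUSTOM_TABLES and SPLIT_AUTHS are not reported: the last one holds both required values, but in two separate authorization instances, which is why the check is made per instance rather than by pooling a user's values.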