kai_bauer

Introduction

In times of industrial espionage, data leaks and blackmail, securing SAP systems is essential.

A centralized, summarized presentation of current configuration parameters is increasingly necessary to keep an overview of the security status of an IT landscape. This is what so-called "Dashboards" provide.

Recent survey results¹ of the German-speaking SAP user group "DSAG" showed that the majority of respondents do not use a central SAP Security Dashboard.

There is a lot of information on this topic, scattered across different places. This blog post aims to give a summarized step-by-step guide on how to use Solution Manager "Configuration Validation" and "Dashboard Builder"² to implement custom Fiori-based Security Dashboards.

As a simple example, the following profile parameters for password minimum requirements³ are used:


| Setting | Profile Parameter | Recommendation |
|---|---|---|
| Minimum password length | login/min_password_lng | 8 |
| Number of lowercase letters | login/min_password_lowercase | 1 |
| Number of uppercase letters | login/min_password_uppercase | 1 |
| Number of digits | login/min_password_digits | 1 |
| Number of letters | login/min_password_letters | 1 |
| Number of special characters | login/min_password_specials | 1 |




 

Contents

This blog post is structured into the following parts:

  1. Where can I find Solution Manager Dashboard Builder?

  2. Create a new Dashboard

    1. Create Category

    2. Create Dashboard

    3. Create Group

  3. Create a Configuration Validation Report

    1. Create Target System

      1. Create Target System from selected Source System

      2. Adjust Configuration Items in the Configuration Store

    2. Create Comparison List

    3. Run Validation Report

  4. Display Configuration Validation Report results in the Dashboard

    1. Create Dashboard Tiles

      1. Choose the Configuration Validation Target System

      2. Choose the Configuration Validation Comparison List

      3. Further configuration

    2. Create Drill-Down view

    3. View the Dashboard

    4. Detailed Dashboard Tiles configuration parameters

  5. Extended Concept(s)

  6. Appendix

    1. Useful Configuration Stores for Security Reporting

 

Step 1: Where can I find Solution Manager Dashboard Builder?

Dashboard Builder is accessible in the Fiori Launchpad tile "Configuration Analytics and Dashboards", which is hidden in the standard view.



You can enable the tile by personalizing the Home Page:


Transaction "SM_WORKCENTER" >> bottom right corner >> Personalize Home Page
My Home >> "+" Tile (Open App Finder)
Catalog "SAP Solution Manager Configuration" >> Tile "Configuration Analytics and Dashboards" >> "+" Button (Add tile to group "My Home")
Top left corner >> Home Button
Bottom right corner >> Exit Action Mode
The tile for starting Dashboard Builder has been enabled

 

Step 2: Create a new Dashboard

Individual Dashboards in "Dashboard Builder" are structured in Categories. Each Dashboard consists of Groups and Tiles:



 

2.1: Create Category

 

Bottom right corner >> New Dashboard
Edit Category
Add new Category
Enter a custom name
Save in $TMP (we are in a development environment and do not want to transport)
The Dashboard Category "Security" is available


 

2.2: Create Dashboard

 

Bottom right corner >> New Dashboard


Enter a custom name (in this case "Test Security Dashboard")

Choose the Category "Security"

Enable 15 Minute(s) auto refresh (Optional)
Save in $TMP (we are in a development environment and do not want to transport)
Within the Category "Security", the (empty) Dashboard "Test Security Dashboard" is available


 

2.3: Create Group

 

Bottom right corner >> Create Group
Enter a custom name (in this case "Password Requirements")
Again, save in $TMP (we are in a development environment and do not want to transport)
Within the Dashboard "Test Security Dashboard", the Group "Password Requirements" is available


Before the Group can be filled with tiles, it is necessary to create a Report in Configuration Validation. Its results are then displayed in the dashboard.

 

Step 3: Create a Configuration Validation Report

In the Solution Manager Launchpad, the tile "Configuration Validation" can be found in the "Root Cause Analysis" Group:



Configuration Validation compares the configuration of SAP systems in a system comparison list with a predefined state of a target system:



 

3.1: Create Target System

A target system is created from an existing source system. This includes various Configuration Stores with individual Configuration Items.

The parameters mentioned in the example are Configuration Items in the Configuration Store "ABAP_INSTANCE_PAHI" (Store for profile parameters).

 

3.1.1: Create Target System from selected Source System 

 

Switch to "Target System Maintenance"
Select "Display all" for choosing a Source System


Select an (AS ABAP) Source System

Select Config Store "ABAP_INSTANCE_PAHI"

Push "Create from selected Stores"
Save the new Target System
>> Saving was successful, the Target System has been created

 

3.1.2: Adjust Configuration Items in the Configuration Store

 

Switch to "Edit"
Select Target System "TST"
Open Config. Store "ABAP_INSTANCE_PAHI"
Select the relevant items
Delete unselected items
Adjust Operators and Values
Save, the Target System "TST" for validating password minimum requirements has been created

 

3.2: Create Comparison List

 

Switch to "Comparison List Maintenance"
Create new "Dynamic" Compare List (so future new systems will be added automatically)


Enter a custom Name and Description

Filter for System type "ABAP*"

"Refresh" to verify the list
Save the Comparison List
The Comparison List "ALL ABAP" for validating against all ABAP Systems has been created

 

3.3: Run Validation Report

 

Switch to "Report Execution"
Create new record
Select Validation Template
Transfer Report "0TPL_0SMD_VCA2_CITEMS_REF"
Select Reference System
Transfer Target System "TST"
Select Comparison List
Transfer Comparison List "ALL ABAP"


Expand "Optional Settings"

Check "Suppress query variable pop-up"

Number of rows displayed "100"
Save current selection in Report Directory
Start Report
The Configuration Validation Report about password minimum requirements has been created


 

Step 4: Display Configuration Validation Report results in the Dashboard

Back in Solution Manager Dashboard Builder, the tiles can now be created.
 

4.1: Create Dashboard Tiles


Bottom right corner >> Create Custom Tile


Enter Name and Description

Change Data Source Type from "BW Query" to "Function Module"


The Function Module DIAGCPL_CV_DSH is the Dashboard Builder interface to Configuration Validation

>> Enter to activate the configuration

 

4.1.1: Choose the Configuration Validation Target System "TST"

(as created in "3.1: Create Target System")


Right Click "Available Fields - Reference SID"
Enter Value "TST" >>  OK


 

4.1.2: Choose the Configuration Validation Comparison List "ALL ABAP"

(as created in "3.2: Create Comparison List")


Right Click "Available Fields - Comparison List of Systems"
Enter Value "ALL ABAP" >>  OK

 

4.1.3: Further configuration


Right Click "Columns - Key Figures" >> Filter >> Select Filter Value
Change Value to "All"
Right Click "Available Fields - Aggregate on System Level" >> Filter >> Select Filter Value
Change Value to "X" (each system should be counted only once, despite the multiple password parameters)
Right Click "Available Fields - Compliance" >> Filter >> Select Filter Value
Enter Values "No" and "Item not found" (both statuses should be considered as "not compliant")
Right Click "Columns - Key Figures" >> Thresholds >> Define Thresholds
Enter custom threshold values (depends on infrastructure size)
Bottom right corner >> Save
Within the Group “Password Requirements”, the tile is available

 

4.2: Create Drill-Down view


>> Tile Settings


Change Details Page Template to "Drill-Down views"

>> Save
Click tile to enter Drill-Down page
Add a new Drill-Down view


Enter a custom name

Use the Function Module DIAGCPL_CV_DSH as interface to Configuration Validation

>> Enter to activate the configuration
Remove "Columns - Key Figures"
Add the fields that should be columns in the Drill-Down table (the table columns are defined in the "Rows" Section...)
In this example: Extended System ID, Store Name, Configuration Item, Configuration Item Value, Configuration Item Value Rule, Compliance, Store Timestamp
Right Click "Extended System ID" >> Sort >> Ascending


Choose the Configuration Validation Target System "TST" (as in 4.1.1: Choose the Configuration Validation Target System)


Choose the Configuration Validation Comparison List "ALL ABAP" (as in 4.1.2: Choose the Configuration Validation Comparison List)


>> Save

The Drill-Down view is available


 

4.3: View the Dashboard


Top right corner >> View mode


The dashboard is now in "View mode"

The generated URL can be used for distribution

 

4.4: Detailed Dashboard Tiles configuration parameters 

 

Tile: Password Requirements


| Parameter | Value |
|---|---|
| KPI Type | Custom |
| Name | Password Requirements |
| Subhead | |
| Description | not compliant |
| Visualization | Number-based |
| Size | 1 X 1 |
| Unit | |
| Data Source Type | Function Module |
| Data Source Name | DIAGCPL_CV_DSH |
| Detail Page Template | Drill-Down views |
| Rows | |
| Columns | Key Figures |
| Filter 1 | Key Figures: All |
| Filter 2 | Aggregate on System Level: X |
| Filter 3 | Comparison List of Systems: ALL ABAP |
| Filter 4 | Reference SID: TST |
| Filter 5 | Compliance: No && Item not found |
| Thresholds | All Less or Equal 0 show as Green |
| | All Between 1 and 10 show as Yellow |
| | All Greater or Equal 11 show as Red |

 

Drill-Down View


| Parameter | Value |
|---|---|
| Name | Drill-Down View |
| Data Source Type | Function Module |
| Data Source Name | DIAGCPL_CV_DSH |
| Visualization | Table |
| Disable Visualization Switch | |
| Jump to Application | |
| Rows | Extended System ID (Sort Ascending), Store Name, Configuration Item, Configuration Item Value, Configuration Item Value Rule, Compliance, Store Timestamp |
| Columns | |
| Filter 1 | Comparison List of Systems: ALL ABAP |
| Filter 2 | Reference SID: TST |
 

Tile: Password Requirements Compliance (Pie chart)

 

 
| Parameter | Value |
|---|---|
| KPI Type | Custom |
| Name | Password Requirements |
| Subhead | Compliance |
| Description | not compliant |
| Visualization | Pie chart |
| Size | 2 X 2 |
| Data Source Type | Function Module |
| Data Source Name | DIAGCPL_CV_DSH |
| Detail Page Template | None |
| Rows | Compliance |
| Columns | Key Figures |
| Filter 1 | Key Figures: All |
| Filter 2 | Aggregate on System Level: X |
| Filter 3 | Comparison List of Systems: ALL ABAP |
| Filter 4 | Reference SID: TST |

 

Tile: Minimum password length


| Parameter | Value |
|---|---|
| KPI Type | Custom |
| Name | Minimum password length |
| Subhead | |
| Description | not compliant |
| Visualization | Number-based |
| Size | 1 X 1 |
| Unit | |
| Data Source Type | Function Module |
| Data Source Name | DIAGCPL_CV_DSH |
| Detail Page Template | None |
| Rows | |
| Columns | Key Figures |
| Filter 1 | Key Figures: All |
| Filter 2 | Comparison List of Systems: ALL ABAP |
| Filter 3 | Reference SID: TST |
| Filter 4 | Configuration Item: login/min_password_lng |
| Filter 5 | Compliance: No |
| Thresholds | All Less or Equal 0 show as Green |
| | All Between 1 and 10 show as Yellow |
| | All Greater or Equal 11 show as Red |


The remaining tiles

  • Number of lowercase letters
  • Number of uppercase letters
  • Number of digits
  • Number of letters
  • Number of special characters

are identical. Only Filter 4 "Configuration Item" needs to be adjusted.
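
The evaluation that the target system rules, the tile filters and the thresholds above add up to can be reproduced offline to sanity-check the numbers a tile shows. The following Python is an added example, not SAP code and not part of the original post; the `>=` operator, the system IDs and their parameter values are assumptions constructed for illustration.

```python
# Added illustration: models the checks configured above; not SAP code.
# Target rules from the recommendation table; the ">=" operator is an assumption.
TARGET = {
    "login/min_password_lng": 8,
    "login/min_password_lowercase": 1,
    "login/min_password_uppercase": 1,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
}

# Constructed sample data: system ID -> profile parameters found in its store.
SYSTEMS = {
    "AAA": {"login/min_password_lng": "10", "login/min_password_lowercase": "1",
            "login/min_password_uppercase": "1", "login/min_password_digits": "1",
            "login/min_password_letters": "1", "login/min_password_specials": "1"},
    "BBB": {"login/min_password_lng": "6", "login/min_password_lowercase": "0",
            "login/min_password_uppercase": "1", "login/min_password_digits": "1",
            "login/min_password_letters": "1", "login/min_password_specials": "1"},
    "CCC": {"login/min_password_lng": "8", "login/min_password_digits": "1"},
}

def validate(systems, target=TARGET):
    """Return drill-down rows: (system, item, value, rule, compliance)."""
    rows = []
    for sid in sorted(systems):                     # Extended System ID, ascending
        for item, minimum in target.items():
            value = systems[sid].get(item)
            if value is None:
                status = "Item not found"           # parameter missing from the store
            else:
                status = "Yes" if int(value) >= minimum else "No"
            rows.append((sid, item, value, f">= {minimum}", status))
    return rows

def tile_count(rows, statuses=("No", "Item not found"), item=None, per_system=True):
    """Count non-compliant results; per_system mirrors 'Aggregate on System Level: X'."""
    hits = [r for r in rows if r[4] in statuses and item in (None, r[1])]
    return len({r[0] for r in hits}) if per_system else len(hits)

def colour(count):
    """Thresholds from the tile tables: <= 0 green, 1-10 yellow, >= 11 red."""
    return "Green" if count <= 0 else "Yellow" if count <= 10 else "Red"

if __name__ == "__main__":
    rows = validate(SYSTEMS)
    print(tile_count(rows), colour(tile_count(rows)))
    print(tile_count(rows, statuses=("No",), item="login/min_password_lng"))
```

Without the per-system aggregation the same sample data yields six findings instead of two systems, which is why the "Password Requirements" tile sets "Aggregate on System Level" to "X".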

 

Extended concept(s):

For a clearer presentation, it is a good idea to create multiple dashboards. For example, a central SAP Security Dashboard could be structured as follows:

  • General System Overview⁴
  • SAP Security Baseline⁵ ⁶
  • Company-specific Security Projects (e.g. high-priority topics from the SAP Security Patch Day)





 

Appendix

 

Useful Configuration Stores for Security Reporting


| System type | Configuration Store | Description |
|---|---|---|
| ABAP | ABAP_INSTANCE_PAHI | Contains the ABAP profile parameter configuration |
| ABAP | ABAP_NOTES | Contains information about currently installed SAP Notes |
| ABAP | ABAP_COMP_RELEASE | Contains the release levels of installed ABAP components |
| ABAP | AUDIT_CONFIGURATION | Contains the Security Audit Configuration |
| ABAP | AUTH_ROLE_USER | Contains information about users with the rights SAP_ALL and SAP_NEW |
| ABAP | CLIENTS | Contains the available clients |
| ABAP | GLOBAL | Contains the status of the system change option |
| ABAP | GW_REGINFO | Contains the "reginfo" gateway security rules |
| ABAP | GW_SECINFO | Contains the "secinfo" gateway security rules |
| ABAP | SICF_SERVICES | Contains information about SICF services |
| ABAP | STANDARD_USERS | Contains information about standard users (e.g. SAP*, DDIC) |
| ABAP | USER_PASSWD_HASH_USAGE | Contains information about the usage of different password hash algorithms |
| HANA | HDB_PARAMETER | Contains the HANA parameter configuration |
| JAVA | com.sap.security.core.ume.service | Contains the User Management Engine (UME) parameter configuration |
| JAVA | J2EE_COMP_SPLEVEL | Contains the release levels of installed JAVA components |
| JAVA | Parameters | Contains the JAVA profile parameter configuration |
| JAVA | xmlhardener_srv | Contains the status of XML Hardening |

 

Sources and related content

¹ DSAG-Umfrage zur IT-Sicherheit im SAP-Umfeld: https://www.dsag.de/externe-news/dsag-umfrage-zur-it-sicherheit-im-sap-umfeld

² SAP Solution Manager 7.2 – Dashboard Builder: https://blogs.sap.com/2017/02/28/sap-solution-manager-7.2-dashboard-builder/

³ Securing SAP NetWeaver AS ABAP Systems against password attacks: https://blogs.sap.com/2018/02/14/securing-sap-netweaver-as-abap-systems-against-password-attacks/

⁴ How to realize a Solution Manager LMDB System Overview in Dashboard Builder: https://blogs.sap.com/2018/04/24/how-to-realize-a-solution-manager-lmdb-system-overview-in-dashboard...

⁵ Security Baseline Template & Security Notes Webinar: https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfo...

⁶ 2253549 - The SAP Security Baseline Template: https://launchpad.support.sap.com/#/notes/2253549

ConfVal_Home - Technical Operations - SCN Wiki: https://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Home
