In modern times of industrial espionage, leaked information and blackmailing, it is essential to deal with the security of SAP Systems.
A centralized, summarized presentation of current configuration parameters is becoming more and more necessary to gain a good overview of the security status of IT landscapes. This is what so-called "Dashboards" can do.
Recent survey results¹ of the German-speaking SAP user group "DSAG" showed that the majority of respondents do not use a central SAP Security Dashboard.
There is a lot of information on this topic, spread across different places. This blog post aims to give a summarized step-by-step guide on how to use Solution Manager "Configuration Validation" and "Dashboard Builder"² to implement custom Fiori-based Security Dashboards.
As a simple example, the following profile parameters for password minimum requirements³ are used:
Setting | Profile Parameter | Recommendation |
Minimum password length | login/min_password_lng | 8 |
Number of lowercase letters | login/min_password_lowercase | 1 |
Number of uppercase letters | login/min_password_uppercase | 1 |
Number of digits | login/min_password_digits | 1 |
Number of letters | login/min_password_letters | 1 |
Number of special characters | login/min_password_specials | 1 |
This blog post is structured into the following parts:
Where can I find Solution Manager Dashboard Builder?
Create a new Dashboard
Create Category
Create Dashboard
Create Group
Create a Configuration Validation Report
Create Target System
Create Target System from selected Source System
Adjust Configuration Items in the Configuration Store
Create Comparison List
Run Validation Report
Display Configuration Validation Report results in the Dashboard
Create Dashboard Tiles
Choose the Configuration Validation Target System
Choose the Configuration Validation Comparison List
Further configuration
Create Drill-Down view
View the Dashboard
Detailed Dashboard Tiles configuration parameters
Extended Concept(s)
Appendix
Useful Configuration Stores for Security Reporting
Dashboard Builder is accessible in the Fiori Launchpad tile "Configuration Analytics and Dashboards", which is hidden in the standard view.
You can enable the tile by personalizing the Home Page:
1. Transaction "SM_WORKCENTER" >> bottom right corner >> Personalize Home Page
2. My Home >> "+" Tile (Open App Finder)
3. Catalog "SAP Solution Manager Configuration" >> Tile "Configuration Analytics and Dashboards" >> "+" Button (Add tile to group "My Home")
4. Top left corner >> Home Button
5. Bottom right corner >> Exit Action Mode

The tile for starting Dashboard Builder has been enabled.
Individual Dashboards in "Dashboard Builder" are structured in Categories. Each Dashboard consists of Groups and Tiles:
1. Bottom right corner >> New Dashboard
2. Edit Category
3. Add new Category
4. Enter a custom name
5. Save in $TMP (we are in a development environment and do not want to transport)

The Dashboard Category "Security" is available.

1. Bottom right corner >> New Dashboard
2. Enter a custom name (in this case "Test Security Dashboard"); choose the Category "Security"; enable 15 Minute(s) auto refresh (optional)
3. Save in $TMP (we are in a development environment and do not want to transport)

Within the Category "Security", the (empty) Dashboard "Test Security Dashboard" is available.

1. Bottom right corner >> Create Group
2. Enter a custom name (in this case "Password Requirements")
3. Again, save in $TMP (we are in a development environment and do not want to transport)

Within the Dashboard "Test Security Dashboard", the Group "Password Requirements" is available.
Before the Group can be filled with tiles, it is necessary to create a Report in Configuration Validation. Its results are then displayed in the dashboard.
In the Solution Manager Launchpad, the tile "Configuration Validation" can be found in the "Root Cause Analysis" Group:
Configuration Validation compares the configuration of SAP systems in a system comparison list with a predefined state of a target system:
A target system is created from an existing source system. This includes various Configuration Stores with individual Configuration Items.
The parameters mentioned in the example are Configuration Items in the Configuration Store "ABAP_INSTANCE_PAHI" (Store for profile parameters).
1. Switch to "Target System Maintenance"
2. Select "Display all" for choosing a Source System
3. Select a (AS ABAP) Source System; select Config Store "ABAP_INSTANCE_PAHI"; push "Create from selected Stores"
4. Save the new Target System

Saving was successful; the Target System has been created.

1. Switch to "Edit"
2. Select Target System "TST"
3. Open Config. Store "ABAP_INSTANCE_PAHI"
4. Select the relevant items
5. Delete unselected items
6. Adjust Operators and Values
7. Save

The Target System "TST" for validating password minimum requirements has been created.
1. Switch to "Comparison List Maintenance"
2. Create new "Dynamic" Compare List (so future new systems will be added automatically)
3. Enter a custom Name and Description; filter for System type "ABAP*"; "Refresh" to verify the list
4. Save the Comparison List

The Comparison List "ALL ABAP" for validating against all ABAP Systems has been created.

1. Switch to "Report Execution"
2. Create new record
3. Select Validation Template
4. Transfer Report "0TPL_0SMD_VCA2_CITEMS_REF"
5. Select Reference System
6. Transfer Target System "TST"
7. Select Comparison List
8. Transfer Comparison List "ALL ABAP"
9. Expand "Optional Settings"; check "Suppress query variable pop-up"; Number of rows displayed "100"
10. Save current selection in Report Directory
11. Start Report

The Configuration Validation Report about password minimum requirements has been created.
Back in Solution Manager Dashboard Builder, the tiles can now be created.
1. Bottom right corner >> Create Custom Tile
2. Enter Name and Description; change Data Source Type from "BW Query" to "Function Module"
3. The Function Module DIAGCPL_CV_DSH is the Dashboard Builder interface to Configuration Validation >> Enter to activate the configuration

(as created in "3.1: Create Target System")

1. Right Click "Available Fields - Reference SID"
2. Enter Value "TST" >> OK

(as created in "3.2: Create Comparison List")

1. Right Click "Available Fields - Comparison List of Systems"
2. Enter Value "ALL ABAP" >> OK
3. Right Click "Columns - Key Figures" >> Filter >> Select Filter Value
4. Change Value to "All"
5. Right Click "Available Fields - Aggregate on System Level" >> Filter >> Select Filter Value
6. Change Value to "X" (each system should be counted only once, despite the multiple password parameters)
7. Right Click "Available Fields - Compliance" >> Filter >> Select Filter Value
8. Enter Values "No" and "Item not found" (both statuses should be considered as "not compliant")
9. Right Click "Columns - Key Figures" >> Thresholds >> Define Thresholds
10. Enter custom threshold values (depends on infrastructure size)
11. Bottom right corner >> Save

Within the Group "Password Requirements", the tile is available.
1. >> Tile Settings
2. Change Details Page Template to "Drill-Down views" >> Save
3. Click tile to enter Drill-Down page
4. Add a new Drill-Down view
5. Enter a custom name; use the Function Module DIAGCPL_CV_DSH as interface to Configuration Validation >> Enter to activate the configuration
6. Remove "Columns - Key Figures"
7. Add fields that should be columns in the Drill-Down table (the table columns are defined in the "Rows" Section...). In this example: Extended System ID, Store Name, Configuration Item, Configuration Item Value, Configuration Item Value Rule, Compliance, Store Timestamp
8. Right Click "Extended System ID" >> Sort >> Ascending
9. Choose the Configuration Validation Target System "TST" (as in 4.1.1: Choose the Configuration Validation Target System); choose the Configuration Validation Comparison List "ALL ABAP" (as in 4.1.2: Choose the Configuration Validation Comparison List)
10. >> Save

The Drill-Down view is available.
Top right corner >> View mode
The dashboard is now in "View mode". The generated URL can be used for distribution.
Parameter | Value |
KPI Type | Custom |
Name | Password Requirements |
Subhead | |
Description | not compliant |
Visualization | Number-based |
Size | 1 X 1 |
Unit | |
Data Source Type | Function Module |
Data Source Name | DIAGCPL_CV_DSH |
Detail Page Template | Drill-Down views |
Rows | |
Columns | Key Figures |
Filter 1 | Key Figures: All |
Filter 2 | Aggregate on System Level: X |
Filter 3 | Comparison List of Systems: ALL ABAP |
Filter 4 | Reference SID: TST |
Filter 5 | Compliance: No && Item not found |
Thresholds | All Less or Equal 0 show as Green; All Between 1 and 10 show as Yellow; All Greater or Equal 11 show as Red |
Parameter | Value |
Name | Drill-Down View |
Data Source Type | Function Module |
Data Source Name | DIAGCPL_CV_DSH |
Visualization | Table |
Disable Visualization Switch | |
Jump to Application | |
Rows | Extended System ID (Sort Ascending), Store Name, Configuration Item, Configuration Item Value, Configuration Item Value Rule, Compliance, Store Timestamp |
Columns | |
Filter 1 | Comparison List of Systems: ALL ABAP |
Filter 2 | Reference SID: TST |
Parameter | Value |
KPI Type | Custom |
Name | Password Requirements |
Subhead | Compliance |
Description | not compliant |
Visualization | Pie chart |
Size | 2 X 2 |
Data Source Type | Function Module |
Data Source Name | DIAGCPL_CV_DSH |
Detail Page Template | None |
Rows | Compliance |
Columns | Key Figures |
Filter 1 | Key Figures: All |
Filter 2 | Aggregate on System Level: X |
Filter 3 | Comparison List of Systems: ALL ABAP |
Filter 4 | Reference SID: TST |
Parameter | Value |
KPI Type | Custom |
Name | Minimum password length |
Subhead | |
Description | not compliant |
Visualization | Number-based |
Size | 1 X 1 |
Unit | |
Data Source Type | Function Module |
Data Source Name | DIAGCPL_CV_DSH |
Detail Page Template | None |
Rows | |
Columns | Key Figures |
Filter 1 | Key Figures: All |
Filter 2 | Comparison List of Systems: ALL ABAP |
Filter 3 | Reference SID: TST |
Filter 4 | Configuration Item: login/min_password_lng |
Filter 5 | Compliance: No |
Thresholds | All Less or Equal 0 show as Green; All Between 1 and 10 show as Yellow; All Greater or Equal 11 show as Red |
The remaining tiles are identical. Only Filter 4 "Configuration Item" needs to be adjusted.
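To sanity-check what the tiles should display, the filter logic described above (compliance per Configuration Item, "Aggregate on System Level", and the colour thresholds) can be reproduced offline. The following Python code is an added example, not part of the original post or of SAP's implementation; the `>=` operator, the function names `drill_down`, `tile_count` and `tile_colour`, and the SIDs and values in `SAMPLE` are assumptions constructed for illustration.

```python
P = "login/min_password_"

# Target system rules: the recommended minimums from the table in this post.
# Assumption: every item is checked with a ">=" operator.
TARGET = {P + "lng": 8, P + "lowercase": 1, P + "uppercase": 1,
          P + "digits": 1, P + "letters": 1, P + "specials": 1}

# Constructed sample data: SIDs and values are made up for this example.
SAMPLE = {
    "PRD": {P + "lng": "10", P + "lowercase": "1", P + "uppercase": "1",
            P + "digits": "1", P + "letters": "1", P + "specials": "1"},
    "QAS": {P + "lng": "6", P + "lowercase": "1", P + "uppercase": "1",
            P + "digits": "1", P + "letters": "1", P + "specials": "1"},
    "DEV": {P + "lng": "8", P + "lowercase": "1", P + "uppercase": "1",
            P + "digits": "0", P + "letters": "1"},  # specials not in store
}

def drill_down(landscape):
    """Rows like the Drill-Down view: (SID, item, value, rule, compliance)."""
    rows = []
    for sid in sorted(landscape):  # Extended System ID, sorted ascending
        for item, minimum in TARGET.items():
            value = landscape[sid].get(item)
            if value is None:
                status = "Item not found"
            else:
                ok = value.isdigit() and int(value) >= minimum
                status = "Yes" if ok else "No"
            rows.append((sid, item, value, f">= {minimum}", status))
    return rows

def tile_count(rows, statuses, item=None, per_system=False):
    """Apply the tile filters; per_system counts each SID only once."""
    hits = [r for r in rows if r[4] in statuses and item in (None, r[1])]
    return len({r[0] for r in hits}) if per_system else len(hits)

def tile_colour(count):
    """Thresholds from the tile: <= 0 Green, 1-10 Yellow, >= 11 Red."""
    return "Green" if count <= 0 else "Yellow" if count <= 10 else "Red"

if __name__ == "__main__":
    rows = drill_down(SAMPLE)
    total = tile_count(rows, {"No", "Item not found"}, per_system=True)
    print("Password Requirements, not compliant:", total, tile_colour(total))
    print("Minimum password length, not compliant:",
          tile_count(rows, {"No"}, item=P + "lng"))
    for row in rows:
        if row[4] != "Yes":
            print(*row, sep=" | ")
```

Without the system-level aggregation the same sample yields three non-compliant items instead of two non-compliant systems, which is why the overview tile sets "Aggregate on System Level" to "X".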
For a clearer presentation, it is a good idea to create multiple dashboards. For example, a central SAP Security Dashboard could be structured as follows:
System type | Configuration Store | Description |
ABAP | ABAP_INSTANCE_PAHI | Contains the ABAP profile parameter configuration |
ABAP | ABAP_NOTES | Contains information about currently installed SAP Notes |
ABAP | ABAP_COMP_RELEASE | Contains the release levels of installed ABAP components |
ABAP | AUDIT_CONFIGURATION | Contains the Security Audit Configuration |
ABAP | AUTH_ROLE_USER | Contains information about users with the rights SAP_ALL and SAP_NEW |
ABAP | CLIENTS | Contains the available clients |
ABAP | GLOBAL | Contains the status of the system change option |
ABAP | GW_REGINFO | Contains the "reginfo" gateway security rules |
ABAP | GW_SECINFO | Contains the "secinfo" gateway security rules |
ABAP | SICF_SERVICES | Contains information about SICF services |
ABAP | STANDARD_USERS | Contains information about standard users (e.g. SAP*, DDIC) |
ABAP | USER_PASSWD_HASH_USAGE | Contains information about the usage of different password hash algorithms |
HANA | HDB_PARAMETER | Contains the HANA parameter configuration |
JAVA | com.sap.security.core.ume.service | Contains the User Management Engine (UME) parameter configuration |
JAVA | J2EE_COMP_SPLEVEL | Contains the release levels of installed JAVA components |
JAVA | Parameters | Contains the JAVA profile parameter configuration |
JAVA | xmlhardener_srv | Contains the status of XML Hardening |
¹ DSAG-Umfrage zur IT-Sicherheit im SAP-Umfeld: https://www.dsag.de/externe-news/dsag-umfrage-zur-it-sicherheit-im-sap-umfeld
² SAP Solution Manager 7.2 – Dashboard Builder: https://blogs.sap.com/2017/02/28/sap-solution-manager-7.2-dashboard-builder/
³ Securing SAP NetWeaver AS ABAP Systems against password attacks: https://blogs.sap.com/2018/02/14/securing-sap-netweaver-as-abap-systems-against-password-attacks/
⁴ How to realize a Solution Manager LMDB System Overview in Dashboard Builder: https://blogs.sap.com/2018/04/24/how-to-realize-a-solution-manager-lmdb-system-overview-in-dashboard...
⁵ Security Baseline Template & Security Notes Webinar: https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfo...
⁶ 2253549 - The SAP Security Baseline Template: https://launchpad.support.sap.com/#/notes/2253549
ConfVal_Home - Technical Operations - SCN Wiki: https://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Home