SAP Basis Technical changes

Technical changes
Activation of the email function for all events in the Security Audit Log
Remove weak password hashes from the system

Updating the profile parameter alone does not give you the necessary security. Many weak hash values remain in your database, and they can be used to attack your system. They must be removed from the database completely. To do this, use the report CLEANUP_PASSWORD_HASH_VALUES: call transaction SA38 and enter the name of the report in the input field. Run or F8 executes the program and cleans your database. This program removes the outdated hash values across all clients.

Have you already experienced this attack method, or do you have any other comments on this topic? Share your experiences with us in the form of a comment under this article.
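As an added example (not part of the original article and not SAP's own tooling), the following Python check can be run on a user table export before and after the cleanup report to list, per client, which users still carry legacy hash values. It assumes a semicolon-separated export of the USR02 columns MANDT, BNAME, BCODE, PASSCODE and PWDSALTEDHASH; the export format, the sample rows and the function names are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: semicolon-separated export of USR02 columns (assumed format).
# All users and hash values below are invented for illustration.
SAMPLE_EXPORT = """MANDT;BNAME;BCODE;PASSCODE;PWDSALTEDHASH
000;DDIC;0000000000000000;0000000000000000000000000000000000000000;{x-issha, 1024}CONSTRUCTED
100;JSMITH;1A2B3C4D5E6F7081;00112233445566778899AABBCCDDEEFF00112233;{x-issha, 1024}CONSTRUCTED
100;RFC_LEGACY;0F1E2D3C4B5A6978;0000000000000000000000000000000000000000;
200;MMUELLER;0000000000000000;FFEEDDCCBBAA99887766554433221100FFEEDDCC;{x-issha, 1024}CONSTRUCTED
"""

WEAK_FIELDS = ("BCODE", "PASSCODE")  # legacy hash columns in USR02


def is_set(raw_hex: str) -> bool:
    """A RAW hash column counts as empty when it is blank or all zeros."""
    return bool(raw_hex.strip("0 "))


def audit_weak_hashes(export_text: str) -> dict:
    """Return {client: [(user, weak_fields, has_strong_hash), ...]}."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        weak = [f for f in WEAK_FIELDS if is_set(row.get(f) or "")]
        if weak:
            has_strong = bool((row.get("PWDSALTEDHASH") or "").strip())
            findings[row["MANDT"]].append((row["BNAME"], weak, has_strong))
    return dict(findings)


def report(findings: dict) -> list:
    """One line per affected user, sorted by client."""
    lines = []
    for client in sorted(findings):
        for user, weak, has_strong in findings[client]:
            # Labels are this example's own classification, not SAP terminology.
            status = "redundant weak hash" if has_strong else "weak hash only"
            lines.append(f"client {client}: {user}: {'+'.join(weak)} ({status})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_weak_hashes(SAMPLE_EXPORT))) or "no weak hashes found")
```

An empty result after the cleanup run, across every client in the export, is the state the article asks for.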

An important area of SAP security is the analysis of the customer's own SAP programs, which are classically written in the proprietary SAP language ABAP. Here, as in all programming languages, security vulnerabilities can be programmed, whether consciously or unconsciously. However, the patterns of security vulnerabilities in ABAP code differ from those in Java stacks or Windows programs. With those conventional programs, the goal of an attack is usually either to crash the program (buffer overflow) or to have the attacker's own code executed (code injection). Neither is possible in ABAP, since a crash of a process causes nothing more than an entry in the log database (dump, ST22) and the termination of the report with a return to the menu starting point. Direct manipulation of the kind seen in other high-level languages or servers is therefore not possible. However, there are other ways to manipulate the system.

If you want to get more information about SAP basis, visit the website www.sap-corner.de.
Tasks and activities
In SAP Basis administration there are many tasks that come up at long but irregular intervals, such as adjusting the system modifiability. As a result, the know-how is often lacking, and people quickly turn to the nearest search engine, where long and partly incomplete forum entries make finding the right approach even more difficult. For this reason, I will regularly record recurring tasks from SAP Basis administration for you in simple tutorials. This blog post starts with the topic of system modifiability and client control. If you want to jump directly to a step-by-step guide, just scroll down to the bottom, where I have summarised everything once more.

System Modifiability - What Is It?

The system modifiability lets you set which objects of the repository and of the client-independent customising are modifiable and which are not. For repository objects the setting can be refined further by software component and namespace. You can choose whether an object should be modifiable, restrictedly modifiable, or non-modifiable. In this context, restrictedly modifiable means that repository objects can only be created as non-originals (small note: for packages, the settings "restricted modifiable" and "modifiable" are functionally identical). Let us now turn to how the system modifiability is actually changed.

Change system modifiability

As preparation, you should clarify how long your system is supposed to remain modifiable. I have learned from my clients that it is often desired to set the system to "changeable" only temporarily, for certain tasks from the specialist departments. Once you have arranged this, call transaction SE06 in client 000 and click on the button "System Modification". If you do not have permissions for this transaction, you can try either transaction SE03 -> System Modifiability or transaction SE09 -> Jump -> Transport Organiser Tools -> System Modifiability (under "Administration").

The following screenshot shows the path via SE03. Here you can change the desired namespaces and software components as required.

Although you always make sure that authorization roles are generated when you administer them, red lights keep appearing in the user assignment in the production systems. Have you considered user matching?

Use "Shortcut for SAP Systems" to accomplish many tasks in the SAP basis more easily and quickly.

To avoid problems, import all support packages as they are delivered.

So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.


Moving transport requests from one system line to another, or importing third-party transport requests into the SAP system, is also an occasional task for an SAP Basis administrator.