https://raw.githubusercontent.com/ajmaradiaga/feeds/main/scmt/topics/Security-qa.xml SAP Community - Security 2025-02-10T00:01:48.413102+00:00 python-feedgen Security Q&A in SAP Community https://community.sap.com/t5/technology-q-a/no-where-used-list-for-the-authorization-object-in-se80-su21-after-s-4-hana/qaq-p/13891355 No Where-Used List for the Authorization Object in SE80/SU21 after S/4 HANA 2023 Upgrade 2024-10-07T20:27:38.712000+02:00 SAPSupport https://community.sap.com/t5/user/viewprofilepage/user-id/121003 <P>After the system upgrade from S/4 HANA 2021 to S/4 HANA 2023, the Where-Used List for authorization objects in SE80/SU21 disappeared.</P><BR />------------------------------------------------------------------------------------------------------------------------------------------------<BR /><B>Learn more about the SAP Support user and program <A target="_blank" href="https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/maximizing-the-power-of-sap-community-at-product-support/ba-p/13501276">here</A>.</B> 2024-10-07T20:27:38.712000+02:00 https://community.sap.com/t5/technology-q-a/same-profile-naming-in-development-and-quality-systems/qaq-p/13892906 Same profile naming in development and quality systems 2024-10-08T18:03:22.664000+02:00 SAPSupport https://community.sap.com/t5/user/viewprofilepage/user-id/121003 <P>Hi,<BR />SHD and SHQ were our development and quality systems, but now, we have a new system:<BR />SDH (development system)<BR />SQH (quality System)<BR />So, when we created new role and a new profile is assigned automatically in old systems, this profile name was T-SDxxxxxx (DEV) and T-SQxxx (QAS) respectively.<BR />Now, when we create new roles and profiles automatically in new systems, the profile name begins with same nomenclature T-SHxxxx and it is generating incidents.<BR />Could you please help us with this issue?<BR />Is there any OSS Note to apply?
or could you tell us how to change the beginning of the profile name T-YYxxxxx?</P> 2024-10-08T18:03:22.664000+02:00 https://community.sap.com/t5/technology-q-a/oauth-2-0-client-to-access-external-service-provider-resource/qaq-p/13904125 OAuth 2.0 client to access external service provider resource 2024-10-18T14:29:35.354000+02:00 konstantinos_vassiliadis https://community.sap.com/t5/user/viewprofilepage/user-id/292283 <P>Hello experts,</P><P>I am trying to implement an OAuth2.0 connection between SAP and an external service provider. I went through all relevant material ranging from creating a profile through to configuring a client (<A href="https://help.sap.com/docs/SAP_NETWEAVER_750/3c4e8fc004cb4401a4fdd737f02ac2b9/81c09e3f183e49e4b1eb6959ccbe6e84.html?version=7.5.6" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/SAP_NETWEAVER_750/3c4e8fc004cb4401a4fdd737f02ac2b9/81c09e3f183e49e4b1eb6959ccbe6e84.html?version=7.5.6</A>&nbsp;and sub-sections). Then I have a test ABAP program to test the configuration and get an authorization code using the authorization endpoint; after that, I want to call the access token endpoint to get the access token and start calling the resources I want using the obtained access token.
The external service provider requires an Authorization Code grant type to be obtained before using it to invoke the access token endpoint.</P><P>I have the following questions:</P><P>1) according to&nbsp;<A href="https://help.sap.com/docs/SAP_NETWEAVER_750/3c4e8fc004cb4401a4fdd737f02ac2b9/d7b8d91ad2ef40e6aee5fb071bb75193.html?version=7.5.6," target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/SAP_NETWEAVER_750/3c4e8fc004cb4401a4fdd737f02ac2b9/d7b8d91ad2ef40e6aee5fb071bb75193.html?version=7.5.6,</A>&nbsp;I create an http client but the URL is the target endpoint of the requested resource?</P><P>2) when I use the set_token method of the OAuth2.0 client instance - created using the client profile and client configuration - I get the following exception message:</P><P>"No access token available for current user."</P><P>I attach screenshots from the configuration of the client (transaction&nbsp;OA2C_CONFIG):</P><P>The following part of the configuration screen has pre-filled value in the placeholder "Target Endpoint" and it is editable. Do I have to modify it or leave it as it is? 
if I have to modify it, what value from the service provider should I specify?</P><P>Also, the Redirection URI is non-editable and is made up of the Redirection URI server and other stuff.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="konstantinos_vassiliadis_0-1729254082953.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/180869iE46A4791EEE205F2/image-size/medium?v=v2&amp;px=400" role="button" title="konstantinos_vassiliadis_0-1729254082953.png" alt="konstantinos_vassiliadis_0-1729254082953.png" /></span></P><P>Does anyone have any example implementations of such a scenario where we want SAP to consume protected resource in an external service provider?&nbsp;</P><P>Thank you in advance,</P><P>Konstantinos</P><P>&nbsp;</P> 2024-10-18T14:29:35.354000+02:00 https://community.sap.com/t5/technology-q-a/integrating-authorizations-for-external-applications-in-public-cloud-and/qaq-p/13916760 Integrating authorizations for external applications in Public Cloud and Tools 2024-10-23T11:13:45.794000+02:00 madziszn https://community.sap.com/t5/user/viewprofilepage/user-id/1658950 <P><SPAN>Is it possible to use SAP Public Cloud as a platform to manage authorizations for both SAP and external applications? If so, what tools are available to facilitate this process?</SPAN></P> 2024-10-23T11:13:45.794000+02:00 https://community.sap.com/t5/technology-q-a/we-require-non-expiry-sap-user-id-for-the-interface-with-other-software-s/qaq-p/13928515 we require non expiry sap user ID for the interface with other software's 2024-11-05T09:38:00.992000+01:00 SAPSupport https://community.sap.com/t5/user/viewprofilepage/user-id/121003 <P>Hi,</P><BR /><P>we are using the SAP user id to post the interface data in to the sap and we maintained the sap user id and password in the all interface API and CPI to post the data in sap s4 PERSON_NAME. 
but every 6 months sap user id password is expiring due to that interfaces are failing.</P><BR /><P>we required non expiry password for SAP user id to use in the interface.</P><BR /><P>&nbsp;</P><BR /><P>Regards,</P><BR /><P>Manjunatha Reddy.</P> 2024-11-05T09:38:00.992000+01:00 https://community.sap.com/t5/enterprise-resource-planning-q-a/how-to-synch-data-from-pa30-pa20-actions-of-user-group-to-su01-of-basis/qaq-p/13937958 How to synch data from PA30/PA20 actions of user group to SU01 of BASIS Tcode 2024-11-14T11:14:30.938000+01:00 Ashish07 https://community.sap.com/t5/user/viewprofilepage/user-id/1861989 <P>I am writing to request your assistance in synchronizing user transfer and resignation data between the Personnel Administration (PA20/PA30) and User Management (SU01) transactions within our SAP system. This synchronization will help us streamline the process of distinguishing and managing SAP users based on their respective organizational sites and departments.</P><P>Currently, as part of our user management process, we rely on data maintained in PA20/PA30 to track employee transfers, resignations, and other HR-related changes. However, this information does not automatically reflect in SU01, which is crucial for managing SAP access and ensuring that users are properly aligned with their current roles, locations, and organizational structures.</P> 2024-11-14T11:14:30.938000+01:00 https://community.sap.com/t5/technology-q-a/how-to-achieve-spro-full-access-module-based-without-sap-all/qaq-p/13938172 how to achieve SPRO full access module-based without SAP_ALL?
2024-11-14T14:04:47.146000+01:00 kertdelrosario05 https://community.sap.com/t5/user/viewprofilepage/user-id/1735861 <P>Hello Security Experts,</P><P>We need to remove SAP_ALL from the dev environment for auditing purposes and create roles with full SPRO access and module-based permissions (e.g., FI, MM, SD). What’s the best approach to implement this?</P><P><SPAN>I followed this link below but the step 12 is a bit confusing. Can you advise?</SPAN></P><P><SPAN><A href="https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/how-to-create-and-give-module-wise-project-img-access-to-sap-consultants/ba-p/13152750" target="_blank">https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/how-to-create-and-give-module-wise-project-img-access-to-sap-consultants/ba-p/13152750</A></SPAN></P><P><SPAN><a href="https://community.sap.com/t5/c-khhcw49343/Security/pd-p/49511061904067247446167091106425" class="lia-product-mention" data-product="1143-1">Security</a>&nbsp;<BR /><a href="https://community.sap.com/t5/c-khhcw49343/SAP+Community/pd-p/486157991894093153608181816584982" class="lia-product-mention" data-product="1161-1">SAP Community</a>&nbsp;<BR /><a href="https://community.sap.com/t5/c-khhcw49343/SAP+BTP+Security/pd-p/842ea649-eeef-464c-b80c-a64b03e40158" class="lia-product-mention" data-product="99-1">SAP BTP Security</a>&nbsp;</SPAN></P> 2024-11-14T14:04:47.146000+01:00 https://community.sap.com/t5/technology-q-a/encryption-using-a-public-key-with-function-ssf-krn-envelope/qaq-p/13940704 Encryption using a public key with function SSF_KRN_ENVELOPE 2024-11-18T12:43:59.624000+01:00 Jose_Pablo https://community.sap.com/t5/user/viewprofilepage/user-id/1604582 <P>Hi,</P><P>We need to encrypt a KEY, like&nbsp;</P><P>&lt;KEY&gt;290B0B57A7C7AD3D9DF170511C1C9D209DAB1C7F7675D370&lt;/KEY&gt;</P><P>For this we need to use a public key using algorithm PKCS v1.2., to get a key of 512 hexadecimal characters.</P><P>We are trying the 
following:</P><P>* We have defined a new SSF application.</P><P>* We have used transaction&nbsp;<SPAN>STRUST to upload the certificate that contains the public key to be used for the encryption.</SPAN></P><P><SPAN>* We have configured the SSF parameters for this new application:</SPAN></P><P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;HASHALG ==&gt;&nbsp;SHA512</SPAN></P><P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ENCRALG ==&gt;&nbsp;TRIPLE-DES</SPAN></P><P><SPAN>* We use functions:</SPAN></P><P><SPAN>&nbsp; &nbsp; &nbsp;==&gt; SSF_GET_PARAMETER(Read certificates included in SSFA)</SPAN></P><P>&nbsp; &nbsp; &nbsp;==&gt;&nbsp;SSFC_GET_CERTIFICATELIS (to get&nbsp;&nbsp;the information of each certificate)</P><P>&nbsp; &nbsp; &nbsp;==&gt;&nbsp;<SPAN>SSFC_PARSE_CERTIFICATE&nbsp;</SPAN></P><P><SPAN>&nbsp; &nbsp; &nbsp;==&gt;&nbsp;SSF_KRN_ENVELOPE (to encrypt), here we complete:</SPAN></P><P><SPAN>ostr_input_data&nbsp;with the string we want to encrypt:</SPAN><SPAN><SPAN class="">&lt;KEY&gt;290B0B57A7C7AD3D9DF170511C1C9D209DAB1C7F7675D370&lt;/KEY&gt;</SPAN>&nbsp;</SPAN></P><P><SPAN>we are not sure which value we need to populate field&nbsp;ostr_input_data_l. Based on&nbsp;method EXTERNAL_ENCYPTING of class CL_PCA_SECURITY, we are applying the same logic:</SPAN></P><P><SPAN><SPAN class="">*&nbsp;preparations</SPAN><BR />&nbsp;&nbsp;&nbsp;&nbsp;lv_length&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<SPAN class="">=&nbsp;</SPAN><SPAN class="">strlen</SPAN><SPAN class="">(&nbsp;</SPAN>iv_card_number&nbsp;<SPAN class="">)</SPAN><SPAN class="">.</SPAN><BR /><SPAN class="">*&nbsp;Unicode&nbsp;or&nbsp;Non-unicode&nbsp;systems</SPAN><BR />&nbsp;&nbsp;&nbsp;&nbsp;lv_length&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<SPAN class="">=&nbsp;</SPAN>lv_length&nbsp;*&nbsp;lv_bytes<SPAN class="">.</SPAN><BR /><BR /></SPAN></P><P>So in our case we are getting: <SPAN>ostr_input_data_l =&nbsp;</SPAN>118</P><P>The
function&nbsp;<SPAN>SSF_KRN_ENVELOPE returns&nbsp;ostr_enveloped_data, we have tried to apply different conversions to this encrypted data but we get 510 characters instead of 512, so we are not sure if we are missing something.</SPAN></P> 2024-11-18T12:43:59.624000+01:00 https://community.sap.com/t5/technology-q-a/default-tls-1-2-in-sap-api-management-how-to-check/qaq-p/13942999 Default TLS 1.2 in SAP API Management - How to check? 2024-11-20T09:01:05.428000+01:00 azeem_abdullah https://community.sap.com/t5/user/viewprofilepage/user-id/159050 <P>Hello experts,</P><P>As per the below SAP post, the TLSv 1.2 has automatically been enforced in SAP API Management. So, my understanding is, any request from SAP API Management to backend system would be TLSv 1.2 secured protocol. But I would like to know, from consumer of API perspective, is it also the same (request from consumer of the API to the SAP API Management) that the request is secured with TLSv 1.2 protocol? Is there a way to check the TLS version in SAP API Management?
Much appreciate for any response!</P><P><A href="https://help.sap.com/docs/integration-suite/sap-integration-suite/limits-in-api-management" target="_self" rel="noopener noreferrer">Limits in API Management</A>&nbsp;</P><P>Thanks,</P><P>Azeem</P> 2024-11-20T09:01:05.428000+01:00 https://community.sap.com/t5/technology-q-a/pfcg-indirect-user-assignments-cannot-be-manually-changed/qaq-p/13945062 PFCG: indirect user assignments cannot be manually changed 2024-11-22T09:14:17.508000+01:00 SAPSupport https://community.sap.com/t5/user/viewprofilepage/user-id/121003 <P>Hi SAP Team,</P><P>&nbsp;</P><P>When we try to remove user assignment from roles, we have encountered that "Indirect user assignments cannot be manually changed" and cannot proceed further.</P><P>Message number S#082.</P><P>Please help us to fix this issue.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>Basis Team</P> 2024-11-22T09:14:17.508000+01:00 https://community.sap.com/t5/technology-q-a/remove-button-in-su10-without-using-screen-personas/qaq-p/13948109 Remove button in SU10 without using Screen Personas 2024-11-25T21:24:52.761000+01:00 SAPSupport https://community.sap.com/t5/user/viewprofilepage/user-id/121003 <P>Hi,<BR />Our team wants to remove the button for editing single user in tcode SU01.<BR />They say that the only way to achieve this is to install Screen Personas add-on.<BR />However, we in the Basis team are wondering if another solution exists, to avoid having to install a new add-on just to remove 1 button in SU10.<BR />See attachment to view the relevant button.<BR />&nbsp;<BR />Do you know of another
solution for this?<BR />Thanks.<BR />&nbsp;<BR /><BR /><BR /></P> 2024-11-25T21:24:52.761000+01:00 https://community.sap.com/t5/enterprise-resource-planning-q-a/sap-s-4hana-upgrade-a-comprehensive-security-framework/qaq-p/13950910 SAP S/4HANA Upgrade: A Comprehensive Security Framework 2024-11-28T13:03:29.858000+01:00 Mirza_Hasan https://community.sap.com/t5/user/viewprofilepage/user-id/1735748 <P><STRONG>SAP S/4HANA Upgrade: A Comprehensive Security Framework</STRONG></P><P><SPAN>Upgrading to SAP S/4HANA is a critical milestone for businesses seeking enhanced performance, modern features, and future-proof systems. However, amid all the planning, testing, and execution, </SPAN><STRONG>security</STRONG><SPAN> often takes a backseat — a risk no organization can afford.</SPAN></P><P><SPAN>This guide walks you through a step-by-step approach to upgrading SAP S/4HANA with security as a priority. Let’s dive into the technical roadmap to ensure your system remains robust and secure throughout the transition.</SPAN></P><H2 id="toc-hId-1076511110"><STRONG>Step 1: Pre-Upgrade Assessment</STRONG></H2><H3 id="toc-hId-1009080324"><STRONG>1.1 Analyze the Current Security Setup</STRONG></H3><P><SPAN>Before starting the upgrade, analyze your current SAP ECC system for potential security gaps:</SPAN></P><UL><LI><STRONG>Authorization Review</STRONG><SPAN>: Extract and evaluate user roles and profiles using tools like </SPAN><STRONG>SUIM</STRONG><SPAN> or </SPAN><STRONG>AGR_1251</STRONG><SPAN>.
Identify and eliminate inactive users and outdated roles.</SPAN></LI><LI><STRONG>Custom Code Security</STRONG><SPAN>: Use tools like </SPAN><STRONG>SAP Code Inspector (SCI)</STRONG><SPAN> or </SPAN><STRONG>ABAP Test Cockpit (ATC)</STRONG><SPAN> to detect vulnerabilities in custom code. This ensures compatibility with S/4HANA’s simplified data model.</SPAN></LI><LI><STRONG>Security Notes Compliance</STRONG><SPAN>: Apply the latest SAP Security Notes via transaction </SPAN><STRONG>SNOTE</STRONG><SPAN>, and address any unresolved gaps to ensure compliance.</SPAN></LI></UL><H3 id="toc-hId-812566819"><STRONG>1.2 System Readiness Check</STRONG></H3><P><SPAN>Run the </SPAN><STRONG>SAP Readiness Check</STRONG><SPAN> to uncover technical and security prerequisites, such as unsupported add-ons, custom objects, or authorization gaps. Verify compatibility with the latest SAP HANA database version.</SPAN></P><H3 id="toc-hId-616053314"><STRONG>1.3 Establish a Security Baseline</STRONG></H3><P><SPAN>Establish a robust security baseline:</SPAN></P><UL><LI><SPAN>Compare current system parameters (</SPAN><SPAN>rz10</SPAN><SPAN>/</SPAN><SPAN>rz11</SPAN><SPAN>) with SAP's recommended values for S/4HANA.</SPAN></LI><LI><SPAN>Document system configurations, user roles, and access permissions as a reference for post-upgrade validation.</SPAN></LI></UL><H2 id="toc-hId-290457090"><STRONG>Step 2: Preparing for the Upgrade</STRONG></H2><H3 id="toc-hId-223026304"><STRONG>2.1 Secure the System Landscape</STRONG></H3><UL><LI><STRONG>Create a Sandbox Environment</STRONG><SPAN>: Clone your production system into a sandbox for upgrade testing. 
Mask sensitive data to prevent unauthorized access.</SPAN></LI><LI><STRONG>Strengthen Network Security</STRONG><SPAN>: Validate and restrict connections between your systems using firewalls, encryption, and secure network communication protocols.</SPAN></LI></UL><H3 id="toc-hId-26512799"><STRONG>2.2 Hardening Security Settings</STRONG></H3><UL><LI><STRONG>System Parameters</STRONG><SPAN>: Adjust parameters like </SPAN><SPAN>login/fails_to_user_lock</SPAN><SPAN> and </SPAN><SPAN>login/password_expiration_time</SPAN><SPAN> to enforce stricter authentication rules.</SPAN></LI><LI><STRONG>User Authentication</STRONG><SPAN>: Implement Multi-Factor Authentication (MFA) for admin users and integrate Single Sign-On (SSO) through a trusted Identity Provider (IdP).</SPAN></LI></UL><H3 id="toc-hId--170000706"><STRONG>2.3 Role and Authorization Adjustments</STRONG></H3><P><SPAN>The </SPAN><STRONG>SU25</STRONG><SPAN> transaction is your go-to tool for upgrading roles and authorization objects:&nbsp;</SPAN></P><UL><LI><SPAN>Synchronize existing roles with new S/4HANA transactions.</SPAN></LI><LI><SPAN>Identify obsolete roles or transactions and clean them up.</SPAN></LI><LI><SPAN>Adjust roles to include updated or newly introduced authorization objects, especially for </SPAN><STRONG>Fiori apps</STRONG><SPAN>.</SPAN></LI><LI><SPAN>Transport the Customer Table</SPAN></LI></UL><H3 id="toc-hId--366514211"><STRONG>Note:</STRONG></H3><P><SPAN>The activities mentioned above align with the specific steps of the </SPAN><STRONG>SU25 transaction</STRONG><SPAN> during the SAP S/4HANA upgrade. Each step plays a crucial role in ensuring that the authorization framework is seamlessly transitioned to the upgraded system. 
Below is the mapping of these activities to the SU25 process:</SPAN></P><UL><LI><STRONG>Step 2A: Automatic Comparison with SU22 Data</STRONG><STRONG><BR /></STRONG><SPAN>Compares the existing customer-specific authorization values with SAP-delivered SU22 defaults to align with the updated S/4HANA standards.</SPAN></LI><LI><STRONG>Step 2B: Modification Comparison with SU22 Data</STRONG><STRONG><BR /></STRONG><SPAN>Identifies and evaluates customer-specific modifications to SAP-delivered proposals, allowing informed decisions on retaining, adapting, or discarding these changes.</SPAN></LI><LI><STRONG>Step 2C: Roles to Be Checked</STRONG><STRONG><BR /></STRONG><SPAN>Highlights roles impacted by changes in transactions or authorization objects, requiring adjustments to ensure compatibility with the new system.</SPAN></LI><LI><STRONG>Step 2D: Search for Obsolete Applications</STRONG><STRONG><BR /></STRONG><SPAN>Locates and flags roles or transactions linked to deprecated functionality in S/4HANA, ensuring the removal or replacement of these obsolete elements.</SPAN></LI><LI><STRONG>Step 3: Transport the Customer Tables</STRONG><STRONG><BR /></STRONG><SPAN>Facilitates the migration of updated authorization objects, roles, and changes to test and production systems via standard transport mechanisms.</SPAN></LI></UL><H2 id="toc-hId--692110435"><STRONG>Step 3: Upgrade Execution</STRONG></H2><H3 id="toc-hId--834772590"><STRONG>3.1 Perform Data Migration Securely</STRONG></H3><UL><LI><SPAN>Encrypt system backups during data transfer using </SPAN><STRONG>SAP Data Volume Management (DVM)</STRONG><SPAN>. 
Validate data integrity with checksum tools.</SPAN></LI><LI><SPAN>Use the </SPAN><STRONG>Simplification Item Check</STRONG><SPAN> to ensure custom developments and data structures align with S/4HANA.</SPAN></LI></UL><H3 id="toc-hId--1031286095"><STRONG>3.2 Secure Downtime Activities</STRONG></H3><UL><LI><SPAN>Enable </SPAN><STRONG>audit logging (SM19)</STRONG><SPAN> to monitor all activities during the upgrade.</SPAN></LI><LI><SPAN>Restrict system access to critical users using an access whitelist.</SPAN></LI><LI><SPAN>Isolate the system by temporarily disabling non-critical integrations.</SPAN></LI></UL><H3 id="toc-hId--1227799600"><STRONG>3.3 Execute the Upgrade</STRONG></H3><P><SPAN>Use </SPAN><STRONG>SAP Software Update Manager (SUM)</STRONG><SPAN>:</SPAN></P><UL><LI><SPAN>Select security settings, such as database encryption for the HANA database.</SPAN></LI><LI><SPAN>Monitor </SPAN><STRONG>SUM_Security logs</STRONG><SPAN> to address issues with roles or security objects during the upgrade process.</SPAN></LI></UL><H2 id="toc-hId--1130910098"><STRONG>Step 4: Post-Upgrade Validation</STRONG></H2><H3 id="toc-hId--1620826610"><STRONG>4.1 Validate Authorizations</STRONG></H3><UL><LI><SPAN>Use </SPAN><STRONG>SU53</STRONG><SPAN> to test for missing authorizations and resolve issues promptly.</SPAN></LI><LI><SPAN>Assign roles for newly introduced S/4HANA features, such as Fiori apps.</SPAN></LI></UL><H3 id="toc-hId--1817340115"><STRONG>4.2 Review System Security Settings</STRONG></H3><UL><LI><SPAN>Cross-check system parameters against your baseline, especially for authentication and encryption.</SPAN></LI><LI><SPAN>Re-enable critical background jobs (</SPAN><STRONG>SM37</STRONG><SPAN>) while ensuring they comply with security standards.</SPAN></LI></UL><H3 id="toc-hId--2013853620"><STRONG>4.3 Patch and Secure the System</STRONG></H3><UL><LI><SPAN>Update the SAP kernel and apply the latest Security Notes.</SPAN></LI><LI><SPAN>Perform vulnerability checks using the 
</SPAN><STRONG>SAP EarlyWatch Alert</STRONG><SPAN> and address any security concerns.</SPAN></LI></UL><H2 id="toc-hId--1916964118"><STRONG>Step 5: Post-Upgrade Monitoring</STRONG></H2><H3 id="toc-hId-1888086666"><STRONG>5.1 Enable Continuous Monitoring</STRONG></H3><UL><LI><SPAN>Leverage tools like </SPAN><STRONG>SAP Solution Manager</STRONG><SPAN> or </SPAN><STRONG>SAP Enterprise Threat Detection</STRONG><SPAN> to monitor security events in real time.</SPAN></LI><LI><SPAN>Configure alerts for unauthorized access or suspicious activity.</SPAN></LI></UL><H3 id="toc-hId-1691573161"><STRONG>5.2 Conduct Periodic Security Audits</STRONG></H3><UL><LI><SPAN>Regularly review user roles and authorizations using </SPAN><STRONG>SUIM</STRONG><SPAN>.</SPAN></LI><LI><SPAN>Use SAP Configuration Validation to ensure your system adheres to established security standards.</SPAN></LI></UL><H3 id="toc-hId-1663243347"><STRONG>5.3 Educate and Train Users</STRONG></H3><UL><LI><SPAN>Train users on security best practices and changes introduced by SAP S/4HANA.</SPAN></LI><LI><SPAN>Provide detailed documentation for administrators to manage upgraded security features effectively.<BR /><BR /><a href="https://community.sap.com/t5/c-khhcw49343/Security/pd-p/49511061904067247446167091106425" class="lia-product-mention" data-product="1143-1">Security</a>&nbsp;</SPAN></LI></UL> 2024-11-28T13:03:29.858000+01:00 https://community.sap.com/t5/technology-q-a/calling-secured-iflow-from-sapui5/qaq-p/13951051 Calling Secured iFlow from SAPUI5 2024-11-28T15:35:13.878000+01:00 Rostyslav https://community.sap.com/t5/user/viewprofilepage/user-id/1865158 <P>Can somebody explain how can I call the Integration Flow SECURED Endpoint from SAP UI5? To call it in Postman, I first fetch the access_token with token endpoint then request the json resource with that token. How do I implement it with SAP UI5, so the token of the currently logged in user is used? Also how to make the SAP UI5 get the token when user logs in?
I implemented this scenario 100 times in Angular and React with custom backend scenarios. There is literally 0 documentation on how to do this in the SAP environment.</P> 2024-11-28T15:35:13.878000+01:00 https://community.sap.com/t5/technology-q-a/is-it-a-good-decision-for-someone-without-an-it-background-to-learn-sap/qaq-p/13957282 Is it a good decision for someone without an IT background to learn SAP Security GRC? 2024-12-06T13:27:37.658000+01:00 KSridharReddy https://community.sap.com/t5/user/viewprofilepage/user-id/1904039 <P>Hi All,</P><P>I have 5.3 years of experience working in an MNC in a non-IT role (BPO), and I am now looking to shift my career towards IT, specifically in SAP Security GRC, for better growth opportunities. I am not interested in programming languages, and have found limited opportunities in my current field.</P><P>I would greatly appreciate insights from individuals who have transitioned into SAP Security GRC from non-IT backgrounds or from those currently working in this domain. Is it a good decision to pursue SAP Security GRC for long-term career growth?</P><P>Additionally, I would like to know:</P><P>1. What is the average salary package for someone with 3 to 3.5 years of experience in SAP Security GRC?<BR />&nbsp; &nbsp; Are there any current job openings for candidates with this level of experience? What is the demand for SAP Security GRC professionals in the market?<BR />2. Are there opportunities for freshers in this field?<BR />3. Could you recommend any reputable training institutes in Hyderabad for SAP Security GRC with contacts?<BR />4. Is certification required after completing the course, and if so, what is the cost?<BR />5. Is any programming knowledge (like Java, Python, etc.) required to learn SAP Security GRC? Is it a "no coding" field?<BR />6. Is certification necessary to get job calls and Interviews?
If so, what is the certification fee?<BR /><BR />Looking forward to your valuable feedback.</P><P>Regards,<BR />Sridhar.</P> 2024-12-06T13:27:37.658000+01:00 https://community.sap.com/t5/enterprise-resource-planning-q-a/prevent-transport-owner-from-transporting-to-production/qaq-p/13963549 prevent transport owner from transporting to production 2024-12-14T02:45:28.160000+01:00 Mukhizam https://community.sap.com/t5/user/viewprofilepage/user-id/1651946 <P>Hi all,</P><P>Our system version is ERP EHP8.</P><P>I have this request from client to disable the transport admin access from moving Transport Request to Production which owner is their own ID. At the same time, transport admin still can move transport to Production for others.</P><P>Is there a control that can be placed by identifying the user group to prevent certain user group from transporting their own transport to Production but can transport for other user group to Production?</P><P>&nbsp;</P><P>Thanks.</P><P>Best regards,</P><P>Scott</P> 2024-12-14T02:45:28.160000+01:00 https://community.sap.com/t5/enterprise-resource-planning-q-a/s4hana-upgrade-from-2021-to-2023/qaq-p/13969752 S4HANA Upgrade from 2021 to 2023 - 2024-12-21T14:35:16.109000+01:00 Shubham024 https://community.sap.com/t5/user/viewprofilepage/user-id/1781590 <P>S4HANA Upgrade from 2021 to 2023 -</P><P>Please let me know the checklist for SAP Security consultant.&nbsp;</P><P>Checklist means - What needs to be done from Security side as a part of assessment.</P><P><a href="https://community.sap.com/t5/c-khhcw49343/SAP+Community/pd-p/486157991894093153608181816584982" class="lia-product-mention" data-product="1161-1">SAP Community</a>&nbsp;<a href="https://community.sap.com/t5/c-khhcw49343/UI+SAP+GUI+for+Windows/pd-p/345385326078662132058122667685214" class="lia-product-mention" data-product="1125-1">UI SAP GUI for Windows</a>&nbsp;<a href="https://community.sap.com/t5/c-khhcw49343/SAP+Fiori/pd-p/73554900100700000977" class="lia-product-mention"
data-product="18-1">SAP Fiori</a>&nbsp;</P> 2024-12-21T14:35:16.109000+01:00 https://community.sap.com/t5/enterprise-resource-planning-q-a/security-test-rise/qaq-p/13970725 Security Test Rise 2024-12-23T20:55:58.921000+01:00 LucasBeraldi https://community.sap.com/t5/user/viewprofilepage/user-id/149568 <P>What can I test in my RISE environment by hiring a Pentest for my entire virtual environment?</P> 2024-12-23T20:55:58.921000+01:00 https://community.sap.com/t5/technology-q-a/s2s-vpn-requirement/qaq-p/13983542 S2S VPN requirement? 2025-01-12T21:27:10.836000+01:00 DGMagni https://community.sap.com/t5/user/viewprofilepage/user-id/154914 <P>Hello Experts:</P><P>I have inserted two images here for my question.&nbsp;</P><P>Our client is an existing SAP customer (installed base) on ECC. They are moving to RISE with SAP and are raising questions about the requirement for a S2S VPN connection - as shown here from "Customer Premise" in the upper left hand corner.</P><P>They want to know WHY a S2S VPN is mandatory. They would prefer not to have to use one.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image (6).png" style="width: 838px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/211029iED638187ED880CCD/image-size/large?v=v2&amp;px=999" role="button" title="image (6).png" alt="image (6).png" /></span></P><P>This customer would prefer to explore THIS option.</P><P>The reason why they prefer this option is that they do not want to have remote users - i.e.
those working from home or in their offices and already "in the cloud" - to have to activate a VPN before logging into their SAP environment on RISE.&nbsp;</P><P>Why is a S2S VPN mandatory?&nbsp;</P><P>Thank you in advance</P><P>Dan Magni</P><P>Daniel.Magni@Ameri100.com</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image (7).png" style="width: 802px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/211030i6146656BF7085D9A/image-size/large?v=v2&amp;px=999" role="button" title="image (7).png" alt="image (7).png" /></span></P> 2025-01-12T21:27:10.836000+01:00 https://community.sap.com/t5/technology-q-a/enquiry-on-sql-anywhere-17-0-10-6089-quot-sap-jre-quot-jre180-security/qaq-p/14008865 Enquiry on SQL Anywhere 17.0.10.6089: "SAP JRE" JRE180 Security Vulnerability 2025-02-06T09:35:55.819000+01:00 yy25 https://community.sap.com/t5/user/viewprofilepage/user-id/1985745 <P><SPAN>Hi, I'm currently using SAP Anywhere 17.0.10.6089 as the database for our application. SAP JRE located at `C:\Program Files\SQL Anywhere 17\bin64\jre180`. The insta</SPAN><SPAN>lled JRE version is 8.0.31.</SPAN></P><P><SPAN>Did this version of SAP JRE (8.0.31) have any known security vulnerabilities? If so, I would appreciate guidance on how to obtain and apply the necessary updates or patches to mitigate the risks.</SPAN></P><P>Thank you.</P> 2025-02-06T09:35:55.819000+01:00 https://community.sap.com/t5/technology-q-a/sac-data-leakage-prevention/qaq-p/14010764 SAC Data Leakage Prevention 2025-02-07T14:58:43.544000+01:00 Khaan https://community.sap.com/t5/user/viewprofilepage/user-id/1420914 <P>Hello SAC Technology Community</P><P>In different scenarios, I've been facing the question of how can we prevent data leakage on SAC. How can this be monitored elegantly? And are there options to get alerted by unusual activities?</P><P>It would be great if you have any ideas.</P> 2025-02-07T14:58:43.544000+01:00