SAP Solution Manager® (Solman) is a central system used to manage and control the company's other SAP® systems, including their main configuration, transports (ChaRM), and security.
Solman offers many tools to check security; the most important ones are:
- System Recommendations
- Configuration Validation
- Early Watch
- Security Optimization Service
System Recommendations
It is good to know the context first.
On the second Tuesday of every month (SAP® Security Patch Day), SAP® publishes a list of new Notes with their priority and CVSS (Common Vulnerability Scoring System) score. From this page it is possible to open the SAP® Portal and see all the notes available for the organization's different systems. However, to check the status of all these notes, it is necessary to access the different environments of each system.
System Recommendations, because it runs on a central system, can check the status of all notes in all systems of the organization without accessing each system. The tool offers options such as:
- One view with all systems and the notes which affect them: Security Notes, Hot News (security notes with Very High Priority), Performance Notes, Legal Change Notes or License Audit Notes.
- Filter the notes with different options, like system, type of note, Processing Status, priority, etc.
- Prerequisites of the notes, to check whether any actions have to be performed before implementing them.
- Impact analysis of the notes.
- Transport notes.
- Objects affected if the note is implemented.
- And some more…
In the list of notes, the user can also change the processing status or create a new status, which makes the notes easier to maintain.
To sum up, System Recommendations is a very useful tool to manage the notes and check their status in order to decide whether to implement them, all in a simple view.
Configuration Validation
This tool compares the security configuration and parameters of an organization's systems against a best-practice system.
This best-practice system is called the Golden Client or Target system and can be configured as the organization wants. For example, the password length parameter can be set to 10 characters in the target system, and the tool will compare this parameter in all the systems the organization chooses and indicate whether it is lower, higher or equal. The same applies to all parameters and security configuration.
To make the golden client easier to configure, the parameters and security configuration are grouped into small stores, so it is possible to compare only one or some stores rather than all of them. It is also possible to create different golden clients with different stores.
The reports that provide this information can be run on demand or periodically.
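The comparison described above can be sketched in a few lines. This is an added example, not Solution Manager code or its API: the store names, system IDs and values are constructed sample data, and it goes slightly beyond the text by also reporting missing parameters and non-numeric values.

```python
# Added illustration: models the comparison idea only, not Solution Manager's API.
# Store names, system IDs and values below are constructed sample data.

TARGET = {  # the "golden client": expected values grouped into stores
    "PASSWORD_POLICY": {"login/min_password_lng": "10",
                        "login/password_expiration_time": "90"},
    "LOGON": {"login/fails_to_user_lock": "5",
              "login/no_automatic_user_sapstar": "1"},
}

SYSTEMS = {  # values collected from each compared system
    "DEV": {"PASSWORD_POLICY": {"login/min_password_lng": "6",
                                "login/password_expiration_time": "90"},
            "LOGON": {"login/fails_to_user_lock": "12"}},
    "PRD": {"PASSWORD_POLICY": {"login/min_password_lng": "12",
                                "login/password_expiration_time": "90"},
            "LOGON": {"login/fails_to_user_lock": "5",
                      "login/no_automatic_user_sapstar": "1"}},
}


def classify(actual, expected):
    """Return lower / equal / higher for numbers, equal / different otherwise."""
    if actual is None:
        return "missing"
    try:
        a, e = int(actual), int(expected)
    except ValueError:
        return "equal" if actual == expected else "different"
    return "lower" if a < e else "higher" if a > e else "equal"


def validate(systems, target, stores=None):
    """Compare the chosen stores (default: all) of every system to the target."""
    findings = []
    for sid, collected in sorted(systems.items()):
        for store in stores or sorted(target):
            for param, expected in sorted(target[store].items()):
                actual = collected.get(store, {}).get(param)
                findings.append((sid, store, param, actual, expected,
                                 classify(actual, expected)))
    return findings


if __name__ == "__main__":
    for row in validate(SYSTEMS, TARGET, stores=["PASSWORD_POLICY"]):
        print("{:4} {:16} {:32} actual={} target={} -> {}".format(*row))
```

Whether "lower" or "higher" is the weaker setting depends on the parameter: a shorter minimum password length is weaker, while a higher number of allowed failed logons before lock is weaker.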
Early Watch
This report gives information on the security parameters and configuration of an organization's systems.
It is quite similar to Configuration Validation, but Early Watch does not require a Golden Client to be configured, because it is a report that sends the status and values of the configuration and security parameters, and also covers the performance and stability of the systems.
This report also gives explanations of several points and, in some cases, recommendations, for example on the length of the password. Note “2425024 – Early Watch Alert: Sample Reports” contains sample Early Watch reports for different systems.
Security Optimization Service
This security report covers user authorizations, security parameters and security reviews.
This tool allows configuring a Rule Set and running an analysis to find which users have the authorizations defined in the Rule Set. It is very useful, for example, to define the critical actions of IT and check which users have them.
Of course, it is not a Risk Analysis comparable to the one in the GRC tool, but it is an easy way to check, from a central system, which users have critical authorizations across all the organization's systems.
To sum up, Solution Manager is a central system with many functionalities and tools that help ensure the security and configuration of the organization's systems.
The main security tools make it possible to check and review the status of the notes and all the security parameters, to obtain configuration reports, and to run risk analyses.