Skip to Content
Author's profile photo Jim Spath

beware of geeks baring grifts

[Kudos to]

ASUG.COM (Americas SAP Users Group) has an ongoing discussion forum thread titled: “Security Influence Council”

Multiple posters from well known companies discuss their wish lists for improvements in security management. I’ll paraphrase their ideas as best I can, shrouding their identities. ASUG.COM posts are “members-only” and Influence Councils often are subject to non-disclosure agreements, so I’m partly obfuscating here for effect. Members have exclusive access to SAP product management through channels designed to maximize the community voice of a large number of SAP customers.

The thread started in mid-October, just after SAP TechED 07 US concluded, with the potent question from G.C., “Have you noted flaws in the SAP security design? Do you have requests for enhancement?” It linked to the October 2007 ASUG BITI newsletter [], which summarized recent Security Influence Council requests. While SAP responded to open requests at TechEd, the customer concerns persist.

Thread capsule summaries

[2] PD:
“Authorization Group” AKA field BGRU usage seems to be incredibly complex cannot find good documentation … should be redesigned and simplified

[3] GL:

See Executive Keynote
1 hr and ~38 minutes in, SAP acknowledges the wide variety of authorization concepts contributes to the burden and expense of [enterprise] security support.

*** Identity Management has the potential for managing users, but no impact on improving authorization/role management***

Holger Mack [well-known SAP security product definition expert] later spoke about simplifying documentation; fewer authorization concepts is desirable.

[4] SL: silent authorizations confusing. SAP said: “No attribute for identifying ‘silent checks’ in the trace file”. Would like to see return code in trace file designating silent checks, and the checks not appear in SU53 as user errors.

[5] SG#1: SUIM reports should be 100% reliable.

[6] SG#2: SU53 is not 100% reliable; generic error that the S_CTS_ADM is missing with certain values. In all these cases, my analysis proved that the error shown is completely irrelevant to the error itself.

[7] LH: Job (role) based security in HR, with SAP focusing on Java development, where portal and Java gear toward user-based roles. Says Java is transparent [but ye editor thinks this means opaque].

[8] WM: Prior false starts (“Global User Manager”) [leaves experienced admins leery of the latest product announcements]. SU24 CRM backend has never been accurately updated with auth objects that link to BSPs. “should sell our USOBT_C table to other CRM customers.” 😉
like one of those russian doll nightmares where I keep opening up one, and there is yet another small one inside.. =)

[9] JA: Identiy Management 7.0. The only training was in Germany when I looked in 2007. Now the training site says that training materials have not yet been developed. need more standalone classes solely dedicated to security for this new technology. (We have purchased the online training for NetWeaver, but that is a poor substitute for hands-on training).

[10] GM: would like to see a standard best practice process documented and supported by SAP that distributes SAP Security Business Application control to individuals in the business depts.
many companies put too much on the shoulders of the technical security administrator and do not require enough hands on tasks for business owners, or delegated Super users for their departments.

[11] PR: struggling with the UME in NetWeaver since 2005 and haven’t found a good way to trace what a user is doing other than to try to decipher the java logs themselves. Those are extremely cumbersome. The other way I have found is to look into the Visual Administrator.

What Else?


I am sure the author of this SAP SDN Threats to the community- Government working with Businessintended the complete opposite of what I think — “Threats to the community – Government working with Business.” Just as I think the founders of the U.S. were on the right track separating church from state, it is right to separate business from government, from lobbyists, to telecommunications corporations giving away our privacy without due cause, warrants or legal review. Not to mention outsourcing mercenary activities to the lowest bidders. Cause for concern in my opinion!


I read this Single Sign-on – is it really desirable?and completely agree that different problems require different solutions. Follow up posters seem mainly to be from those interested in providing security solutions. Not so much noise from the harried security administrators who need to execute the goals.


An issue many software vendors gloss over is that customers may already have solutions in place, incompatible with the latest and greatest versions the account representative wants to unload. I don’t know how many times I’ve heard the pitch – “we bought (or developed, or whatever) this new solution to your problem”. “But we already have a solution that works”. “This one is better.” Not cheaper, not faster, and rarely easier. It’s just the product of the month. I usually ask, “will you pay to retrofit my customizations and configurations, train my users and staff the help desk for the first 90 days as part of this wonderful deal?” The answer never seems to be “no problem.”

For SAP, I keep hitting this with Solution Manager. “Oh it has Change Control”. Well, gosh, we’ve been using a third party change management system for years. I believe ChArM might be better, but where was it when we needed it?


I’m no security expert, but I know a few. What they tell me is that the SAP Identity Management product approach is geared towards provisioning users, not towards the real goal they own, which is asset protection. There are many products that SAP has acquired or developed outside the core functionality of R/3 (the “Enterprise Resource Planning” – remember what Enterprisemeans???) with completely foreign methods of managing access control. Other vendors provide similar tools (anyone not running Windows desktops in their Enterprise, with Active Directory, or another LDAP directory not from SAP?).

When your company merges with another, acquires or is acquired, what do you find? They’ve implemented security and identity management in a completely different way. During those times, it is good to be the acquirer, but only slightly, as all the remaining staff need to be re-provisioned in order to gain those fabled synergies the folks in shiny shoes promised.


ASUG Webcast: Central User Management with Windows Active Directory

WAS HELD FEB 7, 2008


  • Learn how to simplify user management
  • Understand how the J2EE engine accesses LDAP data
  • Understand the LDAP synchronization tools for ABAP provided by SAP


Tobias Waldvogel, SecurIntegration GmbH. Tobias is an SAP Security Consultant employed by SecurIntegration GmbH.


I Don’t Want Identity Management, I Want Identity Theft Protection, Or Insurance.

{other than the folks I liberally quoted from above, all opines are mine alone}
Steve Wallach … coined the phrase, “I’m not puttin’ a bag on the side of the Eclipse.”

This blog was inspired by Gali, who claims to believe that I can write about any topic.  I got an extra day this month but almost missed.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Gali Kling Schneider
      Gali Kling Schneider
      During the migration process problems have been reported for this blog. The blog content may look corrupt due to not supported HTML code on this platform. Please adjust the blog content manually before moving it to an official community.
      Author's profile photo Former Member
      Former Member
      Hello Jim,

      There are a number of threads here in the SDN Security Forum which support some of the points your ASUG colleagues have pointed out (I do not have access to the details within the ASUG site though).

      However, with some trickery we have been able to solve the majority of them. I think the problem in many cases is that the skills required to deploy the tips & tricks and keep the security concept intact are too high. Many folks misunderstand the concepts.

      In my opinion it is a matter of complexity management, but then again no one said it was easy (PS: I dont have contact to the account managers :-).


      Author's profile photo Jim Spath
      Jim Spath
      Blog Post Author
      Julius: sounds like you are on the user end of the stick rather than the account teams.  We've learned over the years to cut through the ad maze.  Sounds like you do the same in your region.  Do you belong to another SAP community (beyond SDN/BPX)? I know there is an SAP Users Group - DSAG - in Germany; don't know about Switzerland (if I read your flag decal rightly). Jim
      Author's profile photo Former Member
      Former Member
      Hello Jim,

      Actually, I am on the accounting end of the stick, but am interested in security.

      No, I am not a member of any other SAP community, only SDN as a bit of a hobby which got out of hand.

      FYI: It is BEGRU and not BGRU -> In my opinion a clever concept for having optional security which can be built from the bottom up, particularly considering that granular security is often retro-fitted... (a.k.a cleaning up your own backyard 🙂

      Another good example is the switch from RFC_TYPE FUGR to FUNC. Very usefull security mechanisms, if the customer chooses to use it...


      Author's profile photo Former Member
      Former Member
      Hello Jim,

      Spurred by your blog, I joined some SAP User Groups (including ASUG, as we have systems in the US), read many interesting things, learnt a lot and also contributed to some of the current and old unanswered discussion topics, in the past 2 weeks.

      I am personally convinced that the (bigger) security problems (including myself) are firmly located in the interface between the chair and the keyboard (and the BANF objects - if used)... 🙂

      Cheers, and thanks for introducing me to the SAP User Groups.


      Author's profile photo Jim Spath
      Jim Spath
      Blog Post Author
      Julius -- To quote Humphrey Bogart from _Casablanca_ "... I think this is the beginning of a beautiful friendship."  I sincerely appreciate your challenging (and continuing) feedback.  Later. Jim