
Dante’s epic poem, Divine Comedy, opens with an oft quoted verse:

Nel mezzo del cammin di nostra vita
mi ritrovai per una selva oscura,
ché la diritta via era smarrita.

In the middle of the journey of our life
I found myself within a dark wood,
For the straightforward pathway had been lost.

A verse that perfectly captures my sense of stumbling through the wilderness of SAP Solution Manager security. After 15+ years of confident and largely successful work in SAP security, I have found myself quite flummoxed by repeated security issues in our SolMan system. Every time I turn around, or so it seems, my Basis team reports another authorization failure. Fix one hole and the security model springs another leak somewhere else. These issues started long before I arrived on the scene, but now they are mine to resolve.

My first thought was to find some SAP education on SolMan security. Unfortunately, searches of the SAP Education curricula turned up nothing at all, not even virtual learning. A similar search on SCN turned up a discussion whose only response was a recommendation to read the security guide, plus a link to it: a sad state of affairs to be sure. In the distant past I had taken SAP courses that offered some security content even when the majority of the curriculum was not security, just to get the learning, but even that relatively expensive option does not seem to be available here. When one of our Basis guys returned to the office after taking a SolMan course, I quizzed him: "So what did they say about security in your course?" "Nothing," he said.

My second thought was to leverage the learning that surely must exist, or so I told myself, within our user group. So I posted a question on the ASUG Security SIG discussion, pleading for anyone with SolMan security expertise to do a web cast for us. Not a single response – zip, zilch, nada.

In the meantime I was scheduled to speak at the ASUG All Texas Chapters Meeting in Plano last November, where I attended an excellent presentation on SolMan given by SAP’s Brad Saxon, Solution Manager 7.1: How to best utilize the capabilities you already own. Although the presentation was not intended for a security audience, it did at least give me a sense of the wide range of capabilities and scenarios of SolMan 7.1, and I came away with a new appreciation for the complexity of designing a security model for such a solution.

After reaching out in my personal network, my SAP Mentor colleague and the Security SIG's SAP Point of Contact extraordinaire, Peter McNulty, came to my rescue, as he so often does. Peter located a Solution Manager developer, Dr. Annett Michel at SAP AG, to present to us on Solution Manager security. In a one-hour web cast there was only so much that Dr. Michel could cover, but I took away the key differences between the two types of roles in SolMan, navigation roles and authorization roles, how to identify one kind from the other, and why they should be handled differently by security admins at upgrade time. She did concede that SolMan security is quite complex and is best handled by the Basis team and the security team working together, each bringing their own expertise to the discussion, but that raises the question of how to get the necessary expertise, since many of the key authorization objects in SolMan are unlike those in other components. She also convinced me that I was going to have to break down and attempt to download a SolMan security guide. If you have not yet attempted it: yes, with enough time, patience, fortitude, and strong coffee, it can be done. Make enough attempts and all 66.7 MB of it will eventually download, and then you, too, will be the proud owner of 500+ pages of sleep-inducing, er, that is, reference material. Not that slogging through hundreds of pages of technical reading is my preferred learning mode, but one takes what one can get.

The first thing I did was a keyword search for the process at the heart of our current security breakdown, end-to-end monitoring. That term appears exactly once in the entire document, and the content was not detailed enough to provide any kind of quick fix. So much for that thought. Now I am following Dr. Michel's suggestion of focusing on Chapter 9 to start, leaving the other 24 chapters / 400+ pages for another day/year/incarnation. I have found some clues on one of our current issues, and I am hopeful that I will soon find my way to Paradiso, or at least out of the dark wood and into some enlightenment.


19 Comments


    1. Gretchen Lindquist Post author

      Tammy,

      We started our SolMan security model with copies of the standard delivered roles, but I am finding that they come with quite a few open auths that I hesitate to plug with wild cards, so there is still a lot of trial and error. I also conferred with SolMan expert John Krakowski when we were in Atlanta at the ASUG volunteer meeting, and he concurred that simply copying the delivered roles was not enough, that a good bit of further adjustments would be required or security problems would result.

      But thanks for the link to that wiki, I seem to recall finding it once upon a time, and now I have a link to it again.

      I appreciate your comments.

      Cheers,

      Gretchen

      1. Tammy Powlas

        I totally agree, adjustments need to be made after copying standard roles.  Somehow we made it all “work” but we are not using all the components of SolMan (yet) – just a subset. 

        The wiki has been a big help.

  1. Jim Spath

    “No results matched your search query.” I get that a lot.  Thanks for sharing. We’re starting to rip out 7.0 and install 7.1. But I think few will notice the absence.

    1. Gretchen Lindquist Post author

      Jim,

      You failed to rise to the bait; I was expecting you to call me out for using that naughty word, Basis. However, after the SolMan developer used it herself, in fact more than once during our web cast(!), I felt safe in including it here. The Basis-guys-by-any-other-name can laugh, but that is what we still call it here.

      Good luck on your upgrade. I will look forward to your reporting on it.

      Gretchen

      1. Jim Spath

        It’s not a bad word in my world, only for those inside the mothership…

        She also convinced me that I was going to have to break down and attempt to download a SolMan security guide

        URL please?

        😎

        1. Gretchen Lindquist Post author

          Jim,

          They are in the Service Marketplace, under Support Portal> Installation and Upgrade Guides> SAP Components> SAP Solution Manager> (your release) Operations.

          There is one for each SP, which is a bit scary in and of itself (does SolMan security really change that much from one SP to the next that it takes a new 66 MB guide to sort it out? Perhaps so).

          https://service.sap.com/~form/sapnet?_SCENARIO=01100035870000000202&

          Gretchen

  2. Raquel Pereira da Cunha

    Hi Gretchen,

      I agree that security in Solution Manager is a dark wood. I have suffered a lot during all these years, but I have to confess that it's much better now than when I started. Many times I had to read the SolMan code searching for authorization checks and run a trace in order to understand how things work and correct missing objects in the standard roles. It happened once that I had some ChaRM roles with important CRM transaction types missing, and after an OSS message SAP released a note to correct it, because the process would never work with the standard role the way it was. But that was a long time ago, in SolMan 3.2.

    The security guide is very long and complex, but many times it has explained important information that I could not find in any other document. Still, we need clearer documentation or specific training for this to become less complicated. Every time I go to a new customer and give the Security Guide to their security team (which almost 100% of the time is the Basis team, with very few people), they want to "kill" me, "shoot" me, "run away" from me, etc. So, at least for my specific areas (ChaRM, QGM and Incident Management), I usually do everything by myself and give them the roles ready to use.

    Only copying the standard roles never worked: first because they used to come with everything open, waiting for us to define, and there was not enough documentation to help understand what should be included in each object, so it was hard work to activate them. Then a lot of roles started to come with everything green (some people may think "oh good, now we don't need to spend a lot of time putting * in everything we didn't know what to do with in order to activate the roles and start working"), but at the same time we need to adjust them and make them work the way they should according to the customer definitions. The objects are very different from other SAP solutions (most people I work with are aware of ERP objects only). In ChaRM and Incident Mgt we have to work mostly with CRM objects, which are not familiar to people who never worked with CRM, and now with the Web UI it has become even more complex. And besides that, if you copied the roles when you were, for instance, on SP4 and you go to SP5, surprise! You have new objects being checked that you don't even have in the new version of the roles delivered with SP5, but you only find out about it after your process fails and you find an SAP Note. And that happens fairly often when you have a new SP, so you need to download the long Security Guide for every SP and adjust the existing roles very often.

    I wish you good luck in your dark wood climbing and hope you find your way out. If you need some help, at least with roles for ChaRM, QGM and Incident, don’t hesitate to contact me. I would be glad to help.

    Best regards,

    Raquel

    1. Gretchen Lindquist Post author

      Raquel,

      Thank you for your kind offer; I may take you up on it if I don’t get this security sorted out soon. I am sure that they will want to install another SP this year, and you are telling me that then I will very likely be facing a wholly new set of issues. Yikes!

      You perfectly described our experiences with the SAP delivered roles; when the auths are open, it is very tricky to determine the correct values, and one cannot assume that wild card is always necessary or safe.

      Thanks for your comments. I will plan to follow with an update on how things turned out for us.

      Cheers,

      Gretchen

  3. Jansi Rani Murugesan

    Hi,

    This is what I felt: the world is very small!!!

    Exactly last month, with my new SolManUp project, I faced the same problem. The first constraint from my client is the same as yours: to control the auth objects based on responsibility (like key user, end user). The second constraint is about secure connection, which I shared in my earlier blog:

    Setting Up Highly Secured SAP Solution Manager Environment!!

    I hope you have read half the story in my blog.

    One more constraint which I did not add there: the client has their own defined list of auth objects which are considered very critical and cannot be assigned to anyone except the super user. This means I need to manually go through each and every used role of SolMan and remove the client-defined critical auth objects.

    So we have three things in hand to do with respect to SolMan security on my client's side.

    I also downloaded the security guide, 70 MB and almost 550 pages, and was totally lost. I was afraid, since the deadline given was less than a month, but after reading some parts of the security guide I could easily understand the Solution Manager security strategy.

    It is quite different from other ECC products; in SolMan all roles (both navigation and auth roles) are grouped under the roof of their respective functions, so you can easily adjust them as you wish.

    We took this on as a project. We are five in a team, very cooperative; we divided the topics in the security guide, e.g. technical monitoring roles taken care of by one person, project management by another, and so on. I felt even the security guide is designed to work like this.

    I worked on the project management roles. I assigned the navigation roles and controlled them using auth objects, meaning my BASIS1 team can only view the projects and go to the work centers, but with display access only.

    Similarly, all the managers can execute the solman_setup tcode, but they don't have edit authorization. We adjusted these as Z roles.

    Our journey has not stopped yet; we also plan to create the user groups and sync the roles and auths with them.

    So I would suggest to you, before starting with this, make a clear plan: these are the changes I need to make in my system. Once the clear aim is fixed, you can work on it and deliver it. Best of luck!!

    Please update us with your story 🙂

    Thanks

    Jansi

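Two of the comments above describe the same practical chore from different angles: Raquel's point that a Z copy made on one SP can silently lack objects the next SP's delivered role starts checking, and Jansi's point that a client-defined list of critical authorization objects must be stripped from every role except the privileged one, after first deciding what to do with fields still carrying a full wildcard. The script below is an added example written for this page; it is not code from the post, from any commenter, or from SAP. The semicolon-separated ROLE;OBJECT;FIELD;VALUE format, the role names, the sample values, and the mapping of Z roles to their delivered sources are all constructed for the example (SM_WC_VIEW is used only as an illustrative "newly checked" object); a real run would be fed from whatever role export your Basis team can produce.

```python
"""Constructed example: checks on copied SAP roles that the comments above
describe doing by hand: open wildcards, critical objects outside the
privileged role, and objects a delivered role gained between two SPs.

The ROLE;OBJECT;FIELD;VALUE line format is an assumption for this example,
not an SAP export format; all sample data below is constructed."""
from collections import defaultdict

# Constructed sample: the same delivered role on two SPs, plus the customer's Z copies.
DELIVERED_SP4 = """\
SAP_SM_MON;S_TCODE;TCD;SOLMAN_WORKCENTER
SAP_SM_MON;S_RFC;RFC_NAME;*
SAP_SM_MON;S_RFC;ACTVT;16
SAP_SM_MON;S_TABU_DIS;DICBERCLS;*
SAP_SM_MON;S_TABU_DIS;ACTVT;03
"""
# SP5 adds an object the SP4 copy never saw (object name illustrative only).
DELIVERED_SP5 = DELIVERED_SP4 + """\
SAP_SM_MON;SM_WC_VIEW;WC_ID;SM_WORKCENTER_TECHMON
SAP_SM_MON;SM_WC_VIEW;ACTVT;03
"""
CUSTOM = """\
Z_SM_MON;S_TCODE;TCD;SOLMAN_WORKCENTER
Z_SM_MON;S_RFC;RFC_NAME;*
Z_SM_MON;S_RFC;ACTVT;16
Z_SM_MON;S_TABU_DIS;DICBERCLS;SS
Z_SM_MON;S_TABU_DIS;ACTVT;03
Z_SM_MON;S_USER_GRP;CLASS;*
Z_SM_MON;S_USER_GRP;ACTVT;*
Z_SM_ADMIN;S_USER_GRP;CLASS;*
Z_SM_ADMIN;S_USER_GRP;ACTVT;*
"""
# Client-defined critical objects and the only roles allowed to carry them (assumed).
CRITICAL_OBJECTS = {"S_USER_GRP"}
PRIVILEGED_ROLES = {"Z_SM_ADMIN"}
# Which delivered role each Z copy was taken from (assumed mapping).
COPIED_FROM = {"Z_SM_MON": "SAP_SM_MON"}


def parse_roles(text):
    """Return {role: {object: {field: set(values)}}} from the constructed format."""
    roles = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        role, obj, field, value = (part.strip() for part in line.split(";", 3))
        roles[role][obj][field].add(value)
    return roles


def find_open_auths(roles):
    """Fields still holding a full wildcard: each one is a decision, not a default."""
    return sorted((role, obj, field)
                  for role, objs in roles.items()
                  for obj, fields in objs.items()
                  for field, vals in fields.items() if "*" in vals)


def find_critical_leaks(roles, critical, privileged):
    """Critical objects present in any role that is not on the privileged list."""
    return sorted((role, obj) for role, objs in roles.items()
                  for obj in objs if obj in critical and role not in privileged)


def find_new_objects(old_delivered, new_delivered):
    """Objects a delivered role gained between two SPs."""
    return sorted((role, obj) for role, objs in new_delivered.items()
                  for obj in objs if obj not in old_delivered.get(role, {}))


def find_missing_in_copies(new_delivered, custom, copied_from):
    """Objects in the current delivered role that the Z copy never received."""
    return sorted((zrole, obj) for zrole, src in copied_from.items()
                  for obj in new_delivered.get(src, {})
                  if obj not in custom.get(zrole, {}))


def run_checks():
    """Run all four checks over the constructed data and return the findings."""
    sp4, sp5, custom = (parse_roles(t) for t in (DELIVERED_SP4, DELIVERED_SP5, CUSTOM))
    return {
        "open_auths": find_open_auths(custom),
        "critical_leaks": find_critical_leaks(custom, CRITICAL_OBJECTS, PRIVILEGED_ROLES),
        "new_objects": find_new_objects(sp4, sp5),
        "missing_in_copies": find_missing_in_copies(sp5, custom, COPIED_FROM),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}:")
        for item in findings:
            print("   ", *item)
```

Run as-is, the report flags the S_USER_GRP wildcards in both Z roles, S_USER_GRP sitting in Z_SM_MON where the client's policy does not allow it, SM_WC_VIEW as the object SAP_SM_MON gained on SP5, and that same object as missing from Z_SM_MON. The "open_auths" list is deliberately a review queue rather than an auto-fix: as the author notes in the comments, a wildcard in a delivered role is neither always necessary nor always safe, so each entry needs a decided value before the role goes live.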
    1. Gretchen Lindquist Post author

      Jansi,

      Thank you for sharing your experiences. After reading about your approach, I must confess that I am even more concerned, as this is not a “project” for me, just something I do in my “spare time” when I can carve time away from my #1 priority, which is being a PM on our migration to GRC 10.0. I will certainly share your comments with my management so that they are aware of the resource intensiveness such an effort may require if they want to do it right.

      And yes, I did find your blog, and I plan to utilize it as a resource. Thanks for posting it!

      Cheers,

      Gretchen

  4. Jeanne Carboni

    Hi Gretchen,

    Thanks for the combination of poetry and technology. A great reminder for all of us that it is possible to combine the right and left brain activities for such a comparison. I've not worked with SolMan, so I can't help out with that, but I'm getting pretty knowledgeable on the Jive platform. 😉

    Please do keep us posted on your story, with poetry.

    Jeanne

    1. Maria Cecilia Calzada de Neumann

      Dear Fabio, I am contacting you because you are an SAP Mentor. Could you please send me your email address? Perhaps you could help us at SAP University Alliances with contact to students, clients, and partners in SAP University Alliances in Latin America.

      Many thanks!

      Kind regards, Maria Calzada

  5. Gretchen Lindquist Post author

    Thanks, everyone, for your comments. I am really surprised that no one has asked me yet, why it took me so long to get around to downloading the security guide. Besides it being huge and  a time-consuming endeavor, I honestly thought that if security in Solution Manager was all that different from everything else, SAP would be offering training on it, and since they do not, how difficult could it be? Well, plenty difficult as it turns out. It still astonishes me that SAP offers no security education on a component that is becoming so essential in our landscapes and is inherently risky. If anyone from SAP Education would like to comment on that decision, I would welcome some enlightenment.

    Gretchen

    1. Tammy Powlas

      Gretchen Lindquist

      There is an Expert Guided Implementation (EGI) for Solution Manager called "Tool & Process Setup: Roles and Authorization Concept". Enterprise Support customers can register for free for open courses at http://service.sap.com/esacademy

      I took it last year; my memory is a little fuzzy as I got up early in the morning for it (it was on European time). EGIs are great, as you spend 2 hours in lecture and then the rest of the day on "homework" with expert help. It is a commitment of time on your side, however.

      I checked and there are 2 more upcoming sessions (one during ASUG Annual Conference).

      Still, I think this might be better than any other education offering, as SolMan does change between SPs.

      Regards,

      Tammy

      1. Gretchen Lindquist Post author

        Tammy,

        Thanks for pointing out that offering. I applaud that you got up so very early to do that training! 10 AM CET is really early in Houston, but I may have to break down and do it in June if that is my only option. Or perhaps we could convince SAP to offer it at a more hospitable hour for North America.

        Cheers,

        Gretchen
