Climbing out of my “dark wood” of Solution Manager 7.1 security
Dante’s epic poem, Divine Comedy, opens with an oft-quoted verse:
Nel mezzo del cammin di nostra vita
mi ritrovai per una selva oscura,
ché la diritta via era smarrita.
In the middle of the journey of our life
I found myself within a dark wood,
For the straightforward pathway had been lost.
A verse perfectly capturing my sense of stumbling through the wilderness of SAP Solution Manager security after 15+ years of confident and largely successful work in SAP security; I have found myself quite flummoxed with repeated security issues in our SolMan system. Every time I turn around, or so it seems, my Basis team reports another authorization failure. Fix one hole and the security model would spring another leak somewhere else. These issues started long before I arrived on the scene, but now they are mine to resolve.
My first thought was to find some SAP education on SolMan security; unfortunately:
Searches of the SAP Education curricula turned up nothing at all, not even virtual learning. A similar search on SCN turned up a discussion with nothing for a response but a recommendation and link to the security guide, a sad state of affairs to be sure. In the distant past, I had taken SAP courses that offered some security content even if the majority of the curriculum was not security, just to get the learning, but even that relatively expensive option seems to be not an option here. When one of our Basis guys returned to the office after taking a SolMan course, I quizzed him: “So what did they say about security in your course?” “Nothing,” he said.
My second thought was to leverage the learning that surely must exist, or so I told myself, within our user group. So I posted a question on the ASUG Security SIG discussion, pleading for anyone with SolMan security expertise to do a web cast for us. Not a single response – zip, zilch, nada.
In the meantime I was scheduled to speak at the ASUG All Texas Chapters Meeting in Plano last November, where I attended an excellent presentation on SolMan given by SAP’s Brad Saxon, Solution Manager 7.1: How to best utilize the capabilities you already own. Although the presentation was not intended for a security audience, it did at least give me a sense of the wide range of capabilities and scenarios of SolMan 7.1, and I came away with a new appreciation for the complexity of designing a security model for such a solution.
After reaching out in my personal network, my SAP Mentor colleague and the Security SIG’s SAP Point of Contact extraordinaire, Peter McNulty, came to my rescue, as he so often does. Peter located me a Solution Manager developer, Dr. Annett Michel at SAP AG, to present to us on Solution Manager security. In a one-hour web cast, there was only so much that Dr. Michel could cover, but I took away the key differences between two types of roles in SolMan, navigation roles and authorization roles, how to identify one kind from the other, and why they should be handled differently by security admins at upgrade time. She did concede that SolMan security is quite complex and is best handled by the Basis team and security team working together, each bringing their own expertise to the discussion, but that begs the question, how to get the necessary expertise, since many of the key authorization objects in SolMan are unlike those in other components. She also convinced me that I was going to have to break down and attempt to download a SolMan security guide. If you have not yet attempted it, yes, with enough time, patience, fortitude, and strong coffee, it can be done. Make enough attempts and all 66.7 MB of it will eventually download, and then you, too, will be the proud owner of 500+ pages of sleep-inducing, er, that is, reference material. Not that slogging through hundreds of pages of technical reading is my preferred learning mode, but one takes what one can get.
First thing I did was a keyword search on the process at the heart of our current security breakdown, end-to-end monitoring. That term was found exactly once in the entire document, and the content was not detailed enough to provide any kind of quick fix. So much for that thought. Now I am following Dr. Michel’s suggestion of focusing on Chapter 9 to start, leaving the other 24 chapters/400+ pages for another day/year/incarnation. I have found some clues on one of our current issues, and I am hopeful that I will soon find my way to Paradiso, or at least, out of the dark wood and into some enlightenment.