How to extract Security Optimization Service Report (SOS)

Hello Everyone… So, this post is about how to run Security Optimization Service (SOS) Report in Solman 7.2. I am writing this because i could not find much about this on internet. Firstly, SOS report identifies potential security issues and provides recommendations on how to improve the security of your system. SOS report can be run on Solman 7.0, 7.1 and 7.2 versions.

Please follow the below steps to run the SOS report in Solman 7.2

1. Login to Solman system, run the TCODE -> SM_Workcenter and then navigate to SAP Engagement and Service Delivery tile.
2. A new tab will open and Click on My Sessions. Then click on Create new session.
3. Choose Security Optimization Service Session from the list and click on Next:
4. Assign the Technical system and then click on Next
5. Mention the details about the report and click on Next:
6. Click on Finish in review stage, a new tab will open
   1. There are three main steps viz. Prepare, Analyse and Report. And 4 sub steps of 1^st step i.e. Prepare. Click on Next and go to step 1 Select Logon to Managed System. There will be 2-4 types of options available.
   2. You can use Trusted “Current User” option, it will try with your ID, but make sure you have the ST14 access in the target system.
   3. If you do not have the access to ST14, you may use other option which is Login Screen. In this option, the logon pop-up will open, and you must put user ID and password which has ST14 access in target system.
7. Select the option and click on Test Selected Destination. Accordingly, put the credentials and Click Ok.The status will go Green, if not then some issues with the ST14 access. Click on Next and navigate to 1.2 Assign Questionnaire.Note -> there will be multiple options with 000 and productive clients based on the RFC’s. You can choose Productive client and it will extract the data from all the clients.
8. We can assign questionnaire in this step, i.e. we can maintain the exception list of administrators who should have elevated access. The same names will not appear in the SOS report. Will write another post on how to maintain the questionnaire. Here we are skipping this step. Click on next and navigate to step 1.3 Choose/Schedule Data Collection.
9. In this step, we have to run the ST14 job, which will run in the backend system and extract the data for the system and all the clients. Click on Schedule New ST14 Analysis run. It might ask for credentials again, if it does, please maintain one which has access to ST14 in the target system. Right away the job will be released. Navigate to the next step, i.e. 1.4 Customize Report Output. Or you may use the data from earlier run of ST14 job.
10. Navigate to next step, i.e. Customize Report Output. In this step, we can customize the report output.
    • Default – Will give you no of violations and 5 examples for each violation.
    • All – Will give you the list of all users.
    • None – Will just give the no of violations and the object details, but no examples.
    • Customer – Will give the no of violations and custom no of violations.
11. Click on Next and it will take to 2^nd Step, Analyze. You cannot Run analysis unless the Data Collection job is complete. It usually takes 5-10 minutes with minimal load on system. Once the Data Collection is complete, the status will turn to Green from Yellow.Click on Perform Analysis.This will show the SOS report output on the screen. We can still delete the entries from this output such as if there are any exceptions and not maintained in Questionnaire already. And the same will not be part of the final report.
12. To generate the report in PDF or word format, navigate to 3^rd Step, i.e. Report. You will get the confirmation box, click on Yes. And then click on Create Report and choose one option among SOS Report or SOS Report with questionnaire. The report generation takes 2-10 minutes based on the output of report. Once the report is generated, it will be available for download in the same session.

The objectives of SAP Security Optimization are:
– To analyze the technical configuration of your SAP system for security risks
– To provide a summarized overview of the implemented security level

The security checks of SAP Security Optimization are performed for the following security aspects:
– Availability,Integrity, Authenticity, Confidentiality, Compliance

For the violations related to critical access, the report shows the number of violations in system across clients and even the object details which causes the violation, e.g. fr control “Users – other than System Administrators – are Authorized to Maintain Trusted Systems (0240)” the object details are mentioned as below:

The report can work as a customized dashboard, we can maintain the exceptions and save it in questionnaire, those exceptions will not pop up in the SOS reports.