Skip to Content
Technical Articles

How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder

Introduction

In modern times of industrial espionage, leaked information and blackmailing, it is essential to deal with the security of SAP Systems.

Centralized and summarized presentation of current configuration parameters becomes more and more necessary to gain an ideal overview of the security status of IT landscapes. This is what so-called “Dashboards” can do.

Recent survey results¹ of the German-speaking SAP user group “DSAG” showed that the majority of respondents do not use a central SAP Security Dashboard.

On this topic there is a lot of information in different places. This blog post aims to give a summarized step by step guide on how to use Solution Manager “Configuration Validation” and “Dashboard Builder”² to implement custom fiori-based Security Dashboards.

As a simple example, the following profile parameters for password minimum requirements³ are used:

Setting Profile Parameter Recommendation
Minimum password length login/min_password_lng 8
Number of lowercase letters login/min_password_lowercase 1
Number of uppercase letters login/min_password_uppercase 1
Number of digits login/min_password_digits 1
Number of letters login/min_password_letters 1
Number of special characters login/min_password_specials 1

 

Contents

This blog post is structured into the following parts:

  1. Where can I find Solution Manager Dashboard Builder?
  2. Create a new Dashboard
    1. Create Category
    2. Create Dashboard
    3. Create Group
  3. Create a Configuration Validation Report
    1. Create Target System
      1. Create Target System from selected Source System
      2. Adjust Configuration Items in the Configuration Store
    2. Create Comparison List
    3. Run Validation Report
  4. Display Configuration Validation Report results in the Dashboard
    1. Create Dashboard Tiles
      1. Choose the Configuration Validation Target System
      2. Choose the Configuration Validation Comparison List
      3. Further configuration
    2. Create Drill-Down view
    3. View the Dashboard
    4. Detailed Dashboard Tiles configuration parameters
  5. Extended Concept(s)
  6. Appendix
    1. Useful Configuration Stores for Security Reporting

 

Step 1: Where can I find Solution Manager Dashboard Builder?

Dashboard Builder is accessible in the Fiori Launchpad tile “Configuration Analytics and Dashboards”, which is hidden in the standard view.

You can enable the tile by personalizing the Home Page:

Transaction “SM_WORKCENTER” >> bottom right corner >> Personalize Home Page
My Home >> “+” Tile (Open App Finder)
Catalog “SAP Solution Manager Configuration” >> Tile “Configuration Analytics and Dashboards” >> “+” Button (Add tile to group “My Home”)
Top left corner >> Home Button
Bottom right corner >> Exit Action Mode
The tile for starting Dashboard Builder has been enabled

 

Step 2: Create a new Dashboard

Individual Dashboards in “Dashboard Builder” are structured in Categories. Each Dashboard consists of Groups and Tiles:

 

2.1: Create Category

 

Bottom right corner >> New Dashboard
Edit Category
Add new Category
Enter a custom name
Save in $TMP (we are in a development environment and do not want to transport)
The Dashboard Category “Security” is available

 

2.2: Create Dashboard

 

Bottom right corner >> New Dashboard

Enter a custom name (in this case “Test Security Dashboard”)

Choose the Category “Security”

Enable 15 Minute(s) auto refresh (Optional)

Save in $TMP (we are in a development environment and do not want to transport)
Within the Category “Security”, the (empty) Dashboard “Test Security Dashboard” is available

 

2.3: Create Group

 

Bottom right corner >> Create Group
Enter a custom name (in this case “Password Requirements”)
Again, save in $TMP (we are in a development environment and do not want to transport)
Within the Dashboard “Test Security Dashboard”, the Group “Password Requirements” is available

Before the Group can be filled with tiles, it is necessary to create a Report in Configuration Validation. Its results are then displayed in the dashboard.

 

Step 3: Create a Configuration Validation Report

In the Solution Manager Launchpad, the tile “Configuration Validation” can be found in the “Root Cause Analysis” Group:

Configuration Validation compares the configuration of SAP systems in a system comparison list with a predefined state of a target system:

 

3.1: Create Target System

 

A target system is created from an existing source system. This includes various Configuration Stores with individual Configuration Items.

The parameters mentioned in the example are Configuration Items in the Configuration Store “ABAP_INSTANCE_PAHI” (Store for profile parameters).

 

3.1.1: Create Target System from selected Source System

 

Switch to “Target System Maintenance”
Select “Display all” for choosing a Source System

Select a (AS ABAP) Source System

Select Config Store “ABAP_INSTANCE_PAHI”

Push “Create from selected Stores”

Save the new Target System
>> Saving was successful, the Target System has been created

 

3.1.2: Adjust Configuration Items in the Configuration Store

 

Switch to “Edit”
Select Target System “TST”
Open Config. Store “ABAP_INSTANCE_PAHI”
Select the relevant items
Delete unselected items
Adjust Operators and Values
Save, the Target System “TST” for validating password minimum requirements has been created

 

3.2: Create Comparison List

 

Switch to “Comparison List Maintenance”
Create new “Dynamic” Compare List (so future new systems will be added automatically)

Enter a custom Name and Description

Filter for System type “ABAP*”

“Refresh” to verify the list

Save the Comparision List
The Comparision List “ALL ABAP” for validating against all ABAP Systems has been created

 

3.3: Run Validation Report

 

Switch to “Report Execution”
Create new record
Select Validation Template
Transfer Report “0TPL_0SMD_VCA2_CITEMS_REF”
Select Reference System
Transfer Target System “TST”
Select Comparison List
Transfer Comparison List “ALL ABAP”

Expand “Optional Settings”

Check “Suppress query variable pop-up”

Number of rows displayed “100”

Save current selection in Report Directory
Start Report
The Configuration Validation Report about password minumum requirements has been created

 

Step 4: Display Configuration Validation Report results in the Dashboard

Back in Solution Manager Dashboard Builder, the tiles can now be created.

 

4.1: Create Dashboard Tiles

 

Bottom right corner >> Create Custom Tile

Enter Name and Description

Change Data Source Type from “BW Query” to “Function Module

The Function Module DIAGCPL_CV_DSH is the Dashboard Builder interface to Configuration Validation

>> Enter to activate the configuration

 

4.1.1: Choose the Configuration Validation Target System “TST”

(as created in “3.1: Create Target System“)

Right Click “Available Fields – Reference SID
Enter Value “TST” >>  OK

 

4.1.2: Choose the Configuration Validation Comparison List “ALL ABAP”

(as created in “3.2: Create Comparison List“)

Right Click “Available Fields – Comparison List of Systems
Enter Value “ALL ABAP” >>  OK

 

4.1.3: Further configuration

Right Click “Columns – Key Figures” >> Filter >> Select Filter Value
Change Value to “All”
Right Click “Available Fields – Aggregate on System Level” >> Filter >> Select Filter Value
Change Value to “X” (each system should be counted only once, despite the multiple password parameters)
Right Click “Available Fields – Compliance” >> Filter >> Select Filter Value
Enter Values “No” and “Item not found” (both statuses should be considered as “not compliant”)
Right Click “Columns – Key Figures” >> Thresholds >> Define Thresholds
Enter custom threshold values (depends on infrastructure size)
Bottom right corner >> Save
Within the the Group “Password Requirements”, the tile is available

 

4.4: Create Drill-Down view

 

>> Tile Settings

Change Details Page Template to “Drill-Down views”

>> Save

Click tile to enter Drill-Down page
Add a new Drill-Down view

Enter a custom name

Use the Function Module DIAGCPL_CV_DSH as interface to Configuration Validation

>> Enter to activate the configuration

Remove “Columns – Key Figures”
Add fields, that should be columns in the Drill-Down table (the table columns are defined in the “Rows” Section…)
In this example: Extended System ID, Store Name, Configuration Item, Configuration Item Value, Configuration Item Value Rule, Compliance, Store Timestamp
Right Click “Extended System ID” >> Sort >> Ascending

Choose the Configuration Validation Target System “TST” (as in 4.1.1: Choose the Configuration Validation Target System)


Choose the Configuration Validation Comparison List “ALL ABAP” (as in 4.1.2: Choose the Configuration Validation Comparison List)

>> Save

The Drill-Down view is available

 

4.3: View the Dashboard

 

Top right corner >> View mode

The dashboard is now in “View mode”

The generated URL can be used for distribution

 

4.4: Detailed Dashboard Tiles configuration parameters

 

Tile: Password Requirements

Parameter Value
KPI Type Custom
Name Password Requirements
Subhead
Description not compliant
Visualization Number-based
Size 1 X 1
Unit
Data Source Type Function Module
Data Source Name DIAGCPL_CV_DSH
Detail Page Template Drill-Down views
Rows
Columns Key Figures
Filter 1 Key Figures: All
Filter 2 Aggregate on System Level: X
Filter 3 Comparison List of Systems: ALL ABAP
Filter 4 Reference SID: TST
Filter 5 Compliance: No && Item not found
Thresholds All Less or Equal 0 show as Green
All Between 1 and 10 show as Yellow
All Greater or Equal 11 show as Red

Drill-Down View

Parameter Value
Name Drill-Down View
Data Source Type Function Module
Data Source Name DIAGCPL_CV_DSH
Visualization Table
Disable Visualization Switch
Jump to Application
Rows Extended System ID (Sort Ascending), Store Name, Configuration Item, Configuration Item Value, Configuration Item Value Rule, Compliance, Store Timestamp
Columns
Filter 1 Comparison List of Systems: ALL ABAP
Filter 2 Reference SID: TST

Tile: Password Requirements Compliance (Pie chart)

Parameter Value
KPI Type Custom
Name Password Requirements
Subhead Compliance
Description not compliant
Visualization Pie chart
Size 2 X 2
Data Source Type Function Module
Data Source Name DIAGCPL_CV_DSH
Detail Page Template None
Rows Compliance
Columns Key Figures
Filter 1 Key Figures: All
Filter 2 Aggregate on System Level: X
Filter 3 Comparison List of Systems: ALL ABAP
Filter 4 Reference SID: TST

Tile: Minimum password length

Parameter Value
KPI Type Custom
Name Minimum password length
Subhead
Description not compliant
Visualization Number-based
Size 1 X 1
Unit
Data Source Type Function Module
Data Source Name DIAGCPL_CV_DSH
Detail Page Template None
Rows
Columns Key Figures
Filter 1 Key Figures: All
Filter 2 Comparison List of Systems: ALL ABAP
Filter 3 Reference SID: TST
Filter 4 Configuration Item: login/min_password_lng
Filter 5 Compliance: No
Thresholds All Less or Equal 0 show as Green
All Between 1 and 10 show as Yellow
All Greater or Equal 11 show as Red

The remaining tiles

  • Number of lowercase letters
  • Number of uppercase letters
  • Number of digits
  • Number of letters
  • Number of special characters

are identical. Only Filter 4 “Configuration Item” needs to be adjusted.

 

Extended concept(s):

For a clearer presentation, it is a good idea to create multiple dashboards. For example, a central SAP Security Dashboard could be structured as follows:

  • General System Overview⁴
  • SAP Security Baseline⁵ ⁶
  • Company-specific Security Projects (e.g. high-priority topics from the SAP Security Patch Day)

 

Appendix

Useful Configuration Stores for Security Reporting

 

Systemtype Configuration Store Description
ABAP ABAP_INSTANCE_PAHI Contains the ABAP profile parameter configuration
ABAP ABAP_NOTES Contains information about currently installed SAP Notes
ABAP ABAP_COMP_RELEASE Contains the release levels of installed ABAP components
ABAP AUDIT_CONFIGURATION Contains the Security Audit Configuration
ABAP AUTH_ROLE_USER Contains information about users with the rights SAP_ALL and SAP_NEW
ABAP CLIENTS Contains the available clients
ABAP GLOBAL Contains the status of the system change option
ABAP GW_REGINFO Contains the “reginfo” gateway security rules
ABAP GW_SECINFO Contains the “secinfo” gateway security rules
ABAP SICF_SERVICES Contains information about SICF services
ABAP STANDARD_USERS Contrains information about standard users (e.g. SAP*, DDIC)
ABAP USER_PASSWD_HASH_USAGE Contains information about the usage of different password hash algorithms
HANA HDB_PARAMETER Contains the HANA parameter configuration
JAVA com.sap.security.core.ume.service Contains the User Management Engine (UME) parameter configuration
JAVA J2EE_COMP_SPLEVEL Contains the release levels of installed JAVA components
JAVA Parameters Contains the JAVA profile parameter configuration
JAVA xmlhardener_srv Contains the status of XML Hardening

 

Sources and related content

¹ DSAG-Umfrage zur IT-Sicherheit im SAP-Umfeld: https://www.dsag.de/externe-news/dsag-umfrage-zur-it-sicherheit-im-sap-umfeld

² SAP Solution Manager 7.2 – Dashboard Builder: https://blogs.sap.com/2017/02/28/sap-solution-manager-7.2-dashboard-builder/

³ Securing SAP NetWeaver AS ABAP Systems against password attacks: https://blogs.sap.com/2018/02/14/securing-sap-netweaver-as-abap-systems-against-password-attacks/

⁴ How to realize a Solution Manager LMDB System Overview in Dashboard Builder: https://blogs.sap.com/2018/04/24/how-to-realize-a-solution-manager-lmdb-system-overview-in-dashboard-builder/

⁵ Security Baseline Template & Security Notes Webinar: https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfolio.html

⁶ 2253549 – The SAP Security Baseline Template: https://launchpad.support.sap.com/#/notes/2253549

ConfVal_Home – Technical Operations – SCN Wiki: https://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Home

1 Comment
You must be Logged on to comment or reply to a post.