Introduction

In modern times of industrial espionage, leaked information and blackmailing, it is essential to deal with the security of SAP Systems.

Centralized and summarized presentation of current configuration parameters becomes more and more necessary to gain an ideal overview of the security status of IT landscapes. This is what so-called “Dashboards” can do.

Recent survey results¹ of the German-speaking SAP user group “DSAG” showed that the majority of respondents do not use a central SAP Security Dashboard.

On this topic there is a lot of information in different places. This blog post aims to give a summarized step by step guide on how to use Solution Manager “Configuration Validation” and “Dashboard Builder”² to implement custom fiori-based Security Dashboards.

As a simple example, the following profile parameters for password minimum requirements³ are used:

Contents

This blog post is structured into the following parts:

1. Where can I find Solution Manager Dashboard Builder?
2. Create a new Dashboard
   1. Create Category
   2. Create Dashboard
   3. Create Group
3. Create a Configuration Validation Report
   1. Create Target System
      1. Create Target System from selected Source System
      2. Adjust Configuration Items in the Configuration Store
   2. Create Comparison List
   3. Run Validation Report
4. Display Configuration Validation Report results in the Dashboard
   1. Create Dashboard Tiles
      1. Choose the Configuration Validation Target System
      2. Choose the Configuration Validation Comparison List
      3. Further configuration
   2. Create Drill-Down view
   3. View the Dashboard
   4. Detailed Dashboard Tiles configuration parameters
5. Extended Concept(s)
6. Appendix
   1. Useful Configuration Stores for Security Reporting

Step 1: Where can I find Solution Manager Dashboard Builder?

Dashboard Builder is accessible in the Fiori Launchpad tile “Configuration Analytics and Dashboards”, which is hidden in the standard view.

You can enable the tile by personalizing the Home Page:

Transaction “SM_WORKCENTER” >> bottom right corner >> Personalize Home Page
My Home >> “+” Tile (Open App Finder)
Catalog “SAP Solution Manager Configuration” >> Tile “Configuration Analytics and Dashboards” >> “+” Button (Add tile to group “My Home”)
Top left corner >> Home Button
Bottom right corner >> Exit Action Mode
The tile for starting Dashboard Builder has been enabled

Step 2: Create a new Dashboard

Individual Dashboards in “Dashboard Builder” are structured in Categories. Each Dashboard consists of Groups and Tiles:

2.1: Create Category

Bottom right corner >> New Dashboard
Edit Category
Add new Category
Enter a custom name
Save in $TMP (we are in a development environment and do not want to transport)
The Dashboard Category “Security” is available

2.2: Create Dashboard

Bottom right corner >> New Dashboard
Enter a custom name (in this case “Test Security Dashboard”) Choose the Category “Security” Enable 15 Minute(s) auto refresh (Optional)
Save in $TMP (we are in a development environment and do not want to transport)
Within the Category “Security”, the (empty) Dashboard “Test Security Dashboard” is available

2.3: Create Group

Bottom right corner >> Create Group
Enter a custom name (in this case “Password Requirements”)
Again, save in $TMP (we are in a development environment and do not want to transport)
Within the Dashboard “Test Security Dashboard”, the Group “Password Requirements” is available

Before the Group can be filled with tiles, it is necessary to create a Report in Configuration Validation. Its results are then displayed in the dashboard.

Step 3: Create a Configuration Validation Report

In the Solution Manager Launchpad, the tile “Configuration Validation” can be found in the “Root Cause Analysis” Group:

Configuration Validation compares the configuration of SAP systems in a system comparison list with a predefined state of a target system:

3.1: Create Target System

A target system is created from an existing source system. This includes various Configuration Stores with individual Configuration Items.

The parameters mentioned in the example are Configuration Items in the Configuration Store “ABAP_INSTANCE_PAHI” (Store for profile parameters).

3.1.1: Create Target System from selected Source System

Switch to “Target System Maintenance”
Select “Display all” for choosing a Source System
Select a (AS ABAP) Source System Select Config Store “ABAP_INSTANCE_PAHI” Push “Create from selected Stores”
Save the new Target System
>> Saving was successful, the Target System has been created

3.1.2: Adjust Configuration Items in the Configuration Store

Switch to “Edit”
Select Target System “TST”
Open Config. Store “ABAP_INSTANCE_PAHI”
Select the relevant items
Delete unselected items
Adjust Operators and Values
Save, the Target System “TST” for validating password minimum requirements has been created

3.2: Create Comparison List

Switch to “Comparison List Maintenance”
Create new “Dynamic” Compare List (so future new systems will be added automatically)
Enter a custom Name and Description Filter for System type “ABAP*” “Refresh” to verify the list
Save the Comparision List
The Comparision List “ALL ABAP” for validating against all ABAP Systems has been created

3.3: Run Validation Report

Switch to “Report Execution”
Create new record
Select Validation Template
Transfer Report “0TPL_0SMD_VCA2_CITEMS_REF”
Select Reference System
Transfer Target System “TST”
Select Comparison List
Transfer Comparison List “ALL ABAP”
Expand “Optional Settings” Check “Suppress query variable pop-up” Number of rows displayed “100”
Save current selection in Report Directory
Start Report
The Configuration Validation Report about password minumum requirements has been created

Step 4: Display Configuration Validation Report results in the Dashboard

Back in Solution Manager Dashboard Builder, the tiles can now be created.

4.1: Create Dashboard Tiles

Bottom right corner >> Create Custom Tile
Enter Name and Description Change Data Source Type from “BW Query” to “Function Module“
The Function Module DIAGCPL_CV_DSH is the Dashboard Builder interface to Configuration Validation >> Enter to activate the configuration

4.1.1: Choose the Configuration Validation Target System “TST”

(as created in “3.1: Create Target System“)

Right Click “Available Fields – Reference SID”
Enter Value “TST” >>  OK

4.1.2: Choose the Configuration Validation Comparison List “ALL ABAP”

(as created in “3.2: Create Comparison List“)

Right Click “Available Fields – Comparison List of Systems”
Enter Value “ALL ABAP” >>  OK

4.1.3: Further configuration

Right Click “Columns – Key Figures” >> Filter >> Select Filter Value
Change Value to “All”
Right Click “Available Fields – Aggregate on System Level” >> Filter >> Select Filter Value
Change Value to “X” (each system should be counted only once, despite the multiple password parameters)
Right Click “Available Fields – Compliance” >> Filter >> Select Filter Value
Enter Values “No” and “Item not found” (both statuses should be considered as “not compliant”)
Right Click “Columns – Key Figures” >> Thresholds >> Define Thresholds
Enter custom threshold values (depends on infrastructure size)
Bottom right corner >> Save
Within the the Group “Password Requirements”, the tile is available

4.4: Create Drill-Down view

>> Tile Settings
Change Details Page Template to “Drill-Down views” >> Save
Click tile to enter Drill-Down page
Add a new Drill-Down view
Enter a custom name Use the Function Module DIAGCPL_CV_DSH as interface to Configuration Validation >> Enter to activate the configuration
Remove “Columns – Key Figures”
Add fields, that should be columns in the Drill-Down table (the table columns are defined in the “Rows” Section…)
In this example: Extended System ID, Store Name, Configuration Item, Configuration Item Value, Configuration Item Value Rule, Compliance, Store Timestamp
Right Click “Extended System ID” >> Sort >> Ascending
Choose the Configuration Validation Target System “TST” (as in 4.1.1: Choose the Configuration Validation Target System) Choose the Configuration Validation Comparison List “ALL ABAP” (as in 4.1.2: Choose the Configuration Validation Comparison List)
>> Save The Drill-Down view is available

4.3: View the Dashboard

Top right corner >> View mode
The dashboard is now in “View mode” The generated URL can be used for distribution

4.4: Detailed Dashboard Tiles configuration parameters

Tile: Password Requirements

Drill-Down View

Tile: Minimum password length

The remaining tiles

• Number of lowercase letters
• Number of uppercase letters
• Number of digits
• Number of letters
• Number of special characters

are identical. Only Filter 4 “Configuration Item” needs to be adjusted.

Extended concept(s):

For a clearer presentation, it is a good idea to create multiple dashboards. For example, a central SAP Security Dashboard could be structured as follows:

• General System Overview⁴
• SAP Security Baseline⁵ ⁶
• Company-specific Security Projects (e.g. high-priority topics from the SAP Security Patch Day)
  

Appendix

Useful Configuration Stores for Security Reporting

Sources and related content

¹ DSAG-Umfrage zur IT-Sicherheit im SAP-Umfeld: https://www.dsag.de/externe-news/dsag-umfrage-zur-it-sicherheit-im-sap-umfeld

² SAP Solution Manager 7.2 – Dashboard Builder: https://blogs.sap.com/2017/02/28/sap-solution-manager-7.2-dashboard-builder/

³ Securing SAP NetWeaver AS ABAP Systems against password attacks: https://blogs.sap.com/2018/02/14/securing-sap-netweaver-as-abap-systems-against-password-attacks/

⁴ How to realize a Solution Manager LMDB System Overview in Dashboard Builder: https://blogs.sap.com/2018/04/24/how-to-realize-a-solution-manager-lmdb-system-overview-in-dashboard-builder/

⁵ Security Baseline Template & Security Notes Webinar: https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfolio.html

⁶ 2253549 – The SAP Security Baseline Template: https://launchpad.support.sap.com/#/notes/2253549

ConfVal_Home – Technical Operations – SCN Wiki: https://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Home