Technical Articles
How to create fiori-based Security Dashboards in Solution Manager Dashboard Builder
Introduction
In modern times of industrial espionage, leaked information and blackmailing, it is essential to deal with the security of SAP Systems.
Centralized and summarized presentation of current configuration parameters becomes more and more necessary to gain an ideal overview of the security status of IT landscapes. This is what so-called “Dashboards” can do.
Recent survey results¹ of the German-speaking SAP user group “DSAG” showed that the majority of respondents do not use a central SAP Security Dashboard.
On this topic there is a lot of information in different places. This blog post aims to give a summarized step by step guide on how to use Solution Manager “Configuration Validation” and “Dashboard Builder”² to implement custom fiori-based Security Dashboards.
As a simple example, the following profile parameters for password minimum requirements³ are used:
| Setting | Profile Parameter | Recommendation |
| Minimum password length | login/min_password_lng | 8 |
| Number of lowercase letters | login/min_password_lowercase | 1 |
| Number of uppercase letters | login/min_password_uppercase | 1 |
| Number of digits | login/min_password_digits | 1 |
| Number of letters | login/min_password_letters | 1 |
| Number of special characters | login/min_password_specials | 1 |
Contents
This blog post is structured into the following parts:
- Where can I find Solution Manager Dashboard Builder?
- Create a new Dashboard
- Create a Configuration Validation Report
- Display Configuration Validation Report results in the Dashboard
- Extended Concept(s)
- Appendix
Step 1: Where can I find Solution Manager Dashboard Builder?
Dashboard Builder is accessible in the Fiori Launchpad tile “Configuration Analytics and Dashboards”, which is hidden in the standard view.
You can enable the tile by personalizing the Home Page:
| Transaction “SM_WORKCENTER” >> bottom right corner >> Personalize Home Page |  |
| My Home >> “+” Tile (Open App Finder) |  |
| Catalog “SAP Solution Manager Configuration” >> Tile “Configuration Analytics and Dashboards” >> “+” Button (Add tile to group “My Home”) |  |
| Top left corner >> Home Button |  |
| Bottom right corner >> Exit Action Mode |  |
| The tile for starting Dashboard Builder has been enabled |  |
Step 2: Create a new Dashboard
Individual Dashboards in “Dashboard Builder” are structured in Categories. Each Dashboard consists of Groups and Tiles:
2.1: Create Category
| Bottom right corner >> New Dashboard |  |
| Edit Category |  |
| Add new Category |  |
| Enter a custom name |  |
| Save in $TMP (we are in a development environment and do not want to transport) |  |
| The Dashboard Category “Security” is available |  |
2.2: Create Dashboard
| Bottom right corner >> New Dashboard | |
|
Enter a custom name (in this case “Test Security Dashboard”) Choose the Category “Security” Enable 15 Minute(s) auto refresh (Optional) |
 |
| Save in $TMP (we are in a development environment and do not want to transport) | |
| Within the Category “Security”, the (empty) Dashboard “Test Security Dashboard” is available |  |
2.3: Create Group
| Bottom right corner >> Create Group |
 |
| Enter a custom name (in this case “Password Requirements”) |  |
| Again, save in $TMP (we are in a development environment and do not want to transport) |  |
| Within the Dashboard “Test Security Dashboard”, the Group “Password Requirements” is available |  |
Before the Group can be filled with tiles, it is necessary to create a Report in Configuration Validation. Its results are then displayed in the dashboard.
Step 3: Create a Configuration Validation Report
In the Solution Manager Launchpad, the tile “Configuration Validation” can be found in the “Root Cause Analysis” Group:
Configuration Validation compares the configuration of SAP systems in a system comparison list with a predefined state of a target system:
3.1: Create Target System
A target system is created from an existing source system. This includes various Configuration Stores with individual Configuration Items.
The parameters mentioned in the example are Configuration Items in the Configuration Store “ABAP_INSTANCE_PAHI” (Store for profile parameters).
3.1.1: Create Target System from selected Source System
| Switch to “Target System Maintenance” |
 |
| Select “Display all” for choosing a Source System |  |
|
Select a (AS ABAP) Source System Select Config Store “ABAP_INSTANCE_PAHI” Push “Create from selected Stores” |
 |
| Save the new Target System |  |
| >> Saving was successful, the Target System has been created |
 |
3.1.2: Adjust Configuration Items in the Configuration Store
| Switch to “Edit” |  |
| Select Target System “TST” |  |
| Open Config. Store “ABAP_INSTANCE_PAHI” |  |
| Select the relevant items |  |
| Delete unselected items |  |
| Adjust Operators and Values |  |
| Save, the Target System “TST” for validating password minimum requirements has been created |
 |
3.2: Create Comparison List
| Switch to “Comparison List Maintenance” |  |
| Create new “Dynamic” Compare List (so future new systems will be added automatically) |  |
|
Enter a custom Name and Description Filter for System type “ABAP*” “Refresh” to verify the list |
 |
| Save the Comparision List |  |
| The Comparision List “ALL ABAP” for validating against all ABAP Systems has been created |  |
3.3: Run Validation Report
| Switch to “Report Execution” |  |
| Create new record |  |
| Select Validation Template |  |
| Transfer Report “0TPL_0SMD_VCA2_CITEMS_REF” |  |
| Select Reference System |  |
| Transfer Target System “TST” |  |
| Select Comparison List |  |
| Transfer Comparison List “ALL ABAP” |  |
|
Expand “Optional Settings” Check “Suppress query variable pop-up” Number of rows displayed “100” |
 |
| Save current selection in Report Directory |  |
| Start Report |  |
| The Configuration Validation Report about password minumum requirements has been created |  |
Step 4: Display Configuration Validation Report results in the Dashboard
Back in Solution Manager Dashboard Builder, the tiles can now be created.
4.1: Create Dashboard Tiles
| Bottom right corner >> Create Custom Tile |  |
|
Enter Name and Description Change Data Source Type from “BW Query” to “Function Module“ |
 |
|
The Function Module DIAGCPL_CV_DSH is the Dashboard Builder interface to Configuration Validation >> Enter to activate the configuration |
 |
4.1.1: Choose the Configuration Validation Target System “TST”
(as created in “3.1: Create Target System“)
| Right Click “Available Fields – Reference SID” |
 |
| Enter Value “TST” >> OK |
 |
4.1.2: Choose the Configuration Validation Comparison List “ALL ABAP”
(as created in “3.2: Create Comparison List“)
| Right Click “Available Fields – Comparison List of Systems” |
 |
| Enter Value “ALL ABAP” >> OK |
 |
4.1.3: Further configuration
| Right Click “Columns – Key Figures” >> Filter >> Select Filter Value |  |
| Change Value to “All” |  |
| Right Click “Available Fields – Aggregate on System Level” >> Filter >> Select Filter Value |  |
| Change Value to “X” (each system should be counted only once, despite the multiple password parameters) |  |
| Right Click “Available Fields – Compliance” >> Filter >> Select Filter Value |  |
| Enter Values “No” and “Item not found” (both statuses should be considered as “not compliant”) |  |
| Right Click “Columns – Key Figures” >> Thresholds >> Define Thresholds |
 |
| Enter custom threshold values (depends on infrastructure size) |  |
| Bottom right corner >> Save |  |
| Within the the Group “Password Requirements”, the tile is available |  |
4.4: Create Drill-Down view
| >> Tile Settings |  |
|
Change Details Page Template to “Drill-Down views” >> Save |
 |
| Click tile to enter Drill-Down page |  |
| Add a new Drill-Down view |  |
|
Enter a custom name Use the Function Module DIAGCPL_CV_DSH as interface to Configuration Validation >> Enter to activate the configuration |
 |
| Remove “Columns – Key Figures” |  |
| Add fields, that should be columns in the Drill-Down table (the table columns are defined in the “Rows” Section…) |  |
| In this example: Extended System ID, Store Name, Configuration Item, Configuration Item Value, Configuration Item Value Rule, Compliance, Store Timestamp |  |
| Right Click “Extended System ID” >> Sort >> Ascending |  |
|
Choose the Configuration Validation Target System “TST” (as in 4.1.1: Choose the Configuration Validation Target System)
|
 |
|
>> Save The Drill-Down view is available |
 |
4.3: View the Dashboard
| Top right corner >> View mode |  |
|
The dashboard is now in “View mode” The generated URL can be used for distribution |
 |
4.4: Detailed Dashboard Tiles configuration parameters
Tile: Password Requirements
| Parameter | Value |
| KPI Type | Custom |
| Name | Password Requirements |
| Subhead | |
| Description | not compliant |
| Visualization | Number-based |
| Size | 1 X 1 |
| Unit | |
| Data Source Type | Function Module |
| Data Source Name | DIAGCPL_CV_DSH |
| Detail Page Template | Drill-Down views |
| Rows | |
| Columns | Key Figures |
| Filter 1 | Key Figures: All |
| Filter 2 | Aggregate on System Level: X |
| Filter 3 | Comparison List of Systems: ALL ABAP |
| Filter 4 | Reference SID: TST |
| Filter 5 | Compliance: No && Item not found |
| Thresholds | All Less or Equal 0 show as Green All Between 1 and 10 show as Yellow All Greater or Equal 11 show as Red |
Drill-Down View
| Parameter | Value |
| Name | Drill-Down View |
| Data Source Type | Function Module |
| Data Source Name | DIAGCPL_CV_DSH |
| Visualization | Table |
| Disable Visualization Switch | |
| Jump to Application | |
| Rows | Extended System ID (Sort Ascending), Store Name, Configuration Item, Configuration Item Value, Configuration Item Value Rule, Compliance, Store Timestamp |
| Columns | |
| Filter 1 | Comparison List of Systems: ALL ABAP |
| Filter 2 | Reference SID: TST |
Tile: Password Requirements Compliance (Pie chart)
| Parameter | Value |
| KPI Type | Custom |
| Name | Password Requirements |
| Subhead | Compliance |
| Description | not compliant |
| Visualization | Pie chart |
| Size | 2 X 2 |
| Data Source Type | Function Module |
| Data Source Name | DIAGCPL_CV_DSH |
| Detail Page Template | None |
| Rows | Compliance |
| Columns | Key Figures |
| Filter 1 | Key Figures: All |
| Filter 2 | Aggregate on System Level: X |
| Filter 3 | Comparison List of Systems: ALL ABAP |
| Filter 4 | Reference SID: TST |
Tile: Minimum password length
| Parameter | Value |
| KPI Type | Custom |
| Name | Minimum password length |
| Subhead | |
| Description | not compliant |
| Visualization | Number-based |
| Size | 1 X 1 |
| Unit | |
| Data Source Type | Function Module |
| Data Source Name | DIAGCPL_CV_DSH |
| Detail Page Template | None |
| Rows | |
| Columns | Key Figures |
| Filter 1 | Key Figures: All |
| Filter 2 | Comparison List of Systems: ALL ABAP |
| Filter 3 | Reference SID: TST |
| Filter 4 | Configuration Item: login/min_password_lng |
| Filter 5 | Compliance: No |
| Thresholds | All Less or Equal 0 show as Green All Between 1 and 10 show as Yellow All Greater or Equal 11 show as Red |
The remaining tiles
- Number of lowercase letters
- Number of uppercase letters
- Number of digits
- Number of letters
- Number of special characters
are identical. Only Filter 4 “Configuration Item” needs to be adjusted.
Extended concept(s):
For a clearer presentation, it is a good idea to create multiple dashboards. For example, a central SAP Security Dashboard could be structured as follows:
- General System Overview⁴
- SAP Security Baseline⁵ ⁶
- Company-specific Security Projects (e.g. high-priority topics from the SAP Security Patch Day)
Appendix
Useful Configuration Stores for Security Reporting
| Systemtype | Configuration Store | Description |
| ABAP | ABAP_INSTANCE_PAHI | Contains the ABAP profile parameter configuration |
| ABAP | ABAP_NOTES | Contains information about currently installed SAP Notes |
| ABAP | ABAP_COMP_RELEASE | Contains the release levels of installed ABAP components |
| ABAP | AUDIT_CONFIGURATION | Contains the Security Audit Configuration |
| ABAP | AUTH_ROLE_USER | Contains information about users with the rights SAP_ALL and SAP_NEW |
| ABAP | CLIENTS | Contains the available clients |
| ABAP | GLOBAL | Contains the status of the system change option |
| ABAP | GW_REGINFO | Contains the “reginfo” gateway security rules |
| ABAP | GW_SECINFO | Contains the “secinfo” gateway security rules |
| ABAP | SICF_SERVICES | Contains information about SICF services |
| ABAP | STANDARD_USERS | Contrains information about standard users (e.g. SAP*, DDIC) |
| ABAP | USER_PASSWD_HASH_USAGE | Contains information about the usage of different password hash algorithms |
| HANA | HDB_PARAMETER | Contains the HANA parameter configuration |
| JAVA | com.sap.security.core.ume.service | Contains the User Management Engine (UME) parameter configuration |
| JAVA | J2EE_COMP_SPLEVEL | Contains the release levels of installed JAVA components |
| JAVA | Parameters | Contains the JAVA profile parameter configuration |
| JAVA | xmlhardener_srv | Contains the status of XML Hardening |
Sources and related content
¹ DSAG-Umfrage zur IT-Sicherheit im SAP-Umfeld: https://www.dsag.de/externe-news/dsag-umfrage-zur-it-sicherheit-im-sap-umfeld
² SAP Solution Manager 7.2 – Dashboard Builder: https://blogs.sap.com/2017/02/28/sap-solution-manager-7.2-dashboard-builder/
³ Securing SAP NetWeaver AS ABAP Systems against password attacks: https://blogs.sap.com/2018/02/14/securing-sap-netweaver-as-abap-systems-against-password-attacks/
⁴ How to realize a Solution Manager LMDB System Overview in Dashboard Builder: https://blogs.sap.com/2018/04/24/how-to-realize-a-solution-manager-lmdb-system-overview-in-dashboard-builder/
⁵ Security Baseline Template & Security Notes Webinar: https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfolio.html
⁶ 2253549 – The SAP Security Baseline Template: https://launchpad.support.sap.com/#/notes/2253549
ConfVal_Home – Technical Operations – SCN Wiki: https://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Home
Kai Bauer thank you very much! This is very well written and helpful. Excellent work!
Dear Kai,
many thanks for such a detailed blog it really helps
i followed all the required steps and i also see correct data on the main dashboard tile , it shows that 10 systems are non compliant which is right however i do not see drill down data
what could be the problem because of which i cannot see drill down data ?
Best Regards,
Shubham Jain