Displaying Security Alerts in the SAP EarlyWatch Alert Workspace
Most likely you all know SAP EarlyWatch Alert; an automatic diagnostic service that monitors the essential administrative areas of an SAP system. SAP recommends that you consume the corresponding reports in the cloud-based SAP EarlyWatch Alert Workspace in SAP for Me.
If you don’t know the SAP EarlyWatch Alert Workspace, just use the in-app help. It contains detailed help content as an overlay on top of all the SAP EarlyWatch Alert apps. To enable it, simply click on the question mark in the upper right hand corner of the screen:
From the workspace, you can start different apps covering different aspects of SAP EarlyWatch Alert information. One of these apps is the SAP EarlyWatch Alert Solution Finder, containing a powerful search function over all your SAP EarlyWatch Alert reports for any search term or affected system.
But now to the main topic of the blog – getting information about the security status of your system landscape. If there are security issues in your system landscape, most likely there’ll be a corresponding alert in the SAP EarlyWatch Alert reports.
So far customers sometimes have entered “Security” as a search term in the SAP EarlyWatch Alert Solution Finder to find corresponding alerts and associated recommendations. Meanwhile, this has been improved significantly – now alerts are characterized by categories and sub-categories, which you can select as an additional search criterion. To do so, just check the needed category in the dropdown list box Alert Category in the header of the Solution Finder:
Because of the special importance of security alerts, there is now also another card available in the SAP EarlyWatch Alert Workspace: the Security Status. A preliminary version of this card will be released on October 04, 2019, with the final UI described here coming two weeks later.
Using this card, you don’t have to start another app to see a summary of the security issues in your system landscape. The card displays the number of systems in which security alerts exist, both in total and broken down by category and rating. So for every security alert category, you can see the number of systems with red alerts, yellow alerts and without alerts. You also have the option of displaying only the alerts of the most recent report per system (New Alerts) or the alerts that re-occurred since one or multiple of the previous reports (All Alerts):
In detail, the following security checks are performed in SAP EarlyWatch Alert depending on the system type (also see SAP note 863362):
|Critical Authorizations||Users have critical authorizations, like:
|Security Review and Monitoring||
If you click the Security Status card, the SAP EarlyWatch Solution Finder is called with the following alert filter settings:
- If you click the card header, all categories of security alerts are displayed.
- If you click a category, only the corresponding security alerts are displayed.
- There is no filter for Age (in contrast to the conventional Solution Finder, where by default only alerts of the latest report for each system are displayed). The reason is that you usually call the Solution Finder once per week to check whether new alerts have occurred. In contrast, the Security Status answers the question of existing security issues, regardless of how long the corresponding alert already exists.
- There is no filter for Alert Rating in contrast to the conventional Solution Finder, where by default only decisive red alerts are displayed for each system). The reason is that you are usually interested in the most severe alerts first when calling the Solution Finder. In contrast, the Security Status should give you a complete overview about security issues, regardless of the alert rating.
As usual, you will find a recommendation how to solve the issue for every alert found.
Because of the fundamental importance of security alerts, the search for these alerts is protected by an additional authorization. User administrators can assign this authorization in SAP for Me in the Manage Users and Authorizations app. Please note the following in this context:
- The authorization is initially assigned to super administrators only.
- Super administrators can assign the authorization to user administrators or directly to users.
In Detail, you need the following authorizations:
- The already existing authorization Service Reports and Feedback (section Reports) to view SAP EarlyWatch Alert reports and apps.
- The new authorization Display Security Alerts in SAP EarlyWatch Alert Workspace (section Reports) to use the alert category Security in the application SAP EarlyWatch Alert Solution Finder and to access the card Security Status.